From 94466d8196dce3dafd2a41942d02e4c5362dbe51 Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Tue, 30 Apr 2019 19:07:57 +0200 Subject: [PATCH] chg: [ATT&CK] updated to the latest version --- clusters/mitre-attack-pattern.json | 1044 +- clusters/mitre-course-of-action.json | 1313 +- ...re-enterprise-attack-course-of-action.json | 9 +- clusters/mitre-intrusion-set.json | 10573 ++++++---- clusters/mitre-malware.json | 17177 ++++++++++------ .../mitre-mobile-attack-attack-pattern.json | 2 +- .../mitre-mobile-attack-course-of-action.json | 2 +- clusters/mitre-mobile-attack-malware.json | 16 +- clusters/mitre-pre-attack-attack-pattern.json | 2 +- clusters/mitre-pre-attack-intrusion-set.json | 16 +- clusters/mitre-tool.json | 2274 +- 11 files changed, 21331 insertions(+), 11097 deletions(-) diff --git a/clusters/mitre-attack-pattern.json b/clusters/mitre-attack-pattern.json index 677e86c..d766609 100644 --- a/clusters/mitre-attack-pattern.json +++ b/clusters/mitre-attack-pattern.json @@ -229,7 +229,7 @@ "value": "Acquire and/or use 3rd party infrastructure services - T1329" }, { - "description": "Code signing is the process of digitally signing executables or scripts to confirm the software author and guarantee that the code has not been altered or corrupted. Users may trust a signed piece of code more than an signed piece of code even if they don't know who issued the certificate or who the author is. (Citation: Adobe Code Signing Cert)", + "description": "Code signing is the process of digitally signing executables or scripts to confirm the software author and guarantee that the code has not been altered or corrupted. Users may trust a signed piece of code more than an unsigned piece of code even if they don't know who issued the certificate or who the author is. (Citation: Adobe Code Signing Cert)", "meta": { "external_id": "T1310", "kill_chain": [ @@ -313,7 +313,7 @@ "value": "Compromise 3rd party infrastructure to support delivery - T1312" }, { - "description": "Code signing is the process of digitally signing executables and scripts to confirm the software author and guarantee that the code has not been altered or corrupted. Users may trust a signed piece of code more than an signed piece of code even if they don't know who issued the certificate or who the author is. (Citation: DiginotarCompromise)", + "description": "Code signing is the process of digitally signing executables and scripts to confirm the software author and guarantee that the code has not been altered or corrupted. Users may trust a signed piece of code more than an unsigned piece of code even if they don't know who issued the certificate or who the author is. (Citation: DiginotarCompromise)", "meta": { "external_id": "T1332", "kill_chain": [ @@ -393,7 +393,7 @@ "value": "Abuse of iOS Enterprise App Signing Key - T1445" }, { - "description": "Malicious applications are a common attack vector used by adversaries to gain a presence on mobile devices. Mobile devices often are configured to allow application installation only from an authorized app store (e.g., Google Play Store or Apple App Store). An adversary may seek to place a malicious application in an authorized app store, enabling the application to be installed onto targeted devices.\n\nApp stores typically require developer registration and use vetting techniques to identify malicious applications. Adversaries may use these techniques against app store defenses:\n\n* [Download New Code at Runtime](https://attack.mitre.org/techniques/T1407)\n* [Obfuscated or Encrypted Payload](https://attack.mitre.org/techniques/T1406)\n* PRE-ATT&CK: [Choose pre-compromised mobile app developer account credentials or signing keys](https://attack.mitre.org/techniques/T1391)\n* PRE-ATT&CK: [Test ability to evade automated mobile application security analysis performed by app stores](https://attack.mitre.org/techniques/T1393)\n\nAdversaries may also seek to evade vetting by placing code in a malicious application to detect whether it is running in an app analysis environment and, if so, avoid performing malicious actions while under analysis. (Citation: Petsas) (Citation: Oberheide-Bouncer) (Citation: Percoco-Bouncer) (Citation: Wang)\n\nAdversaries may also use fake identities, payment cards, etc., to create developer accounts to publish malicious applications to app stores. (Citation: Oberheide-Bouncer)\n\nAdversaries may also use control of a target's Google account to use the Google Play Store's remote installation capability to install apps onto the Android devices associated with the Google account. (Citation: Oberheide-RemoteInstall) (Citation: Konoth) (Only applications that are available for download through the Google Play Store can be remotely installed using this technique.)", + "description": "Malicious applications are a common attack vector used by adversaries to gain a presence on mobile devices. Mobile devices often are configured to allow application installation only from an authorized app store (e.g., Google Play Store or Apple App Store). An adversary may seek to place a malicious application in an authorized app store, enabling the application to be installed onto targeted devices.\n\nApp stores typically require developer registration and use vetting techniques to identify malicious applications. Adversaries may use these techniques against app store defenses:\n\n* [Download New Code at Runtime](https://attack.mitre.org/techniques/T1407)\n* [Obfuscated Files or Information](https://attack.mitre.org/techniques/T1406)\n* PRE-ATT&CK: [Choose pre-compromised mobile app developer account credentials or signing keys](https://attack.mitre.org/techniques/T1391)\n* PRE-ATT&CK: [Test ability to evade automated mobile application security analysis performed by app stores](https://attack.mitre.org/techniques/T1393)\n\nAdversaries may also seek to evade vetting by placing code in a malicious application to detect whether it is running in an app analysis environment and, if so, avoid performing malicious actions while under analysis. (Citation: Petsas) (Citation: Oberheide-Bouncer) (Citation: Percoco-Bouncer) (Citation: Wang)\n\nAdversaries may also use fake identities, payment cards, etc., to create developer accounts to publish malicious applications to app stores. (Citation: Oberheide-Bouncer)\n\nAdversaries may also use control of a target's Google account to use the Google Play Store's remote installation capability to install apps onto the Android devices associated with the Google account. (Citation: Oberheide-RemoteInstall) (Citation: Konoth) (Only applications that are available for download through the Google Play Store can be remotely installed using this technique.)", "meta": { "external_id": "ECO-22", "kill_chain": [ @@ -561,7 +561,7 @@ "value": "Identify vulnerabilities in third-party software libraries - T1389" }, { - "description": "Adding an entry to the \"run keys\" in the Registry or startup folder will cause the program referenced to be executed when a user logs in. (Citation: Microsoft Run Key) These programs will be executed under the context of the user and will have the account's associated permissions level.\n\nThe following run keys are created by default on Windows systems:\n* HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\n* HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\n* HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\n* HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\n\nThe HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnceEx is also available but is not created by default on Windows Visa and newer. Registry run key entries can reference programs directly or list them as a dependency. (Citation: Microsoft RunOnceEx APR 2018) For example, it is possible to load a DLL at logon using a \"Depend\" key with RunOnceEx: reg add HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnceEx\\0001\\Depend /v 1 /d \"C:\\temp\\evil[.]dll\" (Citation: Oddvar Moe RunOnceEx Mar 2018)\n\nThe following Registry keys can be used to set startup folder items for persistence:\n* HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders\n* HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders\n* HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders\n* HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders\n\nAdversaries can use these configuration locations to execute malware, such as remote access tools, to maintain persistence through system reboots. Adversaries may also use [Masquerading](https://attack.mitre.org/techniques/T1036) to make the Registry entries look as if they are associated with legitimate programs.", + "description": "Adding an entry to the \"run keys\" in the Registry or startup folder will cause the program referenced to be executed when a user logs in. (Citation: Microsoft Run Key) These programs will be executed under the context of the user and will have the account's associated permissions level.\n\nThe following run keys are created by default on Windows systems:\n* HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\n* HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\n* HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\n* HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\n\nThe HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnceEx is also available but is not created by default on Windows Vista and newer. Registry run key entries can reference programs directly or list them as a dependency. (Citation: Microsoft RunOnceEx APR 2018) For example, it is possible to load a DLL at logon using a \"Depend\" key with RunOnceEx: reg add HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnceEx\\0001\\Depend /v 1 /d \"C:\\temp\\evil[.]dll\" (Citation: Oddvar Moe RunOnceEx Mar 2018)\n\nThe following Registry keys can be used to set startup folder items for persistence:\n* HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders\n* HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders\n* HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders\n* HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders\n\nAdversaries can use these configuration locations to execute malware, such as remote access tools, to maintain persistence through system reboots. Adversaries may also use [Masquerading](https://attack.mitre.org/techniques/T1036) to make the Registry entries look as if they are associated with legitimate programs.", "meta": { "external_id": "CAPEC-270", "kill_chain": [ @@ -587,7 +587,7 @@ "value": "Registry Run Keys / Startup Folder - T1060" }, { - "description": "An adversary could exploit signaling system vulnerabilities to redirect calls or text messages to a phone number under the attacker's control. The adversary could then act as a man-in-the-middle to intercept or manipulate the communication. (Citation: Engel-SS7) (Citation: Engel-SS7-2008) (Citation: 3GPP-Security) (Citation: Positive-SS7) (Citation: CSRIC5-WG10-FinalReport)", + "description": "An adversary could exploit signaling system vulnerabilities to redirect calls or text messages (SMS) to a phone number under the attacker's control. The adversary could then act as a man-in-the-middle to intercept or manipulate the communication. (Citation: Engel-SS7) (Citation: Engel-SS7-2008) (Citation: 3GPP-Security) (Citation: Positive-SS7) (Citation: CSRIC5-WG10-FinalReport) Interception of SMS messages could enable adversaries to obtain authentication codes used for multi-factor authentication(Citation: TheRegister-SS7).", "meta": { "external_id": "CEL-37", "kill_chain": [ @@ -604,7 +604,8 @@ "https://www.youtube.com/watch?v=q0n5ySqbfdI", "http://www.3gpp.org/ftp/tsg_sa/wg3_security/_specs/33900-120.pdf", "https://www.ptsecurity.com/upload/ptcom/PT-SS7-AD-Data-Sheet-eng.pdf", - "https://www.fcc.gov/files/csric5-wg10-finalreport031517pdf" + "https://www.fcc.gov/files/csric5-wg10-finalreport031517pdf", + "https://www.theregister.co.uk/2017/05/03/hackers_fire_up_ss7_flaw/" ] }, "uuid": "fb3fa94a-3aee-4ab0-b7e7-abdf0a51286d", @@ -692,8 +693,8 @@ "https://attack.mitre.org/techniques/T1450", "https://pages.nist.gov/mobile-threat-catalogue/cellular-threats/CEL-38.html", "https://berlin.ccc.de/~tobias/31c3-ss7-locate-track-manipulate.pdf", - "http://www.3gpp.org/ftp/tsg_sa/wg3_security/_specs/33900-120.pdf", "https://www.youtube.com/watch?v=q0n5ySqbfdI", + "http://www.3gpp.org/ftp/tsg_sa/wg3_security/_specs/33900-120.pdf", "https://www.ptsecurity.com/upload/ptcom/PT-SS7-AD-Data-Sheet-eng.pdf", "https://www.fcc.gov/files/csric5-wg10-finalreport031517pdf" ] @@ -1055,7 +1056,7 @@ "value": "Modify OS Kernel or Boot Partition - T1398" }, { - "description": "If the mobile device is connected (typically via USB) to a charging station or a PC, for example to charge the device's battery, then a compromised or malicious charging station or PC could attempt to exploit the mobile device via the connection.\n\nKrebs described this technique in (Citation: Krebs-JuiceJacking). Lau et al. (Citation: Lau-Mactans) demonstrated the ability to inject malicious applications into an iOS device via USB. Hay (Citation: IBM-NexusUSB) demonstrated the ability to exploit a Nexus 6 or 6P device over USB and then gain the ability to perform actions including intercepting phone calls, intercepting network traffic, and obtaining the device physical location. Horn (Citation: GoogleProjectZero-OATmeal) demonstrated the ability to exploit Android devices such as the Google Pixel 2 over USB.\n\nProducts from Cellebrite and Grayshift purportedly can use physical access to the data port to unlock the passcode on some iOS devices (Citation: Computerworld-iPhoneCracking).", + "description": "If the mobile device is connected (typically via USB) to a charging station or a PC, for example to charge the device's battery, then a compromised or malicious charging station or PC could attempt to exploit the mobile device via the connection(Citation: Krebs-JuiceJacking).\n\nPrevious demonstrations have included:\n\n* Injecting malicious applications into iOS devices(Citation: Lau-Mactans).\n* Exploiting a Nexus 6 or 6P device over USB and gaining the ability to perform actions including intercepting phone calls, intercepting network traffic, and obtaining the device physical location(Citation: IBM-NexusUSB).\n* Exploiting Android devices such as the Google Pixel 2 over USB(Citation: GoogleProjectZero-OATmeal).\n\nProducts from Cellebrite and Grayshift purportedly can use physical access to the data port to unlock the passcode on some iOS devices(Citation: Computerworld-iPhoneCracking).", "meta": { "external_id": "PHY-1", "kill_chain": [ @@ -1079,7 +1080,7 @@ "value": "Exploit via Charging Station or PC - T1458" }, { - "description": "Malicious applications are a common attack vector used by adversaries to gain a presence on mobile devices. This technique describes installing a malicious application on targeted mobile devices without involving an authorized app store (e.g., Google Play Store or Apple App Store). Adversaries may wish to avoid placing malicious applications in an authorized app store due to increased potential risk of detection or other reasons. However, mobile devices often are configured to allow application installation only from an authorized app store which would prevent this technique from working.\n\nDelivery methods for the malicious application include:\n\n* [Spearphishing Attachment](https://attack.mitre.org/techniques/T1193) - Including the mobile app package as an attachment to an email message.\n* [Spearphishing Link](https://attack.mitre.org/techniques/T1192) - Including a link to the mobile app package within an email, text message (e.g. SMS, iMessage, Hangouts, WhatsApp, etc.), web site, QR code, or other means.\n\nAs a prerequisite, adversaries may use this PRE-ATT&CK technique:\n\n* [Obtain Apple iOS enterprise distribution key pair and certificate](https://attack.mitre.org/techniques/T1392)", + "description": "Malicious applications are a common attack vector used by adversaries to gain a presence on mobile devices. This technique describes installing a malicious application on targeted mobile devices without involving an authorized app store (e.g., Google Play Store or Apple App Store). Adversaries may wish to avoid placing malicious applications in an authorized app store due to increased potential risk of detection or other reasons. However, mobile devices often are configured to allow application installation only from an authorized app store which would prevent this technique from working.\n\nDelivery methods for the malicious application include:\n\n* [Spearphishing Attachment](https://attack.mitre.org/techniques/T1193) - Including the mobile app package as an attachment to an email message.\n* [Spearphishing Link](https://attack.mitre.org/techniques/T1192) - Including a link to the mobile app package within an email, text message (e.g. SMS, iMessage, Hangouts, WhatsApp, etc.), web site, QR code, or other means.\n* Third-Party App Store - Installed from a third-party app store (as opposed to an authorized app store that the device implicitly trusts as part of its default behavior), which may not apply the same level of scrutiny to apps as applied by an authorized app store.(Citation: IBTimes-ThirdParty)(Citation: TrendMicro-RootingMalware)(Citation: TrendMicro-FlappyBird)\n\nAs a prerequisite, adversaries may use this PRE-ATT&CK technique:\n\n* [Obtain Apple iOS enterprise distribution key pair and certificate](https://attack.mitre.org/techniques/T1392)", "meta": { "external_id": "ECO-21", "kill_chain": [ @@ -1093,7 +1094,10 @@ "https://attack.mitre.org/techniques/T1476", "https://pages.nist.gov/mobile-threat-catalogue/authentication-threats/AUT-9.html", "https://pages.nist.gov/mobile-threat-catalogue/ecosystem-threats/ECO-13.html", - "https://pages.nist.gov/mobile-threat-catalogue/ecosystem-threats/ECO-21.html" + "https://pages.nist.gov/mobile-threat-catalogue/ecosystem-threats/ECO-21.html", + "https://www.ibtimes.co.uk/danger-lurks-third-party-android-app-stores-1544861", + "https://blog.trendmicro.com/trendlabs-security-intelligence/user-beware-rooting-malware-found-in-3rd-party-app-stores/", + "https://blog.trendmicro.com/trendlabs-security-intelligence/flappy-bird-and-third-party-app-stores/" ] }, "uuid": "53263a67-075e-48fa-974b-91c5b5445db7", @@ -1114,7 +1118,7 @@ "value": "Upload, install, and configure software/tools - T1362" }, { - "description": "An Android application can listen for the BOOT_COMPLETED broadcast, ensuring that the app's functionality will be activated every time the device starts up without having to wait for the device user to manually start the app.\n\n Zhou and Jiang (Citation: Zhou) analyzed 1260 Android malware samples belonging to 49 families of malware, and determined that 29 malware families and 83.3% of the samples listened for BOOT_COMPLETED.", + "description": "An Android application can listen for the BOOT_COMPLETED broadcast, ensuring that the app's functionality will be activated every time the device starts up without having to wait for the device user to manually start the app.\n\nAn analysis published in 2012(Citation: Zhou) of1260 Android malware samples belonging to 49 families of malware determined that 29 malware families and 83.3% of the samples listened for BOOT_COMPLETED.", "meta": { "external_id": "T1402", "kill_chain": [ @@ -1458,7 +1462,7 @@ "value": "Data from Network Shared Drive - T1039" }, { - "description": "An app could download and execute dynamic code (not included in the original application package) after installation to evade static analysis techniques (and potentially dynamic analysis techniques) used for application vetting or application store review (Citation: Poeplau-ExecuteThis). \n\nOn Android, dynamic code could include native code, Dalvik code, or JavaScript code that uses the Android WebView's JavascriptInterface capability (Citation: Bromium-AndroidRCE).\n\nOn iOS, techniques for executing dynamic code downloaded after application installation include JSPatch (Citation: FireEye-JSPatch). Wang et al. describe a related method of constructing malicious logic at app runtime on iOS (Citation: Wang).", + "description": "An app could download and execute dynamic code (not included in the original application package) after installation to evade static analysis techniques (and potentially dynamic analysis techniques) used for application vetting or application store review.(Citation: Poeplau-ExecuteThis)\n\nOn Android, dynamic code could include native code, Dalvik code, or JavaScript code that uses the Android WebView's JavascriptInterface capability.(Citation: Bromium-AndroidRCE)\n\nOn iOS, techniques also exist for executing dynamic code downloaded after application installation.(Citation: FireEye-JSPatch)(Citation: Wang)", "meta": { "external_id": "APP-20", "kill_chain": [ @@ -1585,7 +1589,7 @@ "value": "Image File Execution Options Injection - T1183" }, { - "description": "A malicious app can register as a device keyboard and intercept keypresses containing sensitive values such as usernames and passwords. Zeltser (Citation: Zeltser-Keyboard) describes these risks.\n\nBoth iOS and Android require the user to explicitly authorize use of third party keyboard apps. Users should be advised to use extreme caution before granting this authorization when it is requested.", + "description": "A malicious app can register as a device keyboard and intercept keypresses containing sensitive values such as usernames and passwords(Citation: Zeltser-Keyboard).\n\nBoth iOS and Android require the user to explicitly authorize use of third party keyboard apps. Users should be advised to use extreme caution before granting this authorization when it is requested.", "meta": { "external_id": "T1417", "kill_chain": [ @@ -1706,7 +1710,7 @@ "value": "Determine secondary level tactical element - T1244" }, { - "description": "With escalated privileges, an adversary could program the mobile device to impersonate USB devices such as input devices (keyboard and mouse), storage devices, and/or networking devices in order to attack a physically connected PC. Wang and Stavrou (Citation: Wang-ExploitingUSB) and Kamkar (Citation: ArsTechnica-PoisonTap) describe this technique. This technique has been demonstrated on Android, and we are unaware of any demonstrations on iOS.", + "description": "With escalated privileges, an adversary could program the mobile device to impersonate USB devices such as input devices (keyboard and mouse), storage devices, and/or networking devices in order to attack a physically connected PC(Citation: Wang-ExploitingUSB)(Citation: ArsTechnica-PoisonTap) This technique has been demonstrated on Android. We are unaware of any demonstrations on iOS.", "meta": { "external_id": "PHY-2", "kill_chain": [ @@ -1932,7 +1936,7 @@ "value": "Automated system performs requested action - T1384" }, { - "description": "If network traffic between the mobile device and remote servers is unencrypted or is encrypted in an insecure manner, then an adversary positioned on the network can eavesdrop on communication. For example, He et al. (Citation: mHealth) describe numerous healthcare-related applications that did not properly protect network communication.", + "description": "If network traffic between the mobile device and remote servers is unencrypted or is encrypted in an insecure manner, then an adversary positioned on the network can eavesdrop on communication.(Citation: mHealth)", "meta": { "external_id": "APP-1", "kill_chain": [ @@ -2037,7 +2041,7 @@ "value": "Compromise of externally facing system - T1388" }, { - "description": "An attacker could jam radio signals (e.g. Wi-Fi, cellular, GPS) to prevent the mobile device from communicating. (Citation: NIST-SP800187)", + "description": "An attacker could jam radio signals (e.g. Wi-Fi, cellular, GPS) to prevent the mobile device from communicating. (Citation: NIST-SP800187)(Citation: CNET-Celljammer)(Citation: NYTimes-Celljam)(Citation: Digitaltrends-Celljam)(Citation: Arstechnica-Celljam)", "meta": { "external_id": "GPS-0", "kill_chain": [ @@ -2053,7 +2057,11 @@ "https://pages.nist.gov/mobile-threat-catalogue/cellular-threats/CEL-8.html", "https://pages.nist.gov/mobile-threat-catalogue/lan-pan-threats/LPN-5.html", "https://pages.nist.gov/mobile-threat-catalogue/gps-threats/GPS-0.html", - "http://csrc.nist.gov/publications/drafts/800-187/sp800_187_draft.pdf" + "http://csrc.nist.gov/publications/drafts/800-187/sp800_187_draft.pdf", + "https://www.cnet.com/news/man-put-cell-phone-jammer-in-car-to-stop-driver-calls-fcc-says/", + "https://www.nytimes.com/2007/11/04/technology/04jammer.html", + "https://www.digitaltrends.com/mobile/florida-teacher-punished-after-signal-jamming-his-students-cell-phones/", + "https://arstechnica.com/tech-policy/2016/03/man-accused-of-jamming-passengers-cell-phones-on-chicago-subway/" ] }, "uuid": "d2e112dc-f6d4-488d-b8df-ecbfb57a0a2d", @@ -2080,7 +2088,7 @@ "value": "Lock User Out of Device - T1446" }, { - "description": "An adversary who is able to obtain unauthorized access to or misuse authorized access to cloud services (e.g. Google's Android Device Manager or Apple iCloud's Find my iPhone) or to an enterprise mobility management (EMM) / mobile device management (MDM) server console could use that access to track mobile devices.", + "description": "An adversary who is able to obtain unauthorized access to or misuse authorized access to cloud services (e.g. Google's Android Device Manager or Apple iCloud's Find my iPhone) or to an enterprise mobility management (EMM) / mobile device management (MDM) server console could use that access to track mobile devices.(Citation: Krebs-Location)", "meta": { "external_id": "EMM-7", "kill_chain": [ @@ -2093,7 +2101,8 @@ "refs": [ "https://attack.mitre.org/techniques/T1468", "https://pages.nist.gov/mobile-threat-catalogue/ecosystem-threats/ECO-5.html", - "https://pages.nist.gov/mobile-threat-catalogue/emm-threats/EMM-7.html" + "https://pages.nist.gov/mobile-threat-catalogue/emm-threats/EMM-7.html", + "https://krebsonsecurity.com/2018/05/tracking-firm-locationsmart-leaked-location-data-for-customers-of-all-major-u-s-mobile-carriers-in-real-time-via-its-web-site/" ] }, "uuid": "6f86d346-f092-4abc-80df-8558a90c426a", @@ -2184,6 +2193,38 @@ "uuid": "58d0b955-ae3d-424a-a537-2804dab38793", "value": "Unconditional client-side exploitation/Injected Website/Driveby - T1372" }, + { + "description": "Link-Local Multicast Name Resolution (LLMNR) and NetBIOS Name Service (NBT-NS) are Microsoft Windows components that serve as alternate methods of host identification. LLMNR is based upon the Domain Name System (DNS) format and allows hosts on the same local link to perform name resolution for other hosts. NBT-NS identifies systems on a local network by their NetBIOS name. (Citation: Wikipedia LLMNR) (Citation: TechNet NetBIOS)\n\nAdversaries can spoof an authoritative source for name resolution on a victim network by responding to LLMNR (UDP 5355)/NBT-NS (UDP 137) traffic as if they know the identity of the requested host, effectively poisoning the service so that the victims will communicate with the adversary controlled system. If the requested host belongs to a resource that requires identification/authentication, the username and NTLMv2 hash will then be sent to the adversary controlled system. The adversary can then collect the hash information sent over the wire through tools that monitor the ports for traffic or through [Network Sniffing](https://attack.mitre.org/techniques/T1040) and crack the hashes offline through [Brute Force](https://attack.mitre.org/techniques/T1110) to obtain the plaintext passwords. In some cases where an adversary has access to a system that is in the authentication path between systems or when automated scans that use credentials attempt to authenticate to an adversary controlled system, the NTLMv2 hashes can be intercepted and relayed to access and execute code against a target system. The relay step can happen in conjunction with poisoning but may also be independent of it. (Citation: byt3bl33d3r NTLM Relaying)(Citation: Secure Ideas SMB Relay)\n\nSeveral tools exist that can be used to poison name services within local networks such as NBNSpoof, Metasploit, and [Responder](https://attack.mitre.org/software/S0174). (Citation: GitHub NBNSpoof) (Citation: Rapid7 LLMNR Spoofer) (Citation: GitHub Responder)", + "meta": { + "external_id": "T1171", + "kill_chain": [ + "mitre-attack:credential-access" + ], + "mitre_data_sources": [ + "Windows event logs", + "Windows Registry", + "Packet capture", + "Netflow/Enclave netflow" + ], + "mitre_platforms": [ + "Windows" + ], + "refs": [ + "https://attack.mitre.org/techniques/T1171", + "https://en.wikipedia.org/wiki/Link-Local_Multicast_Name_Resolution", + "https://technet.microsoft.com/library/cc958811.aspx", + "https://byt3bl33d3r.github.io/practical-guide-to-ntlm-relaying-in-2017-aka-getting-a-foothold-in-under-5-minutes.html", + "https://blog.secureideas.com/2018/04/ever-run-a-relay-why-smb-relays-should-be-on-your-mind.html", + "https://github.com/nomex/nbnspoof", + "https://www.rapid7.com/db/modules/auxiliary/spoof/llmnr/llmnr_response", + "https://github.com/SpiderLabs/Responder", + "https://www.sternsecurity.com/blog/local-network-attacks-llmnr-and-nbt-ns-poisoning", + "https://github.com/Kevin-Robertson/Conveigh" + ] + }, + "uuid": "0dbf5f1b-a560-4d51-ac1b-d70caab3e1f0", + "value": "LLMNR/NBT-NS Poisoning and Relay - T1171" + }, { "description": "Google and Apple provide Google Cloud Messaging and Apple Push Notification Service, respectively, services designed to enable efficient communication between third-party mobile app backend servers and the mobile apps running on individual devices. These services maintain an encrypted connection between every mobile device and Google or Apple that cannot easily be inspected and must be allowed to traverse networks as part of normal device operation. These services could be used by adversaries for communication to compromised mobile devices. (Citation: Securelist Mobile Malware 2013) (Citation: DroydSeuss)", "meta": { @@ -2229,7 +2270,7 @@ "value": "Standard Non-Application Layer Protocol - T1095" }, { - "description": "An adversary could set up unauthorized Wi-Fi access points or compromise existing access points and, if the device connects to them, carry out network-based attacks such as eavesdropping on or modifying network communication as described in NIST SP 800-153 (Citation: NIST-SP800153). \n\nFor example, Kaspersky describes a threat actor they call DarkHotel that targeted hotel Wi-Fi networks, using them to compromise computers belonging to business executives (Citation: Kaspersky-DarkHotel).", + "description": "An adversary could set up unauthorized Wi-Fi access points or compromise existing access points and, if the device connects to them, carry out network-based attacks such as eavesdropping on or modifying network communication(Citation: NIST-SP800153)(Citation: Kaspersky-DarkHotel).", "meta": { "external_id": "LPN-0", "kill_chain": [ @@ -2250,7 +2291,7 @@ "value": "Rogue Wi-Fi Access Points - T1465" }, { - "description": "Adversaries may use [Obfuscated Files or Information](https://attack.mitre.org/techniques/T1027) to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware, [Scripting](https://attack.mitre.org/techniques/T1064), [PowerShell](https://attack.mitre.org/techniques/T1086), or by using utilities present on the system.\n\nOne such example is use of [certutil](https://attack.mitre.org/software/S0160) to decode a remote access tool portable executable file that has been hidden inside a certificate file. (Citation: Malwarebytes Targeted Attack against Saudi Arabia)\n\nAnother example is using the Windows copy /b command to reassemble binary fragments into a malicious payload. (Citation: Carbon Black Obfuscation Sept 2016)\n\nPayloads may be compressed, archived, or encrypted in order to avoid detection. These payloads may be used with [Obfuscated Files or Information](https://attack.mitre.org/techniques/T1027) during Initial Access or later to mitigate detection. Sometimes a user's action may be required to open it for deobfuscation or decryption as part of [User Execution](https://attack.mitre.org/techniques/T1204). The user may also be required to input a password to open a password protected compressed/encrypted file that was provided by the adversary. (Citation: Volexity PowerDuke November 2016) Adversaries may also used compressed or archived scripts, such as Javascript.", + "description": "Adversaries may use [Obfuscated Files or Information](https://attack.mitre.org/techniques/T1027) to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware, [Scripting](https://attack.mitre.org/techniques/T1064), [PowerShell](https://attack.mitre.org/techniques/T1086), or by using utilities present on the system.\n\nOne such example is use of [certutil](https://attack.mitre.org/software/S0160) to decode a remote access tool portable executable file that has been hidden inside a certificate file. (Citation: Malwarebytes Targeted Attack against Saudi Arabia)\n\nAnother example is using the Windows copy /b command to reassemble binary fragments into a malicious payload. (Citation: Carbon Black Obfuscation Sept 2016)\n\nPayloads may be compressed, archived, or encrypted in order to avoid detection. These payloads may be used with [Obfuscated Files or Information](https://attack.mitre.org/techniques/T1027) during Initial Access or later to mitigate detection. Sometimes a user's action may be required to open it for deobfuscation or decryption as part of [User Execution](https://attack.mitre.org/techniques/T1204). The user may also be required to input a password to open a password protected compressed/encrypted file that was provided by the adversary. (Citation: Volexity PowerDuke November 2016) Adversaries may also used compressed or archived scripts, such as Javascript.", "meta": { "external_id": "T1140", "kill_chain": [ @@ -2266,8 +2307,8 @@ ], "refs": [ "https://attack.mitre.org/techniques/T1140", - "https://www.carbonblack.com/2016/09/23/security-advisory-variants-well-known-adware-families-discovered-include-sophisticated-obfuscation-techniques-previously-associated-nation-state-attacks/", "https://blog.malwarebytes.com/cybercrime/social-engineering-cybercrime/2017/03/new-targeted-attack-saudi-arabia-government/", + "https://www.carbonblack.com/2016/09/23/security-advisory-variants-well-known-adware-families-discovered-include-sophisticated-obfuscation-techniques-previously-associated-nation-state-attacks/", "https://www.volexity.com/blog/2016/11/09/powerduke-post-election-spear-phishing-campaigns-targeting-think-tanks-and-ngos/" ] }, @@ -2668,10 +2709,10 @@ "https://www.fireeye.com/blog/threat-research/2017/06/obfuscation-in-the-wild.html", "https://www.fireeye.com/content/dam/fireeye-www/blog/pdfs/revoke-obfuscation-report.pdf", "https://researchcenter.paloaltonetworks.com/2017/03/unit42-pulling-back-the-curtains-on-encodedcommand-powershell-attacks/", - "https://github.com/danielbohannon/Revoke-Obfuscation", - "https://github.com/itsreallynick/office-crackros", "https://en.wikipedia.org/wiki/Duqu", - "https://securingtomorrow.mcafee.com/mcafee-labs/malicious-document-targets-pyeongchang-olympics/" + "https://securingtomorrow.mcafee.com/mcafee-labs/malicious-document-targets-pyeongchang-olympics/", + "https://github.com/danielbohannon/Revoke-Obfuscation", + "https://github.com/itsreallynick/office-crackros" ] }, "uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", @@ -2836,7 +2877,7 @@ "value": "File System Permissions Weakness - T1044" }, { - "description": "An app could contain malicious code in obfuscated or encrypted form, then deobfuscate or decrypt the code at runtime to evade many app vetting techniques, as described in (Citation: Rastogi) (Citation: Zhou) (Citation: TrendMicro-Obad) (Citation: Xiao-iOS).", + "description": "An app could contain malicious code in obfuscated or encrypted form, then deobfuscate or decrypt the code at runtime to evade many app vetting techniques.(Citation: Rastogi) (Citation: Zhou) (Citation: TrendMicro-Obad) (Citation: Xiao-iOS)", "meta": { "external_id": "APP-21", "kill_chain": [ @@ -2856,7 +2897,7 @@ ] }, "uuid": "d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a", - "value": "Obfuscated or Encrypted Payload - T1406" + "value": "Obfuscated Files or Information - T1406" }, { "description": "An adversary who is able to obtain unauthorized access to or misuse authorized access to cloud backup services (e.g. Google's Android backup service or Apple's iCloud) could use that access to obtain sensitive data stored in device backups. For example, the Elcomsoft Phone Breaker product advertises the ability to retrieve iOS backup data from Apple's iCloud (Citation: Elcomsoft-EPPB). Elcomsoft also describes (Citation: Elcomsoft-WhatsApp) obtaining WhatsApp communication histories from backups stored in iCloud.", @@ -3123,7 +3164,7 @@ "value": "Exploitation for Credential Access - T1212" }, { - "description": "The (Citation: Microsoft Component Object Model) (COM) is a system within Windows to enable interaction between software components through the operating system. (Citation: Microsoft Component Object Model) Adversaries can use this system to insert malicious code that can be executed in place of legitimate software through hijacking the COM references and relationships as a means for persistence. Hijacking a COM object requires a change in the Windows Registry to replace a reference to a legitimate system component which may cause that component to not work when executed. When that system component is executed through normal system operation the adversary's code will be executed instead. (Citation: GDATA COM Hijacking) An adversary is likely to hijack objects that are used frequently enough to maintain a consistent level of persistence, but are unlikely to break noticeable functionality within the system as to avoid system instability that could lead to detection.", + "description": "The Component Object Model (COM) is a system within Windows to enable interaction between software components through the operating system. (Citation: Microsoft Component Object Model) Adversaries can use this system to insert malicious code that can be executed in place of legitimate software through hijacking the COM references and relationships as a means for persistence. Hijacking a COM object requires a change in the Windows Registry to replace a reference to a legitimate system component which may cause that component to not work when executed. When that system component is executed through normal system operation the adversary's code will be executed instead. (Citation: GDATA COM Hijacking) An adversary is likely to hijack objects that are used frequently enough to maintain a consistent level of persistence, but are unlikely to break noticeable functionality within the system as to avoid system instability that could lead to detection.", "meta": { "external_id": "T1122", "kill_chain": [ @@ -3191,7 +3232,7 @@ ] }, "uuid": "dd818ea5-adf5-41c7-93b5-f3b839a219fb", - "value": "Local Network Connections Discovery - T1421" + "value": "System Network Connections Discovery - T1421" }, { "description": "Loadable Kernel Modules (or LKMs) are pieces of code that can be loaded and unloaded into the kernel upon demand. They extend the functionality of the kernel without the need to reboot the system. For example, one type of module is the device driver, which allows the kernel to access hardware connected to the system. (Citation: Linux Kernel Programming) When used maliciously, Loadable Kernel Modules (LKMs) can be a type of kernel-mode [Rootkit](https://attack.mitre.org/techniques/T1014) that run with the highest operating system privilege (Ring 0). (Citation: Linux Kernel Module Programming Guide) Adversaries can use loadable kernel modules to covertly persist on a system and evade defenses. Examples have been found in the wild and there are some open source projects. (Citation: Volatility Phalanx2) (Citation: CrowdStrike Linux Rootkit) (Citation: GitHub Reptile) (Citation: GitHub Diamorphine)\n\nCommon features of LKM based rootkits include: hiding itself, selective hiding of files, processes and network activity, as well as log tampering, providing authenticated backdoors and enabling root access to non-privileged users. (Citation: iDefense Rootkit Overview)\n\nKernel extensions, also called kext, are used for macOS to load functionality onto a system similar to LKMs for Linux. They are loaded and unloaded through kextload and kextunload commands. Several examples have been found where this can be used. (Citation: RSAC 2015 San Francisco Patrick Wardle) (Citation: Synack Secure Kernel Extension Broken) Examples have been found in the wild. (Citation: Securelist Ventir)", @@ -3277,7 +3318,7 @@ "value": "Signed Script Proxy Execution - T1216" }, { - "description": "Binaries signed with trusted digital certificates can execute on Windows systems protected by digital signature validation. Several Microsoft signed binaries that are default on Windows installations can be used to proxy execution of other files. This behavior may be abused by adversaries to execute malicious files that could bypass application whitelisting and signature validation on systems. This technique accounts for proxy execution methods that are not already accounted for within the existing techniques.\n\n### Mavinject.exe\nMavinject.exe is a Windows utility that allows for code execution. Mavinject can be used to input a DLL into a running process. (Citation: Twitter gN3mes1s Status Update MavInject32)\n\n\"C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\MavInject32.exe\" /INJECTRUNNING \nC:\\Windows\\system32\\mavinject.exe /INJECTRUNNING \n\n### SyncAppvPublishingServer.exe\nSyncAppvPublishingServer.exe can be used to run powershell scripts without executing powershell.exe. (Citation: Twitter monoxgas Status Update SyncAppvPublishingServer)\n\nSeveral others binaries exist that may be used to perform similar behavior. (Citation: GitHub Ultimate AppLocker Bypass List)", + "description": "Binaries signed with trusted digital certificates can execute on Windows systems protected by digital signature validation. Several Microsoft signed binaries that are default on Windows installations can be used to proxy execution of other files. This behavior may be abused by adversaries to execute malicious files that could bypass application whitelisting and signature validation on systems. This technique accounts for proxy execution methods that are not already accounted for within the existing techniques.\n\n### Msiexec.exe\nMsiexec.exe is the command-line Windows utility for the Windows Installer. Adversaries may use msiexec.exe to launch malicious MSI files for code execution. An adversary may use it to launch local or network accessible MSI files.(Citation: LOLBAS Msiexec)(Citation: Rancor Unit42 June 2018)(Citation: TrendMicro Msiexec Feb 2018) Msiexec.exe may also be used to execute DLLs.(Citation: LOLBAS Msiexec)\n\n* msiexec.exe /q /i \"C:\\path\\to\\file.msi\"\n* msiexec.exe /q /i http[:]//site[.]com/file.msi\n* msiexec.exe /y \"C:\\path\\to\\file.dll\"\n\n### Mavinject.exe\nMavinject.exe is a Windows utility that allows for code execution. Mavinject can be used to input a DLL into a running process. (Citation: Twitter gN3mes1s Status Update MavInject32)\n\n* \"C:\\Program Files\\Common Files\\microsoft shared\\ClickToRun\\MavInject32.exe\" <PID> /INJECTRUNNING <PATH DLL>\n* C:\\Windows\\system32\\mavinject.exe <PID> /INJECTRUNNING <PATH DLL>\n\n### SyncAppvPublishingServer.exe\nSyncAppvPublishingServer.exe can be used to run PowerShell scripts without executing powershell.exe. (Citation: Twitter monoxgas Status Update SyncAppvPublishingServer)\n\n### Odbcconf.exe\nOdbcconf.exe is a Windows utility that allows you to configure Open Database Connectivity (ODBC) drivers and data source names.(Citation: Microsoft odbcconf.exe) The utility can be misused to execute functionality equivalent to [Regsvr32](https://attack.mitre.org/techniques/T1117) with the REGSVR option to execute a DLL.(Citation: LOLBAS Odbcconf)(Citation: TrendMicro Squiblydoo Aug 2017)(Citation: TrendMicro Cobalt Group Nov 2017)\n\n* odbcconf.exe /S /A {REGSVR \"C:\\Users\\Public\\file.dll\"}\n\nSeveral other binaries exist that may be used to perform similar behavior. (Citation: GitHub Ultimate AppLocker Bypass List)", "meta": { "external_id": "T1218", "kill_chain": [ @@ -3293,8 +3334,15 @@ ], "refs": [ "https://attack.mitre.org/techniques/T1218", + "https://lolbas-project.github.io/lolbas/Binaries/Msiexec/", + "https://researchcenter.paloaltonetworks.com/2018/06/unit42-rancor-targeted-attacks-south-east-asia-using-plaintee-ddkong-malware-families/", + "https://blog.trendmicro.com/trendlabs-security-intelligence/attack-using-windows-installer-msiexec-exe-leads-lokibot/", "https://twitter.com/gn3mes1s/status/941315826107510784", "https://twitter.com/monoxgas/status/895045566090010624", + "https://docs.microsoft.com/en-us/sql/odbc/odbcconf-exe?view=sql-server-2017", + "https://lolbas-project.github.io/lolbas/Binaries/Odbcconf/", + "https://blog.trendmicro.com/trendlabs-security-intelligence/backdoor-carrying-emails-set-sights-on-russian-speaking-businesses/", + "https://blog.trendmicro.com/trendlabs-security-intelligence/cobalt-spam-runs-use-macros-cve-2017-8759-exploit/", "https://github.com/api0cradle/UltimateAppLockerByPassList" ] }, @@ -3302,7 +3350,7 @@ "value": "Signed Binary Proxy Execution - T1218" }, { - "description": "The Windows module loader can be instructed to load DLLs from arbitrary local paths and arbitrary Universal Naming Convention (UNC) network paths. This functionality resides in NTDLL.dll and is part of the Windows Native API which is called from functions like CreateProcess(), LoadLibrary(), etc. of the Win32 API. (Citation: Wikipedia Windows Library Files)\n\nThe module loader can load DLLs:\n\n* via specification of the (fully-qualified or relative) DLL pathname in the IMPORT directory;\n \n* via EXPORT forwarded to another DLL, specified with (fully-qualified or relative) pathname (but without extension);\n \n* via an NTFS junction or symlink program.exe.local with the fully-qualified or relative pathname of a directory containing the DLLs specified in the IMPORT directory or forwarded EXPORTs;\n \n* via in an embedded or external \"application manifest\". The file name refers to an entry in the IMPORT directory or a forwarded EXPORT.\n\nAdversaries can use this functionality as a way to execute arbitrary code on a system.", + "description": "The Windows module loader can be instructed to load DLLs from arbitrary local paths and arbitrary Universal Naming Convention (UNC) network paths. This functionality resides in NTDLL.dll and is part of the Windows Native API which is called from functions like CreateProcess(), LoadLibrary(), etc. of the Win32 API. (Citation: Wikipedia Windows Library Files)\n\nThe module loader can load DLLs:\n\n* via specification of the (fully-qualified or relative) DLL pathname in the IMPORT directory;\n \n* via EXPORT forwarded to another DLL, specified with (fully-qualified or relative) pathname (but without extension);\n \n* via an NTFS junction or symlink program.exe.local with the fully-qualified or relative pathname of a directory containing the DLLs specified in the IMPORT directory or forwarded EXPORTs;\n \n* via <file name=\"filename.extension\" loadFrom=\"fully-qualified or relative pathname\"> in an embedded or external \"application manifest\". The file name refers to an entry in the IMPORT directory or a forwarded EXPORT.\n\nAdversaries can use this functionality as a way to execute arbitrary code on a system.", "meta": { "external_id": "T1129", "kill_chain": [ @@ -3381,24 +3429,6 @@ "uuid": "357e137c-7589-4af1-895c-3fbad35ea4d2", "value": "Obfuscate or encrypt code - T1319" }, - { - "description": "An adversary may encrypt files stored on the mobile device to prevent the user from accessing them, only unlocking access to the files after a ransom is paid. Without escalated privileges, the adversary is generally limited to only encrypting files in external/shared storage locations. This technique has been demonstrated on Android, and we are unaware of any demonstrated use on iOS.", - "meta": { - "external_id": "APP-28", - "kill_chain": [ - "mitre-mobile-attack:effects" - ], - "mitre_platforms": [ - "Android" - ], - "refs": [ - "https://attack.mitre.org/techniques/T1471", - "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-28.html" - ] - }, - "uuid": "d9e88203-2b5d-405f-a406-2933b1e3d7e4", - "value": "Encrypt Files for Ransom - T1471" - }, { "description": "Windows Distributed Component Object Model (DCOM) is transparent middleware that extends the functionality of Component Object Model (COM) (Citation: Microsoft COM) beyond a local computer using remote procedure call (RPC) technology. COM is a component of the Windows application programming interface (API) that enables interaction between software objects. Through COM, a client object can call methods of server objects, which are typically Dynamic Link Libraries (DLL) or executables (EXE).\n\nPermissions to interact with local and remote server COM objects are specified by access control lists (ACL) in the Registry. (Citation: Microsoft COM ACL) (Citation: Microsoft Process Wide Com Keys) (Citation: Microsoft System Wide Com Keys) By default, only Administrators may remotely activate and launch COM objects through DCOM.\n\nAdversaries may use DCOM for lateral movement. Through DCOM, adversaries operating in the context of an appropriately privileged user can remotely obtain arbitrary and even direct shellcode execution through Office applications (Citation: Enigma Outlook DCOM Lateral Movement Nov 2017) as well as other Windows objects that contain insecure methods. (Citation: Enigma MMC20 COM Jan 2017) (Citation: Enigma DCOM Lateral Movement Jan 2017) DCOM can also execute macros in existing documents (Citation: Enigma Excel DCOM Sept 2017) and may also invoke [Dynamic Data Exchange](https://attack.mitre.org/techniques/T1173) (DDE) execution directly through a COM created instance of a Microsoft Office application (Citation: Cyberreason DCOM DDE Lateral Movement Nov 2017), bypassing the need for a malicious document.\n\nDCOM may also expose functionalities that can be leveraged during other areas of the adversary chain of activity such as Privilege Escalation and Persistence. (Citation: ProjectZero File Write EoP Apr 2018)", "meta": { @@ -3507,7 +3537,7 @@ ] }, "uuid": "d4536441-1bcc-49fa-80ae-a596ed3f7ffd", - "value": "Local Network Configuration Discovery - T1422" + "value": "System Network Configuration Discovery - T1422" }, { "description": "Analysts identify gap areas that generate a compelling need to generate a Key Intelligence Topic (KIT) or Key Intelligence Question (KIQ). (Citation: BrighthubGapAnalysis) (Citation: ICD115) (Citation: JP2-01)", @@ -3707,7 +3737,7 @@ "value": "Post compromise tool development - T1353" }, { - "description": "Adversaries may communicate using a common, standardized application layer protocol such as HTTP, HTTPS, SMTP, or DNS to avoid detection by blending in with existing traffic.\n\nIn the mobile environment, the Google Cloud Messaging (GCM; two-way) and Apple Push Notification Service (APNS; one-way server-to-device) are commonly used protocols on Android and iOS respectively that would blend in with routine device traffic and are difficult for enterprises to inspect. As described by Kaspersky (Citation: Kaspersky-MobileMalware), Google responds to reports of abuse by blocking access to GCM.", + "description": "Adversaries may communicate using a common, standardized application layer protocol such as HTTP, HTTPS, SMTP, or DNS to avoid detection by blending in with existing traffic.\n\nIn the mobile environment, the Google Cloud Messaging (GCM; two-way) and Apple Push Notification Service (APNS; one-way server-to-device) are commonly used protocols on Android and iOS respectively that would blend in with routine device traffic and are difficult for enterprises to inspect. Google reportedly responds to reports of abuse by blocking access to GCM.(Citation: Kaspersky-MobileMalware)", "meta": { "external_id": "APP-29", "kill_chain": [ @@ -3770,7 +3800,7 @@ "value": "Targeted social media phishing - T1366" }, { - "description": "If an adversary can escalate privileges, he or she may be able to use those privileges to place malicious code in the device's Trusted Execution Environment (TEE) or other similar isolated execution environment where the code can evade detection, may persist after device resets, and may not be removable by the device user. Running code within the TEE may provide an adversary with the ability to monitor or tamper with overall device behavior.\n\nThomas Roth describes the potential for placing a rootkit within the TrustZone secure world (Citation: Roth-Rootkits).", + "description": "If an adversary can escalate privileges, he or she may be able to use those privileges to place malicious code in the device's Trusted Execution Environment (TEE) or other similar isolated execution environment where the code can evade detection, may persist after device resets, and may not be removable by the device user. Running code within the TEE may provide an adversary with the ability to monitor or tamper with overall device behavior.(Citation: Roth-Rootkits)", "meta": { "external_id": "APP-27", "kill_chain": [ @@ -3791,7 +3821,7 @@ "value": "Modify Trusted Execution Environment - T1399" }, { - "description": "A malicious app could use standard Android APIs to send SMS messages. SMS messages could potentially be sent to premium numbers that charge the device owner and generate revenue for an adversary, for example as described by Lookout in (Citation: Lookout-SMS).\n\nOn iOS, apps cannot send SMS messages.\n\nOn Android, apps must hold the SEND_SMS permission to send SMS messages. Additionally, Android version 4.2 and above has mitigations against this threat by requiring user consent before allowing SMS messages to be sent to premium numbers (Citation: AndroidSecurity2014).", + "description": "A malicious app could use standard Android APIs to send SMS messages. SMS messages could potentially be sent to premium numbers that charge the device owner and generate revenue for an adversary(Citation: Lookout-SMS).\n\nOn iOS, apps cannot send SMS messages.\n\nOn Android, apps must hold the SEND_SMS permission to send SMS messages. Additionally, Android version 4.2 and above has mitigations against this threat by requiring user consent before allowing SMS messages to be sent to premium numbers (Citation: AndroidSecurity2014).", "meta": { "external_id": "T1448", "kill_chain": [ @@ -3810,7 +3840,7 @@ "value": "Premium SMS Toll Fraud - T1448" }, { - "description": "An adversary could cause the mobile device to use less secure protocols, for example by jamming frequencies used by newer protocols such as LTE and only allowing older protocols such as GSM to communicate as described in NIST SP 800-187 (Citation: NIST-SP800187). Use of less secure protocols may make communication easier to eavesdrop upon or manipulate.", + "description": "An adversary could cause the mobile device to use less secure protocols, for example by jamming frequencies used by newer protocols such as LTE and only allowing older protocols such as GSM to communicate(Citation: NIST-SP800187). Use of less secure protocols may make communication easier to eavesdrop upon or manipulate.", "meta": { "external_id": "CEL-3", "kill_chain": [ @@ -3830,7 +3860,7 @@ "value": "Downgrade to Insecure Protocols - T1466" }, { - "description": "An adversary could set up a rogue cellular base station and then use it to eavesdrop on or manipulate cellular device communication. For example, Ritter and DePerry of iSEC Partners demonstrated this technique using a compromised cellular femtocell at Black Hat USA 2013 (Citation: Computerworld-Femtocell).", + "description": "An adversary could set up a rogue cellular base station and then use it to eavesdrop on or manipulate cellular device communication. A compromised cellular femtocell could be used to carry out this technique(Citation: Computerworld-Femtocell).", "meta": { "external_id": "CEL-7", "kill_chain": [ @@ -3850,7 +3880,36 @@ "value": "Rogue Cellular Base Station - T1467" }, { - "description": "The mobile device may be targeted for exploitation through its interface to cellular networks or other radio interfaces.\n\n### Baseband Vulnerability Exploitation\n\nA message sent over a radio interface (typically cellular, but potentially Bluetooth, GPS, NFC, Wi-Fi or other) to the mobile device could exploit a vulnerability in code running on the device. D. Komaromy and N. Golde demonstrated baseband exploitation of a Samsung mobile device at the PacSec 2015 security conference. (Citation: Register-BaseStation) Weinmann described and demonstrated \"the risk of remotely exploitable memory corruptions in cellular baseband stacks.\" (Citation: Weinmann-Baseband)\n\n### Malicious SMS Message\n\nAn SMS message could contain content designed to exploit vulnerabilities in the SMS parser on the receiving device. For example, Mulliner and Miller demonstrated such an attack against the iPhone in 2009. (Citation: Forbes-iPhoneSMS) An SMS message could also contain a link to a web site containing malicious content designed to exploit the device web browser. Vulnerable SIM cards may be remotely exploited and reprogrammed via SMS messages. (Citation: SRLabs-SIMCard)", + "description": "Adversaries may encrypt data on target systems or on large numbers of systems in a network to interrupt availability to system and network resources. They can attempt to render stored data inaccessible by encrypting files or data on local and remote drives and withholding access to a decryption key. This may be done in order to extract monetary compensation from a victim in exchange for decryption or a decryption key (ransomware) or to render data permanently inaccessible in cases where the key is not saved or transmitted.(Citation: US-CERT Ransomware 2016)(Citation: FireEye WannaCry 2017)(Citation: US-CERT NotPetya 2017)(Citation: US-CERT SamSam 2018) In the case of ransomware, it is typical that common user files like Office documents, PDFs, images, videos, audio, text, and source code files will be encrypted. In some cases, adversaries may encrypt critical system files, disk partitions, and the MBR.(Citation: US-CERT NotPetya 2017)\n\nTo maximize impact on the target organization, malware designed for encrypting data may have worm-like features to propagate across a network by leveraging other attack techniques like [Valid Accounts](https://attack.mitre.org/techniques/T1078), [Credential Dumping](https://attack.mitre.org/techniques/T1003), and [Windows Admin Shares](https://attack.mitre.org/techniques/T1077).(Citation: FireEye WannaCry 2017)(Citation: US-CERT NotPetya 2017)", + "meta": { + "external_id": "T1486", + "kill_chain": [ + "mitre-attack:impact" + ], + "mitre_data_sources": [ + "Kernel drivers", + "File monitoring", + "Process command-line parameters", + "Process monitoring" + ], + "mitre_platforms": [ + "Linux", + "macOS", + "Windows" + ], + "refs": [ + "https://attack.mitre.org/techniques/T1486", + "https://www.us-cert.gov/ncas/alerts/TA16-091A", + "https://www.fireeye.com/blog/threat-research/2017/05/wannacry-malware-profile.html", + "https://www.us-cert.gov/ncas/alerts/TA17-181A", + "https://www.us-cert.gov/ncas/alerts/AA18-337A" + ] + }, + "uuid": "b80d107d-fa0d-4b60-9684-b0433e8bdba0", + "value": "Data Encrypted for Impact - T1486" + }, + { + "description": "The mobile device may be targeted for exploitation through its interface to cellular networks or other radio interfaces.\n\n### Baseband Vulnerability Exploitation\n\nA message sent over a radio interface (typically cellular, but potentially Bluetooth, GPS, NFC, Wi-Fi(Citation: ProjectZero-BroadcomWiFi) or other) to the mobile device could exploit a vulnerability in code running on the device(Citation: Register-BaseStation)(Citation: Weinmann-Baseband).\n\n### Malicious SMS Message\n\nAn SMS message could contain content designed to exploit vulnerabilities in the SMS parser on the receiving device(Citation: Forbes-iPhoneSMS). An SMS message could also contain a link to a web site containing malicious content designed to exploit the device web browser. Vulnerable SIM cards may be remotely exploited and reprogrammed via SMS messages(Citation: SRLabs-SIMCard).", "meta": { "external_id": "T1477", "kill_chain": [ @@ -3862,6 +3921,7 @@ ], "refs": [ "https://attack.mitre.org/techniques/T1477", + "https://googleprojectzero.blogspot.com/2017/04/over-air-exploiting-broadcoms-wi-fi_4.html", "http://www.theregister.co.uk/2015/11/12/mobile_pwn2own1/", "https://www.usenix.org/system/files/conference/woot12/woot12-final24.pdf", "http://www.forbes.com/2009/07/28/hackers-iphone-apple-technology-security-hackers.html", @@ -3871,6 +3931,86 @@ "uuid": "2d646840-f6f5-4619-a5a8-29c8316bbac5", "value": "Exploit via Radio Interfaces - T1477" }, + { + "description": "Adversaries may perform Network Denial of Service (DoS) attacks to degrade or block the availability of targeted resources to users. Network DoS can be performed by exhausting the network bandwidth services rely on. Example resources include specific websites, email services, DNS, and web-based applications. Adversaries have been observed conducting network DoS attacks for political purposes(Citation: FireEye OpPoisonedHandover February 2016) and to support other malicious activities, including distraction(Citation: FSISAC FraudNetDoS September 2012), hacktivism, and extortion.(Citation: Symantec DDoS October 2014)\n\nA Network DoS will occur when the bandwidth capacity of the network connection to a system is exhausted due to the volume of malicious traffic directed at the resource or the network connections and network devices the resource relies on. For example, an adversary may send 10Gbps of traffic to a server that is hosted by a network with a 1Gbps connection to the internet. This traffic can be generated by a single system or multiple systems spread across the internet, which is commonly referred to as a distributed DoS (DDoS). Many different methods to accomplish such network saturation have been observed, but most fall into two main categories: Direct Network Floods and Reflection Amplification.\n\nTo perform Network DoS attacks several aspects apply to multiple methods, including IP address spoofing, and botnets.\n\nAdversaries may use the original IP address of an attacking system, or spoof the source IP address to make the attack traffic more difficult to trace back to the attacking system or to enable reflection. This can increase the difficulty defenders have in defending against the attack by reducing or eliminating the effectiveness of filtering by the source address on network defense devices.\n\nBotnets are commonly used to conduct DDoS attacks against networks and services. Large botnets can generate a significant amount of traffic from systems spread across the global internet. Adversaries may have the resources to build out and control their own botnet infrastructure or may rent time on an existing botnet to conduct an attack. In some of the worst cases for DDoS, so many systems are used to generate the flood that each one only needs to send out a small amount of traffic to produce enough volume to saturate the target network. In such circumstances, distinguishing DDoS traffic from legitimate clients becomes exceedingly difficult. Botnets have been used in some of the most high-profile DDoS attacks, such as the 2012 series of incidents that targeted major US banks.(Citation: USNYAG IranianBotnet March 2016)\n\nFor DoS attacks targeting the hosting system directly, see [Endpoint Denial of Service](https://attack.mitre.org/techniques/T1499).\n\n###Direct Network Flood###\n\nDirect Network Floods are when one or more systems are used to send a high-volume of network packets towards the targeted service's network. Almost any network protocol may be used for Direct Network Floods. Stateless protocols such as UDP or ICMP are commonly used but stateful protocols such as TCP can be used as well.\n\n###Reflection Amplification###\n\nAdversaries may amplify the volume of their attack traffic by using Reflection. This type of Network DoS takes advantage of a third-party server intermediary that hosts and will respond to a given spoofed source IP address. This third-party server is commonly termed a reflector. An adversary accomplishes a reflection attack by sending packets to reflectors with the spoofed address of the victim. Similar to Direct Network Floods, more than one system may be used to conduct the attack, or a botnet may be used. Likewise, one or more reflector may be used to focus traffic on the target.(Citation: Cloudflare ReflectionDoS May 2017)\n\nReflection attacks often take advantage of protocols with larger responses than requests in order to amplify their traffic, commonly known as a Reflection Amplification attack. Adversaries may be able to generate an increase in volume of attack traffic that is several orders of magnitude greater than the requests sent to the amplifiers. The extent of this increase will depending upon many variables, such as the protocol in question, the technique used, and the amplifying servers that actually produce the amplification in attack volume. Two prominent protocols that have enabled Reflection Amplification Floods are DNS(Citation: Cloudflare DNSamplficationDoS) and NTP(Citation: Cloudflare NTPamplifciationDoS), though the use of several others in the wild have been documented.(Citation: Arbor AnnualDoSreport Jan 2018) In particular, the memcache protocol showed itself to be a powerful protocol, with amplification sizes up to 51,200 times the requesting packet.(Citation: Cloudflare Memcrashed Feb 2018)", + "meta": { + "external_id": "T1498", + "kill_chain": [ + "mitre-attack:impact" + ], + "mitre_data_sources": [ + "Sensor health and status", + "Network protocol analysis", + "Netflow/Enclave netflow", + "Network intrusion detection system", + "Network device logs" + ], + "mitre_platforms": [ + "Linux", + "macOS", + "Windows" + ], + "refs": [ + "https://attack.mitre.org/techniques/T1498", + "https://www.fireeye.com/blog/threat-research/2014/11/operation-poisoned-handover-unveiling-ties-between-apt-activity-in-hong-kongs-pro-democracy-movement.html", + "https://www.ic3.gov/media/2012/FraudAlertFinancialInstitutionEmployeeCredentialsTargeted.pdf", + "https://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/the-continued-rise-of-ddos-attacks.pdf", + "https://www.justice.gov/opa/pr/seven-iranians-working-islamic-revolutionary-guard-corps-affiliated-entities-charged", + "https://blog.cloudflare.com/reflections-on-reflections/", + "https://www.cloudflare.com/learning/ddos/dns-amplification-ddos-attack/", + "https://www.cloudflare.com/learning/ddos/ntp-amplification-ddos-attack/", + "https://pages.arbornetworks.com/rs/082-KNA-087/images/13th_Worldwide_Infrastructure_Security_Report.pdf", + "https://blog.cloudflare.com/memcrashed-major-amplification-attacks-from-port-11211/", + "https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/netflow/configuration/15-mt/nf-15-mt-book/nf-detct-analy-thrts.pdf" + ] + }, + "uuid": "d74c4a7e-ffbf-432f-9365-7ebf1f787cab", + "value": "Network Denial of Service - T1498" + }, + { + "description": "Adversaries may perform Endpoint Denial of Service (DoS) attacks to degrade or block the availability of services to users. Endpoint DoS can be performed by exhausting the system resources those services are hosted on or exploiting the system to cause a persistent crash condition. Example services include websites, email services, DNS, and web-based applications. Adversaries have been observed conducting DoS attacks for political purposes(Citation: FireEye OpPoisonedHandover February 2016) and to support other malicious activities, including distraction(Citation: FSISAC FraudNetDoS September 2012), hacktivism, and extortion.(Citation: Symantec DDoS October 2014)\n\nAn Endpoint DoS denies the availability of a service without saturating the network used to provide access to the service. Adversaries can target various layers of the application stack that is hosted on the system used to provide the service. These layers include the Operating Systems (OS), server applications such as web servers, DNS servers, databases, and the (typically web-based) applications that sit on top of them. Attacking each layer requires different techniques that take advantage of bottlenecks that are unique to the respective components. A DoS attack may be generated by a single system or multiple systems spread across the internet, which is commonly referred to as a distributed DoS (DDoS).\n\nTo perform DoS attacks against endpoint resources, several aspects apply to multiple methods, including IP address spoofing and botnets.\n\nAdversaries may use the original IP address of an attacking system, or spoof the source IP address to make the attack traffic more difficult to trace back to the attacking system or to enable reflection. This can increase the difficulty defenders have in defending against the attack by reducing or eliminating the effectiveness of filtering by the source address on network defense devices.\n\nBotnets are commonly used to conduct DDoS attacks against networks and services. Large botnets can generate a significant amount of traffic from systems spread across the global internet. Adversaries may have the resources to build out and control their own botnet infrastructure or may rent time on an existing botnet to conduct an attack. In some of the worst cases for DDoS, so many systems are used to generate requests that each one only needs to send out a small amount of traffic to produce enough volume to exhaust the target's resources. In such circumstances, distinguishing DDoS traffic from legitimate clients becomes exceedingly difficult. Botnets have been used in some of the most high-profile DDoS attacks, such as the 2012 series of incidents that targeted major US banks.(Citation: USNYAG IranianBotnet March 2016)\n\nIn cases where traffic manipulation is used, there may be points in the the global network (such as high traffic gateway routers) where packets can be altered and cause legitimate clients to execute code that directs network packets toward a target in high volume. This type of capability was previously used for the purposes of web censorship where client HTTP traffic was modified to include a reference to JavaScript that generated the DDoS code to overwhelm target web servers.(Citation: ArsTechnica Great Firewall of China)\n\nFor attacks attempting to saturate the providing network, see the Network Denial of Service Technique [Network Denial of Service](https://attack.mitre.org/techniques/T1498).\n\n### OS Exhaustion Flood\nSince operating systems (OSs) are responsible for managing the finite resources on a system, they can be a target for DoS. These attacks do not need to exhaust the actual resources on a system since they can simply exhaust the limits that an OS self-imposes to prevent the entire system from being overwhelmed by excessive demands on its capacity. Different ways to achieve this exist, including TCP state-exhaustion attacks such as SYN floods and ACK floods.(Citation: Arbor AnnualDoSreport Jan 2018)\n\n#### SYN Flood\nWith SYN floods excessive amounts of SYN packets are sent, but the 3-way TCP handshake is never completed. Because each OS has a maximum number of concurrent TCP connections that it will allow, this can quickly exhaust the ability of the system to receive new requests for TCP connections, thus preventing access to any TCP service provided by the server.(Citation: Cloudflare SynFlood)\n\n#### ACK Flood\nACK floods leverage the stateful nature of the TCP protocol. A flood of ACK packets are sent to the target. This forces the OS to search its state table for a related TCP connection that has already been established. Because the ACK packets are for connections that do not exist, the OS will have to search the entire state table to confirm that no match exists. When it is necessary to do this for a large flood of packets, the computational requirements can cause the server to become sluggish and/or unresponsive, due to the work it must do to eliminate the rogue ACK packets. This greatly reduces the resources available for providing the targeted service.(Citation: Corero SYN-ACKflood)\n\n### Service Exhaustion Flood\nDifferent network services provided by systems are targeted in different ways to conduct a DoS. Adversaries often target DNS and web servers, but other services have been targeted as well.(Citation: Arbor AnnualDoSreport Jan 2018) Web server software can be attacked through a variety of means, some of which apply generally while others are specific to the software being used to provide the service.\n\n#### Simple HTTP Flood\nA large number of HTTP requests can be issued to a web server to overwhelm it and/or an application that runs on top of it. This flood relies on raw volume to accomplish the objective, exhausting any of the various resources required by the victim software to provide the service.(Citation: Cloudflare HTTPflood)\n\n#### SSL Renegotiation Attack\nSSL Renegotiation Attacks take advantage of a protocol feature in SSL/TLS. The SSL/TLS protocol suite includes mechanisms for the client and server to agree on an encryption algorithm to use for subsequent secure connections. If SSL renegotiation is enabled, a request can be made for renegotiation of the crypto algorithm. In a renegotiation attack, the adversary establishes a SSL/TLS connection and then proceeds to make a series of renegotiation requests. Because the cryptographic renegotiation has a meaningful cost in computation cycles, this can cause an impact to the availability of the service when done in volume.(Citation: Arbor SSLDoS April 2012)\n\n### Application Exhaustion Flood\nWeb applications that sit on top of web server stacks can be targeted for DoS. Specific features in web applications may be highly resource intensive. Repeated requests to those features may be able to exhaust resources and deny access to the application or the server itself.(Citation: Arbor AnnualDoSreport Jan 2018)\n\n### Application or System Exploitation\nSoftware vulnerabilities exist that when exploited can cause an application or system to crash and deny availability to users.(Citation: Sucuri BIND9 August 2015) Some systems may automatically restart critical applications and services when crashes occur, but they can likely be re-exploited to cause a persistent DoS condition.", + "meta": { + "external_id": "CAPEC-125", + "kill_chain": [ + "mitre-attack:impact" + ], + "mitre_data_sources": [ + "SSL/TLS inspection", + "Web logs", + "Web application firewall logs", + "Network intrusion detection system", + "Network protocol analysis", + "Network device logs", + "Netflow/Enclave netflow" + ], + "mitre_platforms": [ + "Linux", + "macOS", + "Windows" + ], + "refs": [ + "https://attack.mitre.org/techniques/T1499", + "https://capec.mitre.org/data/definitions/227.html", + "https://capec.mitre.org/data/definitions/131.html", + "https://capec.mitre.org/data/definitions/130.html", + "https://capec.mitre.org/data/definitions/125.html", + "https://www.fireeye.com/blog/threat-research/2014/11/operation-poisoned-handover-unveiling-ties-between-apt-activity-in-hong-kongs-pro-democracy-movement.html", + "https://www.ic3.gov/media/2012/FraudAlertFinancialInstitutionEmployeeCredentialsTargeted.pdf", + "https://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/the-continued-rise-of-ddos-attacks.pdf", + "https://www.justice.gov/opa/pr/seven-iranians-working-islamic-revolutionary-guard-corps-affiliated-entities-charged", + "https://arstechnica.com/information-technology/2015/03/massive-denial-of-service-attack-on-github-tied-to-chinese-government/", + "https://pages.arbornetworks.com/rs/082-KNA-087/images/13th_Worldwide_Infrastructure_Security_Report.pdf", + "https://www.cloudflare.com/learning/ddos/syn-flood-ddos-attack/", + "https://www.corero.com/resources/ddos-attack-types/syn-flood-ack.html", + "https://www.cloudflare.com/learning/ddos/http-flood-ddos-attack/", + "https://www.netscout.com/blog/asert/ddos-attacks-ssl-something-old-something-new", + "https://blog.sucuri.net/2015/08/bind9-denial-of-service-exploit-in-the-wild.html", + "https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/netflow/configuration/15-mt/nf-15-mt-book/nf-detct-analy-thrts.pdf" + ] + }, + "uuid": "c675646d-e204-4aa8-978d-e3d6d65885c4", + "value": "Endpoint Denial of Service - T1499" + }, { "description": "This technique has been deprecated. Please see ATT&CK's Initial Access and Execution tactics for replacement techniques.\n\nA technique to push an [iOS](https://www.apple.com/ios) or [Android](https://www.android.com) MMS-type message to the target which does not require interaction on the part of the target to be successful. (Citation: BlackHat Stagefright) (Citation: WikiStagefright)", "meta": { @@ -3886,7 +4026,7 @@ "value": "Push-notification client-side exploit - T1373" }, { - "description": "The use of software, data, or commands to take advantage of a weakness in an Internet-facing computer system or program in order to cause unintended or unanticipated behavior. The weakness in the system can be a bug, a glitch, or a design vulnerability. These applications are often websites, but can include databases (like SQL) (Citation: NVD CVE-2016-6662), standard services (like SMB (Citation: CIS Multiple SMB Vulnerabilities) or SSH), and any other applications with Internet accessible open sockets, such as web servers and related services. (Citation: NVD CVE-2014-7169) Depending on the flaw being exploited this may include [Exploitation for Defense Evasion](https://attack.mitre.org/techniques/T1211).\n\nFor websites and databases, the OWASP top 10 gives a good list of the top 10 most common web-based vulnerabilities. (Citation: OWASP Top 10)", + "description": "The use of software, data, or commands to take advantage of a weakness in an Internet-facing computer system or program in order to cause unintended or unanticipated behavior. The weakness in the system can be a bug, a glitch, or a design vulnerability. These applications are often websites, but can include databases (like SQL) (Citation: NVD CVE-2016-6662), standard services (like SMB (Citation: CIS Multiple SMB Vulnerabilities) or SSH), and any other applications with Internet accessible open sockets, such as web servers and related services. (Citation: NVD CVE-2014-7169) Depending on the flaw being exploited this may include [Exploitation for Defense Evasion](https://attack.mitre.org/techniques/T1211).\n\nFor websites and databases, the OWASP top 10 and CWE top 25 highlight the most common web-based vulnerabilities. (Citation: OWASP Top 10) (Citation: CWE top 25)", "meta": { "external_id": "T1190", "kill_chain": [ @@ -3908,7 +4048,8 @@ "https://nvd.nist.gov/vuln/detail/CVE-2016-6662", "https://www.cisecurity.org/advisory/multiple-vulnerabilities-in-microsoft-windows-smb-server-could-allow-for-remote-code-execution/", "https://nvd.nist.gov/vuln/detail/CVE-2014-7169", - "https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project" + "https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project", + "https://cwe.mitre.org/top25/index.html" ] }, "uuid": "3f886f2a-874f-4333-b794-aa6075009b1c", @@ -4096,7 +4237,7 @@ "value": "System Owner/User Discovery - T1033" }, { - "description": "An adversary could use knowledge of the techniques used by security software to evade detection. For example, some mobile security products perform compromised device detection by searching for particular artifacts such as an installed \"su\" binary, but that check could be evaded by naming the binary something else. Similarly, polymorphic code techniques could be used to evade signature-based detection as described by Rastogi et al. (Citation: Rastogi).\n\nBrodie (Citation: Brodie) describes limitations of jailbreak/root detection mechanisms.\n\nTan (Citation: Tan) describes his experience defeating the jailbreak detection used by the iOS version of Good for Enterprise.", + "description": "An adversary could use knowledge of the techniques used by security software to evade detection(Citation: Brodie)(Citation: Tan). For example, some mobile security products perform compromised device detection by searching for particular artifacts such as an installed \"su\" binary, but that check could be evaded by naming the binary something else. Similarly, polymorphic code techniques could be used to evade signature-based detection(Citation: Rastogi).", "meta": { "external_id": "EMM-5", "kill_chain": [ @@ -4109,9 +4250,9 @@ "refs": [ "https://attack.mitre.org/techniques/T1408", "https://pages.nist.gov/mobile-threat-catalogue/emm-threats/EMM-5.html", - "http://pages.cs.wisc.edu/~vrastogi/static/papers/rcj13b.pdf", "https://media.blackhat.com/eu-13/briefings/Brodie/bh-eu-13-lacoon-attacks-mdm-brodie-wp.pdf", - "http://www.blackhat.com/us-16/briefings.html#bad-for-enterprise-attacking-byod-enterprise-mobile-security-solutions" + "http://www.blackhat.com/us-16/briefings.html#bad-for-enterprise-attacking-byod-enterprise-mobile-security-solutions", + "http://pages.cs.wisc.edu/~vrastogi/static/papers/rcj13b.pdf" ] }, "uuid": "b332a960-3c04-495a-827f-f17a5daed3a6", @@ -4285,6 +4426,32 @@ "uuid": "c5089859-b21f-40a3-8be4-63e381b8b1c0", "value": "Modify System Partition - T1400" }, + { + "description": "Adversaries may attempt to make payloads difficult to discover and analyze by delivering files to victims as uncompiled code. Similar to [Obfuscated Files or Information](https://attack.mitre.org/techniques/T1027), text-based source code files may subvert analysis and scrutiny from protections targeting executables/binaries. These payloads will need to be compiled before execution; typically via native utilities such as csc.exe or GCC/MinGW.(Citation: ClearSky MuddyWater Nov 2018)\n\nSource code payloads may also be encrypted, encoded, and/or embedded within other files, such as those delivered as a [Spearphishing Attachment](https://attack.mitre.org/techniques/T1193). Payloads may also be delivered in formats unrecognizable and inherently benign to the native OS (ex: EXEs on macOS/Linux) before later being (re)compiled into a proper executable binary with a bundled compiler and execution framework.(Citation: TrendMicro WindowsAppMac)\n", + "meta": { + "external_id": "T1500", + "kill_chain": [ + "mitre-attack:defense-evasion" + ], + "mitre_data_sources": [ + "Process command-line parameters", + "Process monitoring", + "File monitoring" + ], + "mitre_platforms": [ + "Linux", + "macOS", + "Windows" + ], + "refs": [ + "https://attack.mitre.org/techniques/T1500", + "https://www.clearskysec.com/wp-content/uploads/2018/11/MuddyWater-Operations-in-Lebanon-and-Oman.pdf", + "https://blog.trendmicro.com/trendlabs-security-intelligence/windows-app-runs-on-mac-downloads-info-stealer-and-adware/" + ] + }, + "uuid": "cf7b3a06-8b42-4c33-bbe9-012120027925", + "value": "Compile After Delivery - T1500" + }, { "description": "Adversaries may try to get information about registered services. Commands that may obtain information about services using operating system utilities are \"sc,\" \"tasklist /svc\" using [Tasklist](https://attack.mitre.org/software/S0057), and \"net start\" using [Net](https://attack.mitre.org/software/S0039), but adversaries may also use other tools as well.", "meta": { @@ -4597,7 +4764,7 @@ "value": "Credentials in Files - T1081" }, { - "description": "Adversaries will likely attempt to get a listing of other systems by IP address, hostname, or other logical identifier on a network that may be used for Lateral Movement from the current system. Functionality could exist within remote access tools to enable this, but utilities available on the operating system could also be used. \n\n### Windows\n\nExamples of tools and commands that acquire this information include \"ping\" or \"net view\" using [Net](https://attack.mitre.org/software/S0039).\n\n### Mac\n\nSpecific to Mac, the bonjour protocol to discover additional Mac-based systems within the same broadcast domain. Utilities such as \"ping\" and others can be used to gather information about remote systems.\n\n### Linux\n\nUtilities such as \"ping\" and others can be used to gather information about remote systems.", + "description": "Adversaries will likely attempt to get a listing of other systems by IP address, hostname, or other logical identifier on a network that may be used for Lateral Movement from the current system. Functionality could exist within remote access tools to enable this, but utilities available on the operating system could also be used. Adversaries may also use local host files in order to discover the hostname to IP address mappings of remote systems. \n\n### Windows\n\nExamples of tools and commands that acquire this information include \"ping\" or \"net view\" using [Net](https://attack.mitre.org/software/S0039). The contents of the C:\\Windows\\System32\\Drivers\\etc\\hosts file can be viewed to gain insight into the existing hostname to IP mappings on the system.\n\n### Mac\n\nSpecific to Mac, the bonjour protocol to discover additional Mac-based systems within the same broadcast domain. Utilities such as \"ping\" and others can be used to gather information about remote systems. The contents of the /etc/hosts file can be viewed to gain insight into existing hostname to IP mappings on the system.\n\n### Linux\n\nUtilities such as \"ping\" and others can be used to gather information about remote systems. The contents of the /etc/hosts file can be viewed to gain insight into existing hostname to IP mappings on the system.", "meta": { "external_id": "T1018", "kill_chain": [ @@ -4622,13 +4789,14 @@ "value": "Remote System Discovery - T1018" }, { - "description": "Various Windows utilities may be used to execute commands, possibly without invoking [cmd](https://attack.mitre.org/software/S0106). For example, [Forfiles](https://attack.mitre.org/software/S0193), the Program Compatibility Assistant (pcalua.exe), components of the Windows Subsystem for Linux (WSL), as well as other utilities may invoke the execution of programs and commands from a [Command-Line Interface](https://attack.mitre.org/techniques/T1059), Run window, or via scripts. (Citation: VectorSec ForFiles Aug 2017) (Citation: Evi1cg Forfiles Nov 2017)\n\nAdversaries may abuse these utilities for Defense Evasion, specifically to perform arbitrary execution while subverting detections and/or mitigation controls (such as Group Policy) that limit/prevent the usage of [cmd](https://attack.mitre.org/software/S0106).", + "description": "Various Windows utilities may be used to execute commands, possibly without invoking [cmd](https://attack.mitre.org/software/S0106). For example, [Forfiles](https://attack.mitre.org/software/S0193), the Program Compatibility Assistant (pcalua.exe), components of the Windows Subsystem for Linux (WSL), as well as other utilities may invoke the execution of programs and commands from a [Command-Line Interface](https://attack.mitre.org/techniques/T1059), Run window, or via scripts. (Citation: VectorSec ForFiles Aug 2017) (Citation: Evi1cg Forfiles Nov 2017)\n\nAdversaries may abuse these features for [Defense Evasion](https://attack.mitre.org/tactics/TA0005), specifically to perform arbitrary execution while subverting detections and/or mitigation controls (such as Group Policy) that limit/prevent the usage of [cmd](https://attack.mitre.org/software/S0106) or file extensions more commonly associated with malicious payloads.", "meta": { "external_id": "T1202", "kill_chain": [ "mitre-attack:defense-evasion" ], "mitre_data_sources": [ + "File monitoring", "Process monitoring", "Process command-line parameters", "Windows event logs" @@ -4842,7 +5010,7 @@ "value": "Private whois services - T1305" }, { - "description": "Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on the system. This may include things such as local firewall rules, anti-virus, and virtualization. These checks may be built into early-stage remote access tools.\n\n### Windows\n\nExample commands that can be used to obtain security software information are [netsh](https://attack.mitre.org/software/S0108), reg query with [Reg](https://attack.mitre.org/software/S0075), dir with [cmd](https://attack.mitre.org/software/S0106), and [Tasklist](https://attack.mitre.org/software/S0057), but other indicators of discovery behavior may be more specific to the type of software or security system the adversary is looking for.\n\n### Mac\n\nIt's becoming more common to see macOS malware perform checks for LittleSnitch and KnockKnock software.", + "description": "Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on the system. This may include things such as local firewall rules and anti-virus. These checks may be built into early-stage remote access tools.\n\n### Windows\n\nExample commands that can be used to obtain security software information are [netsh](https://attack.mitre.org/software/S0108), reg query with [Reg](https://attack.mitre.org/software/S0075), dir with [cmd](https://attack.mitre.org/software/S0106), and [Tasklist](https://attack.mitre.org/software/S0057), but other indicators of discovery behavior may be more specific to the type of software or security system the adversary is looking for.\n\n### Mac\n\nIt's becoming more common to see macOS malware perform checks for LittleSnitch and KnockKnock software.", "meta": { "external_id": "T1063", "kill_chain": [ @@ -4973,6 +5141,34 @@ "uuid": "01a5a209-b94c-450b-b7f9-946497d91055", "value": "Windows Management Instrumentation - T1047" }, + { + "description": "Adversaries may delete or remove built-in operating system data and turn off services designed to aid in the recovery of a corrupted system to prevent recovery.(Citation: Talos Olympic Destroyer 2018)(Citation: FireEye WannaCry 2017) Operating systems may contain features that can help fix corrupted systems, such as a backup catalog, volume shadow copies, and automatic repair features. Adversaries may disable or delete system recovery features to augment the effects of [Data Destruction](https://attack.mitre.org/techniques/T1485) and [Data Encrypted for Impact](https://attack.mitre.org/techniques/T1486).(Citation: Talos Olympic Destroyer 2018)(Citation: FireEye WannaCry 2017)\n\nA number of native Windows utilities have been used by adversaries to disable or delete system recovery features:\n\n* vssadmin.exe can be used to delete all volume shadow copies on a system - vssadmin.exe delete shadows /all /quiet\n* [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) can be used to delete volume shadow copies - wmic shadowcopy delete\n* wbadmin.exe can be used to delete the Windows Backup Catalog - wbadmin.exe delete catalog -quiet\n* bcdedit.exe can be used to disable automatic Windows recovery features by modifying boot configuration data - bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no", + "meta": { + "external_id": "T1490", + "kill_chain": [ + "mitre-attack:impact" + ], + "mitre_data_sources": [ + "Windows Registry", + "Services", + "Windows event logs", + "Process command-line parameters", + "Process monitoring" + ], + "mitre_platforms": [ + "Windows", + "macOS", + "Linux" + ], + "refs": [ + "https://attack.mitre.org/techniques/T1490", + "https://blog.talosintelligence.com/2018/02/olympic-destroyer.html", + "https://www.fireeye.com/blog/threat-research/2017/05/wannacry-malware-profile.html" + ] + }, + "uuid": "f5d8eed6-48a9-4cdf-a3d7-d1ffa99c3d2a", + "value": "Inhibit System Recovery - T1490" + }, { "description": "Adversaries may conduct C2 communications over a non-standard port to bypass proxies and firewalls that have been improperly configured.", "meta": { @@ -5065,15 +5261,15 @@ ], "refs": [ "https://attack.mitre.org/techniques/T1096", - "http://msdn.microsoft.com/en-us/library/aa364404", - "http://journeyintoir.blogspot.com/2012/12/extracting-zeroaccess-from-ntfs.html", - "https://blog.malwarebytes.com/101/2015/07/introduction-to-alternate-data-streams/", "https://posts.specterops.io/host-based-threat-modeling-indicator-design-a9dbbb53d5ea", - "https://blogs.technet.microsoft.com/askcore/2013/03/24/alternate-data-streams-in-ntfs/", - "https://www.symantec.com/connect/articles/what-you-need-know-about-alternate-data-streams-windows-your-data-secure-can-you-restore", "https://blogs.technet.microsoft.com/askcore/2010/08/25/ntfs-file-attributes/", + "http://msdn.microsoft.com/en-us/library/aa364404", + "https://blog.malwarebytes.com/101/2015/07/introduction-to-alternate-data-streams/", + "https://blogs.technet.microsoft.com/askcore/2013/03/24/alternate-data-streams-in-ntfs/", + "http://journeyintoir.blogspot.com/2012/12/extracting-zeroaccess-from-ntfs.html", "https://oddvar.moe/2018/01/14/putting-data-in-alternate-data-streams-and-how-to-execute-it/", - "https://oddvar.moe/2018/04/11/putting-data-in-alternate-data-streams-and-how-to-execute-it-part-2/" + "https://oddvar.moe/2018/04/11/putting-data-in-alternate-data-streams-and-how-to-execute-it-part-2/", + "https://www.symantec.com/connect/articles/what-you-need-know-about-alternate-data-streams-windows-your-data-secure-can-you-restore" ] }, "uuid": "f2d44246-91f1-478a-b6c8-1227e0ca109d", @@ -5187,7 +5383,7 @@ "value": "Disabling Security Tools - T1089" }, { - "description": "User Interface Spoofing can be used to trick users into providing sensitive information, such as account credentials, bank account information, or Personally Identifiable Information (PII) to an unintended entity.\n\nAt least three methods exist to perform User Interface Spoofing:\n\nFirst, on both Android and iOS, an adversary could impersonate the user interface of a legitimate app or device function to trick a user into entering sensitive information. The constrained display size of mobile devices (compared to traditional PC displays) may impair the ability to provide the user with contextual information (for example, displaying a full web site address) that may alert the user to a potential issue. (Citation: Felt-PhishingOnMobileDevices) As described by PRE-ATT&CK ([Spearphishing for information](https://attack.mitre.org/techniques/T1397)), it is also possible for an adversary to carry out this form of the technique without a direct adversary presence on the mobile devices, e.g. through a spoofed web page.\n\nSecond, on both Android and iOS, a malicious app could impersonate the identity of another app (e.g. use the same app name and/or icon) and somehow get installed on the device (e.g. using [Deliver Malicious App via Authorized App Store](https://attack.mitre.org/techniques/T1475) or [Deliver Malicious App via Other Means](https://attack.mitre.org/techniques/T1476). The malicious app could then prompt the user for sensitive information. (Citation: eset-finance)\n\nThird, on older versions of Android, a malicious app could abuse mobile operating system features to interfere with a running legitimate app. (Citation: Felt-PhishingOnMobileDevices) (Citation: Hassell-ExploitingAndroid) However, this technique appears to have been addressed starting in Android 5.0 with the deprecation of the Android's ActivityManager.getRunningTasks method and modification of its behavior (Citation: Android-getRunningTasks) and further addressed in Android 5.1.1 (Citation: StackOverflow-getRunningAppProcesses) to prevent a malicious app from determining what app is currently in the foreground.", + "description": "User Interface Spoofing can be used to trick users into providing sensitive information, such as account credentials, bank account information, or Personally Identifiable Information (PII) to an unintended entity.\n\n### Impersonate User Interface of Legitimate App or Device Function\n\nOn both Android and iOS, an adversary could impersonate the user interface of a legitimate app or device function to trick a user into entering sensitive information. The constrained display size of mobile devices (compared to traditional PC displays) may impair the ability to provide the user with contextual information (for example, displaying a full web site address) that may alert the user to a potential issue. (Citation: Felt-PhishingOnMobileDevices) As described by PRE-ATT&CK ([Spearphishing for Information](https://attack.mitre.org/techniques/T1397)), it is also possible for an adversary to carry out this form of the technique without a direct adversary presence on the mobile devices, e.g. through a spoofed web page.\n\n### Impersonate Identity of Legitimate App\n\nOn both Android and iOS, a malicious app could impersonate the identity of another app (e.g. use the same app name and/or icon) and somehow get installed on the device (e.g. using [Deliver Malicious App via Authorized App Store](https://attack.mitre.org/techniques/T1475) or [Deliver Malicious App via Other Means](https://attack.mitre.org/techniques/T1476)). The malicious app could then prompt the user for sensitive information. (Citation: eset-finance)\n\n### Abuse OS Features to Interfere with Legitimate App\n\nOn older versions of Android, a malicious app could abuse mobile operating system features to interfere with a running legitimate app. (Citation: Felt-PhishingOnMobileDevices) (Citation: Hassell-ExploitingAndroid) However, this technique appears to have been addressed starting in Android 5.0 with the deprecation of the Android's ActivityManager.getRunningTasks method and modification of its behavior (Citation: Android-getRunningTasks) and further addressed in Android 5.1.1 (Citation: StackOverflow-getRunningAppProcesses) to prevent a malicious app from determining what app is currently in the foreground.", "meta": { "external_id": "APP-31", "kill_chain": [ @@ -5201,9 +5397,9 @@ "https://attack.mitre.org/techniques/T1411", "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-31.html", "http://w2spconf.com/2011/papers/felt-mobilephishing.pdf", + "https://www.welivesecurity.com/2018/09/19/fake-finance-apps-google-play-target-around-world/", "https://developer.android.com/reference/android/app/ActivityManager.html#getRunningTasks%28int%29", - "http://stackoverflow.com/questions/30619349/android-5-1-1-and-above-getrunningappprocesses-returns-my-application-packag", - "https://www.welivesecurity.com/2018/09/19/fake-finance-apps-google-play-target-around-world/" + "http://stackoverflow.com/questions/30619349/android-5-1-1-and-above-getrunningappprocesses-returns-my-application-packag" ] }, "uuid": "3dd58c80-4c2e-458c-9503-1b2cd273c4d2", @@ -5437,11 +5633,12 @@ "value": "Remote Access Tools - T1219" }, { - "description": "Remote services such as VPNs, Citrix, and other access mechanisms allow users to connect to internal enterprise network resources from external locations. There are often remote service gateways that manage connections and credential authentication for these services. Services such as [Windows Remote Management](https://attack.mitre.org/techniques/T1028) can also be used externally.\n\nAdversaries may use remote services to access and persist within a network. (Citation: Volexity Virtual Private Keylogging) Access to [Valid Accounts](https://attack.mitre.org/techniques/T1078) to use the service is often a requirement, which could be obtained through credential pharming or by obtaining the credentials from users after compromising the enterprise network. Access to remote services may be used as part of [Redundant Access](https://attack.mitre.org/techniques/T1108) during an operation.", + "description": "Remote services such as VPNs, Citrix, and other access mechanisms allow users to connect to internal enterprise network resources from external locations. There are often remote service gateways that manage connections and credential authentication for these services. Services such as [Windows Remote Management](https://attack.mitre.org/techniques/T1028) can also be used externally.\n\nAdversaries may use remote services to initially access and/or persist within a network. (Citation: Volexity Virtual Private Keylogging) Access to [Valid Accounts](https://attack.mitre.org/techniques/T1078) to use the service is often a requirement, which could be obtained through credential pharming or by obtaining the credentials from users after compromising the enterprise network. Access to remote services may be used as part of [Redundant Access](https://attack.mitre.org/techniques/T1108) during an operation.", "meta": { "external_id": "T1133", "kill_chain": [ - "mitre-attack:persistence" + "mitre-attack:persistence", + "mitre-attack:initial-access" ], "mitre_data_sources": [ "Authentication logs" @@ -5531,7 +5728,7 @@ "value": "Network Share Discovery - T1135" }, { - "description": "Microsoft Office is a fairly common application suite on Windows-based operating systems within an enterprise network. There are multiple mechanisms that can be used with Office for persistence when an Office-based application is started.\n\n### Office Template Macros\n\nMicrosoft Office contains templates that are part of common Office applications and are used to customize styles. The base templates within the application are used each time an application starts. (Citation: Microsoft Change Normal Template)\n\nOffice Visual Basic for Applications (VBA) macros (Citation: MSDN VBA in Office) can inserted into the base templated and used to execute code when the respective Office application starts in order to obtain persistence. Examples for both Word and Excel have been discovered and published. By default, Word has a Normal.dotm template created that can be modified to include a malicious macro. Excel does not have a template file created by default, but one can be added that will automatically be loaded. (Citation: enigma0x3 normal.dotm) (Citation: Hexacorn Office Template Macros)\n\nWord Normal.dotm location:C:\\Users\\(username)\\AppData\\Roaming\\Microsoft\\Templates\\Normal.dotm\n\nExcel Personal.xlsb location:C:\\Users\\(username)\\AppData\\Roaming\\Microsoft\\Excel\\XLSTART\\PERSONAL.XLSB\n\nAn adversary may need to enable macros to execute unrestricted depending on the system or enterprise security policy on use of macros.\n\n### Office Test\n\nA Registry location was found that when a DLL reference was placed within it the corresponding DLL pointed to by the binary path would be executed every time an Office application is started (Citation: Hexacorn Office Test)\n\nHKEY_CURRENT_USER\\Software\\Microsoft\\Office test\\Special\\Perf\n\n### Add-ins\n\nOffice add-ins can be used to add functionality to Office programs. (Citation: Microsoft Office Add-ins)\n\nAdd-ins can also be used to obtain persistence because they can be set to execute code when an Office application starts. There are different types of add-ins that can be used by the various Office products; including Word/Excel add-in Libraries (WLL/XLL), VBA add-ins, Office Component Object Model (COM) add-ins, automation add-ins, VBA Editor (VBE), and Visual Studio Tools for Office (VSTO) add-ins. (Citation: MRWLabs Office Persistence Add-ins)", + "description": "Microsoft Office is a fairly common application suite on Windows-based operating systems within an enterprise network. There are multiple mechanisms that can be used with Office for persistence when an Office-based application is started.\n\n### Office Template Macros\n\nMicrosoft Office contains templates that are part of common Office applications and are used to customize styles. The base templates within the application are used each time an application starts. (Citation: Microsoft Change Normal Template)\n\nOffice Visual Basic for Applications (VBA) macros (Citation: MSDN VBA in Office) can inserted into the base templated and used to execute code when the respective Office application starts in order to obtain persistence. Examples for both Word and Excel have been discovered and published. By default, Word has a Normal.dotm template created that can be modified to include a malicious macro. Excel does not have a template file created by default, but one can be added that will automatically be loaded. (Citation: enigma0x3 normal.dotm) (Citation: Hexacorn Office Template Macros)\n\nWord Normal.dotm location:C:\\Users\\(username)\\AppData\\Roaming\\Microsoft\\Templates\\Normal.dotm\n\nExcel Personal.xlsb location:C:\\Users\\(username)\\AppData\\Roaming\\Microsoft\\Excel\\XLSTART\\PERSONAL.XLSB\n\nAn adversary may need to enable macros to execute unrestricted depending on the system or enterprise security policy on use of macros.\n\n### Office Test\n\nA Registry location was found that when a DLL reference was placed within it the corresponding DLL pointed to by the binary path would be executed every time an Office application is started (Citation: Hexacorn Office Test)\n\nHKEY_CURRENT_USER\\Software\\Microsoft\\Office test\\Special\\Perf\n\n### Add-ins\n\nOffice add-ins can be used to add functionality to Office programs. (Citation: Microsoft Office Add-ins)\n\nAdd-ins can also be used to obtain persistence because they can be set to execute code when an Office application starts. There are different types of add-ins that can be used by the various Office products; including Word/Excel add-in Libraries (WLL/XLL), VBA add-ins, Office Component Object Model (COM) add-ins, automation add-ins, VBA Editor (VBE), Visual Studio Tools for Office (VSTO) add-ins, and Outlook add-ins. (Citation: MRWLabs Office Persistence Add-ins)(Citation: FireEye Mail CDS 2018)\n\n### Outlook Rules, Forms, and Home Page\n\nA variety of features have been discovered in Outlook that can be abused to obtain persistence, such as Outlook rules, forms, and Home Page.(Citation: SensePost Ruler GitHub) \n\nOutlook rules allow a user to define automated behavior to manage email messages. A benign rule might, for example, automatically move an email to a particular folder in Outlook if it contains specific words from a specific sender. Malicious Outlook rules can be created that can trigger code execution when an adversary sends a specifically crafted email to that user.(Citation: SilentBreak Outlook Rules)\n\nOutlook forms are used as templates for presentation and functionality in Outlook messages. Custom Outlook Forms can be created that will execute code when a specifically crafted email is sent by an adversary utilizing the same custom Outlook form.(Citation: SensePost Outlook Forms)\n\nOutlook Home Page is a legacy feature used to customize the presentation of Outlook folders. This feature allows for an internal or external URL to be loaded and presented whenever a folder is opened. A malicious HTML page can be crafted that will execute code when loaded by Outlook Home Page.(Citation: SensePost Outlook Home Page)\n\nTo abuse these features, an adversary requires prior access to the user’s Outlook mailbox, either via an Exchange/OWA server or via the client application. Once malicious rules, forms, or Home Pages have been added to the user’s mailbox, they will be loaded when Outlook is started. Malicious Home Pages will execute when the right Outlook folder is loaded/reloaded while malicious rules and forms will execute when an adversary sends a specifically crafted email to the user.(Citation: SilentBreak Outlook Rules)(Citation: SensePost Outlook Forms)(Citation: SensePost Outlook Home Page)", "meta": { "external_id": "T1137", "kill_chain": [ @@ -5554,7 +5751,16 @@ "http://www.hexacorn.com/blog/2017/04/19/beyond-good-ol-run-key-part-62/", "http://www.hexacorn.com/blog/2014/04/16/beyond-good-ol-run-key-part-10/", "https://support.office.com/article/Add-or-remove-add-ins-0af570c4-5cf3-4fa9-9b88-403625a0b460", - "https://labs.mwrinfosecurity.com/blog/add-in-opportunities-for-office-persistence/" + "https://labs.mwrinfosecurity.com/blog/add-in-opportunities-for-office-persistence/", + "https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2018/presentations/cds18-technical-s03-youve-got-mail.pdf", + "https://github.com/sensepost/ruler", + "https://silentbreaksecurity.com/malicious-outlook-rules/", + "https://sensepost.com/blog/2017/outlook-forms-and-shells/", + "https://sensepost.com/blog/2017/outlook-home-page-another-ruler-vector/", + "https://malware.news/t/using-outlook-forms-for-lateral-movement-and-persistence/13746", + "https://medium.com/@bwtech789/outlook-today-homepage-persistence-33ea9b505943", + "https://docs.microsoft.com/en-us/office365/securitycompliance/detect-and-remediate-outlook-rules-forms-attack", + "https://github.com/sensepost/notruler" ] }, "uuid": "2c4d4e92-0ccf-4a97-b54c-86d662988a53", @@ -5579,14 +5785,14 @@ ], "refs": [ "https://attack.mitre.org/techniques/T1173", + "https://www.bleepingcomputer.com/news/microsoft/microsoft-disables-dde-feature-in-word-to-prevent-further-malware-attacks/", + "https://portal.msrc.microsoft.com/security-guidance/advisory/ADV170021", "https://technet.microsoft.com/library/security/4053440", - "https://sensepost.com/blog/2017/macro-less-code-exec-in-msword/", - "https://blog.nviso.be/2017/10/11/detecting-dde-in-ms-office-documents/", "https://sensepost.com/blog/2016/powershell-c-sharp-and-dde-the-power-within/", "https://www.contextis.com/blog/comma-separated-vulnerabilities", - "https://www.bleepingcomputer.com/news/microsoft/microsoft-disables-dde-feature-in-word-to-prevent-further-malware-attacks/", "https://posts.specterops.io/reviving-dde-using-onenote-and-excel-for-code-execution-d7226864caee", - "https://portal.msrc.microsoft.com/security-guidance/advisory/ADV170021" + "https://sensepost.com/blog/2017/macro-less-code-exec-in-msword/", + "https://blog.nviso.be/2017/10/11/detecting-dde-in-ms-office-documents/" ] }, "uuid": "edbe24e9-aec4-4994-ac75-6a6bc7f1ddd0", @@ -5627,7 +5833,7 @@ "value": "Capture Clipboard Data - T1414" }, { - "description": "An adversary could convince the mobile network operator (e.g. through social networking, forged identification, or insider attacks performed by trusted employees) to issue a new SIM card and associate it with an existing phone number and account (Citation: NYGov-Simswap) (Citation: Motherboard-Simswap2). The adversary could then obtain SMS messages or hijack phone calls intended for someone else (Citation: Betanews-Simswap). \n\nOne use case is intercepting authentication messages or phone calls to obtain illicit access to online banking or other online accounts, as many online services allow account password resets by sending an authentication code over SMS to a phone number associated with the account (Citation: Guardian-Simswap) (Citation: Motherboard-Simswap1).", + "description": "An adversary could convince the mobile network operator (e.g. through social networking, forged identification, or insider attacks performed by trusted employees) to issue a new SIM card and associate it with an existing phone number and account (Citation: NYGov-Simswap) (Citation: Motherboard-Simswap2). The adversary could then obtain SMS messages or hijack phone calls intended for someone else (Citation: Betanews-Simswap). \n\nOne use case is intercepting authentication messages or phone calls to obtain illicit access to online banking or other online accounts, as many online services allow account password resets by sending an authentication code over SMS to a phone number associated with the account (Citation: Guardian-Simswap) (Citation: Motherboard-Simswap1)(Citation: Krebs-SimSwap)(Citation: TechCrunch-SimSwap).", "meta": { "external_id": "STA-22", "kill_chain": [ @@ -5641,17 +5847,19 @@ "https://attack.mitre.org/techniques/T1451", "https://pages.nist.gov/mobile-threat-catalogue/stack-threats/STA-22.html", "http://www.dos.ny.gov/consumerprotection/scams/att-sim.html", + "https://motherboard.vice.com/en_us/article/3ky5a5/criminals-recruit-telecom-employees-sim-swapping-port-out-scam", "http://betanews.com/2016/02/12/everything-you-need-to-know-about-sim-swap-scams/", "https://www.theguardian.com/money/2016/apr/16/sim-swap-fraud-mobile-banking-fraudsters", - "https://motherboard.vice.com/en_us/article/3ky5a5/criminals-recruit-telecom-employees-sim-swapping-port-out-scam", - "https://motherboard.vice.com/en_us/article/vbqax3/hackers-sim-swapping-steal-phone-numbers-instagram-bitcoin" + "https://motherboard.vice.com/en_us/article/vbqax3/hackers-sim-swapping-steal-phone-numbers-instagram-bitcoin", + "https://krebsonsecurity.com/2018/05/t-mobile-employee-made-unauthorized-sim-swap-to-steal-instagram-account/", + "https://techcrunch.com/2017/08/23/i-was-hacked/" ] }, "uuid": "a64a820a-cb21-471f-920c-506a2ff04fa5", "value": "SIM Card Swap - T1451" }, { - "description": "An iOS application may be able to maliciously claim a URL scheme, allowing it to intercept calls that are meant for a different application. This technique, for example, could be used to capture OAuth authorization codes as described in (Citation: IETF-PKCE) or to phish user credentials as described in (Citation: MobileIron-XARA). Related potential security implications are described in (Citation: Dhanjani-URLScheme). FireEye researchers describe URL scheme hijacking in a blog post (Citation: FireEye-Masque2), including evidence of its use.", + "description": "An iOS application may be able to maliciously claim a URL scheme, allowing it to intercept calls that are meant for a different application(Citation: FireEye-Masque2)(Citation: Dhanjani-URLScheme). This technique, for example, could be used to capture OAuth authorization codes(Citation: IETF-PKCE) or to phish user credentials(Citation: MobileIron-XARA).", "meta": { "external_id": "AUT-10", "kill_chain": [ @@ -5663,17 +5871,17 @@ "refs": [ "https://attack.mitre.org/techniques/T1415", "https://pages.nist.gov/mobile-threat-catalogue/authentication-threats/AUT-10.html", - "https://tools.ietf.org/html/rfc7636", - "https://www.mobileiron.com/en/smartwork-blog/ios-url-scheme-hijacking-xara-attack-analysis-and-countermeasures", + "https://www.fireeye.com/blog/threat-research/2015/02/ios_masque_attackre.html", "http://www.dhanjani.com/blog/2010/11/insecure-handling-of-url-schemes-in-apples-ios.html", - "https://www.fireeye.com/blog/threat-research/2015/02/ios_masque_attackre.html" + "https://tools.ietf.org/html/rfc7636", + "https://www.mobileiron.com/en/smartwork-blog/ios-url-scheme-hijacking-xara-attack-analysis-and-countermeasures" ] }, "uuid": "8f142a25-f6c3-4520-bd50-2ae3ab50ed3e", "value": "URL Scheme Hijacking - T1415" }, { - "description": "A malicious app can register to receive intents meant for other applications and may then be able to receive sensitive values such as OAuth authorization codes as described in (Citation: IETF-PKCE).", + "description": "A malicious app can register to receive intents meant for other applications and may then be able to receive sensitive values such as OAuth authorization codes(Citation: IETF-PKCE).", "meta": { "external_id": "T1416", "kill_chain": [ @@ -5780,7 +5988,7 @@ "value": "Spearphishing via Service - T1194" }, { - "description": "Supply chain compromise is the manipulation of products or product delivery mechanisms prior to receipt by a final consumer for the purpose of data or system compromise. Supply chain compromise can take place at any stage of the supply chain including:\n\n* Manipulation of development tools\n* Manipulation of a development environment\n* Manipulation of source code repositories (public or private)\n* Manipulation of software update/distribution mechanisms\n* Compromised/infected system images (multiple cases of removable media infected at the factory)\n* Replacement of legitimate software with modified versions\n* Sales of modified/counterfeit products to legitimate distributors\n* Shipment interdiction\n\nWhile supply chain compromise can impact any component of hardware or software, attackers looking to gain execution have often focused on malicious additions to legitimate software in software distribution or update channels. (Citation: Avast CCleaner3 2018) (Citation: Microsoft Dofoil 2018) (Citation: Command Five SK 2011) Targeting may be specific to a desired victim set (Citation: Symantec Elderwood Sept 2012) or malicious software may be distributed to a broad set of consumers but only move on to additional tactics on specific victims. (Citation: Avast CCleaner3 2018) (Citation: Command Five SK 2011)", + "description": "Supply chain compromise is the manipulation of products or product delivery mechanisms prior to receipt by a final consumer for the purpose of data or system compromise. \n\nSupply chain compromise can take place at any stage of the supply chain including:\n\n* Manipulation of development tools\n* Manipulation of a development environment\n* Manipulation of source code repositories (public or private)\n* Manipulation of source code in open-source dependencies\n* Manipulation of software update/distribution mechanisms\n* Compromised/infected system images (multiple cases of removable media infected at the factory)\n* Replacement of legitimate software with modified versions\n* Sales of modified/counterfeit products to legitimate distributors\n* Shipment interdiction\n\nWhile supply chain compromise can impact any component of hardware or software, attackers looking to gain execution have often focused on malicious additions to legitimate software in software distribution or update channels. (Citation: Avast CCleaner3 2018) (Citation: Microsoft Dofoil 2018) (Citation: Command Five SK 2011) Targeting may be specific to a desired victim set (Citation: Symantec Elderwood Sept 2012) or malicious software may be distributed to a broad set of consumers but only move on to additional tactics on specific victims. (Citation: Avast CCleaner3 2018) (Citation: Command Five SK 2011) Popular open source projects that are used as dependencies in many applications may also be targeted as a means to add malicious code to users of the dependency. (Citation: Trendmicro NPM Compromise)", "meta": { "external_id": "CAPEC-439", "kill_chain": [ @@ -5800,10 +6008,11 @@ "https://capec.mitre.org/data/definitions/437.html", "https://capec.mitre.org/data/definitions/438.html", "https://capec.mitre.org/data/definitions/439.html", - "http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/the-elderwood-project.pdf", "https://blog.avast.com/new-investigations-in-ccleaner-incident-point-to-a-possible-third-stage-that-had-keylogger-capacities", "https://cloudblogs.microsoft.com/microsoftsecure/2018/03/07/behavior-monitoring-combined-with-machine-learning-spoils-a-massive-dofoil-coin-mining-campaign/", - "https://www.commandfive.com/papers/C5_APT_SKHack.pdf" + "https://www.commandfive.com/papers/C5_APT_SKHack.pdf", + "http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/the-elderwood-project.pdf", + "https://www.trendmicro.com/vinfo/dk/security/news/cybercrime-and-digital-threats/hacker-infects-node-js-package-to-steal-from-bitcoin-wallets" ] }, "uuid": "3f18edba-28f4-4bb9-82c3-8aa60dcac5f7", @@ -6261,7 +6470,7 @@ "value": "Conduct active scanning - T1254" }, { - "description": "An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, and architecture.\n\nOn Android, much of this information is programmatically accessible to applications through the android.os.Build class (Citation: Android-Build).\n\nOn iOS, techniques exist for applications to programmatically access this information, for example as described in (Citation: StackOverflow-iOSVersion).", + "description": "An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, and architecture.\n\nOn Android, much of this information is programmatically accessible to applications through the android.os.Build class(Citation: Android-Build).\n\nOn iOS, techniques exist for applications to programmatically access this information(Citation: StackOverflow-iOSVersion).", "meta": { "external_id": "T1426", "kill_chain": [ @@ -6310,6 +6519,34 @@ "uuid": "78e41091-d10d-4001-b202-89612892b6ff", "value": "Identify supply chains - T1246" }, + { + "description": "Adversaries may attempt to gather information on domain trust relationships that may be used to identify [Lateral Movement](https://attack.mitre.org/tactics/TA0008) opportunities in Windows multi-domain/forest environments. Domain trusts provide a mechanism for a domain to allow access to resources based on the authentication procedures of another domain.(Citation: Microsoft Trusts) Domain trusts allow the users of the trusted domain to access resources in the trusting domain. The information discovered may help the adversary conduct [SID-History Injection](https://attack.mitre.org/techniques/T1178), [Pass the Ticket](https://attack.mitre.org/techniques/T1097), and [Kerberoasting](https://attack.mitre.org/techniques/T1208).(Citation: AdSecurity Forging Trust Tickets)(Citation: Harmj0y Domain Trusts) Domain trusts can be enumerated using the DSEnumerateDomainTrusts() Win32 API call, .NET methods, and LDAP.(Citation: Harmj0y Domain Trusts) The Windows utility [Nltest](https://attack.mitre.org/software/S0359) is known to be used by adversaries to enumerate domain trusts.(Citation: Microsoft Operation Wilysupply)", + "meta": { + "external_id": "T1482", + "kill_chain": [ + "mitre-attack:discovery" + ], + "mitre_data_sources": [ + "PowerShell logs", + "API monitoring", + "Process command-line parameters", + "Process monitoring" + ], + "mitre_platforms": [ + "Windows" + ], + "refs": [ + "https://attack.mitre.org/techniques/T1482", + "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2003/cc759554(v=ws.10)", + "https://adsecurity.org/?p=1588", + "http://www.harmj0y.net/blog/redteaming/a-guide-to-attacking-domain-trusts/ ", + "https://www.microsoft.com/security/blog/2017/05/04/windows-defender-atp-thwarts-operation-wilysupply-software-supply-chain-cyberattack/", + "https://docs.microsoft.com/en-us/dotnet/api/system.directoryservices.activedirectory.domain.getalltrustrelationships?redirectedfrom=MSDN&view=netframework-4.7.2#System_DirectoryServices_ActiveDirectory_Domain_GetAllTrustRelationships" + ] + }, + "uuid": "767dbf9e-df3f-45cb-8998-4903ab5f80c0", + "value": "Domain Trust Discovery - T1482" + }, { "description": "Adversaries may attempt to exploit enterprise servers, workstations, or other resources over the network. This technique may take advantage of the mobile device's access to an internal enterprise network either through local connectivity or through a Virtual Private Network (VPN).", "meta": { @@ -6359,6 +6596,31 @@ "uuid": "74a3288e-eee9-4f8e-973a-fbc128e033f1", "value": "Conduct social engineering - T1249" }, + { + "description": "Adversaries may insert, delete, or manipulate data at rest in order to manipulate external outcomes or hide activity.(Citation: FireEye APT38 Oct 2018)(Citation: DOJ Lazarus Sony 2018) By manipulating stored data, adversaries may attempt to affect a business process, organizational understanding, and decision making. \n\nStored data could include a variety of file formats, such as Office files, databases, stored emails, and custom file formats. The type of modification and the impact it will have depends on the type of data as well as the goals and objectives of the adversary. For complex systems, an adversary would likely need special expertise and possibly access to specialized software related to the system that would typically be gained through a prolonged information gathering campaign in order to have the desired impact.", + "meta": { + "external_id": "T1492", + "kill_chain": [ + "mitre-attack:impact" + ], + "mitre_data_sources": [ + "Application logs", + "File monitoring" + ], + "mitre_platforms": [ + "Linux", + "macOS", + "Windows" + ], + "refs": [ + "https://attack.mitre.org/techniques/T1492", + "https://content.fireeye.com/apt/rpt-apt38", + "https://www.justice.gov/opa/press-release/file/1092091/download" + ] + }, + "uuid": "0bf78622-e8d2-41da-a857-731472d61a92", + "value": "Stored Data Manipulation - T1492" + }, { "description": "Supply chains include the people, processes, and technologies used to move a product or service from a supplier to a consumer. Understanding supply chains may provide an adversary with opportunities to exploit the people, their positions, and relationships, that are part of the supply chain. (Citation: SmithSupplyChain) (Citation: CERT-UKSupplyChain)", "meta": { @@ -6575,7 +6837,7 @@ "value": "Remotely Install Application - T1443" }, { - "description": "A malicious app could abuse Android's accessibility features to capture sensitive data or perform other malicious actions, as demonstrated in a proof of concept created by Skycure (Citation: Skycure-Accessibility).", + "description": "A malicious app could abuse Android's accessibility features to capture sensitive data or perform other malicious actions(Citation: Skycure-Accessibility).", "meta": { "external_id": "T1453", "kill_chain": [ @@ -6665,6 +6927,42 @@ "uuid": "3911658a-6506-4deb-9ab4-595a51ae71ad", "value": "Commonly Used Port - T1436" }, + { + "description": "Adversaries may make use of Domain Generation Algorithms (DGAs) to dynamically identify a destination for command and control traffic rather than relying on a list of static IP addresses or domains. This has the advantage of making it much harder for defenders block, track, or take over the command and control channel, as there potentially could be thousands of domains that malware can check for instructions.(Citation: Cybereason Dissecting DGAs)(Citation: Cisco Umbrella DGA)(Citation: Unit 42 DGA Feb 2019)\n\nDGAs can take the form of apparently random or “gibberish” strings (ex: istgmxdejdnxuyla.ru) when they construct domain names by generating each letter. Alternatively, some DGAs employ whole words as the unit by concatenating words together instead of letters (ex: cityjulydish.net). Many DGAs are time-based, generating a different domain for each time period (hourly, daily, monthly, etc). Others incorporate a seed value as well to make predicting future domains more difficult for defenders.(Citation: Cybereason Dissecting DGAs)(Citation: Cisco Umbrella DGA)(Citation: Talos CCleanup 2017)(Citation: Akamai DGA Mitigation)\n\nAdversaries may use DGAs for the purpose of [Fallback Channels](https://attack.mitre.org/techniques/T1008). When contact is lost with the primary command and control server malware may employ a DGA as a means to reestablishing command and control.(Citation: Talos CCleanup 2017)(Citation: FireEye POSHSPY April 2017)(Citation: ESET Sednit 2017 Activity)", + "meta": { + "external_id": "T1483", + "kill_chain": [ + "mitre-attack:command-and-control" + ], + "mitre_data_sources": [ + "Process use of network", + "Packet capture", + "Network device logs", + "Netflow/Enclave netflow", + "DNS records" + ], + "mitre_platforms": [ + "Linux", + "macOS", + "Windows" + ], + "refs": [ + "https://attack.mitre.org/techniques/T1483", + "http://go.cybereason.com/rs/996-YZT-709/images/Cybereason-Lab-Analysis-Dissecting-DGAs-Eight-Real-World-DGA-Variants.pdf", + "https://umbrella.cisco.com/blog/2016/10/10/domain-generation-algorithms-effective/", + "https://unit42.paloaltonetworks.com/threat-brief-understanding-domain-generation-algorithms-dga/", + "http://blog.talosintelligence.com/2017/09/avast-distributes-malware.html", + "https://blogs.akamai.com/2018/01/a-death-match-of-domain-generation-algorithms.html", + "https://www.fireeye.com/blog/threat-research/2017/03/dissecting_one_ofap.html", + "https://www.welivesecurity.com/2017/12/21/sednit-update-fancy-bear-spent-year/", + "https://datadrivensecurity.info/blog/posts/2014/Oct/dga-part2/", + "http://csis.pace.edu/~ctappert/srd2017/2017PDF/d4.pdf", + "https://arxiv.org/pdf/1611.00791.pdf" + ] + }, + "uuid": "54456690-84de-4538-9101-643e26437e09", + "value": "Domain Generation Algorithms - T1483" + }, { "description": "Adversaries can communicate using cellular networks rather than enterprise Wi-Fi in order to bypass enterprise network monitoring systems. Adversaries may also communicate using other non-Internet Protocol mediums such as SMS, NFC, or Bluetooth to bypass network monitoring systems.", "meta": { @@ -6685,6 +6983,31 @@ "uuid": "b3c2e5de-0941-4b57-ba61-af029eb5517a", "value": "Alternate Network Mediums - T1438" }, + { + "description": "Adversaries may alter data en route to storage or other systems in order to manipulate external outcomes or hide activity.(Citation: FireEye APT38 Oct 2018)(Citation: DOJ Lazarus Sony 2018) By manipulating transmitted data, adversaries may attempt to affect a business process, organizational understanding, and decision making. \n\nManipulation may be possible over a network connection or between system processes where there is an opportunity deploy a tool that will intercept and change information. The type of modification and the impact it will have depends on the target transmission mechanism as well as the goals and objectives of the adversary. For complex systems, an adversary would likely need special expertise and possibly access to specialized software related to the system that would typically be gained through a prolonged information gathering campaign in order to have the desired impact.", + "meta": { + "external_id": "T1493", + "kill_chain": [ + "mitre-attack:impact" + ], + "mitre_data_sources": [ + "Packet capture", + "Network protocol analysis" + ], + "mitre_platforms": [ + "Linux", + "macOS", + "Windows" + ], + "refs": [ + "https://attack.mitre.org/techniques/T1493", + "https://content.fireeye.com/apt/rpt-apt38", + "https://www.justice.gov/opa/press-release/file/1092091/download" + ] + }, + "uuid": "cc1e737c-236c-4e3b-83ba-32039a626ef8", + "value": "Transmitted Data Manipulation - T1493" + }, { "description": "Callbacks are malware communications seeking instructions. An adversary will test their malware to ensure the appropriate instructions are conveyed and the callback software can be reached. (Citation: LeeBeaconing)", "meta": { @@ -6748,7 +7071,7 @@ "value": "Malicious SMS Message - T1454" }, { - "description": "As further described in [ATT&CK for Enterprise](https://attack.mitre.org/techniques/T1195), supply chain compromise is the manipulation of products or product delivery mechanisms prior to receipt by a final consumer for the purpose of data or system compromise. Somewhat related, adversaries could also identify and exploit inadvertently present vulnerabilities. In many cases, it may be difficult to be certain whether exploitable functionality is due to malicious intent or simply inadvertent mistake.\n\nRelated PRE-ATT&CK techniques include:\n\n* [Identify vulnerabilities in third-party software libraries](https://attack.mitre.org/techniques/T1389) - Third-party libraries incorporated into mobile apps could contain malicious behavior, privacy-invasive behavior, or exploitable vulnerabilities. An adversary could deliberately insert malicious behavior or could exploit inadvertent vulnerabilities. For example, Ryan Welton of NowSecure identified exploitable remote code execution vulnerabilities in a third-party advertisement library (Citation: NowSecure-RemoteCode). Grace et al. identified security issues in mobile advertisement libraries (Citation: Grace-Advertisement).\n* [Distribute malicious software development tools](https://attack.mitre.org/techniques/T1394) - As demonstrated by the XcodeGhost attack (Citation: PaloAlto-XcodeGhost1), app developers could be provided with modified versions of software development tools (e.g. compilers) that automatically inject malicious or exploitable code into applications.", + "description": "As further described in [Supply Chain Compromise](https://attack.mitre.org/techniques/T1195), supply chain compromise is the manipulation of products or product delivery mechanisms prior to receipt by a final consumer for the purpose of data or system compromise. Somewhat related, adversaries could also identify and exploit inadvertently present vulnerabilities. In many cases, it may be difficult to be certain whether exploitable functionality is due to malicious intent or simply inadvertent mistake.\n\nRelated PRE-ATT&CK techniques include:\n\n* [Identify vulnerabilities in third-party software libraries](https://attack.mitre.org/techniques/T1389) - Third-party libraries incorporated into mobile apps could contain malicious behavior, privacy-invasive behavior, or exploitable vulnerabilities. An adversary could deliberately insert malicious behavior or could exploit inadvertent vulnerabilities. For example, Ryan Welton of NowSecure identified exploitable remote code execution vulnerabilities in a third-party advertisement library (Citation: NowSecure-RemoteCode). Grace et al. identified security issues in mobile advertisement libraries (Citation: Grace-Advertisement).\n* [Distribute malicious software development tools](https://attack.mitre.org/techniques/T1394) - As demonstrated by the XcodeGhost attack (Citation: PaloAlto-XcodeGhost1), app developers could be provided with modified versions of software development tools (e.g. compilers) that automatically inject malicious or exploitable code into applications.", "meta": { "external_id": "APP-6", "kill_chain": [ @@ -6785,6 +7108,58 @@ "uuid": "8e27551a-5080-4148-a584-c64348212e4f", "value": "Wipe Device Data - T1447" }, + { + "description": "Adversaries may modify Group Policy Objects (GPOs) to subvert the intended discretionary access controls for a domain, usually with the intention of escalating privileges on the domain. \n\nGroup policy allows for centralized management of user and computer settings in Active Directory (AD). GPOs are containers for group policy settings made up of files stored within a predicable network path \\\\<DOMAIN>\\SYSVOL\\<DOMAIN>\\Policies\\.(Citation: TechNet Group Policy Basics)(Citation: ADSecurity GPO Persistence 2016) \n\nLike other objects in AD, GPOs have access controls associated with them. By default all user accounts in the domain have permission to read GPOs. It is possible to delegate GPO access control permissions, e.g. write access, to specific users or groups in the domain.\n\nMalicious GPO modifications can be used to implement [Scheduled Task](https://attack.mitre.org/techniques/T1053), [Disabling Security Tools](https://attack.mitre.org/techniques/T1089), [Remote File Copy](https://attack.mitre.org/techniques/T1105), [Create Account](https://attack.mitre.org/techniques/T1136), [Service Execution](https://attack.mitre.org/techniques/T1035) and more.(Citation: ADSecurity GPO Persistence 2016)(Citation: Wald0 Guide to GPOs)(Citation: Harmj0y Abusing GPO Permissions)(Citation: Mandiant M Trends 2016)(Citation: Microsoft Hacking Team Breach) Since GPOs can control so many user and machine settings in the AD environment, there are a great number of potential attacks that can stem from this GPO abuse.(Citation: Wald0 Guide to GPOs) Publicly available scripts such as New-GPOImmediateTask can be leveraged to automate the creation of a malicious [Scheduled Task](https://attack.mitre.org/techniques/T1053) by modifying GPO settings, in this case modifying <GPO_PATH>\\Machine\\Preferences\\ScheduledTasks\\ScheduledTasks.xml.(Citation: Wald0 Guide to GPOs)(Citation: Harmj0y Abusing GPO Permissions) In some cases an adversary might modify specific user rights like SeEnableDelegationPrivilege, set in <GPO_PATH>\\MACHINE\\Microsoft\\Windows NT\\SecEdit\\GptTmpl.inf, to achieve a subtle AD backdoor with complete control of the domain because the user account under the adversary's control would then be able to modify GPOs.(Citation: Harmj0y SeEnableDelegationPrivilege Right)\n", + "meta": { + "external_id": "T1484", + "kill_chain": [ + "mitre-attack:defense-evasion" + ], + "mitre_data_sources": [ + "Windows event logs" + ], + "mitre_platforms": [ + "Windows" + ], + "refs": [ + "https://attack.mitre.org/techniques/T1484", + "https://blogs.technet.microsoft.com/musings_of_a_technical_tam/2012/02/13/group-policy-basics-part-1-understanding-the-structure-of-a-group-policy-object/", + "https://adsecurity.org/?p=2716", + "https://wald0.com/?p=179", + "http://www.harmj0y.net/blog/redteaming/abusing-gpo-permissions/", + "https://www.fireeye.com/content/dam/fireeye-www/current-threats/pdfs/rpt-mtrends-2016.pdf", + "https://www.microsoft.com/security/blog/2016/06/01/hacking-team-breach-a-cyber-jurassic-park/", + "http://www.harmj0y.net/blog/activedirectory/the-most-dangerous-user-right-you-probably-have-never-heard-of/" + ] + }, + "uuid": "ebb42bbe-62d7-47d7-a55f-3b08b61d792d", + "value": "Group Policy Modification - T1484" + }, + { + "description": "Adversaries may modify systems in order to manipulate the data as it is accessed and displayed to an end user.(Citation: FireEye APT38 Oct 2018)(Citation: DOJ Lazarus Sony 2018) By manipulating runtime data, adversaries may attempt to affect a business process, organizational understanding, and decision making. \n\nAdversaries may alter application binaries used to display data in order to cause runtime manipulations. Adversaries may also conduct [Change Default File Association](https://attack.mitre.org/techniques/T1042) and [Masquerading](https://attack.mitre.org/techniques/T1036) to cause a similar effect. The type of modification and the impact it will have depends on the target application and process as well as the goals and objectives of the adversary. For complex systems, an adversary would likely need special expertise and possibly access to specialized software related to the system that would typically be gained through a prolonged information gathering campaign in order to have the desired impact.", + "meta": { + "external_id": "T1494", + "kill_chain": [ + "mitre-attack:impact" + ], + "mitre_data_sources": [ + "File monitoring", + "Process monitoring" + ], + "mitre_platforms": [ + "Linux", + "macOS", + "Windows" + ], + "refs": [ + "https://attack.mitre.org/techniques/T1494", + "https://content.fireeye.com/apt/rpt-apt38", + "https://www.justice.gov/opa/press-release/file/1092091/download" + ] + }, + "uuid": "ca205a36-c1ad-488b-aa6c-ab34bdd3a36b", + "value": "Runtime Data Manipulation - T1494" + }, { "description": "A message sent over a radio interface (typically cellular, but potentially Bluetooth, GPS, NFC, Wi-Fi or other) to the mobile device could exploit a vulnerability in code running on the device.\n\nD. Komaromy and N. Golde demonstrated baseband exploitation of a Samsung mobile device at the PacSec 2015 security conference (Citation: Register-BaseStation).\n\nWeinmann described and demonstrated \"the risk of remotely exploitable memory corruptions in cellular baseband stacks.\" (Citation: Weinmann-Baseband)\n\nPlatforms: Android, iOS", "meta": { @@ -6826,33 +7201,59 @@ "value": "Malicious Media Content - T1457" }, { - "description": "Link-Local Multicast Name Resolution (LLMNR) and NetBIOS Name Service (NBT-NS) are Microsoft Windows components that serve as alternate methods of host identification. LLMNR is based upon the Domain Name System (DNS) format and allows hosts on the same local link to perform name resolution for other hosts. NBT-NS identifies systems on a local network by their NetBIOS name. (Citation: Wikipedia LLMNR) (Citation: TechNet NetBIOS)\n\nAdversaries can spoof an authoritative source for name resolution on a victim network by responding to LLMNR (UDP 5355)/NBT-NS (UDP 137) traffic as if they know the identity of the requested host, effectively poisoning the service so that the victims will communicate with the adversary controlled system. If the requested host belongs to a resource that requires identification/authentication, the username and NTLMv2 hash will then be sent to the adversary controlled system. The adversary can then collect the hash information sent over the wire through tools that monitor the ports for traffic or through [Network Sniffing](https://attack.mitre.org/techniques/T1040) and crack the hashes offline through [Brute Force](https://attack.mitre.org/techniques/T1110) to obtain the plaintext passwords.\n\nSeveral tools exist that can be used to poison name services within local networks such as NBNSpoof, Metasploit, and [Responder](https://attack.mitre.org/software/S0174). (Citation: GitHub NBNSpoof) (Citation: Rapid7 LLMNR Spoofer) (Citation: GitHub Responder)", + "description": "Adversaries may corrupt or wipe the disk data structures on hard drive necessary to boot systems; targeting specific critical systems as well as a large number of systems in a network to interrupt availability to system and network resources. \n\nAdversaries may attempt to render the system unable to boot by overwriting critical data located in structures such as the master boot record (MBR) or partition table.(Citation: Symantec Shamoon 2012)(Citation: FireEye Shamoon Nov 2016)(Citation: Palo Alto Shamoon Nov 2016)(Citation: Kaspersky StoneDrill 2017)(Citation: Unit 42 Shamoon3 2018) The data contained in disk structures may include the initial executable code for loading an operating system or the location of the file system partitions on disk. If this information is not present, the computer will not be able to load an operating system during the boot process, leaving the computer unavailable. [Disk Structure Wipe](https://attack.mitre.org/techniques/T1487) may be performed in isolation, or along with [Disk Content Wipe](https://attack.mitre.org/techniques/T1488) if all sectors of a disk are wiped.\n\nTo maximize impact on the target organization, malware designed for destroying disk structures may have worm-like features to propagate across a network by leveraging other techniques like [Valid Accounts](https://attack.mitre.org/techniques/T1078), [Credential Dumping](https://attack.mitre.org/techniques/T1003), and [Windows Admin Shares](https://attack.mitre.org/techniques/T1077).(Citation: Symantec Shamoon 2012)(Citation: FireEye Shamoon Nov 2016)(Citation: Palo Alto Shamoon Nov 2016)(Citation: Kaspersky StoneDrill 2017)", "meta": { - "external_id": "T1171", + "external_id": "T1487", "kill_chain": [ - "mitre-attack:credential-access" + "mitre-attack:impact" ], "mitre_data_sources": [ - "Windows Registry", - "Packet capture", - "Netflow/Enclave netflow" + "Kernel drivers", + "MBR" ], "mitre_platforms": [ + "Windows", + "macOS", + "Linux" + ], + "refs": [ + "https://attack.mitre.org/techniques/T1487", + "https://www.symantec.com/connect/blogs/shamoon-attacks", + "https://www.fireeye.com/blog/threat-research/2016/11/fireeye_respondsto.html", + "http://researchcenter.paloaltonetworks.com/2016/11/unit42-shamoon-2-return-disttrack-wiper/", + "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07180722/Report_Shamoon_StoneDrill_final.pdf", + "https://unit42.paloaltonetworks.com/shamoon-3-targets-oil-gas-organization/" + ] + }, + "uuid": "2e114e45-2c50-404c-804a-3af9564d240e", + "value": "Disk Structure Wipe - T1487" + }, + { + "description": "Adversaries may erase the contents of storage devices on specific systems as well as large numbers of systems in a network to interrupt availability to system and network resources.\n\nAdversaries may partially or completely overwrite the contents of a storage device rendering the data irrecoverable through the storage interface.(Citation: Novetta Blockbuster)(Citation: Novetta Blockbuster Destructive Malware)(Citation: DOJ Lazarus Sony 2018) Instead of wiping specific disk structures or files, adversaries with destructive intent may wipe arbitrary portions of disk content. To wipe disk content, adversaries may acquire direct access to the hard drive in order to overwrite arbitrarily sized portions of disk with random data.(Citation: Novetta Blockbuster Destructive Malware) Adversaries have been observed leveraging third-party drivers like [RawDisk](https://attack.mitre.org/software/S0364) to directly access disk content.(Citation: Novetta Blockbuster)(Citation: Novetta Blockbuster Destructive Malware) This behavior is distinct from [Data Destruction](https://attack.mitre.org/techniques/T1485) because sections of the disk erased instead of individual files.\n\nTo maximize impact on the target organization in operations where network-wide availability interruption is the goal, malware used for wiping disk content may have worm-like features to propagate across a network by leveraging additional techniques like [Valid Accounts](https://attack.mitre.org/techniques/T1078), [Credential Dumping](https://attack.mitre.org/techniques/T1003), and [Windows Admin Shares](https://attack.mitre.org/techniques/T1077).(Citation: Novetta Blockbuster Destructive Malware)", + "meta": { + "external_id": "T1488", + "kill_chain": [ + "mitre-attack:impact" + ], + "mitre_data_sources": [ + "Kernel drivers", + "Process monitoring", + "Process command-line parameters" + ], + "mitre_platforms": [ + "Linux", + "macOS", "Windows" ], "refs": [ - "https://attack.mitre.org/techniques/T1171", - "https://en.wikipedia.org/wiki/Link-Local_Multicast_Name_Resolution", - "https://technet.microsoft.com/library/cc958811.aspx", - "https://www.sternsecurity.com/blog/local-network-attacks-llmnr-and-nbt-ns-poisoning", - "https://github.com/Kevin-Robertson/Conveigh", - "https://github.com/SpiderLabs/Responder", - "https://github.com/nomex/nbnspoof", - "https://www.rapid7.com/db/modules/auxiliary/spoof/llmnr/llmnr_response" + "https://attack.mitre.org/techniques/T1488", + "https://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Report.pdf", + "https://operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Destructive-Malware-Report.pdf", + "https://www.justice.gov/opa/press-release/file/1092091/download" ] }, - "uuid": "0dbf5f1b-a560-4d51-ac1b-d70caab3e1f0", - "value": "LLMNR/NBT-NS Poisoning - T1171" + "uuid": "b82f7d37-b826-4ec9-9391-8e121c78aed7", + "value": "Disk Content Wipe - T1488" }, { "description": "A payload is the part of the malware which performs a malicious action. The adversary may re-use payloads when the needed capability is already available. (Citation: SonyDestover)", @@ -7040,7 +7441,7 @@ "value": "Multi-hop Proxy - T1188" }, { - "description": "A drive-by compromise is when an adversary gains access to a system through a user visiting a website over the normal course of browsing. With this technique, the user's web browser is targeted for exploitation. This can happen in several ways, but there are a few main components: \n\nMultiple ways of delivering exploit code to a browser exist, including:\n\n* A legitimate website is compromised where adversaries have injected some form of malicious code such as JavaScript, iFrames, cross-site scripting.\n* Malicious ads are paid for and served through legitimate ad providers.\n* Built-in web application interfaces are leveraged for the insertion of any other kind of object that can be used to display web content or contain a script that executes on the visiting client (e.g. forum posts, comments, and other user controllable web content).\n\nOften the website used by an adversary is one visited by a specific community, such as government, a particular industry, or region, where the goal is to compromise a specific user or set of users based on a shared interest. This kind of targeted attack is referred to a strategic web compromise or watering hole attack. There are several known examples of this occurring. (Citation: Shadowserver Strategic Web Compromise)\n\nTypical drive-by compromise process:\n\n1. A user visits a website that is used to host the adversary controlled content.\n2. Scripts automatically execute, typically searching versions of the browser and plugins for a potentially vulnerable version. \n * The user may be required to assist in this process by enabling scripting or active website components and ignoring warning dialog boxes.\n3. Upon finding a vulnerable version, exploit code is delivered to the browser.\n4. If exploitation is successful, then it will give the adversary code execution on the user's system unless other protections are in place.\n * In some cases a second visit to the website after the initial scan is required before exploit code is delivered.\n\nUnlike [Exploit Public-Facing Application](https://attack.mitre.org/techniques/T1190), the focus of this technique is to exploit software on a client endpoint upon visiting a website. This will commonly give an adversary access to systems on the internal network instead of external systems that may be in a DMZ.", + "description": "A drive-by compromise is when an adversary gains access to a system through a user visiting a website over the normal course of browsing. With this technique, the user's web browser is targeted for exploitation.\n\nMultiple ways of delivering exploit code to a browser exist, including:\n\n* A legitimate website is compromised where adversaries have injected some form of malicious code such as JavaScript, iFrames, cross-site scripting.\n* Malicious ads are paid for and served through legitimate ad providers.\n* Built-in web application interfaces are leveraged for the insertion of any other kind of object that can be used to display web content or contain a script that executes on the visiting client (e.g. forum posts, comments, and other user controllable web content).\n\nOften the website used by an adversary is one visited by a specific community, such as government, a particular industry, or region, where the goal is to compromise a specific user or set of users based on a shared interest. This kind of targeted attack is referred to a strategic web compromise or watering hole attack. There are several known examples of this occurring. (Citation: Shadowserver Strategic Web Compromise)\n\nTypical drive-by compromise process:\n\n1. A user visits a website that is used to host the adversary controlled content.\n2. Scripts automatically execute, typically searching versions of the browser and plugins for a potentially vulnerable version. \n * The user may be required to assist in this process by enabling scripting or active website components and ignoring warning dialog boxes.\n3. Upon finding a vulnerable version, exploit code is delivered to the browser.\n4. If exploitation is successful, then it will give the adversary code execution on the user's system unless other protections are in place.\n * In some cases a second visit to the website after the initial scan is required before exploit code is delivered.\n\nUnlike [Exploit Public-Facing Application](https://attack.mitre.org/techniques/T1190), the focus of this technique is to exploit software on a client endpoint upon visiting a website. This will commonly give an adversary access to systems on the internal network instead of external systems that may be in a DMZ.", "meta": { "external_id": "T1189", "kill_chain": [ @@ -7068,7 +7469,7 @@ "value": "Drive-by Compromise - T1189" }, { - "description": "As described by [ATT&CK for Enterprise](https://attack.mitre.org/techniques/T1189), a drive-by compromise is when an adversary gains access to a system through a user visiting a website over the normal course of browsing. With this technique, the user's web browser is targeted for exploitation. For example, a website may contain malicious media content intended to exploit vulnerabilities in media parsers as demonstrated by the Android Stagefright vulnerability (Citation: Zimperium-Stagefright).\n\n(This technique was formerly known as Malicious Web Content. It has been renamed to better align with ATT&CK for Enterprise.)", + "description": "As described by [Drive-by Compromise](https://attack.mitre.org/techniques/T1189), a drive-by compromise is when an adversary gains access to a system through a user visiting a website over the normal course of browsing. With this technique, the user's web browser is targeted for exploitation. For example, a website may contain malicious media content intended to exploit vulnerabilities in media parsers as demonstrated by the Android Stagefright vulnerability (Citation: Zimperium-Stagefright).\n\n(This technique was formerly known as Malicious Web Content. It has been renamed to better align with ATT&CK for Enterprise.)", "meta": { "external_id": "CEL-22", "kill_chain": [ @@ -7129,6 +7530,34 @@ "uuid": "6063b486-a247-499b-976a-9de16f4e83bc", "value": "Develop KITs/KIQs - T1227" }, + { + "description": "Adversaries may check for the presence of a virtual machine environment (VME) or sandbox to avoid potential detection of tools and activities. If the adversary detects a VME, they may alter their malware to conceal the core functions of the implant or disengage from the victim. They may also search for VME artifacts before dropping secondary or additional payloads. \n\nAdversaries may use several methods including [Security Software Discovery](https://attack.mitre.org/techniques/T1063) to accomplish [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) by searching for security monitoring tools (e.g., Sysinternals, Wireshark, etc.) to help determine if it is an analysis environment. Additional methods include use of sleep timers or loops within malware code to avoid operating within a temporary sandboxes. (Citation: Unit 42 Pirpi July 2015)\n\n###Virtual Machine Environment Artifacts Discovery###\n\nAdversaries may use utilities such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047), [PowerShell](https://attack.mitre.org/techniques/T1086), [Systeminfo](https://attack.mitre.org/software/S0096), and the [Query Registry](https://attack.mitre.org/techniques/T1012) to obtain system information and search for VME artifacts. Adversaries may search for VME artifacts in memory, processes, file system, and/or the Registry. Adversaries may use [Scripting](https://attack.mitre.org/techniques/T1064) to combine these checks into one script and then have the program exit if it determines the system to be a virtual environment. Also, in applications like VMWare, adversaries can use a special I/O port to send commands and receive output. Adversaries may also check the drive size. For example, this can be done using the Win32 DeviceIOControl function. \n\nExample VME Artifacts in the Registry(Citation: McAfee Virtual Jan 2017)\n\n* HKLM\\SOFTWARE\\Oracle\\VirtualBox Guest Additions\n* HKLM\\HARDWARE\\Description\\System\\”SystemBiosVersion”;”VMWARE”\n* HKLM\\HARDWARE\\ACPI\\DSDT\\BOX_\n\nExample VME files and DLLs on the system(Citation: McAfee Virtual Jan 2017)\n\n* WINDOWS\\system32\\drivers\\vmmouse.sys \n* WINDOWS\\system32\\vboxhook.dll\n* Windows\\system32\\vboxdisp.dll\n\nCommon checks may enumerate services running that are unique to these applications, installed programs on the system, manufacturer/product fields for strings relating to virtual machine applications, and VME-specific hardware/processor instructions.(Citation: McAfee Virtual Jan 2017)\n\n###User Activity Discovery###\n\nAdversaries may search for user activity on the host (e.g., browser history, cache, bookmarks, number of files in the home directories, etc.) for reassurance of an authentic environment. They might detect this type of information via user interaction and digital signatures. They may have malware check the speed and frequency of mouse clicks to determine if it’s a sandboxed environment.(Citation: Sans Virtual Jan 2016) Other methods may rely on specific user interaction with the system before the malicious code is activated. Examples include waiting for a document to close before activating a macro (Citation: Unit 42 Sofacy Nov 2018) and waiting for a user to double click on an embedded image to activate (Citation: FireEye FIN7 April 2017).\n\n###Virtual Hardware Fingerprinting Discovery###\n\nAdversaries may check the fan and temperature of the system to gather evidence that can be indicative a virtual environment. An adversary may perform a CPU check using a WMI query $q = “Select * from Win32_Fan” Get-WmiObject -Query $q. If the results of the WMI query return more than zero elements, this might tell them that the machine is a physical one. (Citation: Unit 42 OilRig Sept 2018)", + "meta": { + "external_id": "T1497", + "kill_chain": [ + "mitre-attack:defense-evasion", + "mitre-attack:discovery" + ], + "mitre_data_sources": [ + "Process monitoring", + "Process command-line parameters" + ], + "mitre_platforms": [ + "Windows" + ], + "refs": [ + "https://attack.mitre.org/techniques/T1497", + "https://unit42.paloaltonetworks.com/ups-observations-on-cve-2015-3113-prior-zero-days-and-the-pirpi-payload/", + "https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/stopping-malware-fake-virtual-machine/", + "https://www.sans.org/reading-room/whitepapers/forensics/detecting-malware-sandbox-evasion-techniques-36667", + "https://unit42.paloaltonetworks.com/unit42-sofacy-continues-global-attacks-wheels-new-cannon-trojan/", + "https://www.fireeye.com/blog/threat-research/2017/04/fin7-phishing-lnk.html", + "https://researchcenter.paloaltonetworks.com/2018/09/unit42-oilrig-targets-middle-eastern-government-adds-evasion-techniques-oopsie/" + ] + }, + "uuid": "82caa33e-d11a-433a-94ea-9b5a5fbef81d", + "value": "Virtualization/Sandbox Evasion - T1497" + }, { "description": "Command and control (C2) communications are hidden (but not necessarily encrypted) in an attempt to make the content more difficult to discover or decipher and to make the communication less conspicuous and hide commands from being seen. This encompasses many methods, such as adding junk data to protocol traffic, using steganography, commingling legitimate traffic with C2 communications traffic, or using a non-standard data encoding system, such as a modified Base64 encoding for the message body of an HTTP request.", "meta": { @@ -7263,7 +7692,7 @@ "value": "Data Compressed - T1002" }, { - "description": "Credential dumping is the process of obtaining account login and password information, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.\n\nSeveral of the tools mentioned in this technique may be used by both adversaries and professional security testers. Additional custom tools likely exist as well.\n\n### Windows\n\n#### SAM (Security Accounts Manager)\n\nThe SAM is a database file that contains local accounts for the host, typically those found with the ‘net user’ command. To enumerate the SAM database, system level access is required.\n \nA number of tools can be used to retrieve the SAM file through in-memory techniques:\n\n* pwdumpx.exe \n* [gsecdump](https://attack.mitre.org/software/S0008)\n* [Mimikatz](https://attack.mitre.org/software/S0002)\n* secretsdump.py\n\nAlternatively, the SAM can be extracted from the Registry with [Reg](https://attack.mitre.org/software/S0075):\n\n* reg save HKLM\\sam sam\n* reg save HKLM\\system system\n\nCreddump7 can then be used to process the SAM database locally to retrieve hashes. (Citation: GitHub Creddump7)\n\nNotes:\nRid 500 account is the local, in-built administrator.\nRid 501 is the guest account.\nUser accounts start with a RID of 1,000+.\n\n#### Cached Credentials\n\nThe DCC2 (Domain Cached Credentials version 2) hash, used by Windows Vista and newer caches credentials when the domain controller is unavailable. The number of default cached credentials varies, and this number can be altered per system. This hash does not allow pass-the-hash style attacks.\n \nA number of tools can be used to retrieve the SAM file through in-memory techniques.\n\n* pwdumpx.exe \n* [gsecdump](https://attack.mitre.org/software/S0008)\n* [Mimikatz](https://attack.mitre.org/software/S0002)\n\nAlternatively, reg.exe can be used to extract from the Registry and Creddump7 used to gather the credentials.\n\nNotes:\nCached credentials for Windows Vista are derived using PBKDF2.\n\n#### Local Security Authority (LSA) Secrets\n\nWith SYSTEM access to a host, the LSA secrets often allows trivial access from a local account to domain-based account credentials. The Registry is used to store the LSA secrets.\n \nWhen services are run under the context of local or domain users, their passwords are stored in the Registry. If auto-logon is enabled, this information will be stored in the Registry as well.\n \nA number of tools can be used to retrieve the SAM file through in-memory techniques.\n\n* pwdumpx.exe \n* [gsecdump](https://attack.mitre.org/software/S0008)\n* [Mimikatz](https://attack.mitre.org/software/S0002)\n* secretsdump.py\n\nAlternatively, reg.exe can be used to extract from the Registry and Creddump7 used to gather the credentials.\n\nNotes:\nThe passwords extracted by his mechanism are UTF-16 encoded, which means that they are returned in plaintext.\nWindows 10 adds protections for LSA Secrets described in Mitigation.\n\n#### NTDS from Domain Controller\n\nActive Directory stores information about members of the domain including devices and users to verify credentials and define access rights. The Active Directory domain database is stored in the NTDS.dit file. By default the NTDS file will be located in %SystemRoot%\\NTDS\\Ntds.dit of a domain controller. (Citation: Wikipedia Active Directory)\n \nThe following tools and techniques can be used to enumerate the NTDS file and the contents of the entire Active Directory hashes.\n\n* Volume Shadow Copy\n* secretsdump.py\n* Using the in-built Windows tool, ntdsutil.exe\n* Invoke-NinjaCopy\n\n#### Group Policy Preference (GPP) Files\n\nGroup Policy Preferences (GPP) are tools that allowed administrators to create domain policies with embedded credentials. These policies, amongst other things, allow administrators to set local accounts.\n\nThese group policies are stored in SYSVOL on a domain controller, this means that any domain user can view the SYSVOL share and decrypt the password (the AES private key was leaked on-line. (Citation: Microsoft GPP Key) (Citation: SRD GPP)\n\nThe following tools and scripts can be used to gather and decrypt the password file from Group Policy Preference XML files:\n\n* Metasploit’s post exploitation module: \"post/windows/gather/credentials/gpp\"\n* Get-GPPPassword (Citation: Obscuresecurity Get-GPPPassword)\n* gpprefdecrypt.py\n\nNotes:\nOn the SYSVOL share, the following can be used to enumerate potential XML files.\ndir /s * .xml\n\n#### Service Principal Names (SPNs)\n\nSee [Kerberoasting](https://attack.mitre.org/techniques/T1208).\n\n#### Plaintext Credentials\n\nAfter a user logs on to a system, a variety of credentials are generated and stored in the Local Security Authority Subsystem Service (LSASS) process in memory. These credentials can be harvested by a administrative user or SYSTEM.\n\nSSPI (Security Support Provider Interface) functions as a common interface to several Security Support Providers (SSPs): A Security Support Provider is a dynamic-link library (DLL) that makes one or more security packages available to applications.\n\nThe following SSPs can be used to access credentials:\n\nMsv: Interactive logons, batch logons, and service logons are done through the MSV authentication package.\nWdigest: The Digest Authentication protocol is designed for use with Hypertext Transfer Protocol (HTTP) and Simple Authentication Security Layer (SASL) exchanges. (Citation: TechNet Blogs Credential Protection)\nKerberos: Preferred for mutual client-server domain authentication in Windows 2000 and later.\nCredSSP:  Provides SSO and Network Level Authentication for Remote Desktop Services. (Citation: Microsoft CredSSP)\n \nThe following tools can be used to enumerate credentials:\n\n* [Windows Credential Editor](https://attack.mitre.org/software/S0005)\n* [Mimikatz](https://attack.mitre.org/software/S0002)\n\nAs well as in-memory techniques, the LSASS process memory can be dumped from the target host and analyzed on a local system.\n\nFor example, on the target host use procdump:\n* procdump -ma lsass.exe lsass_dump\n\nLocally, mimikatz can be run:\n\n* sekurlsa::Minidump lsassdump.dmp\n* sekurlsa::logonPasswords\n\n#### DCSync\n\nDCSync is a variation on credential dumping which can be used to acquire sensitive information from a domain controller. Rather than executing recognizable malicious code, the action works by abusing the domain controller's application programming interface (API) (Citation: Microsoft DRSR Dec 2017) (Citation: Microsoft GetNCCChanges) (Citation: Samba DRSUAPI) (Citation: Wine API samlib.dll) to simulate the replication process from a remote domain controller. Any members of the Administrators, Domain Admins, Enterprise Admin groups or computer accounts on the domain controller are able to run DCSync to pull password data (Citation: ADSecurity Mimikatz DCSync) from Active Directory, which may include current and historical hashes of potentially useful accounts such as KRBTGT and Administrators. The hashes can then in turn be used to create a Golden Ticket for use in [Pass the Ticket](https://attack.mitre.org/techniques/T1097) (Citation: Harmj0y Mimikatz and DCSync) or change an account's password as noted in [Account Manipulation](https://attack.mitre.org/techniques/T1098). (Citation: InsiderThreat ChangeNTLM July 2017) DCSync functionality has been included in the \"lsadump\" module in Mimikatz. (Citation: GitHub Mimikatz lsadump Module) Lsadump also includes NetSync, which performs DCSync over a legacy replication protocol. (Citation: Microsoft NRPC Dec 2017)\n\n### Linux\n\n#### Proc filesystem\n\nThe /proc filesystem on Linux contains a great deal of information regarding the state of the running operating system. Processes running with root privileges can use this facility to scrape live memory of other running programs. If any of these programs store passwords in clear text or password hashes in memory, these values can then be harvested for either usage or brute force attacks, respectively. This functionality has been implemented in the [MimiPenguin](https://attack.mitre.org/software/S0179), an open source tool inspired by [Mimikatz](https://attack.mitre.org/software/S0002). The tool dumps process memory, then harvests passwords and hashes by looking for text strings and regex patterns for how given applications such as Gnome Keyring, sshd, and Apache use memory to store such authentication artifacts.", + "description": "Credential dumping is the process of obtaining account login and password information, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.\n\nSeveral of the tools mentioned in this technique may be used by both adversaries and professional security testers. Additional custom tools likely exist as well.\n\n### Windows\n\n#### SAM (Security Accounts Manager)\n\nThe SAM is a database file that contains local accounts for the host, typically those found with the ‘net user’ command. To enumerate the SAM database, system level access is required.\n \nA number of tools can be used to retrieve the SAM file through in-memory techniques:\n\n* pwdumpx.exe \n* [gsecdump](https://attack.mitre.org/software/S0008)\n* [Mimikatz](https://attack.mitre.org/software/S0002)\n* secretsdump.py\n\nAlternatively, the SAM can be extracted from the Registry with [Reg](https://attack.mitre.org/software/S0075):\n\n* reg save HKLM\\sam sam\n* reg save HKLM\\system system\n\nCreddump7 can then be used to process the SAM database locally to retrieve hashes. (Citation: GitHub Creddump7)\n\nNotes:\nRid 500 account is the local, in-built administrator.\nRid 501 is the guest account.\nUser accounts start with a RID of 1,000+.\n\n#### Cached Credentials\n\nThe DCC2 (Domain Cached Credentials version 2) hash, used by Windows Vista and newer caches credentials when the domain controller is unavailable. The number of default cached credentials varies, and this number can be altered per system. This hash does not allow pass-the-hash style attacks.\n \nA number of tools can be used to retrieve the SAM file through in-memory techniques.\n\n* pwdumpx.exe \n* [gsecdump](https://attack.mitre.org/software/S0008)\n* [Mimikatz](https://attack.mitre.org/software/S0002)\n\nAlternatively, reg.exe can be used to extract from the Registry and Creddump7 used to gather the credentials.\n\nNotes:\nCached credentials for Windows Vista are derived using PBKDF2.\n\n#### Local Security Authority (LSA) Secrets\n\nWith SYSTEM access to a host, the LSA secrets often allows trivial access from a local account to domain-based account credentials. The Registry is used to store the LSA secrets.\n \nWhen services are run under the context of local or domain users, their passwords are stored in the Registry. If auto-logon is enabled, this information will be stored in the Registry as well.\n \nA number of tools can be used to retrieve the SAM file through in-memory techniques.\n\n* pwdumpx.exe \n* [gsecdump](https://attack.mitre.org/software/S0008)\n* [Mimikatz](https://attack.mitre.org/software/S0002)\n* secretsdump.py\n\nAlternatively, reg.exe can be used to extract from the Registry and Creddump7 used to gather the credentials.\n\nNotes:\nThe passwords extracted by his mechanism are UTF-16 encoded, which means that they are returned in plaintext.\nWindows 10 adds protections for LSA Secrets described in Mitigation.\n\n#### NTDS from Domain Controller\n\nActive Directory stores information about members of the domain including devices and users to verify credentials and define access rights. The Active Directory domain database is stored in the NTDS.dit file. By default the NTDS file will be located in %SystemRoot%\\NTDS\\Ntds.dit of a domain controller. (Citation: Wikipedia Active Directory)\n \nThe following tools and techniques can be used to enumerate the NTDS file and the contents of the entire Active Directory hashes.\n\n* Volume Shadow Copy\n* secretsdump.py\n* Using the in-built Windows tool, ntdsutil.exe\n* Invoke-NinjaCopy\n\n#### Group Policy Preference (GPP) Files\n\nGroup Policy Preferences (GPP) are tools that allowed administrators to create domain policies with embedded credentials. These policies, amongst other things, allow administrators to set local accounts.\n\nThese group policies are stored in SYSVOL on a domain controller, this means that any domain user can view the SYSVOL share and decrypt the password (the AES private key was leaked on-line. (Citation: Microsoft GPP Key) (Citation: SRD GPP)\n\nThe following tools and scripts can be used to gather and decrypt the password file from Group Policy Preference XML files:\n\n* Metasploit’s post exploitation module: \"post/windows/gather/credentials/gpp\"\n* Get-GPPPassword (Citation: Obscuresecurity Get-GPPPassword)\n* gpprefdecrypt.py\n\nNotes:\nOn the SYSVOL share, the following can be used to enumerate potential XML files.\ndir /s * .xml\n\n#### Service Principal Names (SPNs)\n\nSee [Kerberoasting](https://attack.mitre.org/techniques/T1208).\n\n#### Plaintext Credentials\n\nAfter a user logs on to a system, a variety of credentials are generated and stored in the Local Security Authority Subsystem Service (LSASS) process in memory. These credentials can be harvested by a administrative user or SYSTEM.\n\nSSPI (Security Support Provider Interface) functions as a common interface to several Security Support Providers (SSPs): A Security Support Provider is a dynamic-link library (DLL) that makes one or more security packages available to applications.\n\nThe following SSPs can be used to access credentials:\n\nMsv: Interactive logons, batch logons, and service logons are done through the MSV authentication package.\nWdigest: The Digest Authentication protocol is designed for use with Hypertext Transfer Protocol (HTTP) and Simple Authentication Security Layer (SASL) exchanges. (Citation: TechNet Blogs Credential Protection)\nKerberos: Preferred for mutual client-server domain authentication in Windows 2000 and later.\nCredSSP:  Provides SSO and Network Level Authentication for Remote Desktop Services. (Citation: Microsoft CredSSP)\n \nThe following tools can be used to enumerate credentials:\n\n* [Windows Credential Editor](https://attack.mitre.org/software/S0005)\n* [Mimikatz](https://attack.mitre.org/software/S0002)\n\nAs well as in-memory techniques, the LSASS process memory can be dumped from the target host and analyzed on a local system.\n\nFor example, on the target host use procdump:\n\n* procdump -ma lsass.exe lsass_dump\n\nLocally, mimikatz can be run:\n\n* sekurlsa::Minidump lsassdump.dmp\n* sekurlsa::logonPasswords\n\n#### DCSync\n\nDCSync is a variation on credential dumping which can be used to acquire sensitive information from a domain controller. Rather than executing recognizable malicious code, the action works by abusing the domain controller's application programming interface (API) (Citation: Microsoft DRSR Dec 2017) (Citation: Microsoft GetNCCChanges) (Citation: Samba DRSUAPI) (Citation: Wine API samlib.dll) to simulate the replication process from a remote domain controller. Any members of the Administrators, Domain Admins, Enterprise Admin groups or computer accounts on the domain controller are able to run DCSync to pull password data (Citation: ADSecurity Mimikatz DCSync) from Active Directory, which may include current and historical hashes of potentially useful accounts such as KRBTGT and Administrators. The hashes can then in turn be used to create a Golden Ticket for use in [Pass the Ticket](https://attack.mitre.org/techniques/T1097) (Citation: Harmj0y Mimikatz and DCSync) or change an account's password as noted in [Account Manipulation](https://attack.mitre.org/techniques/T1098). (Citation: InsiderThreat ChangeNTLM July 2017) DCSync functionality has been included in the \"lsadump\" module in Mimikatz. (Citation: GitHub Mimikatz lsadump Module) Lsadump also includes NetSync, which performs DCSync over a legacy replication protocol. (Citation: Microsoft NRPC Dec 2017)\n\n### Linux\n\n#### Proc filesystem\n\nThe /proc filesystem on Linux contains a great deal of information regarding the state of the running operating system. Processes running with root privileges can use this facility to scrape live memory of other running programs. If any of these programs store passwords in clear text or password hashes in memory, these values can then be harvested for either usage or brute force attacks, respectively. This functionality has been implemented in the [MimiPenguin](https://attack.mitre.org/software/S0179), an open source tool inspired by [Mimikatz](https://attack.mitre.org/software/S0002). The tool dumps process memory, then harvests passwords and hashes by looking for text strings and regex patterns for how given applications such as Gnome Keyring, sshd, and Apache use memory to store such authentication artifacts.", "meta": { "external_id": "CAPEC-567", "kill_chain": [ @@ -7283,31 +7712,31 @@ "refs": [ "https://attack.mitre.org/techniques/T1003", "https://capec.mitre.org/data/definitions/567.html", - "https://github.com/mattifestation/PowerSploit", - "http://www.harmj0y.net/blog/redteaming/mimikatz-and-dcsync-and-extrasids-oh-my/", - "https://adsecurity.org/?p=1729", - "https://github.com/gentilkiwi/mimikatz/wiki/module-~-lsadump", - "https://msdn.microsoft.com/library/cc228086.aspx", - "https://msdn.microsoft.com/library/dd207691.aspx", - "https://wiki.samba.org/index.php/DRSUAPI", - "https://source.winehq.org/WineAPI/samlib.html", - "https://blog.stealthbits.com/manipulating-user-passwords-with-mimikatz-SetNTLM-ChangeNTLM", - "https://msdn.microsoft.com/library/cc245496.aspx", - "https://msdn.microsoft.com/library/cc237008.aspx", "https://github.com/Neohapsis/creddump7", "https://en.wikipedia.org/wiki/Active_Directory", "https://msdn.microsoft.com/library/cc422924.aspx", "http://blogs.technet.com/b/srd/archive/2014/05/13/ms14-025-an-update-for-group-policy-preferences.aspx", + "https://obscuresecurity.blogspot.co.uk/2012/05/gpp-password-retrieval-with-powershell.html", "https://blogs.technet.microsoft.com/askpfeplat/2016/04/18/the-importance-of-kb2871997-and-kb2928120-for-credential-protection/", "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-vista/cc749211(v=ws.10)", - "https://obscuresecurity.blogspot.co.uk/2012/05/gpp-password-retrieval-with-powershell.html" + "https://msdn.microsoft.com/library/cc228086.aspx", + "https://msdn.microsoft.com/library/dd207691.aspx", + "https://wiki.samba.org/index.php/DRSUAPI", + "https://source.winehq.org/WineAPI/samlib.html", + "https://adsecurity.org/?p=1729", + "http://www.harmj0y.net/blog/redteaming/mimikatz-and-dcsync-and-extrasids-oh-my/", + "https://blog.stealthbits.com/manipulating-user-passwords-with-mimikatz-SetNTLM-ChangeNTLM", + "https://github.com/gentilkiwi/mimikatz/wiki/module-~-lsadump", + "https://msdn.microsoft.com/library/cc237008.aspx", + "https://github.com/mattifestation/PowerSploit", + "https://msdn.microsoft.com/library/cc245496.aspx" ] }, "uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22", "value": "Credential Dumping - T1003" }, { - "description": "Network sniffing refers to using the network interface on a system to monitor or capture information sent over a wired or wireless connection. An adversary may place a network interface into promiscuous mode to passively access data in transit over the network, or use span ports to capture a larger amount of data.\n\nData captured via this technique may include user credentials, especially those sent over an insecure, unencrypted protocol. Techniques for name service resolution poisoning, such as [LLMNR/NBT-NS Poisoning](https://attack.mitre.org/techniques/T1171), can also be used to capture credentials to websites, proxies, and internal systems by redirecting traffic to an adversary.\n\nNetwork sniffing may also reveal configuration details, such as running services, version numbers, and other network characteristics (ex: IP addressing, hostnames, VLAN IDs) necessary for follow-on Lateral Movement and/or Defense Evasion activities.", + "description": "Network sniffing refers to using the network interface on a system to monitor or capture information sent over a wired or wireless connection. An adversary may place a network interface into promiscuous mode to passively access data in transit over the network, or use span ports to capture a larger amount of data.\n\nData captured via this technique may include user credentials, especially those sent over an insecure, unencrypted protocol. Techniques for name service resolution poisoning, such as [LLMNR/NBT-NS Poisoning and Relay](https://attack.mitre.org/techniques/T1171), can also be used to capture credentials to websites, proxies, and internal systems by redirecting traffic to an adversary.\n\nNetwork sniffing may also reveal configuration details, such as running services, version numbers, and other network characteristics (ex: IP addressing, hostnames, VLAN IDs) necessary for follow-on Lateral Movement and/or Defense Evasion activities.", "meta": { "external_id": "CAPEC-158", "kill_chain": [ @@ -7442,7 +7871,7 @@ "value": "Connection Proxy - T1090" }, { - "description": "Adversaries may use brute force techniques to attempt access to accounts when passwords are unknown or when password hashes are obtained.\n\n[Credential Dumping](https://attack.mitre.org/techniques/T1003) to obtain password hashes may only get an adversary so far when [Pass the Hash](https://attack.mitre.org/techniques/T1075) is not an option. Techniques to systematically guess the passwords used to compute hashes are available, or the adversary may use a pre-computed rainbow table. Cracking hashes is usually done on adversary-controlled systems outside of the target network. (Citation: Wikipedia Password cracking)\n\nAdversaries may attempt to brute force logins without knowledge of passwords or hashes during an operation either with zero knowledge or by attempting a list of known or possible passwords. This is a riskier option because it could cause numerous authentication failures and account lockouts, depending on the organization's login failure policies. (Citation: Cylance Cleaver)\n\nA related technique called password spraying uses one password, or a small list of passwords, that matches the complexity policy of the domain and may be a commonly used password. Logins are attempted with that password and many different accounts on a network to avoid account lockouts that would normally occur when brute forcing a single account with many passwords. (Citation: BlackHillsInfosec Password Spraying)", + "description": "Adversaries may use brute force techniques to attempt access to accounts when passwords are unknown or when password hashes are obtained.\n\n[Credential Dumping](https://attack.mitre.org/techniques/T1003) is used to obtain password hashes, this may only get an adversary so far when [Pass the Hash](https://attack.mitre.org/techniques/T1075) is not an option. Techniques to systematically guess the passwords used to compute hashes are available, or the adversary may use a pre-computed rainbow table to crack hashes. Cracking hashes is usually done on adversary-controlled systems outside of the target network. (Citation: Wikipedia Password cracking)\n\nAdversaries may attempt to brute force logins without knowledge of passwords or hashes during an operation either with zero knowledge or by attempting a list of known or possible passwords. This is a riskier option because it could cause numerous authentication failures and account lockouts, depending on the organization's login failure policies. (Citation: Cylance Cleaver)\n\nA related technique called password spraying uses one password (e.g. 'Password01'), or a small list of passwords, that matches the complexity policy of the domain and may be a commonly used password. Logins are attempted with that password and many different accounts on a network to avoid account lockouts that would normally occur when brute forcing a single account with many passwords. (Citation: BlackHillsInfosec Password Spraying)\n\nTypically, management services over commonly used ports are used when password spraying. Commonly targeted services include the following:\n\n* SSH (22/TCP)\n* Telnet (23/TCP)\n* FTP (21/TCP)\n* NetBIOS / SMB / Samba (139/TCP & 445/TCP)\n* LDAP (389/TCP)\n* Kerberos (88/TCP)\n* RDP / Terminal Services (3389/TCP)\n* HTTP/HTTP Management Services (80/TCP & 443/TCP)\n* MSSQL (1433/TCP)\n* Oracle (1521/TCP)\n* MySQL (3306/TCP)\n* VNC (5900/TCP)\n\n\nIn default environments, LDAP and Kerberos connection attempts are less likely to trigger events over SMB, which creates Windows \"logon failure\" event ID 4625.", "meta": { "external_id": "T1110", "kill_chain": [ @@ -7460,7 +7889,8 @@ "https://attack.mitre.org/techniques/T1110", "https://en.wikipedia.org/wiki/Password_cracking", "https://www.cylance.com/content/dam/cylance/pages/operation-cleaver/Cylance_Operation_Cleaver_Report.pdf", - "http://www.blackhillsinfosec.com/?p=4645" + "http://www.blackhillsinfosec.com/?p=4645", + "https://www.trimarcsecurity.com/single-post/2018/05/06/Trimarc-Research-Detecting-Password-Spraying-with-Security-Event-Auditing" ] }, "uuid": "a93494bb-4b80-4ea1-8695-3236a49916fd", @@ -7568,7 +7998,7 @@ "value": "AppInit DLLs - T1103" }, { - "description": "A port monitor can be set through the (Citation: AddMonitor) API call to set a DLL to be loaded at startup. (Citation: AddMonitor) This DLL can be located in C:\\Windows\\System32 and will be loaded by the print spooler service, spoolsv.exe, on boot. The spoolsv.exe process also runs under SYSTEM level permissions. (Citation: Bloxham) Alternatively, an arbitrary DLL can be loaded if permissions allow writing a fully-qualified pathname for that DLL to HKLM\\SYSTEM\\CurrentControlSet\\Control\\Print\\Monitors. The Registry key contains entries for the following:\n* Local Port\n* Standard TCP/IP Port\n* USB Monitor\n* WSD Port\n\nAdversaries can use this technique to load malicious code at startup that will persist on system reboot and execute as SYSTEM.", + "description": "A port monitor can be set through the (Citation: AddMonitor) API call to set a DLL to be loaded at startup. (Citation: AddMonitor) This DLL can be located in C:\\Windows\\System32 and will be loaded by the print spooler service, spoolsv.exe, on boot. The spoolsv.exe process also runs under SYSTEM level permissions. (Citation: Bloxham) Alternatively, an arbitrary DLL can be loaded if permissions allow writing a fully-qualified pathname for that DLL to HKLM\\SYSTEM\\CurrentControlSet\\Control\\Print\\Monitors. \n\nThe Registry key contains entries for the following:\n\n* Local Port\n* Standard TCP/IP Port\n* USB Monitor\n* WSD Port\n\nAdversaries can use this technique to load malicious code at startup that will persist on system reboot and execute as SYSTEM.", "meta": { "external_id": "T1013", "kill_chain": [ @@ -7623,7 +8053,7 @@ "value": "Accessibility Features - T1015" }, { - "description": "Property list (plist) files contain all of the information that macOS and OS X uses to configure applications and services. These files are UT-8 encoded and formatted like XML documents via a series of keys surrounded by < >. They detail when programs should execute, file paths to the executables, program arguments, required OS permissions, and many others. plists are located in certain locations depending on their purpose such as /Library/Preferences (which execute with elevated privileges) and ~/Library/Preferences (which execute with a user's privileges). \nAdversaries can modify these plist files to point to their own code, can use them to execute their code in the context of another user, bypass whitelisting procedures, or even use them as a persistence mechanism. (Citation: Sofacy Komplex Trojan)", + "description": "Property list (plist) files contain all of the information that macOS and OS X uses to configure applications and services. These files are UTF-8 encoded and formatted like XML documents via a series of keys surrounded by < >. They detail when programs should execute, file paths to the executables, program arguments, required OS permissions, and many others. plists are located in certain locations depending on their purpose such as /Library/Preferences (which execute with elevated privileges) and ~/Library/Preferences (which execute with a user's privileges). \nAdversaries can modify these plist files to point to their own code, can use them to execute their code in the context of another user, bypass whitelisting procedures, or even use them as a persistence mechanism. (Citation: Sofacy Komplex Trojan)", "meta": { "external_id": "T1150", "kill_chain": [ @@ -7647,6 +8077,35 @@ "uuid": "06780952-177c-4247-b978-79c357fb311f", "value": "Plist Modification - T1150" }, + { + "description": "Systemd services can be used to establish persistence on a Linux system. The systemd service manager is commonly used for managing background daemon processes (also known as services) and other system resources.(Citation: Linux man-pages: systemd January 2014)(Citation: Freedesktop.org Linux systemd 29SEP2018) Systemd is the default initialization (init) system on many Linux distributions starting with Debian 8, Ubuntu 15.04, CentOS 7, RHEL 7, Fedora 15, and replaces legacy init systems including SysVinit and Upstart while remaining backwards compatible with the aforementioned init systems.\n\nSystemd utilizes configuration files known as service units to control how services boot and under what conditions. By default, these unit files are stored in the /etc/systemd/system and /usr/lib/systemd/system directories and have the file extension .service. Each service unit file may contain numerous directives that can execute system commands. \n\n* ExecStart, ExecStartPre, and ExecStartPost directives cover execution of commands when a services is started manually by 'systemctl' or on system start if the service is set to automatically start. \n* ExecReload directive covers when a service restarts. \n* ExecStop and ExecStopPost directives cover when a service is stopped or manually by 'systemctl'.\n\nAdversaries have used systemd functionality to establish persistent access to victim systems by creating and/or modifying service unit files that cause systemd to execute malicious commands at recurring intervals, such as at system boot.(Citation: Anomali Rocke March 2019)(Citation: gist Arch package compromise 10JUL2018)(Citation: Arch Linux Package Systemd Compromise BleepingComputer 10JUL2018)(Citation: acroread package compromised Arch Linux Mail 8JUL2018)\n\nWhile adversaries typically require root privileges to create/modify service unit files in the /etc/systemd/system and /usr/lib/systemd/system directories, low privilege users can create/modify service unit files in directories such as ~/.config/systemd/user/ to achieve user-level persistence.(Citation: Rapid7 Service Persistence 22JUNE2016)", + "meta": { + "external_id": "T1501", + "kill_chain": [ + "mitre-attack:persistence" + ], + "mitre_data_sources": [ + "Process command-line parameters", + "Process monitoring", + "File monitoring" + ], + "mitre_platforms": [ + "Linux" + ], + "refs": [ + "https://attack.mitre.org/techniques/T1501", + "http://man7.org/linux/man-pages/man1/systemd.1.html", + "https://www.freedesktop.org/wiki/Software/systemd/", + "https://www.anomali.com/blog/rocke-evolves-its-arsenal-with-a-new-malware-family-written-in-golang", + "https://gist.github.com/campuscodi/74d0d2e35d8fd9499c76333ce027345a", + "https://www.bleepingcomputer.com/news/security/malware-found-in-arch-linux-aur-package-repository/", + "https://lists.archlinux.org/pipermail/aur-general/2018-July/034153.html", + "https://www.rapid7.com/db/modules/exploit/linux/local/service_persistence" + ] + }, + "uuid": "0fff2797-19cb-41ea-a5f1-8a9303b8158e", + "value": "Systemd Service - T1501" + }, { "description": "Adversaries may add malicious content to an internally accessible website through an open network file share that contains the website's webroot or Web content directory (Citation: Microsoft Web Root OCT 2016) (Citation: Apache Server 2018) and then browse to that content with a Web browser to cause the server to execute the malicious content. The malicious content will typically run under the context and permissions of the Web server process, often resulting in local system or administrative privileges, depending on how the Web server is configured.\n\nThis mechanism of shared access and remote execution could be used for lateral movement to the system running the Web server. For example, a Web server running PHP with an open network share could allow an adversary to upload a remote access tool and PHP script to execute the RAT on the system running the Web server when a specific page is visited. (Citation: Webroot PHP 2011)", "meta": { @@ -8330,6 +8789,36 @@ "uuid": "7dd95ff6-712e-4056-9626-312ea4ab4c5e", "value": "Data Staged - T1074" }, + { + "description": "Execution guardrails constrain execution or actions based on adversary supplied environment specific conditions that are expected to be present on the target. \n\nGuardrails ensure that a payload only executes against an intended target and reduces collateral damage from an adversary’s campaign.(Citation: FireEye Kevin Mandia Guardrails) Values an adversary can provide about a target system or environment to use as guardrails may include specific network share names, attached physical devices, files, joined Active Directory (AD) domains, and local/external IP addresses.\n\nEnvironmental keying is one type of guardrail that includes cryptographic techniques for deriving encryption/decryption keys from specific types of values in a given computing environment.(Citation: EK Clueless Agents) Values can be derived from target-specific elements and used to generate a decryption key for an encrypted payload. Target-specific values can be derived from specific network shares, physical devices, software/software versions, files, joined AD domains, system time, and local/external IP addresses.(Citation: Kaspersky Gauss Whitepaper)(Citation: Proofpoint Router Malvertising)(Citation: EK Impeding Malware Analysis)(Citation: Environmental Keyed HTA)(Citation: Ebowla: Genetic Malware) By generating the decryption keys from target-specific environmental values, environmental keying can make sandbox detection, anti-virus detection, crowdsourcing of information, and reverse engineering difficult.(Citation: Kaspersky Gauss Whitepaper)(Citation: Ebowla: Genetic Malware) These difficulties can slow down the incident response process and help adversaries hide their tactics, techniques, and procedures (TTPs).\n\nSimilar to [Obfuscated Files or Information](https://attack.mitre.org/techniques/T1027), adversaries may use guardrails and environmental keying to help protect their TTPs and evade detection. For example, environmental keying may be used to deliver an encrypted payload to the target that will use target-specific values to decrypt the payload before execution.(Citation: Kaspersky Gauss Whitepaper)(Citation: EK Impeding Malware Analysis)(Citation: Environmental Keyed HTA)(Citation: Ebowla: Genetic Malware)(Citation: Demiguise Guardrail Router Logo) By utilizing target-specific values to decrypt the payload the adversary can avoid packaging the decryption key with the payload or sending it over a potentially monitored network connection. Depending on the technique for gathering target-specific values, reverse engineering of the encrypted payload can be exceptionally difficult.(Citation: Kaspersky Gauss Whitepaper) In general, guardrails can be used to prevent exposure of capabilities in environments that are not intended to be compromised or operated within. This use of guardrails is distinct from typical [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) where a decision can be made not to further engage because the value conditions specified by the adversary are meant to be target specific and not such that they could occur in any environment.", + "meta": { + "external_id": "T1480", + "kill_chain": [ + "mitre-attack:defense-evasion" + ], + "mitre_data_sources": [ + "Process monitoring" + ], + "mitre_platforms": [ + "Linux", + "macOS", + "Windows" + ], + "refs": [ + "https://attack.mitre.org/techniques/T1480", + "https://www.cyberscoop.com/kevin-mandia-fireeye-u-s-malware-nice/", + "https://www.schneier.com/academic/paperfiles/paper-clueless-agents.pdf", + "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/20134940/kaspersky-lab-gauss.pdf", + "https://www.proofpoint.com/us/threat-insight/post/home-routers-under-attack-malvertising-windows-android-devices", + "https://pdfs.semanticscholar.org/2721/3d206bc3c1e8c229fb4820b6af09e7f975da.pdf", + "https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2017/august/smuggling-hta-files-in-internet-exploreredge/", + "https://github.com/Genetic-Malware/Ebowla/blob/master/Eko_2016_Morrow_Pitts_Master.pdf", + "https://github.com/nccgroup/demiguise/blob/master/examples/virginkey.js" + ] + }, + "uuid": "853c4192-4311-43e1-bfbb-b11b14911852", + "value": "Execution Guardrails - T1480" + }, { "description": "Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.\n\n### Windows\n\nThere are multiple approaches to injecting code into a live process. Windows implementations include: (Citation: Endgame Process Injection July 2017)\n\n* **Dynamic-link library (DLL) injection** involves writing the path to a malicious DLL inside a process then invoking execution by creating a remote thread.\n* **Portable executable injection** involves writing malicious code directly into the process (without a file on disk) then invoking execution with either additional code or by creating a remote thread. The displacement of the injected code introduces the additional requirement for functionality to remap memory references. Variations of this method such as reflective DLL injection (writing a self-mapping DLL into a process) and memory module (map DLL when writing into process) overcome the address relocation issue. (Citation: Endgame HuntingNMemory June 2017)\n* **Thread execution hijacking** involves injecting malicious code or the path to a DLL into a thread of a process. Similar to [Process Hollowing](https://attack.mitre.org/techniques/T1093), the thread must first be suspended.\n* **Asynchronous Procedure Call** (APC) injection involves attaching malicious code to the APC Queue (Citation: Microsoft APC) of a process's thread. Queued APC functions are executed when the thread enters an alterable state. A variation of APC injection, dubbed \"Early Bird injection\", involves creating a suspended process in which malicious code can be written and executed before the process' entry point (and potentially subsequent anti-malware hooks) via an APC. (Citation: CyberBit Early Bird Apr 2018) AtomBombing (Citation: ENSIL AtomBombing Oct 2016) is another variation that utilizes APCs to invoke malicious code previously written to the global atom table. (Citation: Microsoft Atom Table)\n* **Thread Local Storage** (TLS) callback injection involves manipulating pointers inside a portable executable (PE) to redirect a process to malicious code before reaching the code's legitimate entry point. (Citation: FireEye TLS Nov 2017)\n\n### Mac and Linux\n\nImplementations for Linux and OS X/macOS systems include: (Citation: Datawire Code Injection) (Citation: Uninformed Needle)\n\n* **LD_PRELOAD, LD_LIBRARY_PATH** (Linux), **DYLD_INSERT_LIBRARIES** (Mac OS X) environment variables, or the dlfcn application programming interface (API) can be used to dynamically load a library (shared object) in a process which can be used to intercept API calls from the running process. (Citation: Phrack halfdead 1997)\n* **Ptrace system calls** can be used to attach to a running process and modify it in runtime. (Citation: Uninformed Needle)\n* **/proc/[pid]/mem** provides access to the memory of the process and can be used to read/write arbitrary data to it. This technique is very rare due to its complexity. (Citation: Uninformed Needle)\n* **VDSO hijacking** performs runtime injection on ELF binaries by manipulating code stubs mapped in from the linux-vdso.so shared object. (Citation: VDSO hijack 2009)\n\nMalware commonly utilizes process injection to access system resources through which Persistence and other environment modifications can be made. More sophisticated samples may perform multiple process injections to segment modules and further evade detection, utilizing named pipes or other inter-process communication (IPC) mechanisms as a communication channel.", "meta": { @@ -8455,7 +8944,7 @@ "value": "Account Discovery - T1087" }, { - "description": "Adversaries may steal the credentials of a specific user or service account using Credential Access techniques or capture credentials earlier in their reconnaissance process through social engineering for means of gaining Initial Access. \n\nCompromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access and remote desktop. Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.\n\nAdversaries may also create accounts, sometimes using pre-defined account names and passwords, as a means for persistence through backup access in case other means are unsuccessful. \n\nThe overlap of credentials and permissions across a network of systems is of concern because the adversary may be able to pivot across accounts and systems to reach a high level of access (i.e., domain or enterprise administrator) to bypass access controls set within the enterprise. (Citation: TechNet Credential Theft)", + "description": "Adversaries may steal the credentials of a specific user or service account using Credential Access techniques or capture credentials earlier in their reconnaissance process through social engineering for means of gaining Initial Access. \n\nAccounts that an adversary may use can fall into three categories: default, local, and domain accounts. Default accounts are those that are built-into an OS such as Guest or Administrator account on Windows systems or default factory/provider set accounts on other types of systems, software, or devices. Local accounts are those configured by an organization for use by users, remote support, services, or for administration on a single system or service. (Citation: Microsoft Local Accounts Feb 2019) Domain accounts are those managed by Active Directory Domain Services where access and permissions are configured across systems and services that are part of that domain. Domain accounts can cover users, administrators, and services.\n\nCompromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access and remote desktop. Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.\n\nDefault accounts are also not limited to Guest and Administrator on client machines, they also include accounts that are preset for equipment such as network devices and computer applications whether they are internal, open source, or COTS. Appliances that come preset with a username and password combination pose a serious threat to organizations that do not change it post installation, as they are easy targets for an adversary. Similarly, adversaries may also utilize publicly disclosed private keys, or stolen private keys, to legitimately connect to remote environments via [Remote Services](https://attack.mitre.org/techniques/T1021) (Citation: Metasploit SSH Module)\n\nThe overlap of account access, credentials, and permissions across a network of systems is of concern because the adversary may be able to pivot across accounts and systems to reach a high level of access (i.e., domain or enterprise administrator) to bypass access controls set within the enterprise. (Citation: TechNet Credential Theft)", "meta": { "external_id": "CAPEC-560", "kill_chain": [ @@ -8476,6 +8965,8 @@ "refs": [ "https://attack.mitre.org/techniques/T1078", "https://capec.mitre.org/data/definitions/560.html", + "https://docs.microsoft.com/en-us/windows/security/identity-protection/access-control/local-accounts", + "https://github.com/rapid7/metasploit-framework/tree/master/modules/exploits/linux/ssh", "https://technet.microsoft.com/en-us/library/dn535501.aspx", "https://technet.microsoft.com/en-us/library/dn487457.aspx" ] @@ -8540,7 +9031,7 @@ "value": "Account Manipulation - T1098" }, { - "description": "Adversaries may interact with the Windows Registry to hide configuration information within Registry keys, remove information as part of cleaning up, or as part of other techniques to aid in Persistence and Execution.\n\nAccess to specific areas of the Registry depends on account permissions, some requiring administrator-level access. The built-in Windows command-line utility [Reg](https://attack.mitre.org/software/S0075) may be used for local or remote Registry modification. (Citation: Microsoft Reg) Other tools may also be used, such as a remote access tool, which may contain functionality to interact with the Registry through the Windows API (see examples).\n\nRegistry modifications may also include actions to hide keys, such as prepending key names with a null character, which will cause an error and/or be ignored when read via [Reg](https://attack.mitre.org/software/S0075) or other utilities using the Win32 API. (Citation: Microsoft Reg)hide NOV 2006 Adversaries may abuse these pseudo-hidden keys to conceal payloads/commands used to establish Persistence. (Citation: TrendMicro POWELIKS AUG 2014) (Citation: SpectorOps Hiding Reg Jul 2017)\n\nThe Registry of a remote system may be modified to aid in execution of files as part of Lateral Movement. It requires the remote Registry service to be running on the target system. (Citation: Microsoft Remote) Often [Valid Accounts](https://attack.mitre.org/techniques/T1078) are required, along with access to the remote system's [Windows Admin Shares](https://attack.mitre.org/techniques/T1077) for RPC communication.", + "description": "Adversaries may interact with the Windows Registry to hide configuration information within Registry keys, remove information as part of cleaning up, or as part of other techniques to aid in Persistence and Execution.\n\nAccess to specific areas of the Registry depends on account permissions, some requiring administrator-level access. The built-in Windows command-line utility [Reg](https://attack.mitre.org/software/S0075) may be used for local or remote Registry modification. (Citation: Microsoft Reg) Other tools may also be used, such as a remote access tool, which may contain functionality to interact with the Registry through the Windows API (see examples).\n\nRegistry modifications may also include actions to hide keys, such as prepending key names with a null character, which will cause an error and/or be ignored when read via [Reg](https://attack.mitre.org/software/S0075) or other utilities using the Win32 API. (Citation: Microsoft Reghide NOV 2006) Adversaries may abuse these pseudo-hidden keys to conceal payloads/commands used to establish Persistence. (Citation: TrendMicro POWELIKS AUG 2014) (Citation: SpectorOps Hiding Reg Jul 2017)\n\nThe Registry of a remote system may be modified to aid in execution of files as part of Lateral Movement. It requires the remote Registry service to be running on the target system. (Citation: Microsoft Remote) Often [Valid Accounts](https://attack.mitre.org/techniques/T1078) are required, along with access to the remote system's [Windows Admin Shares](https://attack.mitre.org/techniques/T1077) for RPC communication.", "meta": { "external_id": "T1112", "kill_chain": [ @@ -8560,11 +9051,11 @@ "https://attack.mitre.org/techniques/T1112", "https://technet.microsoft.com/en-us/library/cc732643.aspx", "https://docs.microsoft.com/sysinternals/downloads/reghide", - "https://docs.microsoft.com/en-us/sysinternals/downloads/regdelnull", - "https://technet.microsoft.com/en-us/library/cc754820.aspx", + "https://blog.trendmicro.com/trendlabs-security-intelligence/poweliks-malware-hides-in-windows-registry/", "https://posts.specterops.io/hiding-registry-keys-with-psreflect-b18ec5ac8353", + "https://technet.microsoft.com/en-us/library/cc754820.aspx", "https://docs.microsoft.com/windows/security/threat-protection/auditing/event-4657", - "https://blog.trendmicro.com/trendlabs-security-intelligence/poweliks-malware-hides-in-windows-registry/" + "https://docs.microsoft.com/en-us/sysinternals/downloads/regdelnull" ] }, "uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4", @@ -8667,23 +9158,28 @@ "value": "Email Collection - T1114" }, { - "description": "When programs are executed that need additional privileges than are present in the current user context, it is common for the operating system to prompt the user for proper credentials to authorize the elevated privileges for the task. Adversaries can mimic this functionality to prompt users for credentials with a normal-looking prompt. This type of prompt can be accomplished with AppleScript:\n\nset thePassword to the text returned of (display dialog \"AdobeUpdater needs permission to check for updates. Please authenticate.\" default answer \"\")\n (Citation: OSX Keydnap malware)\n\nAdversaries can prompt a user for a number of reasons that mimic normal usage, such as a fake installer requiring additional access or a fake malware removal suite. (Citation: OSX Malware Exploits MacKeeper)", + "description": "When programs are executed that need additional privileges than are present in the current user context, it is common for the operating system to prompt the user for proper credentials to authorize the elevated privileges for the task (ex: [Bypass User Account Control](https://attack.mitre.org/techniques/T1088)).\n\nAdversaries may mimic this functionality to prompt users for credentials with a seemingly legitimate prompt for a number of reasons that mimic normal usage, such as a fake installer requiring additional access or a fake malware removal suite.(Citation: OSX Malware Exploits MacKeeper) This type of prompt can be used to collect credentials via various languages such as [AppleScript](https://attack.mitre.org/techniques/T1155)(Citation: LogRhythm Do You Trust Oct 2014)(Citation: OSX Keydnap malware) and [PowerShell](https://attack.mitre.org/techniques/T1086)(Citation: LogRhythm Do You Trust Oct 2014)(Citation: Enigma Phishing for Credentials Jan 2015).", "meta": { "external_id": "T1141", "kill_chain": [ "mitre-attack:credential-access" ], "mitre_data_sources": [ + "Process monitoring", + "Process command-line parameters", "User interface", - "Process monitoring" + "PowerShell logs" ], "mitre_platforms": [ - "macOS" + "macOS", + "Windows" ], "refs": [ "https://attack.mitre.org/techniques/T1141", + "https://baesystemsai.blogspot.com/2015/06/new-mac-os-malware-exploits-mackeeper.html", + "https://logrhythm.com/blog/do-you-trust-your-computer/", "https://www.welivesecurity.com/2016/07/06/new-osxkeydnap-malware-hungry-credentials/", - "https://baesystemsai.blogspot.com/2015/06/new-mac-os-malware-exploits-mackeeper.html" + "https://enigma0x3.net/2015/01/21/phishing-for-credentials-if-you-want-it-just-ask/" ] }, "uuid": "91ce1ede-107f-4d8b-bf4c-735e8789c94b", @@ -8788,7 +9284,7 @@ "value": "Automated Collection - T1119" }, { - "description": "Microsoft’s Open Office XML (OOXML) specification defines an XML-based format for Office documents (.docx, xlsx, .pptx) to replace older binary formats (.doc, .xls, .ppt). OOXML files are packed together ZIP archives compromised of various XML files, referred to as parts, containing properties that collectively define how a document is rendered. (Citation: Microsoft Open XML July 2017)\n\nProperties within parts may reference shared public resources accessed via online URLs. For example, template properties reference a file, serving as a pre-formatted document blueprint, that is fetched when the document is loaded.\n\nAdversaries may abuse this technology to initially conceal malicious code to be executed via documents (i.e. [Scripting](https://attack.mitre.org/techniques/T1064)). Template references injected into a document may enable malicious payloads to be fetched and executed when the document is loaded. These documents can be delivered via other techniques such as [Spearphishing Attachment](https://attack.mitre.org/techniques/T1193) and/or [Taint Shared Content](https://attack.mitre.org/techniques/T1080) and may evade static detections since no typical indicators (VBA macro, script, etc.) are present until after the malicious payload is fetched. (Citation: Redxorblue Remote Template Injection) Examples have been seen in the wild where template injection was used to load malicious code containing an exploit. (Citation: MalwareBytes Template Injection OCT 2017)\n\nThis technique may also enable [Forced Authentication](https://attack.mitre.org/techniques/T1187) by injecting a SMB/HTTPS (or other credential prompting) URL and triggering an authentication attempt. (Citation: Anomali Template Injection MAR 2018) (Citation: Talos Template Injection July 2017) (Citation: ryhanson phishery SEPT 2016)", + "description": "Microsoft’s Open Office XML (OOXML) specification defines an XML-based format for Office documents (.docx, xlsx, .pptx) to replace older binary formats (.doc, .xls, .ppt). OOXML files are packed together ZIP archives compromised of various XML files, referred to as parts, containing properties that collectively define how a document is rendered. (Citation: Microsoft Open XML July 2017)\n\nProperties within parts may reference shared public resources accessed via online URLs. For example, template properties reference a file, serving as a pre-formatted document blueprint, that is fetched when the document is loaded.\n\nAdversaries may abuse this technology to initially conceal malicious code to be executed via documents (i.e. [Scripting](https://attack.mitre.org/techniques/T1064)). Template references injected into a document may enable malicious payloads to be fetched and executed when the document is loaded. (Citation: SANS Brian Wiltse Template Injection) These documents can be delivered via other techniques such as [Spearphishing Attachment](https://attack.mitre.org/techniques/T1193) and/or [Taint Shared Content](https://attack.mitre.org/techniques/T1080) and may evade static detections since no typical indicators (VBA macro, script, etc.) are present until after the malicious payload is fetched. (Citation: Redxorblue Remote Template Injection) Examples have been seen in the wild where template injection was used to load malicious code containing an exploit. (Citation: MalwareBytes Template Injection OCT 2017)\n\nThis technique may also enable [Forced Authentication](https://attack.mitre.org/techniques/T1187) by injecting a SMB/HTTPS (or other credential prompting) URL and triggering an authentication attempt. (Citation: Anomali Template Injection MAR 2018) (Citation: Talos Template Injection July 2017) (Citation: ryhanson phishery SEPT 2016)", "meta": { "external_id": "T1221", "kill_chain": [ @@ -8806,11 +9302,12 @@ "refs": [ "https://attack.mitre.org/techniques/T1221", "https://docs.microsoft.com/previous-versions/office/developer/office-2007/aa338205(v=office.12)", - "https://forum.anomali.com/t/credential-harvesting-and-malicious-file-delivery-using-microsoft-office-template-injection/2104", + "https://www.sans.org/reading-room/whitepapers/testing/template-injection-attacks-bypassing-security-controls-living-land-38780", + "http://blog.redxorblue.com/2018/07/executing-macros-from-docx-with-remote.html", "https://blog.malwarebytes.com/threat-analysis/2017/10/decoy-microsoft-word-document-delivers-malware-through-rat/", + "https://forum.anomali.com/t/credential-harvesting-and-malicious-file-delivery-using-microsoft-office-template-injection/2104", "https://blog.talosintelligence.com/2017/07/template-injection.html", - "https://github.com/ryhanson/phishery", - "http://blog.redxorblue.com/2018/07/executing-macros-from-docx-with-remote.html" + "https://github.com/ryhanson/phishery" ] }, "uuid": "dc31fe1e-d722-49da-8f5f-92c7b5aff534", @@ -8942,7 +9439,7 @@ "value": "Domain Fronting - T1172" }, { - "description": "Dynamic-link libraries (DLLs) that are specified in the AppCertDLLs value in the Registry key HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Session Manager are loaded into every process that calls the ubiquitously used application programming interface (API) functions: (Citation: Endgame Process Injection July 2017)\n\n* CreateProcess\n* CreateProcessAsUser\n* CreateProcessWithLoginW\n* CreateProcessWithTokenW\n* WinExec\n\nSimilar to [Process Injection](https://attack.mitre.org/techniques/T1055), this value can be abused to obtain persistence and privilege escalation by causing a malicious DLL to be loaded and run in the context of separate processes on the computer.", + "description": "Dynamic-link libraries (DLLs) that are specified in the AppCertDLLs value in the Registry key HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Session Manager are loaded into every process that calls the ubiquitously used application programming interface (API) functions CreateProcess, CreateProcessAsUser, CreateProcessWithLoginW, CreateProcessWithTokenW, or WinExec. (Citation: Endgame Process Injection July 2017)\n\nSimilar to [Process Injection](https://attack.mitre.org/techniques/T1055), this value can be abused to obtain persistence and privilege escalation by causing a malicious DLL to be loaded and run in the context of separate processes on the computer.", "meta": { "external_id": "T1182", "kill_chain": [ @@ -8959,9 +9456,9 @@ ], "refs": [ "https://attack.mitre.org/techniques/T1182", + "https://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process", "https://technet.microsoft.com/en-us/sysinternals/bb963902", - "https://forum.sysinternals.com/appcertdlls_topic12546.html", - "https://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process" + "https://forum.sysinternals.com/appcertdlls_topic12546.html" ] }, "uuid": "4bf5845d-a814-4490-bc5c-ccdee6043025", @@ -9067,7 +9564,7 @@ "value": "Create Account - T1136" }, { - "description": "The Microsoft Windows Application Compatibility Infrastructure/Framework (Application Shim) was created to allow for backward compatibility of software as the operating system codebase changes over time. For example, the application shimming feature allows developers to apply fixes to applications (without rewriting code) that were created for Windows XP so that it will work with Windows 10. (Citation: Endgame Process Injection July 2017) Within the framework, shims are created to act as a buffer between the program (or more specifically, the Import Address Table) and the Windows OS. When a program is executed, the shim cache is referenced to determine if the program requires the use of the shim database (.sdb). If so, the shim database uses [Hooking](https://attack.mitre.org/techniques/T1179) to redirect the code as necessary in order to communicate with the OS. A list of all shims currently installed by the default Windows installer (sdbinst.exe) is kept in:\n\n* %WINDIR%\\AppPatch\\sysmain.sdb\n* hklm\\software\\microsoft\\windows nt\\currentversion\\appcompatflags\\installedsdb\n\nCustom databases are stored in:\n\n* %WINDIR%\\AppPatch\\custom & %WINDIR%\\AppPatch\\AppPatch64\\Custom\n* hklm\\software\\microsoft\\windows nt\\currentversion\\appcompatflags\\custom\n\nTo keep shims secure, Windows designed them to run in user mode so they cannot modify the kernel and you must have administrator privileges to install a shim. However, certain shims can be used to [Bypass User Account Control](https://attack.mitre.org/techniques/T1088) (UAC) (RedirectEXE), inject DLLs into processes (InjectDLL), disable Data Execution Prevention (DisableNX) and Structure Exception Handling (DisableSEH), and intercept memory addresses (GetProcAddress). Similar to [Hooking](https://attack.mitre.org/techniques/T1179), utilizing these shims may allow an adversary to perform several malicious acts such as elevate privileges, install backdoors, disable defenses like Windows Defender, etc.", + "description": "The Microsoft Windows Application Compatibility Infrastructure/Framework (Application Shim) was created to allow for backward compatibility of software as the operating system codebase changes over time. For example, the application shimming feature allows developers to apply fixes to applications (without rewriting code) that were created for Windows XP so that it will work with Windows 10. (Citation: Endgame Process Injection July 2017) Within the framework, shims are created to act as a buffer between the program (or more specifically, the Import Address Table) and the Windows OS. When a program is executed, the shim cache is referenced to determine if the program requires the use of the shim database (.sdb). If so, the shim database uses [Hooking](https://attack.mitre.org/techniques/T1179) to redirect the code as necessary in order to communicate with the OS. \n\nA list of all shims currently installed by the default Windows installer (sdbinst.exe) is kept in:\n\n* %WINDIR%\\AppPatch\\sysmain.sdb\n* hklm\\software\\microsoft\\windows nt\\currentversion\\appcompatflags\\installedsdb\n\nCustom databases are stored in:\n\n* %WINDIR%\\AppPatch\\custom & %WINDIR%\\AppPatch\\AppPatch64\\Custom\n* hklm\\software\\microsoft\\windows nt\\currentversion\\appcompatflags\\custom\n\nTo keep shims secure, Windows designed them to run in user mode so they cannot modify the kernel and you must have administrator privileges to install a shim. However, certain shims can be used to [Bypass User Account Control](https://attack.mitre.org/techniques/T1088) (UAC) (RedirectEXE), inject DLLs into processes (InjectDLL), disable Data Execution Prevention (DisableNX) and Structure Exception Handling (DisableSEH), and intercept memory addresses (GetProcAddress). Similar to [Hooking](https://attack.mitre.org/techniques/T1179), utilizing these shims may allow an adversary to perform several malicious acts such as elevate privileges, install backdoors, disable defenses like Windows Defender, etc.", "meta": { "external_id": "T1138", "kill_chain": [ @@ -9086,8 +9583,8 @@ ], "refs": [ "https://attack.mitre.org/techniques/T1138", - "https://www.blackhat.com/docs/eu-15/materials/eu-15-Pierce-Defending-Against-Malicious-Application-Compatibility-Shims-wp.pdf", - "https://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process" + "https://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process", + "https://www.blackhat.com/docs/eu-15/materials/eu-15-Pierce-Defending-Against-Malicious-Application-Compatibility-Shims-wp.pdf" ] }, "uuid": "7c93aa74-4bc0-4a9e-90ea-f25f86301566", @@ -9206,7 +9703,7 @@ "value": "Private Keys - T1145" }, { - "description": "An adversary with physical access to a mobile device may seek to bypass the device's lockscreen.\n\n### Biometric Spoofing\nIf biometric authentication is used, an adversary could attempt to spoof a mobile device's biometric authentication mechanism. For example, SRLabs (Citation: SRLabs-Fingerprint) describes providing a fake fingerprint, and SecureIDNews describes similar work by Michigan State University (Citation: SecureIDNews-Spoof). The Sun describes a case where someone else's face was able to unlock an iPhone X with Face ID (Citation: TheSun-FaceID).\n\niOS partly mitigates this attack by requiring the device passcode rather than a fingerprint to unlock the device after every device restart and after 48 hours since the device was last unlocked (Citation: Apple-TouchID). Android has similar mitigations.\n\n### Device Unlock Code Guessing or Brute Force\nAn adversary could attempt to brute-force or otherwise guess the lockscreen passcode (typically a PIN or password), including physically observing (\"shoulder surfing\") the device owner's use of the lockscreen passcode. \n\n### Exploit Other Device Lockscreen Vulnerabilities\nTechniques have periodically been demonstrated that exploit vulnerabilities on Android (Citation: Wired-AndroidBypass), iOS (Citation: Kaspersky-iOSBypass), or other mobile devices to bypass the device lockscreen. The vulnerabilities are generally patched by the device/operating system vendor once they become aware of their existence.", + "description": "An adversary with physical access to a mobile device may seek to bypass the device's lockscreen.\n\n### Biometric Spoofing\nIf biometric authentication is used, an adversary could attempt to spoof a mobile device's biometric authentication mechanism(Citation: SRLabs-Fingerprint)(Citation: SecureIDNews-Spoof)(Citation: TheSun-FaceID).\n\niOS partly mitigates this attack by requiring the device passcode rather than a fingerprint to unlock the device after every device restart and after 48 hours since the device was last unlocked (Citation: Apple-TouchID). Android has similar mitigations.\n\n### Device Unlock Code Guessing or Brute Force\nAn adversary could attempt to brute-force or otherwise guess the lockscreen passcode (typically a PIN or password), including physically observing (\"shoulder surfing\") the device owner's use of the lockscreen passcode. \n\n### Exploit Other Device Lockscreen Vulnerabilities\nTechniques have periodically been demonstrated that exploit vulnerabilities on Android (Citation: Wired-AndroidBypass), iOS (Citation: Kaspersky-iOSBypass), or other mobile devices to bypass the device lockscreen. The vulnerabilities are generally patched by the device/operating system vendor once they become aware of their existence.", "meta": { "external_id": "T1461", "kill_chain": [ @@ -9218,17 +9715,35 @@ ], "refs": [ "https://attack.mitre.org/techniques/T1461", - "https://www.wired.com/2015/09/hack-brief-new-emergency-number-hack-easily-bypasses-android-lock-screens/", - "https://threatpost.com/ios-10-passcode-bypass-can-access-photos-contacts/122033/", "https://srlabs.de/bites/spoofing-fingerprints/", - "https://support.apple.com/en-us/HT204587", "https://thehackernews.com/2016/05/android-kernal-exploit.htmlhttps://www.secureidnews.com/news-item/another-spoof-of-mobile-biometrics/", - "https://www.thesun.co.uk/tech/5584082/iphone-x-face-unlock-tricked-broken/" + "https://www.thesun.co.uk/tech/5584082/iphone-x-face-unlock-tricked-broken/", + "https://support.apple.com/en-us/HT204587", + "https://www.wired.com/2015/09/hack-brief-new-emergency-number-hack-easily-bypasses-android-lock-screens/", + "https://threatpost.com/ios-10-passcode-bypass-can-access-photos-contacts/122033/" ] }, "uuid": "dfe29258-ce59-421c-9dee-e85cb9fa90cd", "value": "Lockscreen Bypass - T1461" }, + { + "description": "An adversary may encrypt files stored on the mobile device to prevent the user from accessing them, for example with the intent of only unlocking access to the files after a ransom is paid. Without escalated privileges, the adversary is generally limited to only encrypting files in external/shared storage locations. This technique has been demonstrated on Android. We are unaware of any demonstrated use on iOS.", + "meta": { + "external_id": "APP-28", + "kill_chain": [ + "mitre-mobile-attack:effects" + ], + "mitre_platforms": [ + "Android" + ], + "refs": [ + "https://attack.mitre.org/techniques/T1471", + "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-28.html" + ] + }, + "uuid": "d9e88203-2b5d-405f-a406-2933b1e3d7e4", + "value": "Encrypt Files - T1471" + }, { "description": "Every user account in macOS has a userID associated with it. When creating a user, you can specify the userID for that account. There is a property value in /Library/Preferences/com.apple.loginwindow called Hide500Users that prevents users with userIDs 500 and lower from appearing at the login screen. By using the [Create Account](https://attack.mitre.org/techniques/T1136) technique with a userID under 500 and enabling this property (setting it to Yes), an adversary can hide their user accounts much more easily: sudo dscl . -create /Users/username UniqueID 401 (Citation: Cybereason OSX Pirrit).", "meta": { @@ -9297,6 +9812,24 @@ "uuid": "c1b11bf7-c68e-4fbf-a95b-28efbe7953bb", "value": "SSH Hijacking - T1184" }, + { + "description": "Adversaries may use an existing, legitimate external Web service as a means for relaying commands to a compromised system.\n\nThese commands may also include pointers to command and control (C2) infrastructure. Adversaries may post content, known as a dead drop resolver, on Web services with embedded (and often obfuscated/encoded) domains or IP addresses. Once infected, victims will reach out to and be redirected by these resolvers.\n\nPopular websites and social media acting as a mechanism for C2 may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to a compromise. Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. Web service providers commonly use SSL/TLS encryption, giving adversaries an added level of protection.\n\nUse of Web services may also protect back-end C2 infrastructure from discovery through malware binary analysis while also enabling operational resiliency (since this infrastructure may be dynamically changed).", + "meta": { + "external_id": "T1481", + "kill_chain": [ + "mitre-mobile-attack:command-and-control" + ], + "mitre_platforms": [ + "Android", + "iOS" + ], + "refs": [ + "https://attack.mitre.org/techniques/T1481" + ] + }, + "uuid": "c6a146ae-9c63-4606-97ff-e261e76e8380", + "value": "Web Service - T1481" + }, { "description": "As of OS X 10.8, mach-O binaries introduced a new header called LC_MAIN that points to the binary’s entry point for execution. Previously, there were two headers to achieve this same effect: LC_THREAD and LC_UNIXTHREAD (Citation: Prolific OSX Malware History). The entry point for a binary can be hijacked so that initial execution flows to a malicious addition (either another section or a code cave) and then goes back to the initial entry point so that the victim doesn’t know anything was different (Citation: Methods of Mac Malware Persistence). By modifying a binary in this way, application whitelisting can be bypassed because the file name or application path is still the same.", "meta": { @@ -9710,7 +10243,7 @@ "value": "Credential pharming - T1374" }, { - "description": "An adversary could download a legitimate app, disassemble it, add malicious code, and then reassemble the app, for example as described by Zhou and Jiang in (Citation: Zhou). The app would appear to be the original app but contain additional malicious functionality. The adversary could then publish this app to app stores or use another delivery technique.", + "description": "An adversary could download a legitimate app, disassemble it, add malicious code, and then reassemble the app(Citation: Zhou). The app would appear to be the original app but contain additional malicious functionality. The adversary could then publish this app to app stores or use another delivery technique.", "meta": { "external_id": "APP-14", "kill_chain": [ @@ -9729,6 +10262,113 @@ "uuid": "a93ccb8f-3996-42e2-b7c7-bb599d4e205f", "value": "Repackaged Application - T1444" }, + { + "description": "Adversaries may destroy data data and files on specific systems or in large numbers on a network to interrupt availability to systems, services, and network resources. Data destruction is likely to render stored data irrecoverable by forensic techniques through overwriting files or data on local and remote drives.(Citation: Symantec Shamoon 2012)(Citation: FireEye Shamoon Nov 2016)(Citation: Palo Alto Shamoon Nov 2016)(Citation: Kaspersky StoneDrill 2017)(Citation: Unit 42 Shamoon3 2018)(Citation: Talos Olympic Destroyer 2018) Common operating system file deletion commands such as del and rm often only remove pointers to files without wiping the contents of the files themselves, making the files recoverable by proper forensic methodology. This behavior is distinct from [Disk Content Wipe](https://attack.mitre.org/techniques/T1488) and [Disk Structure Wipe](https://attack.mitre.org/techniques/T1487) because individual files are destroyed rather than sections of a storage disk or the disk's logical structure.\n\nAdversaries may attempt to overwrite files and directories with randomly generated data to make it irrecoverable.(Citation: Kaspersky StoneDrill 2017)(Citation: Unit 42 Shamoon3 2018) In some cases politically oriented image files have been used to overwrite data.(Citation: FireEye Shamoon Nov 2016)(Citation: Palo Alto Shamoon Nov 2016)(Citation: Kaspersky StoneDrill 2017)\n\nTo maximize impact on the target organization in operations where network-wide availability interruption is the goal, malware designed for destroying data may have worm-like features to propagate across a network by leveraging additional techniques like [Valid Accounts](https://attack.mitre.org/techniques/T1078), [Credential Dumping](https://attack.mitre.org/techniques/T1003), and [Windows Admin Shares](https://attack.mitre.org/techniques/T1077).(Citation: Symantec Shamoon 2012)(Citation: FireEye Shamoon Nov 2016)(Citation: Palo Alto Shamoon Nov 2016)(Citation: Kaspersky StoneDrill 2017)(Citation: Talos Olympic Destroyer 2018)", + "meta": { + "external_id": "T1485", + "kill_chain": [ + "mitre-attack:impact" + ], + "mitre_data_sources": [ + "File monitoring", + "Process command-line parameters", + "Process monitoring" + ], + "mitre_platforms": [ + "Linux", + "macOS", + "Windows" + ], + "refs": [ + "https://attack.mitre.org/techniques/T1485", + "https://www.symantec.com/connect/blogs/shamoon-attacks", + "https://www.fireeye.com/blog/threat-research/2016/11/fireeye_respondsto.html", + "http://researchcenter.paloaltonetworks.com/2016/11/unit42-shamoon-2-return-disttrack-wiper/", + "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07180722/Report_Shamoon_StoneDrill_final.pdf", + "https://unit42.paloaltonetworks.com/shamoon-3-targets-oil-gas-organization/", + "https://blog.talosintelligence.com/2018/02/olympic-destroyer.html" + ] + }, + "uuid": "d45a3d09-b3cf-48f4-9f0f-f521ee5cb05c", + "value": "Data Destruction - T1485" + }, + { + "description": "Adversaries may overwrite or corrupt the flash memory contents of system BIOS or other firmware in devices attached to a system in order to render them inoperable or unable to boot.(Citation: Symantec Chernobyl W95.CIH) Firmware is software that is loaded and executed from non-volatile memory on hardware devices in order to initialize and manage device functionality. These devices could include the motherboard, hard drive, or video cards.", + "meta": { + "external_id": "T1495", + "kill_chain": [ + "mitre-attack:impact" + ], + "mitre_data_sources": [ + "BIOS", + "Component firmware" + ], + "mitre_platforms": [ + "Linux", + "macOS", + "Windows" + ], + "refs": [ + "https://attack.mitre.org/techniques/T1495", + "https://www.symantec.com/security-center/writeup/2000-122010-2655-99", + "http://www.mitre.org/publications/project-stories/going-deep-into-the-bios-with-mitre-firmware-security-research" + ] + }, + "uuid": "f5bb433e-bdf6-4781-84bc-35e97e43be89", + "value": "Firmware Corruption - T1495" + }, + { + "description": "Adversaries may leverage the resources of co-opted systems in order to solve resource intensive problems which may impact system and/or hosted service availability. \n\nOne common purpose for Resource Hijacking is to validate transactions of cryptocurrency networks and earn virtual currency. Adversaries may consume enough system resources to negatively impact and/or cause affected machines to become unresponsive.(Citation: Kaspersky Lazarus Under The Hood Blog 2017) Servers and cloud-based systems are common targets because of the high potential for available resources, but user endpoint systems may also be compromised and used for Resource Hijacking and cryptocurrency mining.", + "meta": { + "external_id": "T1496", + "kill_chain": [ + "mitre-attack:impact" + ], + "mitre_data_sources": [ + "Process use of network", + "Process monitoring", + "Network protocol analysis", + "Network device logs" + ], + "mitre_platforms": [ + "Linux", + "macOS", + "Windows" + ], + "refs": [ + "https://attack.mitre.org/techniques/T1496", + "https://securelist.com/lazarus-under-the-hood/77908/" + ] + }, + "uuid": "cd25c1b4-935c-4f0e-ba8d-552f28bc4783", + "value": "Resource Hijacking - T1496" + }, + { + "description": "Adversaries may stop or disable services on a system to render those services unavailable to legitimate users. Stopping critical services can inhibit or stop response to an incident or aid in the adversary's overall objectives to cause damage to the environment.(Citation: Talos Olympic Destroyer 2018)(Citation: Novetta Blockbuster) \n\nAdversaries may accomplish this by disabling individual services of high importance to an organization, such as MSExchangeIS, which will make Exchange content inaccessible (Citation: Novetta Blockbuster). In some cases, adversaries may stop or disable many or all services to render systems unusable.(Citation: Talos Olympic Destroyer 2018) Services may not allow for modification of their data stores while running. Adversaries may stop services in order to conduct [Data Destruction](https://attack.mitre.org/techniques/T1485) or [Data Encrypted for Impact](https://attack.mitre.org/techniques/T1486) on the data stores of services like Exchange and SQL Server.(Citation: SecureWorks WannaCry Analysis)", + "meta": { + "external_id": "T1489", + "kill_chain": [ + "mitre-attack:impact" + ], + "mitre_data_sources": [ + "Process command-line parameters", + "Process monitoring", + "Windows Registry", + "API monitoring" + ], + "mitre_platforms": [ + "Windows" + ], + "refs": [ + "https://attack.mitre.org/techniques/T1489", + "https://blog.talosintelligence.com/2018/02/olympic-destroyer.html", + "https://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Report.pdf", + "https://www.secureworks.com/research/wcry-ransomware-analysis" + ] + }, + "uuid": "20fb2507-d71c-455d-9b6d-6104461cf26b", + "value": "Service Stop - T1489" + }, { "description": "During the boot process, macOS executes source /etc/rc.common, which is a shell script containing various utility functions. This file also defines routines for processing command-line arguments and for gathering system settings, and is thus recommended to include in the start of Startup Item Scripts (Citation: Startup Items). In macOS and OS X, this is now a deprecated technique in favor of launch agents and launch daemons, but is currently still used.\n\nAdversaries can use the rc.common file as a way to hide code for persistence that will execute on each reboot as the root user (Citation: Methods of Mac Malware Persistence).", "meta": { @@ -9833,7 +10473,7 @@ "value": "Mshta - T1170" }, { - "description": "Screensavers are programs that execute after a configurable time of user inactivity and consist of Portable Executable (PE) files with a .scr file extension. (Citation: Wikipedia Screensaver) The Windows screensaver application scrnsave.exe is located in C:\\Windows\\System32\\ along with screensavers included with base Windows installations. The following screensaver settings are stored in the Registry (HKCU\\Control Panel\\Desktop\\) and could be manipulated to achieve persistence:\n\n* SCRNSAVE.exe - set to malicious PE path\n* ScreenSaveActive - set to '1' to enable the screensaver\n* ScreenSaverIsSecure - set to '0' to not require a password to unlock\n* ScreenSaverTimeout - sets user inactivity timeout before screensaver is executed\n\nAdversaries can use screensaver settings to maintain persistence by setting the screensaver to run malware after a certain timeframe of user inactivity. (Citation: ESET Gazer Aug 2017)", + "description": "Screensavers are programs that execute after a configurable time of user inactivity and consist of Portable Executable (PE) files with a .scr file extension.(Citation: Wikipedia Screensaver) The Windows screensaver application scrnsave.scr is located in C:\\Windows\\System32\\, and C:\\Windows\\sysWOW64\\ on 64-bit Windows systems, along with screensavers included with base Windows installations. \n\nThe following screensaver settings are stored in the Registry (HKCU\\Control Panel\\Desktop\\) and could be manipulated to achieve persistence:\n\n* SCRNSAVE.exe - set to malicious PE path\n* ScreenSaveActive - set to '1' to enable the screensaver\n* ScreenSaverIsSecure - set to '0' to not require a password to unlock\n* ScreenSaverTimeout - sets user inactivity timeout before screensaver is executed\n\nAdversaries can use screensaver settings to maintain persistence by setting the screensaver to run malware after a certain timeframe of user inactivity. (Citation: ESET Gazer Aug 2017)", "meta": { "external_id": "T1180", "kill_chain": [ @@ -9963,7 +10603,7 @@ "value": "Kerberoasting - T1208" }, { - "description": "Masquerading occurs when the name or location of an executable, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. Several different variations of this technique have been observed.\n\nOne variant is for an executable to be placed in a commonly trusted directory or given the name of a legitimate, trusted program. Alternatively, the filename given may be a close approximation of legitimate programs. This is done to bypass tools that trust executables by relying on file name or path, as well as to deceive defenders and system administrators into thinking a file is benign by associating the name with something that is thought to be legitimate.\n\n\n### Windows\nIn another variation of this technique, an adversary may use a renamed copy of a legitimate utility, such as rundll32.exe. (Citation: Endgame Masquerade Ball) An alternative case occurs when a legitimate utility is moved to a different directory and also renamed to avoid detections based on system utilities executing from non-standard paths. (Citation: F-Secure CozyDuke)\n\nAn example of abuse of trusted locations in Windows would be the C:\\Windows\\System32 directory. Examples of trusted binary names that can be given to malicious binares include \"explorer.exe\" and \"svchost.exe\".\n\n### Linux\nAnother variation of this technique includes malicious binaries changing the name of their running process to that of a trusted or benign process, after they have been launched as opposed to before. (Citation: Remaiten)\n\nAn example of abuse of trusted locations in Linux would be the /bin directory. Examples of trusted binary names that can be given to malicious binares include \"rsyncd\" and \"dbus-inotifier\". (Citation: Fysbis Palo Alto Analysis) (Citation: Fysbis Dr Web Analysis)", + "description": "Masquerading occurs when the name or location of an executable, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. Several different variations of this technique have been observed.\n\nOne variant is for an executable to be placed in a commonly trusted directory or given the name of a legitimate, trusted program. Alternatively, the filename given may be a close approximation of legitimate programs or something innocuous. An example of this is when a common system utility or program is moved and renamed to avoid detection based on its usage.(Citation: FireEye APT10 Sept 2018) This is done to bypass tools that trust executables by relying on file name or path, as well as to deceive defenders and system administrators into thinking a file is benign by associating the name with something that is thought to be legitimate.\n\nA third variant uses the right-to-left override (RTLO or RLO) character (U+202E) as a means of tricking a user into executing what they think is a benign file type but is actually executable code. RTLO is a non-printing character that causes the text that follows it to be displayed in reverse.(Citation: Infosecinstitute RTLO Technique) For example, a Windows screensaver file named March 25 \\u202Excod.scr will display as March 25 rcs.docx. A JavaScript file named photo_high_re\\u202Egnp.js will be displayed as photo_high_resj.png. A common use of this technique is with spearphishing attachments since it can trick both end users and defenders if they are not aware of how their tools display and render the RTLO character. Use of the RTLO character has been seen in many targeted intrusion attempts and criminal activity.(Citation: Trend Micro PLEAD RTLO)(Citation: Kaspersky RTLO Cyber Crime) RTLO can be used in the Windows Registry as well, where regedit.exe displays the reversed characters but the command line tool reg.exe does not by default. \n\n### Windows\nIn another variation of this technique, an adversary may use a renamed copy of a legitimate utility, such as rundll32.exe. (Citation: Endgame Masquerade Ball) An alternative case occurs when a legitimate utility is moved to a different directory and also renamed to avoid detections based on system utilities executing from non-standard paths. (Citation: F-Secure CozyDuke)\n\nAn example of abuse of trusted locations in Windows would be the C:\\Windows\\System32 directory. Examples of trusted binary names that can be given to malicious binares include \"explorer.exe\" and \"svchost.exe\".\n\n### Linux\nAnother variation of this technique includes malicious binaries changing the name of their running process to that of a trusted or benign process, after they have been launched as opposed to before. (Citation: Remaiten)\n\nAn example of abuse of trusted locations in Linux would be the /bin directory. Examples of trusted binary names that can be given to malicious binares include \"rsyncd\" and \"dbus-inotifier\". (Citation: Fysbis Palo Alto Analysis) (Citation: Fysbis Dr Web Analysis)", "meta": { "external_id": "T1036", "kill_chain": [ @@ -9981,18 +10621,23 @@ ], "refs": [ "https://attack.mitre.org/techniques/T1036", + "https://www.fireeye.com/blog/threat-research/2018/09/apt10-targeting-japanese-corporations-using-updated-ttps.html", + "https://resources.infosecinstitute.com/spoof-using-right-to-left-override-rtlo-technique-2/", + "https://blog.trendmicro.com/trendlabs-security-intelligence/plead-targeted-attacks-against-taiwanese-government-agencies-2/", + "https://securelist.com/zero-day-vulnerability-in-telegram/83800/", "https://www.endgame.com/blog/how-hunt-masquerade-ball", "https://www.f-secure.com/documents/996508/1030745/CozyDuke", "https://www.welivesecurity.com/2016/03/30/meet-remaiten-a-linux-bot-on-steroids-targeting-routers-and-potentially-other-iot-devices/", "https://researchcenter.paloaltonetworks.com/2016/02/a-look-into-fysbis-sofacys-linux-backdoor/", - "https://vms.drweb.com/virus/?i=4276269" + "https://vms.drweb.com/virus/?i=4276269", + "https://twitter.com/ItsReallyNick/status/1055321652777619457" ] }, "uuid": "42e8de7b-37b2-4258-905a-6897815e58e0", "value": "Masquerading - T1036" }, { - "description": "Adversaries may use scripts to aid in operations and perform multiple actions that would otherwise be manual. Scripting is useful for speeding up operational tasks and reducing the time required to gain access to critical resources. Some scripting languages may be used to bypass process monitoring mechanisms by directly interacting with the operating system at an API level instead of calling other programs. Common scripting languages for Windows include VBScript and PowerShell but could also be in the form of command-line batch scripts.\n\nScripts can be embedded inside Office documents as macros that can be set to execute when files used in [Spearphishing Attachment](https://attack.mitre.org/techniques/T1193) and other types of spearphishing are opened. Malicious embedded macros are an alternative means of execution than software exploitation through [Exploitation for Client Execution](https://attack.mitre.org/techniques/T1203), where adversaries will rely on macos being allowed or that the user will accept to activate them.\n\nMany popular offensive frameworks exist which use forms of scripting for security testers and adversaries alike. (Citation: Metasploit) (Citation: Metasploit), (Citation: Veil) (Citation: Veil), and PowerSploit (Citation: Powersploit) are three examples that are popular among penetration testers for exploit and post-compromise operations and include many features for evading defenses. Some adversaries are known to use PowerShell. (Citation: Alperovitch 2014)", + "description": "Adversaries may use scripts to aid in operations and perform multiple actions that would otherwise be manual. Scripting is useful for speeding up operational tasks and reducing the time required to gain access to critical resources. Some scripting languages may be used to bypass process monitoring mechanisms by directly interacting with the operating system at an API level instead of calling other programs. Common scripting languages for Windows include VBScript and PowerShell but could also be in the form of command-line batch scripts.\n\nScripts can be embedded inside Office documents as macros that can be set to execute when files used in [Spearphishing Attachment](https://attack.mitre.org/techniques/T1193) and other types of spearphishing are opened. Malicious embedded macros are an alternative means of execution than software exploitation through [Exploitation for Client Execution](https://attack.mitre.org/techniques/T1203), where adversaries will rely on macros being allowed or that the user will accept to activate them.\n\nMany popular offensive frameworks exist which use forms of scripting for security testers and adversaries alike. (Citation: Metasploit) (Citation: Metasploit), (Citation: Veil) (Citation: Veil), and PowerSploit (Citation: Powersploit) are three examples that are popular among penetration testers for exploit and post-compromise operations and include many features for evading defenses. Some adversaries are known to use PowerShell. (Citation: Alperovitch 2014)", "meta": { "external_id": "T1064", "kill_chain": [ @@ -10011,10 +10656,10 @@ ], "refs": [ "https://attack.mitre.org/techniques/T1064", - "https://blog.crowdstrike.com/deep-thought-chinese-targeting-national-security-think-tanks/", "http://www.metasploit.com", "https://www.veil-framework.com/framework/", "https://github.com/mattifestation/PowerSploit", + "https://blog.crowdstrike.com/deep-thought-chinese-targeting-national-security-think-tanks/", "https://www.uperesia.com/analyzing-malicious-office-documents" ] }, @@ -10047,13 +10692,16 @@ "value": "Bootkit - T1067" }, { - "description": "PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system. (Citation: TechNet PowerShell) Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the Start-Process cmdlet which can be used to run an executable and the Invoke-Command cmdlet which runs a command locally or on a remote computer. \n\nPowerShell may also be used to download and run executables from the Internet, which can be executed from disk or in memory without touching disk.\n\nAdministrator permissions are required to use PowerShell to connect to remote systems.\n\nA number of PowerShell-based offensive testing tools are available, including Empire, (Citation: Github PowerShell Empire) PowerSploit, (Citation: Powersploit) and PSAttack. (Citation: Github PSAttack)", + "description": "PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system. (Citation: TechNet PowerShell) Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the Start-Process cmdlet which can be used to run an executable and the Invoke-Command cmdlet which runs a command locally or on a remote computer. \n\nPowerShell may also be used to download and run executables from the Internet, which can be executed from disk or in memory without touching disk.\n\nAdministrator permissions are required to use PowerShell to connect to remote systems.\n\nA number of PowerShell-based offensive testing tools are available, including [Empire](https://attack.mitre.org/software/S0363), PowerSploit, (Citation: Powersploit) and PSAttack. (Citation: Github PSAttack)\n\nPowerShell commands/scripts can also be executed without directly invoking the powershell.exe binary through interfaces to PowerShell's underlying System.Management.Automation assembly exposed through the .NET framework and Windows Common Language Interface (CLI). (Citation: Sixdub PowerPick Jan 2016)(Citation: SilentBreak Offensive PS Dec 2015) (Citation: Microsoft PSfromCsharp APR 2014)", "meta": { "external_id": "T1086", "kill_chain": [ "mitre-attack:execution" ], "mitre_data_sources": [ + "PowerShell logs", + "Loaded DLLs", + "DLL monitoring", "Windows Registry", "File monitoring", "Process monitoring", @@ -10064,12 +10712,14 @@ ], "refs": [ "https://attack.mitre.org/techniques/T1086", - "https://www.fireeye.com/blog/threat-research/2016/02/greater_visibilityt.html", "https://technet.microsoft.com/en-us/scriptcenter/dd742419.aspx", "https://github.com/mattifestation/PowerSploit", "https://github.com/jaredhaight/PSAttack", - "https://github.com/PowerShellEmpire/Empire", - "http://www.malwarearchaeology.com/s/Windows-PowerShell-Logging-Cheat-Sheet-ver-June-2016-v2.pdf" + "http://www.sixdub.net/?p=367", + "https://silentbreaksecurity.com/powershell-jobs-without-powershell-exe/", + "https://blogs.msdn.microsoft.com/kebab/2014/04/28/executing-powershell-scripts-from-c/", + "http://www.malwarearchaeology.com/s/Windows-PowerShell-Logging-Cheat-Sheet-ver-June-2016-v2.pdf", + "https://www.fireeye.com/blog/threat-research/2016/02/greater_visibilityt.html" ] }, "uuid": "f4882e23-8aa7-4b12-b28a-b349c12ee9e0", @@ -10119,8 +10769,9 @@ "refs": [ "https://attack.mitre.org/techniques/T1117", "https://support.microsoft.com/en-us/kb/249873", - "https://www.fireeye.com/blog/threat-research/2017/02/spear_phishing_techn.html", - "https://www.carbonblack.com/2016/04/28/threat-advisory-squiblydoo-continues-trend-of-attackers-using-native-os-tools-to-live-off-the-land/" + "https://web.archive.org/web/20161128183535/https://subt0x10.blogspot.com/2016/04/bypass-application-whitelisting-script.html", + "https://www.carbonblack.com/2016/04/28/threat-advisory-squiblydoo-continues-trend-of-attackers-using-native-os-tools-to-live-off-the-land/", + "https://www.fireeye.com/blog/threat-research/2017/02/spear_phishing_techn.html" ] }, "uuid": "68f7e3a1-f09f-4164-9a62-16b648a0dd5a", @@ -10299,7 +10950,38 @@ "value": "HISTCONTROL - T1148" }, { - "description": "macOS and OS X applications send AppleEvent messages to each other for interprocess communications (IPC). These messages can be easily scripted with AppleScript for local or remote IPC. Osascript executes AppleScript and any other Open Scripting Architecture (OSA) language scripts. A list of OSA languages installed on a system can be found by using the osalang program.\nAppleEvent messages can be sent independently or as part of a script. These events can locate open windows, send keystrokes, and interact with almost any open application locally or remotely. \n\nAdversaries can use this to interact with open SSH connection, move to remote machines, and even present users with fake dialog boxes. These events cannot start applications remotely (they can start them locally though), but can interact with applications if they're already running remotely. Since this is a scripting language, it can be used to launch more common techniques as well such as a reverse shell via python (Citation: Macro Malware Targets Macs). Scripts can be run from the command lie via osascript /path/to/script or osascript -e \"script here\".", + "description": "Adversaries may modify visual content available internally or externally to an enterprise network. Reasons for Defacement include delivering messaging, intimidation, or claiming (possibly false) credit for an intrusion. \n\n### Internal\nAn adversary may deface systems internal to an organization in an attempt to intimidate or mislead users. This may take the form of modifications to internal websites, or directly to user systems with the replacement of the desktop wallpaper.(Citation: Novetta Blockbuster) Disturbing or offensive images may be used as a part of Defacement in order to cause user discomfort, or to pressure compliance with accompanying messages. While internally defacing systems exposes an adversary's presence, it often takes place after other intrusion goals have been accomplished.(Citation: Novetta Blockbuster Destructive Malware)\n\n### External \nWebsites are a common victim of defacement; often targeted by adversary and hacktivist groups in order to push a political message or spread propaganda.(Citation: FireEye Cyber Threats to Media Industries)(Citation: Kevin Mandia Statement to US Senate Committee on Intelligence)(Citation: Anonymous Hackers Deface Russian Govt Site) Defacement may be used as a catalyst to trigger events, or as a response to actions taken by an organization or government. Similarly, website defacement may also be used as setup, or a precursor, for future attacks such as [Drive-by Compromise](https://attack.mitre.org/techniques/T1189).(Citation: Trend Micro Deep Dive Into Defacement)\n", + "meta": { + "external_id": "T1491", + "kill_chain": [ + "mitre-attack:impact" + ], + "mitre_data_sources": [ + "Packet capture", + "Web application firewall logs", + "Web logs", + "Packet capture" + ], + "mitre_platforms": [ + "Linux", + "macOS", + "Windows" + ], + "refs": [ + "https://attack.mitre.org/techniques/T1491", + "https://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Report.pdf", + "https://operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Destructive-Malware-Report.pdf", + "https://www.fireeye.com/content/dam/fireeye-www/current-threats/pdfs/ib-entertainment.pdf", + "https://www.intelligence.senate.gov/sites/default/files/documents/os-kmandia-033017.pdf", + "https://torrentfreak.com/anonymous-hackers-deface-russian-govt-site-to-protest-web-blocking-nsfw-180512/", + "https://documents.trendmicro.com/assets/white_papers/wp-a-deep-dive-into-defacement.pdf" + ] + }, + "uuid": "5909f20f-3c39-4795-be06-ef1ea40d350b", + "value": "Defacement - T1491" + }, + { + "description": "macOS and OS X applications send AppleEvent messages to each other for interprocess communications (IPC). These messages can be easily scripted with AppleScript for local or remote IPC. Osascript executes AppleScript and any other Open Scripting Architecture (OSA) language scripts. A list of OSA languages installed on a system can be found by using the osalang program.\nAppleEvent messages can be sent independently or as part of a script. These events can locate open windows, send keystrokes, and interact with almost any open application locally or remotely. \n\nAdversaries can use this to interact with open SSH connection, move to remote machines, and even present users with fake dialog boxes. These events cannot start applications remotely (they can start them locally though), but can interact with applications if they're already running remotely. Since this is a scripting language, it can be used to launch more common techniques as well such as a reverse shell via python (Citation: Macro Malware Targets Macs). Scripts can be run from the command-line via osascript /path/to/script or osascript -e \"script here\".", "meta": { "external_id": "T1155", "kill_chain": [ @@ -10346,7 +11028,7 @@ "value": "Sudo - T1169" }, { - "description": "Windows processes often leverage application programming interface (API) functions to perform tasks that require reusable system resources. Windows API functions are typically stored in dynamic-link libraries (DLLs) as exported functions. Hooking involves redirecting calls to these functions and can be implemented via:\n\n* **Hooks procedures**, which intercept and execute designated code in response to events such as messages, keystrokes, and mouse inputs. (Citation: Microsoft Hook Overview) (Citation: Endgame Process Injection July 2017)\n* **Import address table (IAT) hooking**, which use modifications to a process’s IAT, where pointers to imported API functions are stored. (Citation: Endgame Process Injection July 2017) (Citation: Adlice Software IAT Hooks Oct 2014) (Citation: MWRInfoSecurity Dynamic Hooking 2015)\n* **Inline hooking**, which overwrites the first bytes in an API function to redirect code flow. (Citation: Endgame Process Injection July 2017) (Citation: HighTech Bridge Inline Hooking Sept 2011) (Citation: MWRInfoSecurity Dynamic Hooking 2015)\n\nSimilar to [Process Injection](https://attack.mitre.org/techniques/T1055), adversaries may use hooking to load and execute malicious code within the context of another process, masking the execution while also allowing access to the process's memory and possibly elevated privileges. Installing hooking mechanisms may also provide Persistence via continuous invocation when the functions are called through normal use.\n\nMalicious hooking mechanisms may also capture API calls that include parameters that reveal user authentication credentials for Credential Access. (Citation: Microsoft TrojanSpy:Win32/Ursnif.gen!I Sept 2017)\n\nHooking is commonly utilized by [Rootkit](https://attack.mitre.org/techniques/T1014)s to conceal files, processes, Registry keys, and other objects in order to hide malware and associated behaviors. (Citation: Symantec Windows Rootkits)", + "description": "Windows processes often leverage application programming interface (API) functions to perform tasks that require reusable system resources. Windows API functions are typically stored in dynamic-link libraries (DLLs) as exported functions. \n\nHooking involves redirecting calls to these functions and can be implemented via:\n\n* **Hooks procedures**, which intercept and execute designated code in response to events such as messages, keystrokes, and mouse inputs. (Citation: Microsoft Hook Overview) (Citation: Endgame Process Injection July 2017)\n* **Import address table (IAT) hooking**, which use modifications to a process’s IAT, where pointers to imported API functions are stored. (Citation: Endgame Process Injection July 2017) (Citation: Adlice Software IAT Hooks Oct 2014) (Citation: MWRInfoSecurity Dynamic Hooking 2015)\n* **Inline hooking**, which overwrites the first bytes in an API function to redirect code flow. (Citation: Endgame Process Injection July 2017) (Citation: HighTech Bridge Inline Hooking Sept 2011) (Citation: MWRInfoSecurity Dynamic Hooking 2015)\n\nSimilar to [Process Injection](https://attack.mitre.org/techniques/T1055), adversaries may use hooking to load and execute malicious code within the context of another process, masking the execution while also allowing access to the process's memory and possibly elevated privileges. Installing hooking mechanisms may also provide Persistence via continuous invocation when the functions are called through normal use.\n\nMalicious hooking mechanisms may also capture API calls that include parameters that reveal user authentication credentials for Credential Access. (Citation: Microsoft TrojanSpy:Win32/Ursnif.gen!I Sept 2017)\n\nHooking is commonly utilized by [Rootkit](https://attack.mitre.org/techniques/T1014)s to conceal files, processes, Registry keys, and other objects in order to hide malware and associated behaviors. (Citation: Symantec Windows Rootkits)", "meta": { "external_id": "T1179", "kill_chain": [ @@ -10367,20 +11049,20 @@ ], "refs": [ "https://attack.mitre.org/techniques/T1179", - "https://www.adlice.com/userland-rootkits-part-1-iat-hooks/", - "https://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process", - "https://eyeofrablog.wordpress.com/2017/06/27/windows-keylogger-part-2-defense-against-user-land/", - "http://www.gmer.net/", - "https://www.exploit-db.com/docs/17802.pdf", - "https://github.com/jay/gethooks", - "https://www.mwrinfosecurity.com/our-thinking/dynamic-hooking-techniques-user-mode/", "https://msdn.microsoft.com/library/windows/desktop/ms644959.aspx", - "https://msdn.microsoft.com/library/windows/desktop/ms686701.aspx", - "https://github.com/prekageo/winhook", - "https://security.stackexchange.com/questions/17904/what-are-the-methods-to-find-hooked-functions-and-apis", + "https://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process", + "https://www.adlice.com/userland-rootkits-part-1-iat-hooks/", + "https://www.mwrinfosecurity.com/our-thinking/dynamic-hooking-techniques-user-mode/", + "https://www.exploit-db.com/docs/17802.pdf", "https://www.symantec.com/avcenter/reference/windows.rootkit.overview.pdf", "https://volatility-labs.blogspot.com/2012/09/movp-31-detecting-malware-hooks-in.html", - "https://zairon.wordpress.com/2006/12/06/any-application-defined-hook-procedure-on-my-machine/" + "https://github.com/prekageo/winhook", + "https://github.com/jay/gethooks", + "https://zairon.wordpress.com/2006/12/06/any-application-defined-hook-procedure-on-my-machine/", + "https://eyeofrablog.wordpress.com/2017/06/27/windows-keylogger-part-2-defense-against-user-land/", + "http://www.gmer.net/", + "https://msdn.microsoft.com/library/windows/desktop/ms686701.aspx", + "https://security.stackexchange.com/questions/17904/what-are-the-methods-to-find-hooked-functions-and-apis" ] }, "uuid": "66f73398-8394-4711-85e5-34c8540b22a5", @@ -10401,5 +11083,5 @@ "value": "DNSCalc - T1324" } ], - "version": 8 + "version": 9 } diff --git a/clusters/mitre-course-of-action.json b/clusters/mitre-course-of-action.json index 23efe07..8483059 100644 --- a/clusters/mitre-course-of-action.json +++ b/clusters/mitre-course-of-action.json @@ -343,14 +343,14 @@ "type": "mitigates" }, { - "dest-uuid": "82f04b1e-5371-4a6f-be06-411f0f43b483", + "dest-uuid": "9d7c32f4-ab39-49dc-8055-8106bc2294a1", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "mitigates" }, { - "dest-uuid": "9d7c32f4-ab39-49dc-8055-8106bc2294a1", + "dest-uuid": "82f04b1e-5371-4a6f-be06-411f0f43b483", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -1016,7 +1016,7 @@ "value": "Signed Script Proxy Execution Mitigation - T1216" }, { - "description": "Certain signed binaries that can be used to execute other programs may not be necessary within a given environment. Use application whitelisting configured to block execution of these scripts if they are not required for a given system or network to prevent potential misuse by adversaries.", + "description": "Certain signed binaries that can be used to execute other programs may not be necessary within a given environment. Use application whitelisting configured to block execution of these binaries if they are not required for a given system or network to prevent potential misuse by adversaries. If these binaries are required for use, then restrict execution of them to privileged accounts or groups that need to use them to lessen the opportunities for malicious use.", "meta": { "external_id": "T1218", "refs": [ @@ -1121,6 +1121,74 @@ "uuid": "84d633a4-dd93-40ca-8510-40238c021931", "value": "Hidden Files and Directories Mitigation - T1158" }, + { + "description": "Consider implementing IT disaster recovery plans that contain procedures for regularly taking and testing data backups that can be used to restore organizational data.(Citation: Ready.gov IT DRP)\n\nIn some cases, the means to decrypt files affected by a ransomware campaign is released to the public. Research trusted sources for public releases of decryptor tools/keys to reverse the effects of ransomware.\n\nIdentify potentially malicious software and audit and/or block it by using whitelisting(Citation: Beechey 2010) tools, like AppLocker,(Citation: Windows Commands JPCERT)(Citation: NSA MS AppLocker) or Software Restriction Policies(Citation: Corio 2008) where appropriate.(Citation: TechNet Applocker vs SRP)", + "meta": { + "external_id": "T1486", + "refs": [ + "https://attack.mitre.org/techniques/T1486", + "https://www.ready.gov/business/implementation/IT", + "http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599", + "http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html", + "https://www.iad.gov/iad/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm", + "http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx", + "https://technet.microsoft.com/en-us/library/ee791851.aspx" + ] + }, + "related": [ + { + "dest-uuid": "b80d107d-fa0d-4b60-9684-b0433e8bdba0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], + "uuid": "429a5c0c-e132-45c0-a4aa-c1f736c92a1c", + "value": "Data Encrypted for Impact Mitigation - T1486" + }, + { + "description": "When flood volumes exceed the capacity of the network connection being targeted, it is typically necessary to intercept the incoming traffic upstream to filter out the attack traffic from the legitimate traffic. Such defenses can be provided by the hosting Internet Service Provider (ISP) or by a 3rd party such as a Content Delivery Network (CDN) or providers specializing in DoS mitigations.(Citation: CERT-EU DDoS March 2017)\n\nDepending on flood volume, on-premises filtering may be possible by blocking source addresses sourcing the attack, blocking ports that are being targeted, or blocking protocols being used for transport.(Citation: CERT-EU DDoS March 2017)\n\nAs immediate response may require rapid engagement of 3rd parties, analyze the risk associated to critical resources being affected by Network DoS attacks and create a disaster recovery plan/business continuity plan to respond to incidents.(Citation: CERT-EU DDoS March 2017)", + "meta": { + "external_id": "T1498", + "refs": [ + "https://attack.mitre.org/techniques/T1498", + "http://cert.europa.eu/static/WhitePapers/CERT-EU_Security_Whitepaper_DDoS_17-003.pdf" + ] + }, + "related": [ + { + "dest-uuid": "d74c4a7e-ffbf-432f-9365-7ebf1f787cab", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], + "uuid": "654addf1-47ab-410a-8578-e1a0dc2a49b8", + "value": "Network Denial of Service Mitigation - T1498" + }, + { + "description": "Leverage services provided by Content Delivery Networks (CDN) or providers specializing in DoS mitigations to filter traffic upstream from services.(Citation: CERT-EU DDoS March 2017) Filter boundary traffic by blocking source addresses sourcing the attack, blocking ports that are being targeted, or blocking protocols being used for transport. To defend against SYN floods, enable SYN Cookies.", + "meta": { + "external_id": "T1499", + "refs": [ + "https://attack.mitre.org/techniques/T1499", + "http://cert.europa.eu/static/WhitePapers/CERT-EU_Security_Whitepaper_DDoS_17-003.pdf" + ] + }, + "related": [ + { + "dest-uuid": "c675646d-e204-4aa8-978d-e3d6d65885c4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], + "uuid": "82c21600-ccb6-4232-8c04-ef3792b56628", + "value": "Endpoint Denial of Service Mitigation - T1499" + }, { "description": "Application developers should use device-provided credential storage mechanisms such as Android's KeyStore or iOS's KeyChain. These can prevent credentials from being exposed to an adversary.", "meta": { @@ -1209,9 +1277,9 @@ { "description": "Identify unnecessary system utilities or potentially malicious software that may be used to acquire information about system users, and audit and/or block them by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)", "meta": { - "external_id": "T1033", + "external_id": "T1482", "refs": [ - "https://attack.mitre.org/techniques/T1033", + "https://attack.mitre.org/techniques/T1482", "http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599", "http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html", "https://www.iad.gov/iad/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm", @@ -1226,10 +1294,17 @@ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "mitigates" + }, + { + "dest-uuid": "767dbf9e-df3f-45cb-8998-4903ab5f80c0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" } ], "uuid": "16f144e4-c780-4ed2-98b4-55d14e2dfa44", - "value": "System Owner/User Discovery Mitigation - T1033" + "value": "System Owner/User Discovery Mitigation - T1482" }, { "description": "Identify unnecessary system utilities or potentially malicious software that may be used to acquire information, and audit and/or block them by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)", @@ -1295,90 +1370,6 @@ ], "type": "mitigates" }, - { - "dest-uuid": "79eec66a-9bd0-4a3f-ac82-19159e94bd44", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - }, - { - "dest-uuid": "fd339382-bfec-4bf0-8d47-1caedc9e7e57", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - }, - { - "dest-uuid": "351c0927-2fc1-4a2c-ad84-cbbee7eb8172", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - }, - { - "dest-uuid": "8f0e39c6-82c9-41ec-9f93-5696c0f2e274", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - }, - { - "dest-uuid": "82f04b1e-5371-4a6f-be06-411f0f43b483", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - }, - { - "dest-uuid": "ef771e03-e080-43b4-a619-ac6f84899884", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - }, - { - "dest-uuid": "cde2cb84-455e-410c-8aa9-086f2788bcd2", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - }, - { - "dest-uuid": "3b0b604f-10db-41a0-b54c-493124d455b9", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - }, - { - "dest-uuid": "3dd58c80-4c2e-458c-9503-1b2cd273c4d2", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - }, - { - "dest-uuid": "dfe29258-ce59-421c-9dee-e85cb9fa90cd", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - }, - { - "dest-uuid": "88932a8c-3a17-406f-9431-1da3ff19f6d6", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - }, - { - "dest-uuid": "1b51f5bc-b97a-498a-8dbd-bc6b1901bf19", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - }, { "dest-uuid": "2204c371-6100-4ae0-82f3-25c07c29772a", "tags": [ @@ -1387,21 +1378,7 @@ "type": "mitigates" }, { - "dest-uuid": "29e07491-8947-43a3-8d4e-9a787c45f3d3", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - }, - { - "dest-uuid": "e8b4e1ec-8e3b-484c-9038-4459b1ed8060", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - }, - { - "dest-uuid": "2d646840-f6f5-4619-a5a8-29c8316bbac5", + "dest-uuid": "cde2cb84-455e-410c-8aa9-086f2788bcd2", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -1421,6 +1398,34 @@ ], "type": "mitigates" }, + { + "dest-uuid": "29e07491-8947-43a3-8d4e-9a787c45f3d3", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "3b0b604f-10db-41a0-b54c-493124d455b9", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "79eec66a-9bd0-4a3f-ac82-19159e94bd44", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "2d646840-f6f5-4619-a5a8-29c8316bbac5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, { "dest-uuid": "702055ac-4e54-4ae9-9527-e23a38e0b160", "tags": [ @@ -1429,7 +1434,7 @@ "type": "mitigates" }, { - "dest-uuid": "667e5707-3843-4da8-bd34-88b922526f0d", + "dest-uuid": "e8b4e1ec-8e3b-484c-9038-4459b1ed8060", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -1441,6 +1446,76 @@ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "mitigates" + }, + { + "dest-uuid": "1b51f5bc-b97a-498a-8dbd-bc6b1901bf19", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "3dd58c80-4c2e-458c-9503-1b2cd273c4d2", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "8f0e39c6-82c9-41ec-9f93-5696c0f2e274", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "82f04b1e-5371-4a6f-be06-411f0f43b483", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "fd339382-bfec-4bf0-8d47-1caedc9e7e57", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "351c0927-2fc1-4a2c-ad84-cbbee7eb8172", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "dfe29258-ce59-421c-9dee-e85cb9fa90cd", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "ef771e03-e080-43b4-a619-ac6f84899884", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "88932a8c-3a17-406f-9431-1da3ff19f6d6", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "667e5707-3843-4da8-bd34-88b922526f0d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" } ], "uuid": "0beabf44-e8d8-4ae4-9122-ef56369a2564", @@ -1682,7 +1757,7 @@ "value": "Graphical User Interface Mitigation - T1061" }, { - "description": "Grant access to application deployment systems only to a limited number of authorized administrators. Ensure proper system and access isolation for critical network systems through use of firewalls, account privilege separation, group policy, and multifactor authentication. Verify that account credentials that may be used to access deployment systems are unique and not used throughout the enterprise network. Patch deployment systems regularly to prevent potential remote access through [Exploitation of Vulnerability](https://attack.mitre.org/techniques/T1068). \n\nIf the application deployment system can be configured to deploy only signed binaries, then ensure that the trusted signing certificates are not co-located with the application deployment system and are instead located on a system that cannot be accessed remotely or to which remote access is tightly controlled.", + "description": "Grant access to application deployment systems only to a limited number of authorized administrators. Ensure proper system and access isolation for critical network systems through use of firewalls, account privilege separation, group policy, and multifactor authentication. Verify that account credentials that may be used to access deployment systems are unique and not used throughout the enterprise network. Patch deployment systems regularly to prevent potential remote access through [Exploitation for Privilege Escalation](https://attack.mitre.org/techniques/T1068). \n\nIf the application deployment system can be configured to deploy only signed binaries, then ensure that the trusted signing certificates are not co-located with the application deployment system and are instead located on a system that cannot be accessed remotely or to which remote access is tightly controlled.", "meta": { "external_id": "T1017", "refs": [ @@ -1748,7 +1823,7 @@ "value": "Remote System Discovery Mitigation - T1018" }, { - "description": "Identify or block potentially malicious software that may contain abusive functionality by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP). These mechanisms can also be used to disable and/or limit user access to Windows utilities used to invoke execution.", + "description": "Identify or block potentially malicious software that may contain abusive functionality by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP). These mechanisms can also be used to disable and/or limit user access to Windows utilities and file types/locations used to invoke malicious execution.(Citation: SpectorOPs SettingContent-ms Jun 2018)", "meta": { "external_id": "T1202", "refs": [ @@ -1757,7 +1832,8 @@ "http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html", "https://www.iad.gov/iad/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm", "http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx", - "https://technet.microsoft.com/en-us/library/ee791851.aspx" + "https://technet.microsoft.com/en-us/library/ee791851.aspx", + "https://posts.specterops.io/the-tale-of-settingcontent-ms-files-f1ea253e4d39" ] }, "related": [ @@ -1834,6 +1910,31 @@ "uuid": "a569295c-a093-4db4-9fb4-7105edef85ad", "value": "Custom Cryptographic Protocol Mitigation - T1024" }, + { + "description": "This type of technique cannot be easily mitigated with preventive controls or patched since it is based on the abuse of operating system design features. For example, blocking all file compilation may have unintended side effects, such as preventing legitimate OS frameworks and code development mechanisms from operating properly. Consider removing compilers if not needed, otherwise efforts should be focused on preventing adversary tools from running earlier in the chain of activity and on identifying subsequent malicious behavior.\n\nIdentify unnecessary system utilities or potentially malicious software that may be used to decrypt, deobfuscate, decode, and compile files or information, and audit and/or block them by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)", + "meta": { + "external_id": "T1502", + "refs": [ + "https://attack.mitre.org/techniques/T1502", + "http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599", + "http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html", + "https://www.iad.gov/iad/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm", + "http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx", + "https://technet.microsoft.com/en-us/library/ee791851.aspx" + ] + }, + "related": [ + { + "dest-uuid": "cf7b3a06-8b42-4c33-bbe9-012120027925", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], + "uuid": "ae56a49d-5281-45c5-ab95-70a1439c338e", + "value": "Compile After Delivery Mitigation - T1502" + }, { "description": "Identify unnecessary system utilities or potentially malicious software that may be used to acquire information about the operating system and underlying hardware, and audit and/or block them by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)", "meta": { @@ -1972,6 +2073,32 @@ "uuid": "ba2ec548-fb75-4b8c-88d6-d91a77a943cf", "value": "Windows Management Instrumentation Mitigation - T1047" }, + { + "description": "Consider technical controls to prevent the disabling of services or deletion of files involved in system recovery. \n\nConsider implementing IT disaster recovery plans that contain procedures for taking regular data backups that can be used to restore organizational data.(Citation: Ready.gov IT DRP) Ensure backups are stored off system and is protected from common methods adversaries may use to gain access and destroy the backups to prevent recovery.\n\nIdentify potentially malicious software and audit and/or block it by using whitelisting(Citation: Beechey 2010) tools, like AppLocker,(Citation: Windows Commands JPCERT)(Citation: NSA MS AppLocker) or Software Restriction Policies(Citation: Corio 2008) where appropriate.(Citation: TechNet Applocker vs SRP)", + "meta": { + "external_id": "T1490", + "refs": [ + "https://attack.mitre.org/techniques/T1490", + "https://www.ready.gov/business/implementation/IT", + "http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599", + "http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html", + "https://www.iad.gov/iad/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm", + "http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx", + "https://technet.microsoft.com/en-us/library/ee791851.aspx" + ] + }, + "related": [ + { + "dest-uuid": "f5d8eed6-48a9-4cdf-a3d7-d1ffa99c3d2a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], + "uuid": "bb25b897-bfc7-4128-839d-52e9764dbfa6", + "value": "Inhibit System Recovery Mitigation - T1490" + }, { "description": "Properly configure firewalls and proxies to limit outgoing traffic to only necessary ports. \n\nNetwork intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate activity at the network level. Signatures are often for unique indicators within protocols and may be based on the specific protocol used by a particular adversary or tool, and will likely be different across various malware families and versions. Adversaries will likely change tool C2 signatures over time or construct protocols in such a way as to avoid detection by common defensive tools. (Citation: University of Birmingham C2)", "meta": { @@ -1998,7 +2125,8 @@ "meta": { "external_id": "T1075", "refs": [ - "https://attack.mitre.org/techniques/T1075" + "https://attack.mitre.org/techniques/T1075", + "https://github.com/iadgov/Secure-Host-Baseline/blob/master/Windows/Group%20Policy%20Templates/en-US/SecGuide.adml" ] }, "related": [ @@ -2384,14 +2512,16 @@ "value": "Network Share Discovery Mitigation - T1135" }, { - "description": "Follow Office macro security best practices suitable for your environment. Disable Office VBA macros from executing. Even setting to disable with notification could enable unsuspecting users to execute potentially malicious macros. (Citation: TechNet Office Macro Security)\n\nFor the Office Test method, create the Registry key used to execute it and set the permissions to \"Read Control\" to prevent easy access to the key without administrator permissions or requiring Privilege Escalation. (Citation: Palo Alto Office Test Sofacy)\n\nDisable Office add-ins. If they are required, follow best practices for securing them by requiring them to be signed and disabling user notification for allowing add-ins. For some add-ins types (WLL, VBA) additional mitigation is likely required as disabling add-ins in the Office Trust Center does not disable WLL nor does it prevent VBA code from executing. (Citation: MRWLabs Office Persistence Add-ins)", + "description": "Follow Office macro security best practices suitable for your environment. Disable Office VBA macros from executing. Even setting to disable with notification could enable unsuspecting users to execute potentially malicious macros. (Citation: TechNet Office Macro Security)\n\nFor the Office Test method, create the Registry key used to execute it and set the permissions to \"Read Control\" to prevent easy access to the key without administrator permissions or requiring Privilege Escalation. (Citation: Palo Alto Office Test Sofacy)\n\nDisable Office add-ins. If they are required, follow best practices for securing them by requiring them to be signed and disabling user notification for allowing add-ins. For some add-ins types (WLL, VBA) additional mitigation is likely required as disabling add-ins in the Office Trust Center does not disable WLL nor does it prevent VBA code from executing. (Citation: MRWLabs Office Persistence Add-ins)\n\nFor the Outlook methods, blocking macros may be ineffective as the Visual Basic engine used for these features is separate from the macro scripting engine.(Citation: SensePost Outlook Forms) Microsoft has released patches to try to address each issue. Ensure KB3191938 which blocks Outlook Visual Basic and displays a malicious code warning, KB4011091 which disables custom forms by default, and KB4011162 which removes the legacy Home Page feature, are applied to systems.(Citation: SensePost Outlook Home Page)", "meta": { "external_id": "T1137", "refs": [ "https://attack.mitre.org/techniques/T1137", + "https://blogs.technet.microsoft.com/mmpc/2016/03/22/new-feature-in-office-2016-can-block-macros-and-help-prevent-infection/", "https://researchcenter.paloaltonetworks.com/2016/07/unit42-technical-walkthrough-office-test-persistence-method-used-in-recent-sofacy-attacks/", "https://labs.mwrinfosecurity.com/blog/add-in-opportunities-for-office-persistence/", - "https://blogs.technet.microsoft.com/mmpc/2016/03/22/new-feature-in-office-2016-can-block-macros-and-help-prevent-infection/" + "https://sensepost.com/blog/2017/outlook-forms-and-shells/", + "https://sensepost.com/blog/2017/outlook-home-page-another-ruler-vector/" ] }, "related": [ @@ -2407,18 +2537,18 @@ "value": "Office Application Startup Mitigation - T1137" }, { - "description": "Registry keys specific to Microsoft Office feature control security can be set to disable automatic DDE/OLE execution. (Citation: Microsoft DDE Advisory Nov 2017) (Citation: BleepingComputer DDE Disabled in Word Dec 2017) (Citation: GitHub Disable DDEAUTO Oct 2017) Microsoft also created Registry keys to completely disable DDE execution in Word and Excel. (Citation: Microsoft ADV170021 Dec 2017)\n\nEnsure Protected View is enabled (Citation: Microsoft Protected View) and consider disabling embedded files in Office programs, such as OneNote, not enrolled in Protected View. (Citation: Enigma Reviving DDE Jan 2018) (Citation: GitHub Disable DDEAUTO Oct 2017)\n\nOn Windows 10, enable Attack Surface Reduction (ASR) rules to prevent DDE attacks and spawning of child processes from Office programs. (Citation: Microsoft ASR Nov 2017) (Citation: Enigma Reviving DDE Jan 2018)", + "description": "Registry keys specific to Microsoft Office feature control security can be set to disable automatic DDE/OLE execution. (Citation: Microsoft DDE Advisory Nov 2017) (Citation: BleepingComputer DDE Disabled in Word Dec 2017) (Citation: GitHub Disable DDEAUTO Oct 2017) Microsoft also created, and enabled by default, Registry keys to completely disable DDE execution in Word and Excel. (Citation: Microsoft ADV170021 Dec 2017)\n\nEnsure Protected View is enabled (Citation: Microsoft Protected View) and consider disabling embedded files in Office programs, such as OneNote, not enrolled in Protected View. (Citation: Enigma Reviving DDE Jan 2018) (Citation: GitHub Disable DDEAUTO Oct 2017)\n\nOn Windows 10, enable Attack Surface Reduction (ASR) rules to prevent DDE attacks and spawning of child processes from Office programs. (Citation: Microsoft ASR Nov 2017) (Citation: Enigma Reviving DDE Jan 2018)", "meta": { "external_id": "T1173", "refs": [ "https://attack.mitre.org/techniques/T1173", "https://technet.microsoft.com/library/security/4053440", - "https://support.office.com/en-us/article/What-is-Protected-View-d6f09ac7-e6b9-4495-8e43-2bbcdbcb6653", "https://www.bleepingcomputer.com/news/microsoft/microsoft-disables-dde-feature-in-word-to-prevent-further-malware-attacks/", "https://gist.github.com/wdormann/732bb88d9b5dd5a66c9f1e1498f31a1b", + "https://portal.msrc.microsoft.com/security-guidance/advisory/ADV170021", + "https://support.office.com/en-us/article/What-is-Protected-View-d6f09ac7-e6b9-4495-8e43-2bbcdbcb6653", "https://posts.specterops.io/reviving-dde-using-onenote-and-excel-for-code-execution-d7226864caee", - "https://docs.microsoft.com/windows/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction", - "https://portal.msrc.microsoft.com/security-guidance/advisory/ADV170021" + "https://docs.microsoft.com/windows/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction" ] }, "related": [ @@ -2496,13 +2626,14 @@ "value": "Spearphishing via Service Mitigation - T1194" }, { - "description": "Apply supply chain risk management (SCRM) practices and procedures (Citation: MITRE SE Guide 2014), such as supply chain analysis and appropriate risk management, throughout the life-cycle of a system.\n\nLeverage established software development lifecycle (SDLC) practices (Citation: NIST Supply Chain 2012): \n\n* Uniquely Identify Supply Chain Elements, Processes, and Actors\n* Limit Access and Exposure within the Supply Chain\n* Establish and Maintain the Provenance of Elements, Processes, Tools, and Data\n* Share Information within Strict Limits\n* Perform SCRM Awareness and Training\n* Use Defensive Design for Systems, Elements, and Processes\n* Perform Continuous Integrator Review\n* Strengthen Delivery Mechanisms\n* Assure Sustainment Activities and Processes\n* Manage Disposal and Final Disposition Activities throughout the System or Element Life Cycle", + "description": "Apply supply chain risk management (SCRM) practices and procedures (Citation: MITRE SE Guide 2014), such as supply chain analysis and appropriate risk management, throughout the life-cycle of a system.\n\nLeverage established software development lifecycle (SDLC) practices (Citation: NIST Supply Chain 2012): \n\n* Uniquely Identify Supply Chain Elements, Processes, and Actors\n* Limit Access and Exposure within the Supply Chain\n* Establish and Maintain the Provenance of Elements, Processes, Tools, and Data\n* Share Information within Strict Limits\n* Perform SCRM Awareness and Training\n* Use Defensive Design for Systems, Elements, and Processes\n* Perform Continuous Integrator Review\n* Strengthen Delivery Mechanisms\n* Assure Sustainment Activities and Processes\n* Manage Disposal and Final Disposition Activities throughout the System or Element Life Cycle\n\nA patch management process should be implemented to check unused dependencies, unmaintained and/or previously vulnerable dependencies, unnecessary features, components, files, and documentation. Continuous monitoring of vulnerability sources and the use of automatic and manual code review tools should also be implemented as well. (Citation: OWASP Top 10 2017)", "meta": { "external_id": "T1195", "refs": [ "https://attack.mitre.org/techniques/T1195", "https://www.mitre.org/sites/default/files/publications/se-guide-book-interactive.pdf", - "http://dx.doi.org/10.6028/NIST.IR.7622" + "http://dx.doi.org/10.6028/NIST.IR.7622", + "https://www.owasp.org/images/7/72/OWASP_Top_10-2017_%28en%29.pdf.pdf" ] }, "related": [ @@ -2623,12 +2754,150 @@ "value": "Compiled HTML File Mitigation - T1223" }, { - "description": "Disable LLMNR and NetBIOS in local computer security settings or by group policy if they are not needed within an environment. (Citation: ADSecurity Windows Secure Baseline)\n\nUse host-based security software to block LLMNR/NetBIOS traffic.", + "description": "Map the trusts within existing domains/forests and keep trust relationships to a minimum. Employ network segmentation for sensitive domains.(Citation: Harmj0y Domain Trusts)", + "meta": { + "external_id": "T1482", + "refs": [ + "https://attack.mitre.org/techniques/T1482", + "http://www.harmj0y.net/blog/redteaming/a-guide-to-attacking-domain-trusts/ " + ] + }, + "related": [ + { + "dest-uuid": "767dbf9e-df3f-45cb-8998-4903ab5f80c0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], + "uuid": "159b4ee4-8fa1-44a5-b095-2973f3c7e25e", + "value": "Domain Trust Discovery Mitigation - T1482" + }, + { + "description": "Identify critical business and system processes that may be targeted by adversaries and work to secure the data related to those processes against tampering. least privilege principles are applied to important information resources to reduce exposure to data manipulation risk. Consider encrypting important information to reduce an adversaries ability to perform tailor data modifications. Where applicable, examine using file monitoring software to check integrity on important files and directories as well as take corrective actions when unauthorized changes are detected. \n\nConsider implementing IT disaster recovery plans that contain procedures for taking regular data backups that can be used to restore organizational data.(Citation: Ready.gov IT DRP) Ensure backups are stored off system and is protected from common methods adversaries may use to gain access and manipulate backups.", + "meta": { + "external_id": "T1492", + "refs": [ + "https://attack.mitre.org/techniques/T1492", + "https://www.ready.gov/business/implementation/IT" + ] + }, + "related": [ + { + "dest-uuid": "0bf78622-e8d2-41da-a857-731472d61a92", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], + "uuid": "e9362d25-4427-446b-99e8-b8f0c3b86615", + "value": "Stored Data Manipulation Mitigation - T1492" + }, + { + "description": "This technique may be difficult to mitigate since the domains can be registered just before they are used, and disposed shortly after. Malware researchers can reverse-engineer malware variants that use DGAs and determine future domains that the malware will attempt to contact, but this is a time and resource intensive effort.(Citation: Cybereason Dissecting DGAs)(Citation: Cisco Umbrella DGA Brute Force) Malware is also increasingly incorporating seed values that can be unique for each instance, which would then need to be determined to extract future generated domains. In some cases, the seed that a particular sample uses can be extracted from DNS traffic.(Citation: Akamai DGA Mitigation) Even so, there can be thousands of possible domains generated per day; this makes it impractical for defenders to preemptively register all possible C2 domains due to the cost. In some cases a local DNS sinkhole may be used to help prevent DGA-based command and control at a reduced cost.\n\nNetwork intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate activity at the network level. Signatures are often for unique indicators within protocols and may be based on the specific protocol used by a particular adversary or tool, and will likely be different across various malware families and versions. Adversaries will likely change tool C2 signatures over time or construct protocols in such a way as to avoid detection by common defensive tools. (Citation: University of Birmingham C2)", + "meta": { + "external_id": "T1483", + "refs": [ + "https://attack.mitre.org/techniques/T1483", + "http://go.cybereason.com/rs/996-YZT-709/images/Cybereason-Lab-Analysis-Dissecting-DGAs-Eight-Real-World-DGA-Variants.pdf", + "https://umbrella.cisco.com/blog/2015/02/18/at-high-noon-algorithms-do-battle/", + "https://blogs.akamai.com/2018/01/a-death-match-of-domain-generation-algorithms.html", + "https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf" + ] + }, + "related": [ + { + "dest-uuid": "54456690-84de-4538-9101-643e26437e09", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], + "uuid": "3bd2cf87-1ceb-4317-9aee-3e7dc713261b", + "value": "Domain Generation Algorithms Mitigation - T1483" + }, + { + "description": "Identify critical business and system processes that may be targeted by adversaries and work to secure communications related to those processes against tampering. Encrypt all important data flows to reduce the impact of tailored modifications on data in transit.", + "meta": { + "external_id": "T1493", + "refs": [ + "https://attack.mitre.org/techniques/T1493" + ] + }, + "related": [ + { + "dest-uuid": "cc1e737c-236c-4e3b-83ba-32039a626ef8", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], + "uuid": "245075bc-f992-4d89-af8c-834c53d403f4", + "value": "Transmitted Data Manipulation Mitigation - T1493" + }, + { + "description": "Identify and correct GPO permissions abuse opportunities (ex: GPO modification privileges) using auditing tools such as Bloodhound (version 1.5.1 and later)(Citation: GitHub Bloodhound).\n\nConsider implementing WMI and security filtering to further tailor which users and computers a GPO will apply to.(Citation: Wald0 Guide to GPOs)(Citation: Microsoft WMI Filters)(Citation: Microsoft GPO Security Filtering)", + "meta": { + "external_id": "T1484", + "refs": [ + "https://attack.mitre.org/techniques/T1484", + "https://github.com/BloodHoundAD/BloodHound", + "https://wald0.com/?p=179", + "https://blogs.technet.microsoft.com/askds/2008/09/11/fun-with-wmi-filters-in-group-policy/", + "https://docs.microsoft.com/en-us/previous-versions/windows/desktop/Policy/filtering-the-scope-of-a-gpo" + ] + }, + "related": [ + { + "dest-uuid": "ebb42bbe-62d7-47d7-a55f-3b08b61d792d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], + "uuid": "2108b914-eee1-45cc-8840-36272b19596a", + "value": "Group Policy Modification Mitigation - T1484" + }, + { + "description": "Identify critical business and system processes that may be targeted by adversaries and work to secure those systems against tampering. Prevent critical business and system processes from being replaced, overwritten, or reconfigured to load potentially malicious code. Identify potentially malicious software and audit and/or block it by using whitelisting(Citation: Beechey 2010) tools, like AppLocker,(Citation: Windows Commands JPCERT)(Citation: NSA MS AppLocker) or Software Restriction Policies(Citation: Corio 2008) where appropriate.(Citation: TechNet Applocker vs SRP)", + "meta": { + "external_id": "T1494", + "refs": [ + "https://attack.mitre.org/techniques/T1494", + "http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599", + "http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html", + "https://www.iad.gov/iad/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm", + "http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx", + "https://technet.microsoft.com/en-us/library/ee791851.aspx" + ] + }, + "related": [ + { + "dest-uuid": "ca205a36-c1ad-488b-aa6c-ab34bdd3a36b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], + "uuid": "337172b1-b003-4034-8a3f-1d89a71da628", + "value": "Runtime Data Manipulation Mitigation - T1494" + }, + { + "description": "Disable LLMNR and NetBIOS in local computer security settings or by group policy if they are not needed within an environment. (Citation: ADSecurity Windows Secure Baseline)\n\nUse host-based security software to block LLMNR/NetBIOS traffic. Enabling SMB Signing can stop NTLMv2 relay attacks.(Citation: byt3bl33d3r NTLM Relaying)(Citation: Secure Ideas SMB Relay)(Citation: Microsoft SMB Packet Signing)", "meta": { "external_id": "T1171", "refs": [ "https://attack.mitre.org/techniques/T1171", - "https://adsecurity.org/?p=3299" + "https://adsecurity.org/?p=3299", + "https://byt3bl33d3r.github.io/practical-guide-to-ntlm-relaying-in-2017-aka-getting-a-foothold-in-under-5-minutes.html", + "https://blog.secureideas.com/2018/04/ever-run-a-relay-why-smb-relays-should-be-on-your-mind.html", + "https://docs.microsoft.com/en-us/previous-versions/system-center/operations-manager-2005/cc180803(v=technet.10)" ] }, "related": [ @@ -2665,7 +2934,7 @@ "value": "Multi-Stage Channels Mitigation - T1104" }, { - "description": "Evaluate the security of third-party software that could be used to deploy or execute programs. Ensure that access to management systems for deployment systems is limited, monitored, and secure. Have a strict approval policy for use of deployment systems.\n\nGrant access to application deployment systems only to a limited number of authorized administrators. Ensure proper system and access isolation for critical network systems through use of firewalls, account privilege separation, group policy, and multifactor authentication. Verify that account credentials that may be used to access deployment systems are unique and not used throughout the enterprise network. Patch deployment systems regularly to prevent potential remote access through [Exploitation of Vulnerability](https://attack.mitre.org/techniques/T1068). \n\nIf the application deployment system can be configured to deploy only signed binaries, then ensure that the trusted signing certificates are not co-located with the application deployment system and are instead located on a system that cannot be accessed remotely or to which remote access is tightly controlled.", + "description": "Evaluate the security of third-party software that could be used to deploy or execute programs. Ensure that access to management systems for deployment systems is limited, monitored, and secure. Have a strict approval policy for use of deployment systems.\n\nGrant access to application deployment systems only to a limited number of authorized administrators. Ensure proper system and access isolation for critical network systems through use of firewalls, account privilege separation, group policy, and multifactor authentication. Verify that account credentials that may be used to access deployment systems are unique and not used throughout the enterprise network. Patch deployment systems regularly to prevent potential remote access through [Exploitation for Privilege Escalation](https://attack.mitre.org/techniques/T1068). \n\nIf the application deployment system can be configured to deploy only signed binaries, then ensure that the trusted signing certificates are not co-located with the application deployment system and are instead located on a system that cannot be accessed remotely or to which remote access is tightly controlled.", "meta": { "external_id": "T1072", "refs": [ @@ -2819,6 +3088,26 @@ "uuid": "7a4d0054-53cd-476f-88af-955dddc80ee0", "value": "Drive-by Compromise Mitigation - T1189" }, + { + "description": "Mitigation of this technique with preventative controls may impact the adversary's decision process depending on what they're looking for, how they use the information, and what their objectives are. Since it may be difficult to mitigate all aspects of information that could be gathered, efforts should be focused on preventing adversary tools from running earlier in the chain of activity and on identifying subsequent malicious behavior if compromised.", + "meta": { + "external_id": "T1497", + "refs": [ + "https://attack.mitre.org/techniques/T1497" + ] + }, + "related": [ + { + "dest-uuid": "82caa33e-d11a-433a-94ea-9b5a5fbef81d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], + "uuid": "c4585911-6ecf-47b6-aa6b-a2bae30fd3f7", + "value": "Virtualization/Sandbox Evasion Mitigation - T1497" + }, { "description": "Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate activity at the network level. Signatures are often for unique indicators within protocols and may be based on the specific obfuscation technique used by a particular adversary or tool, and will likely be different across various malware families and versions. Adversaries will likely change tool C2 signatures over time or construct protocols in such a way as to avoid detection by common defensive tools. (Citation: University of Birmingham C2)", "meta": { @@ -2841,7 +3130,7 @@ "value": "Data Obfuscation Mitigation - T1001" }, { - "description": "Ensure that externally facing Web servers are patched regularly to prevent adversary access through [Exploitation of Vulnerability](https://attack.mitre.org/techniques/T1068) to gain remote code access or through file inclusion weaknesses that may allow adversaries to upload files or scripts that are automatically served as Web pages. \n\nAudit account and group permissions to ensure that accounts used to manage servers do not overlap with accounts and permissions of users in the internal network that could be acquired through Credential Access and used to log into the Web server and plant a Web shell or pivot from the Web server into the internal network. (Citation: US-CERT Alert TA15-314A Web Shells)", + "description": "Ensure that externally facing Web servers are patched regularly to prevent adversary access through [Exploitation for Privilege Escalation](https://attack.mitre.org/techniques/T1068) to gain remote code access or through file inclusion weaknesses that may allow adversaries to upload files or scripts that are automatically served as Web pages. \n\nAudit account and group permissions to ensure that accounts used to manage servers do not overlap with accounts and permissions of users in the internal network that could be acquired through Credential Access and used to log into the Web server and plant a Web shell or pivot from the Web server into the internal network. (Citation: US-CERT Alert TA15-314A Web Shells)", "meta": { "external_id": "T1100", "refs": [ @@ -3119,13 +3408,6 @@ ], "type": "mitigates" }, - { - "dest-uuid": "fb3fa94a-3aee-4ab0-b7e7-abdf0a51286d", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - }, { "dest-uuid": "a5de0540-73e7-4c67-96da-4143afedc7ed", "tags": [ @@ -3133,20 +3415,6 @@ ], "type": "mitigates" }, - { - "dest-uuid": "f58cd69a-e548-478b-9248-8a9af881dc34", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - }, - { - "dest-uuid": "d731c21e-f27d-4756-b418-0e2aaabd6d63", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - }, { "dest-uuid": "633baf01-6de4-4963-bb54-ff6c6357bed3", "tags": [ @@ -3154,23 +3422,45 @@ ], "type": "mitigates" }, + { + "dest-uuid": "f58cd69a-e548-478b-9248-8a9af881dc34", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, { "dest-uuid": "3b0b604f-10db-41a0-b54c-493124d455b9", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "mitigates" + }, + { + "dest-uuid": "d731c21e-f27d-4756-b418-0e2aaabd6d63", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "fb3fa94a-3aee-4ab0-b7e7-abdf0a51286d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" } ], "uuid": "8220b57e-c400-4525-bf69-f8edc6b389a8", "value": "Encrypt Network Traffic - M1009" }, { - "description": "Set account lockout policies after a certain number of failed login attempts to prevent passwords from being guessed. Use multifactor authentication. Follow best practices for mitigating access to [Valid Accounts](https://attack.mitre.org/techniques/T1078)", + "description": "Set account lockout policies after a certain number of failed login attempts to prevent passwords from being guessed. \nToo strict a policy can create a denial of service condition and render environments un-usable, with all accounts being locked-out permanently. Use multifactor authentication. Follow best practices for mitigating access to [Valid Accounts](https://attack.mitre.org/techniques/T1078)\n\nRefer to NIST guidelines when creating passwords.(Citation: NIST 800-63-3)\n\nWhere possible, also enable multi factor authentication on external facing services.", "meta": { "external_id": "T1110", "refs": [ - "https://attack.mitre.org/techniques/T1110" + "https://attack.mitre.org/techniques/T1110", + "https://pages.nist.gov/800-63-3/sp800-63b.html" ] }, "related": [ @@ -3362,6 +3652,26 @@ "uuid": "2d704e56-e689-4011-b989-bf4e025a8727", "value": "Plist Modification Mitigation - T1150" }, + { + "description": "The creation and modification of systemd service unit files is generally reserved for administrators such as the Linux root user and other users with superuser privileges. Limit user access to system utilities such as systemctl to only users who have a legitimate need. Restrict read/write access to systemd unit files to only select privileged users who have a legitimate need to manage system services. Additionally, the installation of software commonly adds and changes systemd service unit files. Restrict software installation to trusted repositories only and be cautious of orphaned software packages. Utilize malicious code protection and application whitelisting to mitigate the ability of malware to create or modify systemd services. ", + "meta": { + "external_id": "T1501", + "refs": [ + "https://attack.mitre.org/techniques/T1501" + ] + }, + "related": [ + { + "dest-uuid": "0fff2797-19cb-41ea-a5f1-8a9303b8158e", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], + "uuid": "83130e62-bca6-4a81-bd4b-8e233bd49db6", + "value": "Systemd Service Mitigation - T1501" + }, { "description": "Networks that allow for open development and testing of Web content and allow users to set up their own Web servers on the enterprise network may be particularly vulnerable if the systems and Web servers are not properly secured to limit privileged account use, unauthenticated network share access, and network/system isolation.\n\nEnsure proper permissions on directories that are accessible through a Web server. Disallow remote access to the webroot or other directories used to serve Web content. Disable execution on directories within the webroot. Ensure that permissions of the Web server process are only what is required by not using built-in accounts; instead, create specific accounts to limit unnecessary access or permissions overlap across multiple systems. (Citation: acunetix Server Secuirty) (Citation: NIST Server Security July 2008)", "meta": { @@ -3872,6 +4182,26 @@ "uuid": "4320b080-9ae9-4541-9b8b-bcd0961dbbbd", "value": "Data Staged Mitigation - T1074" }, + { + "description": "This technique likely should not be mitigated with preventative controls because it may protect unintended targets from being compromised. If targeted, efforts should be focused on preventing adversary tools from running earlier in the chain of activity and on identifying subsequent malicious behavior if compromised.", + "meta": { + "external_id": "T1480", + "refs": [ + "https://attack.mitre.org/techniques/T1480" + ] + }, + "related": [ + { + "dest-uuid": "853c4192-4311-43e1-bfbb-b11b14911852", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], + "uuid": "c61e2da1-f51f-424c-b152-dc930d4f2e70", + "value": "Environmental Keying Mitigation - T1480" + }, { "description": "This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of operating system design features. For example, mitigating specific Windows API calls will likely have unintended side effects, such as preventing legitimate software (i.e., security products) from operating properly. Efforts should be focused on preventing adversary tools from running earlier in the chain of activity and on identification of subsequent malicious behavior. (Citation: GDSecurity Linux injection)\n\nIdentify or block potentially malicious software that may contain process injection functionality by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)\n\nUtilize Yama (Citation: Linux kernel Yama) to mitigate ptrace based process injection by restricting the use of ptrace to privileged users only. Other mitigation controls involve the deployment of security kernel modules that provide advanced access control and process restrictions such as SELinux (Citation: SELinux official), grsecurity (Citation: grsecurity official), and AppAmour (Citation: AppArmor official).", "meta": { @@ -3979,14 +4309,15 @@ "value": "Account Discovery Mitigation - T1087" }, { - "description": "Take measures to detect or prevent techniques such as [Credential Dumping](https://attack.mitre.org/techniques/T1003) or installation of keyloggers to acquire credentials through [Input Capture](https://attack.mitre.org/techniques/T1056). Limit credential overlap across systems to prevent access if account credentials are obtained. Ensure that local administrator accounts have complex, unique passwords across all systems on the network. Do not put user or admin domain accounts in the local administrator groups across systems unless they are tightly controlled and use of accounts is segmented, as this is often equivalent to having a local administrator account with the same password on all systems. Follow best practices for design and administration of an enterprise network to limit privileged account use across administrative tiers. (Citation: Microsoft Securing Privileged Access). Audit domain and local accounts as well as their permission levels routinely to look for situations that could allow an adversary to gain wide access by obtaining credentials of a privileged account. (Citation: TechNet Credential Theft) (Citation: TechNet Least Privilege)", + "description": "Take measures to detect or prevent techniques such as [Credential Dumping](https://attack.mitre.org/techniques/T1003) or installation of keyloggers to acquire credentials through [Input Capture](https://attack.mitre.org/techniques/T1056). Limit credential overlap across systems to prevent access if account credentials are obtained. Ensure that local administrator accounts have complex, unique passwords across all systems on the network. Do not put user or admin domain accounts in the local administrator groups across systems unless they are tightly controlled and use of accounts is segmented, as this is often equivalent to having a local administrator account with the same password on all systems. \n\nFollow best practices for design and administration of an enterprise network to limit privileged account use across administrative tiers. (Citation: Microsoft Securing Privileged Access) \n\nAudit domain and local accounts as well as their permission levels routinely to look for situations that could allow an adversary to gain wide access by obtaining credentials of a privileged account. (Citation: TechNet Credential Theft) (Citation: TechNet Least Privilege) These audits should also include if default accounts have been enabled, or if new local accounts are created that have not be authorized. \n\nApplications and appliances that utilize default username and password should be changed immediately after the installation, and before deployment to a production environment. (Citation: US-CERT Alert TA13-175A Risks of Default Passwords on the Internet) When possible, applications that use SSH keys should be updated periodically and properly secured. ", "meta": { "external_id": "T1078", "refs": [ "https://attack.mitre.org/techniques/T1078", + "https://docs.microsoft.com/en-us/windows-server/identity/securing-privileged-access/securing-privileged-access-reference-material#a-nameesaebmaesae-administrative-forest-design-approach", "https://technet.microsoft.com/en-us/library/dn535501.aspx", "https://technet.microsoft.com/en-us/library/dn487450.aspx", - "https://docs.microsoft.com/en-us/windows-server/identity/securing-privileged-access/securing-privileged-access-reference-material#a-nameesaebmaesae-administrative-forest-design-approach" + "https://www.us-cert.gov/ncas/alerts/TA13-175A" ] }, "related": [ @@ -4140,7 +4471,7 @@ "value": "Email Collection Mitigation - T1114" }, { - "description": "Users need to be trained to know which programs ask for permission and why. Follow mitigation recommendations for [AppleScript](https://attack.mitre.org/techniques/T1155).", + "description": "This technique exploits users' tendencies to always supply credentials when prompted, which makes it very difficult to mitigate. Use user training as a way to bring awareness and raise suspicion for potentially malicious events (ex: Office documents prompting for credentials).", "meta": { "external_id": "T1141", "refs": [ @@ -4632,6 +4963,27 @@ "uuid": "6e7db820-9735-4545-bc64-039bc4ce354b", "value": "LC_MAIN Hijacking Mitigation - T1149" }, + { + "description": "Implementing best practices for websites such as defending against [Exploit Public-Facing Application](https://attack.mitre.org/techniques/T1190) (Citation: OWASP Top 10 2017). Consider implementing IT disaster recovery plans that contain procedures for taking regular data backups that can be used to restore organizational data. (Ready.gov IT DRP) Ensure backups are stored off system and is protected from common methods adversaries may use to gain access and destroy the backups to prevent recovery.", + "meta": { + "external_id": "T1491", + "refs": [ + "https://attack.mitre.org/techniques/T1491", + "https://www.owasp.org/images/7/72/OWASP_Top_10-2017_%28en%29.pdf.pdf" + ] + }, + "related": [ + { + "dest-uuid": "5909f20f-3c39-4795-be06-ef1ea40d350b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], + "uuid": "5d8507c4-603e-4fe1-8a4a-b8241f58734b", + "value": "Defacement Mitigation - T1491" + }, { "description": "Since StartupItems are deprecated, preventing all users from writing to the /Library/StartupItems directory would prevent any startup items from getting registered. Similarly, appropriate permissions should be applied such that only specific users can edit the startup items so that they can’t be leveraged for privilege escalation.", "meta": { @@ -4827,6 +5179,111 @@ "uuid": "797312d4-8a84-4daf-9c56-57da4133c322", "value": "Trusted Relationship Mitigation - T1199" }, + { + "description": "Prevent adversary access to privileged accounts or access necessary to perform this technique. Check the integrity of the existing BIOS and device firmware to determine if it is vulnerable to modification. Patch the BIOS and other firmware as necessary to prevent successful use of known vulnerabilities. ", + "meta": { + "external_id": "T1495", + "refs": [ + "https://attack.mitre.org/techniques/T1495" + ] + }, + "related": [ + { + "dest-uuid": "f5bb433e-bdf6-4781-84bc-35e97e43be89", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], + "uuid": "70886857-0f19-4caa-b081-548354a8a994", + "value": "Firmware Corruption Mitigation - T1495" + }, + { + "description": "Identify potentially malicious software and audit and/or block it by using whitelisting(Citation: Beechey 2010) tools, like AppLocker,(Citation: Windows Commands JPCERT)(Citation: NSA MS AppLocker) or Software Restriction Policies(Citation: Corio 2008) where appropriate.(Citation: TechNet Applocker vs SRP)", + "meta": { + "external_id": "T1496", + "refs": [ + "https://attack.mitre.org/techniques/T1496", + "http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599", + "http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html", + "https://www.iad.gov/iad/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm", + "http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx", + "https://technet.microsoft.com/en-us/library/ee791851.aspx" + ] + }, + "related": [ + { + "dest-uuid": "cd25c1b4-935c-4f0e-ba8d-552f28bc4783", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], + "uuid": "46acc565-11aa-40ba-b629-33ba0ab9b07b", + "value": "Resource Hijacking Mitigation - T1496" + }, + { + "description": "Consider implementing IT disaster recovery plans that contain procedures for taking regular data backups that can be used to restore organizational data.(Citation: Ready.gov IT DRP) Ensure backups are stored off system and is protected from common methods adversaries may use to gain access and destroy the backups to prevent recovery.\n\nIdentify potentially malicious software and audit and/or block it by using whitelisting(Citation: Beechey 2010) tools, like AppLocker,(Citation: Windows Commands JPCERT)(Citation: NSA MS AppLocker) or Software Restriction Policies(Citation: Corio 2008) where appropriate.(Citation: TechNet Applocker vs SRP)", + "meta": { + "external_id": "T1488", + "refs": [ + "https://attack.mitre.org/techniques/T1488", + "https://www.ready.gov/business/implementation/IT", + "http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599", + "http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html", + "https://www.iad.gov/iad/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm", + "http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx", + "https://technet.microsoft.com/en-us/library/ee791851.aspx" + ] + }, + "related": [ + { + "dest-uuid": "d45a3d09-b3cf-48f4-9f0f-f521ee5cb05c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "2e114e45-2c50-404c-804a-3af9564d240e", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "b82f7d37-b826-4ec9-9391-8e121c78aed7", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], + "uuid": "0b3ee33e-430b-476f-9525-72d120c90f8d", + "value": "Data Destruction Mitigation - T1488" + }, + { + "description": "Ensure proper process, registry, and file permissions are in place to inhibit adversaries from disabling or interfering with critical services. Limit privileges of user accounts and groups so that only authorized administrators can interact with service changes and service configurations. Harden systems used to serve critical network, business, and communications functions. Operate intrusion detection, analysis, and response systems on a separate network from the production environment to lessen the chances that an adversary can see and interfere with critical response functions.", + "meta": { + "external_id": "T1489", + "refs": [ + "https://attack.mitre.org/techniques/T1489" + ] + }, + "related": [ + { + "dest-uuid": "20fb2507-d71c-455d-9b6d-6104461cf26b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], + "uuid": "417fed8c-bd76-48b5-90a2-a88882a95241", + "value": "Service Stop Mitigation - T1489" + }, { "description": "Limit privileges of user accounts so only authorized users can edit the rc.common file.", "meta": { @@ -4848,7 +5305,7 @@ "value": "Rc.common Mitigation - T1163" }, { - "description": "Regsvcs and Regasm may not be necessary within a given environment. Block execution of Regsvcs.exe and Regasm.exe if they are not required for a given system or network to prevent potential misuess by adversaries.", + "description": "Regsvcs and Regasm may not be necessary within a given environment. Block execution of Regsvcs.exe and Regasm.exe if they are not required for a given system or network to prevent potential misuse by adversaries.", "meta": { "external_id": "T1121", "refs": [ @@ -4883,69 +5340,6 @@ ], "type": "mitigates" }, - { - "dest-uuid": "29e07491-8947-43a3-8d4e-9a787c45f3d3", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - }, - { - "dest-uuid": "f1c3d071-0c24-483d-aca0-e8b8496ce468", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - }, - { - "dest-uuid": "b332a960-3c04-495a-827f-f17a5daed3a6", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - }, - { - "dest-uuid": "dfe29258-ce59-421c-9dee-e85cb9fa90cd", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - }, - { - "dest-uuid": "88932a8c-3a17-406f-9431-1da3ff19f6d6", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - }, - { - "dest-uuid": "667e5707-3843-4da8-bd34-88b922526f0d", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - }, - { - "dest-uuid": "2d646840-f6f5-4619-a5a8-29c8316bbac5", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - }, - { - "dest-uuid": "702055ac-4e54-4ae9-9527-e23a38e0b160", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - }, - { - "dest-uuid": "351c0927-2fc1-4a2c-ad84-cbbee7eb8172", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - }, { "dest-uuid": "3b0b604f-10db-41a0-b54c-493124d455b9", "tags": [ @@ -4953,34 +5347,6 @@ ], "type": "mitigates" }, - { - "dest-uuid": "79eec66a-9bd0-4a3f-ac82-19159e94bd44", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - }, - { - "dest-uuid": "a0464539-e1b7-4455-a355-12495987c300", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - }, - { - "dest-uuid": "e8b4e1ec-8e3b-484c-9038-4459b1ed8060", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - }, - { - "dest-uuid": "fd339382-bfec-4bf0-8d47-1caedc9e7e57", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - }, { "dest-uuid": "ef771e03-e080-43b4-a619-ac6f84899884", "tags": [ @@ -4989,7 +5355,21 @@ "type": "mitigates" }, { - "dest-uuid": "46d818a5-67fa-4585-a7fc-ecf15376c8d5", + "dest-uuid": "a0464539-e1b7-4455-a355-12495987c300", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "f1c3d071-0c24-483d-aca0-e8b8496ce468", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "2d646840-f6f5-4619-a5a8-29c8316bbac5", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -5001,6 +5381,83 @@ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "mitigates" + }, + { + "dest-uuid": "b332a960-3c04-495a-827f-f17a5daed3a6", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "fd339382-bfec-4bf0-8d47-1caedc9e7e57", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "29e07491-8947-43a3-8d4e-9a787c45f3d3", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "e8b4e1ec-8e3b-484c-9038-4459b1ed8060", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "702055ac-4e54-4ae9-9527-e23a38e0b160", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "88932a8c-3a17-406f-9431-1da3ff19f6d6", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "dfe29258-ce59-421c-9dee-e85cb9fa90cd", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "79eec66a-9bd0-4a3f-ac82-19159e94bd44", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "667e5707-3843-4da8-bd34-88b922526f0d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "46d818a5-67fa-4585-a7fc-ecf15376c8d5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "351c0927-2fc1-4a2c-ad84-cbbee7eb8172", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" } ], "uuid": "bcecd036-f40e-4916-9f8e-fd0ccf0ece8d", @@ -5023,14 +5480,14 @@ "type": "mitigates" }, { - "dest-uuid": "c5089859-b21f-40a3-8be4-63e381b8b1c0", + "dest-uuid": "667e5707-3843-4da8-bd34-88b922526f0d", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "mitigates" }, { - "dest-uuid": "667e5707-3843-4da8-bd34-88b922526f0d", + "dest-uuid": "c5089859-b21f-40a3-8be4-63e381b8b1c0", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -5057,21 +5514,35 @@ "type": "mitigates" }, { - "dest-uuid": "82f04b1e-5371-4a6f-be06-411f0f43b483", + "dest-uuid": "79eec66a-9bd0-4a3f-ac82-19159e94bd44", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "mitigates" }, { - "dest-uuid": "702055ac-4e54-4ae9-9527-e23a38e0b160", + "dest-uuid": "99e6295e-741b-4857-b6e5-64989eb039b4", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "mitigates" }, { - "dest-uuid": "e8b4e1ec-8e3b-484c-9038-4459b1ed8060", + "dest-uuid": "bd4d32f5-eed4-4018-a649-40b229dd1d69", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "198ce408-1470-45ee-b47f-7056050d4fc2", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "d4536441-1bcc-49fa-80ae-a596ed3f7ffd", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -5084,6 +5555,48 @@ ], "type": "mitigates" }, + { + "dest-uuid": "351c0927-2fc1-4a2c-ad84-cbbee7eb8172", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "d731c21e-f27d-4756-b418-0e2aaabd6d63", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "6683aa0c-d98a-4f5b-ac57-ca7e9934a760", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "62adb627-f647-498e-b4cc-41499361bacb", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "82f04b1e-5371-4a6f-be06-411f0f43b483", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "e8b4e1ec-8e3b-484c-9038-4459b1ed8060", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, { "dest-uuid": "ef771e03-e080-43b4-a619-ac6f84899884", "tags": [ @@ -5091,6 +5604,104 @@ ], "type": "mitigates" }, + { + "dest-uuid": "8f142a25-f6c3-4520-bd50-2ae3ab50ed3e", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "4e6620ac-c30c-4f6d-918e-fa20cae7c1ce", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "8e27551a-5080-4148-a584-c64348212e4f", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "29e07491-8947-43a3-8d4e-9a787c45f3d3", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "d9e88203-2b5d-405f-a406-2933b1e3d7e4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "d9db3d46-66ca-44b4-9daa-1ef97cb7465a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "9d7c32f4-ab39-49dc-8055-8106bc2294a1", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "8f0e39c6-82c9-41ec-9f93-5696c0f2e274", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "3dd58c80-4c2e-458c-9503-1b2cd273c4d2", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "2204c371-6100-4ae0-82f3-25c07c29772a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "702055ac-4e54-4ae9-9527-e23a38e0b160", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "a8c31121-852b-46bd-9ba4-674ae5afe7ad", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "77e30eee-fd48-40b4-99ec-73e97c158b58", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "6c49d50f-494d-4150-b774-a655022d20a6", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, { "dest-uuid": "f981d199-2720-467e-9dc9-eea04dbe05cf", "tags": [ @@ -5105,55 +5716,6 @@ ], "type": "mitigates" }, - { - "dest-uuid": "3b0b604f-10db-41a0-b54c-493124d455b9", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - }, - { - "dest-uuid": "3dd58c80-4c2e-458c-9503-1b2cd273c4d2", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - }, - { - "dest-uuid": "79eec66a-9bd0-4a3f-ac82-19159e94bd44", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - }, - { - "dest-uuid": "77e30eee-fd48-40b4-99ec-73e97c158b58", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - }, - { - "dest-uuid": "d9db3d46-66ca-44b4-9daa-1ef97cb7465a", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - }, - { - "dest-uuid": "99e6295e-741b-4857-b6e5-64989eb039b4", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - }, - { - "dest-uuid": "d731c21e-f27d-4756-b418-0e2aaabd6d63", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - }, { "dest-uuid": "1b51f5bc-b97a-498a-8dbd-bc6b1901bf19", "tags": [ @@ -5162,14 +5724,7 @@ "type": "mitigates" }, { - "dest-uuid": "4e6620ac-c30c-4f6d-918e-fa20cae7c1ce", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - }, - { - "dest-uuid": "bd4d32f5-eed4-4018-a649-40b229dd1d69", + "dest-uuid": "3b0b604f-10db-41a0-b54c-493124d455b9", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -5181,104 +5736,6 @@ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "mitigates" - }, - { - "dest-uuid": "d9e88203-2b5d-405f-a406-2933b1e3d7e4", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - }, - { - "dest-uuid": "9d7c32f4-ab39-49dc-8055-8106bc2294a1", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - }, - { - "dest-uuid": "62adb627-f647-498e-b4cc-41499361bacb", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - }, - { - "dest-uuid": "198ce408-1470-45ee-b47f-7056050d4fc2", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - }, - { - "dest-uuid": "6c49d50f-494d-4150-b774-a655022d20a6", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - }, - { - "dest-uuid": "6683aa0c-d98a-4f5b-ac57-ca7e9934a760", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - }, - { - "dest-uuid": "8e27551a-5080-4148-a584-c64348212e4f", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - }, - { - "dest-uuid": "2204c371-6100-4ae0-82f3-25c07c29772a", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - }, - { - "dest-uuid": "29e07491-8947-43a3-8d4e-9a787c45f3d3", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - }, - { - "dest-uuid": "351c0927-2fc1-4a2c-ad84-cbbee7eb8172", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - }, - { - "dest-uuid": "d4536441-1bcc-49fa-80ae-a596ed3f7ffd", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - }, - { - "dest-uuid": "a8c31121-852b-46bd-9ba4-674ae5afe7ad", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - }, - { - "dest-uuid": "8f0e39c6-82c9-41ec-9f93-5696c0f2e274", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - }, - { - "dest-uuid": "8f142a25-f6c3-4520-bd50-2ae3ab50ed3e", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" } ], "uuid": "1553b156-6767-47f7-9eb4-2a692505666d", @@ -5301,7 +5758,7 @@ "type": "mitigates" }, { - "dest-uuid": "a8c31121-852b-46bd-9ba4-674ae5afe7ad", + "dest-uuid": "6f86d346-f092-4abc-80df-8558a90c426a", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -5314,6 +5771,27 @@ ], "type": "mitigates" }, + { + "dest-uuid": "a8c31121-852b-46bd-9ba4-674ae5afe7ad", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "0c71033e-401e-4b97-9309-7a7c95e43a5d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, + { + "dest-uuid": "cde2cb84-455e-410c-8aa9-086f2788bcd2", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + }, { "dest-uuid": "667e5707-3843-4da8-bd34-88b922526f0d", "tags": [ @@ -5328,13 +5806,6 @@ ], "type": "mitigates" }, - { - "dest-uuid": "cde2cb84-455e-410c-8aa9-086f2788bcd2", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - }, { "dest-uuid": "53263a67-075e-48fa-974b-91c5b5445db7", "tags": [ @@ -5342,20 +5813,6 @@ ], "type": "mitigates" }, - { - "dest-uuid": "0c71033e-401e-4b97-9309-7a7c95e43a5d", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - }, - { - "dest-uuid": "6f86d346-f092-4abc-80df-8558a90c426a", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "mitigates" - }, { "dest-uuid": "537ea573-8a1c-468c-956b-d16d2ed9d067", "tags": [ @@ -5384,14 +5841,14 @@ "type": "mitigates" }, { - "dest-uuid": "667e5707-3843-4da8-bd34-88b922526f0d", + "dest-uuid": "53263a67-075e-48fa-974b-91c5b5445db7", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "mitigates" }, { - "dest-uuid": "dfe29258-ce59-421c-9dee-e85cb9fa90cd", + "dest-uuid": "667e5707-3843-4da8-bd34-88b922526f0d", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -5405,7 +5862,7 @@ "type": "mitigates" }, { - "dest-uuid": "53263a67-075e-48fa-974b-91c5b5445db7", + "dest-uuid": "dfe29258-ce59-421c-9dee-e85cb9fa90cd", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -5469,7 +5926,7 @@ "value": "Rootkit Mitigation - T1014" }, { - "description": "Mshta.exe may not be necessary within a given environment since its functionality is tied to older versions of Internet Explorer which have reached end of life. Use application whitelisting configured to block execution of mshta.exe if it is not required for a given system or network to prevent potential misuse by adversaries.", + "description": "Mshta.exe may not be necessary within a given environment since its functionality is tied to older versions of Internet Explorer that have reached end of life. Use application whitelisting configured to block execution of mshta.exe if it is not required for a given system or network to prevent potential misuse by adversaries.", "meta": { "external_id": "T1170", "refs": [ @@ -5951,5 +6408,5 @@ "value": "Attestation - M1002" } ], - "version": 10 + "version": 12 } diff --git a/clusters/mitre-enterprise-attack-course-of-action.json b/clusters/mitre-enterprise-attack-course-of-action.json index 69a4f2f..2fadd8f 100644 --- a/clusters/mitre-enterprise-attack-course-of-action.json +++ b/clusters/mitre-enterprise-attack-course-of-action.json @@ -973,6 +973,13 @@ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "mitigates" + }, + { + "dest-uuid": "767dbf9e-df3f-45cb-8998-4903ab5f80c0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" } ], "uuid": "16f144e4-c780-4ed2-98b4-55d14e2dfa44", @@ -3665,5 +3672,5 @@ "value": "Security Software Discovery Mitigation - T1063" } ], - "version": 6 + "version": 7 } diff --git a/clusters/mitre-intrusion-set.json b/clusters/mitre-intrusion-set.json index db80e2e..c68b99f 100644 --- a/clusters/mitre-intrusion-set.json +++ b/clusters/mitre-intrusion-set.json @@ -16,11 +16,11 @@ "refs": [ "https://attack.mitre.org/groups/G0027", "https://www.secureworks.com/research/threat-group-3390-targets-organizations-for-cyberespionage", - "http://arstechnica.com/security/2015/08/newly-discovered-chinese-hacking-group-hacked-100-websites-to-use-as-watering-holes/", "https://www.secureworks.com/research/bronze-union", - "https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/may/emissary-panda-a-potential-new-malicious-tool/", + "https://securelist.com/luckymouse-hits-national-data-center/86083/", "https://thehackernews.com/2018/06/chinese-watering-hole-attack.html", - "https://securelist.com/luckymouse-hits-national-data-center/86083/" + "https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/may/emissary-panda-a-potential-new-malicious-tool/", + "http://arstechnica.com/security/2015/08/newly-discovered-chinese-hacking-group-hacked-100-websites-to-use-as-watering-holes/" ], "synonyms": [ "Threat Group-3390", @@ -62,21 +62,7 @@ "type": "uses" }, { - "dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "b9f5dbe2-4c55-4fc5-af2e-d42c1d182ec4", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", + "dest-uuid": "e358d692-23c0-4a31-9eb6-ecc13a8d7735", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -90,49 +76,14 @@ "type": "uses" }, { - "dest-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59", + "dest-uuid": "a60657fa-e2e7-4f8f-8128-a882534ae8c5", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "ca1a3f50-5ebd-41f8-8320-2c7d6a6e88be", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "e358d692-23c0-4a31-9eb6-ecc13a8d7735", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "5a3a31fe-5a8f-48e1-bff0-a753e5b1be70", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "afc079f3-c0ea-4096-b75d-3f05338b7f60", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "b2001907-166b-4d71-bb3c-9d26c871de09", + "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -146,7 +97,77 @@ "type": "uses" }, { - "dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81", + "dest-uuid": "6aabc5ec-eae6-422c-8311-38d45ee9838a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "46944654-fcc1-4f63-9dad-628102376586", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "03342581-f790-4f03-ba41-e82e67392e23", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "f4882e23-8aa7-4b12-b28a-b349c12ee9e0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "b2001907-166b-4d71-bb3c-9d26c871de09", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7e150503-88e7-4861-866b-ff1ac82c4475", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "10d51417-ee35-4589-b1ff-b6df1c334e8d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "ca1a3f50-5ebd-41f8-8320-2c7d6a6e88be", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -167,28 +188,49 @@ "type": "uses" }, { - "dest-uuid": "46944654-fcc1-4f63-9dad-628102376586", + "dest-uuid": "c3888c54-775d-4b2f-b759-75a2ececcbfd", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", + "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "d742a578-d70e-4d0e-96a6-02a9c30204e6", + "dest-uuid": "b9f5dbe2-4c55-4fc5-af2e-d42c1d182ec4", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "a60657fa-e2e7-4f8f-8128-a882534ae8c5", + "dest-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "e7eab98d-ae11-4491-bd28-a53ba875865a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -202,21 +244,63 @@ "type": "uses" }, { - "dest-uuid": "c3888c54-775d-4b2f-b759-75a2ececcbfd", + "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "10d51417-ee35-4589-b1ff-b6df1c334e8d", + "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "f4882e23-8aa7-4b12-b28a-b349c12ee9e0", + "dest-uuid": "d742a578-d70e-4d0e-96a6-02a9c30204e6", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "64fa0de0-6240-41f4-8638-f4ca7ed528fd", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "56f46b17-8cfa-46c0-b501-dd52fef394e2", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7dd95ff6-712e-4056-9626-312ea4ab4c5e", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -230,7 +314,21 @@ "type": "uses" }, { - "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4", + "dest-uuid": "2e0dd10b-676d-4964-acd0-8a404c92b044", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "242f3da3-4425-4d11-8f5c-b842886da966", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -251,56 +349,14 @@ "type": "uses" }, { - "dest-uuid": "56f46b17-8cfa-46c0-b501-dd52fef394e2", + "dest-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "03342581-f790-4f03-ba41-e82e67392e23", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "e3a12395-188d-4051-9a16-ea8e14d07b88", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "7dd95ff6-712e-4056-9626-312ea4ab4c5e", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "e7eab98d-ae11-4491-bd28-a53ba875865a", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055", + "dest-uuid": "e066bf86-9cfb-407a-9d25-26fd5d91e360", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -314,77 +370,21 @@ "type": "uses" }, { - "dest-uuid": "64fa0de0-6240-41f4-8638-f4ca7ed528fd", + "dest-uuid": "5a3a31fe-5a8f-48e1-bff0-a753e5b1be70", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "242f3da3-4425-4d11-8f5c-b842886da966", + "dest-uuid": "afc079f3-c0ea-4096-b75d-3f05338b7f60", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "7e150503-88e7-4861-866b-ff1ac82c4475", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "2e0dd10b-676d-4964-acd0-8a404c92b044", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "6aabc5ec-eae6-422c-8311-38d45ee9838a", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "e066bf86-9cfb-407a-9d25-26fd5d91e360", + "dest-uuid": "e3a12395-188d-4051-9a16-ea8e14d07b88", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -423,7 +423,7 @@ "type": "uses" }, { - "dest-uuid": "ffe742ed-9100-4686-9e00-c331da544787", + "dest-uuid": "03342581-f790-4f03-ba41-e82e67392e23", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -444,7 +444,7 @@ "type": "uses" }, { - "dest-uuid": "03342581-f790-4f03-ba41-e82e67392e23", + "dest-uuid": "ffe742ed-9100-4686-9e00-c331da544787", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -478,28 +478,7 @@ }, "related": [ { - "dest-uuid": "d742a578-d70e-4d0e-96a6-02a9c30204e6", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "e01be9c5-e763-4caf-aeb7-000b416aef67", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "a10641f4-87b4-45a3-a906-92a149cb2c27", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9", + "dest-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -513,98 +492,7 @@ "type": "uses" }, { - "dest-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "7dd95ff6-712e-4056-9626-312ea4ab4c5e", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "dc31fe1e-d722-49da-8f5f-92c7b5aff534", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "5a63f900-5e7e-4928-a746-dd4558e1df71", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "f4882e23-8aa7-4b12-b28a-b349c12ee9e0", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "2e0dd10b-676d-4964-acd0-8a404c92b044", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "51dea151-0898-4a45-967c-3ebee0420484", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "1608f3e1-598a-42f4-a01a-2e252e81728f", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "03342581-f790-4f03-ba41-e82e67392e23", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "6aac77c4-eaf2-4366-8c13-ce50ab951f38", + "dest-uuid": "8c32eb4d-805f-4fc5-bf60-c4d476c131b5", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -618,63 +506,21 @@ "type": "uses" }, { - "dest-uuid": "970cdb5c-02fb-4c38-b17e-d6327cf3c810", + "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "799ace7f-e227-4411-baa0-8868704f2a69", + "dest-uuid": "e01be9c5-e763-4caf-aeb7-000b416aef67", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "3489cfc5-640f-4bb3-a103-9137b97de79f", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "10d51417-ee35-4589-b1ff-b6df1c334e8d", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "b77cf5f3-6060-475d-bd60-40ccbf28fdc2", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "7fd87010-3a00-4da3-b905-410525e8ec44", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc", + "dest-uuid": "2e0dd10b-676d-4964-acd0-8a404c92b044", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -688,7 +534,28 @@ "type": "uses" }, { - "dest-uuid": "a93494bb-4b80-4ea1-8695-3236a49916fd", + "dest-uuid": "dc31fe1e-d722-49da-8f5f-92c7b5aff534", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "1608f3e1-598a-42f4-a01a-2e252e81728f", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "d742a578-d70e-4d0e-96a6-02a9c30204e6", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -702,63 +569,14 @@ "type": "uses" }, { - "dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5", + "dest-uuid": "799ace7f-e227-4411-baa0-8868704f2a69", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "f879d51c-5476-431c-aedf-f14d207e4d1e", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "8c32eb4d-805f-4fc5-bf60-c4d476c131b5", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "ff6caf67-ea1f-4895-b80e-4bb0fc31c6db", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "20138b9d-1aac-4a26-8654-a36b6bbf2bba", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "c16e5409-ee53-4d79-afdc-4099dc9292df", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "72b74d71-8169-42aa-92e0-e7b04b9f5a08", + "dest-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -772,7 +590,77 @@ "type": "uses" }, { - "dest-uuid": "b9f5dbe2-4c55-4fc5-af2e-d42c1d182ec4", + "dest-uuid": "3489cfc5-640f-4bb3-a103-9137b97de79f", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "26c87906-d750-42c5-946c-d4162c73fc7b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "b77cf5f3-6060-475d-bd60-40ccbf28fdc2", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "ff6caf67-ea1f-4895-b80e-4bb0fc31c6db", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7fd87010-3a00-4da3-b905-410525e8ec44", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -785,6 +673,125 @@ ], "type": "uses" }, + { + "dest-uuid": "970cdb5c-02fb-4c38-b17e-d6327cf3c810", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "c16e5409-ee53-4d79-afdc-4099dc9292df", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "6aac77c4-eaf2-4366-8c13-ce50ab951f38", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "5a63f900-5e7e-4928-a746-dd4558e1df71", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "a93494bb-4b80-4ea1-8695-3236a49916fd", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "20138b9d-1aac-4a26-8654-a36b6bbf2bba", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "10d51417-ee35-4589-b1ff-b6df1c334e8d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "51dea151-0898-4a45-967c-3ebee0420484", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "f4882e23-8aa7-4b12-b28a-b349c12ee9e0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7dd95ff6-712e-4056-9626-312ea4ab4c5e", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "03342581-f790-4f03-ba41-e82e67392e23", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "a10641f4-87b4-45a3-a906-92a149cb2c27", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "f879d51c-5476-431c-aedf-f14d207e4d1e", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "72b74d71-8169-42aa-92e0-e7b04b9f5a08", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "b9f5dbe2-4c55-4fc5-af2e-d42c1d182ec4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "cde2d700-9ed1-46cf-9bce-07364fe8b24f", "tags": [ @@ -803,10 +810,12 @@ "refs": [ "https://attack.mitre.org/groups/G0030", "https://www.paloaltonetworks.com/resources/research/unit42-operation-lotus-blossom.html", + "https://www.accenture.com/t20180127T003755Z_w_/us-en/_acnmedia/PDF-46/Accenture-Security-Dragonfish-Threat-Analysis.pdf", "https://securelist.com/the-spring-dragon-apt/70726/" ], "synonyms": [ "Lotus Blossom", + "DRAGONFISH", "Spring Dragon" ] }, @@ -868,49 +877,7 @@ "type": "uses" }, { - "dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "f4882e23-8aa7-4b12-b28a-b349c12ee9e0", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "ca1a3f50-5ebd-41f8-8320-2c7d6a6e88be", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "d54416bd-0803-41ca-870a-ce1af7c05638", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "d742a578-d70e-4d0e-96a6-02a9c30204e6", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "b07c2c47-fefb-4d7c-a69e-6a3296171f54", + "dest-uuid": "b9f5dbe2-4c55-4fc5-af2e-d42c1d182ec4", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -923,34 +890,6 @@ ], "type": "uses" }, - { - "dest-uuid": "3b3cbbe0-6ed3-4334-b543-3ddfd8c5642d", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "7fd87010-3a00-4da3-b905-410525e8ec44", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "a257ed11-ff3b-4216-8c9d-3938ef57064c", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "8c32eb4d-805f-4fc5-bf60-c4d476c131b5", "tags": [ @@ -959,49 +898,7 @@ "type": "uses" }, { - "dest-uuid": "242f3da3-4425-4d11-8f5c-b842886da966", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "b9f5dbe2-4c55-4fc5-af2e-d42c1d182ec4", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "72b74d71-8169-42aa-92e0-e7b04b9f5a08", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "830c9528-df21-472c-8c14-a036bf17d665", + "dest-uuid": "ca1a3f50-5ebd-41f8-8320-2c7d6a6e88be", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -1015,35 +912,14 @@ "type": "uses" }, { - "dest-uuid": "0c8465c0-d0b4-4670-992e-4eee8d7ff952", + "dest-uuid": "242f3da3-4425-4d11-8f5c-b842886da966", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "4b74a1d4-b0e9-4ef1-93f1-14ecc6e2f5b5", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "cc7b8c4e-9be0-47ca-b0bb-83915ec3ee2f", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "e358d692-23c0-4a31-9eb6-ecc13a8d7735", + "dest-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -1057,35 +933,35 @@ "type": "uses" }, { - "dest-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59", + "dest-uuid": "830c9528-df21-472c-8c14-a036bf17d665", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "be2dcee9-a7a7-4e38-afd6-21b31ecc3d63", + "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "03342581-f790-4f03-ba41-e82e67392e23", + "dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", + "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "519630c5-f03f-4882-825c-3af924935817", + "dest-uuid": "d742a578-d70e-4d0e-96a6-02a9c30204e6", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -1098,6 +974,62 @@ ], "type": "uses" }, + { + "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "72b74d71-8169-42aa-92e0-e7b04b9f5a08", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "4b74a1d4-b0e9-4ef1-93f1-14ecc6e2f5b5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "b07c2c47-fefb-4d7c-a69e-6a3296171f54", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "afc079f3-c0ea-4096-b75d-3f05338b7f60", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "e358d692-23c0-4a31-9eb6-ecc13a8d7735", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "f3c544dc-673c-4ef3-accb-53229f1ae077", "tags": [ @@ -1106,7 +1038,56 @@ "type": "uses" }, { - "dest-uuid": "ae676644-d2d2-41b7-af7e-9bed1b55898c", + "dest-uuid": "7fd87010-3a00-4da3-b905-410525e8ec44", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "be2dcee9-a7a7-4e38-afd6-21b31ecc3d63", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "3b3cbbe0-6ed3-4334-b543-3ddfd8c5642d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "d54416bd-0803-41ca-870a-ce1af7c05638", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "519630c5-f03f-4882-825c-3af924935817", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "a257ed11-ff3b-4216-8c9d-3938ef57064c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "0c8465c0-d0b4-4670-992e-4eee8d7ff952", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -1120,7 +1101,35 @@ "type": "uses" }, { - "dest-uuid": "afc079f3-c0ea-4096-b75d-3f05338b7f60", + "dest-uuid": "03342581-f790-4f03-ba41-e82e67392e23", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "cc7b8c4e-9be0-47ca-b0bb-83915ec3ee2f", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "ae676644-d2d2-41b7-af7e-9bed1b55898c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "f4882e23-8aa7-4b12-b28a-b349c12ee9e0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -1150,41 +1159,6 @@ ] }, "related": [ - { - "dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "a5528622-3a8a-4633-86ce-8cdaf8423858", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "6ff403bc-93e3-48be-8687-e102fdba8c88", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "7fd87010-3a00-4da3-b905-410525e8ec44", "tags": [ @@ -1192,13 +1166,6 @@ ], "type": "uses" }, - { - "dest-uuid": "d742a578-d70e-4d0e-96a6-02a9c30204e6", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "8c32eb4d-805f-4fc5-bf60-c4d476c131b5", "tags": [ @@ -1207,14 +1174,14 @@ "type": "uses" }, { - "dest-uuid": "835a79f1-842d-472d-b8f4-d54b545c341b", + "dest-uuid": "a5528622-3a8a-4633-86ce-8cdaf8423858", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", + "dest-uuid": "835a79f1-842d-472d-b8f4-d54b545c341b", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -1227,6 +1194,27 @@ ], "type": "uses" }, + { + "dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "d742a578-d70e-4d0e-96a6-02a9c30204e6", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "d21a2069-23d5-4043-ad6d-64f6b644cb1a", "tags": [ @@ -1234,6 +1222,20 @@ ], "type": "uses" }, + { + "dest-uuid": "a5e91d50-24fa-44ec-9894-39a88f658cea", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688", "tags": [ @@ -1241,6 +1243,13 @@ ], "type": "uses" }, + { + "dest-uuid": "6ff403bc-93e3-48be-8687-e102fdba8c88", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", "tags": [ @@ -1249,7 +1258,7 @@ "type": "uses" }, { - "dest-uuid": "a5e91d50-24fa-44ec-9894-39a88f658cea", + "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -1272,8 +1281,9 @@ "https://www.proofpoint.com/us/threat-insight/post/microsoft-word-intruder-integrates-cve-2017-0199-utilized-cobalt-group-target", "https://www.riskiq.com/blog/labs/cobalt-strike/", "https://www.riskiq.com/blog/labs/cobalt-group-spear-phishing-russian-banks/", + "https://www.europol.europa.eu/newsroom/news/mastermind-behind-eur-1-billion-cyber-bank-robbery-arrested-in-spain", "https://crowdstrike.lookbookhq.com/global-threat-report-2018-web/cs-2018-global-threat-report", - "https://www.europol.europa.eu/newsroom/news/mastermind-behind-eur-1-billion-cyber-bank-robbery-arrested-in-spain" + "https://blog.morphisec.com/cobalt-gang-2.0" ], "synonyms": [ "Cobalt Group", @@ -1283,42 +1293,7 @@ }, "related": [ { - "dest-uuid": "8c32eb4d-805f-4fc5-bf60-c4d476c131b5", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "f4882e23-8aa7-4b12-b28a-b349c12ee9e0", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "68f7e3a1-f09f-4164-9a62-16b648a0dd5a", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "afc079f3-c0ea-4096-b75d-3f05338b7f60", + "dest-uuid": "51dea151-0898-4a45-967c-3ebee0420484", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -1331,69 +1306,6 @@ ], "type": "uses" }, - { - "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "20138b9d-1aac-4a26-8654-a36b6bbf2bba", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "478aa214-2ca7-4ec0-9978-18798e514790", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "51dea151-0898-4a45-967c-3ebee0420484", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "ff6caf67-ea1f-4895-b80e-4bb0fc31c6db", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "e3a12395-188d-4051-9a16-ea8e14d07b88", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "7fd87010-3a00-4da3-b905-410525e8ec44", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "b21c3b2d-02e6-45b1-980b-e69051040839", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "6aabc5ec-eae6-422c-8311-38d45ee9838a", "tags": [ @@ -1402,28 +1314,7 @@ "type": "uses" }, { - "dest-uuid": "d8d19e33-94fd-4aa3-b94a-08ee801a2153", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "ebbe170d-aa74-4946-8511-9921243415a3", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "4061e78c-1284-44b4-9116-73e4ac3912f7", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "edbe24e9-aec4-4994-ac75-6a6bc7f1ddd0", + "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -1437,7 +1328,28 @@ "type": "uses" }, { - "dest-uuid": "4b74a1d4-b0e9-4ef1-93f1-14ecc6e2f5b5", + "dest-uuid": "8c32eb4d-805f-4fc5-bf60-c4d476c131b5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "20138b9d-1aac-4a26-8654-a36b6bbf2bba", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "e3a12395-188d-4051-9a16-ea8e14d07b88", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "478aa214-2ca7-4ec0-9978-18798e514790", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -1450,27 +1362,6 @@ ], "type": "uses" }, - { - "dest-uuid": "6aac77c4-eaf2-4366-8c13-ce50ab951f38", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "be2dcee9-a7a7-4e38-afd6-21b31ecc3d63", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "tags": [ @@ -1485,12 +1376,159 @@ ], "type": "uses" }, + { + "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "ff6caf67-ea1f-4895-b80e-4bb0fc31c6db", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "b21c3b2d-02e6-45b1-980b-e69051040839", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "6aac77c4-eaf2-4366-8c13-ce50ab951f38", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "d8d19e33-94fd-4aa3-b94a-08ee801a2153", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "68f7e3a1-f09f-4164-9a62-16b648a0dd5a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "edbe24e9-aec4-4994-ac75-6a6bc7f1ddd0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "4061e78c-1284-44b4-9116-73e4ac3912f7", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "be2dcee9-a7a7-4e38-afd6-21b31ecc3d63", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "03259939-0b57-482f-8eb5-87c0e0d54334", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "4b74a1d4-b0e9-4ef1-93f1-14ecc6e2f5b5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "241814ae-de3f-4656-b49e-f9a80764d4b7", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7fd87010-3a00-4da3-b905-410525e8ec44", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "ebbe170d-aa74-4946-8511-9921243415a3", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "f4882e23-8aa7-4b12-b28a-b349c12ee9e0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "afc079f3-c0ea-4096-b75d-3f05338b7f60", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "aafea02e-ece5-4bb2-91a6-3bf8c7f38a39", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" + }, + { + "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "dc6fe6ee-04c2-49be-ba3d-f38d2463c02a", @@ -1503,8 +1541,8 @@ "refs": [ "https://attack.mitre.org/groups/G0009", "https://blog.crowdstrike.com/deep-thought-chinese-targeting-national-security-think-tanks/", - "https://www.emc.com/collateral/white-papers/h12756-wp-shell-crew.pdf", "https://www.threatconnect.com/the-anthem-hack-all-roads-lead-to-china/", + "https://www.emc.com/collateral/white-papers/h12756-wp-shell-crew.pdf", "http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/the-black-vine-cyberespionage-group.pdf", "https://icitech.org/icit-brief-chinas-espionage-dynasty-economic-death-by-a-thousand-cuts/" ], @@ -1547,21 +1585,7 @@ "type": "uses" }, { - "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "00d0b012-8a03-410e-95de-5826bf542de6", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "2e45723a-31da-4a7e-aaa6-e01998a6788f", + "dest-uuid": "68f7e3a1-f09f-4164-9a62-16b648a0dd5a", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -1575,14 +1599,7 @@ "type": "uses" }, { - "dest-uuid": "c16e5409-ee53-4d79-afdc-4099dc9292df", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "68f7e3a1-f09f-4164-9a62-16b648a0dd5a", + "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -1596,21 +1613,7 @@ "type": "uses" }, { - "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "e358d692-23c0-4a31-9eb6-ecc13a8d7735", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "94379dec-5c87-49db-b36e-66abc0b81344", + "dest-uuid": "00d0b012-8a03-410e-95de-5826bf542de6", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -1624,14 +1627,14 @@ "type": "uses" }, { - "dest-uuid": "9b99b83a-1aac-4e29-b975-b374950551a3", + "dest-uuid": "2e45723a-31da-4a7e-aaa6-e01998a6788f", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "fbb470da-1d44-4f29-bbb3-9efbe20f94a3", + "dest-uuid": "e358d692-23c0-4a31-9eb6-ecc13a8d7735", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -1657,6 +1660,41 @@ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" + }, + { + "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "9b99b83a-1aac-4e29-b975-b374950551a3", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "fbb470da-1d44-4f29-bbb3-9efbe20f94a3", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "94379dec-5c87-49db-b36e-66abc0b81344", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "c16e5409-ee53-4d79-afdc-4099dc9292df", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "a653431d-6a5e-4600-8ad3-609b5af57064", @@ -1689,6 +1727,13 @@ ], "type": "uses" }, + { + "dest-uuid": "66b1dcde-17a0-4c7b-95fa-b08d430c2131", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", "tags": [ @@ -1697,7 +1742,7 @@ "type": "uses" }, { - "dest-uuid": "66b1dcde-17a0-4c7b-95fa-b08d430c2131", + "dest-uuid": "0db09158-6e48-4e7c-8ce7-2b10b9c0c039", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -1717,13 +1762,6 @@ ], "type": "uses" }, - { - "dest-uuid": "0db09158-6e48-4e7c-8ce7-2b10b9c0c039", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "e1161124-f22e-487f-9d5f-ed8efc8dcd61", "tags": [ @@ -1736,17 +1774,15 @@ "value": "Dust Storm - G0031" }, { - "description": "[Night Dragon](https://attack.mitre.org/groups/G0014) is a campaign name for activity involving threat group that has conducted activity originating primarily in China. (Citation: McAfee Night Dragon) The activity from this group is also known as Musical Chairs. (Citation: Arbor Musical Chairs Feb 2018)", + "description": "[Night Dragon](https://attack.mitre.org/groups/G0014) is a campaign name for activity involving a threat group that has conducted activity originating primarily in China. (Citation: McAfee Night Dragon)", "meta": { "external_id": "G0014", "refs": [ "https://attack.mitre.org/groups/G0014", - "https://securingtomorrow.mcafee.com/wp-content/uploads/2011/02/McAfee_NightDragon_wp_draft_to_customersv1-1.pdf", - "https://www.arbornetworks.com/blog/asert/musical-chairs-playing-tetris/" + "https://securingtomorrow.mcafee.com/wp-content/uploads/2011/02/McAfee_NightDragon_wp_draft_to_customersv1-1.pdf" ], "synonyms": [ - "Night Dragon", - "Musical Chairs" + "Night Dragon" ] }, "related": [ @@ -1764,6 +1800,125 @@ ], "type": "uses" }, + { + "dest-uuid": "b07c2c47-fefb-4d7c-a69e-6a3296171f54", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "54e8672d-5338-4ad1-954a-a7c986bee530", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "2e0dd10b-676d-4964-acd0-8a404c92b044", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "20138b9d-1aac-4a26-8654-a36b6bbf2bba", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "f879d51c-5476-431c-aedf-f14d207e4d1e", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "ff6caf67-ea1f-4895-b80e-4bb0fc31c6db", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "56f46b17-8cfa-46c0-b501-dd52fef394e2", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "0c8465c0-d0b4-4670-992e-4eee8d7ff952", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "c23b740b-a42b-47a1-aec2-9d48ddd547ff", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "4061e78c-1284-44b4-9116-73e4ac3912f7", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "8c32eb4d-805f-4fc5-bf60-c4d476c131b5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "10d51417-ee35-4589-b1ff-b6df1c334e8d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "6ff403bc-93e3-48be-8687-e102fdba8c88", "tags": [ @@ -1772,7 +1927,7 @@ "type": "uses" }, { - "dest-uuid": "1a295f87-af63-4d94-b130-039d6221fb11", + "dest-uuid": "7dd95ff6-712e-4056-9626-312ea4ab4c5e", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -1785,6 +1940,13 @@ ], "type": "uses" }, + { + "dest-uuid": "488da8ed-2887-4ef6-a39a-5b69bc6682c6", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "9755ecdc-deb0-40e6-af49-713cb0f8ed92", "tags": [ @@ -1797,16 +1959,135 @@ "value": "Night Dragon - G0014" }, { - "description": "[Lazarus Group](https://attack.mitre.org/groups/G0032) is a threat group that has been attributed to the North Korean government. (Citation: US-CERT HIDDEN COBRA June 2017) The group has been active since at least 2009 and was reportedly responsible for the November 2014 destructive wiper attack against Sony Pictures Entertainment as part of a campaign named Operation Blockbuster by Novetta. Malware used by [Lazarus Group](https://attack.mitre.org/groups/G0032) correlates to other reported campaigns, including Operation Flame, Operation 1Mission, Operation Troy, DarkSeoul, and Ten Days of Rain. (Citation: Novetta Blockbuster) In late 2017, [Lazarus Group](https://attack.mitre.org/groups/G0032) used KillDisk, a disk-wiping tool, in an attack against an online casino based in Central America. (Citation: Lazarus KillDisk)", + "description": "[Tropic Trooper](https://attack.mitre.org/groups/G0081) is an unaffiliated threat group that has led targeted campaigns against targets in Taiwan, the Philippines, and Hong Kong. [Tropic Trooper](https://attack.mitre.org/groups/G0081) focuses on targeting government, healthcare, transportation, and high-tech industries and has been active since 2011.(Citation: TrendMicro Tropic Trooper Mar 2018)(Citation: Unit 42 Tropic Trooper Nov 2016)", + "meta": { + "external_id": "G0081", + "refs": [ + "https://attack.mitre.org/groups/G0081", + "https://blog.trendmicro.com/trendlabs-security-intelligence/tropic-trooper-new-strategy/", + "https://researchcenter.paloaltonetworks.com/2016/11/unit42-tropic-trooper-targets-taiwanese-government-and-fossil-fuel-provider-with-poison-ivy/" + ], + "synonyms": [ + "Tropic Trooper", + "KeyBoy" + ] + }, + "related": [ + { + "dest-uuid": "dc27c2ec-c5f9-4228-ba57-d67b590bda93", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "f879d51c-5476-431c-aedf-f14d207e4d1e", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "b42378e0-f147-496f-992a-26a49705395b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "514ede4c-78b3-4d78-a38b-daddf6217a79", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "be2dcee9-a7a7-4e38-afd6-21b31ecc3d63", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "6aac77c4-eaf2-4366-8c13-ce50ab951f38", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "241814ae-de3f-4656-b49e-f9a80764d4b7", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "c8e87b83-edbb-48d4-9295-4974897525b7", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "4b74a1d4-b0e9-4ef1-93f1-14ecc6e2f5b5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "dc31fe1e-d722-49da-8f5f-92c7b5aff534", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + } + ], + "uuid": "56319646-eb6e-41fc-ae53-aadfa7adb924", + "value": "Tropic Trooper - G0081" + }, + { + "description": "[Lazarus Group](https://attack.mitre.org/groups/G0032) is a threat group that has been attributed to the North Korean government.(Citation: US-CERT HIDDEN COBRA June 2017) The group has been active since at least 2009 and was reportedly responsible for the November 2014 destructive wiper attack against Sony Pictures Entertainment as part of a campaign named Operation Blockbuster by Novetta. Malware used by [Lazarus Group](https://attack.mitre.org/groups/G0032) correlates to other reported campaigns, including Operation Flame, Operation 1Mission, Operation Troy, DarkSeoul, and Ten Days of Rain. (Citation: Novetta Blockbuster) In late 2017, [Lazarus Group](https://attack.mitre.org/groups/G0032) used KillDisk, a disk-wiping tool, in an attack against an online casino based in Central America. (Citation: Lazarus KillDisk)\n\nNorth Korean group definitions are known to have significant overlap, and the name [Lazarus Group](https://attack.mitre.org/groups/G0032) is known to encompass a broad range of activity. Some organizations use the name Lazarus Group to refer to any activity attributed to North Korea.(Citation: US-CERT HIDDEN COBRA June 2017) Some organizations track North Korean clusters or groups such as Bluenoroff,(Citation: Kaspersky Lazarus Under The Hood Blog 2017) [APT37](https://attack.mitre.org/groups/G0067), and [APT38](https://attack.mitre.org/groups/G0082) separately, while other organizations may track some activity associated with those group names by the name Lazarus Group.", "meta": { "external_id": "G0032", "refs": [ "https://attack.mitre.org/groups/G0032", - "https://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Report.pdf", "https://www.us-cert.gov/ncas/alerts/TA17-164A", + "https://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Report.pdf", + "https://www.welivesecurity.com/2018/04/03/lazarus-killdisk-central-american-casino/", + "https://securelist.com/lazarus-under-the-hood/77908/", + "https://www.us-cert.gov/ncas/analysis-reports/AR19-100A", "https://blogs.microsoft.com/on-the-issues/2017/12/19/microsoft-facebook-disrupt-zinc-malware-attack-protect-customers-internet-ongoing-cyberthreats/", - "https://www.secureworks.com/about/press/media-alert-secureworks-discovers-north-korean-cyber-threat-group-lazarus-spearphishing", - "https://www.welivesecurity.com/2018/04/03/lazarus-killdisk-central-american-casino/" + "https://www.secureworks.com/about/press/media-alert-secureworks-discovers-north-korean-cyber-threat-group-lazarus-spearphishing" ], "synonyms": [ "Lazarus Group", @@ -1839,70 +2120,7 @@ "type": "uses" }, { - "dest-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "128c55d3-aeba-469f-bd3e-c8996ab4112a", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "d54416bd-0803-41ca-870a-ce1af7c05638", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "c848fcf7-6b62-4bde-8216-b6c157d48da0", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "dc27c2ec-c5f9-4228-ba57-d67b590bda93", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "7fd87010-3a00-4da3-b905-410525e8ec44", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "be2dcee9-a7a7-4e38-afd6-21b31ecc3d63", + "dest-uuid": "dcaa092b-7de9-4a21-977f-7fcb77e89c48", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -1915,20 +2133,6 @@ ], "type": "uses" }, - { - "dest-uuid": "bd0536d7-b081-43ae-a773-cfb057c5b988", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "a10641f4-87b4-45a3-a906-92a149cb2c27", "tags": [ @@ -1936,139 +2140,6 @@ ], "type": "uses" }, - { - "dest-uuid": "4ae4f953-fe58-4cc8-a327-33257e30a830", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "7dd95ff6-712e-4056-9626-312ea4ab4c5e", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "99709758-2b96-48f2-a68a-ad7fbd828091", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "a93494bb-4b80-4ea1-8695-3236a49916fd", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "02fefddc-fb1b-423f-a76b-7552dd211d4d", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "f3c544dc-673c-4ef3-accb-53229f1ae077", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "d21a2069-23d5-4043-ad6d-64f6b644cb1a", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "1f6e3702-7ca1-4582-b2e7-4591297d05a8", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "7ba0fc46-197d-466d-8b9f-f1c64d5d81e5", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "51dea151-0898-4a45-967c-3ebee0420484", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "731f4f55-b6d0-41d1-a7a9-072a66389aea", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "d742a578-d70e-4d0e-96a6-02a9c30204e6", "tags": [ @@ -2077,63 +2148,56 @@ "type": "uses" }, { - "dest-uuid": "495b6cdb-7b5a-4fbc-8d33-e7ef68806d08", + "dest-uuid": "dc27c2ec-c5f9-4228-ba57-d67b590bda93", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "afc079f3-c0ea-4096-b75d-3f05338b7f60", + "dest-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "478aa214-2ca7-4ec0-9978-18798e514790", + "dest-uuid": "d21a2069-23d5-4043-ad6d-64f6b644cb1a", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "3b3cbbe0-6ed3-4334-b543-3ddfd8c5642d", + "dest-uuid": "7fd87010-3a00-4da3-b905-410525e8ec44", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", + "dest-uuid": "02fefddc-fb1b-423f-a76b-7552dd211d4d", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "92d7da27-2d91-488e-a00c-059dc162766d", + "dest-uuid": "51dea151-0898-4a45-967c-3ebee0420484", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "a19e86f8-1c0a-4fea-8407-23b73d615776", + "dest-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "dcaa092b-7de9-4a21-977f-7fcb77e89c48", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "cc7b8c4e-9be0-47ca-b0bb-83915ec3ee2f", + "dest-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -2146,6 +2210,118 @@ ], "type": "uses" }, + { + "dest-uuid": "7dd95ff6-712e-4056-9626-312ea4ab4c5e", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "cc7b8c4e-9be0-47ca-b0bb-83915ec3ee2f", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "11e36d5b-6a92-4bf9-8eb7-85eb24f59e22", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "f879d51c-5476-431c-aedf-f14d207e4d1e", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "92d7da27-2d91-488e-a00c-059dc162766d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "495b6cdb-7b5a-4fbc-8d33-e7ef68806d08", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "2e0dd10b-676d-4964-acd0-8a404c92b044", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "128c55d3-aeba-469f-bd3e-c8996ab4112a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "f3c544dc-673c-4ef3-accb-53229f1ae077", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "afc079f3-c0ea-4096-b75d-3f05338b7f60", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "5a63f900-5e7e-4928-a746-dd4558e1df71", "tags": [ @@ -2153,6 +2329,48 @@ ], "type": "uses" }, + { + "dest-uuid": "970cdb5c-02fb-4c38-b17e-d6327cf3c810", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "4ae4f953-fe58-4cc8-a327-33257e30a830", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "3b3cbbe0-6ed3-4334-b543-3ddfd8c5642d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "be2dcee9-a7a7-4e38-afd6-21b31ecc3d63", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "9dbdadb6-fdbf-490f-a35f-38762d06a0d2", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "9b325b06-35a1-457d-be46-a4ecc0b7ff0c", "tags": [ @@ -2161,7 +2379,133 @@ "type": "uses" }, { - "dest-uuid": "11e36d5b-6a92-4bf9-8eb7-85eb24f59e22", + "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "1f6e3702-7ca1-4582-b2e7-4591297d05a8", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "478aa214-2ca7-4ec0-9978-18798e514790", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "bd0536d7-b081-43ae-a773-cfb057c5b988", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "d54416bd-0803-41ca-870a-ce1af7c05638", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "731f4f55-b6d0-41d1-a7a9-072a66389aea", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "f24faf46-3b26-4dbb-98f2-63460498e433", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "a93494bb-4b80-4ea1-8695-3236a49916fd", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7ba0fc46-197d-466d-8b9f-f1c64d5d81e5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "8c32eb4d-805f-4fc5-bf60-c4d476c131b5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "24b4ce59-eaac-4c8b-8634-9b093b7ccd92", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "fece06b7-d4b1-42cf-b81a-5323c917546e", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "c848fcf7-6b62-4bde-8216-b6c157d48da0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "99709758-2b96-48f2-a68a-ad7fbd828091", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "b9f5dbe2-4c55-4fc5-af2e-d42c1d182ec4", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -2182,70 +2526,70 @@ "type": "uses" }, { - "dest-uuid": "2e0dd10b-676d-4964-acd0-8a404c92b044", + "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "b9f5dbe2-4c55-4fc5-af2e-d42c1d182ec4", + "dest-uuid": "a19e86f8-1c0a-4fea-8407-23b73d615776", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2", + "dest-uuid": "20fb2507-d71c-455d-9b6d-6104461cf26b", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "f24faf46-3b26-4dbb-98f2-63460498e433", + "dest-uuid": "2e114e45-2c50-404c-804a-3af9564d240e", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "f879d51c-5476-431c-aedf-f14d207e4d1e", + "dest-uuid": "b82f7d37-b826-4ec9-9391-8e121c78aed7", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "970cdb5c-02fb-4c38-b17e-d6327cf3c810", + "dest-uuid": "d45a3d09-b3cf-48f4-9f0f-f521ee5cb05c", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22", + "dest-uuid": "75ecdbf1-c2bb-4afc-a3f9-c8da4de8c661", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "8c32eb4d-805f-4fc5-bf60-c4d476c131b5", + "dest-uuid": "3ffbdc1f-d2bf-41ab-91a2-c7b857e98079", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "fece06b7-d4b1-42cf-b81a-5323c917546e", + "dest-uuid": "cd25c1b4-935c-4f0e-ba8d-552f28bc4783", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "9dbdadb6-fdbf-490f-a35f-38762d06a0d2", + "dest-uuid": "454fe82d-6fd2-4ac6-91ab-28a33fe01369", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -2286,7 +2630,7 @@ "type": "uses" }, { - "dest-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d", + "dest-uuid": "e8268361-a599-4e45-bd3f-71c8c7e700c0", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -2307,7 +2651,7 @@ "type": "uses" }, { - "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", + "dest-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -2321,14 +2665,14 @@ "type": "uses" }, { - "dest-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc", + "dest-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "e8268361-a599-4e45-bd3f-71c8c7e700c0", + "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -2365,13 +2709,6 @@ ], "type": "uses" }, - { - "dest-uuid": "bb3c1098-d654-4620-bf40-694386d28921", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "cb7bcf6f-085f-41db-81ee-4b68481661b5", "tags": [ @@ -2379,12 +2716,26 @@ ], "type": "uses" }, + { + "dest-uuid": "bb3c1098-d654-4620-bf40-694386d28921", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "463f68f1-5cde-4dc2-a831-68b73488f8f4", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" + }, + { + "dest-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "c5574ca0-d5a4-490a-b207-e4658e5fd1d7", @@ -2418,7 +2769,7 @@ "type": "uses" }, { - "dest-uuid": "f4882e23-8aa7-4b12-b28a-b349c12ee9e0", + "dest-uuid": "7e150503-88e7-4861-866b-ff1ac82c4475", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -2432,7 +2783,7 @@ "type": "uses" }, { - "dest-uuid": "7e150503-88e7-4861-866b-ff1ac82c4475", + "dest-uuid": "f4882e23-8aa7-4b12-b28a-b349c12ee9e0", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -2470,9 +2821,9 @@ "refs": [ "https://attack.mitre.org/groups/G0034", "https://www.fireeye.com/blog/threat-research/2016/01/ukraine-and-sandworm-team.html", + "https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-january-voodoo-bear/", "https://www.f-secure.com/documents/996508/1030745/blackenergy_whitepaper.pdf", - "https://www.infosecurity-magazine.com/news/microsoft-zero-day-traced-russian/", - "https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-january-voodoo-bear/" + "https://www.infosecurity-magazine.com/news/microsoft-zero-day-traced-russian/" ], "synonyms": [ "Sandworm Team", @@ -2541,7 +2892,42 @@ "type": "uses" }, { - "dest-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9", + "dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7fd87010-3a00-4da3-b905-410525e8ec44", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "92d7da27-2d91-488e-a00c-059dc162766d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -2561,27 +2947,6 @@ ], "type": "uses" }, - { - "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "92d7da27-2d91-488e-a00c-059dc162766d", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "4b74a1d4-b0e9-4ef1-93f1-14ecc6e2f5b5", "tags": [ @@ -2590,14 +2955,14 @@ "type": "uses" }, { - "dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5", + "dest-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", + "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -2610,26 +2975,12 @@ ], "type": "uses" }, - { - "dest-uuid": "7fd87010-3a00-4da3-b905-410525e8ec44", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" - }, - { - "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" } ], "uuid": "894aab42-3371-47b1-8859-a4a074c804c8", @@ -2641,11 +2992,11 @@ "external_id": "G0044", "refs": [ "https://attack.mitre.org/groups/G0044", - "http://www.symantec.com/connect/blogs/suckfly-revealing-secret-life-your-code-signing-certificates", "https://securelist.com/winnti-more-than-just-a-game/37029/", "https://securelist.com/games-are-over/70991/", "http://www.novetta.com/wp-content/uploads/2015/04/novetta_winntianalysis.pdf", - "https://401trg.com/burning-umbrella/" + "https://401trg.com/burning-umbrella/", + "http://www.symantec.com/connect/blogs/suckfly-revealing-secret-life-your-code-signing-certificates" ], "synonyms": [ "Winnti Group", @@ -2748,7 +3099,7 @@ "type": "uses" }, { - "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", + "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -2769,14 +3120,14 @@ "type": "uses" }, { - "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", + "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", + "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -2801,7 +3152,7 @@ "value": "Gamaredon Group - G0047" }, { - "description": "[Charming Kitten](https://attack.mitre.org/groups/G0058) is an Iranian cyber espionage group that has been active since approximately 2014. They appear to focus on targeting individuals of interest to Iran who work in academic research, human rights, and media, with most victims having been located in Iran, the US, Israel, and the UK. [Charming Kitten](https://attack.mitre.org/groups/G0058) usually tries to access private email and Facebook accounts, and sometimes establishes a foothold on victim computers as a secondary objective. The group's TTPs overlap extensively with another group, [Rocket Kitten](https://attack.mitre.org/groups/G0059), resulting in reporting that may not distinguish between the two groups' activities. (Citation: ClearSky Charming Kitten Dec 2017)", + "description": "[Charming Kitten](https://attack.mitre.org/groups/G0058) is an Iranian cyber espionage group that has been active since approximately 2014. They appear to focus on targeting individuals of interest to Iran who work in academic research, human rights, and media, with most victims having been located in Iran, the US, Israel, and the UK. [Charming Kitten](https://attack.mitre.org/groups/G0058) usually tries to access private email and Facebook accounts, and sometimes establishes a foothold on victim computers as a secondary objective. The group's TTPs overlap extensively with another group, [Magic Hound](https://attack.mitre.org/groups/G0059), resulting in reporting that may not distinguish between the two groups' activities. (Citation: ClearSky Charming Kitten Dec 2017)", "meta": { "external_id": "G0058", "refs": [ @@ -2838,9 +3189,9 @@ "refs": [ "https://attack.mitre.org/groups/G0059", "https://researchcenter.paloaltonetworks.com/2017/02/unit42-magic-hound-campaign-attacks-saudi-targets/", + "https://www.fireeye.com/content/dam/collateral/en/mtrends-2018.pdf", "http://www.clearskysec.com/wp-content/uploads/2017/12/Charming_Kitten_2017.pdf", - "https://www.secureworks.com/blog/iranian-pupyrat-bites-middle-eastern-organizations", - "https://www.fireeye.com/content/dam/collateral/en/mtrends-2018.pdf" + "https://www.secureworks.com/blog/iranian-pupyrat-bites-middle-eastern-organizations" ], "synonyms": [ "Magic Hound", @@ -2925,35 +3276,7 @@ "type": "uses" }, { - "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "830c9528-df21-472c-8c14-a036bf17d665", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "1608f3e1-598a-42f4-a01a-2e252e81728f", + "dest-uuid": "f879d51c-5476-431c-aedf-f14d207e4d1e", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -2967,35 +3290,7 @@ "type": "uses" }, { - "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "f879d51c-5476-431c-aedf-f14d207e4d1e", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "7fd87010-3a00-4da3-b905-410525e8ec44", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "d3df754e-997b-4cf9-97d4-70feb3120847", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "b9f5dbe2-4c55-4fc5-af2e-d42c1d182ec4", + "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -3009,7 +3304,42 @@ "type": "uses" }, { - "dest-uuid": "f4882e23-8aa7-4b12-b28a-b349c12ee9e0", + "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7fd87010-3a00-4da3-b905-410525e8ec44", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "1608f3e1-598a-42f4-a01a-2e252e81728f", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "ff6caf67-ea1f-4895-b80e-4bb0fc31c6db", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -3022,6 +3352,76 @@ ], "type": "uses" }, + { + "dest-uuid": "6aac77c4-eaf2-4366-8c13-ce50ab951f38", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "c848fcf7-6b62-4bde-8216-b6c157d48da0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "b9f5dbe2-4c55-4fc5-af2e-d42c1d182ec4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "d3df754e-997b-4cf9-97d4-70feb3120847", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "f4882e23-8aa7-4b12-b28a-b349c12ee9e0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "8c32eb4d-805f-4fc5-bf60-c4d476c131b5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "cb69b20d-56d0-41ab-8440-4a4b251614d4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", "tags": [ @@ -3037,49 +3437,14 @@ "type": "uses" }, { - "dest-uuid": "cb69b20d-56d0-41ab-8440-4a4b251614d4", + "dest-uuid": "830c9528-df21-472c-8c14-a036bf17d665", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "c848fcf7-6b62-4bde-8216-b6c157d48da0", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "6aac77c4-eaf2-4366-8c13-ce50ab951f38", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "ff6caf67-ea1f-4895-b80e-4bb0fc31c6db", + "dest-uuid": "fbd727ea-c0dc-42a9-8448-9e12962d1ab5", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -3093,14 +3458,14 @@ "type": "uses" }, { - "dest-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc", + "dest-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59", + "dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -3112,24 +3477,104 @@ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" - }, + } + ], + "uuid": "f9d6633a-55e6-4adc-9263-6ae080421a13", + "value": "Magic Hound - G0059" + }, + { + "description": "[Stolen Pencil](https://attack.mitre.org/groups/G0086) is a threat group likely originating from DPRK that has been active since at least May 2018. The group appears to have targeted academic institutions, but its motives remain unclear.(Citation: Netscout Stolen Pencil Dec 2018)", + "meta": { + "external_id": "G0086", + "refs": [ + "https://attack.mitre.org/groups/G0086", + "https://asert.arbornetworks.com/stolen-pencil-campaign-targets-academia/" + ], + "synonyms": [ + "Stolen Pencil" + ] + }, + "related": [ { - "dest-uuid": "8c32eb4d-805f-4fc5-bf60-c4d476c131b5", + "dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "fbd727ea-c0dc-42a9-8448-9e12962d1ab5", + "dest-uuid": "3257eb21-f9a7-4430-8de1-d8b6e288f529", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "afc079f3-c0ea-4096-b75d-3f05338b7f60", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "51dea151-0898-4a45-967c-3ebee0420484", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "389735f1-f21c-4208-b8f0-f8031e7169b8", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "ff6caf67-ea1f-4895-b80e-4bb0fc31c6db", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "20138b9d-1aac-4a26-8654-a36b6bbf2bba", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "ba8e391f-14b5-496f-81f2-2d5ecd646c1c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "6aabc5ec-eae6-422c-8311-38d45ee9838a", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" } ], - "uuid": "f9d6633a-55e6-4adc-9263-6ae080421a13", - "value": "Magic Hound - G0059" + "uuid": "7a0d4c09-dfe7-4fa2-965a-1a0e42fedd70", + "value": "Stolen Pencil - G0086" }, { "description": "[Gorgon Group](https://attack.mitre.org/groups/G0078) is a threat group consisting of members who are suspected to be Pakistan-based or have other connections to Pakistan. The group has performed a mix of criminal and targeted attacks, including campaigns against government organizations in the United Kingdom, Spain, Russia, and the United States. (Citation: Unit 42 Gorgon Group Aug 2018)", @@ -3152,21 +3597,7 @@ "type": "uses" }, { - "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "f4882e23-8aa7-4b12-b28a-b349c12ee9e0", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "da04ac30-27da-4959-a67d-450ce47d9470", + "dest-uuid": "2e0dd10b-676d-4964-acd0-8a404c92b044", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -3180,14 +3611,7 @@ "type": "uses" }, { - "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "c848fcf7-6b62-4bde-8216-b6c157d48da0", + "dest-uuid": "970cdb5c-02fb-4c38-b17e-d6327cf3c810", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -3208,14 +3632,35 @@ "type": "uses" }, { - "dest-uuid": "970cdb5c-02fb-4c38-b17e-d6327cf3c810", + "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "2e0dd10b-676d-4964-acd0-8a404c92b044", + "dest-uuid": "c848fcf7-6b62-4bde-8216-b6c157d48da0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "8c32eb4d-805f-4fc5-bf60-c4d476c131b5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "da04ac30-27da-4959-a67d-450ce47d9470", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -3229,7 +3674,28 @@ "type": "uses" }, { - "dest-uuid": "8c32eb4d-805f-4fc5-bf60-c4d476c131b5", + "dest-uuid": "7cd0bc75-055b-4098-a00e-83dc8beaff14", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "b4d80f8b-d2b9-4448-8844-4bef777ed676", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "f4882e23-8aa7-4b12-b28a-b349c12ee9e0", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -3248,17 +3714,172 @@ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" + } + ], + "uuid": "1f21da59-6a13-455b-afd0-d58d0a5a7d27", + "value": "Gorgon Group - G0078" + }, + { + "description": "[TEMP.Veles](https://attack.mitre.org/groups/G0088) is a Russia-based threat group that has targeted critical infrastructure. The group has been observed utilizing TRITON, a malware framework designed to manipulate industrial safety systems.(Citation: FireEye TRITON 2019)(Citation: FireEye TEMP.Veles 2018)(Citation: FireEye TEMP.Veles JSON April 2019)", + "meta": { + "external_id": "G0088", + "refs": [ + "https://attack.mitre.org/groups/G0088", + "https://www.fireeye.com/blog/threat-research/2019/04/triton-actor-ttp-profile-custom-attack-tools-detections.html", + "https://www.fireeye.com/blog/threat-research/2018/10/triton-attribution-russian-government-owned-lab-most-likely-built-tools.html ", + "https://www.fireeye.com/content/dam/fireeye-www/blog/files/TRITON_Appendix_C.html", + "https://dragos.com/resource/xenotime/", + "https://pylos.co/2019/04/12/a-xenotime-to-remember-veles-in-the-wild/" + ], + "synonyms": [ + "TEMP.Veles", + "XENOTIME" + ] + }, + "related": [ + { + "dest-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" }, { - "dest-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc", + "dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "ff6caf67-ea1f-4895-b80e-4bb0fc31c6db", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "afc079f3-c0ea-4096-b75d-3f05338b7f60", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "62166220-e498-410f-a90a-19d4339d4e99", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "128c55d3-aeba-469f-bd3e-c8996ab4112a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7dd95ff6-712e-4056-9626-312ea4ab4c5e", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "54a649ff-439a-41a4-9856-8d144a2551ba", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "51dea151-0898-4a45-967c-3ebee0420484", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "10d51417-ee35-4589-b1ff-b6df1c334e8d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "c16e5409-ee53-4d79-afdc-4099dc9292df", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "c848fcf7-6b62-4bde-8216-b6c157d48da0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "f879d51c-5476-431c-aedf-f14d207e4d1e", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "f4882e23-8aa7-4b12-b28a-b349c12ee9e0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "00d0b012-8a03-410e-95de-5826bf542de6", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "795c1a92-3a26-453e-b99a-6a566aa94dc6", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "20a66013-8dab-4ca3-a67d-766c842c561c", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" } ], - "uuid": "1f21da59-6a13-455b-afd0-d58d0a5a7d27", - "value": "Gorgon Group - G0078" + "uuid": "9538b1a4-4120-4e2d-bf59-3b11fcab05a4", + "value": "TEMP.Veles - G0088" }, { "description": "[FIN10](https://attack.mitre.org/groups/G0051) is a financially motivated threat group that has targeted organizations in North America since at least 2013 through 2016. The group uses stolen data exfiltrated from victims to extort organizations. (Citation: FireEye FIN10 June 2017)", @@ -3301,20 +3922,6 @@ ], "type": "uses" }, - { - "dest-uuid": "51dea151-0898-4a45-967c-3ebee0420484", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", "tags": [ @@ -3322,13 +3929,6 @@ ], "type": "uses" }, - { - "dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc", "tags": [ @@ -3336,12 +3936,40 @@ ], "type": "uses" }, + { + "dest-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "51dea151-0898-4a45-967c-3ebee0420484", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" + }, + { + "dest-uuid": "3433a9e8-1c47-4320-b9bf-ed449061d1c3", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "fbe9387f-34e6-4828-ac28-3080020c597b", @@ -3396,8 +4024,8 @@ "external_id": "G0013", "refs": [ "https://attack.mitre.org/groups/G0013", - "https://securelist.com/the-naikon-apt/69953/", - "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf" + "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf", + "https://securelist.com/the-naikon-apt/69953/" ], "synonyms": [ "APT30" @@ -3439,13 +4067,6 @@ ], "type": "uses" }, - { - "dest-uuid": "43213480-78f7-4fb3-976f-d48f5f6a4c2a", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "b1de6916-7a22-4460-8d26-6b5483ffaa2a", "tags": [ @@ -3460,6 +4081,13 @@ ], "type": "uses" }, + { + "dest-uuid": "43213480-78f7-4fb3-976f-d48f5f6a4c2a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "8b880b41-5139-4807-baa9-309690218719", "tags": [ @@ -3509,13 +4137,6 @@ ], "type": "uses" }, - { - "dest-uuid": "7fd87010-3a00-4da3-b905-410525e8ec44", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "5a84dc36-df0d-4053-9b7c-f0c388a57283", "tags": [ @@ -3523,27 +4144,6 @@ ], "type": "uses" }, - { - "dest-uuid": "2fab555f-7664-4623-b4e0-1675ae38190b", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "4fa49fc0-9162-4bdb-a37e-7aa3dcb6d38b", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", "tags": [ @@ -3551,27 +4151,6 @@ ], "type": "uses" }, - { - "dest-uuid": "f2e8c7a1-cae1-45c4-baf0-6f21bdcbb2c2", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "afc079f3-c0ea-4096-b75d-3f05338b7f60", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "294e2560-bd48-44b2-9da2-833b5588ad11", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "51dea151-0898-4a45-967c-3ebee0420484", "tags": [ @@ -3579,41 +4158,6 @@ ], "type": "uses" }, - { - "dest-uuid": "b9f5dbe2-4c55-4fc5-af2e-d42c1d182ec4", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "b07c2c47-fefb-4d7c-a69e-6a3296171f54", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "9de2308e-7bed-43a3-8e58-f194b3586700", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "2e45723a-31da-4a7e-aaa6-e01998a6788f", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "c23b740b-a42b-47a1-aec2-9d48ddd547ff", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5", "tags": [ @@ -3622,21 +4166,63 @@ "type": "uses" }, { - "dest-uuid": "1d808f62-cf63-4063-9727-ff6132514c22", + "dest-uuid": "b9f5dbe2-4c55-4fc5-af2e-d42c1d182ec4", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "a52edc76-328d-4596-85e7-d56ef5a9eb69", + "dest-uuid": "9de2308e-7bed-43a3-8e58-f194b3586700", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "03342581-f790-4f03-ba41-e82e67392e23", + "dest-uuid": "7fd87010-3a00-4da3-b905-410525e8ec44", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "f2e8c7a1-cae1-45c4-baf0-6f21bdcbb2c2", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "2e45723a-31da-4a7e-aaa6-e01998a6788f", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "294e2560-bd48-44b2-9da2-833b5588ad11", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "afc079f3-c0ea-4096-b75d-3f05338b7f60", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "2fab555f-7664-4623-b4e0-1675ae38190b", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -3649,6 +4235,62 @@ ], "type": "uses" }, + { + "dest-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "b07c2c47-fefb-4d7c-a69e-6a3296171f54", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "03342581-f790-4f03-ba41-e82e67392e23", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7e150503-88e7-4861-866b-ff1ac82c4475", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "ff6caf67-ea1f-4895-b80e-4bb0fc31c6db", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "72b74d71-8169-42aa-92e0-e7b04b9f5a08", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "30208d3e-0d6b-43c8-883e-44462a514619", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "a52edc76-328d-4596-85e7-d56ef5a9eb69", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "c9cd7ec9-40b7-49db-80be-1399eddd9c52", "tags": [ @@ -3656,6 +4298,48 @@ ], "type": "uses" }, + { + "dest-uuid": "c23b740b-a42b-47a1-aec2-9d48ddd547ff", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "3489cfc5-640f-4bb3-a103-9137b97de79f", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "322bad5a-1c49-4d23-ab79-76d641794afa", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "1d808f62-cf63-4063-9727-ff6132514c22", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "4fa49fc0-9162-4bdb-a37e-7aa3dcb6d38b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "b42378e0-f147-496f-992a-26a49705395b", "tags": [ @@ -3664,7 +4348,7 @@ "type": "uses" }, { - "dest-uuid": "4900fabf-1142-4c1f-92f5-0b590e049077", + "dest-uuid": "b45747dc-87ca-4597-a245-7e16a61bc491", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -3677,20 +4361,6 @@ ], "type": "uses" }, - { - "dest-uuid": "e51398e6-53dc-4e9f-a323-e54683d8672b", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "20a66013-8dab-4ca3-a67d-766c842c561c", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "27f3ddf8-1b77-4cc2-a4c0-e6da3d31a768", "tags": [ @@ -3699,7 +4369,21 @@ "type": "uses" }, { - "dest-uuid": "1a295f87-af63-4d94-b130-039d6221fb11", + "dest-uuid": "e51398e6-53dc-4e9f-a323-e54683d8672b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "488da8ed-2887-4ef6-a39a-5b69bc6682c6", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "54eb2bab-125f-4d1c-b999-0c692860bafe", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -3716,10 +4400,10 @@ "refs": [ "https://attack.mitre.org/groups/G0001", "http://www.novetta.com/wp-content/uploads/2014/11/Executive_Summary-Final_1.pdf", - "http://blogs.cisco.com/security/talos/threat-spotlight-group-72", "https://securelist.com/winnti-more-than-just-a-game/37029/", "https://securelist.com/games-are-over/70991/", - "http://www.novetta.com/wp-content/uploads/2015/04/novetta_winntianalysis.pdf" + "http://www.novetta.com/wp-content/uploads/2015/04/novetta_winntianalysis.pdf", + "http://blogs.cisco.com/security/talos/threat-spotlight-group-72" ], "synonyms": [ "Axiom", @@ -3762,20 +4446,6 @@ ], "type": "uses" }, - { - "dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "94379dec-5c87-49db-b36e-66abc0b81344", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "ad255bfe-a9e6-4b52-a258-8d3462abe842", "tags": [ @@ -3791,7 +4461,21 @@ "type": "uses" }, { - "dest-uuid": "51dea151-0898-4a45-967c-3ebee0420484", + "dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "95047f03-4811-4300-922e-1ba937d53a61", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "94379dec-5c87-49db-b36e-66abc0b81344", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -3805,7 +4489,7 @@ "type": "uses" }, { - "dest-uuid": "95047f03-4811-4300-922e-1ba937d53a61", + "dest-uuid": "51dea151-0898-4a45-967c-3ebee0420484", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -3823,10 +4507,10 @@ "https://attack.mitre.org/groups/G0010", "https://securelist.com/the-epic-turla-operation/65545/", "https://www.welivesecurity.com/wp-content/uploads/2017/08/eset-gazer.pdf", - "https://securelist.com/introducing-whitebear/81638/", - "http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/waterbug-attack-group.pdf", "https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-march-venomous-bear/", - "https://www.welivesecurity.com/wp-content/uploads/2018/01/ESET_Turla_Mosquito.pdf" + "https://www.welivesecurity.com/wp-content/uploads/2018/01/ESET_Turla_Mosquito.pdf", + "http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/waterbug-attack-group.pdf", + "https://securelist.com/introducing-whitebear/81638/" ], "synonyms": [ "Turla", @@ -3859,48 +4543,6 @@ ], "type": "uses" }, - { - "dest-uuid": "322bad5a-1c49-4d23-ab79-76d641794afa", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "00d0b012-8a03-410e-95de-5826bf542de6", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "20138b9d-1aac-4a26-8654-a36b6bbf2bba", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "80a014ba-3fef-4768-990b-37d8bd10d7f4", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "2e45723a-31da-4a7e-aaa6-e01998a6788f", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "76abb3ef-dafd-4762-97cb-a35379429db4", "tags": [ @@ -3908,55 +4550,6 @@ ], "type": "uses" }, - { - "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "30489451-5886-4c46-90c9-0dff9adc5252", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "92b55426-109f-4d93-899f-1833ce91ff90", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "7e150503-88e7-4861-866b-ff1ac82c4475", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "a93494bb-4b80-4ea1-8695-3236a49916fd", "tags": [ @@ -3965,7 +4558,14 @@ "type": "uses" }, { - "dest-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc", + "dest-uuid": "20138b9d-1aac-4a26-8654-a36b6bbf2bba", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -3979,42 +4579,28 @@ "type": "uses" }, { - "dest-uuid": "4664b683-f578-434f-919b-1c1aad2a1111", + "dest-uuid": "322bad5a-1c49-4d23-ab79-76d641794afa", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "b35068ec-107a-4266-bda8-eb7036267aea", + "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "afc079f3-c0ea-4096-b75d-3f05338b7f60", + "dest-uuid": "2e45723a-31da-4a7e-aaa6-e01998a6788f", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "e358d692-23c0-4a31-9eb6-ecc13a8d7735", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "ffe742ed-9100-4686-9e00-c331da544787", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "514ede4c-78b3-4d78-a38b-daddf6217a79", + "dest-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -4028,42 +4614,7 @@ "type": "uses" }, { - "dest-uuid": "03342581-f790-4f03-ba41-e82e67392e23", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "cde2d700-9ed1-46cf-9bce-07364fe8b24f", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "536be338-e2ef-4a6b-afb6-8d5568b91eb2", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "f3c544dc-673c-4ef3-accb-53229f1ae077", + "dest-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -4077,7 +4628,154 @@ "type": "uses" }, { - "dest-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d", + "dest-uuid": "92b55426-109f-4d93-899f-1833ce91ff90", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "cde2d700-9ed1-46cf-9bce-07364fe8b24f", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "e358d692-23c0-4a31-9eb6-ecc13a8d7735", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "80a014ba-3fef-4768-990b-37d8bd10d7f4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "b35068ec-107a-4266-bda8-eb7036267aea", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "4664b683-f578-434f-919b-1c1aad2a1111", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "afc079f3-c0ea-4096-b75d-3f05338b7f60", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "30489451-5886-4c46-90c9-0dff9adc5252", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "514ede4c-78b3-4d78-a38b-daddf6217a79", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "00d0b012-8a03-410e-95de-5826bf542de6", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "03342581-f790-4f03-ba41-e82e67392e23", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7e150503-88e7-4861-866b-ff1ac82c4475", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "6aac77c4-eaf2-4366-8c13-ce50ab951f38", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "ffe742ed-9100-4686-9e00-c331da544787", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "536be338-e2ef-4a6b-afb6-8d5568b91eb2", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "f3c544dc-673c-4ef3-accb-53229f1ae077", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "da5880b4-f7da-4869-85f2-e0aba84b8565", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -4091,7 +4789,14 @@ "type": "uses" }, { - "dest-uuid": "da5880b4-f7da-4869-85f2-e0aba84b8565", + "dest-uuid": "b7e9880a-7a7c-4162-bddb-e28e8ef2bf1f", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "3433a9e8-1c47-4320-b9bf-ed449061d1c3", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -4102,18 +4807,20 @@ "value": "Turla - G0010" }, { - "description": "[APT32](https://attack.mitre.org/groups/G0050) is a threat group that has been active since at least 2014. The group has targeted multiple private sector industries as well as with foreign governments, dissidents, and journalists with a strong focus on Southeast Asian countries like Vietnam, Phillipines, Laos, and Cambodia. They have extensively used strategic web compromises to compromise victims. \nThe group is believed to be Vietnam-based. (Citation: FireEye APT32 May 2017) (Citation: Volexity OceanLotus Nov 2017) (Citation: ESET OceanLotus)", + "description": "[APT32](https://attack.mitre.org/groups/G0050) is a threat group that has been active since at least 2014. The group has targeted multiple private sector industries as well as with foreign governments, dissidents, and journalists with a strong focus on Southeast Asian countries like Vietnam, the Philippines, Laos, and Cambodia. They have extensively used strategic web compromises to compromise victims. The group is believed to be Vietnam-based. (Citation: FireEye APT32 May 2017) (Citation: Volexity OceanLotus Nov 2017) (Citation: ESET OceanLotus)", "meta": { "external_id": "G0050", "refs": [ "https://attack.mitre.org/groups/G0050", "https://www.fireeye.com/blog/threat-research/2017/05/cyber-espionage-apt32.html", "https://www.volexity.com/blog/2017/11/06/oceanlotus-blossoms-mass-digital-surveillance-and-exploitation-of-asean-nations-the-media-human-rights-and-civil-society/", - "https://www.welivesecurity.com/2018/03/13/oceanlotus-ships-new-backdoor/" + "https://www.welivesecurity.com/2018/03/13/oceanlotus-ships-new-backdoor/", + "https://www.cybereason.com/blog/operation-cobalt-kitty-apt" ], "synonyms": [ "APT32", - "OceanLotus Group", + "SeaLotus", + "OceanLotus", "APT-C-00" ] }, @@ -4140,21 +4847,14 @@ "type": "uses" }, { - "dest-uuid": "128c55d3-aeba-469f-bd3e-c8996ab4112a", + "dest-uuid": "327f3cc5-eea1-42d4-a6cd-ed34b7ce8f61", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "6aac77c4-eaf2-4366-8c13-ce50ab951f38", + "dest-uuid": "68f7e3a1-f09f-4164-9a62-16b648a0dd5a", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -4174,13 +4874,6 @@ ], "type": "uses" }, - { - "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "c16e5409-ee53-4d79-afdc-4099dc9292df", "tags": [ @@ -4188,76 +4881,6 @@ ], "type": "uses" }, - { - "dest-uuid": "d742a578-d70e-4d0e-96a6-02a9c30204e6", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "478aa214-2ca7-4ec0-9978-18798e514790", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "98e8a977-3416-43aa-87fa-33e287e9c14c", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "f4882e23-8aa7-4b12-b28a-b349c12ee9e0", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "327f3cc5-eea1-42d4-a6cd-ed34b7ce8f61", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "799ace7f-e227-4411-baa0-8868704f2a69", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "8c32eb4d-805f-4fc5-bf60-c4d476c131b5", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "f6ae7a52-f3b6-4525-9daf-640c083f006e", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "68f7e3a1-f09f-4164-9a62-16b648a0dd5a", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "b21c3b2d-02e6-45b1-980b-e69051040839", "tags": [ @@ -4266,14 +4889,77 @@ "type": "uses" }, { - "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", + "dest-uuid": "f4882e23-8aa7-4b12-b28a-b349c12ee9e0", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "b2001907-166b-4d71-bb3c-9d26c871de09", + "dest-uuid": "98e8a977-3416-43aa-87fa-33e287e9c14c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "c23b740b-a42b-47a1-aec2-9d48ddd547ff", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "f25aab1a-0cef-4910-a85d-bb38b32ea41a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "72b74d71-8169-42aa-92e0-e7b04b9f5a08", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "62dfd1ca-52d5-483c-a84b-d6e80bf94b7b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "f2d44246-91f1-478a-b6c8-1227e0ca109d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "e358d692-23c0-4a31-9eb6-ecc13a8d7735", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "128c55d3-aeba-469f-bd3e-c8996ab4112a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "799ace7f-e227-4411-baa0-8868704f2a69", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -4286,6 +4972,13 @@ ], "type": "uses" }, + { + "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "9ca488bd-9587-48ef-b923-1743523e63b2", "tags": [ @@ -4294,28 +4987,21 @@ "type": "uses" }, { - "dest-uuid": "f72eb8a8-cd4c-461d-a814-3f862befbf00", + "dest-uuid": "afc079f3-c0ea-4096-b75d-3f05338b7f60", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0", + "dest-uuid": "f6ae7a52-f3b6-4525-9daf-640c083f006e", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "f6fe9070-7a65-49ea-ae72-76292f42cebe", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", + "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -4329,7 +5015,294 @@ "type": "uses" }, { - "dest-uuid": "afc079f3-c0ea-4096-b75d-3f05338b7f60", + "dest-uuid": "20138b9d-1aac-4a26-8654-a36b6bbf2bba", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7e150503-88e7-4861-866b-ff1ac82c4475", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "478aa214-2ca7-4ec0-9978-18798e514790", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "d742a578-d70e-4d0e-96a6-02a9c30204e6", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "03342581-f790-4f03-ba41-e82e67392e23", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "30489451-5886-4c46-90c9-0dff9adc5252", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "f879d51c-5476-431c-aedf-f14d207e4d1e", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "2c4d4e92-0ccf-4a97-b54c-86d662988a53", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "6aac77c4-eaf2-4366-8c13-ce50ab951f38", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "f6fe9070-7a65-49ea-ae72-76292f42cebe", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "8c32eb4d-805f-4fc5-bf60-c4d476c131b5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7fd87010-3a00-4da3-b905-410525e8ec44", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "a127c32c-cbb0-4f9d-be07-881a792408ec", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "f72eb8a8-cd4c-461d-a814-3f862befbf00", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "a257ed11-ff3b-4216-8c9d-3938ef57064c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "e3a12395-188d-4051-9a16-ea8e14d07b88", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "ffe742ed-9100-4686-9e00-c331da544787", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "294e2560-bd48-44b2-9da2-833b5588ad11", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "b2001907-166b-4d71-bb3c-9d26c871de09", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "b00f90b6-c75c-4bfd-b813-ca9e6c9ebf29", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "5a63f900-5e7e-4928-a746-dd4558e1df71", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "c848fcf7-6b62-4bde-8216-b6c157d48da0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "be2dcee9-a7a7-4e38-afd6-21b31ecc3d63", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "92d7da27-2d91-488e-a00c-059dc162766d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "d54416bd-0803-41ca-870a-ce1af7c05638", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "b9f5dbe2-4c55-4fc5-af2e-d42c1d182ec4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "f44731de-ea9f-406d-9b83-30ecbb9b4392", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "dc27c2ec-c5f9-4228-ba57-d67b590bda93", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "65917ae0-b854-4139-83fe-bf2441cf0196", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "6ff403bc-93e3-48be-8687-e102fdba8c88", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -4340,25 +5313,32 @@ "value": "APT32 - G0050" }, { - "description": "[APT28](https://attack.mitre.org/groups/G0007) is a threat group that has been attributed to Russia's Main Intelligence Directorate of the Russian General Staff by a July 2018 U.S. Department of Justice indictment. This group reportedly compromised the Hillary Clinton campaign, the Democratic National Committee, and the Democratic Congressional Campaign Committee in 2016 in an attempt to interfere with the U.S. presidential election. (Citation: DOJ GRU Indictment Jul 2018) (Citation: Ars Technica GRU indictment Jul 2018) (Citation: Crowdstrike DNC June 2016) (Citation: FireEye APT28) (Citation: SecureWorks TG-4127) (Citation: FireEye APT28 January 2017) (Citation: GRIZZLY STEPPE JAR) (Citation: Sofacy DealersChoice) (Citation: Palo Alto Sofacy 06-2018)", + "description": "[APT28](https://attack.mitre.org/groups/G0007) is a threat group that has been attributed to Russia's Main Intelligence Directorate of the Russian General Staff by a July 2018 U.S. Department of Justice indictment. This group reportedly compromised the Hillary Clinton campaign, the Democratic National Committee, and the Democratic Congressional Campaign Committee in 2016 in an attempt to interfere with the U.S. presidential election. [APT28](https://attack.mitre.org/groups/G0007) has been active since at least January 2007.(Citation: DOJ GRU Indictment Jul 2018) (Citation: Ars Technica GRU indictment Jul 2018) (Citation: Crowdstrike DNC June 2016) (Citation: FireEye APT28) (Citation: SecureWorks TG-4127) (Citation: FireEye APT28 January 2017) (Citation: GRIZZLY STEPPE JAR) (Citation: Sofacy DealersChoice) (Citation: Palo Alto Sofacy 06-2018) (Citation: Symantec APT28 Oct 2018)", "meta": { "external_id": "G0007", "refs": [ "https://attack.mitre.org/groups/G0007", - "https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-apt28.pdf", - "https://www2.fireeye.com/rs/848-DID-242/images/APT28-Center-of-Storm-2017.pdf", - "https://securelist.com/sofacy-apt-hits-high-profile-targets-with-updated-toolset/72924/", + "https://www.justice.gov/file/1080281/download", + "https://arstechnica.com/information-technology/2018/07/from-bitly-to-x-agent-how-gru-hackers-targeted-the-2016-presidential-election/", "https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/", + "https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-apt28.pdf", "https://www.secureworks.com/research/threat-group-4127-targets-hillary-clinton-presidential-campaign", - "http://www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part3.pdf", + "https://www2.fireeye.com/rs/848-DID-242/images/APT28-Center-of-Storm-2017.pdf", "https://www.us-cert.gov/sites/default/files/publications/JAR_16-20296A_GRIZZLY%20STEPPE-2016-1229.pdf", "https://researchcenter.paloaltonetworks.com/2018/03/unit42-sofacy-uses-dealerschoice-target-european-government-agency/", "https://researchcenter.paloaltonetworks.com/2018/06/unit42-sofacy-groups-parallel-attacks/", - "https://www.justice.gov/file/1080281/download", - "https://arstechnica.com/information-technology/2018/07/from-bitly-to-x-agent-how-gru-hackers-targeted-the-2016-presidential-election/" + "https://www.symantec.com/blogs/election-security/apt28-espionage-military-government", + "https://securelist.com/sofacy-apt-hits-high-profile-targets-with-updated-toolset/72924/", + "http://www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part3.pdf", + "https://blog.talosintelligence.com/2017/10/cyber-conflict-decoy-document.html", + "https://securelist.com/a-slice-of-2017-sofacy-activity/83930/", + "https://www.accenture.com/t20181129T203820Z__w__/us-en/_acnmedia/PDF-90/Accenture-snakemackerel-delivers-zekapab-malware.pdf#zoom=50" ], "synonyms": [ "APT28", + "SNAKEMACKEREL", + "Swallowtail", + "Group 74", "Sednit", "Sofacy", "Pawn Storm", @@ -4392,91 +5372,21 @@ "type": "uses" }, { - "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", + "dest-uuid": "6aac77c4-eaf2-4366-8c13-ce50ab951f38", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688", + "dest-uuid": "af2ad3b7-ab6a-4807-91fd-51bcaff9acbb", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "1b7ba276-eedc-4951-a762-0ceea2c030ec", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "dc27c2ec-c5f9-4228-ba57-d67b590bda93", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "9db0cf3a-a3c9-4012-8268-123b9db6fd82", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "1608f3e1-598a-42f4-a01a-2e252e81728f", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "7343e208-7cab-45f2-a47b-41ba5e2f0fab", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "2dd34b01-6110-4aac-835d-b5e7b936b0be", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "96fd6cc4-a693-4118-83ec-619e5352d07d", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "02fefddc-fb1b-423f-a76b-7552dd211d4d", + "dest-uuid": "ad255bfe-a9e6-4b52-a258-8d3462abe842", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -4490,42 +5400,14 @@ "type": "uses" }, { - "dest-uuid": "348f1eef-964b-4eb6-bb53-69b3dcb0c643", + "dest-uuid": "e669bb87-f773-4c7b-bfcc-a9ffebfdd8d4", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "7fd87010-3a00-4da3-b905-410525e8ec44", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "fe926152-f431-4baf-956c-4ad3cb0bf23b", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "20138b9d-1aac-4a26-8654-a36b6bbf2bba", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59", + "dest-uuid": "1608f3e1-598a-42f4-a01a-2e252e81728f", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -4539,21 +5421,28 @@ "type": "uses" }, { - "dest-uuid": "59a97b15-8189-4d51-9404-e1ce8ea4a069", + "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "0a68f1f1-da74-4d28-8d9a-696c082706cc", + "dest-uuid": "a1dd2dbd-1550-44bf-abcc-1a4c52e97719", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "731f4f55-b6d0-41d1-a7a9-072a66389aea", + "dest-uuid": "edbe24e9-aec4-4994-ac75-6a6bc7f1ddd0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "dc27c2ec-c5f9-4228-ba57-d67b590bda93", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -4566,6 +5455,111 @@ ], "type": "uses" }, + { + "dest-uuid": "20138b9d-1aac-4a26-8654-a36b6bbf2bba", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "348f1eef-964b-4eb6-bb53-69b3dcb0c643", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "8ae43c46-57ef-47d5-a77a-eebb35628db2", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "799ace7f-e227-4411-baa0-8868704f2a69", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "8c32eb4d-805f-4fc5-bf60-c4d476c131b5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "9b52fca7-1a36-4da0-b62d-da5bd83b4d69", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "d28ef391-8ed4-45dc-bc4a-2f43abf54416", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "03259939-0b57-482f-8eb5-87c0e0d54334", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "8f460983-1bbb-4e7e-8094-f0b5e720f658", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "fb575479-14ef-41e9-bfab-0b7cf10bec73", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "3257eb21-f9a7-4430-8de1-d8b6e288f529", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "02fefddc-fb1b-423f-a76b-7552dd211d4d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "b21c3b2d-02e6-45b1-980b-e69051040839", "tags": [ @@ -4573,6 +5567,48 @@ ], "type": "uses" }, + { + "dest-uuid": "fe926152-f431-4baf-956c-4ad3cb0bf23b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "30208d3e-0d6b-43c8-883e-44462a514619", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "dcaa092b-7de9-4a21-977f-7fcb77e89c48", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "1b7ba276-eedc-4951-a762-0ceea2c030ec", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "2dd34b01-6110-4aac-835d-b5e7b936b0be", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7dd95ff6-712e-4056-9626-312ea4ab4c5e", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "c23b740b-a42b-47a1-aec2-9d48ddd547ff", "tags": [ @@ -4588,112 +5624,7 @@ "type": "uses" }, { - "dest-uuid": "edbe24e9-aec4-4994-ac75-6a6bc7f1ddd0", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "6aac77c4-eaf2-4366-8c13-ce50ab951f38", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "8c32eb4d-805f-4fc5-bf60-c4d476c131b5", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "30208d3e-0d6b-43c8-883e-44462a514619", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "8ae43c46-57ef-47d5-a77a-eebb35628db2", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "af2ad3b7-ab6a-4807-91fd-51bcaff9acbb", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "a1dd2dbd-1550-44bf-abcc-1a4c52e97719", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "c8655260-9f4b-44e3-85e1-6538a5f6e4f4", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "ad255bfe-a9e6-4b52-a258-8d3462abe842", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "799ace7f-e227-4411-baa0-8868704f2a69", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "9b52fca7-1a36-4da0-b62d-da5bd83b4d69", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "64196062-5210-42c3-9a02-563a0d1797ef", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "dcaa092b-7de9-4a21-977f-7fcb77e89c48", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "3257eb21-f9a7-4430-8de1-d8b6e288f529", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "03259939-0b57-482f-8eb5-87c0e0d54334", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "d28ef391-8ed4-45dc-bc4a-2f43abf54416", + "dest-uuid": "0a68f1f1-da74-4d28-8d9a-696c082706cc", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -4707,28 +5638,7 @@ "type": "uses" }, { - "dest-uuid": "ccd61dfc-b03f-4689-8c18-7c97eab08472", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "e669bb87-f773-4c7b-bfcc-a9ffebfdd8d4", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "f108215f-3487-489d-be8b-80e346d32518", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "8f460983-1bbb-4e7e-8094-f0b5e720f658", + "dest-uuid": "59a97b15-8189-4d51-9404-e1ce8ea4a069", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -4742,28 +5652,14 @@ "type": "uses" }, { - "dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22", + "dest-uuid": "f4882e23-8aa7-4b12-b28a-b349c12ee9e0", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "7dd95ff6-712e-4056-9626-312ea4ab4c5e", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "2c4d4e92-0ccf-4a97-b54c-86d662988a53", + "dest-uuid": "64196062-5210-42c3-9a02-563a0d1797ef", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -4777,35 +5673,49 @@ "type": "uses" }, { - "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", + "dest-uuid": "7343e208-7cab-45f2-a47b-41ba5e2f0fab", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "f4882e23-8aa7-4b12-b28a-b349c12ee9e0", + "dest-uuid": "96fd6cc4-a693-4118-83ec-619e5352d07d", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "b9f5dbe2-4c55-4fc5-af2e-d42c1d182ec4", + "dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "fb575479-14ef-41e9-bfab-0b7cf10bec73", + "dest-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "60c18d06-7b91-4742-bae3-647845cd9d81", + "dest-uuid": "c8655260-9f4b-44e3-85e1-6538a5f6e4f4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "a4f57468-fbd5-49e4-8476-52088220b92d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -4819,7 +5729,105 @@ "type": "uses" }, { - "dest-uuid": "a4f57468-fbd5-49e4-8476-52088220b92d", + "dest-uuid": "0f20e3cb-245b-4a61-8a91-2d93f7cb0e9b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "b9f5dbe2-4c55-4fc5-af2e-d42c1d182ec4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7fd87010-3a00-4da3-b905-410525e8ec44", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "731f4f55-b6d0-41d1-a7a9-072a66389aea", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "60c18d06-7b91-4742-bae3-647845cd9d81", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "d20b397a-ea47-48a9-b503-2e2a3551e11d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "ccd61dfc-b03f-4689-8c18-7c97eab08472", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "f108215f-3487-489d-be8b-80e346d32518", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "9db0cf3a-a3c9-4012-8268-123b9db6fd82", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "be2dcee9-a7a7-4e38-afd6-21b31ecc3d63", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "2c4d4e92-0ccf-4a97-b54c-86d662988a53", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "dc31fe1e-d722-49da-8f5f-92c7b5aff534", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -4870,6 +5878,13 @@ ], "type": "uses" }, + { + "dest-uuid": "853c4192-4311-43e1-bfbb-b11b14911852", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "348f1eef-964b-4eb6-bb53-69b3dcb0c643", "tags": [ @@ -4955,14 +5970,7 @@ "type": "uses" }, { - "dest-uuid": "b9f5dbe2-4c55-4fc5-af2e-d42c1d182ec4", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "15dbf668-795c-41e6-8219-f0447c0e64ce", + "dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -4975,34 +5983,6 @@ ], "type": "uses" }, - { - "dest-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "10d51417-ee35-4589-b1ff-b6df1c334e8d", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "294e2560-bd48-44b2-9da2-833b5588ad11", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "2e45723a-31da-4a7e-aaa6-e01998a6788f", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "d54416bd-0803-41ca-870a-ce1af7c05638", "tags": [ @@ -5010,125 +5990,6 @@ ], "type": "uses" }, - { - "dest-uuid": "7e150503-88e7-4861-866b-ff1ac82c4475", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "ffe742ed-9100-4686-9e00-c331da544787", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "e358d692-23c0-4a31-9eb6-ecc13a8d7735", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "478aa214-2ca7-4ec0-9978-18798e514790", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "4664b683-f578-434f-919b-1c1aad2a1111", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "b77b563c-34bb-4fb8-86a3-3694338f7b47", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "1608f3e1-598a-42f4-a01a-2e252e81728f", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "f44731de-ea9f-406d-9b83-30ecbb9b4392", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "33b9e38f-103c-412d-bdcf-904a91fff1e4", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "92d7da27-2d91-488e-a00c-059dc162766d", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "d28ef391-8ed4-45dc-bc4a-2f43abf54416", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "7fcbc4e8-1989-441f-9ac5-e7b6ff5806f1", "tags": [ @@ -5136,6 +5997,20 @@ ], "type": "uses" }, + { + "dest-uuid": "2e45723a-31da-4a7e-aaa6-e01998a6788f", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "e3cedcfe-6515-4348-af65-7f2c4157bf0d", "tags": [ @@ -5143,6 +6018,34 @@ ], "type": "uses" }, + { + "dest-uuid": "15dbf668-795c-41e6-8219-f0447c0e64ce", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "1608f3e1-598a-42f4-a01a-2e252e81728f", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "e358d692-23c0-4a31-9eb6-ecc13a8d7735", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22", "tags": [ @@ -5151,21 +6054,7 @@ "type": "uses" }, { - "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "7fd87010-3a00-4da3-b905-410525e8ec44", + "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -5179,7 +6068,49 @@ "type": "uses" }, { - "dest-uuid": "03342581-f790-4f03-ba41-e82e67392e23", + "dest-uuid": "ffe742ed-9100-4686-9e00-c331da544787", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "478aa214-2ca7-4ec0-9978-18798e514790", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "10d51417-ee35-4589-b1ff-b6df1c334e8d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "4664b683-f578-434f-919b-1c1aad2a1111", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "294e2560-bd48-44b2-9da2-833b5588ad11", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "33b9e38f-103c-412d-bdcf-904a91fff1e4", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -5191,6 +6122,97 @@ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" + }, + { + "dest-uuid": "d28ef391-8ed4-45dc-bc4a-2f43abf54416", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "92d7da27-2d91-488e-a00c-059dc162766d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7e150503-88e7-4861-866b-ff1ac82c4475", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7fd87010-3a00-4da3-b905-410525e8ec44", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "b77b563c-34bb-4fb8-86a3-3694338f7b47", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "03342581-f790-4f03-ba41-e82e67392e23", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "b9f5dbe2-4c55-4fc5-af2e-d42c1d182ec4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "f44731de-ea9f-406d-9b83-30ecbb9b4392", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "6713ab67-e25b-49cc-808d-2b36d4fbc35c", @@ -5289,13 +6311,6 @@ ], "type": "uses" }, - { - "dest-uuid": "ff6caf67-ea1f-4895-b80e-4bb0fc31c6db", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "afc079f3-c0ea-4096-b75d-3f05338b7f60", "tags": [ @@ -5310,6 +6325,13 @@ ], "type": "uses" }, + { + "dest-uuid": "ff6caf67-ea1f-4895-b80e-4bb0fc31c6db", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22", "tags": [ @@ -5317,6 +6339,13 @@ ], "type": "uses" }, + { + "dest-uuid": "c2ffd229-11bb-4fd8-9208-edbe97b14c93", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "9108e212-1c94-4f8d-be76-1aad9b4c86a4", "tags": [ @@ -5331,13 +6360,6 @@ ], "type": "uses" }, - { - "dest-uuid": "c2ffd229-11bb-4fd8-9208-edbe97b14c93", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "fddd81e9-dd3d-477e-9773-4fb8ae227234", "tags": [ @@ -5356,13 +6378,13 @@ "refs": [ "https://attack.mitre.org/groups/G0040", "https://s3-us-west-2.amazonaws.com/cymmetria-blog/public/Unveiling_Patchwork.pdf", - "https://securelist.com/the-dropping-elephant-actor/75328/", "http://www.symantec.com/connect/blogs/patchwork-cyberespionage-group-expands-targets-governments-wide-range-industries", + "https://documents.trendmicro.com/assets/tech-brief-untangling-the-patchwork-cyberespionage-group.pdf", + "https://www.volexity.com/blog/2018/06/07/patchwork-apt-group-targets-us-think-tanks/", + "https://securelist.com/the-dropping-elephant-actor/75328/", "https://researchcenter.paloaltonetworks.com/2018/03/unit42-patchwork-continues-deliver-badnews-indian-subcontinent/", "https://www.forcepoint.com/sites/default/files/resources/files/forcepoint-security-labs-monsoon-analysis-report.pdf", - "http://enterprise-manage.norman.c.bitbit.net/resources/files/Unveiling_an_Indian_Cyberattack_Infrastructure.pdf", - "https://documents.trendmicro.com/assets/tech-brief-untangling-the-patchwork-cyberespionage-group.pdf", - "https://www.volexity.com/blog/2018/06/07/patchwork-apt-group-targets-us-think-tanks/" + "http://enterprise-manage.norman.c.bitbit.net/resources/files/Unveiling_an_Indian_Cyberattack_Infrastructure.pdf" ], "synonyms": [ "Patchwork", @@ -5395,14 +6417,7 @@ "type": "uses" }, { - "dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", + "dest-uuid": "d1183cb9-258e-4f2f-8415-50ac8252c49e", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -5416,49 +6431,7 @@ "type": "uses" }, { - "dest-uuid": "be2dcee9-a7a7-4e38-afd6-21b31ecc3d63", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "8c32eb4d-805f-4fc5-bf60-c4d476c131b5", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "00d0b012-8a03-410e-95de-5826bf542de6", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "85b39628-204a-48d2-b377-ec368cbcb7ca", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "f4882e23-8aa7-4b12-b28a-b349c12ee9e0", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", + "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -5472,28 +6445,7 @@ "type": "uses" }, { - "dest-uuid": "6aac77c4-eaf2-4366-8c13-ce50ab951f38", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "30208d3e-0d6b-43c8-883e-44462a514619", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "d54416bd-0803-41ca-870a-ce1af7c05638", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "519630c5-f03f-4882-825c-3af924935817", + "dest-uuid": "edbe24e9-aec4-4994-ac75-6a6bc7f1ddd0", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -5507,21 +6459,7 @@ "type": "uses" }, { - "dest-uuid": "ca1a3f50-5ebd-41f8-8320-2c7d6a6e88be", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "51dea151-0898-4a45-967c-3ebee0420484", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "241814ae-de3f-4656-b49e-f9a80764d4b7", + "dest-uuid": "d54416bd-0803-41ca-870a-ce1af7c05638", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -5535,7 +6473,7 @@ "type": "uses" }, { - "dest-uuid": "d742a578-d70e-4d0e-96a6-02a9c30204e6", + "dest-uuid": "be2dcee9-a7a7-4e38-afd6-21b31ecc3d63", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -5549,28 +6487,7 @@ "type": "uses" }, { - "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "f5352566-1a64-49ac-8f7f-97e1d1a03300", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "d1183cb9-258e-4f2f-8415-50ac8252c49e", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc", + "dest-uuid": "241814ae-de3f-4656-b49e-f9a80764d4b7", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -5583,76 +6500,6 @@ ], "type": "uses" }, - { - "dest-uuid": "6ff403bc-93e3-48be-8687-e102fdba8c88", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "20138b9d-1aac-4a26-8654-a36b6bbf2bba", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "7dd95ff6-712e-4056-9626-312ea4ab4c5e", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "edbe24e9-aec4-4994-ac75-6a6bc7f1ddd0", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "13cd9151-83b7-410d-9f98-25d0f0d1d80d", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "da04ac30-27da-4959-a67d-450ce47d9470", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "830c9528-df21-472c-8c14-a036bf17d665", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "7fd87010-3a00-4da3-b905-410525e8ec44", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", "tags": [ @@ -5660,6 +6507,13 @@ ], "type": "uses" }, + { + "dest-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "b2001907-166b-4d71-bb3c-9d26c871de09", "tags": [ @@ -5667,6 +6521,41 @@ ], "type": "uses" }, + { + "dest-uuid": "30208d3e-0d6b-43c8-883e-44462a514619", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "519630c5-f03f-4882-825c-3af924935817", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "d742a578-d70e-4d0e-96a6-02a9c30204e6", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "ca1a3f50-5ebd-41f8-8320-2c7d6a6e88be", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "e9595678-d269-469e-ae6b-75e49259de63", "tags": [ @@ -5674,12 +6563,145 @@ ], "type": "uses" }, + { + "dest-uuid": "f4882e23-8aa7-4b12-b28a-b349c12ee9e0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "00d0b012-8a03-410e-95de-5826bf542de6", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "6ff403bc-93e3-48be-8687-e102fdba8c88", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "f5352566-1a64-49ac-8f7f-97e1d1a03300", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "6aac77c4-eaf2-4366-8c13-ce50ab951f38", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7dd95ff6-712e-4056-9626-312ea4ab4c5e", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "13cd9151-83b7-410d-9f98-25d0f0d1d80d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "8c32eb4d-805f-4fc5-bf60-c4d476c131b5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "20138b9d-1aac-4a26-8654-a36b6bbf2bba", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "85b39628-204a-48d2-b377-ec368cbcb7ca", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "da04ac30-27da-4959-a67d-450ce47d9470", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "e494ad79-37ee-4cd0-866b-299c521d8b94", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" + }, + { + "dest-uuid": "7fd87010-3a00-4da3-b905-410525e8ec44", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "51dea151-0898-4a45-967c-3ebee0420484", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "830c9528-df21-472c-8c14-a036bf17d665", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "17862c7d-9e60-48a0-b48e-da4dc4c3f6b0", @@ -5692,8 +6714,8 @@ "refs": [ "https://attack.mitre.org/groups/G0008", "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/08064518/Carbanak_APT_eng.pdf", - "https://www.fox-it.com/en/about-fox-it/corporate/news/anunak-aka-carbanak-update/", "https://www.fireeye.com/blog/threat-research/2017/04/fin7-phishing-lnk.html", + "https://www.fox-it.com/en/about-fox-it/corporate/news/anunak-aka-carbanak-update/", "https://www.crowdstrike.com/blog/state-criminal-address/" ], "synonyms": [ @@ -5731,6 +6753,13 @@ ], "type": "uses" }, + { + "dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "afc079f3-c0ea-4096-b75d-3f05338b7f60", "tags": [ @@ -5738,20 +6767,6 @@ ], "type": "uses" }, - { - "dest-uuid": "2e0dd10b-676d-4964-acd0-8a404c92b044", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "5a63f900-5e7e-4928-a746-dd4558e1df71", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "478aa214-2ca7-4ec0-9978-18798e514790", "tags": [ @@ -5760,7 +6775,14 @@ "type": "uses" }, { - "dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81", + "dest-uuid": "72f54d66-675d-4587-9bd3-4ed09f9522e4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "5a63f900-5e7e-4928-a746-dd4558e1df71", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -5774,7 +6796,7 @@ "type": "uses" }, { - "dest-uuid": "72f54d66-675d-4587-9bd3-4ed09f9522e4", + "dest-uuid": "ff6caf67-ea1f-4895-b80e-4bb0fc31c6db", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -5788,7 +6810,7 @@ "type": "uses" }, { - "dest-uuid": "ff6caf67-ea1f-4895-b80e-4bb0fc31c6db", + "dest-uuid": "2e0dd10b-676d-4964-acd0-8a404c92b044", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -5953,14 +6975,14 @@ "type": "uses" }, { - "dest-uuid": "9108e212-1c94-4f8d-be76-1aad9b4c86a4", + "dest-uuid": "271e6d40-e191-421a-8f87-a8102452c201", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "271e6d40-e191-421a-8f87-a8102452c201", + "dest-uuid": "9108e212-1c94-4f8d-be76-1aad9b4c86a4", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -5984,7 +7006,8 @@ "refs": [ "https://attack.mitre.org/groups/G0026", "http://www.secureworks.com/resources/blog/where-you-at-indicators-of-lateral-movement-using-at-exe-on-windows-7-systems/", - "https://www.threatstream.com/blog/evasive-maneuvers-the-wekby-group-attempts-to-evade-analysis-via-custom-rop" + "https://www.threatstream.com/blog/evasive-maneuvers-the-wekby-group-attempts-to-evade-analysis-via-custom-rop", + "https://www.anomali.com/blog/evasive-maneuvers-the-wekby-group-attempts-to-evade-analysis-via-custom-rop" ], "synonyms": [ "APT18", @@ -6022,6 +7045,13 @@ ], "type": "uses" }, + { + "dest-uuid": "e066bf86-9cfb-407a-9d25-26fd5d91e360", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "10d51417-ee35-4589-b1ff-b6df1c334e8d", "tags": [ @@ -6037,7 +7067,21 @@ "type": "uses" }, { - "dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81", + "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -6050,20 +7094,6 @@ ], "type": "uses" }, - { - "dest-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "e066bf86-9cfb-407a-9d25-26fd5d91e360", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "88c621a7-aef9-4ae0-94e3-1fc87123eb24", "tags": [ @@ -6071,12 +7101,61 @@ ], "type": "uses" }, + { + "dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "f879d51c-5476-431c-aedf-f14d207e4d1e", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "9e2bba94-950b-4fcf-8070-cb3f816c5f4e", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" + }, + { + "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "38fd6a28-3353-4f2b-bb2b-459fecd5c648", @@ -6089,11 +7168,14 @@ "refs": [ "https://attack.mitre.org/groups/G0016", "https://www.f-secure.com/documents/996508/1030745/dukes_whitepaper.pdf", + "https://www.us-cert.gov/sites/default/files/publications/JAR_16-20296A_GRIZZLY%20STEPPE-2016-1229.pdf", "https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/", - "https://www.us-cert.gov/sites/default/files/publications/JAR_16-20296A_GRIZZLY%20STEPPE-2016-1229.pdf" + "https://www.fireeye.com/blog/threat-research/2018/11/not-so-cozy-an-uncomfortable-examination-of-a-suspected-apt29-phishing-campaign.html", + "https://www.microsoft.com/security/blog/2018/12/03/analysis-of-cyberattack-on-u-s-think-tanks-non-profits-public-sector-by-unidentified-attackers/" ], "synonyms": [ "APT29", + "YTTRIUM", "The Dukes", "Cozy Bear", "CozyDuke" @@ -6114,13 +7196,6 @@ ], "type": "uses" }, - { - "dest-uuid": "f4882e23-8aa7-4b12-b28a-b349c12ee9e0", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc", "tags": [ @@ -6128,41 +7203,6 @@ ], "type": "uses" }, - { - "dest-uuid": "9b99b83a-1aac-4e29-b975-b374950551a3", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "be2dcee9-a7a7-4e38-afd6-21b31ecc3d63", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "ff6caf67-ea1f-4895-b80e-4bb0fc31c6db", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "5e7ef1dc-7fb6-4913-ac75-e06113b59e0c", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "65370d0b-3bd4-4653-8cf9-daf56f6be830", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "7fd87010-3a00-4da3-b905-410525e8ec44", "tags": [ @@ -6171,7 +7211,21 @@ "type": "uses" }, { - "dest-uuid": "1ce03c65-5946-4ac9-9d4d-66db87e024bd", + "dest-uuid": "be2dcee9-a7a7-4e38-afd6-21b31ecc3d63", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "9b99b83a-1aac-4e29-b975-b374950551a3", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "f4882e23-8aa7-4b12-b28a-b349c12ee9e0", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -6184,6 +7238,20 @@ ], "type": "uses" }, + { + "dest-uuid": "e906ae4d-1d3a-4675-be23-22f7311c0da4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "65370d0b-3bd4-4653-8cf9-daf56f6be830", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "ae9d818d-95d0-41da-b045-9cabea1ca164", "tags": [ @@ -6191,20 +7259,6 @@ ], "type": "uses" }, - { - "dest-uuid": "b136d088-a829-432c-ac26-5529c26d4c7e", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "ed7d0cb1-87a6-43b4-9f46-ef1bc56d6c68", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "6ff403bc-93e3-48be-8687-e102fdba8c88", "tags": [ @@ -6213,7 +7267,7 @@ "type": "uses" }, { - "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055", + "dest-uuid": "7d751199-05fa-4a72-920f-85df4506c76c", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -6226,6 +7280,13 @@ ], "type": "uses" }, + { + "dest-uuid": "ed7d0cb1-87a6-43b4-9f46-ef1bc56d6c68", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "e6ef745b-077f-42e1-a37d-29eecff9c754", "tags": [ @@ -6233,6 +7294,13 @@ ], "type": "uses" }, + { + "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "cbf646f1-7db5-4dc6-808b-0094313949df", "tags": [ @@ -6240,6 +7308,13 @@ ], "type": "uses" }, + { + "dest-uuid": "a257ed11-ff3b-4216-8c9d-3938ef57064c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "00c3bfcb-99bd-4767-8c03-b08f585f5c8a", "tags": [ @@ -6248,42 +7323,7 @@ "type": "uses" }, { - "dest-uuid": "799ace7f-e227-4411-baa0-8868704f2a69", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "e906ae4d-1d3a-4675-be23-22f7311c0da4", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "7d751199-05fa-4a72-920f-85df4506c76c", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "2daa14d6-cbf3-4308-bb8e-213c324a08e4", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "2eb9b131-d333-4a48-9eb4-d8dec46c19ee", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "67e6d66b-1b82-4699-b47a-e2efb6268d14", + "dest-uuid": "1ce03c65-5946-4ac9-9d4d-66db87e024bd", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -6297,28 +7337,7 @@ "type": "uses" }, { - "dest-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "c23b740b-a42b-47a1-aec2-9d48ddd547ff", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "20138b9d-1aac-4a26-8654-a36b6bbf2bba", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "afc079f3-c0ea-4096-b75d-3f05338b7f60", + "dest-uuid": "799ace7f-e227-4411-baa0-8868704f2a69", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -6331,12 +7350,117 @@ ], "type": "uses" }, + { + "dest-uuid": "c21d5a77-d422-4a69-acd7-2c53c1faa34b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "20138b9d-1aac-4a26-8654-a36b6bbf2bba", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "2eb9b131-d333-4a48-9eb4-d8dec46c19ee", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "5e7ef1dc-7fb6-4913-ac75-e06113b59e0c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "2daa14d6-cbf3-4308-bb8e-213c324a08e4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "62b8c999-dcc0-4755-bd69-09442d9359f5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "afc079f3-c0ea-4096-b75d-3f05338b7f60", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "5e595477-2e78-4ce7-ae42-e0b059b17808", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" + }, + { + "dest-uuid": "ff6caf67-ea1f-4895-b80e-4bb0fc31c6db", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "b136d088-a829-432c-ac26-5529c26d4c7e", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "aafea02e-ece5-4bb2-91a6-3bf8c7f38a39", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "67e6d66b-1b82-4699-b47a-e2efb6268d14", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "f879d51c-5476-431c-aedf-f14d207e4d1e", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "970cdb5c-02fb-4c38-b17e-d6327cf3c810", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "899ce53f-13a0-479b-a0e4-67d46e241542", @@ -6348,7 +7472,7 @@ "external_id": "G0012", "refs": [ "https://attack.mitre.org/groups/G0012", - "https://securelist.com/files/2014/11/darkhotel_kl_07.11.pdf" + "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/08070903/darkhotel_kl_07.11.pdf" ], "synonyms": [ "Darkhotel" @@ -6369,13 +7493,6 @@ ], "type": "uses" }, - { - "dest-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "1b84d551-6de8-4b96-9930-d177677c3b1d", "tags": [ @@ -6389,6 +7506,90 @@ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" + }, + { + "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "8c32eb4d-805f-4fc5-bf60-c4d476c131b5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "d742a578-d70e-4d0e-96a6-02a9c30204e6", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7fd87010-3a00-4da3-b905-410525e8ec44", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "6aac77c4-eaf2-4366-8c13-ce50ab951f38", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "241814ae-de3f-4656-b49e-f9a80764d4b7", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "970cdb5c-02fb-4c38-b17e-d6327cf3c810", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "9e729a7e-0dd6-4097-95bf-db8d64911383", @@ -6484,27 +7685,6 @@ ], "type": "uses" }, - { - "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "123bd7b3-675c-4b1a-8482-c55782b20e2b", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "72b74d71-8169-42aa-92e0-e7b04b9f5a08", "tags": [ @@ -6513,35 +7693,7 @@ "type": "uses" }, { - "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "7fcbc4e8-1989-441f-9ac5-e7b6ff5806f1", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "322bad5a-1c49-4d23-ab79-76d641794afa", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "2a6f4c7b-e690-4cc7-ab6b-1f821fb6b80b", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "4664b683-f578-434f-919b-1c1aad2a1111", + "dest-uuid": "15dbf668-795c-41e6-8219-f0447c0e64ce", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -6554,13 +7706,6 @@ ], "type": "uses" }, - { - "dest-uuid": "15dbf668-795c-41e6-8219-f0447c0e64ce", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "294e2560-bd48-44b2-9da2-833b5588ad11", "tags": [ @@ -6576,7 +7721,14 @@ "type": "uses" }, { - "dest-uuid": "7e150503-88e7-4861-866b-ff1ac82c4475", + "dest-uuid": "4664b683-f578-434f-919b-1c1aad2a1111", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "123bd7b3-675c-4b1a-8482-c55782b20e2b", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -6588,6 +7740,55 @@ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" + }, + { + "dest-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "2a6f4c7b-e690-4cc7-ab6b-1f821fb6b80b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7e150503-88e7-4861-866b-ff1ac82c4475", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7fcbc4e8-1989-441f-9ac5-e7b6ff5806f1", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "322bad5a-1c49-4d23-ab79-76d641794afa", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "16ade1aa-0ea1-4bb7-88cc-9079df2ae756", @@ -6601,8 +7802,8 @@ "https://attack.mitre.org/groups/G0073", "https://www.fireeye.com/blog/threat-research/2017/06/phished-at-the-request-of-counsel.html", "https://icitech.org/icit-brief-chinas-espionage-dynasty-economic-death-by-a-thousand-cuts/", - "https://researchcenter.paloaltonetworks.com/2016/01/new-attacks-linked-to-c0d0s0-group/", "https://www.fireeye.com/current-threats/apt-groups.html#apt19", + "https://researchcenter.paloaltonetworks.com/2016/01/new-attacks-linked-to-c0d0s0-group/", "https://www.darkreading.com/attacks-breaches/chinese-hacking-group-codoso-team-uses-forbescom-as-watering-hole-/d/d-id/1319059" ], "synonyms": [ @@ -6614,20 +7815,6 @@ ] }, "related": [ - { - "dest-uuid": "7fd87010-3a00-4da3-b905-410525e8ec44", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "62b8c999-dcc0-4755-bd69-09442d9359f5", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", "tags": [ @@ -6635,20 +7822,6 @@ ], "type": "uses" }, - { - "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "8c32eb4d-805f-4fc5-bf60-c4d476c131b5", "tags": [ @@ -6656,13 +7829,6 @@ ], "type": "uses" }, - { - "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "aafea02e-ece5-4bb2-91a6-3bf8c7f38a39", "tags": [ @@ -6670,13 +7836,6 @@ ], "type": "uses" }, - { - "dest-uuid": "f4882e23-8aa7-4b12-b28a-b349c12ee9e0", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", "tags": [ @@ -6684,27 +7843,6 @@ ], "type": "uses" }, - { - "dest-uuid": "b2001907-166b-4d71-bb3c-9d26c871de09", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "6aac77c4-eaf2-4366-8c13-ce50ab951f38", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "f879d51c-5476-431c-aedf-f14d207e4d1e", "tags": [ @@ -6712,13 +7850,6 @@ ], "type": "uses" }, - { - "dest-uuid": "d742a578-d70e-4d0e-96a6-02a9c30204e6", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "cc7b8c4e-9be0-47ca-b0bb-83915ec3ee2f", "tags": [ @@ -6734,7 +7865,77 @@ "type": "uses" }, { - "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", + "dest-uuid": "7fd87010-3a00-4da3-b905-410525e8ec44", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "62b8c999-dcc0-4755-bd69-09442d9359f5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "b2001907-166b-4d71-bb3c-9d26c871de09", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "f4882e23-8aa7-4b12-b28a-b349c12ee9e0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "d742a578-d70e-4d0e-96a6-02a9c30204e6", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "6aac77c4-eaf2-4366-8c13-ce50ab951f38", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "62dfd1ca-52d5-483c-a84b-d6e80bf94b7b", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -6748,7 +7949,14 @@ "type": "uses" }, { - "dest-uuid": "62dfd1ca-52d5-483c-a84b-d6e80bf94b7b", + "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "3433a9e8-1c47-4320-b9bf-ed449061d1c3", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -6789,14 +7997,14 @@ "type": "uses" }, { - "dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22", + "dest-uuid": "731f4f55-b6d0-41d1-a7a9-072a66389aea", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "731f4f55-b6d0-41d1-a7a9-072a66389aea", + "dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -6858,34 +8066,6 @@ ], "type": "uses" }, - { - "dest-uuid": "b21c3b2d-02e6-45b1-980b-e69051040839", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "f879d51c-5476-431c-aedf-f14d207e4d1e", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "7fd87010-3a00-4da3-b905-410525e8ec44", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "8c32eb4d-805f-4fc5-bf60-c4d476c131b5", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", "tags": [ @@ -6894,49 +8074,14 @@ "type": "uses" }, { - "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", + "dest-uuid": "6aac77c4-eaf2-4366-8c13-ce50ab951f38", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "51dea151-0898-4a45-967c-3ebee0420484", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "5c6ed2dc-37f4-40ea-b2e1-4c76140a388c", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "f4882e23-8aa7-4b12-b28a-b349c12ee9e0", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22", + "dest-uuid": "f879d51c-5476-431c-aedf-f14d207e4d1e", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -6956,27 +8101,6 @@ ], "type": "uses" }, - { - "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "38952eac-cb1b-4a71-bad2-ee8223a1c8fe", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "6aac77c4-eaf2-4366-8c13-ce50ab951f38", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "tags": [ @@ -6985,14 +8109,35 @@ "type": "uses" }, { - "dest-uuid": "20138b9d-1aac-4a26-8654-a36b6bbf2bba", + "dest-uuid": "8c32eb4d-805f-4fc5-bf60-c4d476c131b5", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "7dd95ff6-712e-4056-9626-312ea4ab4c5e", + "dest-uuid": "7fd87010-3a00-4da3-b905-410525e8ec44", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "51dea151-0898-4a45-967c-3ebee0420484", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -7006,7 +8151,7 @@ "type": "uses" }, { - "dest-uuid": "c4de7d83-e875-4c88-8b5d-06c41e5b7e79", + "dest-uuid": "38952eac-cb1b-4a71-bad2-ee8223a1c8fe", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -7020,14 +8165,14 @@ "type": "uses" }, { - "dest-uuid": "e358d692-23c0-4a31-9eb6-ecc13a8d7735", + "dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "4b74a1d4-b0e9-4ef1-93f1-14ecc6e2f5b5", + "dest-uuid": "e358d692-23c0-4a31-9eb6-ecc13a8d7735", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -7040,6 +8185,48 @@ ], "type": "uses" }, + { + "dest-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "4b74a1d4-b0e9-4ef1-93f1-14ecc6e2f5b5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "c4de7d83-e875-4c88-8b5d-06c41e5b7e79", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "b21c3b2d-02e6-45b1-980b-e69051040839", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "f4882e23-8aa7-4b12-b28a-b349c12ee9e0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7dd95ff6-712e-4056-9626-312ea4ab4c5e", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "241814ae-de3f-4656-b49e-f9a80764d4b7", "tags": [ @@ -7047,6 +8234,27 @@ ], "type": "uses" }, + { + "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "5c6ed2dc-37f4-40ea-b2e1-4c76140a388c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "20138b9d-1aac-4a26-8654-a36b6bbf2bba", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "03342581-f790-4f03-ba41-e82e67392e23", "tags": [ @@ -7117,13 +8325,6 @@ ] }, "related": [ - { - "dest-uuid": "c2417bab-3189-4d4d-9d60-96de2cdaf0ab", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "7fcbc4e8-1989-441f-9ac5-e7b6ff5806f1", "tags": [ @@ -7131,6 +8332,13 @@ ], "type": "uses" }, + { + "dest-uuid": "294e2560-bd48-44b2-9da2-833b5588ad11", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "03342581-f790-4f03-ba41-e82e67392e23", "tags": [ @@ -7138,6 +8346,13 @@ ], "type": "uses" }, + { + "dest-uuid": "c11ac61d-50f4-444f-85d8-6f006067f0de", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "bba595da-b73a-4354-aa6c-224d4de7cb4e", "tags": [ @@ -7152,6 +8367,13 @@ ], "type": "uses" }, + { + "dest-uuid": "c2417bab-3189-4d4d-9d60-96de2cdaf0ab", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "30489451-5886-4c46-90c9-0dff9adc5252", "tags": [ @@ -7159,20 +8381,6 @@ ], "type": "uses" }, - { - "dest-uuid": "294e2560-bd48-44b2-9da2-833b5588ad11", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "4664b683-f578-434f-919b-1c1aad2a1111", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", "tags": [ @@ -7181,7 +8389,7 @@ "type": "uses" }, { - "dest-uuid": "c11ac61d-50f4-444f-85d8-6f006067f0de", + "dest-uuid": "4664b683-f578-434f-919b-1c1aad2a1111", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -7197,7 +8405,7 @@ "external_id": "G0019", "refs": [ "https://attack.mitre.org/groups/G0019", - "https://securelist.com/files/2015/05/TheNaikonAPT-MsnMM1.pdf", + "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07205555/TheNaikonAPT-MsnMM1.pdf", "http://cdn2.hubspot.net/hubfs/454298/Project_CAMERASHY_ThreatConnect_Copyright_2015.pdf", "https://securelist.com/the-naikon-apt/69953/" ], @@ -7242,7 +8450,7 @@ "type": "uses" }, { - "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", + "dest-uuid": "03342581-f790-4f03-ba41-e82e67392e23", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -7262,6 +8470,20 @@ ], "type": "uses" }, + { + "dest-uuid": "7f8730af-f683-423f-9ee1-5f6875a80481", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "22addc7b-b39f-483d-979a-1b35147da5de", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "8c553311-0baa-4146-997a-f79acef3d831", "tags": [ @@ -7269,20 +8491,6 @@ ], "type": "uses" }, - { - "dest-uuid": "03342581-f790-4f03-ba41-e82e67392e23", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "b77b563c-34bb-4fb8-86a3-3694338f7b47", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "2fb26586-2b53-4b9a-ad4f-2b3bcb9a2421", "tags": [ @@ -7297,13 +8505,6 @@ ], "type": "uses" }, - { - "dest-uuid": "7f8730af-f683-423f-9ee1-5f6875a80481", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "007b44b6-e4c5-480b-b5b9-56f2081b1b7b", "tags": [ @@ -7311,43 +8512,50 @@ ], "type": "uses" }, - { - "dest-uuid": "241814ae-de3f-4656-b49e-f9a80764d4b7", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "22addc7b-b39f-483d-979a-1b35147da5de", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "cf23bf4a-e003-4116-bbae-1ea6c558d565", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" + }, + { + "dest-uuid": "b77b563c-34bb-4fb8-86a3-3694338f7b47", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "241814ae-de3f-4656-b49e-f9a80764d4b7", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "2a158b0a-7ef8-43cb-9985-bf34d1e12050", "value": "Naikon - G0019" }, { - "description": "[APT3](https://attack.mitre.org/groups/G0022) is a China-based threat group that researchers have attributed to China's Ministry of State Security. (Citation: FireEye Clandestine Wolf) (Citation: Recorded Future APT3 May 2017) This group is responsible for the campaigns known as Operation Clandestine Fox, Operation Clandestine Wolf, and Operation Double Tap. (Citation: FireEye Clandestine Wolf) (Citation: FireEye Operation Double Tap) As of June 2015, the group appears to have shifted from targeting primarily US victims to primarily political organizations in Hong Kong. (Citation: Symantec Buckeye)\n\nAPT3 Adversary Emulation Plan - (Citation: APT3 Adversary Emulation Plan)", + "description": "[APT3](https://attack.mitre.org/groups/G0022) is a China-based threat group that researchers have attributed to China's Ministry of State Security. (Citation: FireEye Clandestine Wolf) (Citation: Recorded Future APT3 May 2017) This group is responsible for the campaigns known as Operation Clandestine Fox, Operation Clandestine Wolf, and Operation Double Tap. (Citation: FireEye Clandestine Wolf) (Citation: FireEye Operation Double Tap) As of June 2015, the group appears to have shifted from targeting primarily US victims to primarily political organizations in Hong Kong. (Citation: Symantec Buckeye)\n\nMITRE has also developed an APT3 Adversary Emulation Plan.(Citation: APT3 Adversary Emulation Plan)", "meta": { "external_id": "G0022", "refs": [ "https://attack.mitre.org/groups/G0022", "https://www.fireeye.com/blog/threat-research/2015/06/operation-clandestine-wolf-adobe-flash-zero-day.html", - "https://www.fireeye.com/blog/threat-research/2014/11/operation_doubletap.html", - "http://pwc.blogs.com/cyber_security_updates/2015/07/pirpi-scanbox.html", - "http://www.symantec.com/connect/blogs/buckeye-cyberespionage-group-shifts-gaze-us-hong-kong", "https://www.recordedfuture.com/chinese-mss-behind-apt3/", - "https://attack.mitre.org/docs/APT3_Adversary_Emulation_Plan.pdf" + "https://www.fireeye.com/blog/threat-research/2014/11/operation_doubletap.html", + "http://www.symantec.com/connect/blogs/buckeye-cyberespionage-group-shifts-gaze-us-hong-kong", + "https://attack.mitre.org/docs/APT3_Adversary_Emulation_Plan.pdf", + "http://pwc.blogs.com/cyber_security_updates/2015/07/pirpi-scanbox.html" ], "synonyms": [ "APT3", @@ -7374,69 +8582,6 @@ ], "type": "uses" }, - { - "dest-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "7e150503-88e7-4861-866b-ff1ac82c4475", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "62b8c999-dcc0-4755-bd69-09442d9359f5", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "9b99b83a-1aac-4e29-b975-b374950551a3", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "00d0b012-8a03-410e-95de-5826bf542de6", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "a6525aec-acc4-47fe-92f9-b9b4de4b9228", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "4e6b9625-bbda-4d96-a652-b3bb45453f26", "tags": [ @@ -7444,34 +8589,6 @@ ], "type": "uses" }, - { - "dest-uuid": "c848fcf7-6b62-4bde-8216-b6c157d48da0", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "e358d692-23c0-4a31-9eb6-ecc13a8d7735", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "7dd95ff6-712e-4056-9626-312ea4ab4c5e", "tags": [ @@ -7479,48 +8596,6 @@ ], "type": "uses" }, - { - "dest-uuid": "51dea151-0898-4a45-967c-3ebee0420484", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "b9f5dbe2-4c55-4fc5-af2e-d42c1d182ec4", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "a93494bb-4b80-4ea1-8695-3236a49916fd", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "58adaaa8-f1e8-4606-9a08-422e568461eb", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "f4882e23-8aa7-4b12-b28a-b349c12ee9e0", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "72b74d71-8169-42aa-92e0-e7b04b9f5a08", "tags": [ @@ -7529,28 +8604,35 @@ "type": "uses" }, { - "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", + "dest-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", + "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "478aa214-2ca7-4ec0-9978-18798e514790", + "dest-uuid": "9b99b83a-1aac-4e29-b975-b374950551a3", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81", + "dest-uuid": "51dea151-0898-4a45-967c-3ebee0420484", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -7563,13 +8645,6 @@ ], "type": "uses" }, - { - "dest-uuid": "731f4f55-b6d0-41d1-a7a9-072a66389aea", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "c9703cd3-141c-43a0-a926-380082be5d04", "tags": [ @@ -7578,56 +8653,49 @@ "type": "uses" }, { - "dest-uuid": "84e02621-8fdf-470f-bd58-993bb6a89d91", + "dest-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22", + "dest-uuid": "a6525aec-acc4-47fe-92f9-b9b4de4b9228", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "15dbf668-795c-41e6-8219-f0447c0e64ce", + "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59", + "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "b2001907-166b-4d71-bb3c-9d26c871de09", + "dest-uuid": "731f4f55-b6d0-41d1-a7a9-072a66389aea", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "e01be9c5-e763-4caf-aeb7-000b416aef67", + "dest-uuid": "e358d692-23c0-4a31-9eb6-ecc13a8d7735", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "f879d51c-5476-431c-aedf-f14d207e4d1e", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "a10641f4-87b4-45a3-a906-92a149cb2c27", + "dest-uuid": "c848fcf7-6b62-4bde-8216-b6c157d48da0", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -7640,6 +8708,13 @@ ], "type": "uses" }, + { + "dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "7fd87010-3a00-4da3-b905-410525e8ec44", "tags": [ @@ -7648,7 +8723,49 @@ "type": "uses" }, { - "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", + "dest-uuid": "15dbf668-795c-41e6-8219-f0447c0e64ce", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "f4882e23-8aa7-4b12-b28a-b349c12ee9e0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "478aa214-2ca7-4ec0-9978-18798e514790", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "84e02621-8fdf-470f-bd58-993bb6a89d91", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7e150503-88e7-4861-866b-ff1ac82c4475", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -7662,21 +8779,7 @@ "type": "uses" }, { - "dest-uuid": "ba8e391f-14b5-496f-81f2-2d5ecd646c1c", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "ffe742ed-9100-4686-9e00-c331da544787", + "dest-uuid": "62b8c999-dcc0-4755-bd69-09442d9359f5", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -7696,17 +8799,295 @@ ], "type": "uses" }, + { + "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "e01be9c5-e763-4caf-aeb7-000b416aef67", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "b9f5dbe2-4c55-4fc5-af2e-d42c1d182ec4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "00d0b012-8a03-410e-95de-5826bf542de6", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "f6d1d2cb-12f5-4221-9636-44606ea1f3f8", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" + }, + { + "dest-uuid": "f879d51c-5476-431c-aedf-f14d207e4d1e", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "58adaaa8-f1e8-4606-9a08-422e568461eb", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "a10641f4-87b4-45a3-a906-92a149cb2c27", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "ffe742ed-9100-4686-9e00-c331da544787", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "b2001907-166b-4d71-bb3c-9d26c871de09", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "a93494bb-4b80-4ea1-8695-3236a49916fd", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "b76b2d94-60e4-4107-a903-4a3a7622fb3b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "ba8e391f-14b5-496f-81f2-2d5ecd646c1c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "0bbdf25b-30ff-4894-a1cd-49260d0dd2d9", "value": "APT3 - G0022" }, + { + "description": "[APT38](https://attack.mitre.org/groups/G0082) is a financially-motivated threat group that is backed by the North Korean regime. The group mainly targets banks and financial institutions and has targeted more than 16 organizations in at least 13 countries since at least 2014.(Citation: FireEye APT38 Oct 2018)\n\nNorth Korean group definitions are known to have significant overlap, and the name [Lazarus Group](https://attack.mitre.org/groups/G0032) is known to encompass a broad range of activity. Some organizations use the name Lazarus Group to refer to any activity attributed to North Korea.(Citation: US-CERT HIDDEN COBRA June 2017) Some organizations track North Korean clusters or groups such as Bluenoroff,(Citation: Kaspersky Lazarus Under The Hood Blog 2017) [APT37](https://attack.mitre.org/groups/G0067), and [APT38](https://attack.mitre.org/groups/G0082) separately, while other organizations may track some activity associated with those group names by the name Lazarus Group.", + "meta": { + "external_id": "G0082", + "refs": [ + "https://attack.mitre.org/groups/G0082", + "https://content.fireeye.com/apt/rpt-apt38", + "https://www.us-cert.gov/ncas/alerts/TA17-164A", + "https://securelist.com/lazarus-under-the-hood/77908/" + ], + "synonyms": [ + "APT38" + ] + }, + "related": [ + { + "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "03342581-f790-4f03-ba41-e82e67392e23", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "d742a578-d70e-4d0e-96a6-02a9c30204e6", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "30973a08-aed9-4edf-8604-9084ce1b5c4f", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "6ff403bc-93e3-48be-8687-e102fdba8c88", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "afc079f3-c0ea-4096-b75d-3f05338b7f60", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "1f47e2fd-fa77-4f2f-88ee-e85df308f125", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "799ace7f-e227-4411-baa0-8868704f2a69", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "53ab35c2-d00e-491a-8753-41d35ae7e547", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "ca205a36-c1ad-488b-aa6c-ab34bdd3a36b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "cc1e737c-236c-4e3b-83ba-32039a626ef8", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "0bf78622-e8d2-41da-a857-731472d61a92", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "2e114e45-2c50-404c-804a-3af9564d240e", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "b80d107d-fa0d-4b60-9684-b0433e8bdba0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "d45a3d09-b3cf-48f4-9f0f-f521ee5cb05c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + } + ], + "uuid": "00f67a77-86a4-4adf-be26-1a54fc713340", + "value": "APT38 - G0082" + }, { "description": "[TA459](https://attack.mitre.org/groups/G0062) is a threat group believed to operate out of China that has targeted countries including Russia, Belarus, Mongolia, and others. (Citation: Proofpoint TA459 April 2017)", "meta": { @@ -7735,7 +9116,14 @@ "type": "uses" }, { - "dest-uuid": "f4882e23-8aa7-4b12-b28a-b349c12ee9e0", + "dest-uuid": "4ab44516-ad75-4e43-a280-705dc0420e2f", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "6aac77c4-eaf2-4366-8c13-ce50ab951f38", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -7749,7 +9137,7 @@ "type": "uses" }, { - "dest-uuid": "7fd87010-3a00-4da3-b905-410525e8ec44", + "dest-uuid": "be2dcee9-a7a7-4e38-afd6-21b31ecc3d63", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -7770,21 +9158,14 @@ "type": "uses" }, { - "dest-uuid": "be2dcee9-a7a7-4e38-afd6-21b31ecc3d63", + "dest-uuid": "7fd87010-3a00-4da3-b905-410525e8ec44", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "4ab44516-ad75-4e43-a280-705dc0420e2f", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "6aac77c4-eaf2-4366-8c13-ce50ab951f38", + "dest-uuid": "f4882e23-8aa7-4b12-b28a-b349c12ee9e0", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -7832,10 +9213,7 @@ "meta": { "external_id": "G0052", "refs": [ - "https://attack.mitre.org/groups/G0052", - "http://www.clearskysec.com/copykitten-jpost/", - "http://www.clearskysec.com/wp-content/uploads/2017/07/Operation_Wilted_Tulip.pdf", - "https://s3-eu-west-1.amazonaws.com/minervaresearchpublic/CopyKittens/CopyKittens.pdf" + "https://attack.mitre.org/groups/G0052" ], "synonyms": [ "CopyKittens" @@ -7864,14 +9242,14 @@ "type": "uses" }, { - "dest-uuid": "aafea02e-ece5-4bb2-91a6-3bf8c7f38a39", + "dest-uuid": "b9f5dbe2-4c55-4fc5-af2e-d42c1d182ec4", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "b9f5dbe2-4c55-4fc5-af2e-d42c1d182ec4", + "dest-uuid": "aafea02e-ece5-4bb2-91a6-3bf8c7f38a39", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -7897,6 +9275,13 @@ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" + }, + { + "dest-uuid": "3433a9e8-1c47-4320-b9bf-ed449061d1c3", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "dcd81c6e-ebf7-4a16-93e0-9a97fa49c88a", @@ -7916,56 +9301,7 @@ }, "related": [ { - "dest-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "7fd87010-3a00-4da3-b905-410525e8ec44", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "b9f5dbe2-4c55-4fc5-af2e-d42c1d182ec4", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "7fcbc4e8-1989-441f-9ac5-e7b6ff5806f1", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "1b84d551-6de8-4b96-9930-d177677c3b1d", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "7dd95ff6-712e-4056-9626-312ea4ab4c5e", + "dest-uuid": "ca1a3f50-5ebd-41f8-8320-2c7d6a6e88be", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -7985,6 +9321,20 @@ ], "type": "uses" }, + { + "dest-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "b9f5dbe2-4c55-4fc5-af2e-d42c1d182ec4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", "tags": [ @@ -7993,63 +9343,7 @@ "type": "uses" }, { - "dest-uuid": "62dfd1ca-52d5-483c-a84b-d6e80bf94b7b", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "d54416bd-0803-41ca-870a-ce1af7c05638", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "ca1a3f50-5ebd-41f8-8320-2c7d6a6e88be", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "774a3188-6ba9-4dc4-879d-d54ee48a5ce9", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", + "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -8063,14 +9357,56 @@ "type": "uses" }, { - "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", + "dest-uuid": "62dfd1ca-52d5-483c-a84b-d6e80bf94b7b", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "f44731de-ea9f-406d-9b83-30ecbb9b4392", + "dest-uuid": "7fcbc4e8-1989-441f-9ac5-e7b6ff5806f1", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7dd95ff6-712e-4056-9626-312ea4ab4c5e", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "d54416bd-0803-41ca-870a-ce1af7c05638", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "2e45723a-31da-4a7e-aaa6-e01998a6788f", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7fd87010-3a00-4da3-b905-410525e8ec44", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -8083,6 +9419,20 @@ ], "type": "uses" }, + { + "dest-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d", "tags": [ @@ -8091,7 +9441,42 @@ "type": "uses" }, { - "dest-uuid": "2e45723a-31da-4a7e-aaa6-e01998a6788f", + "dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "1b84d551-6de8-4b96-9930-d177677c3b1d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "f44731de-ea9f-406d-9b83-30ecbb9b4392", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "774a3188-6ba9-4dc4-879d-d54ee48a5ce9", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -8108,10 +9493,12 @@ "refs": [ "https://attack.mitre.org/groups/G0064", "https://www.fireeye.com/blog/threat-research/2017/09/apt33-insights-into-iranian-cyber-espionage.html", - "https://www.brighttalk.com/webcast/10703/275683" + "https://www.brighttalk.com/webcast/10703/275683", + "https://www.symantec.com/blogs/threat-intelligence/elfin-apt33-espionage" ], "synonyms": [ - "APT33" + "APT33", + "Elfin" ] }, "related": [ @@ -8137,7 +9524,7 @@ "type": "uses" }, { - "dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81", + "dest-uuid": "8c32eb4d-805f-4fc5-bf60-c4d476c131b5", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -8151,7 +9538,7 @@ "type": "uses" }, { - "dest-uuid": "8c32eb4d-805f-4fc5-bf60-c4d476c131b5", + "dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -8163,6 +9550,223 @@ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" + }, + { + "dest-uuid": "b4d80f8b-d2b9-4448-8844-4bef777ed676", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "90ac9266-68ce-46f2-b24f-5eb3b2a8ea38", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "3433a9e8-1c47-4320-b9bf-ed449061d1c3", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "cb69b20d-56d0-41ab-8440-4a4b251614d4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "be2dcee9-a7a7-4e38-afd6-21b31ecc3d63", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "f5352566-1a64-49ac-8f7f-97e1d1a03300", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "03342581-f790-4f03-ba41-e82e67392e23", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "8901ac23-6b50-410c-b0dd-d8174a86f9b3", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "cf23bf4a-e003-4116-bbae-1ea6c558d565", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "afc079f3-c0ea-4096-b75d-3f05338b7f60", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "3257eb21-f9a7-4430-8de1-d8b6e288f529", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "b9f5dbe2-4c55-4fc5-af2e-d42c1d182ec4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "f4882e23-8aa7-4b12-b28a-b349c12ee9e0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "b76b2d94-60e4-4107-a903-4a3a7622fb3b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "a19e86f8-1c0a-4fea-8407-23b73d615776", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "c848fcf7-6b62-4bde-8216-b6c157d48da0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "cc7b8c4e-9be0-47ca-b0bb-83915ec3ee2f", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "4b74a1d4-b0e9-4ef1-93f1-14ecc6e2f5b5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "b21c3b2d-02e6-45b1-980b-e69051040839", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "f879d51c-5476-431c-aedf-f14d207e4d1e", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "13cd9151-83b7-410d-9f98-25d0f0d1d80d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "e85cae1a-bce3-4ac4-b36b-b00acac0567b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "a93494bb-4b80-4ea1-8695-3236a49916fd", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "853c4192-4311-43e1-bfbb-b11b14911852", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "4b57c098-f043-4da2-83ef-7588a6d426bc", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "fbd29c89-18ba-4c2d-b792-51c0adee049f", @@ -8222,6 +9826,13 @@ ], "type": "uses" }, + { + "dest-uuid": "c848fcf7-6b62-4bde-8216-b6c157d48da0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59", "tags": [ @@ -8230,7 +9841,7 @@ "type": "uses" }, { - "dest-uuid": "c848fcf7-6b62-4bde-8216-b6c157d48da0", + "dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -8249,13 +9860,6 @@ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" - }, - { - "dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" } ], "uuid": "7331c66a-5601-4d3f-acf6-ad9e3035eb40", @@ -8268,8 +9872,8 @@ "refs": [ "https://attack.mitre.org/groups/G0053", "https://www2.fireeye.com/WBNR-Are-you-ready-to-respond.html", - "https://www.darkreading.com/analytics/prolific-cybercrime-gang-favors-legit-login-credentials/d/d-id/1322645?", - "https://www.youtube.com/watch?v=fevGZs0EQu8" + "https://www.youtube.com/watch?v=fevGZs0EQu8", + "https://www.darkreading.com/analytics/prolific-cybercrime-gang-favors-legit-login-credentials/d/d-id/1322645?" ], "synonyms": [ "FIN5" @@ -8284,14 +9888,14 @@ "type": "uses" }, { - "dest-uuid": "7dd95ff6-712e-4056-9626-312ea4ab4c5e", + "dest-uuid": "6aabc5ec-eae6-422c-8311-38d45ee9838a", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "799ace7f-e227-4411-baa0-8868704f2a69", + "dest-uuid": "ff6caf67-ea1f-4895-b80e-4bb0fc31c6db", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -8305,14 +9909,21 @@ "type": "uses" }, { - "dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81", + "dest-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "10d51417-ee35-4589-b1ff-b6df1c334e8d", + "dest-uuid": "9752aef4-a1f3-4328-929f-b64eb0536090", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "e358d692-23c0-4a31-9eb6-ecc13a8d7735", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -8333,49 +9944,14 @@ "type": "uses" }, { - "dest-uuid": "7fd87010-3a00-4da3-b905-410525e8ec44", + "dest-uuid": "799ace7f-e227-4411-baa0-8868704f2a69", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "ff6caf67-ea1f-4895-b80e-4bb0fc31c6db", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "e358d692-23c0-4a31-9eb6-ecc13a8d7735", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "6aabc5ec-eae6-422c-8311-38d45ee9838a", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "9752aef4-a1f3-4328-929f-b64eb0536090", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "30208d3e-0d6b-43c8-883e-44462a514619", + "dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -8387,6 +9963,34 @@ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" + }, + { + "dest-uuid": "7dd95ff6-712e-4056-9626-312ea4ab4c5e", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7fd87010-3a00-4da3-b905-410525e8ec44", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "10d51417-ee35-4589-b1ff-b6df1c334e8d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "30208d3e-0d6b-43c8-883e-44462a514619", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "85403903-15e0-4f9f-9be4-a259ecad4022", @@ -8434,18 +10038,20 @@ "value": "Dragonfly - G0035" }, { - "description": "[APT37](https://attack.mitre.org/groups/G0067) is a suspected North Korean cyber espionage group that has been active since at least 2012. The group has targeted victims primarily in South Korea, but also in Japan, Vietnam, Russia, Nepal, China, India, Romania, Kuwait, and other parts of the Middle East. [APT37](https://attack.mitre.org/groups/G0067) has also been linked to following campaigns between 2016-2018: Operation Daybreak, Operation Erebus, Golden Time, Evil New Year, Are you Happy?, FreeMilk, Northern Korean Human Rights, and Evil New Year 2018. (Citation: FireEye APT37 Feb 2018) (Citation: Securelist ScarCruft Jun 2016) (Citation: Talos Group123)", + "description": "[APT37](https://attack.mitre.org/groups/G0067) is a suspected North Korean cyber espionage group that has been active since at least 2012. The group has targeted victims primarily in South Korea, but also in Japan, Vietnam, Russia, Nepal, China, India, Romania, Kuwait, and other parts of the Middle East. [APT37](https://attack.mitre.org/groups/G0067) has also been linked to following campaigns between 2016-2018: Operation Daybreak, Operation Erebus, Golden Time, Evil New Year, Are you Happy?, FreeMilk, Northern Korean Human Rights, and Evil New Year 2018. (Citation: FireEye APT37 Feb 2018) (Citation: Securelist ScarCruft Jun 2016) (Citation: Talos Group123)\n\nNorth Korean group definitions are known to have significant overlap, and the name [Lazarus Group](https://attack.mitre.org/groups/G0032) is known to encompass a broad range of activity. Some organizations use the name Lazarus Group to refer to any activity attributed to North Korea.(Citation: US-CERT HIDDEN COBRA June 2017) Some organizations track North Korean clusters or groups such as Bluenoroff,(Citation: Kaspersky Lazarus Under The Hood Blog 2017), [APT37](https://attack.mitre.org/groups/G0067), and [APT38](https://attack.mitre.org/groups/G0082) separately, while other organizations may track some activity associated with those group names by the name Lazarus Group.", "meta": { "external_id": "G0067", "refs": [ "https://attack.mitre.org/groups/G0067", - "https://securelist.com/operation-daybreak/75100/", "https://www2.fireeye.com/rs/848-DID-242/images/rpt_APT37.pdf", - "https://blog.talosintelligence.com/2018/01/korea-in-crosshairs.html" + "https://securelist.com/operation-daybreak/75100/", + "https://blog.talosintelligence.com/2018/01/korea-in-crosshairs.html", + "https://www.us-cert.gov/ncas/alerts/TA17-164A", + "https://securelist.com/lazarus-under-the-hood/77908/" ], "synonyms": [ - "ScarCruft", "APT37", + "ScarCruft", "Reaper", "Group123", "TEMP.Reaper" @@ -8474,14 +10080,21 @@ "type": "uses" }, { - "dest-uuid": "6aac77c4-eaf2-4366-8c13-ce50ab951f38", + "dest-uuid": "be2dcee9-a7a7-4e38-afd6-21b31ecc3d63", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc", + "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "60a9c2f0-b7a5-4e8e-959c-e1a3ff314a5f", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -8502,77 +10115,7 @@ "type": "uses" }, { - "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "0852567d-7958-4f4b-8947-4f840ec8d57d", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "414dc555-c79e-4b24-a2da-9b607f7eaf16", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "d742a578-d70e-4d0e-96a6-02a9c30204e6", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "1035cdf2-3e5f-446f-a7a7-e8f6d7925967", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "be2dcee9-a7a7-4e38-afd6-21b31ecc3d63", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "211cfe9f-2676-4e1c-a5f5-2c8091da2a68", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "49abab73-3c5c-476e-afd5-69b5c732d845", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", + "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -8585,13 +10128,6 @@ ], "type": "uses" }, - { - "dest-uuid": "f879d51c-5476-431c-aedf-f14d207e4d1e", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "tags": [ @@ -8600,56 +10136,21 @@ "type": "uses" }, { - "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", + "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "53d47b09-09c2-4015-8d37-6633ecd53f79", + "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "53a42597-1974-4b8e-84fd-3675e8992053", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "830c9528-df21-472c-8c14-a036bf17d665", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "edbe24e9-aec4-4994-ac75-6a6bc7f1ddd0", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", + "dest-uuid": "1035cdf2-3e5f-446f-a7a7-e8f6d7925967", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -8663,28 +10164,28 @@ "type": "uses" }, { - "dest-uuid": "60a9c2f0-b7a5-4e8e-959c-e1a3ff314a5f", + "dest-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59", + "dest-uuid": "53d47b09-09c2-4015-8d37-6633ecd53f79", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "1b84d551-6de8-4b96-9930-d177677c3b1d", + "dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "7fd87010-3a00-4da3-b905-410525e8ec44", + "dest-uuid": "53a42597-1974-4b8e-84fd-3675e8992053", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -8697,24 +10198,137 @@ ], "type": "uses" }, + { + "dest-uuid": "a2282af0-f9dd-4373-9b92-eaf9e11e0c71", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "6aac77c4-eaf2-4366-8c13-ce50ab951f38", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "414dc555-c79e-4b24-a2da-9b607f7eaf16", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "49abab73-3c5c-476e-afd5-69b5c732d845", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "d742a578-d70e-4d0e-96a6-02a9c30204e6", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "2e114e45-2c50-404c-804a-3af9564d240e", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "4189a679-72ed-4a89-a57c-7f689712ecf8", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" + }, + { + "dest-uuid": "830c9528-df21-472c-8c14-a036bf17d665", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "f879d51c-5476-431c-aedf-f14d207e4d1e", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "0852567d-7958-4f4b-8947-4f840ec8d57d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7fd87010-3a00-4da3-b905-410525e8ec44", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "1b84d551-6de8-4b96-9930-d177677c3b1d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "211cfe9f-2676-4e1c-a5f5-2c8091da2a68", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "edbe24e9-aec4-4994-ac75-6a6bc7f1ddd0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "4a2ce82e-1a74-468a-a6fb-bbead541383c", "value": "APT37 - G0067" }, { - "description": "[FIN6](https://attack.mitre.org/groups/G0037) is a cyber crime group that has stolen payment card data and sold it for profit on underground marketplaces. This group has aggressively targeted and compromised point of sale (PoS) systems in the hospitality and retail sectors. (Citation: FireEye FIN6 April 2016)", + "description": "[FIN6](https://attack.mitre.org/groups/G0037) is a cyber crime group that has stolen payment card data and sold it for profit on underground marketplaces. This group has aggressively targeted and compromised point of sale (PoS) systems in the hospitality and retail sectors.(Citation: FireEye FIN6 April 2016)(Citation: FireEye FIN6 Apr 2019)", "meta": { "external_id": "G0037", "refs": [ "https://attack.mitre.org/groups/G0037", - "https://www2.fireeye.com/rs/848-DID-242/images/rpt-fin6.pdf" + "https://www2.fireeye.com/rs/848-DID-242/images/rpt-fin6.pdf", + "https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html" ], "synonyms": [ "FIN6" @@ -8736,7 +10350,7 @@ "type": "uses" }, { - "dest-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9", + "dest-uuid": "72b74d71-8169-42aa-92e0-e7b04b9f5a08", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -8750,28 +10364,7 @@ "type": "uses" }, { - "dest-uuid": "7dd95ff6-712e-4056-9626-312ea4ab4c5e", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "ff6caf67-ea1f-4895-b80e-4bb0fc31c6db", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81", + "dest-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -8785,42 +10378,7 @@ "type": "uses" }, { - "dest-uuid": "f4882e23-8aa7-4b12-b28a-b349c12ee9e0", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "72b74d71-8169-42aa-92e0-e7b04b9f5a08", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "4b74a1d4-b0e9-4ef1-93f1-14ecc6e2f5b5", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "b9f5dbe2-4c55-4fc5-af2e-d42c1d182ec4", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "7fd87010-3a00-4da3-b905-410525e8ec44", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "b21c3b2d-02e6-45b1-980b-e69051040839", + "dest-uuid": "ff6caf67-ea1f-4895-b80e-4bb0fc31c6db", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -8840,6 +10398,34 @@ ], "type": "uses" }, + { + "dest-uuid": "b9f5dbe2-4c55-4fc5-af2e-d42c1d182ec4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "b21c3b2d-02e6-45b1-980b-e69051040839", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "f4882e23-8aa7-4b12-b28a-b349c12ee9e0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "242f3da3-4425-4d11-8f5c-b842886da966", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "e3a12395-188d-4051-9a16-ea8e14d07b88", "tags": [ @@ -8847,6 +10433,34 @@ ], "type": "uses" }, + { + "dest-uuid": "7fd87010-3a00-4da3-b905-410525e8ec44", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7dd95ff6-712e-4056-9626-312ea4ab4c5e", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", "tags": [ @@ -8855,7 +10469,49 @@ "type": "uses" }, { - "dest-uuid": "242f3da3-4425-4d11-8f5c-b842886da966", + "dest-uuid": "4b74a1d4-b0e9-4ef1-93f1-14ecc6e2f5b5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "aafea02e-ece5-4bb2-91a6-3bf8c7f38a39", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "5af7a825-2d9f-400d-931a-e00eb9e27f48", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "830c9528-df21-472c-8c14-a036bf17d665", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "15dbf668-795c-41e6-8219-f0447c0e64ce", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "f44731de-ea9f-406d-9b83-30ecbb9b4392", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -8922,6 +10578,239 @@ "uuid": "da49b9f1-ca99-443f-9728-0a074db66850", "value": "BlackOasis - G0063" }, + { + "description": "[APT39](https://attack.mitre.org/groups/G0087) is an Iranian cyber espionage group that has been active since at least 2014. They have targeted the telecommunication and travel industries to collect personal information that aligns with Iran's national priorities. (Citation: FireEye APT39 Jan 2019)(Citation: Symantec Chafer Dec 2015)", + "meta": { + "external_id": "G0087", + "refs": [ + "https://attack.mitre.org/groups/G0087", + "https://www.fireeye.com/blog/threat-research/2019/01/apt39-iranian-cyber-espionage-group-focused-on-personal-information.html", + "https://www.symantec.com/connect/blogs/iran-based-attackers-use-back-door-threats-spy-middle-eastern-targets" + ], + "synonyms": [ + "APT39", + "Chafer" + ] + }, + "related": [ + { + "dest-uuid": "6aac77c4-eaf2-4366-8c13-ce50ab951f38", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "ff6caf67-ea1f-4895-b80e-4bb0fc31c6db", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "afc079f3-c0ea-4096-b75d-3f05338b7f60", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "242f3da3-4425-4d11-8f5c-b842886da966", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "56f46b17-8cfa-46c0-b501-dd52fef394e2", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "20138b9d-1aac-4a26-8654-a36b6bbf2bba", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "51dea151-0898-4a45-967c-3ebee0420484", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "970cdb5c-02fb-4c38-b17e-d6327cf3c810", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "b9f5dbe2-4c55-4fc5-af2e-d42c1d182ec4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "731f4f55-b6d0-41d1-a7a9-072a66389aea", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7fd87010-3a00-4da3-b905-410525e8ec44", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "e3a12395-188d-4051-9a16-ea8e14d07b88", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "54a649ff-439a-41a4-9856-8d144a2551ba", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "c16e5409-ee53-4d79-afdc-4099dc9292df", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "8c32eb4d-805f-4fc5-bf60-c4d476c131b5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "6ff403bc-93e3-48be-8687-e102fdba8c88", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "ecc2f65a-b452-4eaf-9689-7e181f17f7a5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + } + ], + "uuid": "44e43fad-ffcb-4210-abcf-eaaed9735f80", + "value": "APT39 - G0087" + }, + { + "description": "[SilverTerrier](https://attack.mitre.org/groups/G0083) is a Nigerian threat group that has been seen active since 2014. [SilverTerrier](https://attack.mitre.org/groups/G0083) mainly targets organizations in high technology, higher education, and manufacturing.(Citation: Unit42 SilverTerrier 2018)(Citation: Unit42 SilverTerrier 2016)", + "meta": { + "external_id": "G0083", + "refs": [ + "https://attack.mitre.org/groups/G0083", + "https://www.paloaltonetworks.com/apps/pan/public/downloadResource?pagePath=/content/pan/en_US/resources/whitepapers/unit42-silverterrier-rise-of-nigerian-business-email-compromise", + "https://www.paloaltonetworks.com/content/dam/pan/en_US/assets/pdf/reports/Unit_42/silverterrier-next-evolution-in-nigerian-cybercrime.pdf" + ], + "synonyms": [ + "SilverTerrier" + ] + }, + "related": [ + { + "dest-uuid": "2a70812b-f1ef-44db-8578-a496a227aef2", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "b4d80f8b-d2b9-4448-8844-4bef777ed676", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "53ab35c2-d00e-491a-8753-41d35ae7e547", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "e7a5229f-05eb-440e-b982-9a6d2b2b87c8", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + } + ], + "uuid": "76565741-3452-4069-ab08-80c0ea95bbeb", + "value": "SilverTerrier - G0083" + }, { "description": "[Suckfly](https://attack.mitre.org/groups/G0039) is a China-based threat group that has been active since at least 2014. (Citation: Symantec Suckfly March 2016)", "meta": { @@ -8957,13 +10846,6 @@ ], "type": "uses" }, - { - "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "9e9b9415-a7df-406b-b14d-92bfe6809fbe", "tags": [ @@ -8971,26 +10853,129 @@ ], "type": "uses" }, - { - "dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" + }, + { + "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "5cbe0d3b-6fb1-471f-b591-4b192915116d", "value": "Suckfly - G0039" }, { - "description": "[menuPass](https://attack.mitre.org/groups/G0045) is a threat group that appears to originate from China and has been active since approximately 2009. The group has targeted healthcare, defense, aerospace, and government sectors, and has targeted Japanese victims since at least 2014. In 2016 and 2017, the group targeted managed IT service providers, manufacturing and mining companies, and a university. (Citation: Palo Alto menuPass Feb 2017) (Citation: Crowdstrike CrowdCast Oct 2013) (Citation: FireEye Poison Ivy) (Citation: PWC Cloud Hopper April 2017) (Citation: FireEye APT10 April 2017)", + "description": "[FIN4](https://attack.mitre.org/groups/G0085) is a financially-motivated threat group that has targeted confidential information related to the public financial market, particularly regarding healthcare and pharmaceutical companies, since at least 2013.(Citation: FireEye Hacking FIN4 Dec 2014)(Citation: FireEye FIN4 Stealing Insider NOV 2014) [FIN4](https://attack.mitre.org/groups/G0085) is unique in that they do not infect victims with typical persistent malware, but rather they focus on capturing credentials authorized to access email and other non-public correspondence.(Citation: FireEye Hacking FIN4 Dec 2014)(Citation: FireEye Hacking FIN4 Video Dec 2014)", + "meta": { + "external_id": "G0085", + "refs": [ + "https://attack.mitre.org/groups/G0085", + "https://www.fireeye.com/current-threats/threat-intelligence-reports/rpt-fin4.html", + "https://www.fireeye.com/blog/threat-research/2014/11/fin4_stealing_insid.html", + "https://www2.fireeye.com/WBNR-14Q4NAMFIN4.html" + ], + "synonyms": [ + "FIN4" + ] + }, + "related": [ + { + "dest-uuid": "8c32eb4d-805f-4fc5-bf60-c4d476c131b5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "91ce1ede-107f-4d8b-bf4c-735e8789c94b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7d751199-05fa-4a72-920f-85df4506c76c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "1608f3e1-598a-42f4-a01a-2e252e81728f", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "6aac77c4-eaf2-4366-8c13-ce50ab951f38", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "20138b9d-1aac-4a26-8654-a36b6bbf2bba", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7fd87010-3a00-4da3-b905-410525e8ec44", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "0bf78622-e8d2-41da-a857-731472d61a92", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + } + ], + "uuid": "d0b3393b-3bec-4ba3-bda9-199d30db47b6", + "value": "FIN4 - G0085" + }, + { + "description": "[menuPass](https://attack.mitre.org/groups/G0045) is a threat group that appears to originate from China and has been active since approximately 2009. The group has targeted healthcare, defense, aerospace, and government sectors, and has targeted Japanese victims since at least 2014. In 2016 and 2017, the group targeted managed IT service providers, manufacturing and mining companies, and a university. (Citation: Palo Alto menuPass Feb 2017) (Citation: Crowdstrike CrowdCast Oct 2013) (Citation: FireEye Poison Ivy) (Citation: PWC Cloud Hopper April 2017) (Citation: FireEye APT10 April 2017) (Citation: DOJ APT10 Dec 2018)", "meta": { "external_id": "G0045", "refs": [ @@ -9000,6 +10985,7 @@ "https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-poison-ivy.pdf", "https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-report-final-v4.pdf", "https://www.fireeye.com/blog/threat-research/2017/04/apt10_menupass_grou.html", + "https://www.justice.gov/opa/press-release/file/1121706/download", "https://www.accenture.com/t20180423T055005Z_w_/se-en/_acnmedia/PDF-76/Accenture-Hogfish-Threat-Analysis.pdf" ], "synonyms": [ @@ -9034,63 +11020,7 @@ "type": "uses" }, { - "dest-uuid": "72b74d71-8169-42aa-92e0-e7b04b9f5a08", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "46944654-fcc1-4f63-9dad-628102376586", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "7dd95ff6-712e-4056-9626-312ea4ab4c5e", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "6aac77c4-eaf2-4366-8c13-ce50ab951f38", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "afc079f3-c0ea-4096-b75d-3f05338b7f60", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "b77b563c-34bb-4fb8-86a3-3694338f7b47", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "0a68f1f1-da74-4d28-8d9a-696c082706cc", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", + "dest-uuid": "03342581-f790-4f03-ba41-e82e67392e23", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -9103,6 +11033,13 @@ ], "type": "uses" }, + { + "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "ae676644-d2d2-41b7-af7e-9bed1b55898c", "tags": [ @@ -9111,63 +11048,14 @@ "type": "uses" }, { - "dest-uuid": "8c32eb4d-805f-4fc5-bf60-c4d476c131b5", + "dest-uuid": "72b74d71-8169-42aa-92e0-e7b04b9f5a08", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "1c338d0f-a65e-4073-a5c1-c06878849f21", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "9de2308e-7bed-43a3-8e58-f194b3586700", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "03342581-f790-4f03-ba41-e82e67392e23", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "fb4e3792-e915-4fdd-a9cd-92dfa2ace7aa", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "e3a12395-188d-4051-9a16-ea8e14d07b88", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "54a649ff-439a-41a4-9856-8d144a2551ba", + "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -9181,42 +11069,14 @@ "type": "uses" }, { - "dest-uuid": "b42378e0-f147-496f-992a-26a49705395b", + "dest-uuid": "7e150503-88e7-4861-866b-ff1ac82c4475", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "2f1a9fd0-3b7c-4d77-a358-78db13adbe78", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "bba595da-b73a-4354-aa6c-224d4de7cb4e", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "e358d692-23c0-4a31-9eb6-ecc13a8d7735", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "b9f5dbe2-4c55-4fc5-af2e-d42c1d182ec4", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "51dea151-0898-4a45-967c-3ebee0420484", + "dest-uuid": "8c32eb4d-805f-4fc5-bf60-c4d476c131b5", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -9230,42 +11090,7 @@ "type": "uses" }, { - "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "64fa0de0-6240-41f4-8638-f4ca7ed528fd", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "17b40f60-729f-4fe8-8aea-cc9ee44a95d5", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "3240cbe4-c550-443b-aa76-cc2a7058b870", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "f4882e23-8aa7-4b12-b28a-b349c12ee9e0", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "b2001907-166b-4d71-bb3c-9d26c871de09", + "dest-uuid": "13cd9151-83b7-410d-9f98-25d0f0d1d80d", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -9279,14 +11104,126 @@ "type": "uses" }, { - "dest-uuid": "7e150503-88e7-4861-866b-ff1ac82c4475", + "dest-uuid": "9fa07bef-9c81-421e-a8e5-ad4366c5a925", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "9fa07bef-9c81-421e-a8e5-ad4366c5a925", + "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "b42378e0-f147-496f-992a-26a49705395b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "afc079f3-c0ea-4096-b75d-3f05338b7f60", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "46944654-fcc1-4f63-9dad-628102376586", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "1c338d0f-a65e-4073-a5c1-c06878849f21", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "0a68f1f1-da74-4d28-8d9a-696c082706cc", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "9de2308e-7bed-43a3-8e58-f194b3586700", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "3240cbe4-c550-443b-aa76-cc2a7058b870", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "fb4e3792-e915-4fdd-a9cd-92dfa2ace7aa", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "6aac77c4-eaf2-4366-8c13-ce50ab951f38", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "b77b563c-34bb-4fb8-86a3-3694338f7b47", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7dd95ff6-712e-4056-9626-312ea4ab4c5e", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "bba595da-b73a-4354-aa6c-224d4de7cb4e", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "51dea151-0898-4a45-967c-3ebee0420484", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "b2001907-166b-4d71-bb3c-9d26c871de09", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "e358d692-23c0-4a31-9eb6-ecc13a8d7735", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -9299,6 +11236,27 @@ ], "type": "uses" }, + { + "dest-uuid": "64fa0de0-6240-41f4-8638-f4ca7ed528fd", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "26c87906-d750-42c5-946c-d4162c73fc7b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "dc5d1a33-62aa-4a0c-aa8c-589b87beb11e", "tags": [ @@ -9306,6 +11264,13 @@ ], "type": "uses" }, + { + "dest-uuid": "54a649ff-439a-41a4-9856-8d144a2551ba", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "ff6caf67-ea1f-4895-b80e-4bb0fc31c6db", "tags": [ @@ -9314,7 +11279,70 @@ "type": "uses" }, { - "dest-uuid": "13cd9151-83b7-410d-9f98-25d0f0d1d80d", + "dest-uuid": "f4882e23-8aa7-4b12-b28a-b349c12ee9e0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "17b40f60-729f-4fe8-8aea-cc9ee44a95d5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "b9f5dbe2-4c55-4fc5-af2e-d42c1d182ec4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "e3a12395-188d-4051-9a16-ea8e14d07b88", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "2f1a9fd0-3b7c-4d77-a358-78db13adbe78", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "d54416bd-0803-41ca-870a-ce1af7c05638", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "da04ac30-27da-4959-a67d-450ce47d9470", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -9351,6 +11379,55 @@ ], "type": "uses" }, + { + "dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "b9f5dbe2-4c55-4fc5-af2e-d42c1d182ec4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "3489cfc5-640f-4bb3-a103-9137b97de79f", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "96566860-9f11-4b6f-964d-1c924e4f24a4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "196f1f32-e0c2-4d46-99cd-234d4b6befe1", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "ae676644-d2d2-41b7-af7e-9bed1b55898c", "tags": [ @@ -9365,61 +11442,12 @@ ], "type": "uses" }, - { - "dest-uuid": "b9f5dbe2-4c55-4fc5-af2e-d42c1d182ec4", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "3489cfc5-640f-4bb3-a103-9137b97de79f", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "196f1f32-e0c2-4d46-99cd-234d4b6befe1", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" - }, - { - "dest-uuid": "96566860-9f11-4b6f-964d-1c924e4f24a4", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" } ], "uuid": "d1acfbb3-647b-4723-9154-800ec119006e", @@ -9433,10 +11461,10 @@ "https://attack.mitre.org/groups/G0046", "https://www.fireeye.com/blog/threat-research/2017/03/fin7_spear_phishing.html", "https://www.fireeye.com/blog/threat-research/2017/04/fin7-phishing-lnk.html", - "http://blog.morphisec.com/fin7-attacks-restaurant-industry", - "https://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persistence.html", "https://www.fireeye.com/blog/threat-research/2017/06/behind-the-carbanak-backdoor.html", - "https://www.fireeye.com/blog/threat-research/2018/08/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation.html" + "https://www.fireeye.com/blog/threat-research/2018/08/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation.html", + "http://blog.morphisec.com/fin7-attacks-restaurant-industry", + "https://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persistence.html" ], "synonyms": [ "FIN7" @@ -9465,7 +11493,7 @@ "type": "uses" }, { - "dest-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0", + "dest-uuid": "6faf650d-bf31-4eb4-802d-1000cf38efaf", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -9479,7 +11507,7 @@ "type": "uses" }, { - "dest-uuid": "8c32eb4d-805f-4fc5-bf60-c4d476c131b5", + "dest-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -9493,7 +11521,14 @@ "type": "uses" }, { - "dest-uuid": "0ced8926-914e-4c78-bc93-356fb90dbd1f", + "dest-uuid": "7c93aa74-4bc0-4a9e-90ea-f25f86301566", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "8c32eb4d-805f-4fc5-bf60-c4d476c131b5", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -9506,27 +11541,6 @@ ], "type": "uses" }, - { - "dest-uuid": "7c93aa74-4bc0-4a9e-90ea-f25f86301566", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "f879d51c-5476-431c-aedf-f14d207e4d1e", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "6faf650d-bf31-4eb4-802d-1000cf38efaf", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", "tags": [ @@ -9534,6 +11548,13 @@ ], "type": "uses" }, + { + "dest-uuid": "edbe24e9-aec4-4994-ac75-6a6bc7f1ddd0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "a127c32c-cbb0-4f9d-be07-881a792408ec", "tags": [ @@ -9549,7 +11570,21 @@ "type": "uses" }, { - "dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688", + "dest-uuid": "830c9528-df21-472c-8c14-a036bf17d665", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "6aac77c4-eaf2-4366-8c13-ce50ab951f38", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "478aa214-2ca7-4ec0-9978-18798e514790", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -9570,49 +11605,21 @@ "type": "uses" }, { - "dest-uuid": "edbe24e9-aec4-4994-ac75-6a6bc7f1ddd0", + "dest-uuid": "72f54d66-675d-4587-9bd3-4ed09f9522e4", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "478aa214-2ca7-4ec0-9978-18798e514790", + "dest-uuid": "0ced8926-914e-4c78-bc93-356fb90dbd1f", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "830c9528-df21-472c-8c14-a036bf17d665", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "4f6aa78c-c3d4-4883-9840-96ca2f5d6d47", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "6aac77c4-eaf2-4366-8c13-ce50ab951f38", + "dest-uuid": "f879d51c-5476-431c-aedf-f14d207e4d1e", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -9626,7 +11633,35 @@ "type": "uses" }, { - "dest-uuid": "72f54d66-675d-4587-9bd3-4ed09f9522e4", + "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "4f6aa78c-c3d4-4883-9840-96ca2f5d6d47", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "82caa33e-d11a-433a-94ea-9b5a5fbef81d", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -9636,6 +11671,72 @@ "uuid": "3753cc21-2dae-4dfb-8481-d004e74502cc", "value": "FIN7 - G0046" }, + { + "description": "[Gallmaker](https://attack.mitre.org/groups/G0084) is a cyberespionage group that has targeted victims in the Middle East and has been active since at least December 2017. The group has mainly targeted victims in the defense, military, and government sectors.(Citation: Symantec Gallmaker Oct 2018)", + "meta": { + "external_id": "G0084", + "refs": [ + "https://attack.mitre.org/groups/G0084", + "https://www.symantec.com/blogs/threat-intelligence/gallmaker-attack-group" + ], + "synonyms": [ + "Gallmaker" + ] + }, + "related": [ + { + "dest-uuid": "6aac77c4-eaf2-4366-8c13-ce50ab951f38", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "8c32eb4d-805f-4fc5-bf60-c4d476c131b5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7fd87010-3a00-4da3-b905-410525e8ec44", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "edbe24e9-aec4-4994-ac75-6a6bc7f1ddd0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "f4882e23-8aa7-4b12-b28a-b349c12ee9e0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "b9f5dbe2-4c55-4fc5-af2e-d42c1d182ec4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + } + ], + "uuid": "2fd2be6a-d3a2-4a65-b499-05ea2693abee", + "value": "Gallmaker - G0084" + }, { "description": "[RTM](https://attack.mitre.org/groups/G0048) is a cybercriminal group that has been active since at least 2015 and is primarily interested in users of remote banking systems in Russia and neighboring countries. The group uses a Trojan by the same name ([RTM](https://attack.mitre.org/software/S0148)). (Citation: ESET RTM Feb 2017)", "meta": { @@ -9668,7 +11769,7 @@ "value": "RTM - G0048" }, { - "description": "[OilRig](https://attack.mitre.org/groups/G0049) is a threat group with suspected Iranian origins that has targeted Middle Eastern and international victims since at least 2014. The group has targeted a variety of industries, including financial, government, energy, chemical, and telecommunications, and has largely focused its operations within the Middle East. It appears the group carries out supply chain attacks, leveraging the trust relationship between organizations to attack their primary targets. FireEye assesses that the group works on behalf of the Iranian government based on infrastructure details that contain references to Iran, use of Iranian infrastructure, and targeting that aligns with nation-state interests. (Citation: Palo Alto OilRig April 2017) (Citation: ClearSky OilRig Jan 2017) (Citation: Palo Alto OilRig May 2016) (Citation: Palo Alto OilRig Oct 2016) (Citation: Unit 42 Playbook Dec 2017) (Citation: FireEye APT34 Dec 2017) This group was previously tracked under two distinct groups, APT34 and OilRig, but was combined due to additional reporting giving higher confidence about the overlap of the activity.", + "description": "[OilRig](https://attack.mitre.org/groups/G0049) is a threat group with suspected Iranian origins that has targeted Middle Eastern and international victims since at least 2014. The group has targeted a variety of industries, including financial, government, energy, chemical, and telecommunications, and has largely focused its operations within the Middle East. It appears the group carries out supply chain attacks, leveraging the trust relationship between organizations to attack their primary targets. FireEye assesses that the group works on behalf of the Iranian government based on infrastructure details that contain references to Iran, use of Iranian infrastructure, and targeting that aligns with nation-state interests. (Citation: Palo Alto OilRig April 2017) (Citation: ClearSky OilRig Jan 2017) (Citation: Palo Alto OilRig May 2016) (Citation: Palo Alto OilRig Oct 2016) (Citation: Unit 42 Playbook Dec 2017) (Citation: FireEye APT34 Dec 2017)(Citation: Unit 42 QUADAGENT July 2018) This group was previously tracked under two distinct groups, APT34 and OilRig, but was combined due to additional reporting giving higher confidence about the overlap of the activity.", "meta": { "external_id": "G0049", "refs": [ @@ -9677,13 +11778,15 @@ "http://www.clearskysec.com/oilrig/", "http://researchcenter.paloaltonetworks.com/2016/05/the-oilrig-campaign-attacks-on-saudi-arabian-organizations-deliver-helminth-backdoor/", "http://researchcenter.paloaltonetworks.com/2016/10/unit42-oilrig-malware-campaign-updates-toolset-and-expands-targets/", + "https://pan-unit42.github.io/playbook_viewer/", "https://www.fireeye.com/blog/threat-research/2017/12/targeted-attack-in-middle-east-by-apt34.html", "https://researchcenter.paloaltonetworks.com/2018/07/unit42-oilrig-targets-technology-service-provider-government-agency-quadagent/", - "https://pan-unit42.github.io/playbook_viewer/" + "https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-november-helix-kitten/" ], "synonyms": [ "OilRig", - "Helix Kitten", + "IRN2", + "HELIX KITTEN", "APT34" ] }, @@ -9717,35 +11820,7 @@ "type": "uses" }, { - "dest-uuid": "00d0b012-8a03-410e-95de-5826bf542de6", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "72b74d71-8169-42aa-92e0-e7b04b9f5a08", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "a19e86f8-1c0a-4fea-8407-23b73d615776", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "6aabc5ec-eae6-422c-8311-38d45ee9838a", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "30208d3e-0d6b-43c8-883e-44462a514619", + "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -9759,56 +11834,7 @@ "type": "uses" }, { - "dest-uuid": "20138b9d-1aac-4a26-8654-a36b6bbf2bba", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "e3a12395-188d-4051-9a16-ea8e14d07b88", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "b6075259-dba3-44e9-87c7-e954f37ec0d5", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "4664b683-f578-434f-919b-1c1aad2a1111", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "b9eec47e-98f4-4b3c-b574-3fa8a87ebe05", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "7fcbc4e8-1989-441f-9ac5-e7b6ff5806f1", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "15dbf668-795c-41e6-8219-f0447c0e64ce", + "dest-uuid": "afc079f3-c0ea-4096-b75d-3f05338b7f60", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -9822,84 +11848,21 @@ "type": "uses" }, { - "dest-uuid": "c16e5409-ee53-4d79-afdc-4099dc9292df", + "dest-uuid": "b9eec47e-98f4-4b3c-b574-3fa8a87ebe05", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22", + "dest-uuid": "4664b683-f578-434f-919b-1c1aad2a1111", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "7fd87010-3a00-4da3-b905-410525e8ec44", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "d21a2069-23d5-4043-ad6d-64f6b644cb1a", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "eff1a885-6f90-42a1-901f-eef6e7a1905e", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "cde2d700-9ed1-46cf-9bce-07364fe8b24f", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "8e101fdd-9f7f-4916-bb04-6bd9e94c129c", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "0998045d-f96e-4284-95ce-3c8219707486", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "7e150503-88e7-4861-866b-ff1ac82c4475", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", + "dest-uuid": "30208d3e-0d6b-43c8-883e-44462a514619", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -9913,49 +11876,7 @@ "type": "uses" }, { - "dest-uuid": "51dea151-0898-4a45-967c-3ebee0420484", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "8c32eb4d-805f-4fc5-bf60-c4d476c131b5", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "f24faf46-3b26-4dbb-98f2-63460498e433", + "dest-uuid": "6aabc5ec-eae6-422c-8311-38d45ee9838a", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -9969,14 +11890,7 @@ "type": "uses" }, { - "dest-uuid": "cf23bf4a-e003-4116-bbae-1ea6c558d565", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81", + "dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -9990,98 +11904,21 @@ "type": "uses" }, { - "dest-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9", + "dest-uuid": "15dbf668-795c-41e6-8219-f0447c0e64ce", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2", + "dest-uuid": "e3a12395-188d-4051-9a16-ea8e14d07b88", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "4b74a1d4-b0e9-4ef1-93f1-14ecc6e2f5b5", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "03342581-f790-4f03-ba41-e82e67392e23", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "afc079f3-c0ea-4096-b75d-3f05338b7f60", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "0a68f1f1-da74-4d28-8d9a-696c082706cc", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "7e6c2a9d-9dc1-4eb0-b27c-91e8076a9d77", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "ff6caf67-ea1f-4895-b80e-4bb0fc31c6db", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "322bad5a-1c49-4d23-ab79-76d641794afa", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "f4882e23-8aa7-4b12-b28a-b349c12ee9e0", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "6aac77c4-eaf2-4366-8c13-ce50ab951f38", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "a93494bb-4b80-4ea1-8695-3236a49916fd", + "dest-uuid": "7fd87010-3a00-4da3-b905-410525e8ec44", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -10095,7 +11932,182 @@ "type": "uses" }, { - "dest-uuid": "294e2560-bd48-44b2-9da2-833b5588ad11", + "dest-uuid": "51dea151-0898-4a45-967c-3ebee0420484", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "0998045d-f96e-4284-95ce-3c8219707486", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7e150503-88e7-4861-866b-ff1ac82c4475", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "322bad5a-1c49-4d23-ab79-76d641794afa", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "cde2d700-9ed1-46cf-9bce-07364fe8b24f", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "8e101fdd-9f7f-4916-bb04-6bd9e94c129c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "72b74d71-8169-42aa-92e0-e7b04b9f5a08", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "a93494bb-4b80-4ea1-8695-3236a49916fd", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "a19e86f8-1c0a-4fea-8407-23b73d615776", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "6aac77c4-eaf2-4366-8c13-ce50ab951f38", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "8c32eb4d-805f-4fc5-bf60-c4d476c131b5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "f4882e23-8aa7-4b12-b28a-b349c12ee9e0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "c16e5409-ee53-4d79-afdc-4099dc9292df", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "00d0b012-8a03-410e-95de-5826bf542de6", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "09b2cd76-c674-47cc-9f57-d2f2ad150a46", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "eff1a885-6f90-42a1-901f-eef6e7a1905e", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -10109,7 +12121,112 @@ "type": "uses" }, { - "dest-uuid": "09b2cd76-c674-47cc-9f57-d2f2ad150a46", + "dest-uuid": "ff6caf67-ea1f-4895-b80e-4bb0fc31c6db", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "0a68f1f1-da74-4d28-8d9a-696c082706cc", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "b76b2d94-60e4-4107-a903-4a3a7622fb3b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7fcbc4e8-1989-441f-9ac5-e7b6ff5806f1", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "20138b9d-1aac-4a26-8654-a36b6bbf2bba", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "f24faf46-3b26-4dbb-98f2-63460498e433", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "294e2560-bd48-44b2-9da2-833b5588ad11", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "b6075259-dba3-44e9-87c7-e954f37ec0d5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "d21a2069-23d5-4043-ad6d-64f6b644cb1a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "03342581-f790-4f03-ba41-e82e67392e23", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "4b74a1d4-b0e9-4ef1-93f1-14ecc6e2f5b5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "cf23bf4a-e003-4116-bbae-1ea6c558d565", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7e6c2a9d-9dc1-4eb0-b27c-91e8076a9d77", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "d5268dfb-ae2b-4e0e-ac07-02a460613d8a", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -10205,10 +12322,13 @@ "refs": [ "https://attack.mitre.org/groups/G0065", "https://www.proofpoint.com/us/threat-insight/post/leviathan-espionage-actor-spearphishes-maritime-and-defense-targets", - "https://www.fireeye.com/blog/threat-research/2018/03/suspected-chinese-espionage-group-targeting-maritime-and-engineering-industries.html" + "https://www.fireeye.com/blog/threat-research/2018/03/suspected-chinese-espionage-group-targeting-maritime-and-engineering-industries.html", + "https://www.fireeye.com/blog/threat-research/2019/03/apt40-examining-a-china-nexus-espionage-actor.html" ], "synonyms": [ "Leviathan", + "TEMP.Jumper", + "APT40", "TEMP.Periscope" ] }, @@ -10227,27 +12347,6 @@ ], "type": "uses" }, - { - "dest-uuid": "f4882e23-8aa7-4b12-b28a-b349c12ee9e0", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "519630c5-f03f-4882-825c-3af924935817", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "8c32eb4d-805f-4fc5-bf60-c4d476c131b5", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "94379dec-5c87-49db-b36e-66abc0b81344", "tags": [ @@ -10255,34 +12354,6 @@ ], "type": "uses" }, - { - "dest-uuid": "64764dc6-a032-495f-8250-1e4c06bdc163", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "6aac77c4-eaf2-4366-8c13-ce50ab951f38", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "970cdb5c-02fb-4c38-b17e-d6327cf3c810", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", "tags": [ @@ -10291,7 +12362,7 @@ "type": "uses" }, { - "dest-uuid": "830c9528-df21-472c-8c14-a036bf17d665", + "dest-uuid": "64764dc6-a032-495f-8250-1e4c06bdc163", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -10304,27 +12375,6 @@ ], "type": "uses" }, - { - "dest-uuid": "be2dcee9-a7a7-4e38-afd6-21b31ecc3d63", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "c8e87b83-edbb-48d4-9295-4974897525b7", "tags": [ @@ -10332,27 +12382,6 @@ ], "type": "uses" }, - { - "dest-uuid": "705f0783-5f7d-4491-b6b7-9628e6e006d2", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "5a3a31fe-5a8f-48e1-bff0-a753e5b1be70", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "20138b9d-1aac-4a26-8654-a36b6bbf2bba", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "68f7e3a1-f09f-4164-9a62-16b648a0dd5a", "tags": [ @@ -10361,21 +12390,7 @@ "type": "uses" }, { - "dest-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "1b84d551-6de8-4b96-9930-d177677c3b1d", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "aafea02e-ece5-4bb2-91a6-3bf8c7f38a39", + "dest-uuid": "705f0783-5f7d-4491-b6b7-9628e6e006d2", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -10395,13 +12410,6 @@ ], "type": "uses" }, - { - "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", "tags": [ @@ -10409,6 +12417,20 @@ ], "type": "uses" }, + { + "dest-uuid": "be2dcee9-a7a7-4e38-afd6-21b31ecc3d63", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "7dd95ff6-712e-4056-9626-312ea4ab4c5e", "tags": [ @@ -10416,6 +12438,90 @@ ], "type": "uses" }, + { + "dest-uuid": "f4882e23-8aa7-4b12-b28a-b349c12ee9e0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "970cdb5c-02fb-4c38-b17e-d6327cf3c810", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "830c9528-df21-472c-8c14-a036bf17d665", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "5a3a31fe-5a8f-48e1-bff0-a753e5b1be70", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "6aac77c4-eaf2-4366-8c13-ce50ab951f38", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "20138b9d-1aac-4a26-8654-a36b6bbf2bba", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "519630c5-f03f-4882-825c-3af924935817", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "8c32eb4d-805f-4fc5-bf60-c4d476c131b5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "06d735e7-1db1-4dbe-ab4b-acbe419f902b", "tags": [ @@ -10429,6 +12535,69 @@ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" + }, + { + "dest-uuid": "1b84d551-6de8-4b96-9930-d177677c3b1d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "aafea02e-ece5-4bb2-91a6-3bf8c7f38a39", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "54a649ff-439a-41a4-9856-8d144a2551ba", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "51dea151-0898-4a45-967c-3ebee0420484", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "c16e5409-ee53-4d79-afdc-4099dc9292df", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "242f3da3-4425-4d11-8f5c-b842886da966", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "03342581-f790-4f03-ba41-e82e67392e23", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "0c8465c0-d0b4-4670-992e-4eee8d7ff952", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "7113eaa5-ba79-4fb3-b68a-398ee9cd698e", @@ -10448,7 +12617,7 @@ }, "related": [ { - "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", + "dest-uuid": "6aac77c4-eaf2-4366-8c13-ce50ab951f38", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -10461,6 +12630,13 @@ ], "type": "uses" }, + { + "dest-uuid": "0a68f1f1-da74-4d28-8d9a-696c082706cc", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9", "tags": [ @@ -10468,20 +12644,6 @@ ], "type": "uses" }, - { - "dest-uuid": "d186c1d6-e3ac-4c3d-a534-9ddfeb8c57bb", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "6aac77c4-eaf2-4366-8c13-ce50ab951f38", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "tags": [ @@ -10490,7 +12652,21 @@ "type": "uses" }, { - "dest-uuid": "cde2d700-9ed1-46cf-9bce-07364fe8b24f", + "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "d186c1d6-e3ac-4c3d-a534-9ddfeb8c57bb", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -10504,7 +12680,7 @@ "type": "uses" }, { - "dest-uuid": "0a68f1f1-da74-4d28-8d9a-696c082706cc", + "dest-uuid": "cde2d700-9ed1-46cf-9bce-07364fe8b24f", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -10518,7 +12694,7 @@ "type": "uses" }, { - "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", + "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -10534,9 +12710,9 @@ "external_id": "G0066", "refs": [ "https://attack.mitre.org/groups/G0066", + "http://securityaffairs.co/wordpress/8528/hacking/elderwood-project-who-is-behind-op-aurora-and-ongoing-attacks.html", "http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/the-elderwood-project.pdf", - "https://www.csmonitor.com/USA/2012/0914/Stealing-US-business-secrets-Experts-ID-two-huge-cyber-gangs-in-China", - "http://securityaffairs.co/wordpress/8528/hacking/elderwood-project-who-is-behind-op-aurora-and-ongoing-attacks.html" + "https://www.csmonitor.com/USA/2012/0914/Stealing-US-business-secrets-Experts-ID-two-huge-cyber-gangs-in-China" ], "synonyms": [ "Elderwood", @@ -10560,27 +12736,6 @@ ], "type": "uses" }, - { - "dest-uuid": "20138b9d-1aac-4a26-8654-a36b6bbf2bba", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "8c32eb4d-805f-4fc5-bf60-c4d476c131b5", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "f4d8a2d6-c684-453a-8a14-cf4a94f755c5", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "6ff403bc-93e3-48be-8687-e102fdba8c88", "tags": [ @@ -10588,20 +12743,6 @@ ], "type": "uses" }, - { - "dest-uuid": "73a4793a-ce55-4159-b2a6-208ef29b326f", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "e811ff6a-4cef-4856-a6ae-a7daf9ed39ae", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "3f18edba-28f4-4bb9-82c3-8aa60dcac5f7", "tags": [ @@ -10609,20 +12750,6 @@ ], "type": "uses" }, - { - "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "48523614-309e-43bf-a2b8-705c2b45d7b2", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "e9e9bfe2-76f4-4870-a2a1-b7af89808613", "tags": [ @@ -10630,13 +12757,6 @@ ], "type": "uses" }, - { - "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "79499993-a8d6-45eb-b343-bf58dea5bdde", "tags": [ @@ -10645,7 +12765,28 @@ "type": "uses" }, { - "dest-uuid": "c251e4a5-9a2e-4166-8e42-442af75c3b9a", + "dest-uuid": "48523614-309e-43bf-a2b8-705c2b45d7b2", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "20138b9d-1aac-4a26-8654-a36b6bbf2bba", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "be2dcee9-a7a7-4e38-afd6-21b31ecc3d63", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -10659,7 +12800,21 @@ "type": "uses" }, { - "dest-uuid": "be2dcee9-a7a7-4e38-afd6-21b31ecc3d63", + "dest-uuid": "73a4793a-ce55-4159-b2a6-208ef29b326f", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "8c32eb4d-805f-4fc5-bf60-c4d476c131b5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "c251e4a5-9a2e-4166-8e42-442af75c3b9a", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -10678,6 +12833,27 @@ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" + }, + { + "dest-uuid": "f4d8a2d6-c684-453a-8a14-cf4a94f755c5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "e811ff6a-4cef-4856-a6ae-a7daf9ed39ae", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "03506554-5f37-4f8f-9ce4-0e9f01a1b484", @@ -10696,27 +12872,6 @@ ] }, "related": [ - { - "dest-uuid": "a19e86f8-1c0a-4fea-8407-23b73d615776", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "afc079f3-c0ea-4096-b75d-3f05338b7f60", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "ff6caf67-ea1f-4895-b80e-4bb0fc31c6db", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "4061e78c-1284-44b4-9116-73e4ac3912f7", "tags": [ @@ -10731,12 +12886,33 @@ ], "type": "uses" }, + { + "dest-uuid": "afc079f3-c0ea-4096-b75d-3f05338b7f60", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "f4882e23-8aa7-4b12-b28a-b349c12ee9e0", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" + }, + { + "dest-uuid": "a19e86f8-1c0a-4fea-8407-23b73d615776", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "ff6caf67-ea1f-4895-b80e-4bb0fc31c6db", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "d69e568e-9ac8-4c08-b32c-d93b43ba9172", @@ -10747,8 +12923,7 @@ "meta": { "external_id": "G0068", "refs": [ - "https://attack.mitre.org/groups/G0068", - "https://download.microsoft.com/download/2/2/5/225BFE3E-E1DE-4F5B-A77B-71200928D209/Platinum%20feature%20article%20-%20Targeted%20attacks%20in%20South%20and%20Southeast%20Asia%20April%202016.pdf" + "https://attack.mitre.org/groups/G0068" ], "synonyms": [ "PLATINUM" @@ -10783,6 +12958,34 @@ ], "type": "uses" }, + { + "dest-uuid": "c21d5a77-d422-4a69-acd7-2c53c1faa34b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "f72eb8a8-cd4c-461d-a814-3f862befbf00", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "e170995d-4f61-4f17-b60e-04f9a06ee517", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "tags": [ @@ -10791,14 +12994,21 @@ "type": "uses" }, { - "dest-uuid": "de6cb631-52f6-4169-a73b-7965390b0c30", + "dest-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "8c32eb4d-805f-4fc5-bf60-c4d476c131b5", + "dest-uuid": "d742a578-d70e-4d0e-96a6-02a9c30204e6", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "de6cb631-52f6-4169-a73b-7965390b0c30", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -10819,35 +13029,7 @@ "type": "uses" }, { - "dest-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "c21d5a77-d422-4a69-acd7-2c53c1faa34b", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "f72eb8a8-cd4c-461d-a814-3f862befbf00", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "d742a578-d70e-4d0e-96a6-02a9c30204e6", + "dest-uuid": "8c32eb4d-805f-4fc5-bf60-c4d476c131b5", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -10861,7 +13043,7 @@ "type": "uses" }, { - "dest-uuid": "e170995d-4f61-4f17-b60e-04f9a06ee517", + "dest-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -10872,16 +13054,19 @@ "value": "PLATINUM - G0068" }, { - "description": "[MuddyWater](https://attack.mitre.org/groups/G0069) is an Iranian threat group that has primarily targeted Middle Eastern nations. Activity from this group was previously linked to [FIN7](https://attack.mitre.org/groups/G0046), but is believed to be a distinct group motivated by espionage. (Citation: Unit 42 MuddyWater Nov 2017)", + "description": "[MuddyWater](https://attack.mitre.org/groups/G0069) is an Iranian threat group that has primarily targeted Middle Eastern nations, and has also targeted European and North American nations. The group's victims are mainly in the telecommunications, government (IT services), and oil sectors. Activity from this group was previously linked to [FIN7](https://attack.mitre.org/groups/G0046), but the group is believed to be a distinct group possibly motivated by espionage.(Citation: Unit 42 MuddyWater Nov 2017)(Citation: Symantec MuddyWater Dec 2018)(Citation: ClearSky MuddyWater Nov 2018)", "meta": { "external_id": "G0069", "refs": [ "https://attack.mitre.org/groups/G0069", "https://researchcenter.paloaltonetworks.com/2017/11/unit42-muddying-the-water-targeted-attacks-in-the-middle-east/", + "https://www.symantec.com/blogs/threat-intelligence/seedworm-espionage-group", + "https://www.clearskysec.com/wp-content/uploads/2018/11/MuddyWater-Operations-in-Lebanon-and-Oman.pdf", "https://www.fireeye.com/blog/threat-research/2018/03/iranian-threat-group-updates-ttps-in-spear-phishing-campaign.html" ], "synonyms": [ "MuddyWater", + "Seedworm", "TEMP.Zagros" ] }, @@ -10900,6 +13085,34 @@ ], "type": "uses" }, + { + "dest-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "6aac77c4-eaf2-4366-8c13-ce50ab951f38", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7fd87010-3a00-4da3-b905-410525e8ec44", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22", "tags": [ @@ -10907,6 +13120,69 @@ ], "type": "uses" }, + { + "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "ca1a3f50-5ebd-41f8-8320-2c7d6a6e88be", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "e8545794-b98c-492b-a5b3-4b5a02682e37", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "afc079f3-c0ea-4096-b75d-3f05338b7f60", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "62b8c999-dcc0-4755-bd69-09442d9359f5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "7d6f590f-544b-45b4-9a42-e0805f342af3", "tags": [ @@ -10922,56 +13198,70 @@ "type": "uses" }, { - "dest-uuid": "6aac77c4-eaf2-4366-8c13-ce50ab951f38", + "dest-uuid": "edbe24e9-aec4-4994-ac75-6a6bc7f1ddd0", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc", + "dest-uuid": "241814ae-de3f-4656-b49e-f9a80764d4b7", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "afc079f3-c0ea-4096-b75d-3f05338b7f60", + "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "7fd87010-3a00-4da3-b905-410525e8ec44", + "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", + "dest-uuid": "731f4f55-b6d0-41d1-a7a9-072a66389aea", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", + "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0", + "dest-uuid": "b9f5dbe2-4c55-4fc5-af2e-d42c1d182ec4", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "e8545794-b98c-492b-a5b3-4b5a02682e37", + "dest-uuid": "ba8e391f-14b5-496f-81f2-2d5ecd646c1c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "772bc7a8-a157-42cc-8728-d648e25c7fe7", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -10983,6 +13273,34 @@ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" + }, + { + "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "b76b2d94-60e4-4107-a903-4a3a7622fb3b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "cf7b3a06-8b42-4c33-bbe9-012120027925", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "269e8108-68c6-4f99-b911-14b2e765dec2", @@ -10994,10 +13312,12 @@ "external_id": "G0077", "refs": [ "https://attack.mitre.org/groups/G0077", - "https://www.symantec.com/blogs/threat-intelligence/leafminer-espionage-middle-east" + "https://www.symantec.com/blogs/threat-intelligence/leafminer-espionage-middle-east", + "https://www.dragos.com/blog/20180802Raspite.html" ], "synonyms": [ - "Leafminer" + "Leafminer", + "Raspite" ] }, "related": [ @@ -11015,34 +13335,6 @@ ], "type": "uses" }, - { - "dest-uuid": "afc079f3-c0ea-4096-b75d-3f05338b7f60", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "7fd87010-3a00-4da3-b905-410525e8ec44", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "1608f3e1-598a-42f4-a01a-2e252e81728f", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "d742a578-d70e-4d0e-96a6-02a9c30204e6", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22", "tags": [ @@ -11050,6 +13342,13 @@ ], "type": "uses" }, + { + "dest-uuid": "ff6caf67-ea1f-4895-b80e-4bb0fc31c6db", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "e01be9c5-e763-4caf-aeb7-000b416aef67", "tags": [ @@ -11058,14 +13357,14 @@ "type": "uses" }, { - "dest-uuid": "6aabc5ec-eae6-422c-8311-38d45ee9838a", + "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", + "dest-uuid": "d742a578-d70e-4d0e-96a6-02a9c30204e6", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -11078,6 +13377,34 @@ ], "type": "uses" }, + { + "dest-uuid": "afc079f3-c0ea-4096-b75d-3f05338b7f60", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "6aabc5ec-eae6-422c-8311-38d45ee9838a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "1608f3e1-598a-42f4-a01a-2e252e81728f", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7fd87010-3a00-4da3-b905-410525e8ec44", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "e358d692-23c0-4a31-9eb6-ecc13a8d7735", "tags": [ @@ -11086,7 +13413,7 @@ "type": "uses" }, { - "dest-uuid": "ff6caf67-ea1f-4895-b80e-4bb0fc31c6db", + "dest-uuid": "b76b2d94-60e4-4107-a903-4a3a7622fb3b", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -11117,6 +13444,13 @@ ], "type": "uses" }, + { + "dest-uuid": "aafea02e-ece5-4bb2-91a6-3bf8c7f38a39", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "6aac77c4-eaf2-4366-8c13-ce50ab951f38", "tags": [ @@ -11125,21 +13459,7 @@ "type": "uses" }, { - "dest-uuid": "afc079f3-c0ea-4096-b75d-3f05338b7f60", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "f4882e23-8aa7-4b12-b28a-b349c12ee9e0", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "8ec6e3b4-b06d-4805-b6aa-af916acc2122", + "dest-uuid": "dc31fe1e-d722-49da-8f5f-92c7b5aff534", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -11153,14 +13473,21 @@ "type": "uses" }, { - "dest-uuid": "aafea02e-ece5-4bb2-91a6-3bf8c7f38a39", + "dest-uuid": "f4882e23-8aa7-4b12-b28a-b349c12ee9e0", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "dc31fe1e-d722-49da-8f5f-92c7b5aff534", + "dest-uuid": "afc079f3-c0ea-4096-b75d-3f05338b7f60", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "8ec6e3b4-b06d-4805-b6aa-af916acc2122", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -11171,5 +13498,5 @@ "value": "DarkHydrus - G0079" } ], - "version": 13 + "version": 15 } diff --git a/clusters/mitre-malware.json b/clusters/mitre-malware.json index 9bbca20..bc1fbae 100644 --- a/clusters/mitre-malware.json +++ b/clusters/mitre-malware.json @@ -41,7 +41,7 @@ "value": "Hacking Team UEFI Rootkit - S0047" }, { - "description": "[X-Agent for Android](https://attack.mitre.org/software/S0314) is Android malware that was placed in a repackaged version of a Ukrainian artillery targeting application. The malware reportedly retrieved general location data on where the victim device was used, and therefore could likely indicate the potential location of Ukrainian artillery. (Citation: CrowdStrike-Android) Is it tracked separately from the [Windows and Linux versions of X-Agent](https://attack.mitre.org/software/S0023).", + "description": "[X-Agent for Android](https://attack.mitre.org/software/S0314) is Android malware that was placed in a repackaged version of a Ukrainian artillery targeting application. The malware reportedly retrieved general location data on where the victim device was used, and therefore could likely indicate the potential location of Ukrainian artillery. (Citation: CrowdStrike-Android) Is it tracked separately from the [CHOPSTICK](https://attack.mitre.org/software/S0023).", "meta": { "external_id": "S0314", "mitre_platforms": [ @@ -141,20 +141,6 @@ ], "type": "uses" }, - { - "dest-uuid": "d4536441-1bcc-49fa-80ae-a596ed3f7ffd", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "702055ac-4e54-4ae9-9527-e23a38e0b160", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "d9db3d46-66ca-44b4-9daa-1ef97cb7465a", "tags": [ @@ -163,14 +149,28 @@ "type": "uses" }, { - "dest-uuid": "6683aa0c-d98a-4f5b-ac57-ca7e9934a760", + "dest-uuid": "d4536441-1bcc-49fa-80ae-a596ed3f7ffd", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "79eec66a-9bd0-4a3f-ac82-19159e94bd44", + "dest-uuid": "62adb627-f647-498e-b4cc-41499361bacb", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "4e6620ac-c30c-4f6d-918e-fa20cae7c1ce", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "bd4d32f5-eed4-4018-a649-40b229dd1d69", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -184,7 +184,7 @@ "type": "uses" }, { - "dest-uuid": "4e6620ac-c30c-4f6d-918e-fa20cae7c1ce", + "dest-uuid": "6683aa0c-d98a-4f5b-ac57-ca7e9934a760", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -205,14 +205,14 @@ "type": "uses" }, { - "dest-uuid": "bd4d32f5-eed4-4018-a649-40b229dd1d69", + "dest-uuid": "79eec66a-9bd0-4a3f-ac82-19159e94bd44", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "62adb627-f647-498e-b4cc-41499361bacb", + "dest-uuid": "702055ac-4e54-4ae9-9527-e23a38e0b160", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -294,27 +294,6 @@ ], "type": "uses" }, - { - "dest-uuid": "99e6295e-741b-4857-b6e5-64989eb039b4", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "4e6620ac-c30c-4f6d-918e-fa20cae7c1ce", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "d4536441-1bcc-49fa-80ae-a596ed3f7ffd", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "351c0927-2fc1-4a2c-ad84-cbbee7eb8172", "tags": [ @@ -322,41 +301,6 @@ ], "type": "uses" }, - { - "dest-uuid": "702055ac-4e54-4ae9-9527-e23a38e0b160", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "b3c2e5de-0941-4b57-ba61-af029eb5517a", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "fd339382-bfec-4bf0-8d47-1caedc9e7e57", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "6683aa0c-d98a-4f5b-ac57-ca7e9934a760", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "79eec66a-9bd0-4a3f-ac82-19159e94bd44", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "2d646840-f6f5-4619-a5a8-29c8316bbac5", "tags": [ @@ -364,6 +308,48 @@ ], "type": "uses" }, + { + "dest-uuid": "4e6620ac-c30c-4f6d-918e-fa20cae7c1ce", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "b3c2e5de-0941-4b57-ba61-af029eb5517a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "99e6295e-741b-4857-b6e5-64989eb039b4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "79eec66a-9bd0-4a3f-ac82-19159e94bd44", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "fd339382-bfec-4bf0-8d47-1caedc9e7e57", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "702055ac-4e54-4ae9-9527-e23a38e0b160", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "c5089859-b21f-40a3-8be4-63e381b8b1c0", "tags": [ @@ -371,6 +357,20 @@ ], "type": "uses" }, + { + "dest-uuid": "d4536441-1bcc-49fa-80ae-a596ed3f7ffd", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "6683aa0c-d98a-4f5b-ac57-ca7e9934a760", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "e2ea7f6b-8d4f-49c3-819d-660530d12b77", "tags": [ @@ -383,7 +383,128 @@ "value": "Pegasus for iOS - S0289" }, { - "description": "[China Chopper](https://attack.mitre.org/software/S0020) is a [Web Shell](http://attack.mitre.org/techniques/T1100) hosted on Web servers to provide access back into an enterprise network that does not rely on an infected system calling back to a remote command and control server. (Citation: Lee 2013) It has been used by several threat groups. (Citation: Dell TG-3390) (Citation: FireEye Periscope March 2018)", + "description": "[gh0st RAT](https://attack.mitre.org/software/S0032) is a remote access tool (RAT). The source code is public and it has been used by multiple groups. (Citation: FireEye Hacking Team)(Citation: Arbor Musical Chairs Feb 2018)(Citation: Nccgroup Gh0st April 2018)", + "meta": { + "external_id": "S0032", + "mitre_platforms": [ + "Windows", + "macOS" + ], + "refs": [ + "https://attack.mitre.org/software/S0032", + "https://www.fireeye.com/blog/threat-research/2015/07/demonstrating_hustle.html", + "https://www.arbornetworks.com/blog/asert/musical-chairs-playing-tetris/", + "https://www.nccgroup.trust/us/about-us/newsroom-and-events/blog/2018/april/decoding-network-data-from-a-gh0st-rat-variant/" + ], + "synonyms": [ + "gh0st RAT" + ] + }, + "related": [ + { + "dest-uuid": "1b1ae63f-bcee-4aba-8994-6c60cee5e16f", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" + }, + { + "dest-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "b2001907-166b-4d71-bb3c-9d26c871de09", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "799ace7f-e227-4411-baa0-8868704f2a69", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "4b74a1d4-b0e9-4ef1-93f1-14ecc6e2f5b5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "f879d51c-5476-431c-aedf-f14d207e4d1e", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "478aa214-2ca7-4ec0-9978-18798e514790", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "62b8c999-dcc0-4755-bd69-09442d9359f5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + } + ], + "uuid": "88c621a7-aef9-4ae0-94e3-1fc87123eb24", + "value": "gh0st RAT - S0032" + }, + { + "description": "[China Chopper](https://attack.mitre.org/software/S0020) is a [Web Shell](https://attack.mitre.org/techniques/T1100) hosted on Web servers to provide access back into an enterprise network that does not rely on an infected system calling back to a remote command and control server. (Citation: Lee 2013) It has been used by several threat groups. (Citation: Dell TG-3390) (Citation: FireEye Periscope March 2018)", "meta": { "external_id": "S0020", "mitre_platforms": [ @@ -407,6 +528,13 @@ ], "type": "uses" }, + { + "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "tags": [ @@ -422,14 +550,49 @@ "type": "uses" }, { - "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", + "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", + "dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "e3a12395-188d-4051-9a16-ea8e14d07b88", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "a93494bb-4b80-4ea1-8695-3236a49916fd", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "6ff403bc-93e3-48be-8687-e102fdba8c88", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7fd87010-3a00-4da3-b905-410525e8ec44", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "128c55d3-aeba-469f-bd3e-c8996ab4112a", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -447,8 +610,7 @@ "Windows" ], "refs": [ - "https://attack.mitre.org/software/S0007", - "http://www.secureworks.com/cyber-threat-intelligence/threats/skeleton-key-malware-analysis/" + "https://attack.mitre.org/software/S0007" ], "synonyms": [ "Skeleton Key" @@ -518,27 +680,6 @@ ], "type": "uses" }, - { - "dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", "tags": [ @@ -547,7 +688,7 @@ "type": "uses" }, { - "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", + "dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -566,6 +707,27 @@ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" + }, + { + "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "ab3580c8-8435-4117-aace-3d9fbe46aa56", @@ -612,6 +774,181 @@ "uuid": "b2203c59-4089-4ee4-bfe1-28fa25f0dbfe", "value": "Cherry Picker - S0107" }, + { + "description": "[Zeus Panda](https://attack.mitre.org/software/S0330) is a Trojan designed to steal banking information and other sensitive credentials for exfiltration. [Zeus Panda](https://attack.mitre.org/software/S0330)’s original source code was leaked in 2011, allowing threat actors to use its source code as a basis for new malware variants. It is mainly used to target Windows operating systems ranging from Windows XP through Windows 10.(Citation: Talos Zeus Panda Nov 2017)(Citation: GDATA Zeus Panda June 2017)", + "meta": { + "external_id": "S0330", + "mitre_platforms": [ + "Windows" + ], + "refs": [ + "https://attack.mitre.org/software/S0330", + "https://blog.talosintelligence.com/2017/11/zeus-panda-campaign.html#More", + "https://cyberwtf.files.wordpress.com/2017/07/panda-whitepaper.pdf" + ], + "synonyms": [ + "Zeus Panda" + ] + }, + "related": [ + { + "dest-uuid": "f4882e23-8aa7-4b12-b28a-b349c12ee9e0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "241814ae-de3f-4656-b49e-f9a80764d4b7", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7fd87010-3a00-4da3-b905-410525e8ec44", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "f3c544dc-673c-4ef3-accb-53229f1ae077", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "66f73398-8394-4711-85e5-34c8540b22a5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "30973a08-aed9-4edf-8604-9084ce1b5c4f", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "799ace7f-e227-4411-baa0-8868704f2a69", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + } + ], + "uuid": "198db886-47af-4f4c-bff5-11b891f85946", + "value": "Zeus Panda - S0330" + }, { "description": "[SpyNote RAT](https://attack.mitre.org/software/S0305) (Remote Access Trojan) is a family of malicious Android apps. The [SpyNote RAT](https://attack.mitre.org/software/S0305) builder tool can be used to develop malicious apps with the malware's functionality. (Citation: Zscaler-SpyNote)", "meta": { @@ -636,14 +973,21 @@ "type": "uses" }, { - "dest-uuid": "6683aa0c-d98a-4f5b-ac57-ca7e9934a760", + "dest-uuid": "99e6295e-741b-4857-b6e5-64989eb039b4", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "99e6295e-741b-4857-b6e5-64989eb039b4", + "dest-uuid": "bd4d32f5-eed4-4018-a649-40b229dd1d69", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "6683aa0c-d98a-4f5b-ac57-ca7e9934a760", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -662,13 +1006,6 @@ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" - }, - { - "dest-uuid": "bd4d32f5-eed4-4018-a649-40b229dd1d69", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" } ], "uuid": "20dbaf05-59b8-4dc6-8777-0b17f4553a23", @@ -704,13 +1041,6 @@ ], "type": "uses" }, - { - "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "3b3cbbe0-6ed3-4334-b543-3ddfd8c5642d", "tags": [ @@ -725,6 +1055,13 @@ ], "type": "uses" }, + { + "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "6aabc5ec-eae6-422c-8311-38d45ee9838a", "tags": [ @@ -773,13 +1110,6 @@ ], "type": "uses" }, - { - "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "tags": [ @@ -795,7 +1125,7 @@ "type": "uses" }, { - "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", + "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -807,6 +1137,13 @@ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" + }, + { + "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "8e461ca3-0996-4e6e-a0df-e2a5bbc51ebc", @@ -899,14 +1236,14 @@ "type": "uses" }, { - "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", + "dest-uuid": "cc7b8c4e-9be0-47ca-b0bb-83915ec3ee2f", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "cc7b8c4e-9be0-47ca-b0bb-83915ec3ee2f", + "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -916,6 +1253,161 @@ "uuid": "f5352566-1a64-49ac-8f7f-97e1d1a03300", "value": "AutoIt backdoor - S0129" }, + { + "description": "[Agent Tesla](https://attack.mitre.org/software/S0331) is a spyware Trojan written in visual basic.(Citation: Fortinet Agent Tesla April 2018)", + "meta": { + "external_id": "S0331", + "mitre_platforms": [ + "Windows" + ], + "refs": [ + "https://attack.mitre.org/software/S0331", + "https://www.fortinet.com/blog/threat-research/analysis-of-new-agent-tesla-spyware-variant.html", + "https://blog.talosintelligence.com/2018/10/old-dog-new-tricks-analysing-new-rtf_15.html", + "https://www.digitrustgroup.com/agent-tesla-keylogger/" + ], + "synonyms": [ + "Agent Tesla" + ] + }, + "related": [ + { + "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "f3c544dc-673c-4ef3-accb-53229f1ae077", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "30973a08-aed9-4edf-8604-9084ce1b5c4f", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "c848fcf7-6b62-4bde-8216-b6c157d48da0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "2e0dd10b-676d-4964-acd0-8a404c92b044", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "72b74d71-8169-42aa-92e0-e7b04b9f5a08", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "a19e86f8-1c0a-4fea-8407-23b73d615776", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "d54416bd-0803-41ca-870a-ce1af7c05638", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "be2dcee9-a7a7-4e38-afd6-21b31ecc3d63", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "6faf650d-bf31-4eb4-802d-1000cf38efaf", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + } + ], + "uuid": "e7a5229f-05eb-440e-b982-9a6d2b2b87c8", + "value": "Agent Tesla - S0331" + }, { "description": "[Power Loader](https://attack.mitre.org/software/S0177) is modular code sold in the cybercrime market used as a downloader in malware families such as Carberp, Redyms and Gapz. (Citation: MalwareTech Power Loader Aug 2013) (Citation: WeLiveSecurity Gapz and Redyms Mar 2013)", "meta": { @@ -962,7 +1454,7 @@ }, "related": [ { - "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", + "dest-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -976,21 +1468,7 @@ "type": "uses" }, { - "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", + "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -1004,7 +1482,21 @@ "type": "uses" }, { - "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", + "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -1054,7 +1546,7 @@ "type": "uses" }, { - "dest-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d", + "dest-uuid": "1c338d0f-a65e-4073-a5c1-c06878849f21", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -1067,6 +1559,13 @@ ], "type": "uses" }, + { + "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", "tags": [ @@ -1074,6 +1573,41 @@ ], "type": "uses" }, + { + "dest-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "1608f3e1-598a-42f4-a01a-2e252e81728f", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "ba8e391f-14b5-496f-81f2-2d5ecd646c1c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", "tags": [ @@ -1088,59 +1622,128 @@ ], "type": "uses" }, - { - "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "1c338d0f-a65e-4073-a5c1-c06878849f21", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "1608f3e1-598a-42f4-a01a-2e252e81728f", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "ba8e391f-14b5-496f-81f2-2d5ecd646c1c", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "7fd87010-3a00-4da3-b905-410525e8ec44", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" + }, + { + "dest-uuid": "82caa33e-d11a-433a-94ea-9b5a5fbef81d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "0c824410-58ff-49b2-9cf2-1c96b182bdf0", "value": "Smoke Loader - S0226" }, + { + "description": "[Linux Rabbit](https://attack.mitre.org/software/S0362) is malware that targeted Linux servers and IoT devices in a campaign lasting from August to October 2018. It shares code with another strain of malware known as Rabbot. The goal of the campaign was to install cryptocurrency miners onto the targeted servers and devices.(Citation: Anomali Linux Rabbit 2018)\n", + "meta": { + "external_id": "S0362", + "mitre_platforms": [ + "Linux" + ], + "refs": [ + "https://attack.mitre.org/software/S0362", + "https://www.anomali.com/blog/pulling-linux-rabbit-rabbot-malware-out-of-a-hat" + ], + "synonyms": [ + "Linux Rabbit" + ] + }, + "related": [ + { + "dest-uuid": "cc7b8c4e-9be0-47ca-b0bb-83915ec3ee2f", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "01df3350-ce05-4bdf-bdf8-0a919a66d4a8", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "f879d51c-5476-431c-aedf-f14d207e4d1e", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "54a649ff-439a-41a4-9856-8d144a2551ba", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "a93494bb-4b80-4ea1-8695-3236a49916fd", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + } + ], + "uuid": "0efefea5-78da-4022-92bc-d726139e8883", + "value": "Linux Rabbit - S0362" + }, + { + "description": "[LockerGoga ](https://attack.mitre.org/software/S0372) is ransomware that has been tied to various attacks on European companies. It was first reported upon in January 2019.(Citation: Unit42 LockerGoga 2019)(Citation: CarbonBlack LockerGoga 2019)", + "meta": { + "external_id": "S0372", + "mitre_platforms": [ + "Windows" + ], + "refs": [ + "https://attack.mitre.org/software/S0372", + "https://unit42.paloaltonetworks.com/born-this-way-origins-of-lockergoga/", + "https://www.carbonblack.com/2019/03/22/tau-threat-intelligence-notification-lockergoga-ransomware/" + ], + "synonyms": [ + "LockerGoga " + ] + }, + "related": [ + { + "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "b80d107d-fa0d-4b60-9684-b0433e8bdba0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + } + ], + "uuid": "5af7a825-2d9f-400d-931a-e00eb9e27f48", + "value": "LockerGoga - S0372" + }, { "description": "[Stealth Mango](https://attack.mitre.org/software/S0328) is Android malware that has reportedly been used to successfully compromise the mobile devices of government officials, members of the military, medical professionals, and civilians. The iOS malware known as [Tangelo](https://attack.mitre.org/software/S0329) is believed to be from the same developer. (Citation: Lookout-StealthMango)", "meta": { @@ -1158,14 +1761,21 @@ }, "related": [ { - "dest-uuid": "62adb627-f647-498e-b4cc-41499361bacb", + "dest-uuid": "99e6295e-741b-4857-b6e5-64989eb039b4", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "6683aa0c-d98a-4f5b-ac57-ca7e9934a760", + "dest-uuid": "4e6620ac-c30c-4f6d-918e-fa20cae7c1ce", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "e8b4e1ec-8e3b-484c-9038-4459b1ed8060", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -1185,27 +1795,6 @@ ], "type": "uses" }, - { - "dest-uuid": "99e6295e-741b-4857-b6e5-64989eb039b4", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "0d95940f-9583-4e0f-824c-a42c1be47fad", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "e8b4e1ec-8e3b-484c-9038-4459b1ed8060", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "fd339382-bfec-4bf0-8d47-1caedc9e7e57", "tags": [ @@ -1213,6 +1802,27 @@ ], "type": "uses" }, + { + "dest-uuid": "62adb627-f647-498e-b4cc-41499361bacb", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "6683aa0c-d98a-4f5b-ac57-ca7e9934a760", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "b3c2e5de-0941-4b57-ba61-af029eb5517a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "198ce408-1470-45ee-b47f-7056050d4fc2", "tags": [ @@ -1220,13 +1830,6 @@ ], "type": "uses" }, - { - "dest-uuid": "4e6620ac-c30c-4f6d-918e-fa20cae7c1ce", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "d4536441-1bcc-49fa-80ae-a596ed3f7ffd", "tags": [ @@ -1235,7 +1838,7 @@ "type": "uses" }, { - "dest-uuid": "b3c2e5de-0941-4b57-ba61-af029eb5517a", + "dest-uuid": "0d95940f-9583-4e0f-824c-a42c1be47fad", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -1261,6 +1864,41 @@ ] }, "related": [ + { + "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "2e0dd10b-676d-4964-acd0-8a404c92b044", "tags": [ @@ -1268,6 +1906,34 @@ ], "type": "uses" }, + { + "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "241814ae-de3f-4656-b49e-f9a80764d4b7", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", "tags": [ @@ -1275,6 +1941,151 @@ ], "type": "uses" }, + { + "dest-uuid": "d54416bd-0803-41ca-870a-ce1af7c05638", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7dd95ff6-712e-4056-9626-312ea4ab4c5e", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + } + ], + "uuid": "b9799466-9dd7-4098-b2d6-f999ce50b9a8", + "value": "Gold Dragon - S0249" + }, + { + "description": "[Cobian RAT](https://attack.mitre.org/software/S0338) is a backdoor, remote access tool that has been observed since 2016.(Citation: Zscaler Cobian Aug 2017)", + "meta": { + "external_id": "S0338", + "mitre_platforms": [ + "Windows" + ], + "refs": [ + "https://attack.mitre.org/software/S0338", + "https://www.zscaler.com/blogs/research/cobian-rat-backdoored-rat" + ], + "synonyms": [ + "Cobian RAT" + ] + }, + "related": [ + { + "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "1035cdf2-3e5f-446f-a7a7-e8f6d7925967", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "ad255bfe-a9e6-4b52-a258-8d3462abe842", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "6faf650d-bf31-4eb4-802d-1000cf38efaf", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + } + ], + "uuid": "aa1462a1-d065-416c-b354-bedd04998c7f", + "value": "Cobian RAT - S0338" + }, + { + "description": "[Cardinal RAT](https://attack.mitre.org/software/S0348) is a potentially low volume remote access trojan (RAT) observed since December 2015. [Cardinal RAT](https://attack.mitre.org/software/S0348) is notable for its unique utilization of uncompiled C# source code and the Microsoft Windows built-in csc.exe compiler.(Citation: PaloAlto CardinalRat Apr 2017)", + "meta": { + "external_id": "S0348", + "mitre_platforms": [ + "Windows" + ], + "refs": [ + "https://attack.mitre.org/software/S0348", + "https://researchcenter.paloaltonetworks.com/2017/04/unit42-cardinal-rat-active-two-years/" + ], + "synonyms": [ + "Cardinal RAT" + ] + }, + "related": [ + { + "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "f879d51c-5476-431c-aedf-f14d207e4d1e", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "tags": [ @@ -1282,6 +2093,62 @@ ], "type": "uses" }, + { + "dest-uuid": "f24faf46-3b26-4dbb-98f2-63460498e433", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "8c32eb4d-805f-4fc5-bf60-c4d476c131b5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "731f4f55-b6d0-41d1-a7a9-072a66389aea", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", "tags": [ @@ -1297,19 +2164,81 @@ "type": "uses" }, { - "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", + "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", + "dest-uuid": "3b3cbbe0-6ed3-4334-b543-3ddfd8c5642d", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, + { + "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "b9f5dbe2-4c55-4fc5-af2e-d42c1d182ec4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "cf7b3a06-8b42-4c33-bbe9-012120027925", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + } + ], + "uuid": "b879758f-bbc4-4cab-b5ba-177ac9b009b4", + "value": "Cardinal RAT - S0348" + }, + { + "description": "[Olympic Destroyer](https://attack.mitre.org/software/S0365) is malware that was first seen infecting computer systems at the 2018 Winter Olympics, held in Pyeongchang, South Korea. The main purpose of the malware appears to be to cause destructive impact to the affected systems. The malware leverages various native Windows utilities and API calls to carry out its destructive tasks. The malware has worm-like features to spread itself across a computer network in order to maximize its destructive impact.(Citation: Talos Olympic Destroyer 2018) ", + "meta": { + "external_id": "S0365", + "mitre_platforms": [ + "Windows" + ], + "refs": [ + "https://attack.mitre.org/software/S0365", + "https://blog.talosintelligence.com/2018/02/olympic-destroyer.html" + ], + "synonyms": [ + "Olympic Destroyer" + ] + }, + "related": [ { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "tags": [ @@ -1318,50 +2247,92 @@ "type": "uses" }, { - "dest-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc", + "dest-uuid": "e358d692-23c0-4a31-9eb6-ecc13a8d7735", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "d54416bd-0803-41ca-870a-ce1af7c05638", + "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59", + "dest-uuid": "3489cfc5-640f-4bb3-a103-9137b97de79f", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "241814ae-de3f-4656-b49e-f9a80764d4b7", + "dest-uuid": "ffe742ed-9100-4686-9e00-c331da544787", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896", + "dest-uuid": "ba8e391f-14b5-496f-81f2-2d5ecd646c1c", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "7dd95ff6-712e-4056-9626-312ea4ab4c5e", + "dest-uuid": "f44731de-ea9f-406d-9b83-30ecbb9b4392", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "d45a3d09-b3cf-48f4-9f0f-f521ee5cb05c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "799ace7f-e227-4411-baa0-8868704f2a69", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "20fb2507-d71c-455d-9b6d-6104461cf26b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "f5d8eed6-48a9-4cdf-a3d7-d1ffa99c3d2a", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" } ], - "uuid": "b9799466-9dd7-4098-b2d6-f999ce50b9a8", - "value": "Gold Dragon - S0249" + "uuid": "3249e92a-870b-426d-8790-ba311c1abfb4", + "value": "Olympic Destroyer - S0365" }, { "description": "[Trojan-SMS.AndroidOS.FakeInst.a](https://attack.mitre.org/software/S0306) is Android malware. (Citation: Kaspersky-MobileMalware)", @@ -1474,27 +2445,6 @@ ], "type": "uses" }, - { - "dest-uuid": "c21d5a77-d422-4a69-acd7-2c53c1faa34b", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "72b74d71-8169-42aa-92e0-e7b04b9f5a08", "tags": [ @@ -1502,13 +2452,6 @@ ], "type": "uses" }, - { - "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "f24faf46-3b26-4dbb-98f2-63460498e433", "tags": [ @@ -1517,7 +2460,7 @@ "type": "uses" }, { - "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", + "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -1530,6 +2473,27 @@ ], "type": "uses" }, + { + "dest-uuid": "c21d5a77-d422-4a69-acd7-2c53c1faa34b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "f72eb8a8-cd4c-461d-a814-3f862befbf00", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "cc7b8c4e-9be0-47ca-b0bb-83915ec3ee2f", "tags": [ @@ -1545,7 +2509,14 @@ "type": "uses" }, { - "dest-uuid": "f72eb8a8-cd4c-461d-a814-3f862befbf00", + "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -1578,13 +2549,6 @@ ], "type": "uses" }, - { - "dest-uuid": "f24faf46-3b26-4dbb-98f2-63460498e433", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "f879d51c-5476-431c-aedf-f14d207e4d1e", "tags": [ @@ -1592,13 +2556,6 @@ ], "type": "uses" }, - { - "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "cc7b8c4e-9be0-47ca-b0bb-83915ec3ee2f", "tags": [ @@ -1606,13 +2563,6 @@ ], "type": "uses" }, - { - "dest-uuid": "72b74d71-8169-42aa-92e0-e7b04b9f5a08", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0", "tags": [ @@ -1620,20 +2570,6 @@ ], "type": "uses" }, - { - "dest-uuid": "322bad5a-1c49-4d23-ab79-76d641794afa", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "e01be9c5-e763-4caf-aeb7-000b416aef67", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc", "tags": [ @@ -1647,6 +2583,41 @@ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" + }, + { + "dest-uuid": "e01be9c5-e763-4caf-aeb7-000b416aef67", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "72b74d71-8169-42aa-92e0-e7b04b9f5a08", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "322bad5a-1c49-4d23-ab79-76d641794afa", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "f24faf46-3b26-4dbb-98f2-63460498e433", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "66b1dcde-17a0-4c7b-95fa-b08d430c2131", @@ -1683,7 +2654,7 @@ "type": "uses" }, { - "dest-uuid": "428ca9f8-0e33-442a-be87-f869cb4cf73e", + "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -1696,6 +2667,34 @@ ], "type": "uses" }, + { + "dest-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "428ca9f8-0e33-442a-be87-f869cb4cf73e", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "68f7e3a1-f09f-4164-9a62-16b648a0dd5a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc", "tags": [ @@ -1709,34 +2708,6 @@ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" - }, - { - "dest-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "68f7e3a1-f09f-4164-9a62-16b648a0dd5a", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" } ], "uuid": "5967cc93-57c9-404a-8ffd-097edfa7bdfc", @@ -1794,6 +2765,20 @@ ], "type": "uses" }, + { + "dest-uuid": "53263a67-075e-48fa-974b-91c5b5445db7", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "6a3f6490-9c44-40de-b059-e5940f246673", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "4e6620ac-c30c-4f6d-918e-fa20cae7c1ce", "tags": [ @@ -1815,20 +2800,6 @@ ], "type": "uses" }, - { - "dest-uuid": "6a3f6490-9c44-40de-b059-e5940f246673", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "e8b4e1ec-8e3b-484c-9038-4459b1ed8060", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "99e6295e-741b-4857-b6e5-64989eb039b4", "tags": [ @@ -1837,7 +2808,7 @@ "type": "uses" }, { - "dest-uuid": "53263a67-075e-48fa-974b-91c5b5445db7", + "dest-uuid": "e8b4e1ec-8e3b-484c-9038-4459b1ed8060", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -1903,6 +2874,34 @@ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" + }, + { + "dest-uuid": "89fcd02f-62dc-40b9-a54b-9ac4b1baef05", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "dd818ea5-adf5-41c7-93b5-f3b839a219fb", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "e2ea7f6b-8d4f-49c3-819d-660530d12b77", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "c6a146ae-9c63-4606-97ff-e261e76e8380", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "4bf6ba32-4165-42c1-b911-9c36165891c8", @@ -1932,7 +2931,7 @@ "type": "uses" }, { - "dest-uuid": "3b744087-9945-4a6f-91e8-9dbceda417a4", + "dest-uuid": "d54416bd-0803-41ca-870a-ce1af7c05638", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -1945,26 +2944,26 @@ ], "type": "uses" }, - { - "dest-uuid": "e6415f09-df0e-48de-9aba-928c902b7549", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "d54416bd-0803-41ca-870a-ce1af7c05638", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" + }, + { + "dest-uuid": "3b744087-9945-4a6f-91e8-9dbceda417a4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "e6415f09-df0e-48de-9aba-928c902b7549", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "40d3e230-ed32-469f-ba89-be70cc08ab39", @@ -2001,13 +3000,6 @@ ], "type": "uses" }, - { - "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "ad255bfe-a9e6-4b52-a258-8d3462abe842", "tags": [ @@ -2030,7 +3022,14 @@ "type": "uses" }, { - "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", + "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "d54416bd-0803-41ca-870a-ce1af7c05638", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -2044,14 +3043,14 @@ "type": "uses" }, { - "dest-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc", + "dest-uuid": "1608f3e1-598a-42f4-a01a-2e252e81728f", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "1608f3e1-598a-42f4-a01a-2e252e81728f", + "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -2065,14 +3064,14 @@ "type": "uses" }, { - "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", + "dest-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "d54416bd-0803-41ca-870a-ce1af7c05638", + "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -2106,21 +3105,7 @@ "type": "uses" }, { - "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "7dd95ff6-712e-4056-9626-312ea4ab4c5e", + "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -2133,6 +3118,13 @@ ], "type": "uses" }, + { + "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22", "tags": [ @@ -2141,7 +3133,14 @@ "type": "uses" }, { - "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", + "dest-uuid": "7dd95ff6-712e-4056-9626-312ea4ab4c5e", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -2151,6 +3150,96 @@ "uuid": "82cb34ba-02b5-432b-b2d2-07f55cbf674d", "value": "Trojan.Karagany - S0094" }, + { + "description": "[OSX_OCEANLOTUS.D](https://attack.mitre.org/software/S0352) is a MacOS backdoor that has been used by [APT32](https://attack.mitre.org/groups/G0050).(Citation: TrendMicro MacOS April 2018)", + "meta": { + "external_id": "S0352", + "mitre_platforms": [ + "macOS" + ], + "refs": [ + "https://attack.mitre.org/software/S0352", + "https://blog.trendmicro.com/trendlabs-security-intelligence/new-macos-backdoor-linked-to-oceanlotus-found/" + ], + "synonyms": [ + "OSX_OCEANLOTUS.D" + ] + }, + "related": [ + { + "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "e99ec083-abdd-48de-ad87-4dbf6f8ba2a4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "dd901512-6e37-4155-943b-453e3777b125", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "d54416bd-0803-41ca-870a-ce1af7c05638", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "dc27c2ec-c5f9-4228-ba57-d67b590bda93", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7fd87010-3a00-4da3-b905-410525e8ec44", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + } + ], + "uuid": "b00f90b6-c75c-4bfd-b813-ca9e6c9ebf29", + "value": "OSX_OCEANLOTUS.D - S0352" + }, { "description": "[T9000](https://attack.mitre.org/software/S0098) is a backdoor that is a newer variant of the T5000 malware family, also known as Plat1. Its primary function is to gather information about the victim. It has been used in multiple targeted attacks against U.S.-based organizations. (Citation: FireEye admin@338 March 2014) (Citation: Palo Alto T9000 Feb 2016)", "meta": { @@ -2182,13 +3271,6 @@ ], "type": "uses" }, - { - "dest-uuid": "241814ae-de3f-4656-b49e-f9a80764d4b7", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "1035cdf2-3e5f-446f-a7a7-e8f6d7925967", "tags": [ @@ -2197,56 +3279,7 @@ "type": "uses" }, { - "dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "b2001907-166b-4d71-bb3c-9d26c871de09", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "348f1eef-964b-4eb6-bb53-69b3dcb0c643", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "6faf650d-bf31-4eb4-802d-1000cf38efaf", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "30208d3e-0d6b-43c8-883e-44462a514619", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "d54416bd-0803-41ca-870a-ce1af7c05638", + "dest-uuid": "f3c544dc-673c-4ef3-accb-53229f1ae077", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -2260,7 +3293,63 @@ "type": "uses" }, { - "dest-uuid": "f3c544dc-673c-4ef3-accb-53229f1ae077", + "dest-uuid": "d54416bd-0803-41ca-870a-ce1af7c05638", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "6faf650d-bf31-4eb4-802d-1000cf38efaf", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "241814ae-de3f-4656-b49e-f9a80764d4b7", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "348f1eef-964b-4eb6-bb53-69b3dcb0c643", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "b2001907-166b-4d71-bb3c-9d26c871de09", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "30208d3e-0d6b-43c8-883e-44462a514619", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -2319,8 +3408,7 @@ "Windows" ], "refs": [ - "https://attack.mitre.org/software/S0060", - "https://securelist.com/files/2015/05/TheNaikonAPT-MsnMM1.pdf" + "https://attack.mitre.org/software/S0060" ], "synonyms": [ "Sys10" @@ -2349,7 +3437,7 @@ "type": "uses" }, { - "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", + "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -2363,14 +3451,14 @@ "type": "uses" }, { - "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", + "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", + "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -2423,83 +3511,6 @@ "uuid": "251fbae2-78f6-4de7-84f6-194c727a64ad", "value": "Lurid - S0010" }, - { - "description": "[gh0st](https://attack.mitre.org/software/S0032) is a remote access tool (RAT). The source code is public and it has been used by many groups. (Citation: FireEye Hacking Team)", - "meta": { - "external_id": "S0032", - "mitre_platforms": [ - "Windows", - "macOS" - ], - "refs": [ - "https://attack.mitre.org/software/S0032", - "https://www.fireeye.com/blog/threat-research/2015/07/demonstrating_hustle.html" - ], - "synonyms": [ - "gh0st" - ] - }, - "related": [ - { - "dest-uuid": "1b1ae63f-bcee-4aba-8994-6c60cee5e16f", - "tags": [ - "estimative-language:likelihood-probability=\"likely\"" - ], - "type": "similar" - }, - { - "dest-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "b2001907-166b-4d71-bb3c-9d26c871de09", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "62b8c999-dcc0-4755-bd69-09442d9359f5", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "799ace7f-e227-4411-baa0-8868704f2a69", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - } - ], - "uuid": "88c621a7-aef9-4ae0-94e3-1fc87123eb24", - "value": "gh0st - S0032" - }, { "description": "[Dipsind](https://attack.mitre.org/software/S0200) is a malware family of backdoors that appear to be used exclusively by [PLATINUM](https://attack.mitre.org/groups/G0068). (Citation: Microsoft PLATINUM April 2016)", "meta": { @@ -2523,13 +3534,6 @@ ], "type": "uses" }, - { - "dest-uuid": "4eeaf8a9-c86b-4954-a663-9555fb406466", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "f72eb8a8-cd4c-461d-a814-3f862befbf00", "tags": [ @@ -2544,6 +3548,20 @@ ], "type": "uses" }, + { + "dest-uuid": "4eeaf8a9-c86b-4954-a663-9555fb406466", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "4b74a1d4-b0e9-4ef1-93f1-14ecc6e2f5b5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "cc7b8c4e-9be0-47ca-b0bb-83915ec3ee2f", "tags": [ @@ -2558,13 +3576,6 @@ ], "type": "uses" }, - { - "dest-uuid": "4b74a1d4-b0e9-4ef1-93f1-14ecc6e2f5b5", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", "tags": [ @@ -2636,41 +3647,6 @@ ], "type": "uses" }, - { - "dest-uuid": "1608f3e1-598a-42f4-a01a-2e252e81728f", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "4061e78c-1284-44b4-9116-73e4ac3912f7", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "c3888c54-775d-4b2f-b759-75a2ececcbfd", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59", "tags": [ @@ -2678,13 +3654,6 @@ ], "type": "uses" }, - { - "dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "3b3cbbe0-6ed3-4334-b543-3ddfd8c5642d", "tags": [ @@ -2706,20 +3675,6 @@ ], "type": "uses" }, - { - "dest-uuid": "51dea151-0898-4a45-967c-3ebee0420484", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "f879d51c-5476-431c-aedf-f14d207e4d1e", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "4b74a1d4-b0e9-4ef1-93f1-14ecc6e2f5b5", "tags": [ @@ -2728,14 +3683,7 @@ "type": "uses" }, { - "dest-uuid": "f72eb8a8-cd4c-461d-a814-3f862befbf00", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "e01be9c5-e763-4caf-aeb7-000b416aef67", + "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -2749,7 +3697,49 @@ "type": "uses" }, { - "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", + "dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "1608f3e1-598a-42f4-a01a-2e252e81728f", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "f879d51c-5476-431c-aedf-f14d207e4d1e", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "4061e78c-1284-44b4-9116-73e4ac3912f7", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "c3888c54-775d-4b2f-b759-75a2ececcbfd", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -2763,7 +3753,28 @@ "type": "uses" }, { - "dest-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896", + "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "51dea151-0898-4a45-967c-3ebee0420484", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "e01be9c5-e763-4caf-aeb7-000b416aef67", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "f72eb8a8-cd4c-461d-a814-3f862befbf00", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -2851,13 +3862,6 @@ ], "type": "uses" }, - { - "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "478aa214-2ca7-4ec0-9978-18798e514790", "tags": [ @@ -2866,7 +3870,14 @@ "type": "uses" }, { - "dest-uuid": "30973a08-aed9-4edf-8604-9084ce1b5c4f", + "dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -2879,13 +3890,6 @@ ], "type": "uses" }, - { - "dest-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "970cdb5c-02fb-4c38-b17e-d6327cf3c810", "tags": [ @@ -2894,7 +3898,14 @@ "type": "uses" }, { - "dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688", + "dest-uuid": "30973a08-aed9-4edf-8604-9084ce1b5c4f", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -2930,13 +3941,6 @@ ], "type": "uses" }, - { - "dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "478aa214-2ca7-4ec0-9978-18798e514790", "tags": [ @@ -2944,41 +3948,6 @@ ], "type": "uses" }, - { - "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "1b7ba276-eedc-4951-a762-0ceea2c030ec", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "a19e86f8-1c0a-4fea-8407-23b73d615776", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "b21c3b2d-02e6-45b1-980b-e69051040839", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "774a3188-6ba9-4dc4-879d-d54ee48a5ce9", "tags": [ @@ -2987,7 +3956,7 @@ "type": "uses" }, { - "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", + "dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -3000,6 +3969,13 @@ ], "type": "uses" }, + { + "dest-uuid": "1b7ba276-eedc-4951-a762-0ceea2c030ec", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "1608f3e1-598a-42f4-a01a-2e252e81728f", "tags": [ @@ -3007,6 +3983,13 @@ ], "type": "uses" }, + { + "dest-uuid": "b21c3b2d-02e6-45b1-980b-e69051040839", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "3b3cbbe0-6ed3-4334-b543-3ddfd8c5642d", "tags": [ @@ -3015,7 +3998,21 @@ "type": "uses" }, { - "dest-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2", + "dest-uuid": "a19e86f8-1c0a-4fea-8407-23b73d615776", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -3028,12 +4025,26 @@ ], "type": "uses" }, + { + "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "30973a08-aed9-4edf-8604-9084ce1b5c4f", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" + }, + { + "dest-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "2eb9b131-d333-4a48-9eb4-d8dec46c19ee", @@ -3081,14 +4092,21 @@ "type": "uses" }, { - "dest-uuid": "b2001907-166b-4d71-bb3c-9d26c871de09", + "dest-uuid": "f879d51c-5476-431c-aedf-f14d207e4d1e", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59", + "dest-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -3108,20 +4126,6 @@ ], "type": "uses" }, - { - "dest-uuid": "f879d51c-5476-431c-aedf-f14d207e4d1e", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", "tags": [ @@ -3129,13 +4133,6 @@ ], "type": "uses" }, - { - "dest-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2", "tags": [ @@ -3143,12 +4140,26 @@ ], "type": "uses" }, + { + "dest-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "46944654-fcc1-4f63-9dad-628102376586", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" + }, + { + "dest-uuid": "b2001907-166b-4d71-bb3c-9d26c871de09", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "e066bf86-9cfb-407a-9d25-26fd5d91e360", @@ -3193,14 +4204,14 @@ "type": "uses" }, { - "dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22", + "dest-uuid": "f879d51c-5476-431c-aedf-f14d207e4d1e", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "f879d51c-5476-431c-aedf-f14d207e4d1e", + "dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -3282,7 +4293,7 @@ "type": "uses" }, { - "dest-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2", + "dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -3296,7 +4307,7 @@ "type": "uses" }, { - "dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5", + "dest-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -3309,13 +4320,6 @@ ], "type": "uses" }, - { - "dest-uuid": "774a3188-6ba9-4dc4-879d-d54ee48a5ce9", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "7dd95ff6-712e-4056-9626-312ea4ab4c5e", "tags": [ @@ -3323,26 +4327,33 @@ ], "type": "uses" }, - { - "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" + }, + { + "dest-uuid": "774a3188-6ba9-4dc4-879d-d54ee48a5ce9", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "6b616fc1-1505-48e3-8b2c-0d19337bff38", @@ -3390,7 +4401,7 @@ "value": "Taidoor - S0011" }, { - "description": "[WEBC2](https://attack.mitre.org/software/S0109) is a backdoor used by [APT1](https://attack.mitre.org/groups/G0006) to retrieve a Web page from a predetermined C2 server. (Citation: Mandiant APT1 Appendix)", + "description": "[WEBC2](https://attack.mitre.org/software/S0109) is a backdoor used by [APT1](https://attack.mitre.org/groups/G0006) to retrieve a Web page from a predetermined C2 server. (Citation: Mandiant APT1 Appendix)(Citation: Mandiant APT1)", "meta": { "external_id": "S0109", "mitre_platforms": [ @@ -3398,7 +4409,8 @@ ], "refs": [ "https://attack.mitre.org/software/S0109", - "https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report-appendix.zip" + "https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report-appendix.zip", + "https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pdf" ], "synonyms": [ "WEBC2" @@ -3418,6 +4430,20 @@ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" + }, + { + "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "1d808f62-cf63-4063-9727-ff6132514c22", @@ -3466,7 +4492,35 @@ "type": "uses" }, { - "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", + "dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "6faf650d-bf31-4eb4-802d-1000cf38efaf", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "1035cdf2-3e5f-446f-a7a7-e8f6d7925967", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "128c55d3-aeba-469f-bd3e-c8996ab4112a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -3493,20 +4547,6 @@ ], "type": "uses" }, - { - "dest-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "f72eb8a8-cd4c-461d-a814-3f862befbf00", "tags": [ @@ -3515,21 +4555,7 @@ "type": "uses" }, { - "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "1035cdf2-3e5f-446f-a7a7-e8f6d7925967", + "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -3543,7 +4569,21 @@ "type": "uses" }, { - "dest-uuid": "f879d51c-5476-431c-aedf-f14d207e4d1e", + "dest-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -3556,20 +4596,6 @@ ], "type": "uses" }, - { - "dest-uuid": "6faf650d-bf31-4eb4-802d-1000cf38efaf", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "128c55d3-aeba-469f-bd3e-c8996ab4112a", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "f24faf46-3b26-4dbb-98f2-63460498e433", "tags": [ @@ -3585,7 +4611,7 @@ "type": "uses" }, { - "dest-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896", + "dest-uuid": "f879d51c-5476-431c-aedf-f14d207e4d1e", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -3626,7 +4652,42 @@ "type": "uses" }, { - "dest-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896", + "dest-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "241814ae-de3f-4656-b49e-f9a80764d4b7", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "322bad5a-1c49-4d23-ab79-76d641794afa", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -3639,6 +4700,20 @@ ], "type": "uses" }, + { + "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "65917ae0-b854-4139-83fe-bf2441cf0196", "tags": [ @@ -3654,21 +4729,7 @@ "type": "uses" }, { - "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "15dbf668-795c-41e6-8219-f0447c0e64ce", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", + "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -3682,21 +4743,7 @@ "type": "uses" }, { - "dest-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "322bad5a-1c49-4d23-ab79-76d641794afa", + "dest-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -3709,40 +4756,19 @@ ], "type": "uses" }, + { + "dest-uuid": "15dbf668-795c-41e6-8219-f0447c0e64ce", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "c8e87b83-edbb-48d4-9295-4974897525b7", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" - }, - { - "dest-uuid": "241814ae-de3f-4656-b49e-f9a80764d4b7", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" } ], "uuid": "de6cb631-52f6-4169-a73b-7965390b0c30", @@ -3805,21 +4831,21 @@ "type": "uses" }, { - "dest-uuid": "62dfd1ca-52d5-483c-a84b-d6e80bf94b7b", + "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5", + "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", + "dest-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -3833,7 +4859,7 @@ "type": "uses" }, { - "dest-uuid": "4ae4f953-fe58-4cc8-a327-33257e30a830", + "dest-uuid": "0f20e3cb-245b-4a61-8a91-2d93f7cb0e9b", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -3847,7 +4873,7 @@ "type": "uses" }, { - "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4", + "dest-uuid": "62dfd1ca-52d5-483c-a84b-d6e80bf94b7b", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -3867,13 +4893,6 @@ ], "type": "uses" }, - { - "dest-uuid": "0f20e3cb-245b-4a61-8a91-2d93f7cb0e9b", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "c848fcf7-6b62-4bde-8216-b6c157d48da0", "tags": [ @@ -3882,7 +4901,7 @@ "type": "uses" }, { - "dest-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc", + "dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -3896,7 +4915,14 @@ "type": "uses" }, { - "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", + "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "4ae4f953-fe58-4cc8-a327-33257e30a830", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -3930,6 +4956,13 @@ ], "type": "uses" }, + { + "dest-uuid": "1b84d551-6de8-4b96-9930-d177677c3b1d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "478aa214-2ca7-4ec0-9978-18798e514790", "tags": [ @@ -3943,13 +4976,6 @@ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" - }, - { - "dest-uuid": "1b84d551-6de8-4b96-9930-d177677c3b1d", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" } ], "uuid": "c251e4a5-9a2e-4166-8e42-442af75c3b9a", @@ -3987,7 +5013,14 @@ "type": "uses" }, { - "dest-uuid": "ad255bfe-a9e6-4b52-a258-8d3462abe842", + "dest-uuid": "2e0dd10b-676d-4964-acd0-8a404c92b044", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -4008,7 +5041,14 @@ "type": "uses" }, { - "dest-uuid": "2e0dd10b-676d-4964-acd0-8a404c92b044", + "dest-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -4035,6 +5075,13 @@ ], "type": "uses" }, + { + "dest-uuid": "970cdb5c-02fb-4c38-b17e-d6327cf3c810", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", "tags": [ @@ -4043,14 +5090,7 @@ "type": "uses" }, { - "dest-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4", + "dest-uuid": "ad255bfe-a9e6-4b52-a258-8d3462abe842", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -4062,20 +5102,6 @@ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" - }, - { - "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "970cdb5c-02fb-4c38-b17e-d6327cf3c810", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" } ], "uuid": "fb261c56-b80e-43a9-8351-c84081e7213d", @@ -4116,7 +5142,7 @@ "value": "Dendroid - S0301" }, { - "description": "[PlugX](https://attack.mitre.org/software/S0013) is a remote access tool (RAT) that uses modular plugins. (Citation: Lastline PlugX Analysis) It has been used by multiple threat groups. (Citation: FireEye Clandestine Fox Part 2) (Citation: New DragonOK) (Citation: Dell TG-3390)", + "description": "[PlugX](https://attack.mitre.org/software/S0013) is a remote access tool (RAT) that uses modular plugins. It has been used by multiple threat groups. (Citation: Lastline PlugX Analysis) (Citation: FireEye Clandestine Fox Part 2) (Citation: New DragonOK) (Citation: Dell TG-3390)", "meta": { "external_id": "S0013", "mitre_platforms": [ @@ -4124,13 +5150,15 @@ ], "refs": [ "https://attack.mitre.org/software/S0013", + "http://labs.lastline.com/an-analysis-of-plugx", "https://www.fireeye.com/blog/threat-research/2014/06/clandestine-fox-part-deux.html", "http://researchcenter.paloaltonetworks.com/2015/04/unit-42-identifies-new-dragonok-backdoor-malware-deployed-against-japanese-targets/", "https://www.secureworks.com/research/threat-group-3390-targets-organizations-for-cyberespionage", - "http://labs.lastline.com/an-analysis-of-plugx" + "http://circl.lu/assets/files/tr-12/tr-12-circl-plugx-analysis-v1.pdf" ], "synonyms": [ "PlugX", + "DestroyRAT", "Sogu", "Kaba", "Korplug" @@ -4166,35 +5194,28 @@ "type": "uses" }, { - "dest-uuid": "99709758-2b96-48f2-a68a-ad7fbd828091", + "dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "f879d51c-5476-431c-aedf-f14d207e4d1e", + "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "c21d5a77-d422-4a69-acd7-2c53c1faa34b", + "dest-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0", + "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -4208,28 +5229,21 @@ "type": "uses" }, { - "dest-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc", + "dest-uuid": "99709758-2b96-48f2-a68a-ad7fbd828091", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "830c9528-df21-472c-8c14-a036bf17d665", + "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "ff25900d-76d5-449b-a351-8824e62fc81b", + "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -4243,7 +5257,49 @@ "type": "uses" }, { - "dest-uuid": "478aa214-2ca7-4ec0-9978-18798e514790", + "dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "f879d51c-5476-431c-aedf-f14d207e4d1e", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "62dfd1ca-52d5-483c-a84b-d6e80bf94b7b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "ff25900d-76d5-449b-a351-8824e62fc81b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "830c9528-df21-472c-8c14-a036bf17d665", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -4255,13 +5311,62 @@ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" + }, + { + "dest-uuid": "478aa214-2ca7-4ec0-9978-18798e514790", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "c21d5a77-d422-4a69-acd7-2c53c1faa34b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "3489cfc5-640f-4bb3-a103-9137b97de79f", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7e150503-88e7-4861-866b-ff1ac82c4475", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "82caa33e-d11a-433a-94ea-9b5a5fbef81d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "64fa0de0-6240-41f4-8638-f4ca7ed528fd", "value": "PlugX - S0013" }, { - "description": "[Shamoon](https://attack.mitre.org/software/S0140) is malware that was first used by an Iranian group known as the \"Cutting Sword of Justice\" in 2012. The 2.0 version was seen in 2016 targeting Middle Eastern states. (Citation: FireEye Shamoon Nov 2016) (Citation: Palo Alto Shamoon Nov 2016)", + "description": "[Shamoon](https://attack.mitre.org/software/S0140) is wiper malware that was first used by an Iranian group known as the \"Cutting Sword of Justice\" in 2012. Other versions known as Shamoon 2 and Shamoon 3 were observed in 2016 and 2018. [Shamoon](https://attack.mitre.org/software/S0140) has also been seen leveraging [RawDisk](https://attack.mitre.org/software/S0364) to carry out data wiping tasks. The term Shamoon is sometimes used to refer to the group using the malware as well as the malware itself.(Citation: Palo Alto Shamoon Nov 2016)(Citation: Unit 42 Shamoon3 2018)(Citation: Symantec Shamoon 2012)(Citation: FireEye Shamoon Nov 2016)", "meta": { "external_id": "S0140", "mitre_platforms": [ @@ -4269,8 +5374,10 @@ ], "refs": [ "https://attack.mitre.org/software/S0140", - "https://www.fireeye.com/blog/threat-research/2016/11/fireeye_respondsto.html", - "http://researchcenter.paloaltonetworks.com/2016/11/unit42-shamoon-2-return-disttrack-wiper/" + "http://researchcenter.paloaltonetworks.com/2016/11/unit42-shamoon-2-return-disttrack-wiper/", + "https://unit42.paloaltonetworks.com/shamoon-3-targets-oil-gas-organization/", + "https://www.symantec.com/connect/blogs/shamoon-attacks", + "https://www.fireeye.com/blog/threat-research/2016/11/fireeye_respondsto.html" ], "synonyms": [ "Shamoon", @@ -4292,6 +5399,13 @@ ], "type": "uses" }, + { + "dest-uuid": "ca1a3f50-5ebd-41f8-8320-2c7d6a6e88be", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81", "tags": [ @@ -4300,7 +5414,63 @@ "type": "uses" }, { - "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", + "dest-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "478aa214-2ca7-4ec0-9978-18798e514790", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "e358d692-23c0-4a31-9eb6-ecc13a8d7735", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "f3c544dc-673c-4ef3-accb-53229f1ae077", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "f879d51c-5476-431c-aedf-f14d207e4d1e", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "ffe742ed-9100-4686-9e00-c331da544787", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -4321,84 +5491,7 @@ "type": "uses" }, { - "dest-uuid": "ffe742ed-9100-4686-9e00-c331da544787", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "ca1a3f50-5ebd-41f8-8320-2c7d6a6e88be", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "f879d51c-5476-431c-aedf-f14d207e4d1e", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "478aa214-2ca7-4ec0-9978-18798e514790", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "e358d692-23c0-4a31-9eb6-ecc13a8d7735", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59", + "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -4412,7 +5505,35 @@ "type": "uses" }, { - "dest-uuid": "f3c544dc-673c-4ef3-accb-53229f1ae077", + "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "d45a3d09-b3cf-48f4-9f0f-f521ee5cb05c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "b80d107d-fa0d-4b60-9684-b0433e8bdba0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "2e114e45-2c50-404c-804a-3af9564d240e", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -4472,13 +5593,6 @@ ], "type": "uses" }, - { - "dest-uuid": "f24faf46-3b26-4dbb-98f2-63460498e433", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "tags": [ @@ -4492,6 +5606,13 @@ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" + }, + { + "dest-uuid": "f24faf46-3b26-4dbb-98f2-63460498e433", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "5e7ef1dc-7fb6-4913-ac75-e06113b59e0c", @@ -4542,7 +5663,14 @@ "type": "uses" }, { - "dest-uuid": "f4882e23-8aa7-4b12-b28a-b349c12ee9e0", + "dest-uuid": "128c55d3-aeba-469f-bd3e-c8996ab4112a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "4b74a1d4-b0e9-4ef1-93f1-14ecc6e2f5b5", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -4563,14 +5691,14 @@ "type": "uses" }, { - "dest-uuid": "128c55d3-aeba-469f-bd3e-c8996ab4112a", + "dest-uuid": "f4882e23-8aa7-4b12-b28a-b349c12ee9e0", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "4b74a1d4-b0e9-4ef1-93f1-14ecc6e2f5b5", + "dest-uuid": "54456690-84de-4538-9101-643e26437e09", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -4616,7 +5744,7 @@ ], "refs": [ "https://attack.mitre.org/software/S0061", - "https://securelist.com/files/2015/05/TheNaikonAPT-MsnMM1.pdf" + "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07205555/TheNaikonAPT-MsnMM1.pdf" ], "synonyms": [ "HDoor", @@ -4651,7 +5779,8 @@ ], "refs": [ "https://attack.mitre.org/software/S0017", - "https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pdf" + "https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pdf", + "https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report-appendix.zip" ], "synonyms": [ "BISCUIT" @@ -4671,6 +5800,69 @@ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" + }, + { + "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "4b74a1d4-b0e9-4ef1-93f1-14ecc6e2f5b5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "f72eb8a8-cd4c-461d-a814-3f862befbf00", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "b8eb28e4-48a6-40ae-951a-328714f75eda", @@ -4706,20 +5898,6 @@ ], "type": "uses" }, - { - "dest-uuid": "7fd87010-3a00-4da3-b905-410525e8ec44", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", "tags": [ @@ -4727,6 +5905,41 @@ ], "type": "uses" }, + { + "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "1b84d551-6de8-4b96-9930-d177677c3b1d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7dd95ff6-712e-4056-9626-312ea4ab4c5e", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "15dbf668-795c-41e6-8219-f0447c0e64ce", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc", "tags": [ @@ -4735,7 +5948,14 @@ "type": "uses" }, { - "dest-uuid": "f4882e23-8aa7-4b12-b28a-b349c12ee9e0", + "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "970cdb5c-02fb-4c38-b17e-d6327cf3c810", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -4756,49 +5976,7 @@ "type": "uses" }, { - "dest-uuid": "15dbf668-795c-41e6-8219-f0447c0e64ce", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "7dd95ff6-712e-4056-9626-312ea4ab4c5e", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "cc7b8c4e-9be0-47ca-b0bb-83915ec3ee2f", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "c3888c54-775d-4b2f-b759-75a2ececcbfd", + "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -4812,21 +5990,35 @@ "type": "uses" }, { - "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", + "dest-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "970cdb5c-02fb-4c38-b17e-d6327cf3c810", + "dest-uuid": "c3888c54-775d-4b2f-b759-75a2ececcbfd", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "1b84d551-6de8-4b96-9930-d177677c3b1d", + "dest-uuid": "cc7b8c4e-9be0-47ca-b0bb-83915ec3ee2f", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "f4882e23-8aa7-4b12-b28a-b349c12ee9e0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7fd87010-3a00-4da3-b905-410525e8ec44", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -4878,7 +6070,7 @@ "value": "hcdLoader - S0071" }, { - "description": "[Elise](https://attack.mitre.org/software/S0081) is a custom backdoor Trojan that appears to be used exclusively by [Lotus Blossom](https://attack.mitre.org/groups/G0030). It is part of a larger group of\ntools referred to as LStudio, ST Group, and APT0LSTU. (Citation: Lotus Blossom Jun 2015)", + "description": "[Elise](https://attack.mitre.org/software/S0081) is a custom backdoor Trojan that appears to be used exclusively by [Lotus Blossom](https://attack.mitre.org/groups/G0030). It is part of a larger group of\ntools referred to as LStudio, ST Group, and APT0LSTU. (Citation: Lotus Blossom Jun 2015)(Citation: Accenture Dragonfish Jan 2018)", "meta": { "external_id": "S0081", "mitre_platforms": [ @@ -4886,7 +6078,8 @@ ], "refs": [ "https://attack.mitre.org/software/S0081", - "https://www.paloaltonetworks.com/resources/research/unit42-operation-lotus-blossom.html" + "https://www.paloaltonetworks.com/resources/research/unit42-operation-lotus-blossom.html", + "https://www.accenture.com/t20180127T003755Z_w_/us-en/_acnmedia/PDF-46/Accenture-Security-Dragonfish-Threat-Analysis.pdf" ], "synonyms": [ "Elise", @@ -4917,21 +6110,7 @@ "type": "uses" }, { - "dest-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "322bad5a-1c49-4d23-ab79-76d641794afa", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "62b8c999-dcc0-4755-bd69-09442d9359f5", + "dest-uuid": "cc7b8c4e-9be0-47ca-b0bb-83915ec3ee2f", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -4945,56 +6124,21 @@ "type": "uses" }, { - "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", + "dest-uuid": "322bad5a-1c49-4d23-ab79-76d641794afa", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d", + "dest-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "cc7b8c4e-9be0-47ca-b0bb-83915ec3ee2f", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "128c55d3-aeba-469f-bd3e-c8996ab4112a", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "72b74d71-8169-42aa-92e0-e7b04b9f5a08", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "4b74a1d4-b0e9-4ef1-93f1-14ecc6e2f5b5", + "dest-uuid": "7dd95ff6-712e-4056-9626-312ea4ab4c5e", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -5007,12 +6151,89 @@ ], "type": "uses" }, + { + "dest-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "62b8c999-dcc0-4755-bd69-09442d9359f5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "4b74a1d4-b0e9-4ef1-93f1-14ecc6e2f5b5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" + }, + { + "dest-uuid": "128c55d3-aeba-469f-bd3e-c8996ab4112a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "72b74d71-8169-42aa-92e0-e7b04b9f5a08", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "7551188b-8f91-4d34-8350-0d0c57b2b913", @@ -5042,27 +6263,6 @@ ], "type": "uses" }, - { - "dest-uuid": "428ca9f8-0e33-442a-be87-f869cb4cf73e", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "72b74d71-8169-42aa-92e0-e7b04b9f5a08", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", "tags": [ @@ -5070,34 +6270,6 @@ ], "type": "uses" }, - { - "dest-uuid": "dd43c543-bb85-4a6f-aa6e-160d90d06a49", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "7e150503-88e7-4861-866b-ff1ac82c4475", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "322bad5a-1c49-4d23-ab79-76d641794afa", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d", "tags": [ @@ -5105,12 +6277,61 @@ ], "type": "uses" }, + { + "dest-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7e150503-88e7-4861-866b-ff1ac82c4475", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "428ca9f8-0e33-442a-be87-f869cb4cf73e", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "dd43c543-bb85-4a6f-aa6e-160d90d06a49", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "e358d692-23c0-4a31-9eb6-ecc13a8d7735", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" + }, + { + "dest-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "72b74d71-8169-42aa-92e0-e7b04b9f5a08", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "322bad5a-1c49-4d23-ab79-76d641794afa", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "6a0ef5d4-fc7c-4dda-85d7-592e4dbdc5d9", @@ -5156,42 +6377,7 @@ "type": "uses" }, { - "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "c848fcf7-6b62-4bde-8216-b6c157d48da0", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", + "dest-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -5204,34 +6390,6 @@ ], "type": "uses" }, - { - "dest-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "7e150503-88e7-4861-866b-ff1ac82c4475", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4", "tags": [ @@ -5240,42 +6398,7 @@ "type": "uses" }, { - "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "62dfd1ca-52d5-483c-a84b-d6e80bf94b7b", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "478aa214-2ca7-4ec0-9978-18798e514790", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "f879d51c-5476-431c-aedf-f14d207e4d1e", + "dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -5288,6 +6411,41 @@ ], "type": "uses" }, + { + "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "62dfd1ca-52d5-483c-a84b-d6e80bf94b7b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "f879d51c-5476-431c-aedf-f14d207e4d1e", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "cc7b8c4e-9be0-47ca-b0bb-83915ec3ee2f", "tags": [ @@ -5295,6 +6453,69 @@ ], "type": "uses" }, + { + "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "c848fcf7-6b62-4bde-8216-b6c157d48da0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7e150503-88e7-4861-866b-ff1ac82c4475", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "478aa214-2ca7-4ec0-9978-18798e514790", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0", "tags": [ @@ -5347,12 +6568,138 @@ ], "type": "uses" }, + { + "dest-uuid": "b9f5dbe2-4c55-4fc5-af2e-d42c1d182ec4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "322bad5a-1c49-4d23-ab79-76d641794afa", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "e358d692-23c0-4a31-9eb6-ecc13a8d7735", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "f3c544dc-673c-4ef3-accb-53229f1ae077", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7e150503-88e7-4861-866b-ff1ac82c4475", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "72b74d71-8169-42aa-92e0-e7b04b9f5a08", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "241814ae-de3f-4656-b49e-f9a80764d4b7", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "4b74a1d4-b0e9-4ef1-93f1-14ecc6e2f5b5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "d54416bd-0803-41ca-870a-ce1af7c05638", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "15dbf668-795c-41e6-8219-f0447c0e64ce", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "1b84d551-6de8-4b96-9930-d177677c3b1d", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" + }, + { + "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "6b62e336-176f-417b-856a-8552dd8c44e1", @@ -5396,14 +6743,7 @@ "type": "uses" }, { - "dest-uuid": "731f4f55-b6d0-41d1-a7a9-072a66389aea", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "ffe742ed-9100-4686-9e00-c331da544787", + "dest-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -5424,7 +6764,7 @@ "type": "uses" }, { - "dest-uuid": "1b84d551-6de8-4b96-9930-d177677c3b1d", + "dest-uuid": "3257eb21-f9a7-4430-8de1-d8b6e288f529", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -5437,6 +6777,13 @@ ], "type": "uses" }, + { + "dest-uuid": "731f4f55-b6d0-41d1-a7a9-072a66389aea", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "c21d5a77-d422-4a69-acd7-2c53c1faa34b", "tags": [ @@ -5445,14 +6792,14 @@ "type": "uses" }, { - "dest-uuid": "3257eb21-f9a7-4430-8de1-d8b6e288f529", + "dest-uuid": "ffe742ed-9100-4686-9e00-c331da544787", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2", + "dest-uuid": "1b84d551-6de8-4b96-9930-d177677c3b1d", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -5485,13 +6832,6 @@ ], "type": "uses" }, - { - "dest-uuid": "4b74a1d4-b0e9-4ef1-93f1-14ecc6e2f5b5", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "84e02621-8fdf-470f-bd58-993bb6a89d91", "tags": [ @@ -5507,14 +6847,21 @@ "type": "uses" }, { - "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", + "dest-uuid": "a93494bb-4b80-4ea1-8695-3236a49916fd", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "a93494bb-4b80-4ea1-8695-3236a49916fd", + "dest-uuid": "4b74a1d4-b0e9-4ef1-93f1-14ecc6e2f5b5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -5596,14 +6943,14 @@ "type": "uses" }, { - "dest-uuid": "4b74a1d4-b0e9-4ef1-93f1-14ecc6e2f5b5", + "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", + "dest-uuid": "4b74a1d4-b0e9-4ef1-93f1-14ecc6e2f5b5", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -5614,7 +6961,7 @@ "value": "adbupd - S0202" }, { - "description": "[CHOPSTICK](https://attack.mitre.org/software/S0023) is a malware family of modular backdoors used by [APT28](https://attack.mitre.org/groups/G0007). It has been used since at least 2012 and is usually dropped on victims as second-stage malware, though it has been used as first-stage malware in several cases. It has both Windows and Linux variants. (Citation: FireEye APT28) (Citation: ESET Sednit Part 2) (Citation: FireEye APT28 January 2017) (Citation: DOJ GRU Indictment Jul 2018) It is tracked separately from the [Android version of the malware](https://attack.mitre.org/software/S0314).", + "description": "[CHOPSTICK](https://attack.mitre.org/software/S0023) is a malware family of modular backdoors used by [APT28](https://attack.mitre.org/groups/G0007). It has been used since at least 2012 and is usually dropped on victims as second-stage malware, though it has been used as first-stage malware in several cases. It has both Windows and Linux variants. (Citation: FireEye APT28) (Citation: ESET Sednit Part 2) (Citation: FireEye APT28 January 2017) (Citation: DOJ GRU Indictment Jul 2018) It is tracked separately from the [X-Agent for Android](https://attack.mitre.org/software/S0314).", "meta": { "external_id": "S0023", "mitre_platforms": [ @@ -5626,10 +6973,12 @@ "https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-apt28.pdf", "http://www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part-2.pdf", "https://www2.fireeye.com/rs/848-DID-242/images/APT28-Center-of-Storm-2017.pdf", - "https://www.justice.gov/file/1080281/download" + "https://www.justice.gov/file/1080281/download", + "https://www.symantec.com/blogs/election-security/apt28-espionage-military-government" ], "synonyms": [ "CHOPSTICK", + "Backdoor.SofacyX", "SPLM", "Xagent", "X-Agent", @@ -5672,20 +7021,6 @@ ], "type": "uses" }, - { - "dest-uuid": "3b744087-9945-4a6f-91e8-9dbceda417a4", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "f24faf46-3b26-4dbb-98f2-63460498e433", "tags": [ @@ -5694,7 +7029,28 @@ "type": "uses" }, { - "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4", + "dest-uuid": "64196062-5210-42c3-9a02-563a0d1797ef", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "3b744087-9945-4a6f-91e8-9dbceda417a4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "4b74a1d4-b0e9-4ef1-93f1-14ecc6e2f5b5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -5715,14 +7071,7 @@ "type": "uses" }, { - "dest-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", + "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -5736,14 +7085,7 @@ "type": "uses" }, { - "dest-uuid": "64196062-5210-42c3-9a02-563a0d1797ef", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", + "dest-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -5757,7 +7099,28 @@ "type": "uses" }, { - "dest-uuid": "4b74a1d4-b0e9-4ef1-93f1-14ecc6e2f5b5", + "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "54456690-84de-4538-9101-643e26437e09", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "82caa33e-d11a-433a-94ea-9b5a5fbef81d", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -5768,7 +7131,7 @@ "value": "CHOPSTICK - S0023" }, { - "description": "[DroidJack RAT](https://attack.mitre.org/software/S0320) is an Android remote access tool that has been observed posing as legitimate applications including the Super Mario Run and Pokemon GO games. (Citation: Zscaler-SuperMarioRun) (Citation: Proofpoint-Droidjack)", + "description": "[DroidJack](https://attack.mitre.org/software/S0320) is an Android remote access tool that has been observed posing as legitimate applications including the Super Mario Run and Pokemon GO games. (Citation: Zscaler-SuperMarioRun) (Citation: Proofpoint-Droidjack)", "meta": { "external_id": "S0320", "mitre_platforms": [ @@ -5792,14 +7155,14 @@ "type": "uses" }, { - "dest-uuid": "79eec66a-9bd0-4a3f-ac82-19159e94bd44", + "dest-uuid": "6683aa0c-d98a-4f5b-ac57-ca7e9934a760", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "6683aa0c-d98a-4f5b-ac57-ca7e9934a760", + "dest-uuid": "79eec66a-9bd0-4a3f-ac82-19159e94bd44", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -5869,20 +7232,6 @@ ], "type": "uses" }, - { - "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "322bad5a-1c49-4d23-ab79-76d641794afa", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896", "tags": [ @@ -5890,6 +7239,27 @@ ], "type": "uses" }, + { + "dest-uuid": "dcaa092b-7de9-4a21-977f-7fcb77e89c48", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "tags": [ @@ -5898,14 +7268,21 @@ "type": "uses" }, { - "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", + "dest-uuid": "322bad5a-1c49-4d23-ab79-76d641794afa", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "799ace7f-e227-4411-baa0-8868704f2a69", + "dest-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -5925,20 +7302,6 @@ ], "type": "uses" }, - { - "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "a19e86f8-1c0a-4fea-8407-23b73d615776", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "f44731de-ea9f-406d-9b83-30ecbb9b4392", "tags": [ @@ -5946,34 +7309,6 @@ ], "type": "uses" }, - { - "dest-uuid": "dcaa092b-7de9-4a21-977f-7fcb77e89c48", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", "tags": [ @@ -5981,6 +7316,27 @@ ], "type": "uses" }, + { + "dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "a19e86f8-1c0a-4fea-8407-23b73d615776", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "0a5231ec-41af-4a35-83d0-6bdf11f28c65", "tags": [ @@ -5989,7 +7345,14 @@ "type": "uses" }, { - "dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5", + "dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "799ace7f-e227-4411-baa0-8868704f2a69", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -6037,13 +7400,6 @@ ], "type": "uses" }, - { - "dest-uuid": "ca1a3f50-5ebd-41f8-8320-2c7d6a6e88be", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "tags": [ @@ -6051,20 +7407,6 @@ ], "type": "uses" }, - { - "dest-uuid": "b2001907-166b-4d71-bb3c-9d26c871de09", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "6ff403bc-93e3-48be-8687-e102fdba8c88", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", "tags": [ @@ -6073,28 +7415,7 @@ "type": "uses" }, { - "dest-uuid": "519630c5-f03f-4882-825c-3af924935817", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", + "dest-uuid": "ca1a3f50-5ebd-41f8-8320-2c7d6a6e88be", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -6114,12 +7435,54 @@ ], "type": "uses" }, + { + "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "519630c5-f03f-4882-825c-3af924935817", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "6ff403bc-93e3-48be-8687-e102fdba8c88", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "b2001907-166b-4d71-bb3c-9d26c871de09", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" + }, + { + "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "4ab44516-ad75-4e43-a280-705dc0420e2f", @@ -6147,6 +7510,13 @@ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" + }, + { + "dest-uuid": "830c9528-df21-472c-8c14-a036bf17d665", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "41e3fd01-7b83-471f-835d-d2b1dc9a770c", @@ -6176,7 +7546,7 @@ "type": "uses" }, { - "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", + "dest-uuid": "f879d51c-5476-431c-aedf-f14d207e4d1e", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -6190,7 +7560,7 @@ "type": "uses" }, { - "dest-uuid": "f879d51c-5476-431c-aedf-f14d207e4d1e", + "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -6210,8 +7580,8 @@ "refs": [ "https://attack.mitre.org/software/S0240", "https://blog.talosintelligence.com/2017/04/introducing-rokrat.html", - "https://blog.talosintelligence.com/2017/11/ROKRAT-Reloaded.html", - "https://blog.talosintelligence.com/2018/01/korea-in-crosshairs.html" + "https://blog.talosintelligence.com/2018/01/korea-in-crosshairs.html", + "https://blog.talosintelligence.com/2017/11/ROKRAT-Reloaded.html" ], "synonyms": [ "ROKRAT" @@ -6219,7 +7589,28 @@ }, "related": [ { - "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", + "dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "241814ae-de3f-4656-b49e-f9a80764d4b7", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -6240,21 +7631,7 @@ "type": "uses" }, { - "dest-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "241814ae-de3f-4656-b49e-f9a80764d4b7", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688", + "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -6268,21 +7645,7 @@ "type": "uses" }, { - "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", + "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -6294,6 +7657,20 @@ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" + }, + { + "dest-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "82caa33e-d11a-433a-94ea-9b5a5fbef81d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "60a9c2f0-b7a5-4e8e-959c-e1a3ff314a5f", @@ -6323,13 +7700,6 @@ ], "type": "uses" }, - { - "dest-uuid": "f879d51c-5476-431c-aedf-f14d207e4d1e", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc", "tags": [ @@ -6344,6 +7714,13 @@ ], "type": "uses" }, + { + "dest-uuid": "f879d51c-5476-431c-aedf-f14d207e4d1e", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "tags": [ @@ -6392,6 +7769,13 @@ ], "type": "uses" }, + { + "dest-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "tags": [ @@ -6399,20 +7783,6 @@ ], "type": "uses" }, - { - "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "478aa214-2ca7-4ec0-9978-18798e514790", "tags": [ @@ -6421,7 +7791,21 @@ "type": "uses" }, { - "dest-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d", + "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "82caa33e-d11a-433a-94ea-9b5a5fbef81d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -6460,6 +7844,13 @@ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" + }, + { + "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "5a84dc36-df0d-4053-9b7c-f0c388a57283", @@ -6551,20 +7942,6 @@ ], "type": "uses" }, - { - "dest-uuid": "f879d51c-5476-431c-aedf-f14d207e4d1e", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "478aa214-2ca7-4ec0-9978-18798e514790", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "f72eb8a8-cd4c-461d-a814-3f862befbf00", "tags": [ @@ -6572,12 +7949,26 @@ ], "type": "uses" }, + { + "dest-uuid": "f879d51c-5476-431c-aedf-f14d207e4d1e", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" + }, + { + "dest-uuid": "478aa214-2ca7-4ec0-9978-18798e514790", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "48523614-309e-43bf-a2b8-705c2b45d7b2", @@ -6651,7 +8042,7 @@ "type": "uses" }, { - "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", + "dest-uuid": "f24faf46-3b26-4dbb-98f2-63460498e433", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -6665,28 +8056,7 @@ "type": "uses" }, { - "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "f24faf46-3b26-4dbb-98f2-63460498e433", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "241814ae-de3f-4656-b49e-f9a80764d4b7", + "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -6700,14 +8070,21 @@ "type": "uses" }, { - "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", + "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "3b744087-9945-4a6f-91e8-9dbceda417a4", + "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "241814ae-de3f-4656-b49e-f9a80764d4b7", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -6721,7 +8098,21 @@ "type": "uses" }, { - "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", + "dest-uuid": "3b744087-9945-4a6f-91e8-9dbceda417a4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -6748,28 +8139,7 @@ }, "related": [ { - "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "731f4f55-b6d0-41d1-a7a9-072a66389aea", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "b9f5dbe2-4c55-4fc5-af2e-d42c1d182ec4", + "dest-uuid": "3489cfc5-640f-4bb3-a103-9137b97de79f", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -6783,28 +8153,7 @@ "type": "uses" }, { - "dest-uuid": "7dd95ff6-712e-4056-9626-312ea4ab4c5e", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "f879d51c-5476-431c-aedf-f14d207e4d1e", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "3489cfc5-640f-4bb3-a103-9137b97de79f", + "dest-uuid": "30208d3e-0d6b-43c8-883e-44462a514619", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -6818,28 +8167,21 @@ "type": "uses" }, { - "dest-uuid": "2e0dd10b-676d-4964-acd0-8a404c92b044", + "dest-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", + "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "3b3cbbe0-6ed3-4334-b543-3ddfd8c5642d", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", + "dest-uuid": "6faf650d-bf31-4eb4-802d-1000cf38efaf", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -6859,48 +8201,6 @@ ], "type": "uses" }, - { - "dest-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "30208d3e-0d6b-43c8-883e-44462a514619", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "128c55d3-aeba-469f-bd3e-c8996ab4112a", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "1035cdf2-3e5f-446f-a7a7-e8f6d7925967", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "ca1a3f50-5ebd-41f8-8320-2c7d6a6e88be", "tags": [ @@ -6909,7 +8209,7 @@ "type": "uses" }, { - "dest-uuid": "72b74d71-8169-42aa-92e0-e7b04b9f5a08", + "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -6923,14 +8223,49 @@ "type": "uses" }, { - "dest-uuid": "46944654-fcc1-4f63-9dad-628102376586", + "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", + "dest-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "72b74d71-8169-42aa-92e0-e7b04b9f5a08", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "f879d51c-5476-431c-aedf-f14d207e4d1e", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -6944,14 +8279,56 @@ "type": "uses" }, { - "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", + "dest-uuid": "2e0dd10b-676d-4964-acd0-8a404c92b044", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "6faf650d-bf31-4eb4-802d-1000cf38efaf", + "dest-uuid": "128c55d3-aeba-469f-bd3e-c8996ab4112a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "46944654-fcc1-4f63-9dad-628102376586", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "1035cdf2-3e5f-446f-a7a7-e8f6d7925967", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "731f4f55-b6d0-41d1-a7a9-072a66389aea", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "3b3cbbe0-6ed3-4334-b543-3ddfd8c5642d", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -6965,7 +8342,21 @@ "type": "uses" }, { - "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", + "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7dd95ff6-712e-4056-9626-312ea4ab4c5e", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "b9f5dbe2-4c55-4fc5-af2e-d42c1d182ec4", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -7014,14 +8405,14 @@ "type": "uses" }, { - "dest-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d", + "dest-uuid": "478aa214-2ca7-4ec0-9978-18798e514790", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "478aa214-2ca7-4ec0-9978-18798e514790", + "dest-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -7062,35 +8453,7 @@ "type": "uses" }, { - "dest-uuid": "128c55d3-aeba-469f-bd3e-c8996ab4112a", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "c16e5409-ee53-4d79-afdc-4099dc9292df", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "b2001907-166b-4d71-bb3c-9d26c871de09", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2", + "dest-uuid": "d54416bd-0803-41ca-870a-ce1af7c05638", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -7104,7 +8467,35 @@ "type": "uses" }, { - "dest-uuid": "d54416bd-0803-41ca-870a-ce1af7c05638", + "dest-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "128c55d3-aeba-469f-bd3e-c8996ab4112a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "b2001907-166b-4d71-bb3c-9d26c871de09", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "c16e5409-ee53-4d79-afdc-4099dc9292df", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -7115,7 +8506,7 @@ "value": "OwaAuth - S0072" }, { - "description": "[RogueRobin](https://attack.mitre.org/software/S0270) is a custom PowerShell-based payload used by [DarkHydrus](https://attack.mitre.org/groups/G0079). (Citation: Unit 42 DarkHydrus July 2018)", + "description": "[RogueRobin](https://attack.mitre.org/software/S0270) is a payload used by [DarkHydrus](https://attack.mitre.org/groups/G0079) that has been developed in PowerShell and C#. (Citation: Unit 42 DarkHydrus July 2018)(Citation: Unit42 DarkHydrus Jan 2019)", "meta": { "external_id": "S0270", "mitre_platforms": [ @@ -7123,7 +8514,8 @@ ], "refs": [ "https://attack.mitre.org/software/S0270", - "https://researchcenter.paloaltonetworks.com/2018/07/unit42-new-threat-actor-group-darkhydrus-targets-middle-east-government/" + "https://researchcenter.paloaltonetworks.com/2018/07/unit42-new-threat-actor-group-darkhydrus-targets-middle-east-government/", + "https://unit42.paloaltonetworks.com/darkhydrus-delivers-new-trojan-that-can-use-google-drive-for-c2-communications/" ], "synonyms": [ "RogueRobin" @@ -7131,35 +8523,7 @@ }, "related": [ { - "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "f72eb8a8-cd4c-461d-a814-3f862befbf00", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", + "dest-uuid": "970cdb5c-02fb-4c38-b17e-d6327cf3c810", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -7173,42 +8537,7 @@ "type": "uses" }, { - "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "241814ae-de3f-4656-b49e-f9a80764d4b7", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055", + "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -7221,6 +8550,27 @@ ], "type": "uses" }, + { + "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", "tags": [ @@ -7229,7 +8579,7 @@ "type": "uses" }, { - "dest-uuid": "970cdb5c-02fb-4c38-b17e-d6327cf3c810", + "dest-uuid": "241814ae-de3f-4656-b49e-f9a80764d4b7", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -7241,6 +8591,76 @@ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" + }, + { + "dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "f72eb8a8-cd4c-461d-a814-3f862befbf00", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "830c9528-df21-472c-8c14-a036bf17d665", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "82caa33e-d11a-433a-94ea-9b5a5fbef81d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "68f7e3a1-f09f-4164-9a62-16b648a0dd5a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "8ec6e3b4-b06d-4805-b6aa-af916acc2122", @@ -7271,7 +8691,7 @@ "type": "uses" }, { - "dest-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc", + "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -7285,7 +8705,7 @@ "type": "uses" }, { - "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", + "dest-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -7395,14 +8815,21 @@ "type": "uses" }, { - "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", + "dest-uuid": "519630c5-f03f-4882-825c-3af924935817", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", + "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -7416,7 +8843,7 @@ "type": "uses" }, { - "dest-uuid": "3b3cbbe0-6ed3-4334-b543-3ddfd8c5642d", + "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -7436,34 +8863,6 @@ ], "type": "uses" }, - { - "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "15dbf668-795c-41e6-8219-f0447c0e64ce", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "322bad5a-1c49-4d23-ab79-76d641794afa", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d", "tags": [ @@ -7479,7 +8878,28 @@ "type": "uses" }, { - "dest-uuid": "519630c5-f03f-4882-825c-3af924935817", + "dest-uuid": "15dbf668-795c-41e6-8219-f0447c0e64ce", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "3b3cbbe0-6ed3-4334-b543-3ddfd8c5642d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "322bad5a-1c49-4d23-ab79-76d641794afa", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -7506,14 +8926,7 @@ }, "related": [ { - "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", + "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -7526,6 +8939,13 @@ ], "type": "uses" }, + { + "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "46944654-fcc1-4f63-9dad-628102376586", "tags": [ @@ -7534,14 +8954,14 @@ "type": "uses" }, { - "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", + "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", + "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -7575,13 +8995,6 @@ ], "type": "uses" }, - { - "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "tags": [ @@ -7597,7 +9010,7 @@ "type": "uses" }, { - "dest-uuid": "6e6845c2-347a-4a6f-a2d1-b74a18ebd352", + "dest-uuid": "f879d51c-5476-431c-aedf-f14d207e4d1e", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -7611,14 +9024,21 @@ "type": "uses" }, { - "dest-uuid": "f879d51c-5476-431c-aedf-f14d207e4d1e", + "dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5", + "dest-uuid": "6e6845c2-347a-4a6f-a2d1-b74a18ebd352", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -7689,14 +9109,14 @@ "type": "uses" }, { - "dest-uuid": "f981d199-2720-467e-9dc9-eea04dbe05cf", + "dest-uuid": "351c0927-2fc1-4a2c-ad84-cbbee7eb8172", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "351c0927-2fc1-4a2c-ad84-cbbee7eb8172", + "dest-uuid": "f981d199-2720-467e-9dc9-eea04dbe05cf", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -7868,14 +9288,7 @@ "type": "uses" }, { - "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "f72eb8a8-cd4c-461d-a814-3f862befbf00", + "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -7889,14 +9302,21 @@ "type": "uses" }, { - "dest-uuid": "c21d5a77-d422-4a69-acd7-2c53c1faa34b", + "dest-uuid": "4b74a1d4-b0e9-4ef1-93f1-14ecc6e2f5b5", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", + "dest-uuid": "92d7da27-2d91-488e-a00c-059dc162766d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "c21d5a77-d422-4a69-acd7-2c53c1faa34b", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -7917,14 +9337,14 @@ "type": "uses" }, { - "dest-uuid": "4b74a1d4-b0e9-4ef1-93f1-14ecc6e2f5b5", + "dest-uuid": "f72eb8a8-cd4c-461d-a814-3f862befbf00", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "92d7da27-2d91-488e-a00c-059dc162766d", + "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -7934,6 +9354,89 @@ "uuid": "53cf6cc4-65aa-445a-bcf8-c3d296f8a7a2", "value": "NETEAGLE - S0034" }, + { + "description": "[Octopus](https://attack.mitre.org/software/S0340) is a Windows Trojan.(Citation: Securelist Octopus Oct 2018)", + "meta": { + "external_id": "S0340", + "mitre_platforms": [ + "Windows" + ], + "refs": [ + "https://attack.mitre.org/software/S0340", + "https://securelist.com/octopus-infested-seas-of-central-asia/88200/" + ], + "synonyms": [ + "Octopus" + ] + }, + "related": [ + { + "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "cc7b8c4e-9be0-47ca-b0bb-83915ec3ee2f", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + } + ], + "uuid": "e2031fd5-02c2-43d4-85e2-b64f474530c2", + "value": "Octopus - S0340" + }, { "description": "[SPACESHIP](https://attack.mitre.org/software/S0035) is malware developed by [APT30](https://attack.mitre.org/groups/G0013) that allows propagation and exfiltration of data over removable devices. [APT30](https://attack.mitre.org/groups/G0013) may use this capability to exfiltrate data across air-gaps. (Citation: FireEye APT30)", "meta": { @@ -7965,14 +9468,14 @@ "type": "uses" }, { - "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", + "dest-uuid": "7dd95ff6-712e-4056-9626-312ea4ab4c5e", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "7dd95ff6-712e-4056-9626-312ea4ab4c5e", + "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -8029,21 +9532,7 @@ "type": "uses" }, { - "dest-uuid": "e906ae4d-1d3a-4675-be23-22f7311c0da4", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", + "dest-uuid": "b9f5dbe2-4c55-4fc5-af2e-d42c1d182ec4", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -8056,6 +9545,13 @@ ], "type": "uses" }, + { + "dest-uuid": "a257ed11-ff3b-4216-8c9d-3938ef57064c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "970cdb5c-02fb-4c38-b17e-d6327cf3c810", "tags": [ @@ -8064,7 +9560,49 @@ "type": "uses" }, { - "dest-uuid": "b9f5dbe2-4c55-4fc5-af2e-d42c1d182ec4", + "dest-uuid": "4b74a1d4-b0e9-4ef1-93f1-14ecc6e2f5b5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "6ff403bc-93e3-48be-8687-e102fdba8c88", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "e906ae4d-1d3a-4675-be23-22f7311c0da4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "cc7b8c4e-9be0-47ca-b0bb-83915ec3ee2f", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -8085,28 +9623,97 @@ "type": "uses" }, { - "dest-uuid": "cc7b8c4e-9be0-47ca-b0bb-83915ec3ee2f", + "dest-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "a257ed11-ff3b-4216-8c9d-3938ef57064c", + "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + } + ], + "uuid": "67e6d66b-1b82-4699-b47a-e2efb6268d14", + "value": "SeaDuke - S0053" + }, + { + "description": "[zwShell](https://attack.mitre.org/software/S0350) is a remote access tool (RAT) written in Delphi that has been used by [Night Dragon](https://attack.mitre.org/groups/G0014).(Citation: McAfee Night Dragon)", + "meta": { + "external_id": "S0350", + "mitre_platforms": [ + "Windows" + ], + "refs": [ + "https://attack.mitre.org/software/S0350", + "https://securingtomorrow.mcafee.com/wp-content/uploads/2011/02/McAfee_NightDragon_wp_draft_to_customersv1-1.pdf" + ], + "synonyms": [ + "zwShell" + ] + }, + "related": [ + { + "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81", + "dest-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "4b74a1d4-b0e9-4ef1-93f1-14ecc6e2f5b5", + "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "51dea151-0898-4a45-967c-3ebee0420484", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "ffe742ed-9100-4686-9e00-c331da544787", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -8120,7 +9727,49 @@ "type": "uses" }, { - "dest-uuid": "6ff403bc-93e3-48be-8687-e102fdba8c88", + "dest-uuid": "478aa214-2ca7-4ec0-9978-18798e514790", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + } + ], + "uuid": "54e8672d-5338-4ad1-954a-a7c986bee530", + "value": "zwShell - S0350" + }, + { + "description": "[BONDUPDATER](https://attack.mitre.org/software/S0360) is a PowerShell backdoor used by [OilRig](https://attack.mitre.org/groups/G0049). It was first observed in November 2017 during targeting of a Middle Eastern government organization, and an updated version was observed in August 2018 being used to target a government organization with spearphishing emails.(Citation: FireEye APT34 Dec 2017)(Citation: Palo Alto OilRig Sep 2018)", + "meta": { + "external_id": "S0360", + "mitre_platforms": [ + "Windows" + ], + "refs": [ + "https://attack.mitre.org/software/S0360", + "https://www.fireeye.com/blog/threat-research/2017/12/targeted-attack-in-middle-east-by-apt34.html", + "https://unit42.paloaltonetworks.com/unit42-oilrig-uses-updated-bondupdater-target-middle-eastern-government/" + ], + "synonyms": [ + "BONDUPDATER" + ] + }, + "related": [ + { + "dest-uuid": "54456690-84de-4538-9101-643e26437e09", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -8132,10 +9781,24 @@ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" + }, + { + "dest-uuid": "f4882e23-8aa7-4b12-b28a-b349c12ee9e0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], - "uuid": "67e6d66b-1b82-4699-b47a-e2efb6268d14", - "value": "SeaDuke - S0053" + "uuid": "d5268dfb-ae2b-4e0e-ac07-02a460613d8a", + "value": "BONDUPDATER - S0360" }, { "description": "[FLASHFLOOD](https://attack.mitre.org/software/S0036) is malware developed by [APT30](https://attack.mitre.org/groups/G0013) that allows propagation and exfiltration of data over removable devices. [APT30](https://attack.mitre.org/groups/G0013) may use this capability to exfiltrate data across air-gaps. (Citation: FireEye APT30)", @@ -8160,6 +9823,13 @@ ], "type": "uses" }, + { + "dest-uuid": "7dd95ff6-712e-4056-9626-312ea4ab4c5e", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "1b7ba276-eedc-4951-a762-0ceea2c030ec", "tags": [ @@ -8174,13 +9844,6 @@ ], "type": "uses" }, - { - "dest-uuid": "7dd95ff6-712e-4056-9626-312ea4ab4c5e", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc", "tags": [ @@ -8232,6 +9895,13 @@ ], "type": "uses" }, + { + "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "e358d692-23c0-4a31-9eb6-ecc13a8d7735", "tags": [ @@ -8239,20 +9909,6 @@ ], "type": "uses" }, - { - "dest-uuid": "7e150503-88e7-4861-866b-ff1ac82c4475", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "72b74d71-8169-42aa-92e0-e7b04b9f5a08", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", "tags": [ @@ -8261,7 +9917,14 @@ "type": "uses" }, { - "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", + "dest-uuid": "72b74d71-8169-42aa-92e0-e7b04b9f5a08", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7e150503-88e7-4861-866b-ff1ac82c4475", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -8297,20 +9960,6 @@ ], "type": "uses" }, - { - "dest-uuid": "ad255bfe-a9e6-4b52-a258-8d3462abe842", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "f4882e23-8aa7-4b12-b28a-b349c12ee9e0", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "830c9528-df21-472c-8c14-a036bf17d665", "tags": [ @@ -8318,6 +9967,13 @@ ], "type": "uses" }, + { + "dest-uuid": "ad255bfe-a9e6-4b52-a258-8d3462abe842", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "a19e86f8-1c0a-4fea-8407-23b73d615776", "tags": [ @@ -8331,6 +9987,13 @@ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" + }, + { + "dest-uuid": "f4882e23-8aa7-4b12-b28a-b349c12ee9e0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "2daa14d6-cbf3-4308-bb8e-213c324a08e4", @@ -8364,6 +10027,65 @@ "uuid": "56f46b17-8cfa-46c0-b501-dd52fef394e2", "value": "ASPXSpy - S0073" }, + { + "description": "[SamSam](https://attack.mitre.org/software/S0370) is ransomware that appeared in early 2016. Unlike some ransomware, its variants have required operators to manually interact with the malware to execute some of its core components.(Citation: US-CERT SamSam 2018)(Citation: Talos SamSam Jan 2018)(Citation: Sophos SamSam Apr 2018)(Citation: Symantec SamSam Oct 2018)", + "meta": { + "external_id": "S0370", + "mitre_platforms": [ + "Windows" + ], + "refs": [ + "https://attack.mitre.org/software/S0370", + "https://www.us-cert.gov/ncas/alerts/AA18-337A", + "https://blog.talosintelligence.com/2018/01/samsam-evolution-continues-netting-over.html", + "https://www.sophos.com/en-us/medialibrary/PDFs/technical-papers/SamSam-ransomware-chooses-Its-targets-carefully-wpna.pdf", + "https://www.symantec.com/blogs/threat-intelligence/samsam-targeted-ransomware-attacks" + ], + "synonyms": [ + "SamSam", + "Samas" + ] + }, + "related": [ + { + "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "519630c5-f03f-4882-825c-3af924935817", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "b80d107d-fa0d-4b60-9684-b0433e8bdba0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7fd87010-3a00-4da3-b905-410525e8ec44", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + } + ], + "uuid": "4d56e6e9-1a6d-46e3-896c-dfdf3cc96e62", + "value": "SamSam - S0370" + }, { "description": "[Duqu](https://attack.mitre.org/software/S0038) is a malware platform that uses a modular approach to extend functionality after deployment within a target network. (Citation: Symantec W32.Duqu)", "meta": { @@ -8394,34 +10116,6 @@ ], "type": "uses" }, - { - "dest-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "ad255bfe-a9e6-4b52-a258-8d3462abe842", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "b9f5dbe2-4c55-4fc5-af2e-d42c1d182ec4", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "4ae4f953-fe58-4cc8-a327-33257e30a830", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "dcaa092b-7de9-4a21-977f-7fcb77e89c48", "tags": [ @@ -8430,21 +10124,7 @@ "type": "uses" }, { - "dest-uuid": "4b74a1d4-b0e9-4ef1-93f1-14ecc6e2f5b5", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "72b74d71-8169-42aa-92e0-e7b04b9f5a08", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2", + "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -8458,7 +10138,28 @@ "type": "uses" }, { - "dest-uuid": "731f4f55-b6d0-41d1-a7a9-072a66389aea", + "dest-uuid": "f72eb8a8-cd4c-461d-a814-3f862befbf00", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "4ae4f953-fe58-4cc8-a327-33257e30a830", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "72b74d71-8169-42aa-92e0-e7b04b9f5a08", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "b9f5dbe2-4c55-4fc5-af2e-d42c1d182ec4", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -8471,6 +10172,27 @@ ], "type": "uses" }, + { + "dest-uuid": "478aa214-2ca7-4ec0-9978-18798e514790", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "ad255bfe-a9e6-4b52-a258-8d3462abe842", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "ffe742ed-9100-4686-9e00-c331da544787", "tags": [ @@ -8492,34 +10214,6 @@ ], "type": "uses" }, - { - "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "478aa214-2ca7-4ec0-9978-18798e514790", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "f72eb8a8-cd4c-461d-a814-3f862befbf00", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "d54416bd-0803-41ca-870a-ce1af7c05638", "tags": [ @@ -8527,6 +10221,27 @@ ], "type": "uses" }, + { + "dest-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "731f4f55-b6d0-41d1-a7a9-072a66389aea", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", "tags": [ @@ -8535,7 +10250,21 @@ "type": "uses" }, { - "dest-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9", + "dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "4b74a1d4-b0e9-4ef1-93f1-14ecc6e2f5b5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -8575,48 +10304,6 @@ ], "type": "uses" }, - { - "dest-uuid": "799ace7f-e227-4411-baa0-8868704f2a69", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "128c55d3-aeba-469f-bd3e-c8996ab4112a", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "f72eb8a8-cd4c-461d-a814-3f862befbf00", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "f879d51c-5476-431c-aedf-f14d207e4d1e", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "c21d5a77-d422-4a69-acd7-2c53c1faa34b", "tags": [ @@ -8632,7 +10319,35 @@ "type": "uses" }, { - "dest-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59", + "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "799ace7f-e227-4411-baa0-8868704f2a69", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "f72eb8a8-cd4c-461d-a814-3f862befbf00", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "128c55d3-aeba-469f-bd3e-c8996ab4112a", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -8645,12 +10360,26 @@ ], "type": "uses" }, + { + "dest-uuid": "f879d51c-5476-431c-aedf-f14d207e4d1e", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" + }, + { + "dest-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "0db09158-6e48-4e7c-8ce7-2b10b9c0c039", @@ -8680,13 +10409,6 @@ ], "type": "uses" }, - { - "dest-uuid": "0d95940f-9583-4e0f-824c-a42c1be47fad", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "e8b4e1ec-8e3b-484c-9038-4459b1ed8060", "tags": [ @@ -8707,6 +10429,13 @@ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" + }, + { + "dest-uuid": "0d95940f-9583-4e0f-824c-a42c1be47fad", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "f6ac21b6-2592-400c-8472-10d0e2f1bfaf", @@ -8725,10 +10454,13 @@ "https://labsblog.f-secure.com/2015/09/08/sofacy-recycles-carberp-and-metasploit-code/", "http://www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part1.pdf", "https://www2.fireeye.com/rs/848-DID-242/images/APT28-Center-of-Storm-2017.pdf", + "https://www.symantec.com/blogs/election-security/apt28-espionage-military-government", + "https://blog.talosintelligence.com/2017/10/cyber-conflict-decoy-document.html", "https://researchcenter.paloaltonetworks.com/2018/02/unit42-sofacy-attacks-multiple-government-entities/" ], "synonyms": [ "JHUHUGIT", + "Trojan.Sofacy", "Seduploader", "JKEYSKW", "Sednit", @@ -8779,6 +10511,13 @@ ], "type": "uses" }, + { + "dest-uuid": "9b52fca7-1a36-4da0-b62d-da5bd83b4d69", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d", "tags": [ @@ -8786,27 +10525,6 @@ ], "type": "uses" }, - { - "dest-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "30973a08-aed9-4edf-8604-9084ce1b5c4f", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59", "tags": [ @@ -8815,42 +10533,7 @@ "type": "uses" }, { - "dest-uuid": "9b52fca7-1a36-4da0-b62d-da5bd83b4d69", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "03259939-0b57-482f-8eb5-87c0e0d54334", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "62b8c999-dcc0-4755-bd69-09442d9359f5", + "dest-uuid": "30973a08-aed9-4edf-8604-9084ce1b5c4f", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -8864,7 +10547,70 @@ "type": "uses" }, { - "dest-uuid": "f24faf46-3b26-4dbb-98f2-63460498e433", + "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "62b8c999-dcc0-4755-bd69-09442d9359f5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "478aa214-2ca7-4ec0-9978-18798e514790", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7fd87010-3a00-4da3-b905-410525e8ec44", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "03259939-0b57-482f-8eb5-87c0e0d54334", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -8885,7 +10631,7 @@ "type": "uses" }, { - "dest-uuid": "478aa214-2ca7-4ec0-9978-18798e514790", + "dest-uuid": "f24faf46-3b26-4dbb-98f2-63460498e433", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -8897,13 +10643,6 @@ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" - }, - { - "dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" } ], "uuid": "8ae43c46-57ef-47d5-a77a-eebb35628db2", @@ -8951,6 +10690,20 @@ ], "type": "uses" }, + { + "dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2", "tags": [ @@ -8958,6 +10711,27 @@ ], "type": "uses" }, + { + "dest-uuid": "348f1eef-964b-4eb6-bb53-69b3dcb0c643", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "9b52fca7-1a36-4da0-b62d-da5bd83b4d69", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", "tags": [ @@ -8972,27 +10746,6 @@ ], "type": "uses" }, - { - "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "348f1eef-964b-4eb6-bb53-69b3dcb0c643", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "4eeaf8a9-c86b-4954-a663-9555fb406466", "tags": [ @@ -9000,27 +10753,6 @@ ], "type": "uses" }, - { - "dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "cc7b8c4e-9be0-47ca-b0bb-83915ec3ee2f", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "tags": [ @@ -9028,6 +10760,13 @@ ], "type": "uses" }, + { + "dest-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "92d7da27-2d91-488e-a00c-059dc162766d", "tags": [ @@ -9043,42 +10782,7 @@ "type": "uses" }, { - "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "7dd95ff6-712e-4056-9626-312ea4ab4c5e", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "9b52fca7-1a36-4da0-b62d-da5bd83b4d69", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "f879d51c-5476-431c-aedf-f14d207e4d1e", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc", + "dest-uuid": "b9f5dbe2-4c55-4fc5-af2e-d42c1d182ec4", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -9092,7 +10796,42 @@ "type": "uses" }, { - "dest-uuid": "b9f5dbe2-4c55-4fc5-af2e-d42c1d182ec4", + "dest-uuid": "7dd95ff6-712e-4056-9626-312ea4ab4c5e", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "cc7b8c4e-9be0-47ca-b0bb-83915ec3ee2f", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "f879d51c-5476-431c-aedf-f14d207e4d1e", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -9136,14 +10875,14 @@ "type": "uses" }, { - "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", + "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", + "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -9180,13 +10919,6 @@ ], "type": "uses" }, - { - "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", "tags": [ @@ -9194,34 +10926,6 @@ ], "type": "uses" }, - { - "dest-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "62b8c999-dcc0-4755-bd69-09442d9359f5", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "830c9528-df21-472c-8c14-a036bf17d665", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", "tags": [ @@ -9230,14 +10934,14 @@ "type": "uses" }, { - "dest-uuid": "478aa214-2ca7-4ec0-9978-18798e514790", + "dest-uuid": "830c9528-df21-472c-8c14-a036bf17d665", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22", + "dest-uuid": "478aa214-2ca7-4ec0-9978-18798e514790", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -9250,12 +10954,54 @@ ], "type": "uses" }, + { + "dest-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" + }, + { + "dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "62b8c999-dcc0-4755-bd69-09442d9359f5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "82caa33e-d11a-433a-94ea-9b5a5fbef81d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "e6ef745b-077f-42e1-a37d-29eecff9c754", @@ -9285,7 +11031,7 @@ "type": "uses" }, { - "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", + "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -9299,7 +11045,7 @@ "type": "uses" }, { - "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", + "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -9355,34 +11101,6 @@ ], "type": "uses" }, - { - "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "62b8c999-dcc0-4755-bd69-09442d9359f5", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "3b3cbbe0-6ed3-4334-b543-3ddfd8c5642d", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", "tags": [ @@ -9390,27 +11108,6 @@ ], "type": "uses" }, - { - "dest-uuid": "478aa214-2ca7-4ec0-9978-18798e514790", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "ca1a3f50-5ebd-41f8-8320-2c7d6a6e88be", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "b2001907-166b-4d71-bb3c-9d26c871de09", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59", "tags": [ @@ -9418,12 +11115,61 @@ ], "type": "uses" }, + { + "dest-uuid": "478aa214-2ca7-4ec0-9978-18798e514790", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "b2001907-166b-4d71-bb3c-9d26c871de09", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "62b8c999-dcc0-4755-bd69-09442d9359f5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" + }, + { + "dest-uuid": "3b3cbbe0-6ed3-4334-b543-3ddfd8c5642d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "ca1a3f50-5ebd-41f8-8320-2c7d6a6e88be", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "96b08451-b27a-4ff6-893f-790e26393a8e", @@ -9467,14 +11213,14 @@ "type": "uses" }, { - "dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22", + "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", + "dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -9536,14 +11282,14 @@ "type": "uses" }, { - "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", + "dest-uuid": "322bad5a-1c49-4d23-ab79-76d641794afa", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "322bad5a-1c49-4d23-ab79-76d641794afa", + "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -9583,6 +11329,13 @@ ], "type": "uses" }, + { + "dest-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", "tags": [ @@ -9596,13 +11349,6 @@ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" - }, - { - "dest-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" } ], "uuid": "8c553311-0baa-4146-997a-f79acef3d831", @@ -9617,7 +11363,7 @@ ], "refs": [ "https://attack.mitre.org/software/S0058", - "https://securelist.com/files/2015/05/TheNaikonAPT-MsnMM1.pdf" + "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07205555/TheNaikonAPT-MsnMM1.pdf" ], "synonyms": [ "SslMM" @@ -9639,14 +11385,7 @@ "type": "uses" }, { - "dest-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "2e0dd10b-676d-4964-acd0-8a404c92b044", + "dest-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -9659,6 +11398,13 @@ ], "type": "uses" }, + { + "dest-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", "tags": [ @@ -9667,7 +11413,14 @@ "type": "uses" }, { - "dest-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0", + "dest-uuid": "dcaa092b-7de9-4a21-977f-7fcb77e89c48", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "2e0dd10b-676d-4964-acd0-8a404c92b044", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -9680,13 +11433,6 @@ ], "type": "uses" }, - { - "dest-uuid": "dcaa092b-7de9-4a21-977f-7fcb77e89c48", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "f24faf46-3b26-4dbb-98f2-63460498e433", "tags": [ @@ -9706,8 +11452,7 @@ "Windows" ], "refs": [ - "https://attack.mitre.org/software/S0059", - "https://securelist.com/files/2015/05/TheNaikonAPT-MsnMM1.pdf" + "https://attack.mitre.org/software/S0059" ], "synonyms": [ "WinMM" @@ -9735,13 +11480,6 @@ ], "type": "uses" }, - { - "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "f24faf46-3b26-4dbb-98f2-63460498e433", "tags": [ @@ -9750,7 +11488,7 @@ "type": "uses" }, { - "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", + "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -9762,6 +11500,13 @@ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" + }, + { + "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "22addc7b-b39f-483d-979a-1b35147da5de", @@ -9791,7 +11536,7 @@ "type": "uses" }, { - "dest-uuid": "ad255bfe-a9e6-4b52-a258-8d3462abe842", + "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -9805,7 +11550,7 @@ "type": "uses" }, { - "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", + "dest-uuid": "ad255bfe-a9e6-4b52-a258-8d3462abe842", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -9853,14 +11598,14 @@ "type": "uses" }, { - "dest-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59", + "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", + "dest-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -9893,13 +11638,6 @@ ], "type": "uses" }, - { - "dest-uuid": "b9f5dbe2-4c55-4fc5-af2e-d42c1d182ec4", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", "tags": [ @@ -9907,41 +11645,6 @@ ], "type": "uses" }, - { - "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "478aa214-2ca7-4ec0-9978-18798e514790", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "tags": [ @@ -9949,12 +11652,54 @@ ], "type": "uses" }, + { + "dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "b9f5dbe2-4c55-4fc5-af2e-d42c1d182ec4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" + }, + { + "dest-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "478aa214-2ca7-4ec0-9978-18798e514790", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "166c0eca-02fd-424a-92c0-6b5106994d31", @@ -9984,14 +11729,14 @@ "type": "uses" }, { - "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", + "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", + "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -10026,7 +11771,7 @@ "type": "uses" }, { - "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", + "dest-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -10040,14 +11785,7 @@ "type": "uses" }, { - "dest-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "84e02621-8fdf-470f-bd58-993bb6a89d91", + "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -10059,6 +11797,13 @@ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" + }, + { + "dest-uuid": "84e02621-8fdf-470f-bd58-993bb6a89d91", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "d69c8146-ab35-4d50-8382-6fc80e641d43", @@ -10088,14 +11833,14 @@ "type": "uses" }, { - "dest-uuid": "92d7da27-2d91-488e-a00c-059dc162766d", + "dest-uuid": "4b74a1d4-b0e9-4ef1-93f1-14ecc6e2f5b5", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "4b74a1d4-b0e9-4ef1-93f1-14ecc6e2f5b5", + "dest-uuid": "92d7da27-2d91-488e-a00c-059dc162766d", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -10142,6 +11887,13 @@ ], "type": "uses" }, + { + "dest-uuid": "92d7da27-2d91-488e-a00c-059dc162766d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", "tags": [ @@ -10155,13 +11907,6 @@ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" - }, - { - "dest-uuid": "92d7da27-2d91-488e-a00c-059dc162766d", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" } ], "uuid": "dfb5fa9b-3051-4b97-8035-08f80aef945b", @@ -10187,34 +11932,6 @@ ], "type": "uses" }, - { - "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "5e4a2073-9643-44cb-a0b5-e7f4048446c7", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "tags": [ @@ -10230,7 +11947,14 @@ "type": "uses" }, { - "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", + "dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "5e4a2073-9643-44cb-a0b5-e7f4048446c7", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -10242,6 +11966,27 @@ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" + }, + { + "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "463f68f1-5cde-4dc2-a831-68b73488f8f4", @@ -10277,6 +12022,13 @@ ], "type": "uses" }, + { + "dest-uuid": "2e0dd10b-676d-4964-acd0-8a404c92b044", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "241814ae-de3f-4656-b49e-f9a80764d4b7", "tags": [ @@ -10291,13 +12043,6 @@ ], "type": "uses" }, - { - "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688", "tags": [ @@ -10306,7 +12051,21 @@ "type": "uses" }, { - "dest-uuid": "2e0dd10b-676d-4964-acd0-8a404c92b044", + "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -10325,20 +12084,6 @@ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" - }, - { - "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" } ], "uuid": "26fed817-e7bf-41f9-829a-9075ffac45c2", @@ -10389,13 +12134,6 @@ ], "type": "uses" }, - { - "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688", "tags": [ @@ -10403,13 +12141,6 @@ ], "type": "uses" }, - { - "dest-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "478aa214-2ca7-4ec0-9978-18798e514790", "tags": [ @@ -10418,7 +12149,14 @@ "type": "uses" }, { - "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", + "dest-uuid": "348f1eef-964b-4eb6-bb53-69b3dcb0c643", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "d45a3d09-b3cf-48f4-9f0f-f521ee5cb05c", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -10438,34 +12176,6 @@ ], "type": "uses" }, - { - "dest-uuid": "7e150503-88e7-4861-866b-ff1ac82c4475", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "e3a12395-188d-4051-9a16-ea8e14d07b88", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "348f1eef-964b-4eb6-bb53-69b3dcb0c643", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "ca1a3f50-5ebd-41f8-8320-2c7d6a6e88be", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "tags": [ @@ -10473,13 +12183,6 @@ ], "type": "uses" }, - { - "dest-uuid": "ba8e391f-14b5-496f-81f2-2d5ecd646c1c", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "f24faf46-3b26-4dbb-98f2-63460498e433", "tags": [ @@ -10487,6 +12190,34 @@ ], "type": "uses" }, + { + "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "ca1a3f50-5ebd-41f8-8320-2c7d6a6e88be", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "970cdb5c-02fb-4c38-b17e-d6327cf3c810", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "e3a12395-188d-4051-9a16-ea8e14d07b88", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "799ace7f-e227-4411-baa0-8868704f2a69", "tags": [ @@ -10494,20 +12225,6 @@ ], "type": "uses" }, - { - "dest-uuid": "0ca7beef-9bbc-4e35-97cf-437384ddce6a", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", "tags": [ @@ -10516,14 +12233,42 @@ "type": "uses" }, { - "dest-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2", + "dest-uuid": "0ca7beef-9bbc-4e35-97cf-437384ddce6a", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "970cdb5c-02fb-4c38-b17e-d6327cf3c810", + "dest-uuid": "ba8e391f-14b5-496f-81f2-2d5ecd646c1c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7e150503-88e7-4861-866b-ff1ac82c4475", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -10556,48 +12301,6 @@ ], "type": "uses" }, - { - "dest-uuid": "6ff403bc-93e3-48be-8687-e102fdba8c88", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "3b744087-9945-4a6f-91e8-9dbceda417a4", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "ca1a3f50-5ebd-41f8-8320-2c7d6a6e88be", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "ad255bfe-a9e6-4b52-a258-8d3462abe842", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "4b74a1d4-b0e9-4ef1-93f1-14ecc6e2f5b5", "tags": [ @@ -10606,7 +12309,7 @@ "type": "uses" }, { - "dest-uuid": "246fd3c7-f5e3-466d-8787-4c13d9e3b61c", + "dest-uuid": "6ff403bc-93e3-48be-8687-e102fdba8c88", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -10619,6 +12322,13 @@ ], "type": "uses" }, + { + "dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "tags": [ @@ -10627,7 +12337,42 @@ "type": "uses" }, { - "dest-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59", + "dest-uuid": "246fd3c7-f5e3-466d-8787-4c13d9e3b61c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "ad255bfe-a9e6-4b52-a258-8d3462abe842", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "3b744087-9945-4a6f-91e8-9dbceda417a4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "f5d8eed6-48a9-4cdf-a3d7-d1ffa99c3d2a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "ca1a3f50-5ebd-41f8-8320-2c7d6a6e88be", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -10688,13 +12433,6 @@ ], "type": "uses" }, - { - "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", "tags": [ @@ -10702,27 +12440,6 @@ ], "type": "uses" }, - { - "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "4eeaf8a9-c86b-4954-a663-9555fb406466", "tags": [ @@ -10731,7 +12448,14 @@ "type": "uses" }, { - "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", + "dest-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -10743,6 +12467,27 @@ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" + }, + { + "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "e9e9bfe2-76f4-4870-a2a1-b7af89808613", @@ -10772,14 +12517,14 @@ "type": "uses" }, { - "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", + "dest-uuid": "774a3188-6ba9-4dc4-879d-d54ee48a5ce9", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "774a3188-6ba9-4dc4-879d-d54ee48a5ce9", + "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -10827,56 +12572,14 @@ "type": "uses" }, { - "dest-uuid": "62b8c999-dcc0-4755-bd69-09442d9359f5", + "dest-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "7dd95ff6-712e-4056-9626-312ea4ab4c5e", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "1b7ba276-eedc-4951-a762-0ceea2c030ec", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "799ace7f-e227-4411-baa0-8868704f2a69", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", + "dest-uuid": "ba8e391f-14b5-496f-81f2-2d5ecd646c1c", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -10897,35 +12600,35 @@ "type": "uses" }, { - "dest-uuid": "348f1eef-964b-4eb6-bb53-69b3dcb0c643", + "dest-uuid": "cc7b8c4e-9be0-47ca-b0bb-83915ec3ee2f", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "4b74a1d4-b0e9-4ef1-93f1-14ecc6e2f5b5", + "dest-uuid": "1b7ba276-eedc-4951-a762-0ceea2c030ec", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "d54416bd-0803-41ca-870a-ce1af7c05638", + "dest-uuid": "799ace7f-e227-4411-baa0-8868704f2a69", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", + "dest-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "ba8e391f-14b5-496f-81f2-2d5ecd646c1c", + "dest-uuid": "7dd95ff6-712e-4056-9626-312ea4ab4c5e", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -10939,14 +12642,21 @@ "type": "uses" }, { - "dest-uuid": "cc7b8c4e-9be0-47ca-b0bb-83915ec3ee2f", + "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2", + "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "4b74a1d4-b0e9-4ef1-93f1-14ecc6e2f5b5", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -10960,7 +12670,42 @@ "type": "uses" }, { - "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", + "dest-uuid": "62b8c999-dcc0-4755-bd69-09442d9359f5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "348f1eef-964b-4eb6-bb53-69b3dcb0c643", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "d54416bd-0803-41ca-870a-ce1af7c05638", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -11071,14 +12816,14 @@ "type": "uses" }, { - "dest-uuid": "478aa214-2ca7-4ec0-9978-18798e514790", + "dest-uuid": "62b8c999-dcc0-4755-bd69-09442d9359f5", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "62b8c999-dcc0-4755-bd69-09442d9359f5", + "dest-uuid": "478aa214-2ca7-4ec0-9978-18798e514790", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -11126,14 +12871,21 @@ "type": "uses" }, { - "dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688", + "dest-uuid": "f4882e23-8aa7-4b12-b28a-b349c12ee9e0", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055", + "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -11147,14 +12899,7 @@ "type": "uses" }, { - "dest-uuid": "f4882e23-8aa7-4b12-b28a-b349c12ee9e0", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", + "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -11217,7 +12962,28 @@ "type": "uses" }, { - "dest-uuid": "1b7ba276-eedc-4951-a762-0ceea2c030ec", + "dest-uuid": "241814ae-de3f-4656-b49e-f9a80764d4b7", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -11237,20 +13003,6 @@ ], "type": "uses" }, - { - "dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "241814ae-de3f-4656-b49e-f9a80764d4b7", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "c21d5a77-d422-4a69-acd7-2c53c1faa34b", "tags": [ @@ -11265,13 +13017,6 @@ ], "type": "uses" }, - { - "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "1608f3e1-598a-42f4-a01a-2e252e81728f", "tags": [ @@ -11280,7 +13025,7 @@ "type": "uses" }, { - "dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22", + "dest-uuid": "1b7ba276-eedc-4951-a762-0ceea2c030ec", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -11291,7 +13036,7 @@ "value": "Crimson - S0115" }, { - "description": "[XAgentOSX](https://attack.mitre.org/software/S0161) is a trojan that has been used by [APT28](https://attack.mitre.org/groups/G0007) on OS X and appears to be a port of their standard [CHOPSTICK](https://attack.mitre.org/software/S0023) or XAgent trojan. (Citation: XAgentOSX)", + "description": "[XAgentOSX](https://attack.mitre.org/software/S0161) is a trojan that has been used by [APT28](https://attack.mitre.org/groups/G0007) on OS X and appears to be a port of their standard [CHOPSTICK](https://attack.mitre.org/software/S0023) or XAgent trojan. (Citation: XAgentOSX 2017)", "meta": { "external_id": "S0161", "mitre_platforms": [ @@ -11299,10 +13044,12 @@ ], "refs": [ "https://attack.mitre.org/software/S0161", - "https://researchcenter.paloaltonetworks.com/2017/02/unit42-xagentosx-sofacys-xagent-macos-tool/" + "https://researchcenter.paloaltonetworks.com/2017/02/unit42-xagentosx-sofacys-xagent-macos-tool/", + "https://www.symantec.com/blogs/election-security/apt28-espionage-military-government" ], "synonyms": [ - "XAgentOSX" + "XAgentOSX", + "OSX.Sofacy" ] }, "related": [ @@ -11321,28 +13068,7 @@ "type": "uses" }, { - "dest-uuid": "348f1eef-964b-4eb6-bb53-69b3dcb0c643", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", + "dest-uuid": "ba8e391f-14b5-496f-81f2-2d5ecd646c1c", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -11355,27 +13081,6 @@ ], "type": "uses" }, - { - "dest-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "ba8e391f-14b5-496f-81f2-2d5ecd646c1c", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "tags": [ @@ -11389,6 +13094,48 @@ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" + }, + { + "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "348f1eef-964b-4eb6-bb53-69b3dcb0c643", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "59a97b15-8189-4d51-9404-e1ce8ea4a069", @@ -11432,6 +13179,20 @@ ], "type": "uses" }, + { + "dest-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "241814ae-de3f-4656-b49e-f9a80764d4b7", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", "tags": [ @@ -11453,20 +13214,6 @@ ], "type": "uses" }, - { - "dest-uuid": "241814ae-de3f-4656-b49e-f9a80764d4b7", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "3b3cbbe0-6ed3-4334-b543-3ddfd8c5642d", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", "tags": [ @@ -11475,14 +13222,14 @@ "type": "uses" }, { - "dest-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0", + "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", + "dest-uuid": "3b3cbbe0-6ed3-4334-b543-3ddfd8c5642d", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -11501,12 +13248,14 @@ ], "refs": [ "https://attack.mitre.org/software/S0117", - "https://www.invincea.com/2016/07/tunnel-of-gov-dnc-hack-and-the-russian-xtunnel/", "https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/", - "http://www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part-2.pdf" + "https://www.invincea.com/2016/07/tunnel-of-gov-dnc-hack-and-the-russian-xtunnel/", + "http://www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part-2.pdf", + "https://www.symantec.com/blogs/election-security/apt28-espionage-military-government" ], "synonyms": [ "XTunnel", + "Trojan.Shunnael", "X-Tunnel", "XAPS" ] @@ -11533,13 +13282,6 @@ ], "type": "uses" }, - { - "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "519630c5-f03f-4882-825c-3af924935817", "tags": [ @@ -11548,7 +13290,21 @@ "type": "uses" }, { - "dest-uuid": "e3a12395-188d-4051-9a16-ea8e14d07b88", + "dest-uuid": "ba8e391f-14b5-496f-81f2-2d5ecd646c1c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "4b74a1d4-b0e9-4ef1-93f1-14ecc6e2f5b5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -11569,7 +13325,7 @@ "type": "uses" }, { - "dest-uuid": "4b74a1d4-b0e9-4ef1-93f1-14ecc6e2f5b5", + "dest-uuid": "e3a12395-188d-4051-9a16-ea8e14d07b88", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -11581,13 +13337,6 @@ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" - }, - { - "dest-uuid": "ba8e391f-14b5-496f-81f2-2d5ecd646c1c", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" } ], "uuid": "7343e208-7cab-45f2-a47b-41ba5e2f0fab", @@ -11637,20 +13386,6 @@ ], "type": "uses" }, - { - "dest-uuid": "3b3cbbe0-6ed3-4334-b543-3ddfd8c5642d", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "tags": [ @@ -11658,6 +13393,13 @@ ], "type": "uses" }, + { + "dest-uuid": "3b3cbbe0-6ed3-4334-b543-3ddfd8c5642d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", "tags": [ @@ -11665,6 +13407,13 @@ ], "type": "uses" }, + { + "dest-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "128c55d3-aeba-469f-bd3e-c8996ab4112a", "tags": [ @@ -11701,14 +13450,14 @@ "type": "uses" }, { - "dest-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0", + "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "f879d51c-5476-431c-aedf-f14d207e4d1e", + "dest-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -11722,7 +13471,7 @@ "type": "uses" }, { - "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", + "dest-uuid": "f879d51c-5476-431c-aedf-f14d207e4d1e", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -11733,7 +13482,7 @@ "value": "Nidiran - S0118" }, { - "description": "[CORALDECK](https://attack.mitre.org/software/S0212) is an exfiltration tool used by [ScarCruft](https://attack.mitre.org/groups/G0067). (Citation: FireEye APT37 Feb 2018)", + "description": "[CORALDECK](https://attack.mitre.org/software/S0212) is an exfiltration tool used by [APT37](https://attack.mitre.org/groups/G0067). (Citation: FireEye APT37 Feb 2018)", "meta": { "external_id": "S0212", "mitre_platforms": [ @@ -11824,13 +13573,6 @@ ], "type": "uses" }, - { - "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "451a9977-d255-43c9-b431-66de80130c8c", "tags": [ @@ -11838,26 +13580,33 @@ ], "type": "uses" }, - { - "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" + }, + { + "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "3d8e547d-9456-4f32-a895-dc86134e282f", "value": "Umbreon - S0221" }, { - "description": "[DOGCALL](https://attack.mitre.org/software/S0213) is a backdoor used by [ScarCruft](https://attack.mitre.org/groups/G0067) that has been used to target South Korean government and military organizations in 2017. It is typically dropped using a Hangul Word Processor (HWP) exploit. (Citation: FireEye APT37 Feb 2018)", + "description": "[DOGCALL](https://attack.mitre.org/software/S0213) is a backdoor used by [APT37](https://attack.mitre.org/groups/G0067) that has been used to target South Korean government and military organizations in 2017. It is typically dropped using a Hangul Word Processor (HWP) exploit. (Citation: FireEye APT37 Feb 2018)", "meta": { "external_id": "S0213", "mitre_platforms": [ @@ -11887,7 +13636,7 @@ "type": "uses" }, { - "dest-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2", + "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -11899,6 +13648,27 @@ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" + }, + { + "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "1035cdf2-3e5f-446f-a7a7-e8f6d7925967", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "0852567d-7958-4f4b-8947-4f840ec8d57d", @@ -11981,8 +13751,7 @@ ], "refs": [ "https://attack.mitre.org/software/S0241", - "https://blog.trendmicro.com/trendlabs-security-intelligence/lazarus-campaign-targeting-cryptocurrencies-reveals-remote-controller-tool-evolved-ratankba/", - "https://blog.trendmicro.com/trendlabs-security-intelligence/ratankba-watering-holes-against-enterprises/" + "https://blog.trendmicro.com/trendlabs-security-intelligence/lazarus-campaign-targeting-cryptocurrencies-reveals-remote-controller-tool-evolved-ratankba/" ], "synonyms": [ "RATANKBA" @@ -11990,63 +13759,7 @@ }, "related": [ { - "dest-uuid": "e358d692-23c0-4a31-9eb6-ecc13a8d7735", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "322bad5a-1c49-4d23-ab79-76d641794afa", + "dest-uuid": "7e150503-88e7-4861-866b-ff1ac82c4475", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -12059,6 +13772,13 @@ ], "type": "uses" }, + { + "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d", "tags": [ @@ -12067,7 +13787,28 @@ "type": "uses" }, { - "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", + "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "e358d692-23c0-4a31-9eb6-ecc13a8d7735", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -12088,14 +13829,42 @@ "type": "uses" }, { - "dest-uuid": "7e150503-88e7-4861-866b-ff1ac82c4475", + "dest-uuid": "72b74d71-8169-42aa-92e0-e7b04b9f5a08", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "72b74d71-8169-42aa-92e0-e7b04b9f5a08", + "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "322bad5a-1c49-4d23-ab79-76d641794afa", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -12106,7 +13875,7 @@ "value": "RATANKBA - S0241" }, { - "description": "[Happywork](https://attack.mitre.org/software/S0214) is a downloader used by [ScarCruft](https://attack.mitre.org/groups/G0067) to target South Korean government and financial victims in November 2016. (Citation: FireEye APT37 Feb 2018)", + "description": "[HAPPYWORK](https://attack.mitre.org/software/S0214) is a downloader used by [APT37](https://attack.mitre.org/groups/G0067) to target South Korean government and financial victims in November 2016. (Citation: FireEye APT37 Feb 2018)", "meta": { "external_id": "S0214", "mitre_platforms": [ @@ -12184,21 +13953,7 @@ "type": "uses" }, { - "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "62b8c999-dcc0-4755-bd69-09442d9359f5", + "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -12212,7 +13967,7 @@ "type": "uses" }, { - "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", + "dest-uuid": "62b8c999-dcc0-4755-bd69-09442d9359f5", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -12226,14 +13981,28 @@ "type": "uses" }, { - "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4", + "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", + "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -12267,14 +14036,14 @@ "type": "uses" }, { - "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", + "dest-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", + "dest-uuid": "cc7b8c4e-9be0-47ca-b0bb-83915ec3ee2f", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -12295,21 +14064,7 @@ "type": "uses" }, { - "dest-uuid": "cc7b8c4e-9be0-47ca-b0bb-83915ec3ee2f", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", + "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -12321,6 +14076,20 @@ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" + }, + { + "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "b96680d1-5eb3-4f07-b95c-00ab904ac236", @@ -12356,6 +14125,13 @@ ], "type": "uses" }, + { + "dest-uuid": "d742a578-d70e-4d0e-96a6-02a9c30204e6", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "tags": [ @@ -12369,13 +14145,6 @@ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" - }, - { - "dest-uuid": "d742a578-d70e-4d0e-96a6-02a9c30204e6", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" } ], "uuid": "3c02fb1f-cbdb-48f5-abaf-8c81d6e0c322", @@ -12425,6 +14194,13 @@ ], "type": "uses" }, + { + "dest-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "1035cdf2-3e5f-446f-a7a7-e8f6d7925967", "tags": [ @@ -12439,13 +14215,6 @@ ], "type": "uses" }, - { - "dest-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc", "tags": [ @@ -12497,104 +14266,6 @@ ], "type": "uses" }, - { - "dest-uuid": "4b74a1d4-b0e9-4ef1-93f1-14ecc6e2f5b5", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "e6415f09-df0e-48de-9aba-928c902b7549", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "241814ae-de3f-4656-b49e-f9a80764d4b7", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "c21d5a77-d422-4a69-acd7-2c53c1faa34b", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "b21c3b2d-02e6-45b1-980b-e69051040839", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "tags": [ @@ -12602,62 +14273,6 @@ ], "type": "uses" }, - { - "dest-uuid": "1b7ba276-eedc-4951-a762-0ceea2c030ec", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "c848fcf7-6b62-4bde-8216-b6c157d48da0", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "7e150503-88e7-4861-866b-ff1ac82c4475", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "72b74d71-8169-42aa-92e0-e7b04b9f5a08", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "b8c5c9dd-a662-479d-9428-ae745872537c", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59", "tags": [ @@ -12665,6 +14280,34 @@ ], "type": "uses" }, + { + "dest-uuid": "f72eb8a8-cd4c-461d-a814-3f862befbf00", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "e6415f09-df0e-48de-9aba-928c902b7549", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "e3a12395-188d-4051-9a16-ea8e14d07b88", "tags": [ @@ -12673,7 +14316,91 @@ "type": "uses" }, { - "dest-uuid": "e358d692-23c0-4a31-9eb6-ecc13a8d7735", + "dest-uuid": "4b74a1d4-b0e9-4ef1-93f1-14ecc6e2f5b5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "c21d5a77-d422-4a69-acd7-2c53c1faa34b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "1b7ba276-eedc-4951-a762-0ceea2c030ec", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7e150503-88e7-4861-866b-ff1ac82c4475", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "241814ae-de3f-4656-b49e-f9a80764d4b7", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "c848fcf7-6b62-4bde-8216-b6c157d48da0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "b21c3b2d-02e6-45b1-980b-e69051040839", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -12687,7 +14414,49 @@ "type": "uses" }, { - "dest-uuid": "f72eb8a8-cd4c-461d-a814-3f862befbf00", + "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "b8c5c9dd-a662-479d-9428-ae745872537c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "e358d692-23c0-4a31-9eb6-ecc13a8d7735", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "72b74d71-8169-42aa-92e0-e7b04b9f5a08", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -12698,7 +14467,7 @@ "value": "Remsec - S0125" }, { - "description": "[Zebrocy](https://attack.mitre.org/software/S0251) is a Trojan used by [APT28](https://attack.mitre.org/groups/G0007). [Zebrocy](https://attack.mitre.org/software/S0251) was seen used in attacks in early 2018. [Zebrocy](https://attack.mitre.org/software/S0251) comes in several programming language variants, including C++, Delphi, and AutoIt. (Citation: Palo Alto Sofacy 06-2018)", + "description": "[Zebrocy](https://attack.mitre.org/software/S0251) is a Trojan that has been used by [APT28](https://attack.mitre.org/groups/G0007) since at least November 2015. The malware comes in several programming language variants, including C++, Delphi, AutoIt, C#, and VB.NET. (Citation: Palo Alto Sofacy 06-2018)(Citation: Unit42 Cannon Nov 2018)(Citation: Unit42 Sofacy Dec 2018)", "meta": { "external_id": "S0251", "mitre_platforms": [ @@ -12706,20 +14475,15 @@ ], "refs": [ "https://attack.mitre.org/software/S0251", - "https://researchcenter.paloaltonetworks.com/2018/06/unit42-sofacy-groups-parallel-attacks/" + "https://researchcenter.paloaltonetworks.com/2018/06/unit42-sofacy-groups-parallel-attacks/", + "https://researchcenter.paloaltonetworks.com/2018/11/unit42-sofacy-continues-global-attacks-wheels-new-cannon-trojan/", + "https://unit42.paloaltonetworks.com/dear-joohn-sofacy-groups-global-campaign/" ], "synonyms": [ "Zebrocy" ] }, "related": [ - { - "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "tags": [ @@ -12734,12 +14498,152 @@ ], "type": "uses" }, + { + "dest-uuid": "d54416bd-0803-41ca-870a-ce1af7c05638", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" + }, + { + "dest-uuid": "66f73398-8394-4711-85e5-34c8540b22a5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "348f1eef-964b-4eb6-bb53-69b3dcb0c643", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "3489cfc5-640f-4bb3-a103-9137b97de79f", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "c848fcf7-6b62-4bde-8216-b6c157d48da0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "f3c544dc-673c-4ef3-accb-53229f1ae077", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "4b74a1d4-b0e9-4ef1-93f1-14ecc6e2f5b5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7dd95ff6-712e-4056-9626-312ea4ab4c5e", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "30208d3e-0d6b-43c8-883e-44462a514619", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "03259939-0b57-482f-8eb5-87c0e0d54334", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "6ff403bc-93e3-48be-8687-e102fdba8c88", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "a4f57468-fbd5-49e4-8476-52088220b92d", @@ -12832,14 +14736,14 @@ "type": "uses" }, { - "dest-uuid": "830c9528-df21-472c-8c14-a036bf17d665", + "dest-uuid": "d742a578-d70e-4d0e-96a6-02a9c30204e6", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", + "dest-uuid": "830c9528-df21-472c-8c14-a036bf17d665", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -12853,14 +14757,14 @@ "type": "uses" }, { - "dest-uuid": "d742a578-d70e-4d0e-96a6-02a9c30204e6", + "dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688", + "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -12887,7 +14791,14 @@ }, "related": [ { - "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4", + "dest-uuid": "30973a08-aed9-4edf-8604-9084ce1b5c4f", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7dd95ff6-712e-4056-9626-312ea4ab4c5e", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -12901,28 +14812,14 @@ "type": "uses" }, { - "dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688", + "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "30973a08-aed9-4edf-8604-9084ce1b5c4f", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "7dd95ff6-712e-4056-9626-312ea4ab4c5e", + "dest-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -12943,7 +14840,14 @@ "type": "uses" }, { - "dest-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0", + "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -12954,7 +14858,7 @@ "value": "Catchamas - S0261" }, { - "description": "[Komplex](https://attack.mitre.org/software/S0162) is a backdoor that has been used by [APT28](https://attack.mitre.org/groups/G0007) on OS X and appears to be developed in a similar manner to [XAgentOSX](https://attack.mitre.org/software/S0161) (Citation: XAgentOSX) (Citation: Sofacy Komplex Trojan).", + "description": "[Komplex](https://attack.mitre.org/software/S0162) is a backdoor that has been used by [APT28](https://attack.mitre.org/groups/G0007) on OS X and appears to be developed in a similar manner to [XAgentOSX](https://attack.mitre.org/software/S0161) (Citation: XAgentOSX 2017) (Citation: Sofacy Komplex Trojan).", "meta": { "external_id": "S0162", "mitre_platforms": [ @@ -13012,13 +14916,6 @@ ], "type": "uses" }, - { - "dest-uuid": "dd901512-6e37-4155-943b-453e3777b125", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59", "tags": [ @@ -13027,7 +14924,7 @@ "type": "uses" }, { - "dest-uuid": "dc27c2ec-c5f9-4228-ba57-d67b590bda93", + "dest-uuid": "dd901512-6e37-4155-943b-453e3777b125", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -13047,6 +14944,13 @@ ], "type": "uses" }, + { + "dest-uuid": "dc27c2ec-c5f9-4228-ba57-d67b590bda93", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", "tags": [ @@ -13088,13 +14992,6 @@ ], "type": "uses" }, - { - "dest-uuid": "9b52fca7-1a36-4da0-b62d-da5bd83b4d69", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", "tags": [ @@ -13103,14 +15000,7 @@ "type": "uses" }, { - "dest-uuid": "b2001907-166b-4d71-bb3c-9d26c871de09", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "3b3cbbe0-6ed3-4334-b543-3ddfd8c5642d", + "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -13123,6 +15013,13 @@ ], "type": "uses" }, + { + "dest-uuid": "b2001907-166b-4d71-bb3c-9d26c871de09", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "1c338d0f-a65e-4073-a5c1-c06878849f21", "tags": [ @@ -13130,20 +15027,6 @@ ], "type": "uses" }, - { - "dest-uuid": "f44731de-ea9f-406d-9b83-30ecbb9b4392", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc", "tags": [ @@ -13152,7 +15035,7 @@ "type": "uses" }, { - "dest-uuid": "62dfd1ca-52d5-483c-a84b-d6e80bf94b7b", + "dest-uuid": "3b3cbbe0-6ed3-4334-b543-3ddfd8c5642d", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -13166,7 +15049,42 @@ "type": "uses" }, { - "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", + "dest-uuid": "62dfd1ca-52d5-483c-a84b-d6e80bf94b7b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "9b52fca7-1a36-4da0-b62d-da5bd83b4d69", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "f44731de-ea9f-406d-9b83-30ecbb9b4392", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "b9f5dbe2-4c55-4fc5-af2e-d42c1d182ec4", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -13192,62 +15110,6 @@ ] }, "related": [ - { - "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "3b3cbbe0-6ed3-4334-b543-3ddfd8c5642d", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "f879d51c-5476-431c-aedf-f14d207e4d1e", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "tags": [ @@ -13262,12 +15124,68 @@ ], "type": "uses" }, + { + "dest-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "3b3cbbe0-6ed3-4334-b543-3ddfd8c5642d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" + }, + { + "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "f879d51c-5476-431c-aedf-f14d207e4d1e", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "11e36d5b-6a92-4bf9-8eb7-85eb24f59e22", @@ -13304,14 +15222,14 @@ "type": "uses" }, { - "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", + "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", + "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -13351,27 +15269,6 @@ ], "type": "uses" }, - { - "dest-uuid": "970cdb5c-02fb-4c38-b17e-d6327cf3c810", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "f72eb8a8-cd4c-461d-a814-3f862befbf00", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896", "tags": [ @@ -13380,14 +15277,14 @@ "type": "uses" }, { - "dest-uuid": "478aa214-2ca7-4ec0-9978-18798e514790", + "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", + "dest-uuid": "8df54627-376c-487c-a09c-7d2b5620f56e", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -13408,21 +15305,14 @@ "type": "uses" }, { - "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", + "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "d54416bd-0803-41ca-870a-ce1af7c05638", + "dest-uuid": "f72eb8a8-cd4c-461d-a814-3f862befbf00", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -13436,7 +15326,35 @@ "type": "uses" }, { - "dest-uuid": "8df54627-376c-487c-a09c-7d2b5620f56e", + "dest-uuid": "478aa214-2ca7-4ec0-9978-18798e514790", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "d54416bd-0803-41ca-870a-ce1af7c05638", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "970cdb5c-02fb-4c38-b17e-d6327cf3c810", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -13470,6 +15388,62 @@ ], "type": "uses" }, + { + "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "b2001907-166b-4d71-bb3c-9d26c871de09", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "348f1eef-964b-4eb6-bb53-69b3dcb0c643", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "ae676644-d2d2-41b7-af7e-9bed1b55898c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "3b3cbbe0-6ed3-4334-b543-3ddfd8c5642d", "tags": [ @@ -13484,55 +15458,6 @@ ], "type": "uses" }, - { - "dest-uuid": "7dd95ff6-712e-4056-9626-312ea4ab4c5e", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "ad255bfe-a9e6-4b52-a258-8d3462abe842", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "348f1eef-964b-4eb6-bb53-69b3dcb0c643", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "b2001907-166b-4d71-bb3c-9d26c871de09", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "1c338d0f-a65e-4073-a5c1-c06878849f21", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5", "tags": [ @@ -13540,20 +15465,6 @@ ], "type": "uses" }, - { - "dest-uuid": "cc7b8c4e-9be0-47ca-b0bb-83915ec3ee2f", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "30208d3e-0d6b-43c8-883e-44462a514619", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc", "tags": [ @@ -13562,28 +15473,14 @@ "type": "uses" }, { - "dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670", + "dest-uuid": "1b84d551-6de8-4b96-9930-d177677c3b1d", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "1b7ba276-eedc-4951-a762-0ceea2c030ec", + "dest-uuid": "7dd95ff6-712e-4056-9626-312ea4ab4c5e", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -13597,14 +15494,42 @@ "type": "uses" }, { - "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", + "dest-uuid": "1b7ba276-eedc-4951-a762-0ceea2c030ec", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "ae676644-d2d2-41b7-af7e-9bed1b55898c", + "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "30208d3e-0d6b-43c8-883e-44462a514619", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "cc7b8c4e-9be0-47ca-b0bb-83915ec3ee2f", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "1c338d0f-a65e-4073-a5c1-c06878849f21", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "ad255bfe-a9e6-4b52-a258-8d3462abe842", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -13616,13 +15541,6 @@ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" - }, - { - "dest-uuid": "1b84d551-6de8-4b96-9930-d177677c3b1d", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" } ], "uuid": "e9595678-d269-469e-ae6b-75e49259de63", @@ -13700,6 +15618,13 @@ ], "type": "uses" }, + { + "dest-uuid": "7d751199-05fa-4a72-920f-85df4506c76c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "36675cd3-fe00-454c-8516-aebecacbe9d9", "tags": [ @@ -13708,7 +15633,7 @@ "type": "uses" }, { - "dest-uuid": "7d751199-05fa-4a72-920f-85df4506c76c", + "dest-uuid": "91ce1ede-107f-4d8b-bf4c-735e8789c94b", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -13727,13 +15652,6 @@ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" - }, - { - "dest-uuid": "91ce1ede-107f-4d8b-bf4c-735e8789c94b", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" } ], "uuid": "f36b2598-515f-4345-84e5-5ccde253edbe", @@ -13774,20 +15692,6 @@ ], "type": "uses" }, - { - "dest-uuid": "66f73398-8394-4711-85e5-34c8540b22a5", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", "tags": [ @@ -13796,7 +15700,7 @@ "type": "uses" }, { - "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", + "dest-uuid": "66f73398-8394-4711-85e5-34c8540b22a5", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -13810,42 +15714,7 @@ "type": "uses" }, { - "dest-uuid": "6ff403bc-93e3-48be-8687-e102fdba8c88", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "799ace7f-e227-4411-baa0-8868704f2a69", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "ca1a3f50-5ebd-41f8-8320-2c7d6a6e88be", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "478aa214-2ca7-4ec0-9978-18798e514790", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "519630c5-f03f-4882-825c-3af924935817", + "dest-uuid": "b2001907-166b-4d71-bb3c-9d26c871de09", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -13859,7 +15728,14 @@ "type": "uses" }, { - "dest-uuid": "241814ae-de3f-4656-b49e-f9a80764d4b7", + "dest-uuid": "799ace7f-e227-4411-baa0-8868704f2a69", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -13872,6 +15748,41 @@ ], "type": "uses" }, + { + "dest-uuid": "ca1a3f50-5ebd-41f8-8320-2c7d6a6e88be", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "478aa214-2ca7-4ec0-9978-18798e514790", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "519630c5-f03f-4882-825c-3af924935817", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896", "tags": [ @@ -13879,6 +15790,27 @@ ], "type": "uses" }, + { + "dest-uuid": "241814ae-de3f-4656-b49e-f9a80764d4b7", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "6ff403bc-93e3-48be-8687-e102fdba8c88", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0", "tags": [ @@ -13893,26 +15825,19 @@ ], "type": "uses" }, - { - "dest-uuid": "b2001907-166b-4d71-bb3c-9d26c871de09", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "02fefddc-fb1b-423f-a76b-7552dd211d4d", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" + }, + { + "dest-uuid": "82caa33e-d11a-433a-94ea-9b5a5fbef81d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "a5528622-3a8a-4633-86ce-8cdaf8423858", @@ -13949,7 +15874,7 @@ "type": "uses" }, { - "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", + "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -13963,14 +15888,14 @@ "type": "uses" }, { - "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", + "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", + "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -14018,14 +15943,14 @@ "type": "uses" }, { - "dest-uuid": "99e6295e-741b-4857-b6e5-64989eb039b4", + "dest-uuid": "8f0e39c6-82c9-41ec-9f93-5696c0f2e274", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "8f0e39c6-82c9-41ec-9f93-5696c0f2e274", + "dest-uuid": "99e6295e-741b-4857-b6e5-64989eb039b4", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -14059,14 +15984,7 @@ "type": "uses" }, { - "dest-uuid": "6a3f6490-9c44-40de-b059-e5940f246673", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "e2ea7f6b-8d4f-49c3-819d-660530d12b77", + "dest-uuid": "e8b4e1ec-8e3b-484c-9038-4459b1ed8060", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -14080,7 +15998,14 @@ "type": "uses" }, { - "dest-uuid": "e8b4e1ec-8e3b-484c-9038-4459b1ed8060", + "dest-uuid": "6a3f6490-9c44-40de-b059-e5940f246673", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "e2ea7f6b-8d4f-49c3-819d-660530d12b77", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -14129,14 +16054,7 @@ "type": "uses" }, { - "dest-uuid": "ad255bfe-a9e6-4b52-a258-8d3462abe842", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "4b74a1d4-b0e9-4ef1-93f1-14ecc6e2f5b5", + "dest-uuid": "ca1a3f50-5ebd-41f8-8320-2c7d6a6e88be", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -14150,7 +16068,14 @@ "type": "uses" }, { - "dest-uuid": "ca1a3f50-5ebd-41f8-8320-2c7d6a6e88be", + "dest-uuid": "ad255bfe-a9e6-4b52-a258-8d3462abe842", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "4b74a1d4-b0e9-4ef1-93f1-14ecc6e2f5b5", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -14195,14 +16120,21 @@ "type": "uses" }, { - "dest-uuid": "51ea26b1-ff1e-4faa-b1a0-1114cd298c87", + "dest-uuid": "52d40641-c480-4ad5-81a3-c80ccaddf82d", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "241814ae-de3f-4656-b49e-f9a80764d4b7", + "dest-uuid": "9db0cf3a-a3c9-4012-8268-123b9db6fd82", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "51ea26b1-ff1e-4faa-b1a0-1114cd298c87", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -14215,20 +16147,6 @@ ], "type": "uses" }, - { - "dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "52d40641-c480-4ad5-81a3-c80ccaddf82d", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "e01be9c5-e763-4caf-aeb7-000b416aef67", "tags": [ @@ -14236,23 +16154,302 @@ ], "type": "uses" }, + { + "dest-uuid": "241814ae-de3f-4656-b49e-f9a80764d4b7", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "3b744087-9945-4a6f-91e8-9dbceda417a4", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" + } + ], + "uuid": "ff6840c9-4c87-4d07-bbb6-9f50aa33d498", + "value": "Flame - S0143" + }, + { + "description": "[Xbash](https://attack.mitre.org/software/S0341) is a malware family that has targeted Linux and Microsoft Windows servers. The malware has been tied to the Iron Group, a threat actor group known for previous ransomware attacks. [Xbash](https://attack.mitre.org/software/S0341) was developed in Python and then converted into a self-contained Linux ELF executable by using PyInstaller.(Citation: Unit42 Xbash Sept 2018)", + "meta": { + "external_id": "S0341", + "mitre_platforms": [ + "Windows", + "Linux" + ], + "refs": [ + "https://attack.mitre.org/software/S0341", + "https://researchcenter.paloaltonetworks.com/2018/09/unit42-xbash-combines-botnet-ransomware-coinmining-worm-targets-linux-windows/" + ], + "synonyms": [ + "Xbash" + ] + }, + "related": [ + { + "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" }, { - "dest-uuid": "9db0cf3a-a3c9-4012-8268-123b9db6fd82", + "dest-uuid": "e3a12395-188d-4051-9a16-ea8e14d07b88", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7fd87010-3a00-4da3-b905-410525e8ec44", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "f4882e23-8aa7-4b12-b28a-b349c12ee9e0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "a127c32c-cbb0-4f9d-be07-881a792408ec", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "a93494bb-4b80-4ea1-8695-3236a49916fd", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "68f7e3a1-f09f-4164-9a62-16b648a0dd5a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "c0a384a4-9a25-40e1-97b6-458388474bc8", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "be2dcee9-a7a7-4e38-afd6-21b31ecc3d63", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "830c9528-df21-472c-8c14-a036bf17d665", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" } ], - "uuid": "ff6840c9-4c87-4d07-bbb6-9f50aa33d498", - "value": "Flame - S0143" + "uuid": "6a92d80f-cc65-45f6-aa66-3cdea6786b3c", + "value": "Xbash - S0341" + }, + { + "description": "[Final1stspy](https://attack.mitre.org/software/S0355) is a dropper family that has been used to deliver [DOGCALL](https://attack.mitre.org/software/S0213).(Citation: Unit 42 Nokki Oct 2018)", + "meta": { + "external_id": "S0355", + "mitre_platforms": [ + "Windows" + ], + "refs": [ + "https://attack.mitre.org/software/S0355", + "https://researchcenter.paloaltonetworks.com/2018/10/unit42-nokki-almost-ties-the-knot-with-dogcall-reaper-group-uses-new-malware-to-deploy-rat/" + ], + "synonyms": [ + "Final1stspy" + ] + }, + "related": [ + { + "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + } + ], + "uuid": "a2282af0-f9dd-4373-9b92-eaf9e11e0c71", + "value": "Final1stspy - S0355" + }, + { + "description": "[Cannon](https://attack.mitre.org/software/S0351) is a Trojan with variants written in C# and Delphi. It was first observed in April 2018. (Citation: Unit42 Cannon Nov 2018)(Citation: Unit42 Sofacy Dec 2018)", + "meta": { + "external_id": "S0351", + "mitre_platforms": [ + "Windows" + ], + "refs": [ + "https://attack.mitre.org/software/S0351", + "https://researchcenter.paloaltonetworks.com/2018/11/unit42-sofacy-continues-global-attacks-wheels-new-cannon-trojan/", + "https://unit42.paloaltonetworks.com/dear-joohn-sofacy-groups-global-campaign/" + ], + "synonyms": [ + "Cannon" + ] + }, + "related": [ + { + "dest-uuid": "f3c544dc-673c-4ef3-accb-53229f1ae077", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "514ede4c-78b3-4d78-a38b-daddf6217a79", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "92d7da27-2d91-488e-a00c-059dc162766d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "c848fcf7-6b62-4bde-8216-b6c157d48da0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + } + ], + "uuid": "d20b397a-ea47-48a9-b503-2e2a3551e11d", + "value": "Cannon - S0351" }, { "description": "[HIDEDRV](https://attack.mitre.org/software/S0135) is a rootkit used by [APT28](https://attack.mitre.org/groups/G0007). It has been deployed along with [Downdelph](https://attack.mitre.org/software/S0134) to execute and hide that malware. (Citation: ESET Sednit Part 3) (Citation: Sekoia HideDRV Oct 2016)", @@ -14386,14 +16583,14 @@ "type": "uses" }, { - "dest-uuid": "f879d51c-5476-431c-aedf-f14d207e4d1e", + "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", + "dest-uuid": "f72eb8a8-cd4c-461d-a814-3f862befbf00", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -14406,6 +16603,55 @@ ], "type": "uses" }, + { + "dest-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "4b74a1d4-b0e9-4ef1-93f1-14ecc6e2f5b5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22", "tags": [ @@ -14413,6 +16659,13 @@ ], "type": "uses" }, + { + "dest-uuid": "c848fcf7-6b62-4bde-8216-b6c157d48da0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc", "tags": [ @@ -14427,41 +16680,6 @@ ], "type": "uses" }, - { - "dest-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "f72eb8a8-cd4c-461d-a814-3f862befbf00", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "c848fcf7-6b62-4bde-8216-b6c157d48da0", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", "tags": [ @@ -14470,28 +16688,7 @@ "type": "uses" }, { - "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "4b74a1d4-b0e9-4ef1-93f1-14ecc6e2f5b5", + "dest-uuid": "970cdb5c-02fb-4c38-b17e-d6327cf3c810", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -14505,7 +16702,7 @@ "type": "uses" }, { - "dest-uuid": "970cdb5c-02fb-4c38-b17e-d6327cf3c810", + "dest-uuid": "f879d51c-5476-431c-aedf-f14d207e4d1e", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -14548,34 +16745,6 @@ ], "type": "uses" }, - { - "dest-uuid": "3b744087-9945-4a6f-91e8-9dbceda417a4", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "774a3188-6ba9-4dc4-879d-d54ee48a5ce9", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "64196062-5210-42c3-9a02-563a0d1797ef", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "7dd95ff6-712e-4056-9626-312ea4ab4c5e", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59", "tags": [ @@ -14583,34 +16752,6 @@ ], "type": "uses" }, - { - "dest-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "30208d3e-0d6b-43c8-883e-44462a514619", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "348f1eef-964b-4eb6-bb53-69b3dcb0c643", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "1b7ba276-eedc-4951-a762-0ceea2c030ec", "tags": [ @@ -14626,7 +16767,14 @@ "type": "uses" }, { - "dest-uuid": "128c55d3-aeba-469f-bd3e-c8996ab4112a", + "dest-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "3b744087-9945-4a6f-91e8-9dbceda417a4", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -14638,6 +16786,55 @@ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" + }, + { + "dest-uuid": "7dd95ff6-712e-4056-9626-312ea4ab4c5e", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "30208d3e-0d6b-43c8-883e-44462a514619", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "348f1eef-964b-4eb6-bb53-69b3dcb0c643", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "64196062-5210-42c3-9a02-563a0d1797ef", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "128c55d3-aeba-469f-bd3e-c8996ab4112a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "774a3188-6ba9-4dc4-879d-d54ee48a5ce9", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "af2ad3b7-ab6a-4807-91fd-51bcaff9acbb", @@ -14680,13 +16877,6 @@ ], "type": "uses" }, - { - "dest-uuid": "1035cdf2-3e5f-446f-a7a7-e8f6d7925967", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "1b84d551-6de8-4b96-9930-d177677c3b1d", "tags": [ @@ -14700,13 +16890,20 @@ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" + }, + { + "dest-uuid": "1035cdf2-3e5f-446f-a7a7-e8f6d7925967", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "234e7770-99b0-4f65-b983-d3230f76a60b", "value": "Janicab - S0163" }, { - "description": "[CORESHELL](https://attack.mitre.org/software/S0137) is a downloader used by [APT28](https://attack.mitre.org/groups/G0007). The older versions of this malware are known as SOURFACE and newer versions as CORESHELL. It has also been referred to as Sofacy, though that term has been used widely to refer to both the group [APT28](https://attack.mitre.org/groups/G0007) and malware families associated with the group. (Citation: FireEye APT28) (Citation: FireEye APT28 January 2017)", + "description": "[CORESHELL](https://attack.mitre.org/software/S0137) is a downloader used by [APT28](https://attack.mitre.org/groups/G0007). The older versions of this malware are known as SOURFACE and newer versions as CORESHELL.(Citation: FireEye APT28) (Citation: FireEye APT28 January 2017)", "meta": { "external_id": "S0137", "mitre_platforms": [ @@ -14715,10 +16912,12 @@ "refs": [ "https://attack.mitre.org/software/S0137", "https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-apt28.pdf", - "https://www2.fireeye.com/rs/848-DID-242/images/APT28-Center-of-Storm-2017.pdf" + "https://www2.fireeye.com/rs/848-DID-242/images/APT28-Center-of-Storm-2017.pdf", + "https://securelist.com/a-slice-of-2017-sofacy-activity/83930/" ], "synonyms": [ "CORESHELL", + "Sofacy", "SOURFACE" ] }, @@ -14744,6 +16943,20 @@ ], "type": "uses" }, + { + "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "tags": [ @@ -14759,7 +16972,7 @@ "type": "uses" }, { - "dest-uuid": "cc7b8c4e-9be0-47ca-b0bb-83915ec3ee2f", + "dest-uuid": "3b3cbbe0-6ed3-4334-b543-3ddfd8c5642d", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -14773,21 +16986,7 @@ "type": "uses" }, { - "dest-uuid": "3b3cbbe0-6ed3-4334-b543-3ddfd8c5642d", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", + "dest-uuid": "cc7b8c4e-9be0-47ca-b0bb-83915ec3ee2f", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -14838,6 +17037,75 @@ "uuid": "0e18b800-906c-4e44-a143-b11c72b3448b", "value": "FLIPSIDE - S0173" }, + { + "description": "[POWERTON](https://attack.mitre.org/software/S0371) is a custom PowerShell backdoor first observed in 2018. It has typically been deployed as a late-stage backdoor by [APT33](https://attack.mitre.org/groups/G0064). At least two variants of the backdoor have been identified, with the later version containing improved functionality.(Citation: FireEye APT33 Guardrail)", + "meta": { + "external_id": "S0371", + "mitre_platforms": [ + "Windows" + ], + "refs": [ + "https://attack.mitre.org/software/S0371", + "https://www.fireeye.com/blog/threat-research/2018/12/overruled-containing-a-potentially-destructive-adversary.html" + ], + "synonyms": [ + "POWERTON" + ] + }, + "related": [ + { + "dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "e906ae4d-1d3a-4675-be23-22f7311c0da4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "f4882e23-8aa7-4b12-b28a-b349c12ee9e0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "4b74a1d4-b0e9-4ef1-93f1-14ecc6e2f5b5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "f879d51c-5476-431c-aedf-f14d207e4d1e", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + } + ], + "uuid": "e85cae1a-bce3-4ac4-b36b-b00acac0567b", + "value": "POWERTON - S0371" + }, { "description": "[Marcher](https://attack.mitre.org/software/S0317) is Android malware that is used for financial fraud. (Citation: Proofpoint-Marcher)", "meta": { @@ -14862,14 +17130,14 @@ "type": "uses" }, { - "dest-uuid": "82f04b1e-5371-4a6f-be06-411f0f43b483", + "dest-uuid": "3dd58c80-4c2e-458c-9503-1b2cd273c4d2", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "3dd58c80-4c2e-458c-9503-1b2cd273c4d2", + "dest-uuid": "82f04b1e-5371-4a6f-be06-411f0f43b483", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -14919,14 +17187,14 @@ "type": "uses" }, { - "dest-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0", + "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", + "dest-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -14952,6 +17220,13 @@ ] }, "related": [ + { + "dest-uuid": "d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "6683aa0c-d98a-4f5b-ac57-ca7e9934a760", "tags": [ @@ -14966,13 +17241,6 @@ ], "type": "uses" }, - { - "dest-uuid": "d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "e8b4e1ec-8e3b-484c-9038-4459b1ed8060", "tags": [ @@ -15041,55 +17309,6 @@ ], "type": "uses" }, - { - "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "f2d44246-91f1-478a-b6c8-1227e0ca109d", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "62b8c999-dcc0-4755-bd69-09442d9359f5", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "tags": [ @@ -15097,34 +17316,6 @@ ], "type": "uses" }, - { - "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "f3c544dc-673c-4ef3-accb-53229f1ae077", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "f879d51c-5476-431c-aedf-f14d207e4d1e", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", "tags": [ @@ -15132,12 +17323,96 @@ ], "type": "uses" }, + { + "dest-uuid": "f2d44246-91f1-478a-b6c8-1227e0ca109d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "4ae4f953-fe58-4cc8-a327-33257e30a830", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" + }, + { + "dest-uuid": "62b8c999-dcc0-4755-bd69-09442d9359f5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "f879d51c-5476-431c-aedf-f14d207e4d1e", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "f3c544dc-673c-4ef3-accb-53229f1ae077", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "d45a3d09-b3cf-48f4-9f0f-f521ee5cb05c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "00c3bfcb-99bd-4767-8c03-b08f585f5c8a", @@ -15194,14 +17469,14 @@ "type": "uses" }, { - "dest-uuid": "1b84d551-6de8-4b96-9930-d177677c3b1d", + "dest-uuid": "3b3cbbe0-6ed3-4334-b543-3ddfd8c5642d", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "3b3cbbe0-6ed3-4334-b543-3ddfd8c5642d", + "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -15214,6 +17489,13 @@ ], "type": "uses" }, + { + "dest-uuid": "1b84d551-6de8-4b96-9930-d177677c3b1d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "tags": [ @@ -15221,13 +17503,6 @@ ], "type": "uses" }, - { - "dest-uuid": "4b74a1d4-b0e9-4ef1-93f1-14ecc6e2f5b5", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc", "tags": [ @@ -15235,20 +17510,6 @@ ], "type": "uses" }, - { - "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", "tags": [ @@ -15262,6 +17523,20 @@ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" + }, + { + "dest-uuid": "4b74a1d4-b0e9-4ef1-93f1-14ecc6e2f5b5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "dc5d1a33-62aa-4a0c-aa8c-589b87beb11e", @@ -15314,7 +17589,14 @@ "type": "uses" }, { - "dest-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896", + "dest-uuid": "f2d44246-91f1-478a-b6c8-1227e0ca109d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -15335,14 +17617,7 @@ "type": "uses" }, { - "dest-uuid": "f2d44246-91f1-478a-b6c8-1227e0ca109d", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", + "dest-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -15446,13 +17721,6 @@ ], "type": "uses" }, - { - "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", "tags": [ @@ -15466,6 +17734,13 @@ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" + }, + { + "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "0b32ec39-ba61-4864-9ebe-b4b0b73caf9a", @@ -15501,20 +17776,6 @@ ], "type": "uses" }, - { - "dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "62b8c999-dcc0-4755-bd69-09442d9359f5", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", "tags": [ @@ -15530,7 +17791,14 @@ "type": "uses" }, { - "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", + "dest-uuid": "62b8c999-dcc0-4755-bd69-09442d9359f5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -15543,13 +17811,6 @@ ], "type": "uses" }, - { - "dest-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59", "tags": [ @@ -15570,6 +17831,20 @@ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" + }, + { + "dest-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "5f9f7648-04ba-4a9f-bb4c-2a13e74572bd", @@ -15605,62 +17880,6 @@ ], "type": "uses" }, - { - "dest-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "7e150503-88e7-4861-866b-ff1ac82c4475", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "cc7b8c4e-9be0-47ca-b0bb-83915ec3ee2f", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", "tags": [ @@ -15668,34 +17887,6 @@ ], "type": "uses" }, - { - "dest-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "72b74d71-8169-42aa-92e0-e7b04b9f5a08", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "241814ae-de3f-4656-b49e-f9a80764d4b7", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "f4882e23-8aa7-4b12-b28a-b349c12ee9e0", "tags": [ @@ -15703,6 +17894,34 @@ ], "type": "uses" }, + { + "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "72b74d71-8169-42aa-92e0-e7b04b9f5a08", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", "tags": [ @@ -15710,6 +17929,34 @@ ], "type": "uses" }, + { + "dest-uuid": "7e150503-88e7-4861-866b-ff1ac82c4475", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "15dbf668-795c-41e6-8219-f0447c0e64ce", "tags": [ @@ -15723,6 +17970,34 @@ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" + }, + { + "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "241814ae-de3f-4656-b49e-f9a80764d4b7", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "cc7b8c4e-9be0-47ca-b0bb-83915ec3ee2f", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "09b2cd76-c674-47cc-9f57-d2f2ad150a46", @@ -15766,63 +18041,7 @@ "type": "uses" }, { - "dest-uuid": "3b3cbbe0-6ed3-4334-b543-3ddfd8c5642d", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "30208d3e-0d6b-43c8-883e-44462a514619", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "ca1a3f50-5ebd-41f8-8320-2c7d6a6e88be", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "241814ae-de3f-4656-b49e-f9a80764d4b7", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "799ace7f-e227-4411-baa0-8868704f2a69", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc", + "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -15836,14 +18055,14 @@ "type": "uses" }, { - "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", + "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688", + "dest-uuid": "799ace7f-e227-4411-baa0-8868704f2a69", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -15856,27 +18075,6 @@ ], "type": "uses" }, - { - "dest-uuid": "1b84d551-6de8-4b96-9930-d177677c3b1d", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "f3c544dc-673c-4ef3-accb-53229f1ae077", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "348f1eef-964b-4eb6-bb53-69b3dcb0c643", "tags": [ @@ -15885,28 +18083,35 @@ "type": "uses" }, { - "dest-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59", + "dest-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "62b8c999-dcc0-4755-bd69-09442d9359f5", + "dest-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "f72eb8a8-cd4c-461d-a814-3f862befbf00", + "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", + "dest-uuid": "3b3cbbe0-6ed3-4334-b543-3ddfd8c5642d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "ca1a3f50-5ebd-41f8-8320-2c7d6a6e88be", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -15919,12 +18124,82 @@ ], "type": "uses" }, + { + "dest-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "f3c544dc-673c-4ef3-accb-53229f1ae077", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "1b84d551-6de8-4b96-9930-d177677c3b1d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" + }, + { + "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "f72eb8a8-cd4c-461d-a814-3f862befbf00", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "241814ae-de3f-4656-b49e-f9a80764d4b7", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "62b8c999-dcc0-4755-bd69-09442d9359f5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "30208d3e-0d6b-43c8-883e-44462a514619", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "92ec0cbd-2c30-44a2-b270-73f4ec949841", @@ -15974,20 +18249,6 @@ ], "type": "uses" }, - { - "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "f879d51c-5476-431c-aedf-f14d207e4d1e", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "7fd87010-3a00-4da3-b905-410525e8ec44", "tags": [ @@ -15995,55 +18256,6 @@ ], "type": "uses" }, - { - "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "4b74a1d4-b0e9-4ef1-93f1-14ecc6e2f5b5", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "478aa214-2ca7-4ec0-9978-18798e514790", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "f72eb8a8-cd4c-461d-a814-3f862befbf00", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "f3c544dc-673c-4ef3-accb-53229f1ae077", "tags": [ @@ -16052,14 +18264,42 @@ "type": "uses" }, { - "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", + "dest-uuid": "f72eb8a8-cd4c-461d-a814-3f862befbf00", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "c21d5a77-d422-4a69-acd7-2c53c1faa34b", + "dest-uuid": "4b74a1d4-b0e9-4ef1-93f1-14ecc6e2f5b5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "f879d51c-5476-431c-aedf-f14d207e4d1e", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "478aa214-2ca7-4ec0-9978-18798e514790", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -16072,6 +18312,34 @@ ], "type": "uses" }, + { + "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "348f1eef-964b-4eb6-bb53-69b3dcb0c643", "tags": [ @@ -16080,7 +18348,14 @@ "type": "uses" }, { - "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", + "dest-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "c21d5a77-d422-4a69-acd7-2c53c1faa34b", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -16120,6 +18395,13 @@ ], "type": "uses" }, + { + "dest-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59", "tags": [ @@ -16134,13 +18416,6 @@ ], "type": "uses" }, - { - "dest-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "c21d5a77-d422-4a69-acd7-2c53c1faa34b", "tags": [ @@ -16230,6 +18505,20 @@ ], "type": "uses" }, + { + "dest-uuid": "7e150503-88e7-4861-866b-ff1ac82c4475", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "72b74d71-8169-42aa-92e0-e7b04b9f5a08", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", "tags": [ @@ -16237,6 +18526,20 @@ ], "type": "uses" }, + { + "dest-uuid": "15dbf668-795c-41e6-8219-f0447c0e64ce", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "3489cfc5-640f-4bb3-a103-9137b97de79f", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "e358d692-23c0-4a31-9eb6-ecc13a8d7735", "tags": [ @@ -16250,34 +18553,6 @@ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" - }, - { - "dest-uuid": "72b74d71-8169-42aa-92e0-e7b04b9f5a08", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "15dbf668-795c-41e6-8219-f0447c0e64ce", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "7e150503-88e7-4861-866b-ff1ac82c4475", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "3489cfc5-640f-4bb3-a103-9137b97de79f", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" } ], "uuid": "f6d1d2cb-12f5-4221-9636-44606ea1f3f8", @@ -16320,6 +18595,13 @@ ], "type": "uses" }, + { + "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "4ae4f953-fe58-4cc8-a327-33257e30a830", "tags": [ @@ -16340,13 +18622,6 @@ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" - }, - { - "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" } ], "uuid": "9ca488bd-9587-48ef-b923-1743523e63b2", @@ -16376,14 +18651,14 @@ "type": "uses" }, { - "dest-uuid": "c16e5409-ee53-4d79-afdc-4099dc9292df", + "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", + "dest-uuid": "c16e5409-ee53-4d79-afdc-4099dc9292df", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -16438,14 +18713,14 @@ "type": "uses" }, { - "dest-uuid": "f72eb8a8-cd4c-461d-a814-3f862befbf00", + "dest-uuid": "c21d5a77-d422-4a69-acd7-2c53c1faa34b", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "c21d5a77-d422-4a69-acd7-2c53c1faa34b", + "dest-uuid": "f72eb8a8-cd4c-461d-a814-3f862befbf00", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -16541,14 +18816,14 @@ "type": "uses" }, { - "dest-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9", + "dest-uuid": "f44731de-ea9f-406d-9b83-30ecbb9b4392", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "f44731de-ea9f-406d-9b83-30ecbb9b4392", + "dest-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -16589,6 +18864,27 @@ ], "type": "uses" }, + { + "dest-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "62b8c999-dcc0-4755-bd69-09442d9359f5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2", "tags": [ @@ -16604,7 +18900,14 @@ "type": "uses" }, { - "dest-uuid": "62b8c999-dcc0-4755-bd69-09442d9359f5", + "dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -16617,40 +18920,12 @@ ], "type": "uses" }, - { - "dest-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" - }, - { - "dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" } ], "uuid": "1cc934e4-b01d-4543-a011-b988dfc1a458", @@ -16681,13 +18956,6 @@ ], "type": "uses" }, - { - "dest-uuid": "f44731de-ea9f-406d-9b83-30ecbb9b4392", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "241814ae-de3f-4656-b49e-f9a80764d4b7", "tags": [ @@ -16696,7 +18964,14 @@ "type": "uses" }, { - "dest-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59", + "dest-uuid": "b21c3b2d-02e6-45b1-980b-e69051040839", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "6e6845c2-347a-4a6f-a2d1-b74a18ebd352", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -16717,14 +18992,14 @@ "type": "uses" }, { - "dest-uuid": "b21c3b2d-02e6-45b1-980b-e69051040839", + "dest-uuid": "f44731de-ea9f-406d-9b83-30ecbb9b4392", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "6e6845c2-347a-4a6f-a2d1-b74a18ebd352", + "dest-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -16778,20 +19053,6 @@ ], "type": "uses" }, - { - "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "f4882e23-8aa7-4b12-b28a-b349c12ee9e0", "tags": [ @@ -16812,6 +19073,20 @@ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" + }, + { + "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "e48df773-7c95-4a4c-ba70-ea3d15900148", @@ -16850,14 +19125,35 @@ "type": "uses" }, { - "dest-uuid": "970cdb5c-02fb-4c38-b17e-d6327cf3c810", + "dest-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9", + "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "514ede4c-78b3-4d78-a38b-daddf6217a79", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "128c55d3-aeba-469f-bd3e-c8996ab4112a", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -16870,6 +19166,27 @@ ], "type": "uses" }, + { + "dest-uuid": "731f4f55-b6d0-41d1-a7a9-072a66389aea", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "1b84d551-6de8-4b96-9930-d177677c3b1d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "3b3cbbe0-6ed3-4334-b543-3ddfd8c5642d", "tags": [ @@ -16877,6 +19194,20 @@ ], "type": "uses" }, + { + "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "970cdb5c-02fb-4c38-b17e-d6327cf3c810", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59", "tags": [ @@ -16892,63 +19223,7 @@ "type": "uses" }, { - "dest-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "1b84d551-6de8-4b96-9930-d177677c3b1d", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "514ede4c-78b3-4d78-a38b-daddf6217a79", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "731f4f55-b6d0-41d1-a7a9-072a66389aea", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "128c55d3-aeba-469f-bd3e-c8996ab4112a", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", + "dest-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -16989,6 +19264,20 @@ ], "type": "uses" }, + { + "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "62b8c999-dcc0-4755-bd69-09442d9359f5", "tags": [ @@ -17010,26 +19299,12 @@ ], "type": "uses" }, - { - "dest-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" - }, - { - "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" } ], "uuid": "5c6ed2dc-37f4-40ea-b2e1-4c76140a388c", @@ -17080,13 +19355,6 @@ ], "type": "uses" }, - { - "dest-uuid": "d54416bd-0803-41ca-870a-ce1af7c05638", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "478aa214-2ca7-4ec0-9978-18798e514790", "tags": [ @@ -17100,6 +19368,13 @@ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" + }, + { + "dest-uuid": "d54416bd-0803-41ca-870a-ce1af7c05638", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "9752aef4-a1f3-4328-929f-b64eb0536090", @@ -17139,7 +19414,7 @@ "type": "uses" }, { - "dest-uuid": "00d0b012-8a03-410e-95de-5826bf542de6", + "dest-uuid": "1b84d551-6de8-4b96-9930-d177677c3b1d", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -17153,49 +19428,14 @@ "type": "uses" }, { - "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", + "dest-uuid": "00d0b012-8a03-410e-95de-5826bf542de6", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "1b84d551-6de8-4b96-9930-d177677c3b1d", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "6ff403bc-93e3-48be-8687-e102fdba8c88", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2", + "dest-uuid": "ad255bfe-a9e6-4b52-a258-8d3462abe842", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -17209,7 +19449,28 @@ "type": "uses" }, { - "dest-uuid": "ad255bfe-a9e6-4b52-a258-8d3462abe842", + "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "6ff403bc-93e3-48be-8687-e102fdba8c88", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -17230,14 +19491,28 @@ "type": "uses" }, { - "dest-uuid": "cc7b8c4e-9be0-47ca-b0bb-83915ec3ee2f", + "dest-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0", + "dest-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "cc7b8c4e-9be0-47ca-b0bb-83915ec3ee2f", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -17385,13 +19660,6 @@ ], "type": "uses" }, - { - "dest-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "1b84d551-6de8-4b96-9930-d177677c3b1d", "tags": [ @@ -17400,14 +19668,21 @@ "type": "uses" }, { - "dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688", + "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", + "dest-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -17441,7 +19716,7 @@ "type": "uses" }, { - "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", + "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -17455,7 +19730,7 @@ "type": "uses" }, { - "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", + "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -17503,13 +19778,6 @@ ], "type": "uses" }, - { - "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d", "tags": [ @@ -17524,6 +19792,13 @@ ], "type": "uses" }, + { + "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", "tags": [ @@ -17558,6 +19833,13 @@ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" + }, + { + "dest-uuid": "54456690-84de-4538-9101-643e26437e09", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "b0f13390-cec7-4814-b37c-ccec01887faa", @@ -17572,10 +19854,13 @@ ], "refs": [ "https://attack.mitre.org/software/S0223", - "https://researchcenter.paloaltonetworks.com/2017/11/unit42-muddying-the-water-targeted-attacks-in-the-middle-east/" + "https://researchcenter.paloaltonetworks.com/2017/11/unit42-muddying-the-water-targeted-attacks-in-the-middle-east/", + "https://www.clearskysec.com/wp-content/uploads/2018/11/MuddyWater-Operations-in-Lebanon-and-Oman.pdf", + "https://www.symantec.com/blogs/threat-intelligence/seedworm-espionage-group" ], "synonyms": [ - "POWERSTATS" + "POWERSTATS", + "Powermud" ] }, "related": [ @@ -17586,27 +19871,6 @@ ], "type": "uses" }, - { - "dest-uuid": "c848fcf7-6b62-4bde-8216-b6c157d48da0", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59", "tags": [ @@ -17615,7 +19879,14 @@ "type": "uses" }, { - "dest-uuid": "241814ae-de3f-4656-b49e-f9a80764d4b7", + "dest-uuid": "c848fcf7-6b62-4bde-8216-b6c157d48da0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -17628,13 +19899,6 @@ ], "type": "uses" }, - { - "dest-uuid": "4eeaf8a9-c86b-4954-a663-9555fb406466", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", "tags": [ @@ -17643,70 +19907,7 @@ "type": "uses" }, { - "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "edbe24e9-aec4-4994-ac75-6a6bc7f1ddd0", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "772bc7a8-a157-42cc-8728-d648e25c7fe7", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "f4882e23-8aa7-4b12-b28a-b349c12ee9e0", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "731f4f55-b6d0-41d1-a7a9-072a66389aea", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "72b74d71-8169-42aa-92e0-e7b04b9f5a08", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "cc7b8c4e-9be0-47ca-b0bb-83915ec3ee2f", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "f879d51c-5476-431c-aedf-f14d207e4d1e", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "4b74a1d4-b0e9-4ef1-93f1-14ecc6e2f5b5", + "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -17719,12 +19920,124 @@ ], "type": "uses" }, + { + "dest-uuid": "edbe24e9-aec4-4994-ac75-6a6bc7f1ddd0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7fd87010-3a00-4da3-b905-410525e8ec44", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "4eeaf8a9-c86b-4954-a663-9555fb406466", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "241814ae-de3f-4656-b49e-f9a80764d4b7", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "72b74d71-8169-42aa-92e0-e7b04b9f5a08", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "f4882e23-8aa7-4b12-b28a-b349c12ee9e0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "731f4f55-b6d0-41d1-a7a9-072a66389aea", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "4b74a1d4-b0e9-4ef1-93f1-14ecc6e2f5b5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "772bc7a8-a157-42cc-8728-d648e25c7fe7", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "f879d51c-5476-431c-aedf-f14d207e4d1e", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "cc7b8c4e-9be0-47ca-b0bb-83915ec3ee2f", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "2e0dd10b-676d-4964-acd0-8a404c92b044", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" + }, + { + "dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "e8545794-b98c-492b-a5b3-4b5a02682e37", @@ -17761,14 +20074,14 @@ "type": "uses" }, { - "dest-uuid": "351c0927-2fc1-4a2c-ad84-cbbee7eb8172", + "dest-uuid": "76c12fc8-a4eb-45d6-a3b7-e371a7248f69", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "76c12fc8-a4eb-45d6-a3b7-e371a7248f69", + "dest-uuid": "351c0927-2fc1-4a2c-ad84-cbbee7eb8172", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -17843,6 +20156,55 @@ ], "type": "uses" }, + { + "dest-uuid": "322bad5a-1c49-4d23-ab79-76d641794afa", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "799ace7f-e227-4411-baa0-8868704f2a69", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", "tags": [ @@ -17857,34 +20219,6 @@ ], "type": "uses" }, - { - "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "322bad5a-1c49-4d23-ab79-76d641794afa", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670", "tags": [ @@ -17893,21 +20227,7 @@ "type": "uses" }, { - "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "799ace7f-e227-4411-baa0-8868704f2a69", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", + "dest-uuid": "82caa33e-d11a-433a-94ea-9b5a5fbef81d", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -17940,20 +20260,6 @@ ], "type": "uses" }, - { - "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "4b74a1d4-b0e9-4ef1-93f1-14ecc6e2f5b5", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", "tags": [ @@ -17961,12 +20267,26 @@ ], "type": "uses" }, + { + "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" + }, + { + "dest-uuid": "4b74a1d4-b0e9-4ef1-93f1-14ecc6e2f5b5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "d1183cb9-258e-4f2f-8415-50ac8252c49e", @@ -18010,27 +20330,6 @@ ], "type": "uses" }, - { - "dest-uuid": "7fd87010-3a00-4da3-b905-410525e8ec44", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59", "tags": [ @@ -18038,13 +20337,6 @@ ], "type": "uses" }, - { - "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "2e0dd10b-676d-4964-acd0-8a404c92b044", "tags": [ @@ -18052,13 +20344,6 @@ ], "type": "uses" }, - { - "dest-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "tags": [ @@ -18066,12 +20351,47 @@ ], "type": "uses" }, + { + "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" + }, + { + "dest-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7fd87010-3a00-4da3-b905-410525e8ec44", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "705f0783-5f7d-4491-b6b7-9628e6e006d2", @@ -18093,6 +20413,34 @@ ] }, "related": [ + { + "dest-uuid": "dc27c2ec-c5f9-4228-ba57-d67b590bda93", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "1035cdf2-3e5f-446f-a7a7-e8f6d7925967", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "30973a08-aed9-4edf-8604-9084ce1b5c4f", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", "tags": [ @@ -18107,34 +20455,6 @@ ], "type": "uses" }, - { - "dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "dc27c2ec-c5f9-4228-ba57-d67b590bda93", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "30973a08-aed9-4edf-8604-9084ce1b5c4f", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "dd901512-6e37-4155-943b-453e3777b125", "tags": [ @@ -18143,14 +20463,14 @@ "type": "uses" }, { - "dest-uuid": "7d751199-05fa-4a72-920f-85df4506c76c", + "dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "1035cdf2-3e5f-446f-a7a7-e8f6d7925967", + "dest-uuid": "7d751199-05fa-4a72-920f-85df4506c76c", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -18191,14 +20511,14 @@ "type": "uses" }, { - "dest-uuid": "6683aa0c-d98a-4f5b-ac57-ca7e9934a760", + "dest-uuid": "4e6620ac-c30c-4f6d-918e-fa20cae7c1ce", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "4e6620ac-c30c-4f6d-918e-fa20cae7c1ce", + "dest-uuid": "6683aa0c-d98a-4f5b-ac57-ca7e9934a760", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -18254,62 +20574,6 @@ ], "type": "uses" }, - { - "dest-uuid": "799ace7f-e227-4411-baa0-8868704f2a69", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "1c338d0f-a65e-4073-a5c1-c06878849f21", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "7fd87010-3a00-4da3-b905-410525e8ec44", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "830c9528-df21-472c-8c14-a036bf17d665", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "68f7e3a1-f09f-4164-9a62-16b648a0dd5a", "tags": [ @@ -18324,12 +20588,68 @@ ], "type": "uses" }, + { + "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "799ace7f-e227-4411-baa0-8868704f2a69", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" + }, + { + "dest-uuid": "1c338d0f-a65e-4073-a5c1-c06878849f21", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7fd87010-3a00-4da3-b905-410525e8ec44", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "830c9528-df21-472c-8c14-a036bf17d665", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "06d735e7-1db1-4dbe-ab4b-acbe419f902b", @@ -18373,14 +20693,14 @@ "type": "uses" }, { - "dest-uuid": "9d7c32f4-ab39-49dc-8055-8106bc2294a1", + "dest-uuid": "d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a", + "dest-uuid": "9d7c32f4-ab39-49dc-8055-8106bc2294a1", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -18420,20 +20740,6 @@ ], "type": "uses" }, - { - "dest-uuid": "15dbf668-795c-41e6-8219-f0447c0e64ce", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "e358d692-23c0-4a31-9eb6-ecc13a8d7735", "tags": [ @@ -18448,6 +20754,20 @@ ], "type": "uses" }, + { + "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "e3a12395-188d-4051-9a16-ea8e14d07b88", "tags": [ @@ -18463,7 +20783,7 @@ "type": "uses" }, { - "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", + "dest-uuid": "15dbf668-795c-41e6-8219-f0447c0e64ce", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -18498,14 +20818,14 @@ "type": "uses" }, { - "dest-uuid": "6faf650d-bf31-4eb4-802d-1000cf38efaf", + "dest-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", + "dest-uuid": "6faf650d-bf31-4eb4-802d-1000cf38efaf", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -18519,14 +20839,14 @@ "type": "uses" }, { - "dest-uuid": "1c338d0f-a65e-4073-a5c1-c06878849f21", + "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2", + "dest-uuid": "1c338d0f-a65e-4073-a5c1-c06878849f21", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -18593,27 +20913,6 @@ ] }, "related": [ - { - "dest-uuid": "4e6620ac-c30c-4f6d-918e-fa20cae7c1ce", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "b3c2e5de-0941-4b57-ba61-af029eb5517a", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "79eec66a-9bd0-4a3f-ac82-19159e94bd44", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "e8b4e1ec-8e3b-484c-9038-4459b1ed8060", "tags": [ @@ -18621,55 +20920,6 @@ ], "type": "uses" }, - { - "dest-uuid": "2204c371-6100-4ae0-82f3-25c07c29772a", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "99e6295e-741b-4857-b6e5-64989eb039b4", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "bd4d32f5-eed4-4018-a649-40b229dd1d69", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "351c0927-2fc1-4a2c-ad84-cbbee7eb8172", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "6683aa0c-d98a-4f5b-ac57-ca7e9934a760", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "6c49d50f-494d-4150-b774-a655022d20a6", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "702055ac-4e54-4ae9-9527-e23a38e0b160", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "d4536441-1bcc-49fa-80ae-a596ed3f7ffd", "tags": [ @@ -18677,17 +20927,219 @@ ], "type": "uses" }, + { + "dest-uuid": "bd4d32f5-eed4-4018-a649-40b229dd1d69", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "6c49d50f-494d-4150-b774-a655022d20a6", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "4e6620ac-c30c-4f6d-918e-fa20cae7c1ce", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "2204c371-6100-4ae0-82f3-25c07c29772a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "351c0927-2fc1-4a2c-ad84-cbbee7eb8172", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "c5089859-b21f-40a3-8be4-63e381b8b1c0", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" + }, + { + "dest-uuid": "702055ac-4e54-4ae9-9527-e23a38e0b160", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "6683aa0c-d98a-4f5b-ac57-ca7e9934a760", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "99e6295e-741b-4857-b6e5-64989eb039b4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "79eec66a-9bd0-4a3f-ac82-19159e94bd44", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "b3c2e5de-0941-4b57-ba61-af029eb5517a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "86fc6f0c-86d9-473e-89f3-f50f3cb9319b", "value": "SpyDealer - S0324" }, + { + "description": "[GreyEnergy](https://attack.mitre.org/software/S0342) is a backdoor written in C and compiled in Visual Studio. [GreyEnergy](https://attack.mitre.org/software/S0342) shares similarities with the [BlackEnergy](https://attack.mitre.org/software/S0089) malware and is thought to be the successor of it.(Citation: ESET GreyEnergy Oct 2018)", + "meta": { + "external_id": "S0342", + "mitre_platforms": [ + "Windows" + ], + "refs": [ + "https://attack.mitre.org/software/S0342", + "https://www.welivesecurity.com/wp-content/uploads/2018/10/ESET_GreyEnergy.pdf" + ], + "synonyms": [ + "GreyEnergy" + ] + }, + "related": [ + { + "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "62dfd1ca-52d5-483c-a84b-d6e80bf94b7b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7d751199-05fa-4a72-920f-85df4506c76c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "6ff403bc-93e3-48be-8687-e102fdba8c88", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "4b74a1d4-b0e9-4ef1-93f1-14ecc6e2f5b5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "322bad5a-1c49-4d23-ab79-76d641794afa", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "1b84d551-6de8-4b96-9930-d177677c3b1d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "62b8c999-dcc0-4755-bd69-09442d9359f5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + } + ], + "uuid": "308b3d68-a084-4dfb-885a-3125e1a9c1e8", + "value": "GreyEnergy - S0342" + }, { "description": "[CrossRAT](https://attack.mitre.org/software/S0235) is a cross platform RAT.", "meta": { @@ -18706,13 +21158,6 @@ ] }, "related": [ - { - "dest-uuid": "dd901512-6e37-4155-943b-453e3777b125", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", "tags": [ @@ -18721,7 +21166,7 @@ "type": "uses" }, { - "dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688", + "dest-uuid": "dd901512-6e37-4155-943b-453e3777b125", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -18733,6 +21178,13 @@ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" + }, + { + "dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "a5e91d50-24fa-44ec-9894-39a88f658cea", @@ -18755,21 +21207,7 @@ }, "related": [ { - "dest-uuid": "2e0dd10b-676d-4964-acd0-8a404c92b044", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "799ace7f-e227-4411-baa0-8868704f2a69", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc", + "dest-uuid": "b9f5dbe2-4c55-4fc5-af2e-d42c1d182ec4", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -18782,20 +21220,6 @@ ], "type": "uses" }, - { - "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "b9f5dbe2-4c55-4fc5-af2e-d42c1d182ec4", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59", "tags": [ @@ -18816,6 +21240,34 @@ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" + }, + { + "dest-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "2e0dd10b-676d-4964-acd0-8a404c92b044", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "799ace7f-e227-4411-baa0-8868704f2a69", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "60d50676-459a-47dd-92e9-a827a9fe9c58", @@ -18838,14 +21290,14 @@ }, "related": [ { - "dest-uuid": "f981d199-2720-467e-9dc9-eea04dbe05cf", + "dest-uuid": "6c49d50f-494d-4150-b774-a655022d20a6", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "6c49d50f-494d-4150-b774-a655022d20a6", + "dest-uuid": "f981d199-2720-467e-9dc9-eea04dbe05cf", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -18871,13 +21323,6 @@ ] }, "related": [ - { - "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59", "tags": [ @@ -18885,97 +21330,6 @@ ], "type": "uses" }, - { - "dest-uuid": "731f4f55-b6d0-41d1-a7a9-072a66389aea", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "8c32eb4d-805f-4fc5-bf60-c4d476c131b5", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "f879d51c-5476-431c-aedf-f14d207e4d1e", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "62dfd1ca-52d5-483c-a84b-d6e80bf94b7b", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "f72eb8a8-cd4c-461d-a814-3f862befbf00", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "c848fcf7-6b62-4bde-8216-b6c157d48da0", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "478aa214-2ca7-4ec0-9978-18798e514790", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "7fd87010-3a00-4da3-b905-410525e8ec44", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "tags": [ @@ -18983,12 +21337,110 @@ ], "type": "uses" }, + { + "dest-uuid": "731f4f55-b6d0-41d1-a7a9-072a66389aea", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "f879d51c-5476-431c-aedf-f14d207e4d1e", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "8c32eb4d-805f-4fc5-bf60-c4d476c131b5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7fd87010-3a00-4da3-b905-410525e8ec44", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "2e0dd10b-676d-4964-acd0-8a404c92b044", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" + }, + { + "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "f72eb8a8-cd4c-461d-a814-3f862befbf00", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "c848fcf7-6b62-4bde-8216-b6c157d48da0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "478aa214-2ca7-4ec0-9978-18798e514790", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "62dfd1ca-52d5-483c-a84b-d6e80bf94b7b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "7ba0fc46-197d-466d-8b9f-f1c64d5d81e5", @@ -19011,21 +21463,7 @@ }, "related": [ { - "dest-uuid": "6683aa0c-d98a-4f5b-ac57-ca7e9934a760", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "53263a67-075e-48fa-974b-91c5b5445db7", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "d4536441-1bcc-49fa-80ae-a596ed3f7ffd", + "dest-uuid": "8f0e39c6-82c9-41ec-9f93-5696c0f2e274", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -19038,6 +21476,13 @@ ], "type": "uses" }, + { + "dest-uuid": "d4536441-1bcc-49fa-80ae-a596ed3f7ffd", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "89fcd02f-62dc-40b9-a54b-9ac4b1baef05", "tags": [ @@ -19060,7 +21505,14 @@ "type": "uses" }, { - "dest-uuid": "8f0e39c6-82c9-41ec-9f93-5696c0f2e274", + "dest-uuid": "53263a67-075e-48fa-974b-91c5b5445db7", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "6683aa0c-d98a-4f5b-ac57-ca7e9934a760", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -19087,42 +21539,7 @@ }, "related": [ { - "dest-uuid": "62b8c999-dcc0-4755-bd69-09442d9359f5", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "7e150503-88e7-4861-866b-ff1ac82c4475", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "b6075259-dba3-44e9-87c7-e954f37ec0d5", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "f24faf46-3b26-4dbb-98f2-63460498e433", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "322bad5a-1c49-4d23-ab79-76d641794afa", + "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -19135,48 +21552,6 @@ ], "type": "uses" }, - { - "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "e358d692-23c0-4a31-9eb6-ecc13a8d7735", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "519630c5-f03f-4882-825c-3af924935817", "tags": [ @@ -19185,21 +21560,7 @@ "type": "uses" }, { - "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "3489cfc5-640f-4bb3-a103-9137b97de79f", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", + "dest-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -19213,7 +21574,49 @@ "type": "uses" }, { - "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", + "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "e358d692-23c0-4a31-9eb6-ecc13a8d7735", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7e150503-88e7-4861-866b-ff1ac82c4475", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "b6075259-dba3-44e9-87c7-e954f37ec0d5", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -19226,12 +21629,61 @@ ], "type": "uses" }, + { + "dest-uuid": "3489cfc5-640f-4bb3-a103-9137b97de79f", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "ffe742ed-9100-4686-9e00-c331da544787", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" + }, + { + "dest-uuid": "62b8c999-dcc0-4755-bd69-09442d9359f5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "f24faf46-3b26-4dbb-98f2-63460498e433", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "322bad5a-1c49-4d23-ab79-76d641794afa", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "c2417bab-3189-4d4d-9d60-96de2cdaf0ab", @@ -19254,7 +21706,7 @@ }, "related": [ { - "dest-uuid": "f3c544dc-673c-4ef3-accb-53229f1ae077", + "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -19268,7 +21720,35 @@ "type": "uses" }, { - "dest-uuid": "c848fcf7-6b62-4bde-8216-b6c157d48da0", + "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "00d0b012-8a03-410e-95de-5826bf542de6", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "1b7ba276-eedc-4951-a762-0ceea2c030ec", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -19289,63 +21769,7 @@ "type": "uses" }, { - "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "7e150503-88e7-4861-866b-ff1ac82c4475", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "1b7ba276-eedc-4951-a762-0ceea2c030ec", + "dest-uuid": "c848fcf7-6b62-4bde-8216-b6c157d48da0", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -19359,14 +21783,35 @@ "type": "uses" }, { - "dest-uuid": "00d0b012-8a03-410e-95de-5826bf542de6", + "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", + "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "f3c544dc-673c-4ef3-accb-53229f1ae077", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -19378,6 +21823,20 @@ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" + }, + { + "dest-uuid": "7e150503-88e7-4861-866b-ff1ac82c4475", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "82caa33e-d11a-433a-94ea-9b5a5fbef81d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "1d1fce2f-0db5-402b-9843-4278a0694637", @@ -19399,13 +21858,6 @@ ] }, "related": [ - { - "dest-uuid": "731f4f55-b6d0-41d1-a7a9-072a66389aea", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d", "tags": [ @@ -19420,6 +21872,13 @@ ], "type": "uses" }, + { + "dest-uuid": "731f4f55-b6d0-41d1-a7a9-072a66389aea", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", "tags": [ @@ -19455,14 +21914,7 @@ }, "related": [ { - "dest-uuid": "6c49d50f-494d-4150-b774-a655022d20a6", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "6683aa0c-d98a-4f5b-ac57-ca7e9934a760", + "dest-uuid": "b3c2e5de-0941-4b57-ba61-af029eb5517a", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -19475,6 +21927,13 @@ ], "type": "uses" }, + { + "dest-uuid": "702055ac-4e54-4ae9-9527-e23a38e0b160", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "6a3f6490-9c44-40de-b059-e5940f246673", "tags": [ @@ -19483,14 +21942,14 @@ "type": "uses" }, { - "dest-uuid": "b3c2e5de-0941-4b57-ba61-af029eb5517a", + "dest-uuid": "6683aa0c-d98a-4f5b-ac57-ca7e9934a760", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "702055ac-4e54-4ae9-9527-e23a38e0b160", + "dest-uuid": "6c49d50f-494d-4150-b774-a655022d20a6", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -19501,31 +21960,35 @@ "value": "Skygofree - S0327" }, { - "description": "[jRAT](https://attack.mitre.org/software/S0283) is a cross-platform remote access tool that was first observed in November 2017. (Citation: jRAT Symantec Aug 2018)", + "description": "[jRAT](https://attack.mitre.org/software/S0283) is a cross-platform, Java-based backdoor originally available for purchase in 2012. Variants of [jRAT](https://attack.mitre.org/software/S0283) have been distributed via a software-as-a-service platform, similar to an online subscription model.(Citation: Kaspersky Adwind Feb 2016) (Citation: jRAT Symantec Aug 2018)", "meta": { "external_id": "S0283", "mitre_platforms": [ "Linux", "Windows", - "macOS" + "macOS", + "Android" ], "refs": [ "https://attack.mitre.org/software/S0283", - "https://www.symantec.com/blogs/threat-intelligence/jrat-new-anti-parsing-techniques" + "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07195002/KL_AdwindPublicReport_2016.pdf", + "https://www.symantec.com/blogs/threat-intelligence/jrat-new-anti-parsing-techniques", + "https://s3.eu-west-1.amazonaws.com/ncsc-content/files/Joint%20report%20on%20publicly%20available%20hacking%20tools%20%28NCSC%29.pdf" ], "synonyms": [ "jRAT", + "JSocket", + "AlienSpy", + "Frutas", + "Sockrat", + "Unrecom", + "jFrutas", + "Adwind", + "jBiFrost", "Trojan.Maljava" ] }, "related": [ - { - "dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "6faf650d-bf31-4eb4-802d-1000cf38efaf", "tags": [ @@ -19534,14 +21997,14 @@ "type": "uses" }, { - "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", + "dest-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59", + "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -19561,6 +22024,13 @@ ], "type": "uses" }, + { + "dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2", "tags": [ @@ -19574,6 +22044,132 @@ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" + }, + { + "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7fd87010-3a00-4da3-b905-410525e8ec44", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7e150503-88e7-4861-866b-ff1ac82c4475", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "6ff403bc-93e3-48be-8687-e102fdba8c88", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "2ba5aa71-9d15-4b22-b726-56af06d9ad2f", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "322bad5a-1c49-4d23-ab79-76d641794afa", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "1035cdf2-3e5f-446f-a7a7-e8f6d7925967", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "56ff457d-5e39-492b-974c-dfd2b8603ffe", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "30973a08-aed9-4edf-8604-9084ce1b5c4f", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "51dea151-0898-4a45-967c-3ebee0420484", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "731f4f55-b6d0-41d1-a7a9-072a66389aea", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "348f1eef-964b-4eb6-bb53-69b3dcb0c643", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "4eeaf8a9-c86b-4954-a663-9555fb406466", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "ba8e391f-14b5-496f-81f2-2d5ecd646c1c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "efece7e8-e40b-49c2-9f84-c55c5c93d05c", @@ -19595,34 +22191,6 @@ ] }, "related": [ - { - "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "92d7da27-2d91-488e-a00c-059dc162766d", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "f879d51c-5476-431c-aedf-f14d207e4d1e", "tags": [ @@ -19630,41 +22198,6 @@ ], "type": "uses" }, - { - "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "7fd87010-3a00-4da3-b905-410525e8ec44", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "f44731de-ea9f-406d-9b83-30ecbb9b4392", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "f3c544dc-673c-4ef3-accb-53229f1ae077", "tags": [ @@ -19673,7 +22206,14 @@ "type": "uses" }, { - "dest-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896", + "dest-uuid": "7fd87010-3a00-4da3-b905-410525e8ec44", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -19686,6 +22226,27 @@ ], "type": "uses" }, + { + "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "f44731de-ea9f-406d-9b83-30ecbb9b4392", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", "tags": [ @@ -19693,12 +22254,54 @@ ], "type": "uses" }, + { + "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "92d7da27-2d91-488e-a00c-059dc162766d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" + }, + { + "dest-uuid": "d45a3d09-b3cf-48f4-9f0f-f521ee5cb05c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "069af411-9b24-4e85-b26c-623d035bbe84", @@ -19729,7 +22332,7 @@ "type": "uses" }, { - "dest-uuid": "76c12fc8-a4eb-45d6-a3b7-e371a7248f69", + "dest-uuid": "d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -19743,14 +22346,14 @@ "type": "uses" }, { - "dest-uuid": "d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a", + "dest-uuid": "c5089859-b21f-40a3-8be4-63e381b8b1c0", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "c5089859-b21f-40a3-8be4-63e381b8b1c0", + "dest-uuid": "76c12fc8-a4eb-45d6-a3b7-e371a7248f69", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -19777,6 +22380,20 @@ ] }, "related": [ + { + "dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "be2dcee9-a7a7-4e38-afd6-21b31ecc3d63", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "dcaa092b-7de9-4a21-977f-7fcb77e89c48", "tags": [ @@ -19792,7 +22409,14 @@ "type": "uses" }, { - "dest-uuid": "be2dcee9-a7a7-4e38-afd6-21b31ecc3d63", + "dest-uuid": "92d7da27-2d91-488e-a00c-059dc162766d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -19805,6 +22429,13 @@ ], "type": "uses" }, + { + "dest-uuid": "128c55d3-aeba-469f-bd3e-c8996ab4112a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "799ace7f-e227-4411-baa0-8868704f2a69", "tags": [ @@ -19813,21 +22444,7 @@ "type": "uses" }, { - "dest-uuid": "72b74d71-8169-42aa-92e0-e7b04b9f5a08", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670", + "dest-uuid": "30208d3e-0d6b-43c8-883e-44462a514619", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -19841,7 +22458,14 @@ "type": "uses" }, { - "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", + "dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -19855,7 +22479,42 @@ "type": "uses" }, { - "dest-uuid": "128c55d3-aeba-469f-bd3e-c8996ab4112a", + "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "ad255bfe-a9e6-4b52-a258-8d3462abe842", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "72b74d71-8169-42aa-92e0-e7b04b9f5a08", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -19875,62 +22534,6 @@ ], "type": "uses" }, - { - "dest-uuid": "ad255bfe-a9e6-4b52-a258-8d3462abe842", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "30208d3e-0d6b-43c8-883e-44462a514619", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "92d7da27-2d91-488e-a00c-059dc162766d", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4", "tags": [ @@ -19959,21 +22562,14 @@ }, "related": [ { - "dest-uuid": "79eec66a-9bd0-4a3f-ac82-19159e94bd44", + "dest-uuid": "6683aa0c-d98a-4f5b-ac57-ca7e9934a760", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "d4536441-1bcc-49fa-80ae-a596ed3f7ffd", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "702055ac-4e54-4ae9-9527-e23a38e0b160", + "dest-uuid": "e8b4e1ec-8e3b-484c-9038-4459b1ed8060", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -19987,14 +22583,21 @@ "type": "uses" }, { - "dest-uuid": "6683aa0c-d98a-4f5b-ac57-ca7e9934a760", + "dest-uuid": "d4536441-1bcc-49fa-80ae-a596ed3f7ffd", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "e8b4e1ec-8e3b-484c-9038-4459b1ed8060", + "dest-uuid": "79eec66a-9bd0-4a3f-ac82-19159e94bd44", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "702055ac-4e54-4ae9-9527-e23a38e0b160", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -20021,35 +22624,28 @@ }, "related": [ { - "dest-uuid": "30208d3e-0d6b-43c8-883e-44462a514619", + "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "62b8c999-dcc0-4755-bd69-09442d9359f5", + "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "4b74a1d4-b0e9-4ef1-93f1-14ecc6e2f5b5", + "dest-uuid": "830c9528-df21-472c-8c14-a036bf17d665", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "f879d51c-5476-431c-aedf-f14d207e4d1e", + "dest-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -20063,7 +22659,42 @@ "type": "uses" }, { - "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", + "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "30208d3e-0d6b-43c8-883e-44462a514619", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "4b74a1d4-b0e9-4ef1-93f1-14ecc6e2f5b5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "62b8c999-dcc0-4755-bd69-09442d9359f5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "519630c5-f03f-4882-825c-3af924935817", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7e150503-88e7-4861-866b-ff1ac82c4475", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -20084,49 +22715,7 @@ "type": "uses" }, { - "dest-uuid": "241814ae-de3f-4656-b49e-f9a80764d4b7", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "7e150503-88e7-4861-866b-ff1ac82c4475", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "519630c5-f03f-4882-825c-3af924935817", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "970cdb5c-02fb-4c38-b17e-d6327cf3c810", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "830c9528-df21-472c-8c14-a036bf17d665", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "72b74d71-8169-42aa-92e0-e7b04b9f5a08", + "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -20140,14 +22729,28 @@ "type": "uses" }, { - "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", + "dest-uuid": "970cdb5c-02fb-4c38-b17e-d6327cf3c810", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc", + "dest-uuid": "72b74d71-8169-42aa-92e0-e7b04b9f5a08", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "f879d51c-5476-431c-aedf-f14d207e4d1e", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "241814ae-de3f-4656-b49e-f9a80764d4b7", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -20181,7 +22784,7 @@ "type": "uses" }, { - "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", + "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -20195,14 +22798,7 @@ "type": "uses" }, { - "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "3b3cbbe0-6ed3-4334-b543-3ddfd8c5642d", + "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -20216,7 +22812,14 @@ "type": "uses" }, { - "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4", + "dest-uuid": "3b3cbbe0-6ed3-4334-b543-3ddfd8c5642d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -20243,21 +22846,14 @@ }, "related": [ { - "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", + "dest-uuid": "f72eb8a8-cd4c-461d-a814-3f862befbf00", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "ca1a3f50-5ebd-41f8-8320-2c7d6a6e88be", + "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -20277,6 +22873,13 @@ ], "type": "uses" }, + { + "dest-uuid": "ca1a3f50-5ebd-41f8-8320-2c7d6a6e88be", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "3b3cbbe0-6ed3-4334-b543-3ddfd8c5642d", "tags": [ @@ -20285,14 +22888,14 @@ "type": "uses" }, { - "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", + "dest-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", + "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -20306,7 +22909,7 @@ "type": "uses" }, { - "dest-uuid": "f72eb8a8-cd4c-461d-a814-3f862befbf00", + "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -20333,14 +22936,7 @@ }, "related": [ { - "dest-uuid": "2e0dd10b-676d-4964-acd0-8a404c92b044", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "3b3cbbe0-6ed3-4334-b543-3ddfd8c5642d", + "dest-uuid": "731f4f55-b6d0-41d1-a7a9-072a66389aea", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -20354,7 +22950,14 @@ "type": "uses" }, { - "dest-uuid": "731f4f55-b6d0-41d1-a7a9-072a66389aea", + "dest-uuid": "2e0dd10b-676d-4964-acd0-8a404c92b044", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "3b3cbbe0-6ed3-4334-b543-3ddfd8c5642d", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -20389,14 +22992,7 @@ }, "related": [ { - "dest-uuid": "b9f5dbe2-4c55-4fc5-af2e-d42c1d182ec4", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "6ff403bc-93e3-48be-8687-e102fdba8c88", + "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -20410,42 +23006,14 @@ "type": "uses" }, { - "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", + "dest-uuid": "b9f5dbe2-4c55-4fc5-af2e-d42c1d182ec4", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "92d7da27-2d91-488e-a00c-059dc162766d", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "241814ae-de3f-4656-b49e-f9a80764d4b7", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "cc7b8c4e-9be0-47ca-b0bb-83915ec3ee2f", + "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -20459,14 +23027,28 @@ "type": "uses" }, { - "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", + "dest-uuid": "6ff403bc-93e3-48be-8687-e102fdba8c88", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", + "dest-uuid": "cc7b8c4e-9be0-47ca-b0bb-83915ec3ee2f", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -20494,7 +23076,14 @@ "type": "uses" }, { - "dest-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9", + "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -20507,12 +23096,26 @@ ], "type": "uses" }, + { + "dest-uuid": "92d7da27-2d91-488e-a00c-059dc162766d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "f3c544dc-673c-4ef3-accb-53229f1ae077", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" + }, + { + "dest-uuid": "82caa33e-d11a-433a-94ea-9b5a5fbef81d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "8e101fdd-9f7f-4916-bb04-6bd9e94c129c", @@ -20534,6 +23137,48 @@ ] }, "related": [ + { + "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7dd95ff6-712e-4056-9626-312ea4ab4c5e", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "tags": [ @@ -20548,34 +23193,6 @@ ], "type": "uses" }, - { - "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "7dd95ff6-712e-4056-9626-312ea4ab4c5e", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d", "tags": [ @@ -20589,20 +23206,6 @@ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" - }, - { - "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" } ], "uuid": "53a42597-1974-4b8e-84fd-3675e8992053", @@ -20625,13 +23228,6 @@ ] }, "related": [ - { - "dest-uuid": "dd901512-6e37-4155-943b-453e3777b125", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59", "tags": [ @@ -20639,6 +23235,20 @@ ], "type": "uses" }, + { + "dest-uuid": "dc27c2ec-c5f9-4228-ba57-d67b590bda93", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "a10641f4-87b4-45a3-a906-92a149cb2c27", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0", "tags": [ @@ -20646,6 +23256,13 @@ ], "type": "uses" }, + { + "dest-uuid": "9e09ddb2-1746-4448-9cad-7f8b41777d6d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5", "tags": [ @@ -20660,13 +23277,6 @@ ], "type": "uses" }, - { - "dest-uuid": "dc27c2ec-c5f9-4228-ba57-d67b590bda93", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "7dd95ff6-712e-4056-9626-312ea4ab4c5e", "tags": [ @@ -20681,20 +23291,6 @@ ], "type": "uses" }, - { - "dest-uuid": "e01be9c5-e763-4caf-aeb7-000b416aef67", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "a10641f4-87b4-45a3-a906-92a149cb2c27", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "b9f5dbe2-4c55-4fc5-af2e-d42c1d182ec4", "tags": [ @@ -20703,7 +23299,7 @@ "type": "uses" }, { - "dest-uuid": "9e09ddb2-1746-4448-9cad-7f8b41777d6d", + "dest-uuid": "dd901512-6e37-4155-943b-453e3777b125", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -20717,14 +23313,21 @@ "type": "uses" }, { - "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", + "dest-uuid": "53bfc8bf-8f76-4cd7-8958-49a884ddb3ee", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "53bfc8bf-8f76-4cd7-8958-49a884ddb3ee", + "dest-uuid": "e01be9c5-e763-4caf-aeb7-000b416aef67", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -20758,14 +23361,35 @@ }, "related": [ { - "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", + "dest-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59", + "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -20784,27 +23408,6 @@ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" - }, - { - "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" } ], "uuid": "bfd2738c-8b43-43c3-bc9f-d523c8e88bf4", @@ -20827,21 +23430,7 @@ }, "related": [ { - "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0", + "dest-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -20854,13 +23443,6 @@ ], "type": "uses" }, - { - "dest-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "519630c5-f03f-4882-825c-3af924935817", "tags": [ @@ -20869,49 +23451,7 @@ "type": "uses" }, { - "dest-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "830c9528-df21-472c-8c14-a036bf17d665", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "241814ae-de3f-4656-b49e-f9a80764d4b7", + "dest-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -20924,12 +23464,75 @@ ], "type": "uses" }, + { + "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "6ff403bc-93e3-48be-8687-e102fdba8c88", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" + }, + { + "dest-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "830c9528-df21-472c-8c14-a036bf17d665", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "82caa33e-d11a-433a-94ea-9b5a5fbef81d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "0817aaf2-afea-4c32-9285-4dcd1df5bf14", @@ -21006,13 +23609,6 @@ ], "type": "uses" }, - { - "dest-uuid": "f72eb8a8-cd4c-461d-a814-3f862befbf00", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", "tags": [ @@ -21027,6 +23623,13 @@ ], "type": "uses" }, + { + "dest-uuid": "f72eb8a8-cd4c-461d-a814-3f862befbf00", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "tags": [ @@ -21055,6 +23658,41 @@ ] }, "related": [ + { + "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "4ae4f953-fe58-4cc8-a327-33257e30a830", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "830c9528-df21-472c-8c14-a036bf17d665", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d", "tags": [ @@ -21063,14 +23701,21 @@ "type": "uses" }, { - "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", + "dest-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", + "dest-uuid": "970cdb5c-02fb-4c38-b17e-d6327cf3c810", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "4eeaf8a9-c86b-4954-a663-9555fb406466", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -21090,13 +23735,6 @@ ], "type": "uses" }, - { - "dest-uuid": "478aa214-2ca7-4ec0-9978-18798e514790", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "6faf650d-bf31-4eb4-802d-1000cf38efaf", "tags": [ @@ -21104,34 +23742,6 @@ ], "type": "uses" }, - { - "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "830c9528-df21-472c-8c14-a036bf17d665", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "4ae4f953-fe58-4cc8-a327-33257e30a830", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "970cdb5c-02fb-4c38-b17e-d6327cf3c810", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688", "tags": [ @@ -21140,21 +23750,7 @@ "type": "uses" }, { - "dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "15dbf668-795c-41e6-8219-f0447c0e64ce", + "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -21168,28 +23764,14 @@ "type": "uses" }, { - "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", + "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "7dd95ff6-712e-4056-9626-312ea4ab4c5e", + "dest-uuid": "478aa214-2ca7-4ec0-9978-18798e514790", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -21202,6 +23784,13 @@ ], "type": "uses" }, + { + "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "cc7b8c4e-9be0-47ca-b0bb-83915ec3ee2f", "tags": [ @@ -21210,21 +23799,49 @@ "type": "uses" }, { - "dest-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59", + "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", + "dest-uuid": "15dbf668-795c-41e6-8219-f0447c0e64ce", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "4eeaf8a9-c86b-4954-a663-9555fb406466", + "dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7dd95ff6-712e-4056-9626-312ea4ab4c5e", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "d45a3d09-b3cf-48f4-9f0f-f521ee5cb05c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -21250,20 +23867,6 @@ ] }, "related": [ - { - "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055", "tags": [ @@ -21272,7 +23875,7 @@ "type": "uses" }, { - "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", + "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -21285,6 +23888,20 @@ ], "type": "uses" }, + { + "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "9b52fca7-1a36-4da0-b62d-da5bd83b4d69", "tags": [ @@ -21300,49 +23917,14 @@ "type": "uses" }, { - "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4", + "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "3b3cbbe0-6ed3-4334-b543-3ddfd8c5642d", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "62b8c999-dcc0-4755-bd69-09442d9359f5", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", + "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -21355,12 +23937,47 @@ ], "type": "uses" }, + { + "dest-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "241814ae-de3f-4656-b49e-f9a80764d4b7", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" + }, + { + "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "62b8c999-dcc0-4755-bd69-09442d9359f5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "3b3cbbe0-6ed3-4334-b543-3ddfd8c5642d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "92b55426-109f-4d93-899f-1833ce91ff90", @@ -21383,20 +24000,6 @@ ] }, "related": [ - { - "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "f3c544dc-673c-4ef3-accb-53229f1ae077", "tags": [ @@ -21404,41 +24007,6 @@ ], "type": "uses" }, - { - "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "4b74a1d4-b0e9-4ef1-93f1-14ecc6e2f5b5", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688", "tags": [ @@ -21452,6 +24020,55 @@ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" + }, + { + "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "4b74a1d4-b0e9-4ef1-93f1-14ecc6e2f5b5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "fb4e3792-e915-4fdd-a9cd-92dfa2ace7aa", @@ -21474,28 +24091,14 @@ }, "related": [ { - "dest-uuid": "30973a08-aed9-4edf-8604-9084ce1b5c4f", + "dest-uuid": "6ff403bc-93e3-48be-8687-e102fdba8c88", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "d54416bd-0803-41ca-870a-ce1af7c05638", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "241814ae-de3f-4656-b49e-f9a80764d4b7", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", + "dest-uuid": "1035cdf2-3e5f-446f-a7a7-e8f6d7925967", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -21516,14 +24119,7 @@ "type": "uses" }, { - "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "1035cdf2-3e5f-446f-a7a7-e8f6d7925967", + "dest-uuid": "d54416bd-0803-41ca-870a-ce1af7c05638", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -21537,14 +24133,7 @@ "type": "uses" }, { - "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688", + "dest-uuid": "241814ae-de3f-4656-b49e-f9a80764d4b7", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -21557,20 +24146,6 @@ ], "type": "uses" }, - { - "dest-uuid": "6ff403bc-93e3-48be-8687-e102fdba8c88", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", "tags": [ @@ -21578,6 +24153,34 @@ ], "type": "uses" }, + { + "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "30973a08-aed9-4edf-8604-9084ce1b5c4f", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", "tags": [ @@ -21585,12 +24188,26 @@ ], "type": "uses" }, + { + "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" + }, + { + "dest-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "5189f018-fea2-45d7-b0ed-23f9ee0a46f3", @@ -21640,14 +24257,7 @@ }, "related": [ { - "dest-uuid": "d54416bd-0803-41ca-870a-ce1af7c05638", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", + "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -21661,7 +24271,7 @@ "type": "uses" }, { - "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", + "dest-uuid": "d54416bd-0803-41ca-870a-ce1af7c05638", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -21674,6 +24284,13 @@ ], "type": "uses" }, + { + "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", "tags": [ @@ -21708,13 +24325,6 @@ ], "type": "uses" }, - { - "dest-uuid": "c4b96c0b-cb58-497a-a1c2-bb447d79d692", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "b3c2e5de-0941-4b57-ba61-af029eb5517a", "tags": [ @@ -21730,7 +24340,7 @@ "type": "uses" }, { - "dest-uuid": "6683aa0c-d98a-4f5b-ac57-ca7e9934a760", + "dest-uuid": "99e6295e-741b-4857-b6e5-64989eb039b4", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -21744,7 +24354,14 @@ "type": "uses" }, { - "dest-uuid": "99e6295e-741b-4857-b6e5-64989eb039b4", + "dest-uuid": "6683aa0c-d98a-4f5b-ac57-ca7e9934a760", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "c4b96c0b-cb58-497a-a1c2-bb447d79d692", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -21770,13 +24387,6 @@ ] }, "related": [ - { - "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "478aa214-2ca7-4ec0-9978-18798e514790", "tags": [ @@ -21784,41 +24394,6 @@ ], "type": "uses" }, - { - "dest-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", "tags": [ @@ -21826,6 +24401,13 @@ ], "type": "uses" }, + { + "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "tags": [ @@ -21833,19 +24415,54 @@ ], "type": "uses" }, + { + "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "c848fcf7-6b62-4bde-8216-b6c157d48da0", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" + }, + { + "dest-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "c8b6cc43-ce61-42ae-87f3-a5f10526f952", "value": "InnaputRAT - S0259" }, { - "description": "[TrickBot](https://attack.mitre.org/software/S0266) is a Trojan spyware program that has mainly been used for targeting banking sites in Australia. TrickBot first emerged in the wild in September 2016 and appears to be a successor to [Dyre](https://attack.mitre.org/software/S0024). [TrickBot](https://attack.mitre.org/software/S0266) is developed in the C++ programming language. (Citation: S2 Grupo TrickBot June 2017) (Citation: Fidelis TrickBot Oct 2016) (Citation: IBM TrickBot Nov 2016)", + "description": "[TrickBot](https://attack.mitre.org/software/S0266) is a Trojan spyware program that has mainly been used for targeting banking sites in United States, Canada, UK, Germany, Australia, Austria, Ireland, London, Switzerland, and Scotland. TrickBot first emerged in the wild in September 2016 and appears to be a successor to [Dyre](https://attack.mitre.org/software/S0024). [TrickBot](https://attack.mitre.org/software/S0266) is developed in the C++ programming language. (Citation: S2 Grupo TrickBot June 2017) (Citation: Fidelis TrickBot Oct 2016) (Citation: IBM TrickBot Nov 2016)", "meta": { "external_id": "S0266", "mitre_platforms": [ @@ -21857,6 +24474,7 @@ "https://www.fidelissecurity.com/threatgeek/2016/10/trickbot-we-missed-you-dyre", "https://securityintelligence.com/tricks-of-the-trade-a-deeper-look-into-trickbots-machinations/", "https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/tspy_trickload.n", + "https://blog.trendmicro.com/trendlabs-security-intelligence/trickbot-adds-remote-application-credential-grabbing-capabilities-to-its-repertoire/", "https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Trojan:Win32/Totbrick" ], "synonyms": [ @@ -21867,14 +24485,28 @@ }, "related": [ { - "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", + "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d", + "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "f879d51c-5476-431c-aedf-f14d207e4d1e", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -21895,28 +24527,7 @@ "type": "uses" }, { - "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "6ff403bc-93e3-48be-8687-e102fdba8c88", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9", + "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -21930,21 +24541,14 @@ "type": "uses" }, { - "dest-uuid": "f879d51c-5476-431c-aedf-f14d207e4d1e", + "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "72b74d71-8169-42aa-92e0-e7b04b9f5a08", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", + "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -21958,21 +24562,21 @@ "type": "uses" }, { - "dest-uuid": "c848fcf7-6b62-4bde-8216-b6c157d48da0", + "dest-uuid": "6ff403bc-93e3-48be-8687-e102fdba8c88", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", + "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", + "dest-uuid": "2e0dd10b-676d-4964-acd0-8a404c92b044", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -21985,12 +24589,103 @@ ], "type": "uses" }, + { + "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "1608f3e1-598a-42f4-a01a-2e252e81728f", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "ba8e391f-14b5-496f-81f2-2d5ecd646c1c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" + }, + { + "dest-uuid": "72b74d71-8169-42aa-92e0-e7b04b9f5a08", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "c848fcf7-6b62-4bde-8216-b6c157d48da0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "767dbf9e-df3f-45cb-8998-4903ab5f80c0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "6aac77c4-eaf2-4366-8c13-ce50ab951f38", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "66f73398-8394-4711-85e5-34c8540b22a5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "2edd9d6a-5674-4326-a600-ba56de467286", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7fd87010-3a00-4da3-b905-410525e8ec44", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "8c32eb4d-805f-4fc5-bf60-c4d476c131b5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "00806466-754d-44ea-ad6f-0caf59cb8556", @@ -22005,22 +24700,17 @@ ], "refs": [ "https://attack.mitre.org/software/S0267", - "https://www.fireeye.com/blog/threat-research/2018/07/microsoft-office-vulnerabilities-used-to-distribute-felixroot-backdoor.html" + "https://www.fireeye.com/blog/threat-research/2018/07/microsoft-office-vulnerabilities-used-to-distribute-felixroot-backdoor.html", + "https://www.welivesecurity.com/wp-content/uploads/2018/10/ESET_GreyEnergy.pdf" ], "synonyms": [ - "FELIXROOT" + "FELIXROOT", + "GreyEnergy mini" ] }, "related": [ { - "dest-uuid": "7fd87010-3a00-4da3-b905-410525e8ec44", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", + "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -22033,41 +24723,6 @@ ], "type": "uses" }, - { - "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "62b8c999-dcc0-4755-bd69-09442d9359f5", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", "tags": [ @@ -22076,7 +24731,14 @@ "type": "uses" }, { - "dest-uuid": "d54416bd-0803-41ca-870a-ce1af7c05638", + "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -22090,7 +24752,28 @@ "type": "uses" }, { - "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", + "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "f3c544dc-673c-4ef3-accb-53229f1ae077", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -22102,6 +24785,69 @@ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" + }, + { + "dest-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "62b8c999-dcc0-4755-bd69-09442d9359f5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "970cdb5c-02fb-4c38-b17e-d6327cf3c810", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7fd87010-3a00-4da3-b905-410525e8ec44", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "d54416bd-0803-41ca-870a-ce1af7c05638", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "241814ae-de3f-4656-b49e-f9a80764d4b7", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "cf8df906-179c-4a78-bd6e-6605e30f6624", @@ -22126,35 +24872,7 @@ }, "related": [ { - "dest-uuid": "7d751199-05fa-4a72-920f-85df4506c76c", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "c0df6533-30ee-4a4a-9c6d-17af5abdf0b2", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "7fd87010-3a00-4da3-b905-410525e8ec44", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "e2907cea-4b43-4ed7-a570-0fdf0fbeea00", + "dest-uuid": "dd901512-6e37-4155-943b-453e3777b125", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -22168,7 +24886,28 @@ "type": "uses" }, { - "dest-uuid": "dd901512-6e37-4155-943b-453e3777b125", + "dest-uuid": "c0df6533-30ee-4a4a-9c6d-17af5abdf0b2", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7fd87010-3a00-4da3-b905-410525e8ec44", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "e2907cea-4b43-4ed7-a570-0fdf0fbeea00", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -22180,6 +24919,13 @@ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" + }, + { + "dest-uuid": "7d751199-05fa-4a72-920f-85df4506c76c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "4b072c90-bc7a-432b-940e-016fc1c01761", @@ -22236,14 +24982,7 @@ }, "related": [ { - "dest-uuid": "f879d51c-5476-431c-aedf-f14d207e4d1e", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", + "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -22257,14 +24996,21 @@ "type": "uses" }, { - "dest-uuid": "4b74a1d4-b0e9-4ef1-93f1-14ecc6e2f5b5", + "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", + "dest-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7fd87010-3a00-4da3-b905-410525e8ec44", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -22285,21 +25031,21 @@ "type": "uses" }, { - "dest-uuid": "7fd87010-3a00-4da3-b905-410525e8ec44", + "dest-uuid": "4b74a1d4-b0e9-4ef1-93f1-14ecc6e2f5b5", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", + "dest-uuid": "f879d51c-5476-431c-aedf-f14d207e4d1e", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc", + "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -22313,14 +25059,14 @@ "type": "uses" }, { - "dest-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59", + "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", + "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -22334,7 +25080,7 @@ "type": "uses" }, { - "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", + "dest-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -22361,7 +25107,7 @@ }, "related": [ { - "dest-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9", + "dest-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -22375,56 +25121,7 @@ "type": "uses" }, { - "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "7fd87010-3a00-4da3-b905-410525e8ec44", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "f4882e23-8aa7-4b12-b28a-b349c12ee9e0", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "ad255bfe-a9e6-4b52-a258-8d3462abe842", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", + "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -22438,7 +25135,42 @@ "type": "uses" }, { - "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", + "dest-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7fd87010-3a00-4da3-b905-410525e8ec44", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "f4882e23-8aa7-4b12-b28a-b349c12ee9e0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "ad255bfe-a9e6-4b52-a258-8d3462abe842", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -22452,14 +25184,28 @@ "type": "uses" }, { - "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", + "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", + "dest-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -22486,14 +25232,7 @@ }, "related": [ { - "dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59", + "dest-uuid": "dd901512-6e37-4155-943b-453e3777b125", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -22506,20 +25245,6 @@ ], "type": "uses" }, - { - "dest-uuid": "dd901512-6e37-4155-943b-453e3777b125", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "dc27c2ec-c5f9-4228-ba57-d67b590bda93", "tags": [ @@ -22527,12 +25252,33 @@ ], "type": "uses" }, + { + "dest-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" + }, + { + "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "4a98e44a-bd52-461e-af1e-a4457de87a36", @@ -22561,6 +25307,13 @@ ], "type": "uses" }, + { + "dest-uuid": "6c49d50f-494d-4150-b774-a655022d20a6", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "d9db3d46-66ca-44b4-9daa-1ef97cb7465a", "tags": [ @@ -22574,13 +25327,6 @@ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" - }, - { - "dest-uuid": "6c49d50f-494d-4150-b774-a655022d20a6", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" } ], "uuid": "3c3b55a6-c3e9-4043-8aae-283fe96220c0", @@ -22618,14 +25364,7 @@ "type": "uses" }, { - "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "18d4ab39-12ed-4a16-9fdb-ae311bba4a0f", + "dest-uuid": "dc27c2ec-c5f9-4228-ba57-d67b590bda93", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -22639,7 +25378,14 @@ "type": "uses" }, { - "dest-uuid": "dc27c2ec-c5f9-4228-ba57-d67b590bda93", + "dest-uuid": "18d4ab39-12ed-4a16-9fdb-ae311bba4a0f", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -22681,14 +25427,14 @@ "type": "uses" }, { - "dest-uuid": "3dd58c80-4c2e-458c-9503-1b2cd273c4d2", + "dest-uuid": "0d95940f-9583-4e0f-824c-a42c1be47fad", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "0d95940f-9583-4e0f-824c-a42c1be47fad", + "dest-uuid": "3dd58c80-4c2e-458c-9503-1b2cd273c4d2", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -22715,7 +25461,7 @@ }, "related": [ { - "dest-uuid": "dd901512-6e37-4155-943b-453e3777b125", + "dest-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -22729,21 +25475,7 @@ "type": "uses" }, { - "dest-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "91ce1ede-107f-4d8b-bf4c-735e8789c94b", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "7fd87010-3a00-4da3-b905-410525e8ec44", + "dest-uuid": "b9f5dbe2-4c55-4fc5-af2e-d42c1d182ec4", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -22757,14 +25489,42 @@ "type": "uses" }, { - "dest-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2", + "dest-uuid": "91ce1ede-107f-4d8b-bf4c-735e8789c94b", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "b9f5dbe2-4c55-4fc5-af2e-d42c1d182ec4", + "dest-uuid": "dd901512-6e37-4155-943b-453e3777b125", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "799ace7f-e227-4411-baa0-8868704f2a69", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "ba8e391f-14b5-496f-81f2-2d5ecd646c1c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7fd87010-3a00-4da3-b905-410525e8ec44", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -22784,26 +25544,12 @@ ], "type": "uses" }, - { - "dest-uuid": "ba8e391f-14b5-496f-81f2-2d5ecd646c1c", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" - }, - { - "dest-uuid": "799ace7f-e227-4411-baa0-8868704f2a69", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" } ], "uuid": "c541efb4-e7b1-4ad6-9da8-b4e113f5dd42", @@ -22833,14 +25579,14 @@ "type": "uses" }, { - "dest-uuid": "e2ea7f6b-8d4f-49c3-819d-660530d12b77", + "dest-uuid": "9d7c32f4-ab39-49dc-8055-8106bc2294a1", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "9d7c32f4-ab39-49dc-8055-8106bc2294a1", + "dest-uuid": "e2ea7f6b-8d4f-49c3-819d-660530d12b77", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -22876,7 +25622,2878 @@ ], "uuid": "23040c15-e7d8-47b5-8c16-8fd3e0e297fe", "value": "NotCompatible - S0299" + }, + { + "description": "[UBoatRAT](https://attack.mitre.org/software/S0333) is a remote access tool that was identified in May 2017.(Citation: PaloAlto UBoatRAT Nov 2017)", + "meta": { + "external_id": "S0333", + "mitre_platforms": [ + "Windows" + ], + "refs": [ + "https://attack.mitre.org/software/S0333", + "https://researchcenter.paloaltonetworks.com/2017/11/unit42-uboatrat-navigates-east-asia/" + ], + "synonyms": [ + "UBoatRAT" + ] + }, + "related": [ + { + "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "f72eb8a8-cd4c-461d-a814-3f862befbf00", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "c8e87b83-edbb-48d4-9295-4974897525b7", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "830c9528-df21-472c-8c14-a036bf17d665", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "f879d51c-5476-431c-aedf-f14d207e4d1e", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "82caa33e-d11a-433a-94ea-9b5a5fbef81d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + } + ], + "uuid": "518bb5f1-91f4-4ff2-b09d-5a94e1ebe95f", + "value": "UBoatRAT - S0333" + }, + { + "description": "[DarkComet](https://attack.mitre.org/software/S0334) is a Windows remote administration tool and backdoor.(Citation: TrendMicro DarkComet Sept 2014)(Citation: Malwarebytes DarkComet March 2018)", + "meta": { + "external_id": "S0334", + "mitre_platforms": [ + "Windows" + ], + "refs": [ + "https://attack.mitre.org/software/S0334", + "https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/DARKCOMET", + "https://blog.malwarebytes.com/threat-analysis/2012/06/you-dirty-rat-part-1-darkcomet/" + ], + "synonyms": [ + "DarkComet", + "DarkKomet", + "Fynloski", + "Krademok", + "FYNLOS" + ] + }, + "related": [ + { + "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "6faf650d-bf31-4eb4-802d-1000cf38efaf", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7fd87010-3a00-4da3-b905-410525e8ec44", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "2e0dd10b-676d-4964-acd0-8a404c92b044", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "51dea151-0898-4a45-967c-3ebee0420484", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "1035cdf2-3e5f-446f-a7a7-e8f6d7925967", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "6ff403bc-93e3-48be-8687-e102fdba8c88", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "30973a08-aed9-4edf-8604-9084ce1b5c4f", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + } + ], + "uuid": "53ab35c2-d00e-491a-8753-41d35ae7e547", + "value": "DarkComet - S0334" + }, + { + "description": "[Exaramel](https://attack.mitre.org/software/S0343) is multi-platform backdoor for Linux and Windows systems.(Citation: ESET TeleBots Oct 2018)", + "meta": { + "external_id": "S0343", + "mitre_platforms": [ + "Linux", + "Windows" + ], + "refs": [ + "https://attack.mitre.org/software/S0343", + "https://www.welivesecurity.com/2018/10/11/new-telebots-backdoor-linking-industroyer-notpetya/" + ], + "synonyms": [ + "Exaramel" + ] + }, + "related": [ + { + "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7fd87010-3a00-4da3-b905-410525e8ec44", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "241814ae-de3f-4656-b49e-f9a80764d4b7", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "c0a384a4-9a25-40e1-97b6-458388474bc8", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "478aa214-2ca7-4ec0-9978-18798e514790", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + } + ], + "uuid": "051eaca1-958f-4091-9e5f-a9acd8f820b5", + "value": "Exaramel - S0343" + }, + { + "description": "[Carbon](https://attack.mitre.org/software/S0335) is a sophisticated, second-stage backdoor and framework that can be used to steal sensitive information from victims. [Carbon](https://attack.mitre.org/software/S0335) has been selectively used by [Turla](https://attack.mitre.org/groups/G0010) to target government and foreign affairs-related organizations in Central Asia.(Citation: ESET Carbon Mar 2017)(Citation: Securelist Turla Oct 2018)", + "meta": { + "external_id": "S0335", + "mitre_platforms": [ + "Windows" + ], + "refs": [ + "https://attack.mitre.org/software/S0335", + "https://www.welivesecurity.com/2017/03/30/carbon-paper-peering-turlas-second-stage-backdoor/", + "https://securelist.com/shedding-skin-turlas-fresh-faces/88069/" + ], + "synonyms": [ + "Carbon" + ] + }, + "related": [ + { + "dest-uuid": "f879d51c-5476-431c-aedf-f14d207e4d1e", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "72b74d71-8169-42aa-92e0-e7b04b9f5a08", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "c21d5a77-d422-4a69-acd7-2c53c1faa34b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "e358d692-23c0-4a31-9eb6-ecc13a8d7735", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "f3c544dc-673c-4ef3-accb-53229f1ae077", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7e150503-88e7-4861-866b-ff1ac82c4475", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "478aa214-2ca7-4ec0-9978-18798e514790", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7dd95ff6-712e-4056-9626-312ea4ab4c5e", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "a19e86f8-1c0a-4fea-8407-23b73d615776", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + } + ], + "uuid": "b7e9880a-7a7c-4162-bddb-e28e8ef2bf1f", + "value": "Carbon - S0335" + }, + { + "description": "[NOKKI](https://attack.mitre.org/software/S0353) is a modular remote access tool. The earliest observed attack using [NOKKI](https://attack.mitre.org/software/S0353) was in January 2018. [NOKKI](https://attack.mitre.org/software/S0353) has significant code overlap with the [KONNI](https://attack.mitre.org/software/S0356) malware family. There is some evidence potentially linking [NOKKI](https://attack.mitre.org/software/S0353) to [APT37](https://attack.mitre.org/groups/G0067).(Citation: Unit 42 NOKKI Sept 2018)(Citation: Unit 42 Nokki Oct 2018)", + "meta": { + "external_id": "S0353", + "mitre_platforms": [ + "Windows" + ], + "refs": [ + "https://attack.mitre.org/software/S0353", + "https://researchcenter.paloaltonetworks.com/2018/09/unit42-new-konni-malware-attacking-eurasia-southeast-asia/", + "https://researchcenter.paloaltonetworks.com/2018/10/unit42-nokki-almost-ties-the-knot-with-dogcall-reaper-group-uses-new-malware-to-deploy-rat/" + ], + "synonyms": [ + "NOKKI" + ] + }, + "related": [ + { + "dest-uuid": "66f73398-8394-4711-85e5-34c8540b22a5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "f3c544dc-673c-4ef3-accb-53229f1ae077", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "62b8c999-dcc0-4755-bd69-09442d9359f5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7dd95ff6-712e-4056-9626-312ea4ab4c5e", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + } + ], + "uuid": "071d5d65-83ec-4a55-acfa-be7d5f28ba9a", + "value": "NOKKI - S0353" + }, + { + "description": "[NanoCore](https://attack.mitre.org/software/S0336) is a modular remote access tool developed in .NET that can be used to spy on victims and steal information. It has been used by threat actors since 2013.(Citation: DigiTrust NanoCore Jan 2017)(Citation: Cofense NanoCore Mar 2018)(Citation: PaloAlto NanoCore Feb 2016)(Citation: Unit 42 Gorgon Group Aug 2018)", + "meta": { + "external_id": "S0336", + "mitre_platforms": [ + "Windows" + ], + "refs": [ + "https://attack.mitre.org/software/S0336", + "https://www.digitrustgroup.com/nanocore-not-your-average-rat/", + "https://cofense.com/nanocore-rat-resurfaced-sewers/", + "https://researchcenter.paloaltonetworks.com/2016/02/nanocorerat-behind-an-increase-in-tax-themed-phishing-e-mails/", + "https://researchcenter.paloaltonetworks.com/2018/08/unit42-gorgon-group-slithering-nation-state-cybercrime/" + ], + "synonyms": [ + "NanoCore" + ] + }, + "related": [ + { + "dest-uuid": "1035cdf2-3e5f-446f-a7a7-e8f6d7925967", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "2e0dd10b-676d-4964-acd0-8a404c92b044", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7fd87010-3a00-4da3-b905-410525e8ec44", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "4b74a1d4-b0e9-4ef1-93f1-14ecc6e2f5b5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "c848fcf7-6b62-4bde-8216-b6c157d48da0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "6faf650d-bf31-4eb4-802d-1000cf38efaf", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + } + ], + "uuid": "b4d80f8b-d2b9-4448-8844-4bef777ed676", + "value": "NanoCore - S0336" + }, + { + "description": "[Astaroth](https://attack.mitre.org/software/S0373) is a Trojan and information stealer known to affect companies in Europe and Brazil. It has been known publicly since at least late 2017. (Citation: Cybereason Astaroth Feb 2019) (Citation: Cofense Astaroth Sept 2018)", + "meta": { + "external_id": "S0373", + "mitre_platforms": [ + "Windows" + ], + "refs": [ + "https://attack.mitre.org/software/S0373", + "https://www.cybereason.com/blog/information-stealing-malware-targeting-brazil-full-research", + "https://cofense.com/seeing-resurgence-demonic-astaroth-wmic-trojan/" + ], + "synonyms": [ + "Astaroth" + ] + }, + "related": [ + { + "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "6ff403bc-93e3-48be-8687-e102fdba8c88", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "ebbe170d-aa74-4946-8511-9921243415a3", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "30973a08-aed9-4edf-8604-9084ce1b5c4f", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "d21a2069-23d5-4043-ad6d-64f6b644cb1a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7fd87010-3a00-4da3-b905-410525e8ec44", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "970cdb5c-02fb-4c38-b17e-d6327cf3c810", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "241814ae-de3f-4656-b49e-f9a80764d4b7", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "f3c544dc-673c-4ef3-accb-53229f1ae077", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "92d7da27-2d91-488e-a00c-059dc162766d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7dd95ff6-712e-4056-9626-312ea4ab4c5e", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "cc7b8c4e-9be0-47ca-b0bb-83915ec3ee2f", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "0a5231ec-41af-4a35-83d0-6bdf11f28c65", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "68f7e3a1-f09f-4164-9a62-16b648a0dd5a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "1c338d0f-a65e-4073-a5c1-c06878849f21", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + } + ], + "uuid": "edb24a93-1f7a-4bbf-a738-1397a14662c6", + "value": "Astaroth - S0373" + }, + { + "description": "[BadPatch](https://attack.mitre.org/software/S0337) is a Windows Trojan that was used in a Gaza Hackers-linked campaign.(Citation: Unit 42 BadPatch Oct 2017)", + "meta": { + "external_id": "S0337", + "mitre_platforms": [ + "Windows" + ], + "refs": [ + "https://attack.mitre.org/software/S0337", + "https://researchcenter.paloaltonetworks.com/2017/10/unit42-badpatch/" + ], + "synonyms": [ + "BadPatch" + ] + }, + "related": [ + { + "dest-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7dd95ff6-712e-4056-9626-312ea4ab4c5e", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "f879d51c-5476-431c-aedf-f14d207e4d1e", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "241814ae-de3f-4656-b49e-f9a80764d4b7", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "82caa33e-d11a-433a-94ea-9b5a5fbef81d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + } + ], + "uuid": "9af05de0-bc09-4511-a350-5eb8b06185c1", + "value": "BadPatch - S0337" + }, + { + "description": "[Micropsia](https://attack.mitre.org/software/S0339) is a remote access tool written in Delphi.(Citation: Talos Micropsia June 2017)(Citation: Radware Micropsia July 2018)", + "meta": { + "external_id": "S0339", + "mitre_platforms": [ + "Windows" + ], + "refs": [ + "https://attack.mitre.org/software/S0339", + "https://blog.talosintelligence.com/2017/06/palestine-delphi.html", + "https://blog.radware.com/security/2018/07/micropsia-malware/" + ], + "synonyms": [ + "Micropsia" + ] + }, + "related": [ + { + "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "30208d3e-0d6b-43c8-883e-44462a514619", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "241814ae-de3f-4656-b49e-f9a80764d4b7", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "1035cdf2-3e5f-446f-a7a7-e8f6d7925967", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "b9f5dbe2-4c55-4fc5-af2e-d42c1d182ec4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "dc27c2ec-c5f9-4228-ba57-d67b590bda93", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "970cdb5c-02fb-4c38-b17e-d6327cf3c810", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + } + ], + "uuid": "8c050cea-86e1-4b63-bf21-7af4fa483349", + "value": "Micropsia - S0339" + }, + { + "description": "[Azorult](https://attack.mitre.org/software/S0344) is a commercial Trojan that is used to steal information from compromised hosts. [Azorult](https://attack.mitre.org/software/S0344) has been observed in the wild as early as 2016.\nIn July 2018, [Azorult](https://attack.mitre.org/software/S0344) was seen used in a spearphishing campaign against targets in North America. [Azorult](https://attack.mitre.org/software/S0344) has been seen used for cryptocurrency theft. (Citation: Unit42 Azorult Nov 2018)(Citation: Proofpoint Azorult July 2018)", + "meta": { + "external_id": "S0344", + "mitre_platforms": [ + "Windows" + ], + "refs": [ + "https://attack.mitre.org/software/S0344", + "https://researchcenter.paloaltonetworks.com/2018/11/unit42-new-wine-old-bottle-new-azorult-variant-found-findmyname-campaign-using-fallout-exploit-kit/", + "https://www.proofpoint.com/us/threat-insight/post/new-version-azorult-stealer-improves-loading-features-spreads-alongside" + ], + "synonyms": [ + "Azorult" + ] + }, + "related": [ + { + "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "ba8e391f-14b5-496f-81f2-2d5ecd646c1c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "dcaa092b-7de9-4a21-977f-7fcb77e89c48", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "4b74a1d4-b0e9-4ef1-93f1-14ecc6e2f5b5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "1c338d0f-a65e-4073-a5c1-c06878849f21", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "f3c544dc-673c-4ef3-accb-53229f1ae077", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + } + ], + "uuid": "f9b05f33-d45d-4e4d-aafe-c208d38a0080", + "value": "Azorult - S0344" + }, + { + "description": "[Denis](https://attack.mitre.org/software/S0354) is a Windows backdoor and Trojan.(Citation: Cybereason Oceanlotus May 2017)", + "meta": { + "external_id": "S0354", + "mitre_platforms": [ + "Windows" + ], + "refs": [ + "https://attack.mitre.org/software/S0354", + "https://www.cybereason.com/blog/operation-cobalt-kitty-apt" + ], + "synonyms": [ + "Denis" + ] + }, + "related": [ + { + "dest-uuid": "f879d51c-5476-431c-aedf-f14d207e4d1e", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "b9f5dbe2-4c55-4fc5-af2e-d42c1d182ec4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "b2001907-166b-4d71-bb3c-9d26c871de09", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "cc7b8c4e-9be0-47ca-b0bb-83915ec3ee2f", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7fd87010-3a00-4da3-b905-410525e8ec44", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + } + ], + "uuid": "f25aab1a-0cef-4910-a85d-bb38b32ea41a", + "value": "Denis - S0354" + }, + { + "description": "[Seasalt](https://attack.mitre.org/software/S0345) is malware that has been linked to [APT1](https://attack.mitre.org/groups/G0006)'s 2010 operations. It shares some code similarities with [OceanSalt](https://attack.mitre.org/software/S0346).(Citation: Mandiant APT1 Appendix)(Citation: McAfee Oceansalt Oct 2018)", + "meta": { + "external_id": "S0345", + "mitre_platforms": [ + "Windows" + ], + "refs": [ + "https://attack.mitre.org/software/S0345", + "https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report-appendix.zip", + "https://www.mcafee.com/enterprise/en-us/assets/reports/rp-operation-oceansalt.pdf" + ], + "synonyms": [ + "Seasalt" + ] + }, + "related": [ + { + "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "478aa214-2ca7-4ec0-9978-18798e514790", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "f72eb8a8-cd4c-461d-a814-3f862befbf00", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + } + ], + "uuid": "b45747dc-87ca-4597-a245-7e16a61bc491", + "value": "Seasalt - S0345" + }, + { + "description": "[OceanSalt](https://attack.mitre.org/software/S0346) is a Trojan that was used in a campaign targeting victims in South Korea, United States, and Canada. [OceanSalt](https://attack.mitre.org/software/S0346) shares code similarity with [SpyNote RAT](https://attack.mitre.org/software/S0305), which has been linked to [APT1](https://attack.mitre.org/groups/G0006).(Citation: McAfee Oceansalt Oct 2018)", + "meta": { + "external_id": "S0346", + "mitre_platforms": [ + "Windows" + ], + "refs": [ + "https://attack.mitre.org/software/S0346", + "https://www.mcafee.com/enterprise/en-us/assets/reports/rp-operation-oceansalt.pdf" + ], + "synonyms": [ + "OceanSalt" + ] + }, + "related": [ + { + "dest-uuid": "cc7b8c4e-9be0-47ca-b0bb-83915ec3ee2f", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "f879d51c-5476-431c-aedf-f14d207e4d1e", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7fd87010-3a00-4da3-b905-410525e8ec44", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "6aac77c4-eaf2-4366-8c13-ce50ab951f38", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + } + ], + "uuid": "288fa242-e894-4c7e-ac86-856deedf5cea", + "value": "OceanSalt - S0346" + }, + { + "description": "[AuditCred](https://attack.mitre.org/software/S0347) is a malicious DLL that has been used by [Lazarus Group](https://attack.mitre.org/groups/G0032) during their 2018 attacks.(Citation: TrendMicro Lazarus Nov 2018)", + "meta": { + "external_id": "S0347", + "mitre_platforms": [ + "Windows" + ], + "refs": [ + "https://attack.mitre.org/software/S0347", + "https://blog.trendmicro.com/trendlabs-security-intelligence/lazarus-continues-heists-mounts-attacks-on-financial-organizations-in-latin-america/" + ], + "synonyms": [ + "AuditCred", + "Roptimizer" + ] + }, + "related": [ + { + "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "478aa214-2ca7-4ec0-9978-18798e514790", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "f879d51c-5476-431c-aedf-f14d207e4d1e", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "731f4f55-b6d0-41d1-a7a9-072a66389aea", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + } + ], + "uuid": "24b4ce59-eaac-4c8b-8634-9b093b7ccd92", + "value": "AuditCred - S0347" + }, + { + "description": "[SpeakUp](https://attack.mitre.org/software/S0374) is a Trojan backdoor that targets both Linux and OSX devices. It was first observed in January 2019. (Citation: CheckPoint SpeakUp Feb 2019)", + "meta": { + "external_id": "S0374", + "mitre_platforms": [ + "Linux", + "macOS" + ], + "refs": [ + "https://attack.mitre.org/software/S0374", + "https://research.checkpoint.com/speakup-a-new-undetected-backdoor-linux-trojan/" + ], + "synonyms": [ + "SpeakUp" + ] + }, + "related": [ + { + "dest-uuid": "e3a12395-188d-4051-9a16-ea8e14d07b88", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "a93494bb-4b80-4ea1-8695-3236a49916fd", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "cc7b8c4e-9be0-47ca-b0bb-83915ec3ee2f", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "be2dcee9-a7a7-4e38-afd6-21b31ecc3d63", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "c0a384a4-9a25-40e1-97b6-458388474bc8", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7e150503-88e7-4861-866b-ff1ac82c4475", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7fd87010-3a00-4da3-b905-410525e8ec44", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + } + ], + "uuid": "a5575606-9b85-4e3d-9cd2-40ef30e3672d", + "value": "SpeakUp - S0374" + }, + { + "description": "[KONNI](https://attack.mitre.org/software/S0356) is a Windows remote administration too that has been seen in use since 2014 and evolved in its capabilities through at least 2017. [KONNI](https://attack.mitre.org/software/S0356) has been linked to several campaigns involving North Korean themes.(Citation: Talos Konni May 2017) [KONNI](https://attack.mitre.org/software/S0356) has significant code overlap with the [NOKKI](https://attack.mitre.org/software/S0353) malware family. There is some evidence potentially linking [KONNI](https://attack.mitre.org/software/S0356) to [APT37](https://attack.mitre.org/groups/G0067).(Citation: Unit 42 NOKKI Sept 2018)(Citation: Unit 42 Nokki Oct 2018)", + "meta": { + "external_id": "S0356", + "mitre_platforms": [ + "Windows" + ], + "refs": [ + "https://attack.mitre.org/software/S0356", + "https://blog.talosintelligence.com/2017/05/konni-malware-under-radar-for-years.html", + "https://researchcenter.paloaltonetworks.com/2018/09/unit42-new-konni-malware-attacking-eurasia-southeast-asia/", + "https://researchcenter.paloaltonetworks.com/2018/10/unit42-nokki-almost-ties-the-knot-with-dogcall-reaper-group-uses-new-malware-to-deploy-rat/" + ], + "synonyms": [ + "KONNI" + ] + }, + "related": [ + { + "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "f4882e23-8aa7-4b12-b28a-b349c12ee9e0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "ba8e391f-14b5-496f-81f2-2d5ecd646c1c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "970cdb5c-02fb-4c38-b17e-d6327cf3c810", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "30973a08-aed9-4edf-8604-9084ce1b5c4f", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + } + ], + "uuid": "86b92f6c-9c05-4c51-b361-4c7bb13e21a1", + "value": "KONNI - S0356" + }, + { + "description": "[Remexi](https://attack.mitre.org/software/S0375) is a Windows-based Trojan that was developed in the C programming language.(Citation: Securelist Remexi Jan 2019)", + "meta": { + "external_id": "S0375", + "mitre_platforms": [ + "Windows" + ], + "refs": [ + "https://attack.mitre.org/software/S0375", + "https://securelist.com/chafer-used-remexi-malware/89538/" + ], + "synonyms": [ + "Remexi" + ] + }, + "related": [ + { + "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "d54416bd-0803-41ca-870a-ce1af7c05638", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7fd87010-3a00-4da3-b905-410525e8ec44", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "514ede4c-78b3-4d78-a38b-daddf6217a79", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "4ae4f953-fe58-4cc8-a327-33257e30a830", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "92d7da27-2d91-488e-a00c-059dc162766d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "30973a08-aed9-4edf-8604-9084ce1b5c4f", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + } + ], + "uuid": "ecc2f65a-b452-4eaf-9689-7e181f17f7a5", + "value": "Remexi - S0375" + }, + { + "description": "[WannaCry](https://attack.mitre.org/software/S0366) is ransomware that was first seen in a global attack during May 2017, which affected more than 150 countries. It contains worm-like features to spread itself across a computer network using the SMBv1 exploit EternalBlue.(Citation: LogRhythm WannaCry)(Citation: US-CERT WannaCry 2017)(Citation: Washington Post WannaCry 2017)(Citation: FireEye WannaCry 2017)", + "meta": { + "external_id": "S0366", + "mitre_platforms": [ + "Windows" + ], + "refs": [ + "https://attack.mitre.org/software/S0366", + "https://logrhythm.com/blog/a-technical-analysis-of-wannacry-ransomware/", + "https://www.us-cert.gov/ncas/alerts/TA17-132A", + "https://www.washingtonpost.com/business/economy/more-than-150-countries-affected-by-massive-cyberattack-europol-says/2017/05/14/5091465e-3899-11e7-9e48-c4f199710b69_story.html?utm_term=.7fa16b41cad4", + "https://www.fireeye.com/blog/threat-research/2017/05/wannacry-malware-profile.html", + "https://www.secureworks.com/research/wcry-ransomware-analysis" + ], + "synonyms": [ + "WannaCry", + "WanaCry", + "WanaCrypt", + "WanaCrypt0r", + "WCry" + ] + }, + "related": [ + { + "dest-uuid": "9db0cf3a-a3c9-4012-8268-123b9db6fd82", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "65917ae0-b854-4139-83fe-bf2441cf0196", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "348f1eef-964b-4eb6-bb53-69b3dcb0c643", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "e358d692-23c0-4a31-9eb6-ecc13a8d7735", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "51dea151-0898-4a45-967c-3ebee0420484", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "b80d107d-fa0d-4b60-9684-b0433e8bdba0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "478aa214-2ca7-4ec0-9978-18798e514790", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "428ca9f8-0e33-442a-be87-f869cb4cf73e", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7d751199-05fa-4a72-920f-85df4506c76c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "3b3cbbe0-6ed3-4334-b543-3ddfd8c5642d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "f5d8eed6-48a9-4cdf-a3d7-d1ffa99c3d2a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "20fb2507-d71c-455d-9b6d-6104461cf26b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "dc27c2ec-c5f9-4228-ba57-d67b590bda93", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + } + ], + "uuid": "75ecdbf1-c2bb-4afc-a3f9-c8da4de8c661", + "value": "WannaCry - S0366" + }, + { + "description": "[Emotet](https://attack.mitre.org/software/S0367) is a modular malware variant which is primarily used as a downloader for other malware variants such as [TrickBot](https://attack.mitre.org/software/S0266) and IcedID. Emotet first emerged in June 2014 and has been primarily used to target the banking sector. (Citation: Trend Micro Banking Malware Jan 2019)", + "meta": { + "external_id": "S0367", + "mitre_platforms": [ + "Windows" + ], + "refs": [ + "https://attack.mitre.org/software/S0367", + "https://blog.trendmicro.com/trendlabs-security-intelligence/new-banking-malware-uses-network-sniffing-for-data-theft/", + "https://securelist.com/the-banking-trojan-emotet-detailed-analysis/69560/", + "https://www.cisecurity.org/blog/emotet-changes-ttp-and-arrives-in-united-states/", + "https://support.malwarebytes.com/docs/DOC-2295", + "https://www.symantec.com/blogs/threat-intelligence/evolution-emotet-trojan-distributor", + "https://www.us-cert.gov/ncas/alerts/TA18-201A", + "https://www.welivesecurity.com/2018/11/09/emotet-launches-major-new-spam-campaign/", + "https://www.secureworks.com/blog/lazy-passwords-become-rocket-fuel-for-emotet-smb-spreader", + "https://blog.talosintelligence.com/2019/01/return-of-emotet.html", + "https://documents.trendmicro.com/assets/white_papers/ExploringEmotetsActivities_Final.pdf", + "https://www.cisecurity.org/white-papers/ms-isac-security-primer-emotet/", + "https://www.picussecurity.com/blog/the-christmas-card-you-never-wanted-a-new-wave-of-emotet-is-back-to-wreak-havoc.html", + "https://redcanary.com/blog/stopping-emotet-before-it-moves-laterally/" + ], + "synonyms": [ + "Emotet", + "Geodo" + ] + }, + "related": [ + { + "dest-uuid": "a93494bb-4b80-4ea1-8695-3236a49916fd", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "92d7da27-2d91-488e-a00c-059dc162766d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "1608f3e1-598a-42f4-a01a-2e252e81728f", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "ba8e391f-14b5-496f-81f2-2d5ecd646c1c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "f879d51c-5476-431c-aedf-f14d207e4d1e", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "f4882e23-8aa7-4b12-b28a-b349c12ee9e0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "478aa214-2ca7-4ec0-9978-18798e514790", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "3257eb21-f9a7-4430-8de1-d8b6e288f529", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "9db0cf3a-a3c9-4012-8268-123b9db6fd82", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "ffe742ed-9100-4686-9e00-c331da544787", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "c848fcf7-6b62-4bde-8216-b6c157d48da0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "4b74a1d4-b0e9-4ef1-93f1-14ecc6e2f5b5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "20138b9d-1aac-4a26-8654-a36b6bbf2bba", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "6aac77c4-eaf2-4366-8c13-ce50ab951f38", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "6ff403bc-93e3-48be-8687-e102fdba8c88", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7fd87010-3a00-4da3-b905-410525e8ec44", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "8c32eb4d-805f-4fc5-bf60-c4d476c131b5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "d54416bd-0803-41ca-870a-ce1af7c05638", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "f72eb8a8-cd4c-461d-a814-3f862befbf00", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + } + ], + "uuid": "32066e94-3112-48ca-b9eb-ba2b59d2f023", + "value": "Emotet - S0367" + }, + { + "description": "[HOPLIGHT](https://attack.mitre.org/software/S0376) is a backdoor Trojan that has reportedly been used by the North Korean government.(Citation: US-CERT HOPLIGHT Apr 2019)", + "meta": { + "external_id": "S0376", + "mitre_platforms": [ + "Windows" + ], + "refs": [ + "https://attack.mitre.org/software/S0376", + "https://www.us-cert.gov/ncas/analysis-reports/AR19-100A" + ], + "synonyms": [ + "HOPLIGHT" + ] + }, + "related": [ + { + "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "2e0dd10b-676d-4964-acd0-8a404c92b044", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "f44731de-ea9f-406d-9b83-30ecbb9b4392", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "c23b740b-a42b-47a1-aec2-9d48ddd547ff", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "c848fcf7-6b62-4bde-8216-b6c157d48da0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "f879d51c-5476-431c-aedf-f14d207e4d1e", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "ad255bfe-a9e6-4b52-a258-8d3462abe842", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "f3c544dc-673c-4ef3-accb-53229f1ae077", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "731f4f55-b6d0-41d1-a7a9-072a66389aea", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "f24faf46-3b26-4dbb-98f2-63460498e433", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "92d7da27-2d91-488e-a00c-059dc162766d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + } + ], + "uuid": "454fe82d-6fd2-4ac6-91ab-28a33fe01369", + "value": "HOPLIGHT - S0376" + }, + { + "description": "[NotPetya](https://attack.mitre.org/software/S0368) is malware that was first seen in a worldwide attack starting on June 27, 2017. The main purpose of the malware appeared to be to effectively destroy data and disk structures on compromised systems. Though [NotPetya](https://attack.mitre.org/software/S0368) presents itself as a form of ransomware, it appears likely that the attackers never intended to make the encrypted data recoverable. As such, [NotPetya](https://attack.mitre.org/software/S0368) may be more appropriately thought of as a form of wiper malware. [NotPetya](https://attack.mitre.org/software/S0368) contains worm-like features to spread itself across a computer network using the SMBv1 exploits EternalBlue and EternalRomance.(Citation: Talos Nyetya June 2017)(Citation: Talos Nyetya June 2017)(Citation: US-CERT NotPetya 2017)", + "meta": { + "external_id": "S0368", + "mitre_platforms": [ + "Windows" + ], + "refs": [ + "https://attack.mitre.org/software/S0368", + "https://blog.talosintelligence.com/2017/06/worldwide-ransomware-variant.html", + "https://www.us-cert.gov/ncas/alerts/TA17-181A" + ], + "synonyms": [ + "NotPetya", + "GoldenEye", + "Petrwrap", + "Nyetya" + ] + }, + "related": [ + { + "dest-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "799ace7f-e227-4411-baa0-8868704f2a69", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "62b8c999-dcc0-4755-bd69-09442d9359f5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "b80d107d-fa0d-4b60-9684-b0433e8bdba0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "ffe742ed-9100-4686-9e00-c331da544787", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "3f18edba-28f4-4bb9-82c3-8aa60dcac5f7", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "f44731de-ea9f-406d-9b83-30ecbb9b4392", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "9db0cf3a-a3c9-4012-8268-123b9db6fd82", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + } + ], + "uuid": "5719af9d-6b16-46f9-9b28-fb019541ddbb", + "value": "NotPetya - S0368" + }, + { + "description": "[CoinTicker](https://attack.mitre.org/software/S0369) is a malicious application that poses as a cryptocurrency price ticker and installs components of the open source backdoors EvilOSX and EggShell.(Citation: CoinTicker 2019)", + "meta": { + "external_id": "S0369", + "mitre_platforms": [ + "macOS" + ], + "refs": [ + "https://attack.mitre.org/software/S0369", + "https://blog.malwarebytes.com/threat-analysis/2018/10/mac-cryptocurrency-ticker-app-installs-backdoors/" + ], + "synonyms": [ + "CoinTicker" + ] + }, + "related": [ + { + "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "c848fcf7-6b62-4bde-8216-b6c157d48da0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "dc27c2ec-c5f9-4228-ba57-d67b590bda93", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "6fb6408c-0db3-41d9-a3a1-a32e5f16454e", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7fd87010-3a00-4da3-b905-410525e8ec44", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "dd901512-6e37-4155-943b-453e3777b125", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + } + ], + "uuid": "d1531eaa-9e17-473e-a680-3298469662c3", + "value": "CoinTicker - S0369" + }, + { + "description": "[Ebury](https://attack.mitre.org/software/S0377) is an SSH backdoor targeting Linux operating systems. Attackers require root-level access, which allows them to replace SSH binaries (ssh, sshd, ssh-add, etc) or modify a shared library used by OpenSSH (libkeyutils).(Citation: ESET Ebury Feb 2014)(Citation: BleepingComputer Ebury March 2017)", + "meta": { + "external_id": "S0377", + "mitre_platforms": [ + "Linux" + ], + "refs": [ + "https://attack.mitre.org/software/S0377", + "https://www.welivesecurity.com/2014/02/21/an-in-depth-analysis-of-linuxebury/", + "https://www.bleepingcomputer.com/news/security/russian-hacker-pleads-guilty-for-role-in-infamous-linux-ebury-malware/" + ], + "synonyms": [ + "Ebury" + ] + }, + "related": [ + { + "dest-uuid": "56ff457d-5e39-492b-974c-dfd2b8603ffe", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "cc7b8c4e-9be0-47ca-b0bb-83915ec3ee2f", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "3b3cbbe0-6ed3-4334-b543-3ddfd8c5642d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "1b84d551-6de8-4b96-9930-d177677c3b1d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "c1b11bf7-c68e-4fbf-a95b-28efbe7953bb", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "f879d51c-5476-431c-aedf-f14d207e4d1e", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "2e0dd10b-676d-4964-acd0-8a404c92b044", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "54456690-84de-4538-9101-643e26437e09", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + } + ], + "uuid": "d6b3fcd0-1c86-4350-96f0-965ed02fcc51", + "value": "Ebury - S0377" } ], - "version": 12 + "version": 14 } diff --git a/clusters/mitre-mobile-attack-attack-pattern.json b/clusters/mitre-mobile-attack-attack-pattern.json index f634fb8..c0a9a6f 100644 --- a/clusters/mitre-mobile-attack-attack-pattern.json +++ b/clusters/mitre-mobile-attack-attack-pattern.json @@ -1670,5 +1670,5 @@ "value": "Malicious Software Development Tools - MOB-T1065" } ], - "version": 4 + "version": 5 } diff --git a/clusters/mitre-mobile-attack-course-of-action.json b/clusters/mitre-mobile-attack-course-of-action.json index 32e4b1d..81b31ae 100644 --- a/clusters/mitre-mobile-attack-course-of-action.json +++ b/clusters/mitre-mobile-attack-course-of-action.json @@ -304,5 +304,5 @@ "value": "Encrypt Network Traffic - MOB-M1009" } ], - "version": 5 + "version": 6 } diff --git a/clusters/mitre-mobile-attack-malware.json b/clusters/mitre-mobile-attack-malware.json index 1c59431..8697db8 100644 --- a/clusters/mitre-mobile-attack-malware.json +++ b/clusters/mitre-mobile-attack-malware.json @@ -609,6 +609,13 @@ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" + }, + { + "dest-uuid": "e2ea7f6b-8d4f-49c3-819d-660530d12b77", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "4bf6ba32-4165-42c1-b911-9c36165891c8", @@ -740,6 +747,13 @@ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" + }, + { + "dest-uuid": "830c9528-df21-472c-8c14-a036bf17d665", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "41e3fd01-7b83-471f-835d-d2b1dc9a770c", @@ -1103,5 +1117,5 @@ "value": "XcodeGhost - MOB-S0013" } ], - "version": 7 + "version": 8 } diff --git a/clusters/mitre-pre-attack-attack-pattern.json b/clusters/mitre-pre-attack-attack-pattern.json index ac865ae..66fd09b 100644 --- a/clusters/mitre-pre-attack-attack-pattern.json +++ b/clusters/mitre-pre-attack-attack-pattern.json @@ -2785,5 +2785,5 @@ "value": "Data Hiding - PRE-T1097" } ], - "version": 5 + "version": 6 } diff --git a/clusters/mitre-pre-attack-intrusion-set.json b/clusters/mitre-pre-attack-intrusion-set.json index ca083fe..ba875c6 100644 --- a/clusters/mitre-pre-attack-intrusion-set.json +++ b/clusters/mitre-pre-attack-intrusion-set.json @@ -263,6 +263,13 @@ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" + }, + { + "dest-uuid": "72b74d71-8169-42aa-92e0-e7b04b9f5a08", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "6a2e693f-24e5-451a-9f88-b36a108e5662", @@ -296,6 +303,13 @@ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" + }, + { + "dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "23b6a0f5-fa95-46f9-a6f3-4549c5e45ec8", @@ -355,5 +369,5 @@ "value": "APT17 - G0025" } ], - "version": 7 + "version": 8 } diff --git a/clusters/mitre-tool.json b/clusters/mitre-tool.json index 988757b..c64f5e9 100644 --- a/clusters/mitre-tool.json +++ b/clusters/mitre-tool.json @@ -111,7 +111,7 @@ "type": "uses" }, { - "dest-uuid": "f879d51c-5476-431c-aedf-f14d207e4d1e", + "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -124,104 +124,6 @@ ], "type": "uses" }, - { - "dest-uuid": "dcaa092b-7de9-4a21-977f-7fcb77e89c48", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "f4882e23-8aa7-4b12-b28a-b349c12ee9e0", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "c23b740b-a42b-47a1-aec2-9d48ddd547ff", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "544b0346-29ad-41e1-a808-501bb4193f47", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "1c338d0f-a65e-4073-a5c1-c06878849f21", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "c8e87b83-edbb-48d4-9295-4974897525b7", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "f72eb8a8-cd4c-461d-a814-3f862befbf00", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", "tags": [ @@ -229,62 +131,6 @@ ], "type": "uses" }, - { - "dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "c3bce4f4-9795-46c6-976e-8676300bbc39", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "00d0b012-8a03-410e-95de-5826bf542de6", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "3489cfc5-640f-4bb3-a103-9137b97de79f", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "54a649ff-439a-41a4-9856-8d144a2551ba", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "99709758-2b96-48f2-a68a-ad7fbd828091", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "51dea151-0898-4a45-967c-3ebee0420484", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "e3a12395-188d-4051-9a16-ea8e14d07b88", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670", "tags": [ @@ -292,13 +138,6 @@ ], "type": "uses" }, - { - "dest-uuid": "ca1a3f50-5ebd-41f8-8320-2c7d6a6e88be", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "478aa214-2ca7-4ec0-9978-18798e514790", "tags": [ @@ -306,34 +145,6 @@ ], "type": "uses" }, - { - "dest-uuid": "7fd87010-3a00-4da3-b905-410525e8ec44", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "731f4f55-b6d0-41d1-a7a9-072a66389aea", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "f44731de-ea9f-406d-9b83-30ecbb9b4392", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "e358d692-23c0-4a31-9eb6-ecc13a8d7735", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "128c55d3-aeba-469f-bd3e-c8996ab4112a", "tags": [ @@ -342,7 +153,84 @@ "type": "uses" }, { - "dest-uuid": "772bc7a8-a157-42cc-8728-d648e25c7fe7", + "dest-uuid": "99709758-2b96-48f2-a68a-ad7fbd828091", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "e3a12395-188d-4051-9a16-ea8e14d07b88", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "c23b740b-a42b-47a1-aec2-9d48ddd547ff", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "00d0b012-8a03-410e-95de-5826bf542de6", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "f4882e23-8aa7-4b12-b28a-b349c12ee9e0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "ffe742ed-9100-4686-9e00-c331da544787", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "c3bce4f4-9795-46c6-976e-8676300bbc39", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "ca1a3f50-5ebd-41f8-8320-2c7d6a6e88be", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "54a649ff-439a-41a4-9856-8d144a2551ba", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7fd87010-3a00-4da3-b905-410525e8ec44", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -356,7 +244,119 @@ "type": "uses" }, { - "dest-uuid": "ffe742ed-9100-4686-9e00-c331da544787", + "dest-uuid": "f72eb8a8-cd4c-461d-a814-3f862befbf00", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "731f4f55-b6d0-41d1-a7a9-072a66389aea", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "dcaa092b-7de9-4a21-977f-7fcb77e89c48", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "f44731de-ea9f-406d-9b83-30ecbb9b4392", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "544b0346-29ad-41e1-a808-501bb4193f47", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "51dea151-0898-4a45-967c-3ebee0420484", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "f879d51c-5476-431c-aedf-f14d207e4d1e", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "c8e87b83-edbb-48d4-9295-4974897525b7", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "1c338d0f-a65e-4073-a5c1-c06878849f21", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "e358d692-23c0-4a31-9eb6-ecc13a8d7735", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "772bc7a8-a157-42cc-8728-d648e25c7fe7", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "3489cfc5-640f-4bb3-a103-9137b97de79f", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -460,14 +460,14 @@ "type": "uses" }, { - "dest-uuid": "c23b740b-a42b-47a1-aec2-9d48ddd547ff", + "dest-uuid": "1df0326d-2fbc-4d08-a16b-48365f1e742d", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "1df0326d-2fbc-4d08-a16b-48365f1e742d", + "dest-uuid": "c23b740b-a42b-47a1-aec2-9d48ddd547ff", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -480,13 +480,6 @@ ], "type": "uses" }, - { - "dest-uuid": "a257ed11-ff3b-4216-8c9d-3938ef57064c", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "56ff457d-5e39-492b-974c-dfd2b8603ffe", "tags": [ @@ -494,26 +487,33 @@ ], "type": "uses" }, - { - "dest-uuid": "a10641f4-87b4-45a3-a906-92a149cb2c27", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "ba8e391f-14b5-496f-81f2-2d5ecd646c1c", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" + }, + { + "dest-uuid": "a257ed11-ff3b-4216-8c9d-3938ef57064c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "a10641f4-87b4-45a3-a906-92a149cb2c27", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "afc079f3-c0ea-4096-b75d-3f05338b7f60", "value": "Mimikatz - S0002" }, { - "description": "[HTRAN](https://attack.mitre.org/software/S0040) is a tool that proxies connections through intermediate hops and aids users in disguising their true geographical location. It can be used by adversaries to hide their location when interacting with the victim networks. (Citation: Operation Quantum Entanglement)", + "description": "[HTRAN](https://attack.mitre.org/software/S0040) is a tool that proxies connections through intermediate hops and aids users in disguising their true geographical location. It can be used by adversaries to hide their location when interacting with the victim networks. (Citation: Operation Quantum Entanglement)(Citation: NCSC Joint Report Public Tools)", "meta": { "external_id": "S0040", "mitre_platforms": [ @@ -522,7 +522,8 @@ ], "refs": [ "https://attack.mitre.org/software/S0040", - "https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/wp-operation-quantum-entanglement.pdf" + "https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/wp-operation-quantum-entanglement.pdf", + "https://s3.eu-west-1.amazonaws.com/ncsc-content/files/Joint%20report%20on%20publicly%20available%20hacking%20tools%20%28NCSC%29.pdf" ], "synonyms": [ "HTRAN", @@ -543,6 +544,20 @@ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" + }, + { + "dest-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "0f20e3cb-245b-4a61-8a91-2d93f7cb0e9b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "d5e96a35-7b0b-4c6a-9533-d63ecbda563e", @@ -818,6 +833,13 @@ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" + }, + { + "dest-uuid": "767dbf9e-df3f-45cb-8998-4903ab5f80c0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "38952eac-cb1b-4a71-bad2-ee8223a1c8fe", @@ -865,14 +887,14 @@ "type": "uses" }, { - "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", + "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", + "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -955,6 +977,13 @@ ], "type": "uses" }, + { + "dest-uuid": "2e0dd10b-676d-4964-acd0-8a404c92b044", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "731f4f55-b6d0-41d1-a7a9-072a66389aea", "tags": [ @@ -968,13 +997,6 @@ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" - }, - { - "dest-uuid": "2e0dd10b-676d-4964-acd0-8a404c92b044", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" } ], "uuid": "5a63f900-5e7e-4928-a746-dd4558e1df71", @@ -1032,14 +1054,7 @@ }, "related": [ { - "dest-uuid": "30973a08-aed9-4edf-8604-9084ce1b5c4f", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", + "dest-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -1052,6 +1067,13 @@ ], "type": "uses" }, + { + "dest-uuid": "e3a12395-188d-4051-9a16-ea8e14d07b88", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "4b74a1d4-b0e9-4ef1-93f1-14ecc6e2f5b5", "tags": [ @@ -1059,48 +1081,6 @@ ], "type": "uses" }, - { - "dest-uuid": "51dea151-0898-4a45-967c-3ebee0420484", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "ca1a3f50-5ebd-41f8-8320-2c7d6a6e88be", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "f44731de-ea9f-406d-9b83-30ecbb9b4392", "tags": [ @@ -1109,7 +1089,35 @@ "type": "uses" }, { - "dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22", + "dest-uuid": "51dea151-0898-4a45-967c-3ebee0420484", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "30973a08-aed9-4edf-8604-9084ce1b5c4f", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "3489cfc5-640f-4bb3-a103-9137b97de79f", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -1123,21 +1131,14 @@ "type": "uses" }, { - "dest-uuid": "68f7e3a1-f09f-4164-9a62-16b648a0dd5a", + "dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "e3a12395-188d-4051-9a16-ea8e14d07b88", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "7fd87010-3a00-4da3-b905-410525e8ec44", + "dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -1151,7 +1152,28 @@ "type": "uses" }, { - "dest-uuid": "3489cfc5-640f-4bb3-a103-9137b97de79f", + "dest-uuid": "68f7e3a1-f09f-4164-9a62-16b648a0dd5a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "ca1a3f50-5ebd-41f8-8320-2c7d6a6e88be", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7fd87010-3a00-4da3-b905-410525e8ec44", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -1211,7 +1233,7 @@ "value": "PsExec - S0029" }, { - "description": "The [Net](https://attack.mitre.org/software/S0039) utility is a component of the Windows operating system. It is used in command-line operations for control of users, groups, services, and network connections. (Citation: Microsoft Net Utility)\n\n[Net](https://attack.mitre.org/software/S0039) has a great deal of functionality, (Citation: Savill 1999) much of which is useful for an adversary, such as gathering system and network information for Discovery, moving laterally through [Windows Admin Shares](https://attack.mitre.org/techniques/T1077) using net use commands, and interacting with services.", + "description": "The [Net](https://attack.mitre.org/software/S0039) utility is a component of the Windows operating system. It is used in command-line operations for control of users, groups, services, and network connections. (Citation: Microsoft Net Utility)\n\n[Net](https://attack.mitre.org/software/S0039) has a great deal of functionality, (Citation: Savill 1999) much of which is useful for an adversary, such as gathering system and network information for Discovery, moving laterally through [Windows Admin Shares](https://attack.mitre.org/techniques/T1077) using net use commands, and interacting with services. The net1.exe utility is executed for certain functionality when net.exe is run and can be used directly in commands such as net1 user.", "meta": { "external_id": "S0039", "mitre_platforms": [ @@ -1236,21 +1258,7 @@ "type": "uses" }, { - "dest-uuid": "15dbf668-795c-41e6-8219-f0447c0e64ce", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "e7eab98d-ae11-4491-bd28-a53ba875865a", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "322bad5a-1c49-4d23-ab79-76d641794afa", + "dest-uuid": "f44731de-ea9f-406d-9b83-30ecbb9b4392", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -1264,14 +1272,7 @@ "type": "uses" }, { - "dest-uuid": "e358d692-23c0-4a31-9eb6-ecc13a8d7735", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "ffe742ed-9100-4686-9e00-c331da544787", + "dest-uuid": "72b74d71-8169-42aa-92e0-e7b04b9f5a08", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -1284,6 +1285,34 @@ ], "type": "uses" }, + { + "dest-uuid": "ffe742ed-9100-4686-9e00-c331da544787", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "15dbf668-795c-41e6-8219-f0447c0e64ce", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "322bad5a-1c49-4d23-ab79-76d641794afa", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "e358d692-23c0-4a31-9eb6-ecc13a8d7735", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, { "dest-uuid": "7e150503-88e7-4861-866b-ff1ac82c4475", "tags": [ @@ -1291,26 +1320,19 @@ ], "type": "uses" }, - { - "dest-uuid": "f44731de-ea9f-406d-9b83-30ecbb9b4392", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "72b74d71-8169-42aa-92e0-e7b04b9f5a08", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "f3c544dc-673c-4ef3-accb-53229f1ae077", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" + }, + { + "dest-uuid": "e7eab98d-ae11-4491-bd28-a53ba875865a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "03342581-f790-4f03-ba41-e82e67392e23", @@ -1342,14 +1364,14 @@ "type": "uses" }, { - "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4", + "dest-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896", + "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -1383,14 +1405,14 @@ "type": "uses" }, { - "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", + "dest-uuid": "241814ae-de3f-4656-b49e-f9a80764d4b7", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "241814ae-de3f-4656-b49e-f9a80764d4b7", + "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -1710,7 +1732,8 @@ "mitre_platforms": [ "Linux", "Windows", - "macOS" + "macOS", + "Android" ], "refs": [ "https://attack.mitre.org/software/S0192", @@ -1736,56 +1759,14 @@ "type": "uses" }, { - "dest-uuid": "e01be9c5-e763-4caf-aeb7-000b416aef67", + "dest-uuid": "dcaa092b-7de9-4a21-977f-7fcb77e89c48", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "e3a12395-188d-4051-9a16-ea8e14d07b88", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "f44731de-ea9f-406d-9b83-30ecbb9b4392", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "7e150503-88e7-4861-866b-ff1ac82c4475", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "72b74d71-8169-42aa-92e0-e7b04b9f5a08", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "b9f5dbe2-4c55-4fc5-af2e-d42c1d182ec4", + "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -1799,42 +1780,7 @@ "type": "uses" }, { - "dest-uuid": "f4882e23-8aa7-4b12-b28a-b349c12ee9e0", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "4b74a1d4-b0e9-4ef1-93f1-14ecc6e2f5b5", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "6faf650d-bf31-4eb4-802d-1000cf38efaf", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "dcaa092b-7de9-4a21-977f-7fcb77e89c48", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22", + "dest-uuid": "ca1a3f50-5ebd-41f8-8320-2c7d6a6e88be", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -1848,21 +1794,7 @@ "type": "uses" }, { - "dest-uuid": "3489cfc5-640f-4bb3-a103-9137b97de79f", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "51dea151-0898-4a45-967c-3ebee0420484", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", + "dest-uuid": "b9f5dbe2-4c55-4fc5-af2e-d42c1d182ec4", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -1883,7 +1815,28 @@ "type": "uses" }, { - "dest-uuid": "1608f3e1-598a-42f4-a01a-2e252e81728f", + "dest-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "51dea151-0898-4a45-967c-3ebee0420484", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "e3a12395-188d-4051-9a16-ea8e14d07b88", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -1897,28 +1850,21 @@ "type": "uses" }, { - "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", + "dest-uuid": "1608f3e1-598a-42f4-a01a-2e252e81728f", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688", + "dest-uuid": "72b74d71-8169-42aa-92e0-e7b04b9f5a08", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "ca1a3f50-5ebd-41f8-8320-2c7d6a6e88be", + "dest-uuid": "f4882e23-8aa7-4b12-b28a-b349c12ee9e0", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -1932,14 +1878,7 @@ "type": "uses" }, { - "dest-uuid": "428ca9f8-0e33-442a-be87-f869cb4cf73e", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d", + "dest-uuid": "7e150503-88e7-4861-866b-ff1ac82c4475", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -1951,11 +1890,151 @@ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" + }, + { + "dest-uuid": "e01be9c5-e763-4caf-aeb7-000b416aef67", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "4b74a1d4-b0e9-4ef1-93f1-14ecc6e2f5b5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "f44731de-ea9f-406d-9b83-30ecbb9b4392", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "3489cfc5-640f-4bb3-a103-9137b97de79f", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "6faf650d-bf31-4eb4-802d-1000cf38efaf", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "428ca9f8-0e33-442a-be87-f869cb4cf73e", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "82caa33e-d11a-433a-94ea-9b5a5fbef81d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "0fff2797-19cb-41ea-a5f1-8a9303b8158e", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "cb69b20d-56d0-41ab-8440-4a4b251614d4", "value": "Pupy - S0192" }, + { + "description": "[Expand](https://attack.mitre.org/software/S0361) is a Windows utility used to expand one or more compressed CAB files.(Citation: Microsoft Expand Utility) It has been used by [BBSRAT](https://attack.mitre.org/software/S0127) to decompress a CAB file into executable content.(Citation: Palo Alto Networks BBSRAT)", + "meta": { + "external_id": "S0361", + "mitre_platforms": [ + "Windows" + ], + "refs": [ + "https://attack.mitre.org/software/S0361", + "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/expand", + "http://researchcenter.paloaltonetworks.com/2015/12/bbsrat-attacks-targeting-russian-organizations-linked-to-roaming-tiger/" + ], + "synonyms": [ + "Expand" + ] + }, + "related": [ + { + "dest-uuid": "f2d44246-91f1-478a-b6c8-1227e0ca109d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + } + ], + "uuid": "ca656c25-44f1-471b-9d9f-e2a3bbb84973", + "value": "Expand - S0361" + }, { "description": "[Tor](https://attack.mitre.org/software/S0183) is a software suite and network that provides increased anonymity on the Internet. It creates a multi-hop proxy network and utilizes multilayer encryption to protect both the message and routing information. [Tor](https://attack.mitre.org/software/S0183) utilizes \"Onion Routing,\" in which messages are encrypted with multiple layers of encryption; at each step in the proxy network, the topmost layer is decrypted and the contents forwarded on to the next node until it reaches its destination. (Citation: Dingledine Tor The Second-Generation Onion Router)", "meta": { @@ -2016,14 +2095,14 @@ "type": "uses" }, { - "dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5", + "dest-uuid": "3b0e52ce-517a-4614-a523-1bd5deef6c5e", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "3b0e52ce-517a-4614-a523-1bd5deef6c5e", + "dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -2068,7 +2147,7 @@ "value": "Responder - S0174" }, { - "description": "[PowerSploit](https://attack.mitre.org/software/S0194) is an open source, offensive security framework compromised of [PowerShell](https://attack.mitre.org/techniques/T1086) modules and scripts that perform a wide range of tasks related to penetration testing such as code execution, persistence, bypassing anti-virus, recon, and exfiltration. (Citation: GitHub PowerSploit May 2012) (Citation: PowerShellMagazine PowerSploit July 2014) (Citation: PowerSploit Documentation)", + "description": "[PowerSploit](https://attack.mitre.org/software/S0194) is an open source, offensive security framework comprised of [PowerShell](https://attack.mitre.org/techniques/T1086) modules and scripts that perform a wide range of tasks related to penetration testing such as code execution, persistence, bypassing anti-virus, recon, and exfiltration. (Citation: GitHub PowerSploit May 2012) (Citation: PowerShellMagazine PowerSploit July 2014) (Citation: PowerSploit Documentation)", "meta": { "external_id": "S0194", "mitre_platforms": [ @@ -2093,77 +2172,7 @@ "type": "uses" }, { - "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "dcaa092b-7de9-4a21-977f-7fcb77e89c48", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "72b74d71-8169-42aa-92e0-e7b04b9f5a08", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "b39d03cb-7b98-41c4-a878-c40c1a913dc0", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "f4882e23-8aa7-4b12-b28a-b349c12ee9e0", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22", + "dest-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -2177,7 +2186,7 @@ "type": "uses" }, { - "dest-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d", + "dest-uuid": "b39d03cb-7b98-41c4-a878-c40c1a913dc0", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -2191,14 +2200,42 @@ "type": "uses" }, { - "dest-uuid": "1035cdf2-3e5f-446f-a7a7-e8f6d7925967", + "dest-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "62dfd1ca-52d5-483c-a84b-d6e80bf94b7b", + "dest-uuid": "72b74d71-8169-42aa-92e0-e7b04b9f5a08", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "46944654-fcc1-4f63-9dad-628102376586", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -2212,14 +2249,56 @@ "type": "uses" }, { - "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055", + "dest-uuid": "00d0b012-8a03-410e-95de-5826bf542de6", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "00d0b012-8a03-410e-95de-5826bf542de6", + "dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "62dfd1ca-52d5-483c-a84b-d6e80bf94b7b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "dcaa092b-7de9-4a21-977f-7fcb77e89c48", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "f4882e23-8aa7-4b12-b28a-b349c12ee9e0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "1035cdf2-3e5f-446f-a7a7-e8f6d7925967", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -2233,7 +2312,14 @@ "type": "uses" }, { - "dest-uuid": "46944654-fcc1-4f63-9dad-628102376586", + "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "767dbf9e-df3f-45cb-8998-4903ab5f80c0", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -2300,6 +2386,13 @@ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" + }, + { + "dest-uuid": "d45a3d09-b3cf-48f4-9f0f-f521ee5cb05c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "d8d19e33-94fd-4aa3-b94a-08ee801a2153", @@ -2409,62 +2502,6 @@ ] }, "related": [ - { - "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "4b74a1d4-b0e9-4ef1-93f1-14ecc6e2f5b5", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "1b84d551-6de8-4b96-9930-d177677c3b1d", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, - { - "dest-uuid": "731f4f55-b6d0-41d1-a7a9-072a66389aea", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "uses" - }, { "dest-uuid": "51dea151-0898-4a45-967c-3ebee0420484", "tags": [ @@ -2473,7 +2510,14 @@ "type": "uses" }, { - "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4", + "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "ba8e391f-14b5-496f-81f2-2d5ecd646c1c", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -2494,14 +2538,63 @@ "type": "uses" }, { - "dest-uuid": "6faf650d-bf31-4eb4-802d-1000cf38efaf", + "dest-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "ba8e391f-14b5-496f-81f2-2d5ecd646c1c", + "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "4b74a1d4-b0e9-4ef1-93f1-14ecc6e2f5b5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "731f4f55-b6d0-41d1-a7a9-072a66389aea", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "1b84d551-6de8-4b96-9930-d177677c3b1d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "6faf650d-bf31-4eb4-802d-1000cf38efaf", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -2538,6 +2631,365 @@ "uuid": "33b9e38f-103c-412d-bdcf-904a91fff1e4", "value": "spwebmember - S0227" }, + { + "description": "[Remcos](https://attack.mitre.org/software/S0332) is a closed-source tool that is marketed as a remote control and surveillance software by a company called Breaking Security. [Remcos](https://attack.mitre.org/software/S0332) has been observed being used in malware campaigns.(Citation: Riskiq Remcos Jan 2018)(Citation: Talos Remcos Aug 2018)", + "meta": { + "external_id": "S0332", + "mitre_platforms": [ + "Windows" + ], + "refs": [ + "https://attack.mitre.org/software/S0332", + "https://www.riskiq.com/blog/labs/spear-phishing-turkish-defense-contractors/", + "https://blog.talosintelligence.com/2018/08/picking-apart-remcos.html", + "https://www.fortinet.com/blog/threat-research/remcos-a-new-rat-in-the-wild-2.html" + ], + "synonyms": [ + "Remcos" + ] + }, + "related": [ + { + "dest-uuid": "82caa33e-d11a-433a-94ea-9b5a5fbef81d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "1035cdf2-3e5f-446f-a7a7-e8f6d7925967", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "6faf650d-bf31-4eb4-802d-1000cf38efaf", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "731f4f55-b6d0-41d1-a7a9-072a66389aea", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "ca1a3f50-5ebd-41f8-8320-2c7d6a6e88be", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "30973a08-aed9-4edf-8604-9084ce1b5c4f", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7fd87010-3a00-4da3-b905-410525e8ec44", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + } + ], + "uuid": "7cd0bc75-055b-4098-a00e-83dc8beaff14", + "value": "Remcos - S0332" + }, + { + "description": "[PoshC2](https://attack.mitre.org/software/S0378) is an open source remote administration and post-exploitation framework that is publicly available on GitHub. The server-side components of the tool are primarily written in Python, while the implants are written in [PowerShell](https://attack.mitre.org/techniques/T1086). Although [PoshC2](https://attack.mitre.org/software/S0378) is primarily focused on Windows implantation, it does contain a basic Python dropper for Linux/macOS.(Citation: GitHub PoshC2)", + "meta": { + "external_id": "S0378", + "mitre_platforms": [ + "Windows", + "Linux", + "macOS" + ], + "refs": [ + "https://attack.mitre.org/software/S0378", + "https://github.com/nettitude/PoshC2" + ], + "synonyms": [ + "PoshC2" + ] + }, + "related": [ + { + "dest-uuid": "a93494bb-4b80-4ea1-8695-3236a49916fd", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "767dbf9e-df3f-45cb-8998-4903ab5f80c0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "0dbf5f1b-a560-4d51-ac1b-d70caab3e1f0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "9db0cf3a-a3c9-4012-8268-123b9db6fd82", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "30208d3e-0d6b-43c8-883e-44462a514619", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "ca1a3f50-5ebd-41f8-8320-2c7d6a6e88be", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "b21c3b2d-02e6-45b1-980b-e69051040839", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "dcaa092b-7de9-4a21-977f-7fcb77e89c48", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "c23b740b-a42b-47a1-aec2-9d48ddd547ff", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "731f4f55-b6d0-41d1-a7a9-072a66389aea", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "e906ae4d-1d3a-4675-be23-22f7311c0da4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "ba8e391f-14b5-496f-81f2-2d5ecd646c1c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "b9f5dbe2-4c55-4fc5-af2e-d42c1d182ec4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "f44731de-ea9f-406d-9b83-30ecbb9b4392", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "322bad5a-1c49-4d23-ab79-76d641794afa", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7e150503-88e7-4861-866b-ff1ac82c4475", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "15dbf668-795c-41e6-8219-f0447c0e64ce", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "b6075259-dba3-44e9-87c7-e954f37ec0d5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "e3a12395-188d-4051-9a16-ea8e14d07b88", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "3257eb21-f9a7-4430-8de1-d8b6e288f529", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "72b74d71-8169-42aa-92e0-e7b04b9f5a08", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + } + ], + "uuid": "4b57c098-f043-4da2-83ef-7588a6d426bc", + "value": "PoshC2 - S0378" + }, { "description": "[Xbot](https://attack.mitre.org/software/S0298) is an Android malware family that was observed in 2016 primarily targeting Android users in Russia and Australia. (Citation: PaloAlto-Xbot)", "meta": { @@ -2583,14 +3035,14 @@ "type": "uses" }, { - "dest-uuid": "3dd58c80-4c2e-458c-9503-1b2cd273c4d2", + "dest-uuid": "9d7c32f4-ab39-49dc-8055-8106bc2294a1", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "uses" }, { - "dest-uuid": "9d7c32f4-ab39-49dc-8055-8106bc2294a1", + "dest-uuid": "3dd58c80-4c2e-458c-9503-1b2cd273c4d2", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], @@ -2606,7 +3058,671 @@ ], "uuid": "da21929e-40c0-443d-bdf4-6b60d15448b4", "value": "Xbot - S0298" + }, + { + "description": "[Empire](https://attack.mitre.org/software/S0363) is an open source, cross-platform remote administration and post-exploitation framework that is publicly available on GitHub. While the tool itself is primarily written in Python, the post-exploitation agents are written in pure [PowerShell](https://attack.mitre.org/techniques/T1086) for Windows and Python for Linux/macOS. [Empire](https://attack.mitre.org/software/S0363) was one of five tools singled out by a joint report on public hacking tools being widely used by adversaries.(Citation: NCSC Joint Report Public Tools)(Citation: Github PowerShell Empire)(Citation: GitHub ATTACK Empire)\n\n", + "meta": { + "external_id": "S0363", + "mitre_platforms": [ + "Linux", + "macOS", + "Windows" + ], + "refs": [ + "https://attack.mitre.org/software/S0363", + "https://s3.eu-west-1.amazonaws.com/ncsc-content/files/Joint%20report%20on%20publicly%20available%20hacking%20tools%20%28NCSC%29.pdf", + "https://github.com/PowerShellEmpire/Empire", + "https://github.com/dstepanic/attck_empire" + ], + "synonyms": [ + "Empire", + "EmPyre", + "PowerShell Empire" + ] + }, + "related": [ + { + "dest-uuid": "5e4a2073-9643-44cb-a0b5-e7f4048446c7", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "ba8e391f-14b5-496f-81f2-2d5ecd646c1c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "6faf650d-bf31-4eb4-802d-1000cf38efaf", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7fd87010-3a00-4da3-b905-410525e8ec44", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "30973a08-aed9-4edf-8604-9084ce1b5c4f", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "a257ed11-ff3b-4216-8c9d-3938ef57064c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "56ff457d-5e39-492b-974c-dfd2b8603ffe", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "b39d03cb-7b98-41c4-a878-c40c1a913dc0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "3257eb21-f9a7-4430-8de1-d8b6e288f529", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "0dbf5f1b-a560-4d51-ac1b-d70caab3e1f0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "66f73398-8394-4711-85e5-34c8540b22a5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "f4882e23-8aa7-4b12-b28a-b349c12ee9e0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "f44731de-ea9f-406d-9b83-30ecbb9b4392", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "ff25900d-76d5-449b-a351-8824e62fc81b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "772bc7a8-a157-42cc-8728-d648e25c7fe7", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "9db0cf3a-a3c9-4012-8268-123b9db6fd82", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "dcaa092b-7de9-4a21-977f-7fcb77e89c48", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "c23b740b-a42b-47a1-aec2-9d48ddd547ff", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "54a649ff-439a-41a4-9856-8d144a2551ba", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "9b99b83a-1aac-4e29-b975-b374950551a3", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "e3a12395-188d-4051-9a16-ea8e14d07b88", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "46944654-fcc1-4f63-9dad-628102376586", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "c4ad009b-6e13-4419-8d21-918a1652de02", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "62dfd1ca-52d5-483c-a84b-d6e80bf94b7b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "b21c3b2d-02e6-45b1-980b-e69051040839", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "6c174520-beea-43d9-aac6-28fb77f3e446", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "ca1a3f50-5ebd-41f8-8320-2c7d6a6e88be", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "1df0326d-2fbc-4d08-a16b-48365f1e742d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "970cdb5c-02fb-4c38-b17e-d6327cf3c810", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "e01be9c5-e763-4caf-aeb7-000b416aef67", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "b9f5dbe2-4c55-4fc5-af2e-d42c1d182ec4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "1608f3e1-598a-42f4-a01a-2e252e81728f", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "128c55d3-aeba-469f-bd3e-c8996ab4112a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "72b74d71-8169-42aa-92e0-e7b04b9f5a08", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "f879d51c-5476-431c-aedf-f14d207e4d1e", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "a19e86f8-1c0a-4fea-8407-23b73d615776", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "92d7da27-2d91-488e-a00c-059dc162766d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "3489cfc5-640f-4bb3-a103-9137b97de79f", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "7e150503-88e7-4861-866b-ff1ac82c4475", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "241814ae-de3f-4656-b49e-f9a80764d4b7", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "4b74a1d4-b0e9-4ef1-93f1-14ecc6e2f5b5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "ebb42bbe-62d7-47d7-a55f-3b08b61d792d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "830c9528-df21-472c-8c14-a036bf17d665", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "767dbf9e-df3f-45cb-8998-4903ab5f80c0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + } + ], + "uuid": "3433a9e8-1c47-4320-b9bf-ed449061d1c3", + "value": "Empire - S0363" + }, + { + "description": "[RawDisk](https://attack.mitre.org/software/S0364) is a legitimate commercial driver from the EldoS Corporation that is used for interacting with files, disks, and partitions. The driver allows for direct modification of data on a local computer's hard drive. In some cases, the tool can enact these raw disk modifications from user-mode processes, circumventing Windows operating system security features.(Citation: EldoS RawDisk ITpro)(Citation: Novetta Blockbuster Destructive Malware)", + "meta": { + "external_id": "S0364", + "mitre_platforms": [ + "Windows" + ], + "refs": [ + "https://attack.mitre.org/software/S0364", + "https://www.itprotoday.com/windows-78/eldos-provides-raw-disk-access-vista-and-xp", + "https://operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Destructive-Malware-Report.pdf" + ], + "synonyms": [ + "RawDisk" + ] + }, + "related": [ + { + "dest-uuid": "2e114e45-2c50-404c-804a-3af9564d240e", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "d45a3d09-b3cf-48f4-9f0f-f521ee5cb05c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "b82f7d37-b826-4ec9-9391-8e121c78aed7", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + } + ], + "uuid": "3ffbdc1f-d2bf-41ab-91a2-c7b857e98079", + "value": "RawDisk - S0364" + }, + { + "description": "[LaZagne](https://attack.mitre.org/software/S0349) is a post-exploitation, open-source tool used to recover stored passwords on a system. It has modules for Windows, Linux, and OSX, but is mainly focused on Windows systems. [LaZagne](https://attack.mitre.org/software/S0349) is publicly available on GitHub.(Citation: GitHub LaZagne Dec 2018)", + "meta": { + "external_id": "S0349", + "mitre_platforms": [ + "Linux", + "macOS", + "Windows" + ], + "refs": [ + "https://attack.mitre.org/software/S0349", + "https://github.com/AlessandroZ/LaZagne" + ], + "synonyms": [ + "LaZagne" + ] + }, + "related": [ + { + "dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "ba8e391f-14b5-496f-81f2-2d5ecd646c1c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + } + ], + "uuid": "b76b2d94-60e4-4107-a903-4a3a7622fb3b", + "value": "LaZagne - S0349" + }, + { + "description": "[Impacket](https://attack.mitre.org/software/S0357) is an open source collection of modules written in Python for programmatically constructing and manipulating network protocols. [Impacket](https://attack.mitre.org/software/S0357) contains several tools for remote service execution, Kerberos manipulation, Windows credential dumping, packet sniffing, and relay attacks.(Citation: Impacket Tools)", + "meta": { + "external_id": "S0357", + "mitre_platforms": [ + "Linux", + "macOS", + "Windows" + ], + "refs": [ + "https://attack.mitre.org/software/S0357", + "https://www.secureauth.com/labs/open-source-tools/impacket" + ], + "synonyms": [ + "Impacket" + ] + }, + "related": [ + { + "dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "3257eb21-f9a7-4430-8de1-d8b6e288f529", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "b39d03cb-7b98-41c4-a878-c40c1a913dc0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "f44731de-ea9f-406d-9b83-30ecbb9b4392", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "0dbf5f1b-a560-4d51-ac1b-d70caab3e1f0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + } + ], + "uuid": "26c87906-d750-42c5-946c-d4162c73fc7b", + "value": "Impacket - S0357" + }, + { + "description": "[Ruler](https://attack.mitre.org/software/S0358) is a tool to abuse Microsoft Exchange services. It is publicly available on GitHub and the tool is executed via the command line. The creators of [Ruler](https://attack.mitre.org/software/S0358) have also released a defensive tool, NotRuler, to detect its usage.(Citation: SensePost Ruler GitHub)(Citation: SensePost NotRuler)", + "meta": { + "external_id": "S0358", + "mitre_platforms": [ + "Windows" + ], + "refs": [ + "https://attack.mitre.org/software/S0358", + "https://github.com/sensepost/ruler", + "https://github.com/sensepost/notruler" + ], + "synonyms": [ + "Ruler" + ] + }, + "related": [ + { + "dest-uuid": "2c4d4e92-0ccf-4a97-b54c-86d662988a53", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "1608f3e1-598a-42f4-a01a-2e252e81728f", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + } + ], + "uuid": "90ac9266-68ce-46f2-b24f-5eb3b2a8ea38", + "value": "Ruler - S0358" + }, + { + "description": "[Nltest](https://attack.mitre.org/software/S0359) is a Windows command-line utility used to list domain controllers and enumerate domain trusts.(Citation: Nltest Manual)", + "meta": { + "external_id": "S0359", + "mitre_platforms": [ + "Windows" + ], + "refs": [ + "https://attack.mitre.org/software/S0359", + "https://ss64.com/nt/nltest.html" + ], + "synonyms": [ + "Nltest" + ] + }, + "related": [ + { + "dest-uuid": "767dbf9e-df3f-45cb-8998-4903ab5f80c0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "e358d692-23c0-4a31-9eb6-ecc13a8d7735", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + }, + { + "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + } + ], + "uuid": "981acc4c-2ede-4b56-be6e-fa1a75f37acf", + "value": "Nltest - S0359" } ], - "version": 11 + "version": 13 }