From c49b3242a5ba858ff51f833c8cf9fe3a247b8390 Mon Sep 17 00:00:00 2001
From: Christophe Vandeplas
Date: Tue, 16 Oct 2018 16:19:16 +0200
Subject: [PATCH 01/17] chg: mappings are now in the generated adoc plus massive performance improvement
---
 tools/adoc_galaxy.py | 105 ++++++++++++++++-----------
 tools/{gen.sh => gen_adoc_galaxy.sh} | 0
 2 files changed, 63 insertions(+), 42 deletions(-)
 mode change 100644 => 100755 tools/adoc_galaxy.py
 rename tools/{gen.sh => gen_adoc_galaxy.sh} (100%)
 mode change 100644 => 100755
diff --git a/tools/adoc_galaxy.py b/tools/adoc_galaxy.py
old mode 100644
new mode 100755
index bb01508..af0ead0
--- a/tools/adoc_galaxy.py
+++ b/tools/adoc_galaxy.py
@@ -1,4 +1,4 @@
-#!/usr/bin/env python
+#!/usr/bin/env python3
 # -*- coding: utf-8 -*-
 #
 #
@@ -35,41 +35,50 @@ for f in os.listdir(pathClusters): clusters.sort() +# build a mapping between uuids and Clusters +cluster_uuids = {} +for cluster in clusters: + fullPathClusters = os.path.join(pathClusters, cluster) + with open(fullPathClusters) as fp: + c = json.load(fp) + for v in c['values']: + if 'uuid' not in v: + continue + cluster_uuids[v['uuid']] = 'misp-galaxy:{}="{}"'.format(c['type'], v['value']) + + argParser = argparse.ArgumentParser(description='Generate documentation from MISP galaxy clusters', epilog='Available galaxy clusters are {0}'.format(clusters)) argParser.add_argument('-v', action='store_true', help='Verbose mode') args = argParser.parse_args() -def header(adoc=False): - if adoc is False: - return False - +def header(): + doc = [] dedication = "\n[dedication]\n== Funding and Support\nThe MISP project is financially and resource supported by https://www.circl.lu/[CIRCL Computer Incident Response Center Luxembourg ].\n\nimage:{images-misp}logo.png[CIRCL logo]\n\nA CEF (Connecting Europe Facility) funding under CEF-TC-2016-3 - Cyber Security has been granted from 1st September 2017 until 31th August 2019 as ***Improving MISP as building blocks for next-generation information sharing***.\n\nimage:{images-misp}en_cef.png[CEF funding]\n\nIf you are interested to co-fund projects around MISP, feel free to get in touch with us.\n\n" - doc = adoc - doc = doc + ":toc: right\n" - doc = doc + ":toclevels: 1\n" - doc = doc + ":toc-title: MISP Galaxy Cluster\n" - doc = doc + ":icons: font\n" - doc = doc + ":sectanchors:\n" - doc = doc + ":sectlinks:\n" - doc = doc + ":images-cdn: https://raw.githubusercontent.com/MISP/MISP/2.4/INSTALL/logos/\n" - doc = doc + ":images-misp: https://www.misp-project.org/assets/images/\n" - doc = doc + "\n= MISP Galaxy Clusters\n\n" - doc = doc + "= Introduction\n" - doc = doc + "\nimage::{images-cdn}misp-logo.png[MISP logo]\n\n" - doc = doc + "The MISP threat sharing platform is a free and open source software helping 
information sharing of threat intelligence including cyber security indicators, financial fraud or counter-terrorism information. The MISP project includes multiple sub-projects to support the operational requirements of analysts and improve the overall quality of information shared.\n\n" - doc = doc + "" - doc = "{}{}".format(doc, "\nMISP galaxy is a simple method to express a large object called cluster that can be attached to MISP events or attributes. A cluster can be composed of one or more elements. Elements are expressed as key-values. There are default vocabularies available in MISP galaxy but those can be overwritten, replaced or updated as you wish. Existing clusters and vocabularies can be used as-is or as a template. MISP distribution can be applied to each cluster to permit a limited or broader distribution scheme.\n") - doc = doc + "The following document is generated from the machine-readable JSON describing the https://github.com/MISP/misp-galaxy[MISP galaxy]." - doc = doc + "\n\n" - doc = doc + "<<<\n" - doc = doc + dedication - doc = doc + "<<<\n" - doc = doc + "= MISP galaxy\n" + doc += ":toc: right\n" + doc += ":toclevels: 1\n" + doc += ":toc-title: MISP Galaxy Cluster\n" + doc += ":icons: font\n" + doc += ":sectanchors:\n" + doc += ":sectlinks:\n" + doc += ":images-cdn: https://raw.githubusercontent.com/MISP/MISP/2.4/INSTALL/logos/\n" + doc += ":images-misp: https://www.misp-project.org/assets/images/\n" + doc += "\n= MISP Galaxy Clusters\n\n" + doc += "= Introduction\n" + doc += "\nimage::{images-cdn}misp-logo.png[MISP logo]\n\n" + doc += "The MISP threat sharing platform is a free and open source software helping information sharing of threat intelligence including cyber security indicators, financial fraud or counter-terrorism information. 
The MISP project includes multiple sub-projects to support the operational requirements of analysts and improve the overall quality of information shared.\n\n" + doc += "" + doc += "\nMISP galaxy is a simple method to express a large object called cluster that can be attached to MISP events or attributes. A cluster can be composed of one or more elements. Elements are expressed as key-values. There are default vocabularies available in MISP galaxy but those can be overwritten, replaced or updated as you wish. Existing clusters and vocabularies can be used as-is or as a template. MISP distribution can be applied to each cluster to permit a limited or broader distribution scheme.\n" + doc += "The following document is generated from the machine-readable JSON describing the https://github.com/MISP/misp-galaxy[MISP galaxy]." + doc += "\n\n" + doc += "<<<\n" + doc += dedication + doc += "<<<\n" + doc += "= MISP galaxy\n" return doc -def asciidoc(content=False, adoc=None, t='title',title='', typename=''): - - adoc = adoc + "\n" +def asciidoc(content=False, t='title',title='', typename=''): + adoc = [] + adoc += "\n" output = "" if t == 'title': output = '== ' + content 
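Review bot: The new `cluster_uuids` loop assigns `cluster_uuids[v['uuid']]` unconditionally, so when two cluster values share a `uuid` the later one silently replaces the earlier and a `related` entry may be rendered against the wrong cluster. A check before the assignment would surface this at generation time, e.g. `if v['uuid'] in cluster_uuids: print('duplicate uuid {}'.format(v['uuid']), file=sys.stderr)` (assuming `sys` is imported above the hunk). The value is also placed inside `="{}"` unescaped, so a `"` in `v['value']` produces a malformed tag string. On style, `doc = []` followed by `doc += "..."` extends the list one character at a time; `doc.append("...")` keeps one element per fragment and states the intent. `asciidoc()` continues past the end of this hunk.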
@@ -81,21 +90,31 @@ def asciidoc(content=False, adoc=None, t='title',title='', typename=''): output = '=== ' + content elif t == 'description': output = '\n{}\n'.format(content) - elif t == 'meta': + elif t == 'meta-synonyms': if 'synonyms' in content: for s in content['synonyms']: output = "{}\n* {}\n".format(output,s) output = '{} is also known as:\n{}\n'.format(title,output) + elif t == 'meta-refs': if 'refs' in content: output = '{}{}'.format(output,'\n.Table References\n|===\n|Links\n') for r in content['refs']: output = '{}|{}[{}]\n'.format(output, r, r) output = '{}{}'.format(output,'|===\n') - adoc = adoc + output + elif t == 'related': + for r in content: + try: + output = "{}\n* {}: {} with {}\n".format(output, r['type'], cluster_uuids[r['dest-uuid']], ', '.join(r['tags'])) + except Exception: + pass # ignore lookup errors + if output: + output = '{} has relationships with:\n{}\n'.format(title,output) + adoc += output return adoc -adoc = "" -print (header(adoc=adoc)) + +adoc = [] +adoc += header() for cluster in clusters: fullPathClusters = os.path.join(pathClusters, cluster) 
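Review bot: The `except Exception: pass` in the new `related` branch hides every failure, not only an unknown `dest-uuid`: a relationship missing `type` or `tags`, or with non-string tags, is dropped from the generated document without a trace. Narrowing it to `except KeyError:` and reporting under the existing `-v` flag, e.g. `if args.v: print('skipped relationship of {}: {}'.format(title, r), file=sys.stderr)`, would make dangling UUIDs in the cluster files visible (this assumes `sys` is imported above the hunk). `r['type']` and `r['tags']` are also written into the AsciiDoc as-is; if cluster files are accepted from outside contributors, validating or escaping them before rendering is worth considering. `asciidoc()` starts before this hunk.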
@@ -103,16 +122,18 @@ for cluster in clusters: c = json.load(fp) title = c['name'] typename = c['type'] - adoc = asciidoc(content=title, adoc=adoc, t='title') - adoc = asciidoc(content=c['description'], adoc=adoc, t='info', title=title, typename = typename) + adoc += asciidoc(content=title, t='title') + adoc += asciidoc(content=c['description'], t='info', title=title, typename = typename) if 'authors' in c: - adoc = asciidoc(content=c['authors'], adoc=adoc, t='author', title=title) + adoc += asciidoc(content=c['authors'], t='author', title=title) for v in c['values']: - adoc = asciidoc(content=v['value'], adoc=adoc, t='value', title=title) + adoc += asciidoc(content=v['value'], t='value', title=title) if 'description' in v: - adoc = asciidoc(content=v['description'], adoc=adoc, t='description') + adoc += asciidoc(content=v['description'], t='description') if 'meta' in v: - adoc = asciidoc(content=v['meta'], adoc=adoc, t='meta', title=v['value']) - - -print (adoc) + adoc += asciidoc(content=v['meta'], t='meta-synonyms', title=v['value']) + if 'related' in v: + adoc += asciidoc(content=v['related'], t='related', title=v['value']) + if 'meta' in v: + adoc += asciidoc(content=v['meta'], t='meta-refs', title=v['value']) +print (''.join(adoc)) diff --git a/tools/gen.sh b/tools/gen_adoc_galaxy.sh old mode 100644 new mode 100755 similarity index 100% rename from tools/gen.sh rename to tools/gen_adoc_galaxy.sh From c51ba2e86853b690ab4431bd4c41bc243a63b9e4 Mon Sep 17 00:00:00 2001 
From: Christophe Vandeplas Date: Wed, 17 Oct 2018 08:08:58 +0200 Subject: [PATCH 02/17] chg: MITRE relationships included in the respective cluster. --- ...re-enterprise-attack-course-of-action.json | 1939 ++++++++++++++++- ...mitre-enterprise-attack-intrusion-set.json | 449 +++- clusters/mitre-enterprise-attack-malware.json | 1472 ++++++++++++- clusters/mitre-enterprise-attack-tool.json | 391 +++- .../mitre-mobile-attack-course-of-action.json | 130 +- clusters/mitre-mobile-attack-malware.json | 299 ++- clusters/mitre-mobile-attack-tool.json | 11 +- clusters/mitre-pre-attack-attack-pattern.json | 301 ++- clusters/mitre-pre-attack-intrusion-set.json | 55 +- ...e-enterprise-attack-relationship_galaxy.py | 102 - ...mitre-mobile-attack-relationship_galaxy.py | 101 - ...te_mitre-pre-attack-relationship_galaxy.py | 102 - .../v2.0/create_mitre_relationships.py | 97 + 13 files changed, 5126 insertions(+), 323 deletions(-) delete mode 100644 tools/mitre-cti/v2.0/create_mitre-enterprise-attack-relationship_galaxy.py delete mode 100644 tools/mitre-cti/v2.0/create_mitre-mobile-attack-relationship_galaxy.py delete mode 100644 tools/mitre-cti/v2.0/create_mitre-pre-attack-relationship_galaxy.py create mode 100755 tools/mitre-cti/v2.0/create_mitre_relationships.py diff --git a/clusters/mitre-enterprise-attack-course-of-action.json b/clusters/mitre-enterprise-attack-course-of-action.json index 7bb5c69..4c29ae1 100644 --- a/clusters/mitre-enterprise-attack-course-of-action.json +++ b/clusters/mitre-enterprise-attack-course-of-action.json @@ -13,6 +13,15 @@ "meta": { "external_id": "T1122" }, + "related": [ + { + "dest-uuid": "9b52fca7-1a36-4da0-b62d-da5bd83b4d69", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], "uuid": "ff5d862a-ae6b-4833-8c15-e235d654d28e", "value": "Component Object Model Hijacking Mitigation - T1122" }, 
@@ -21,6 +30,15 @@ "meta": { "external_id": "T1041" }, + "related": [ + { + "dest-uuid": "92d7da27-2d91-488e-a00c-059dc162766d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], "uuid": "92c28497-2820-445e-9f3e-a03dd77dc0c8", "value": "Exfiltration Over Command and Control Channel Mitigation - T1041" }, @@ -29,6 +47,15 @@ "meta": { "external_id": "T1055" }, + "related": [ + { + "dest-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], "uuid": "74febc44-8955-4e4d-aca0-d4dad2f967d7", "value": "Process Injection Mitigation - T1055" }, @@ -37,6 +64,15 @@ "meta": { "external_id": "T1088" }, + "related": [ + { + "dest-uuid": "ca1a3f50-5ebd-41f8-8320-2c7d6a6e88be", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], "uuid": "beb45abb-11e8-4aef-9778-1f9ac249784f", "value": "Bypass User Account Control Mitigation - T1088" }, @@ -45,6 +81,15 @@ "meta": { "external_id": "T1059" }, + "related": [ + { + "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], "uuid": "f28a20fd-d173-4603-807e-2cb3f51bdf04", "value": "Command-Line Interface Mitigation - T1059" }, @@ -53,6 +98,15 @@ "meta": { "external_id": "T1038" }, + "related": [ + { + "dest-uuid": "46944654-fcc1-4f63-9dad-628102376586", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], "uuid": "96913243-2b5e-4483-a65c-bb152ddd2f04", "value": "DLL Search Order Hijacking Mitigation - T1038" }, 
@@ -61,6 +115,15 @@ "meta": { "external_id": "T1065" }, + "related": [ + { + "dest-uuid": "c848fcf7-6b62-4bde-8216-b6c157d48da0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], "uuid": "a0d8db1d-a731-4428-8209-c07175f4b1fe", "value": "Uncommonly Used Port Mitigation - T1065" }, @@ -69,6 +132,15 @@ "meta": { "external_id": "T1135" }, + "related": [ + { + "dest-uuid": "3489cfc5-640f-4bb3-a103-9137b97de79f", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], "uuid": "1f34230d-b6ae-4dc7-8599-78c18820bd21", "value": "Network Share Discovery Mitigation - T1135" }, @@ -77,6 +149,15 @@ "meta": { "external_id": "T1121" }, + "related": [ + { + "dest-uuid": "215190a9-9f02-4e83-bb5f-e0589965a302", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], "uuid": "a90da496-b460-47e8-92e7-cc36eb00bd9a", "value": "Regsvcs/Regasm Mitigation - T1121" }, @@ -85,6 +166,15 @@ "meta": { "external_id": "T1017" }, + "related": [ + { + "dest-uuid": "327f3cc5-eea1-42d4-a6cd-ed34b7ce8f61", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], "uuid": "c88151a5-fe3f-4773-8147-d801587065a4", "value": "Application Deployment Software Mitigation - T1017" }, @@ -93,6 +183,15 @@ "meta": { "external_id": "T1043" }, + "related": [ + { + "dest-uuid": "f879d51c-5476-431c-aedf-f14d207e4d1e", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], "uuid": "7c1796c7-9fc3-4c3e-9416-527295bf5d95", "value": "Commonly Used Port Mitigation - T1043" }, 
@@ -101,6 +200,15 @@ "meta": { "external_id": "T1047" }, + "related": [ + { + "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], "uuid": "ba2ec548-fb75-4b8c-88d6-d91a77a943cf", "value": "Windows Management Instrumentation Mitigation - T1047" }, @@ -109,6 +217,15 @@ "meta": { "external_id": "T1179" }, + "related": [ + { + "dest-uuid": "66f73398-8394-4711-85e5-34c8540b22a5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], "uuid": "7aee8ea0-0baa-4232-b379-5d9ce98352cf", "value": "Hooking Mitigation - T1179" }, @@ -117,6 +234,15 @@ "meta": { "external_id": "T1169" }, + "related": [ + { + "dest-uuid": "9e80ddfb-ce32-4961-a778-ca6a10cfae72", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], "uuid": "23bff3ce-021c-4e7a-9aee-60fd40bc7c6c", "value": "Sudo Mitigation - T1169" }, @@ -125,6 +251,15 @@ "meta": { "external_id": "T1175" }, + "related": [ + { + "dest-uuid": "772bc7a8-a157-42cc-8728-d648e25c7fe7", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], "uuid": "910482b1-6749-4934-abcb-3e34d58294fc", "value": "Distributed Component Object Model Mitigation - T1175" }, @@ -133,6 +268,15 @@ "meta": { "external_id": "T1034" }, + "related": [ + { + "dest-uuid": "c4ad009b-6e13-4419-8d21-918a1652de02", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], "uuid": "e0703d4f-3972-424a-8277-84004817e024", "value": "Path Interception Mitigation - T1034" }, 
@@ -141,6 +285,15 @@ "meta": { "external_id": "T1061" }, + "related": [ + { + "dest-uuid": "a6525aec-acc4-47fe-92f9-b9b4de4b9228", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], "uuid": "aaa92b37-f96c-4a0a-859c-b1cb6faeb13d", "value": "Graphical User Interface Mitigation - T1061" }, @@ -149,6 +302,15 @@ "meta": { "external_id": "T1096" }, + "related": [ + { + "dest-uuid": "f2d44246-91f1-478a-b6c8-1227e0ca109d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], "uuid": "ac008435-af58-4f77-988a-c9b96c5920f5", "value": "NTFS File Attributes Mitigation - T1096" }, @@ -157,6 +319,15 @@ "meta": { "external_id": "T1066" }, + "related": [ + { + "dest-uuid": "00d0b012-8a03-410e-95de-5826bf542de6", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], "uuid": "4b998a71-7b8f-4dcc-8f3f-277f2e740271", "value": "Indicator Removal from Tools Mitigation - T1066" }, @@ -165,6 +336,15 @@ "meta": { "external_id": "T1164" }, + "related": [ + { + "dest-uuid": "6a3be63a-64c5-4678-a036-03ff8fc35300", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], "uuid": "61d02387-351a-453e-a575-160a9abc3e04", "value": "Re-opened Applications Mitigation - T1164" }, @@ -173,6 +353,15 @@ "meta": { "external_id": "T1159" }, + "related": [ + { + "dest-uuid": "dd901512-6e37-4155-943b-453e3777b125", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], "uuid": "121b2863-5b97-4538-acb3-f8aae070ec13", "value": "Launch Agent Mitigation - T1159" }, 
@@ -181,6 +370,15 @@ "meta": { "external_id": "T1144" }, + "related": [ + { + "dest-uuid": "6fb6408c-0db3-41d9-a3a1-a32e5f16454e", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], "uuid": "1a7f5bd3-f6ee-4bd7-b949-2f3632ad6158", "value": "Gatekeeper Bypass Mitigation - T1144" }, @@ -189,6 +387,15 @@ "meta": { "external_id": "T1198" }, + "related": [ + { + "dest-uuid": "72b5ef57-325c-411b-93ca-a3ca6fa17e31", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], "uuid": "ef273807-c465-4728-9cee-5823422f42ee", "value": "SIP and Trust Provider Hijacking Mitigation - T1198" }, @@ -197,6 +404,15 @@ "meta": { "external_id": "T1115" }, + "related": [ + { + "dest-uuid": "30973a08-aed9-4edf-8604-9084ce1b5c4f", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], "uuid": "19edfa02-1a5f-47e4-ad82-3288f57f64cf", "value": "Clipboard Data Mitigation - T1115" }, @@ -205,6 +421,15 @@ "meta": { "external_id": "T1027" }, + "related": [ + { + "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], "uuid": "a09375e5-63d2-4b65-8b0d-1cfe3e6304ca", "value": "Obfuscated Files or Information Mitigation - T1027" }, @@ -213,6 +438,15 @@ "meta": { "external_id": "T1136" }, + "related": [ + { + "dest-uuid": "e01be9c5-e763-4caf-aeb7-000b416aef67", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], "uuid": "9a5b7194-88e0-4579-b82f-e3c27b8cca80", "value": "Create Account Mitigation - T1136" }, 
@@ -221,6 +455,15 @@ "meta": { "external_id": "T1192" }, + "related": [ + { + "dest-uuid": "20138b9d-1aac-4a26-8654-a36b6bbf2bba", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], "uuid": "ad7f983d-d5a8-4fce-a38c-b68eda61bf4e", "value": "Spearphishing Link Mitigation - T1192" }, @@ -229,6 +472,15 @@ "meta": { "external_id": "T1194" }, + "related": [ + { + "dest-uuid": "d3df754e-997b-4cf9-97d4-70feb3120847", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], "uuid": "c861bcb1-946f-450d-ab75-d4e3c1103a56", "value": "Spearphishing via Service Mitigation - T1194" }, @@ -237,6 +489,15 @@ "meta": { "external_id": "T1060" }, + "related": [ + { + "dest-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], "uuid": "8b36d944-f274-4d46-9acd-dbba6927ce7a", "value": "Registry Run Keys / Start Folder Mitigation - T1060" }, @@ -245,6 +506,15 @@ "meta": { "external_id": "T1104" }, + "related": [ + { + "dest-uuid": "84e02621-8fdf-470f-bd58-993bb6a89d91", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], "uuid": "514e7371-a344-4de7-8ec3-3aa42b801d52", "value": "Multi-Stage Channels Mitigation - T1104" }, @@ -253,6 +523,15 @@ "meta": { "external_id": "T1074" }, + "related": [ + { + "dest-uuid": "7dd95ff6-712e-4056-9626-312ea4ab4c5e", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], "uuid": "4320b080-9ae9-4541-9b8b-bcd0961dbbbd", "value": "Data Staged Mitigation - T1074" }, 
@@ -261,6 +540,15 @@ "meta": { "external_id": "T1160" }, + "related": [ + { + "dest-uuid": "e99ec083-abdd-48de-ad87-4dbf6f8ba2a4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], "uuid": "402e92cd-5608-4f4b-9a34-a2c962e4bcd7", "value": "Launch Daemon Mitigation - T1160" }, @@ -269,6 +557,15 @@ "meta": { "external_id": "T1025" }, + "related": [ + { + "dest-uuid": "1b7ba276-eedc-4951-a762-0ceea2c030ec", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], "uuid": "39706d54-0d06-4a25-816a-78cc43455100", "value": "Data from Removable Media Mitigation - T1025" }, @@ -277,6 +574,15 @@ "meta": { "external_id": "T1147" }, + "related": [ + { + "dest-uuid": "ce73ea43-8e77-47ba-9c11-5e9c9c58b9ff", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], "uuid": "12cba7de-0a22-4a56-b51e-c514c67c3b43", "value": "Hidden Users Mitigation - T1147" }, @@ -285,6 +591,15 @@ "meta": { "external_id": "T1216" }, + "related": [ + { + "dest-uuid": "f6fe9070-7a65-49ea-ae72-76292f42cebe", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], "uuid": "51048ba0-a5aa-41e7-bf5d-993cd217dfb2", "value": "Signed Script Proxy Execution Mitigation - T1216" }, @@ -293,6 +608,15 @@ "meta": { "external_id": "T1039" }, + "related": [ + { + "dest-uuid": "ae676644-d2d2-41b7-af7e-9bed1b55898c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], "uuid": "d9727aee-48b8-4fdb-89e2-4c49746ba4dd", "value": "Data from Network Shared Drive Mitigation - T1039" }, 
@@ -301,6 +625,15 @@ "meta": { "external_id": "T1157" }, + "related": [ + { + "dest-uuid": "aa8bfbc9-78dc-41a4-a03b-7453e0fdccda", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], "uuid": "dc43c2fe-355e-4a79-9570-3267b0992784", "value": "Dylib Hijacking Mitigation - T1157" }, @@ -309,6 +642,15 @@ "meta": { "external_id": "T1098" }, + "related": [ + { + "dest-uuid": "a10641f4-87b4-45a3-a906-92a149cb2c27", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], "uuid": "fdb1ae84-7b00-4d3d-b7dc-c774beef6425", "value": "Account Manipulation Mitigation - T1098" }, @@ -317,6 +659,15 @@ "meta": { "external_id": "T1086" }, + "related": [ + { + "dest-uuid": "f4882e23-8aa7-4b12-b28a-b349c12ee9e0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], "uuid": "d0415180-51e9-40ce-b57c-c332b0b441f2", "value": "PowerShell Mitigation - T1086" }, @@ -325,6 +676,15 @@ "meta": { "external_id": "T1187" }, + "related": [ + { + "dest-uuid": "b77cf5f3-6060-475d-bd60-40ccbf28fdc2", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], "uuid": "7009ba4d-83d4-4851-9fbb-e09e28497765", "value": "Forced Authentication Mitigation - T1187" }, @@ -333,6 +693,15 @@ "meta": { "external_id": "T1082" }, + "related": [ + { + "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], "uuid": "c620e3a1-fff5-424f-abea-d2b0f3616f67", "value": "System Information Discovery Mitigation - T1082" }, 
@@ -341,6 +710,15 @@ "meta": { "external_id": "T1211" }, + "related": [ + { + "dest-uuid": "fe926152-f431-4baf-956c-4ad3cb0bf23b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], "uuid": "37a3f3f5-76e6-43fe-b935-f1f494c95725", "value": "Exploitation for Defense Evasion Mitigation - T1211" }, @@ -349,6 +727,15 @@ "meta": { "external_id": "T1004" }, + "related": [ + { + "dest-uuid": "514ede4c-78b3-4d78-a38b-daddf6217a79", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], "uuid": "313c8b20-4d49-40c1-9ac0-4c573aca28f3", "value": "Winlogon Helper DLL Mitigation - T1004" }, @@ -357,6 +744,15 @@ "meta": { "external_id": "T1174" }, + "related": [ + { + "dest-uuid": "b8c5c9dd-a662-479d-9428-ae745872537c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], "uuid": "00d7d21b-69d6-4797-88a2-c86f3fc97651", "value": "Password Filter DLL Mitigation - T1174" }, @@ -365,6 +761,15 @@ "meta": { "external_id": "T1128" }, + "related": [ + { + "dest-uuid": "bb0e0cb5-f3e4-4118-a4cb-6bf13bfbc9f2", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], "uuid": "624d063d-cda8-4616-b4e4-54c04e427aec", "value": "Netsh Helper DLL Mitigation - T1128" }, @@ -373,6 +778,15 @@ "meta": { "external_id": "T1126" }, + "related": [ + { + "dest-uuid": "e7eab98d-ae11-4491-bd28-a53ba875865a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], "uuid": "94e95eeb-7cdb-4bd7-afba-f32fda303dbb", "value": "Network Share Connection Removal Mitigation - T1126" }, 
@@ -381,6 +795,15 @@ "meta": { "external_id": "T1090" }, + "related": [ + { + "dest-uuid": "731f4f55-b6d0-41d1-a7a9-072a66389aea", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], "uuid": "d75a3d1b-b536-4f15-a23c-f4bcc17837b8", "value": "Connection Proxy Mitigation - T1090" }, @@ -389,6 +812,15 @@ "meta": { "external_id": "T1201" }, + "related": [ + { + "dest-uuid": "b6075259-dba3-44e9-87c7-e954f37ec0d5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], "uuid": "49961e75-b493-423a-9ec7-ac2d6f55384a", "value": "Password Policy Discovery Mitigation - T1201" }, @@ -397,6 +829,15 @@ "meta": { "external_id": "T1217" }, + "related": [ + { + "dest-uuid": "5e4a2073-9643-44cb-a0b5-e7f4048446c7", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], "uuid": "1c0b39f9-a0c5-42b2-abd8-dc8f1eb74e67", "value": "Browser Bookmark Discovery Mitigation - T1217" }, @@ -405,6 +846,15 @@ "meta": { "external_id": "T1209" }, + "related": [ + { + "dest-uuid": "dce31a00-1e90-4655-b0f9-e2e71a748a87", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], "uuid": "a1482e43-f3ff-4fbd-94de-ad1244738166", "value": "Time Providers Mitigation - T1209" }, @@ -413,6 +863,15 @@ "meta": { "external_id": "T1010" }, + "related": [ + { + "dest-uuid": "4ae4f953-fe58-4cc8-a327-33257e30a830", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], "uuid": "25d5e1d8-c6fb-4735-bc57-115a21222f4b", "value": "Application Window Discovery Mitigation - T1010" }, 
@@ -421,6 +880,15 @@ "meta": { "external_id": "T1133" }, + "related": [ + { + "dest-uuid": "10d51417-ee35-4589-b1ff-b6df1c334e8d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], "uuid": "d4fd04e0-d1a4-4b5a-a5bb-16683cdbcce2", "value": "External Remote Services Mitigation - T1133" }, @@ -429,6 +897,15 @@ "meta": { "external_id": "T1075" }, + "related": [ + { + "dest-uuid": "c23b740b-a42b-47a1-aec2-9d48ddd547ff", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], "uuid": "bcee7b05-89a6-41a5-b7aa-fce4da7ede9e", "value": "Pass the Hash Mitigation - T1075" }, @@ -437,6 +914,15 @@ "meta": { "external_id": "T1087" }, + "related": [ + { + "dest-uuid": "72b74d71-8169-42aa-92e0-e7b04b9f5a08", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], "uuid": "5c49bc54-9929-48ca-b581-7018219b5a97", "value": "Account Discovery Mitigation - T1087" }, @@ -445,6 +931,15 @@ "meta": { "external_id": "T1127" }, + "related": [ + { + "dest-uuid": "ff25900d-76d5-449b-a351-8824e62fc81b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], "uuid": "823fbfe9-b015-4bf3-9e67-d340c7373ca0", "value": "Trusted Developer Utilities Mitigation - T1127" }, @@ -453,6 +948,15 @@ "meta": { "external_id": "T1097" }, + "related": [ + { + "dest-uuid": "a257ed11-ff3b-4216-8c9d-3938ef57064c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], "uuid": "3a476d83-43eb-4fad-9b75-b1febd834e3d", "value": "Pass the Ticket Mitigation - T1097" }, 
@@ -461,6 +965,15 @@ "meta": { "external_id": "T1033" }, + "related": [ + { + "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], "uuid": "16f144e4-c780-4ed2-98b4-55d14e2dfa44", "value": "System Owner/User Discovery Mitigation - T1033" }, @@ -469,6 +982,15 @@ "meta": { "external_id": "T1003" }, + "related": [ + { + "dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], "uuid": "aeff5887-8f9e-48d5-a523-9b395e2ce80a", "value": "Credential Dumping Mitigation - T1003" }, @@ -477,6 +999,15 @@ "meta": { "external_id": "T1117" }, + "related": [ + { + "dest-uuid": "68f7e3a1-f09f-4164-9a62-16b648a0dd5a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], "uuid": "12c13879-b7bd-4bc5-8def-aacec386d432", "value": "Regsvr32 Mitigation - T1117" }, @@ -485,6 +1016,15 @@ "meta": { "external_id": "T1093" }, + "related": [ + { + "dest-uuid": "1c338d0f-a65e-4073-a5c1-c06878849f21", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], "uuid": "7c39ebbf-244e-4d1c-b0ac-b282453ece43", "value": "Process Hollowing Mitigation - T1093" }, @@ -493,6 +1033,15 @@ "meta": { "external_id": "T1149" }, + "related": [ + { + "dest-uuid": "a0a189c8-d3bd-4991-bf6f-153d185ee373", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], "uuid": "6e7db820-9735-4545-bc64-039bc4ce354b", "value": "LC_MAIN Hijacking Mitigation - T1149" }, 
@@ -501,6 +1050,15 @@ "meta": { "external_id": "T1178" }, + "related": [ + { + "dest-uuid": "1df0326d-2fbc-4d08-a16b-48365f1e742d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], "uuid": "b91c2f9e-c1a0-44df-95f0-9e7c9d1d5e55", "value": "SID-History Injection Mitigation - T1178" }, @@ -509,6 +1067,15 @@ "meta": { "external_id": "T1165" }, + "related": [ + { + "dest-uuid": "2ba5aa71-9d15-4b22-b726-56af06d9ad2f", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], "uuid": "94927849-03e3-4a07-8f4c-9ee21b626719", "value": "Startup Items Mitigation - T1165" }, @@ -517,6 +1084,15 @@ "meta": { "external_id": "T1106" }, + "related": [ + { + "dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], "uuid": "56db6ccc-433d-4411-8383-c3fd7053e2c8", "value": "Execution through API Mitigation - T1106" }, @@ -525,6 +1101,15 @@ "meta": { "external_id": "T1080" }, + "related": [ + { + "dest-uuid": "246fd3c7-f5e3-466d-8787-4c13d9e3b61c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], "uuid": "f0a42cad-9b1f-44da-a672-718f18381018", "value": "Taint Shared Content Mitigation - T1080" }, @@ -533,6 +1118,15 @@ "meta": { "external_id": "T1108" }, + "related": [ + { + "dest-uuid": "6aabc5ec-eae6-422c-8311-38d45ee9838a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], "uuid": "f9b3e5d9-7454-4b7d-bce6-27620e19924e", "value": "Redundant Access Mitigation - T1108" }, 
@@ -541,6 +1135,15 @@ "meta": { "external_id": "T1172" }, + "related": [ + { + "dest-uuid": "1ce03c65-5946-4ac9-9d4d-66db87e024bd", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], "uuid": "62ae52c9-7197-4f5b-be1d-10d2e1df2c96", "value": "Domain Fronting Mitigation - T1172" }, @@ -549,6 +1152,15 @@ "meta": { "external_id": "T1193" }, + "related": [ + { + "dest-uuid": "6aac77c4-eaf2-4366-8c13-ce50ab951f38", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], "uuid": "8f6b5ca6-263a-4ea9-98f3-afd2a3cd8119", "value": "Spearphishing Attachment Mitigation - T1193" }, @@ -557,6 +1169,15 @@ "meta": { "external_id": "T1123" }, + "related": [ + { + "dest-uuid": "1035cdf2-3e5f-446f-a7a7-e8f6d7925967", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], "uuid": "16dd03c6-0dfb-4d77-89cd-9ff3ee6e533d", "value": "Audio Capture Mitigation - T1123" }, @@ -565,6 +1186,15 @@ "meta": { "external_id": "T1050" }, + "related": [ + { + "dest-uuid": "478aa214-2ca7-4ec0-9978-18798e514790", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], "uuid": "b7b2c89c-09c1-4b71-ae7c-000ec2893aab", "value": "New Service Mitigation - T1050" }, @@ -573,6 +1203,15 @@ "meta": { "external_id": "T1191" }, + "related": [ + { + "dest-uuid": "7d6f590f-544b-45b4-9a42-e0805f342af3", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], "uuid": "91816292-3686-4a6e-83c4-4c08513b9b57", "value": "CMSTP Mitigation - T1191" }, 
@@ -581,6 +1220,15 @@ "meta": { "external_id": "T1064" }, + "related": [ + { + "dest-uuid": "7fd87010-3a00-4da3-b905-410525e8ec44", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], "uuid": "57019a80-8523-46b6-be7d-f763a15a2cc6", "value": "Scripting Mitigation - T1064" }, @@ -589,6 +1237,15 @@ "meta": { "external_id": "T1150" }, + "related": [ + { + "dest-uuid": "06780952-177c-4247-b978-79c357fb311f", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], "uuid": "2d704e56-e689-4011-b989-bf4e025a8727", "value": "Plist Modification Mitigation - T1150" }, @@ -597,6 +1254,15 @@ "meta": { "external_id": "T1085" }, + "related": [ + { + "dest-uuid": "62b8c999-dcc0-4755-bd69-09442d9359f5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], "uuid": "8c918d8a-11c5-4ffd-af10-e74bc06bdfae", "value": "Rundll32 Mitigation - T1085" }, @@ -605,6 +1271,15 @@ "meta": { "external_id": "T1214" }, + "related": [ + { + "dest-uuid": "2edd9d6a-5674-4326-a600-ba56de467286", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], "uuid": "4490fee2-5c70-4db3-8db5-8d88767dbd55", "value": "Credentials in Registry Mitigation - T1214" }, @@ -613,6 +1288,15 @@ "meta": { "external_id": "T1188" }, + "related": [ + { + "dest-uuid": "7d751199-05fa-4a72-920f-85df4506c76c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], "uuid": "752db800-ea54-4e7a-b4c1-2a0292350ea7", "value": "Multi-hop Proxy Mitigation - T1188" }, 
@@ -621,6 +1305,15 @@ "meta": { "external_id": "T1008" }, + "related": [ + { + "dest-uuid": "f24faf46-3b26-4dbb-98f2-63460498e433", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], "uuid": "515f6584-fa98-44fe-a4e8-e428c7188514", "value": "Fallback Channels Mitigation - T1008" }, @@ -629,6 +1322,15 @@ "meta": { "external_id": "T1203" }, + "related": [ + { + "dest-uuid": "be2dcee9-a7a7-4e38-afd6-21b31ecc3d63", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], "uuid": "f2dcee22-c275-405e-87fd-48630a19dfba", "value": "Exploitation for Client Execution Mitigation - T1203" }, @@ -637,6 +1339,15 @@ "meta": { "external_id": "T1007" }, + "related": [ + { + "dest-uuid": "322bad5a-1c49-4d23-ab79-76d641794afa", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], "uuid": "d8787791-d22e-45bb-a9a8-251d8d0a1ff2", "value": "System Service Discovery Mitigation - T1007" }, @@ -645,6 +1356,15 @@ "meta": { "external_id": "T1070" }, + "related": [ + { + "dest-uuid": "799ace7f-e227-4411-baa0-8868704f2a69", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], "uuid": "6cac62ce-550b-4793-8ee6-6a1b8836edb0", "value": "Indicator Removal on Host Mitigation - T1070" }, @@ -653,6 +1373,15 @@ "meta": { "external_id": "T1058" }, + "related": [ + { + "dest-uuid": "39a130e1-6ab7-434a-8bd2-418e7d9d6427", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], "uuid": "9378f139-10ef-4e4b-b679-2255a0818902", "value": "Service Registry Permissions Weakness Mitigation - T1058" }, 
@@ -661,6 +1390,15 @@ "meta": { "external_id": "T1208" }, + "related": [ + { + "dest-uuid": "b39d03cb-7b98-41c4-a878-c40c1a913dc0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], "uuid": "a3e12b04-8598-4909-8855-2c97c1e7d549", "value": "Kerberoasting Mitigation - T1208" }, @@ -669,6 +1407,15 @@ "meta": { "external_id": "T1099" }, + "related": [ + { + "dest-uuid": "128c55d3-aeba-469f-bd3e-c8996ab4112a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], "uuid": "5c167af7-c2cb-42c8-ae67-3fb275bf8488", "value": "Timestomp Mitigation - T1099" }, @@ -677,6 +1424,15 @@ "meta": { "external_id": "T1016" }, + "related": [ + { + "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], "uuid": "684feec3-f9ba-4049-9d8f-52d52f3e0e40", "value": "System Network Configuration Discovery Mitigation - T1016" }, @@ -685,6 +1441,15 @@ "meta": { "external_id": "T1129" }, + "related": [ + { + "dest-uuid": "0a5231ec-41af-4a35-83d0-6bdf11f28c65", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], "uuid": "cfd2cd3b-93e7-4b3e-ab46-f8bcafdbdfcf", "value": "Execution through Module Load Mitigation - T1129" }, @@ -693,6 +1458,15 @@ "meta": { "external_id": "T1051" }, + "related": [ + { + "dest-uuid": "804c042c-cfe6-449e-bc1a-ba0a998a70db", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], "uuid": "43b366a4-b5ff-4d4e-8a3b-f09a9d2faff5", "value": "Shared Webroot Mitigation - T1051" }, 
@@ -701,6 +1475,15 @@ "meta": { "external_id": "T1053" }, + "related": [ + { + "dest-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], "uuid": "f2cb6ce2-188d-4162-8feb-594f949b13dd", "value": "Scheduled Task Mitigation - T1053" }, @@ -709,6 +1492,15 @@ "meta": { "external_id": "T1009" }, + "related": [ + { + "dest-uuid": "519630c5-f03f-4882-825c-3af924935817", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], "uuid": "16a8ac85-a06f-460f-ad22-910167bd7332", "value": "Binary Padding Mitigation - T1009" }, @@ -717,6 +1509,15 @@ "meta": { "external_id": "T1040" }, + "related": [ + { + "dest-uuid": "3257eb21-f9a7-4430-8de1-d8b6e288f529", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], "uuid": "46b7ef91-4e1d-43c5-a2eb-00fa9444f6f4", "value": "Network Sniffing Mitigation - T1040" }, @@ -725,6 +1526,15 @@ "meta": { "external_id": "T1022" }, + "related": [ + { + "dest-uuid": "d54416bd-0803-41ca-870a-ce1af7c05638", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], "uuid": "2a8de25c-f743-4348-b101-3ee33ab5871b", "value": "Data Encrypted Mitigation - T1022" }, @@ -733,6 +1543,15 @@ "meta": { "external_id": "T1032" }, + "related": [ + { + "dest-uuid": "4b74a1d4-b0e9-4ef1-93f1-14ecc6e2f5b5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], "uuid": "a766ce73-5583-48f3-b7c0-0bb43c6ef8c7", "value": "Standard Cryptographic Protocol Mitigation - T1032" }, 
@@ -741,6 +1560,15 @@ "meta": { "external_id": "T1079" }, + "related": [ + { + "dest-uuid": "428ca9f8-0e33-442a-be87-f869cb4cf73e", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], "uuid": "24478001-2eb3-4b06-a02e-96b3d61d27ec", "value": "Multilayer Encryption Mitigation - T1079" }, @@ -749,6 +1577,15 @@ "meta": { "external_id": "T1036" }, + "related": [ + { + "dest-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], "uuid": "45e7f570-6a0b-4095-bf02-4bca05da6bae", "value": "Masquerading Mitigation - T1036" }, @@ -757,6 +1594,15 @@ "meta": { "external_id": "T1006" }, + "related": [ + { + "dest-uuid": "0c8ab3eb-df48-4b9c-ace7-beacaac81cc5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], "uuid": "902286b2-96cc-4dd7-931f-e7340c9961da", "value": "File System Logical Offsets Mitigation - T1006" }, @@ -765,6 +1611,15 @@ "meta": { "external_id": "T1021" }, + "related": [ + { + "dest-uuid": "54a649ff-439a-41a4-9856-8d144a2551ba", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], "uuid": "979e6485-7a2f-42bd-ae96-4e622c3cd173", "value": "Remote Services Mitigation - T1021" }, @@ -773,6 +1628,15 @@ "meta": { "external_id": "T1107" }, + "related": [ + { + "dest-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], "uuid": "34efb2fd-4dc2-40d4-a564-0c147c85034d", "value": "File Deletion Mitigation - T1107" }, 
@@ -781,6 +1645,15 @@ "meta": { "external_id": "T1002" }, + "related": [ + { + "dest-uuid": "b9f5dbe2-4c55-4fc5-af2e-d42c1d182ec4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], "uuid": "28adf6fd-ab6c-4553-9aa7-cef18a191f33", "value": "Data Compressed Mitigation - T1002" }, @@ -789,6 +1662,15 @@ "meta": { "external_id": "T1155" }, + "related": [ + { + "dest-uuid": "5ad95aaa-49c1-4784-821d-2e83f47b079b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], "uuid": "1e4ef2c7-ee96-4484-9baa-3b5777561301", "value": "AppleScript Mitigation - T1155" }, @@ -797,6 +1679,15 @@ "meta": { "external_id": "T1170" }, + "related": [ + { + "dest-uuid": "a127c32c-cbb0-4f9d-be07-881a792408ec", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], "uuid": "d2dce10b-3562-4d61-b2f5-7c6384b038e2", "value": "Mshta Mitigation - T1170" }, @@ -805,6 +1696,15 @@ "meta": { "external_id": "T1131" }, + "related": [ + { + "dest-uuid": "52d40641-c480-4ad5-81a3-c80ccaddf82d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], "uuid": "943d370b-2054-44df-8be2-ab4139bde1c5", "value": "Authentication Package Mitigation - T1131" }, @@ -813,6 +1713,15 @@ "meta": { "external_id": "T1218" }, + "related": [ + { + "dest-uuid": "457c7820-d331-465a-915e-42f85500ccc4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], "uuid": "28c0f30c-32c3-4c6c-a474-74820e55854f", "value": "Signed Binary Proxy Execution Mitigation - T1218" }, 
@@ -821,6 +1730,15 @@ "meta": { "external_id": "T1139" }, + "related": [ + { + "dest-uuid": "44dca04b-808d-46ca-b25f-d85236d4b9f8", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], "uuid": "ace4daee-f914-4707-be75-843f16da2edf", "value": "Bash History Mitigation - T1139" }, @@ -829,6 +1747,15 @@ "meta": { "external_id": "T1013" }, + "related": [ + { + "dest-uuid": "1f47e2fd-fa77-4f2f-88ee-e85df308f125", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], "uuid": "1c6bc7f3-d517-4971-aed4-8f939090846b", "value": "Port Monitors Mitigation - T1013" }, @@ -837,6 +1764,15 @@ "meta": { "external_id": "T1183" }, + "related": [ + { + "dest-uuid": "62166220-e498-410f-a90a-19d4339d4e99", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], "uuid": "33f76731-b840-446f-bee0-53687dad24d9", "value": "Image File Execution Options Injection Mitigation - T1183" }, @@ -845,6 +1781,15 @@ "meta": { "external_id": "T1204" }, + "related": [ + { + "dest-uuid": "8c32eb4d-805f-4fc5-bf60-c4d476c131b5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], "uuid": "548bf7ad-e19c-4d74-84bf-84ac4e57f505", "value": "User Execution Mitigation - T1204" }, @@ -853,6 +1798,15 @@ "meta": { "external_id": "T1161" }, + "related": [ + { + "dest-uuid": "04ef4356-8926-45e2-9441-634b6f3dcecb", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], "uuid": "77fd4d73-6b79-4593-82e7-e4a439cc7604", "value": "LC_LOAD_DYLIB Addition Mitigation - T1161" }, 
@@ -861,6 +1815,15 @@ "meta": { "external_id": "T1185" }, + "related": [ + { + "dest-uuid": "544b0346-29ad-41e1-a808-501bb4193f47", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], "uuid": "94f6b4f5-b528-4f50-91d5-f66457c2f8f7", "value": "Man in the Browser Mitigation - T1185" }, @@ -869,6 +1832,15 @@ "meta": { "external_id": "T1180" }, + "related": [ + { + "dest-uuid": "2892b9ee-ca9f-4723-b332-0dc6e843a8ae", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], "uuid": "9da16278-c6c5-4410-8a6b-9c16ce8005b3", "value": "Screensaver Mitigation - T1180" }, @@ -877,6 +1849,15 @@ "meta": { "external_id": "T1015" }, + "related": [ + { + "dest-uuid": "9b99b83a-1aac-4e29-b975-b374950551a3", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], "uuid": "c085476e-1964-4d7f-86e1-d8657a7741e8", "value": "Accessibility Features Mitigation - T1015" }, @@ -885,6 +1866,15 @@ "meta": { "external_id": "T1067" }, + "related": [ + { + "dest-uuid": "02fefddc-fb1b-423f-a76b-7552dd211d4d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], "uuid": "96150c35-466f-4f0a-97a9-ae87ee27f751", "value": "Bootkit Mitigation - T1067" }, @@ -893,6 +1883,15 @@ "meta": { "external_id": "T1078" }, + "related": [ + { + "dest-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], "uuid": "d45f03a8-790a-4f90-b956-cd7e5b8886bf", "value": "Valid Accounts Mitigation - T1078" }, 
@@ -901,6 +1900,15 @@ "meta": { "external_id": "T1176" }, + "related": [ + { + "dest-uuid": "389735f1-f21c-4208-b8f0-f8031e7169b8", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], "uuid": "b52f41b9-ccf6-4da7-a6c0-167eeb71fbd8", "value": "Browser Extensions Mitigation - T1176" }, @@ -909,6 +1917,15 @@ "meta": { "external_id": "T1089" }, + "related": [ + { + "dest-uuid": "2e0dd10b-676d-4964-acd0-8a404c92b044", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], "uuid": "388606d3-f38f-45bf-885d-a9dc9df3c8a8", "value": "Disabling Security Tools Mitigation - T1089" }, @@ -917,6 +1934,15 @@ "meta": { "external_id": "T1012" }, + "related": [ + { + "dest-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], "uuid": "0640214c-95af-4c04-a574-2a1ba6dda00b", "value": "Query Registry Mitigation - T1012" }, @@ -925,6 +1951,15 @@ "meta": { "external_id": "T1156" }, + "related": [ + { + "dest-uuid": "01df3350-ce05-4bdf-bdf8-0a919a66d4a8", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], "uuid": "4f170666-7edb-4489-85c2-9affa28a72e0", "value": ".bash_profile and .bashrc Mitigation - T1156" }, @@ -933,6 +1968,15 @@ "meta": { "external_id": "T1019" }, + "related": [ + { + "dest-uuid": "6856ddd6-2df3-4379-8b87-284603c189c3", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], "uuid": "25e53928-6f33-49b7-baee-8180578286f6", "value": "System Firmware Mitigation - T1019" }, 
@@ -941,6 +1985,15 @@ "meta": { "external_id": "T1026" }, + "related": [ + { + "dest-uuid": "99709758-2b96-48f2-a68a-ad7fbd828091", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], "uuid": "da987565-27b6-4b31-bbcd-74b909847116", "value": "Multiband Communication Mitigation - T1026" }, @@ -949,6 +2002,15 @@ "meta": { "external_id": "T1018" }, + "related": [ + { + "dest-uuid": "e358d692-23c0-4a31-9eb6-ecc13a8d7735", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], "uuid": "9a902722-cecd-4fbe-a6c9-49333aa0f8c2", "value": "Remote System Discovery Mitigation - T1018" }, @@ -957,6 +2019,15 @@ "meta": { "external_id": "T1083" }, + "related": [ + { + "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], "uuid": "2ace01f8-67c8-43eb-b7b1-a7b9f1fe67e1", "value": "File and Directory Discovery Mitigation - T1083" }, @@ -965,6 +2036,15 @@ "meta": { "external_id": "T1215" }, + "related": [ + { + "dest-uuid": "6be14413-578e-46c1-8304-310762b3ecd5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], "uuid": "44155d14-ca75-4fdf-b033-ab3d732e2884", "value": "Kernel Modules and Extensions Mitigation - T1215" }, @@ -973,6 +2053,15 @@ "meta": { "external_id": "T1044" }, + "related": [ + { + "dest-uuid": "0ca7beef-9bbc-4e35-97cf-437384ddce6a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], "uuid": "1022138b-497c-40e6-b53a-13351cbd4090", "value": "File System Permissions Weakness Mitigation - T1044" }, 
@@ -981,6 +2070,15 @@ "meta": { "external_id": "T1035" }, + "related": [ + { + "dest-uuid": "f44731de-ea9f-406d-9b83-30ecbb9b4392", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], "uuid": "d5dce4b9-f1fa-4c03-aff9-ce177246cb64", "value": "Service Execution Mitigation - T1035" }, @@ -989,6 +2087,15 @@ "meta": { "external_id": "T1166" }, + "related": [ + { + "dest-uuid": "c0df6533-30ee-4a4a-9c6d-17af5abdf0b2", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], "uuid": "073cc04d-ac46-4f5a-85d7-83a91ecd6a19", "value": "Setuid and Setgid Mitigation - T1166" }, @@ -997,6 +2104,15 @@ "meta": { "external_id": "T1154" }, + "related": [ + { + "dest-uuid": "b53dbcc6-147d-48bb-9df4-bcb8bb808ff6", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], "uuid": "809b79cd-be78-4597-88d1-5496d1d9993a", "value": "Trap Mitigation - T1154" }, @@ -1005,6 +2121,15 @@ "meta": { "external_id": "T1092" }, + "related": [ + { + "dest-uuid": "64196062-5210-42c3-9a02-563a0d1797ef", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], "uuid": "b8d57b16-d8e2-428c-a645-1083795b3445", "value": "Communication Through Removable Media Mitigation - T1092" }, @@ -1013,6 +2138,15 @@ "meta": { "external_id": "T1111" }, + "related": [ + { + "dest-uuid": "dd43c543-bb85-4a6f-aa6e-160d90d06a49", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], "uuid": "e8d22ec6-2236-48de-954b-974d17492782", "value": "Two-Factor Authentication Interception Mitigation - T1111" }, 
@@ -1021,6 +2155,15 @@ "meta": { "external_id": "T1177" }, + "related": [ + { + "dest-uuid": "6e6845c2-347a-4a6f-a2d1-b74a18ebd352", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], "uuid": "7a6e5ca3-562f-4185-a323-f3b62b5b2e6b", "value": "LSASS Driver Mitigation - T1177" }, @@ -1029,6 +2172,15 @@ "meta": { "external_id": "T1095" }, + "related": [ + { + "dest-uuid": "c21d5a77-d422-4a69-acd7-2c53c1faa34b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], "uuid": "399d9038-b100-43ef-b28d-a5065106b935", "value": "Standard Non-Application Layer Protocol Mitigation - T1095" }, @@ -1037,6 +2189,15 @@ "meta": { "external_id": "T1030" }, + "related": [ + { + "dest-uuid": "c3888c54-775d-4b2f-b759-75a2ececcbfd", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], "uuid": "ba06d68a-4891-4eb5-b634-152e05ec60ee", "value": "Data Transfer Size Limits Mitigation - T1030" }, @@ -1045,6 +2206,15 @@ "meta": { "external_id": "T1103" }, + "related": [ + { + "dest-uuid": "317fefa6-46c7-4062-adb6-2008cf6bcb41", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], "uuid": "10571bf2-8073-4edf-a71c-23bad225532e", "value": "AppInit DLLs Mitigation - T1103" }, @@ -1053,6 +2223,15 @@ "meta": { "external_id": "T1118" }, + "related": [ + { + "dest-uuid": "f792d02f-813d-402b-86a5-ab98cb391d3b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], "uuid": "ec418d1b-4963-439f-b055-f914737ef362", "value": "InstallUtil Mitigation - T1118" }, 
@@ -1061,6 +2240,15 @@ "meta": { "external_id": "T1023" }, + "related": [ + { + "dest-uuid": "970cdb5c-02fb-4c38-b17e-d6327cf3c810", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], "uuid": "a13e35cc-8c90-4d77-a965-5461042c1612", "value": "Shortcut Modification Mitigation - T1023" }, @@ -1069,6 +2257,15 @@ "meta": { "external_id": "T1094" }, + "related": [ + { + "dest-uuid": "f72eb8a8-cd4c-461d-a814-3f862befbf00", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], "uuid": "f3d0c735-330f-43c2-8e8e-51bcfa51e8c3", "value": "Custom Command and Control Protocol Mitigation - T1094" }, @@ -1077,6 +2274,15 @@ "meta": { "external_id": "T1020" }, + "related": [ + { + "dest-uuid": "774a3188-6ba9-4dc4-879d-d54ee48a5ce9", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], "uuid": "2497ac92-e751-4391-82c6-1b86e34d0294", "value": "Automated Exfiltration Mitigation - T1020" }, @@ -1085,6 +2291,15 @@ "meta": { "external_id": "T1195" }, + "related": [ + { + "dest-uuid": "3f18edba-28f4-4bb9-82c3-8aa60dcac5f7", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], "uuid": "97d8eadb-0459-4c1d-bf1a-e053bd75df61", "value": "Supply Chain Compromise Mitigation - T1195" }, @@ -1093,6 +2308,15 @@ "meta": { "external_id": "T1042" }, + "related": [ + { + "dest-uuid": "68c96494-1a50-403e-8844-69a6af278c68", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], "uuid": "d7c49196-b40e-42bc-8eed-b803113692ed", "value": "Change Default File Association Mitigation - T1042" }, 
@@ -1101,6 +2325,15 @@ "meta": { "external_id": "T1120" }, + "related": [ + { + "dest-uuid": "348f1eef-964b-4eb6-bb53-69b3dcb0c643", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], "uuid": "1881da33-fdf2-4eea-afd0-e04caf9c000f", "value": "Peripheral Device Discovery Mitigation - T1120" }, @@ -1109,6 +2342,15 @@ "meta": { "external_id": "T1196" }, + "related": [ + { + "dest-uuid": "8df54627-376c-487c-a09c-7d2b5620f56e", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], "uuid": "3a41b366-cfd6-4af2-a6e7-3c6e3c4ebcef", "value": "Control Panel Items Mitigation - T1196" }, @@ -1117,6 +2359,15 @@ "meta": { "external_id": "T1071" }, + "related": [ + { + "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], "uuid": "addb3703-5a59-4461-9bcd-7e2b5d4e92a0", "value": "Standard Application Layer Protocol Mitigation - T1071" }, @@ -1125,6 +2376,15 @@ "meta": { "external_id": "T1148" }, + "related": [ + { + "dest-uuid": "086952c4-5b90-4185-b573-02bad8e11953", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], "uuid": "03c0c586-50ed-45a7-95f4-f496d7eb5330", "value": "HISTCONTROL Mitigation - T1148" }, @@ -1133,6 +2393,15 @@ "meta": { "external_id": "T1056" }, + "related": [ + { + "dest-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], "uuid": "da8a87d2-946d-4c34-9a30-709058b98996", "value": "Input Capture Mitigation - T1056" }, 
@@ -1141,6 +2410,15 @@ "meta": { "external_id": "T1162" }, + "related": [ + { + "dest-uuid": "36675cd3-fe00-454c-8516-aebecacbe9d9", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], "uuid": "06824aa2-94a5-474c-97f6-57c2e983d885", "value": "Login Item Mitigation - T1162" }, @@ -1149,6 +2427,15 @@ "meta": { "external_id": "T1101" }, + "related": [ + { + "dest-uuid": "6c174520-beea-43d9-aac6-28fb77f3e446", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], "uuid": "9e57c770-5a39-49a2-bb91-253ba629e3ac", "value": "Security Support Provider Mitigation - T1101" }, @@ -1157,6 +2444,15 @@ "meta": { "external_id": "T1184" }, + "related": [ + { + "dest-uuid": "c1b11bf7-c68e-4fbf-a95b-28efbe7953bb", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], "uuid": "41cff8e9-fd05-408e-b3d5-d98c54c20bcf", "value": "SSH Hijacking Mitigation - T1184" }, @@ -1165,6 +2461,15 @@ "meta": { "external_id": "T1057" }, + "related": [ + { + "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], "uuid": "f6469191-1814-4dbe-a081-2a6daf83a10b", "value": "Process Discovery Mitigation - T1057" }, @@ -1173,6 +2478,15 @@ "meta": { "external_id": "T1219" }, + "related": [ + { + "dest-uuid": "4061e78c-1284-44b4-9116-73e4ac3912f7", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], "uuid": "af093bc8-7b59-4e2a-9da8-8e839b4c50c6", "value": "Remote Access Tools Mitigation - T1219" }, 
@@ -1181,6 +2495,15 @@ "meta": { "external_id": "T1091" }, + "related": [ + { + "dest-uuid": "3b744087-9945-4a6f-91e8-9dbceda417a4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], "uuid": "effb83a0-ead1-4b36-b7f6-b7bdf9c4616e", "value": "Replication Through Removable Media Mitigation - T1091" }, @@ -1189,6 +2512,15 @@ "meta": { "external_id": "T1029" }, + "related": [ + { + "dest-uuid": "4eeaf8a9-c86b-4954-a663-9555fb406466", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], "uuid": "1c0711c8-2a73-48a1-893d-ff88bcd23824", "value": "Scheduled Transfer Mitigation - T1029" }, @@ -1197,6 +2529,15 @@ "meta": { "external_id": "T1062" }, + "related": [ + { + "dest-uuid": "4be89c7c-ace6-4876-9377-c8d54cef3d63", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], "uuid": "2c3ce852-06a2-40ee-8fe6-086f6402a739", "value": "Hypervisor Mitigation - T1062" }, @@ -1205,6 +2546,15 @@ "meta": { "external_id": "T1119" }, + "related": [ + { + "dest-uuid": "30208d3e-0d6b-43c8-883e-44462a514619", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], "uuid": "8bd1ae32-a686-48f4-a6f8-470287f76152", "value": "Automated Collection Mitigation - T1119" }, @@ -1213,6 +2563,15 @@ "meta": { "external_id": "T1052" }, + "related": [ + { + "dest-uuid": "e6415f09-df0e-48de-9aba-928c902b7549", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], "uuid": "e547ed6a-f1ca-40df-8613-2ce27927f145", "value": "Exfiltration Over Physical Medium Mitigation - T1052" }, 
@@ -1221,6 +2580,15 @@ "meta": { "external_id": "T1138" }, + "related": [ + { + "dest-uuid": "7c93aa74-4bc0-4a9e-90ea-f25f86301566", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], "uuid": "cfc2d2fc-14ff-495f-bd99-585be47b804f", "value": "Application Shimming Mitigation - T1138" }, @@ -1229,6 +2597,15 @@ "meta": { "external_id": "T1168" }, + "related": [ + { + "dest-uuid": "c0a384a4-9a25-40e1-97b6-458388474bc8", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], "uuid": "c47a9b55-8f61-4b82-b833-1db6242c754e", "value": "Local Job Scheduling Mitigation - T1168" }, @@ -1237,6 +2614,15 @@ "meta": { "external_id": "T1158" }, + "related": [ + { + "dest-uuid": "dc27c2ec-c5f9-4228-ba57-d67b590bda93", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], "uuid": "84d633a4-dd93-40ca-8510-40238c021931", "value": "Hidden Files and Directories Mitigation - T1158" }, @@ -1245,6 +2631,15 @@ "meta": { "external_id": "T1151" }, + "related": [ + { + "dest-uuid": "e2907cea-4b43-4ed7-a570-0fdf0fbeea00", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], "uuid": "02f0f92a-0a51-4c94-9bda-6437b9a93f22", "value": "Space after Filename Mitigation - T1151" }, @@ -1253,6 +2648,15 @@ "meta": { "external_id": "T1137" }, + "related": [ + { + "dest-uuid": "2c4d4e92-0ccf-4a97-b54c-86d662988a53", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], "uuid": "8ca6a5e0-aae5-49bc-8d07-f888c7dba9ea", "value": "Office Application Startup Mitigation - T1137" }, 
@@ -1261,6 +2665,15 @@ "meta": { "external_id": "T1132" }, + "related": [ + { + "dest-uuid": "cc7b8c4e-9be0-47ca-b0bb-83915ec3ee2f", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], "uuid": "fcbe8424-eb3e-4794-b76d-e743f5a49b8b", "value": "Data Encoding Mitigation - T1132" }, @@ -1269,6 +2682,15 @@ "meta": { "external_id": "T1153" }, + "related": [ + { + "dest-uuid": "45d84c8b-c1e2-474d-a14d-69b5de0a2bc0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], "uuid": "5391ece4-8866-415d-9b5e-8dc5944f612a", "value": "Source Mitigation - T1153" }, @@ -1277,6 +2699,15 @@ "meta": { "external_id": "T1073" }, + "related": [ + { + "dest-uuid": "b2001907-166b-4d71-bb3c-9d26c871de09", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], "uuid": "7a14d974-f3d9-4e4e-9b7d-980385762908", "value": "DLL Side-Loading Mitigation - T1073" }, @@ -1285,6 +2716,15 @@ "meta": { "external_id": "T1152" }, + "related": [ + { + "dest-uuid": "53bfc8bf-8f76-4cd7-8958-49a884ddb3ee", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], "uuid": "e333cf16-5bfa-453e-8e6a-3a4c63d6bfcc", "value": "Launchctl Mitigation - T1152" }, @@ -1293,6 +2733,15 @@ "meta": { "external_id": "T1014" }, + "related": [ + { + "dest-uuid": "0f20e3cb-245b-4a61-8a91-2d93f7cb0e9b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], "uuid": "95ddb356-7ba0-4bd9-a889-247262b8946f", "value": "Rootkit Mitigation - T1014" }, 
@@ -1301,6 +2750,15 @@ "meta": { "external_id": "T1207" }, + "related": [ + { + "dest-uuid": "564998d8-ab3e-4123-93fb-eccaa6b9714a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], "uuid": "b70627f7-3b43-4c6f-8fc0-c918c41f8f72", "value": "DCShadow Mitigation - T1207" }, @@ -1309,6 +2767,15 @@ "meta": { "external_id": "T1112" }, + "related": [ + { + "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], "uuid": "ed202147-4026-4330-b5bd-1e8dfa8cf7cc", "value": "Modify Registry Mitigation - T1112" }, @@ -1317,6 +2784,15 @@ "meta": { "external_id": "T1124" }, + "related": [ + { + "dest-uuid": "f3c544dc-673c-4ef3-accb-53229f1ae077", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], "uuid": "82d8e990-c901-4aed-8596-cc002e7eb307", "value": "System Time Discovery Mitigation - T1124" }, @@ -1325,6 +2801,15 @@ "meta": { "external_id": "T1190" }, + "related": [ + { + "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], "uuid": "65da1eb6-d35d-4853-b280-98a76c0aef53", "value": "Exploit Public-Facing Application Mitigation - T1190" }, @@ -1333,6 +2818,15 @@ "meta": { "external_id": "T1182" }, + "related": [ + { + "dest-uuid": "4bf5845d-a814-4490-bc5c-ccdee6043025", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], "uuid": "95c29444-49f9-49f7-8b20-bcd68d8fcaa6", "value": "AppCert DLLs Mitigation - T1182" }, 
@@ -1341,6 +2835,15 @@ "meta": { "external_id": "T1049" }, + "related": [ + { + "dest-uuid": "7e150503-88e7-4861-866b-ff1ac82c4475", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], "uuid": "c1676218-c16a-41c9-8f7a-023779916e39", "value": "System Network Connections Discovery Mitigation - T1049" }, @@ -1349,6 +2852,15 @@ "meta": { "external_id": "T1173" }, + "related": [ + { + "dest-uuid": "edbe24e9-aec4-4994-ac75-6a6bc7f1ddd0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], "uuid": "80c91478-ac87-434f-bee7-11f37aec4d74", "value": "Dynamic Data Exchange Mitigation - T1173" }, @@ -1357,6 +2869,15 @@ "meta": { "external_id": "T1171" }, + "related": [ + { + "dest-uuid": "0dbf5f1b-a560-4d51-ac1b-d70caab3e1f0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], "uuid": "54246e2e-683f-4bf2-be4c-d7d5a60e7d22", "value": "LLMNR/NBT-NS Poisoning Mitigation - T1171" }, @@ -1365,6 +2886,15 @@ "meta": { "external_id": "T1113" }, + "related": [ + { + "dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], "uuid": "51b37302-b844-4c08-ac98-ae6955ed1f55", "value": "Screen Capture Mitigation - T1113" }, @@ -1373,6 +2903,15 @@ "meta": { "external_id": "T1077" }, + "related": [ + { + "dest-uuid": "ffe742ed-9100-4686-9e00-c331da544787", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], "uuid": "308855d1-078b-47ad-8d2a-8f9b2713ffb5", "value": "Windows Admin Shares Mitigation - T1077" }, 
@@ -1381,6 +2920,15 @@ "meta": { "external_id": "T1140" }, + "related": [ + { + "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], "uuid": "d01f473f-3cdc-4867-9e55-1de9cf1986f0", "value": "Deobfuscate/Decode Files or Information Mitigation - T1140" }, @@ -1389,6 +2937,15 @@ "meta": { "external_id": "T1210" }, + "related": [ + { + "dest-uuid": "9db0cf3a-a3c9-4012-8268-123b9db6fd82", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], "uuid": "14b63e6b-7531-4476-9e60-02cc5db48b62", "value": "Exploitation of Remote Services Mitigation - T1210" }, @@ -1397,6 +2954,15 @@ "meta": { "external_id": "T1146" }, + "related": [ + { + "dest-uuid": "d3046a90-580c-4004-8208-66915bc29830", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], "uuid": "3e7018e9-7389-48e7-9208-0bdbcbba9483", "value": "Clear Command History Mitigation - T1146" }, @@ -1405,6 +2971,15 @@ "meta": { "external_id": "T1031" }, + "related": [ + { + "dest-uuid": "62dfd1ca-52d5-483c-a84b-d6e80bf94b7b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], "uuid": "fe0aeb41-1a51-4152-8467-628256ea6adf", "value": "Modify Existing Service Mitigation - T1031" }, @@ -1413,6 +2988,15 @@ "meta": { "external_id": "T1212" }, + "related": [ + { + "dest-uuid": "9c306d8d-cde7-4b4c-b6e8-d0bb16caca36", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], "uuid": "06160d81-62be-46e5-aa37-4b9c645ffa31", "value": "Exploitation for Credential Access Mitigation - T1212" }, 
@@ -1421,6 +3005,15 @@ "meta": { "external_id": "T1199" }, + "related": [ + { + "dest-uuid": "9fa07bef-9c81-421e-a8e5-ad4366c5a925", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], "uuid": "797312d4-8a84-4daf-9c56-57da4133c322", "value": "Trusted Relationship Mitigation - T1199" }, @@ -1429,6 +3022,15 @@ "meta": { "external_id": "T1206" }, + "related": [ + { + "dest-uuid": "2169ba87-1146-4fc7-a118-12b72251db7e", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], "uuid": "dbf0186e-722d-4a0a-af6a-b3460f162f84", "value": "Sudo Caching Mitigation - T1206" }, @@ -1437,6 +3039,15 @@ "meta": { "external_id": "T1072" }, + "related": [ + { + "dest-uuid": "92a78814-b191-47ca-909c-1ccfe3777414", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], "uuid": "160af6af-e733-4b6a-a04a-71c620ac0930", "value": "Third-party Software Mitigation - T1072" }, @@ -1445,6 +3056,15 @@ "meta": { "external_id": "T1125" }, + "related": [ + { + "dest-uuid": "6faf650d-bf31-4eb4-802d-1000cf38efaf", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], "uuid": "d9f4b5fa-2a39-4bdf-b40a-ea998933cd6d", "value": "Video Capture Mitigation - T1125" }, @@ -1453,6 +3073,15 @@ "meta": { "external_id": "T1181" }, + "related": [ + { + "dest-uuid": "52f3d5a6-8a0f-4f82-977e-750abf90d0b0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], "uuid": "cba5667e-e3c6-44a4-811c-266dbc00e440", "value": "Extra Window Memory Injection Mitigation - T1181" }, 
@@ -1461,6 +3090,15 @@ "meta": { "external_id": "T1130" }, + "related": [ + { + "dest-uuid": "d519cfd5-f3a8-43a9-a846-ed0bb40672b1", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], "uuid": "23061b40-a7b6-454f-8950-95d5ff80331c", "value": "Install Root Certificate Mitigation - T1130" }, @@ -1469,6 +3107,15 @@ "meta": { "external_id": "T1110" }, + "related": [ + { + "dest-uuid": "a93494bb-4b80-4ea1-8695-3236a49916fd", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], "uuid": "4a99fecc-680b-448e-8fe7-8144c60d272c", "value": "Brute Force Mitigation - T1110" }, @@ -1477,6 +3124,15 @@ "meta": { "external_id": "T1142" }, + "related": [ + { + "dest-uuid": "9e09ddb2-1746-4448-9cad-7f8b41777d6d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], "uuid": "56648de3-8947-4559-90c4-eda10acc0f5a", "value": "Keychain Mitigation - T1142" }, @@ -1485,6 +3141,15 @@ "meta": { "external_id": "T1114" }, + "related": [ + { + "dest-uuid": "1608f3e1-598a-42f4-a01a-2e252e81728f", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], "uuid": "383caaa3-c46a-4f61-b2e3-653eb132f0e7", "value": "Email Collection Mitigation - T1114" }, @@ -1493,6 +3158,15 @@ "meta": { "external_id": "T1197" }, + "related": [ + { + "dest-uuid": "c8e87b83-edbb-48d4-9295-4974897525b7", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], "uuid": "cb825b86-3f3b-4686-ba99-44878f5d3173", "value": "BITS Jobs Mitigation - T1197" }, 
@@ -1501,6 +3175,15 @@ "meta": { "external_id": "T1068" }, + "related": [ + { + "dest-uuid": "b21c3b2d-02e6-45b1-980b-e69051040839", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], "uuid": "92e6d080-ca3f-4f95-bc45-172a32c4e502", "value": "Exploitation for Privilege Escalation Mitigation - T1068" }, @@ -1509,6 +3192,15 @@ "meta": { "external_id": "T1105" }, + "related": [ + { + "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], "uuid": "cdecc44a-1dbf-4c1f-881c-f21e3f47272a", "value": "Remote File Copy Mitigation - T1105" }, @@ -1517,6 +3209,15 @@ "meta": { "external_id": "T1202" }, + "related": [ + { + "dest-uuid": "3b0e52ce-517a-4614-a523-1bd5deef6c5e", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], "uuid": "1e614ba5-2fc5-4464-b512-2ceafb14d76d", "value": "Indirect Command Execution Mitigation - T1202" }, @@ -1525,6 +3226,15 @@ "meta": { "external_id": "T1048" }, + "related": [ + { + "dest-uuid": "a19e86f8-1c0a-4fea-8407-23b73d615776", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], "uuid": "0e5bdf42-a7f7-4d16-a074-4915bd262f80", "value": "Exfiltration Over Alternative Protocol Mitigation - T1048" }, @@ -1533,6 +3243,15 @@ "meta": { "external_id": "T1145" }, + "related": [ + { + "dest-uuid": "56ff457d-5e39-492b-974c-dfd2b8603ffe", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], "uuid": "f27ef4f2-71fe-48b6-b7f4-02dcac14320e", "value": "Private Keys Mitigation - T1145" }, 
@@ -1541,6 +3260,15 @@ "meta": { "external_id": "T1163" }, + "related": [ + { + "dest-uuid": "18d4ab39-12ed-4a16-9fdb-ae311bba4a0f", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], "uuid": "c3cf2312-3aab-4aaf-86e6-ab3505430482", "value": "Rc.common Mitigation - T1163" }, @@ -1549,6 +3277,15 @@ "meta": { "external_id": "T1134" }, + "related": [ + { + "dest-uuid": "dcaa092b-7de9-4a21-977f-7fcb77e89c48", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], "uuid": "c61fee9f-16fb-4f8c-bbf0-869093fcd4a6", "value": "Access Token Manipulation Mitigation - T1134" }, @@ -1557,6 +3294,15 @@ "meta": { "external_id": "T1143" }, + "related": [ + { + "dest-uuid": "04ee0cb7-dac3-4c6c-9387-4c6aa096f4cf", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], "uuid": "fae44eea-caa7-42b7-a2e2-0c815ba81b9a", "value": "Hidden Window Mitigation - T1143" }, @@ -1565,6 +3311,15 @@ "meta": { "external_id": "T1076" }, + "related": [ + { + "dest-uuid": "51dea151-0898-4a45-967c-3ebee0420484", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], "uuid": "53b3b027-bed3-480c-9101-1247047d0fe6", "value": "Remote Desktop Protocol Mitigation - T1076" }, @@ -1573,6 +3328,15 @@ "meta": { "external_id": "T1213" }, + "related": [ + { + "dest-uuid": "d28ef391-8ed4-45dc-bc4a-2f43abf54416", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], "uuid": "13cad982-35e3-4340-9095-7124b653df4b", "value": "Data from Information Repositories Mitigation - T1213" }, 
@@ -1581,6 +3345,15 @@ "meta": { "external_id": "T1102" }, + "related": [ + { + "dest-uuid": "830c9528-df21-472c-8c14-a036bf17d665", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], "uuid": "4689b9fb-dca4-473e-831b-34717ad50c97", "value": "Web Service Mitigation - T1102" }, @@ -1589,6 +3362,15 @@ "meta": { "external_id": "T1141" }, + "related": [ + { + "dest-uuid": "91ce1ede-107f-4d8b-bf4c-735e8789c94b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], "uuid": "8a61f6b9-6b7a-4cf2-8e08-f1e26434f6df", "value": "Input Prompt Mitigation - T1141" }, @@ -1597,6 +3379,15 @@ "meta": { "external_id": "T1046" }, + "related": [ + { + "dest-uuid": "e3a12395-188d-4051-9a16-ea8e14d07b88", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], "uuid": "d256cb63-b021-4b4a-bb6d-1b42eea179a3", "value": "Network Service Scanning Mitigation - T1046" }, @@ -1605,6 +3396,15 @@ "meta": { "external_id": "T1084" }, + "related": [ + { + "dest-uuid": "e906ae4d-1d3a-4675-be23-22f7311c0da4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], "uuid": "0bc3ce00-83bc-4a92-a042-79ffbc6af259", "value": "Windows Management Instrumentation Event Subscription Mitigation - T1084" }, @@ -1613,6 +3413,15 @@ "meta": { "external_id": "T1005" }, + "related": [ + { + "dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], "uuid": "7ee0879d-ce4f-4f54-a96b-c532dfb98ffd", "value": "Data from Local System Mitigation - T1005" }, 
@@ -1621,6 +3430,15 @@ "meta": { "external_id": "T1024" }, + "related": [ + { + "dest-uuid": "3b3cbbe0-6ed3-4334-b543-3ddfd8c5642d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], "uuid": "a569295c-a093-4db4-9fb4-7105edef85ad", "value": "Custom Cryptographic Protocol Mitigation - T1024" }, @@ -1629,6 +3447,15 @@ "meta": { "external_id": "T1081" }, + "related": [ + { + "dest-uuid": "ba8e391f-14b5-496f-81f2-2d5ecd646c1c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], "uuid": "0472af99-f25c-4abe-9fce-010fa3450e72", "value": "Credentials in Files Mitigation - T1081" }, @@ -1637,6 +3464,15 @@ "meta": { "external_id": "T1205" }, + "related": [ + { + "dest-uuid": "451a9977-d255-43c9-b431-66de80130c8c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], "uuid": "f6b7c116-0821-4eb7-9b24-62bd09b3e575", "value": "Port Knocking Mitigation - T1205" }, @@ -1645,6 +3481,15 @@ "meta": { "external_id": "T1189" }, + "related": [ + { + "dest-uuid": "d742a578-d70e-4d0e-96a6-02a9c30204e6", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], "uuid": "7a4d0054-53cd-476f-88af-955dddc80ee0", "value": "Drive-by Compromise Mitigation - T1189" }, @@ -1653,6 +3498,15 @@ "meta": { "external_id": "T1069" }, + "related": [ + { + "dest-uuid": "15dbf668-795c-41e6-8219-f0447c0e64ce", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], "uuid": "dd9a85ad-6a92-4986-a215-b01d0ce7b987", "value": "Permission Groups Discovery Mitigation - T1069" }, 
@@ -1661,6 +3515,15 @@ "meta": { "external_id": "T1037" }, + "related": [ + { + "dest-uuid": "03259939-0b57-482f-8eb5-87c0e0d54334", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], "uuid": "9ab7de33-99b2-4d8d-8cf3-182fa0015cc2", "value": "Logon Scripts Mitigation - T1037" }, @@ -1669,6 +3532,15 @@ "meta": { "external_id": "T1116" }, + "related": [ + { + "dest-uuid": "1b84d551-6de8-4b96-9930-d177677c3b1d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], "uuid": "82fbc58b-171d-4a2d-9a20-c6b2a716bd08", "value": "Code Signing Mitigation - T1116" }, @@ -1677,6 +3549,15 @@ "meta": { "external_id": "T1200" }, + "related": [ + { + "dest-uuid": "d40239b3-05ff-46d8-9bdd-b46d13463ef9", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], "uuid": "54e8722d-2faf-4b1b-93b6-6cbf9551669f", "value": "Hardware Additions Mitigation - T1200" }, @@ -1685,6 +3566,15 @@ "meta": { "external_id": "T1028" }, + "related": [ + { + "dest-uuid": "c3bce4f4-9795-46c6-976e-8676300bbc39", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], "uuid": "3e9f8875-d2f7-4380-a578-84393bd3b025", "value": "Windows Remote Management Mitigation - T1028" }, @@ -1693,6 +3583,15 @@ "meta": { "external_id": "T1100" }, + "related": [ + { + "dest-uuid": "c16e5409-ee53-4d79-afdc-4099dc9292df", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], "uuid": "bcc91b8c-f104-4710-964e-1d5409666736", "value": "Web Shell Mitigation - T1100" }, 
@@ -1701,6 +3600,15 @@ "meta": { "external_id": "T1186" }, + "related": [ + { + "dest-uuid": "c1a452f3-6499-4c12-b7e9-a6a0a102af76", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], "uuid": "34d6a2ef-370e-4d21-a34b-6208b7c78f31", "value": "Process Doppelgänging Mitigation - T1186" }, @@ -1709,6 +3617,15 @@ "meta": { "external_id": "T1001" }, + "related": [ + { + "dest-uuid": "ad255bfe-a9e6-4b52-a258-8d3462abe842", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], "uuid": "d0fcf37a-b6c4-4745-9c43-4fcdb8bfc88e", "value": "Data Obfuscation Mitigation - T1001" }, @@ -1717,6 +3634,15 @@ "meta": { "external_id": "T1045" }, + "related": [ + { + "dest-uuid": "6ff403bc-93e3-48be-8687-e102fdba8c88", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], "uuid": "c95c8b5c-b431-43c9-9557-f494805e2502", "value": "Software Packing Mitigation - T1045" }, @@ -1725,9 +3651,18 @@ "meta": { "external_id": "T1063" }, + "related": [ + { + "dest-uuid": "241814ae-de3f-4656-b49e-f9a80764d4b7", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], "uuid": "bd2554b8-634f-4434-a986-9b49c29da2ae", "value": "Security Software Discovery Mitigation - T1063" } ], - "version": 4 -} + "version": 5 +} \ No newline at end of file diff --git a/clusters/mitre-enterprise-attack-intrusion-set.json b/clusters/mitre-enterprise-attack-intrusion-set.json index 46d59a7..b47a847 100644 --- a/clusters/mitre-enterprise-attack-intrusion-set.json +++ b/clusters/mitre-enterprise-attack-intrusion-set.json 
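Review bot: The last hunk of this cluster file (`@@ -1725,9 +3651,18 @@`) drops the trailing newline: `-}` becomes `+}` followed by `\ No newline at end of file`, next to the `"version": 4` to `"version": 5` bump. If the file is now rewritten by a script, the serializer output is presumably written without a final newline; writing a `\n` after the closing `}` keeps the file as it was. It also avoids a last-line change on every later regeneration. The file header for this section lies outside the visible part of the patch.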
@@ -27,6 +27,13 @@ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" + }, + { + "dest-uuid": "322bad5a-1c49-4d23-ab79-76d641794afa", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "7ecc3b4f-5cdb-457e-b55a-df376b359446", @@ -44,6 +51,15 @@ "Group5" ] }, + "related": [ + { + "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + } + ], "uuid": "7331c66a-5601-4d3f-acf6-ad9e3035eb40", "value": "Group5 - G0043" }, @@ -67,6 +83,13 @@ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" + }, + { + "dest-uuid": "afc079f3-c0ea-4096-b75d-3f05338b7f60", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "fe98767f-9df8-42b9-83c9-004b1dec8647", @@ -91,6 +114,13 @@ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" + }, + { + "dest-uuid": "b42378e0-f147-496f-992a-26a49705395b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "16ade1aa-0ea1-4bb7-88cc-9079df2ae756", @@ -108,6 +138,15 @@ "RTM" ] }, + "related": [ + { + "dest-uuid": "92ec0cbd-2c30-44a2-b270-73f4ec949841", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + } + ], "uuid": "c416b28c-103b-4df1-909e-78089a7e0e5f", "value": "RTM - G0048" }, @@ -145,6 +184,13 @@ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" + }, + { + "dest-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "d1acfbb3-647b-4723-9154-800ec119006e", 
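Review bot: Every intrusion set touched in this file gains exactly one `"type": "uses"` entry, both where a `related` list already existed (first hunk, `dest-uuid` `322bad5a-1c49-4d23-ab79-76d641794afa`) and where the list is newly created (`Group5 - G0043`). Groups are normally linked to several techniques or tools, so one edge per group suggests that the step producing these entries keeps a single relationship per source object instead of appending each one; this is an inference, as the generating code is not part of these hunks. It is worth checking against the source relationship data before the edges are used for correlation or coverage mapping, since a partial graph under-reports what a group is known to use. The same pattern repeats in the remaining hunks of this file. The identical `estimative-language:likelihood-probability="almost-certain"` tag on every added edge likewise reads as a default rather than an assessed value and could be documented as such.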
@@ -216,6 +262,13 @@ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" + }, + { + "dest-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "f9c06633-dcff-48a1-8588-759e7cec5694", @@ -250,6 +303,13 @@ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" + }, + { + "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "c5947e1c-1cbc-434c-94b8-27c7e3be0fff", @@ -289,6 +349,13 @@ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" + }, + { + "dest-uuid": "f4882e23-8aa7-4b12-b28a-b349c12ee9e0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "a653431d-6a5e-4600-8ad3-609b5af57064", @@ -314,6 +381,13 @@ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" + }, + { + "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "df71bb3b-813c-45eb-a8bc-f2a419837411", @@ -340,6 +414,13 @@ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" + }, + { + "dest-uuid": "69d6f4a9-fcf0-4f51-bca7-597c51ad0bb8", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "277d2f87-2ae5-4730-a3aa-50c1fdff9656", @@ -379,6 +460,13 @@ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" + }, + { + "dest-uuid": "54cc1d4f-5c53-4f0e-9ef5-11b4998e82e4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "381fcf73-60f6-4ab2-9991-6af3cbc35192", 
@@ -403,6 +491,13 @@ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" + }, + { + "dest-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "2a7914cf-dff3-428d-ab0f-1014d1c28aeb", @@ -427,6 +522,13 @@ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" + }, + { + "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "ae41895a-243f-4a65-b99b-d85022326c31", @@ -451,6 +553,13 @@ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" + }, + { + "dest-uuid": "64fa0de0-6240-41f4-8638-f4ca7ed528fd", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "62a64fd3-aaf7-4d09-a375-d6f8bb118481", @@ -487,6 +596,13 @@ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" + }, + { + "dest-uuid": "f72eb8a8-cd4c-461d-a814-3f862befbf00", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "4a2ce82e-1a74-468a-a6fb-bbead541383c", @@ -631,6 +747,13 @@ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" + }, + { + "dest-uuid": "a8d3d497-2da9-4797-8e0b-ed176be08654", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "025bdaa9-897d-4bad-afa6-013ba5734653", @@ -655,6 +778,13 @@ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" + }, + { + "dest-uuid": "f4882e23-8aa7-4b12-b28a-b349c12ee9e0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "68ba94ab-78b8-43e7-83e2-aed3466882c6", 
@@ -679,6 +809,13 @@ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" + }, + { + "dest-uuid": "519630c5-f03f-4882-825c-3af924935817", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "2e5d3a83-fe00-41a5-9b60-237efc84832f", @@ -721,6 +858,13 @@ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" + }, + { + "dest-uuid": "294e2560-bd48-44b2-9da2-833b5588ad11", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "fb366179-766c-4a4a-afa1-52bff1fd601c", @@ -746,6 +890,13 @@ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" + }, + { + "dest-uuid": "b42378e0-f147-496f-992a-26a49705395b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "f3bdec95-3d62-42d9-a840-29630f6cdc1a", @@ -797,6 +948,13 @@ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" + }, + { + "dest-uuid": "f4882e23-8aa7-4b12-b28a-b349c12ee9e0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "fbe9387f-34e6-4828-ac28-3080020c597b", @@ -840,6 +998,13 @@ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" + }, + { + "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "4ca1929c-7d64-4aab-b849-badbfc0c760d", @@ -864,6 +1029,13 @@ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" + }, + { + "dest-uuid": "e48df773-7c95-4a4c-ba70-ea3d15900148", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "7636484c-adc5-45d4-9bfe-c3e062fbc4a0", 
@@ -883,6 +1055,15 @@ "FIN5" ] }, + "related": [ + { + "dest-uuid": "0e18b800-906c-4e44-a143-b11c72b3448b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + } + ], "uuid": "85403903-15e0-4f9f-9be4-a259ecad4022", "value": "FIN5 - G0053" }, @@ -900,6 +1081,15 @@ "BlackOasis" ] }, + "related": [ + { + "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + } + ], "uuid": "da49b9f1-ca99-443f-9728-0a074db66850", "value": "BlackOasis - G0063" }, @@ -915,6 +1105,15 @@ "Taidoor" ] }, + "related": [ + { + "dest-uuid": "4b74a1d4-b0e9-4ef1-93f1-14ecc6e2f5b5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + } + ], "uuid": "59140a2e-d117-4206-9b2c-2a8662bd9d46", "value": "Taidoor - G0015" }, @@ -979,6 +1178,13 @@ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" + }, + { + "dest-uuid": "5a63f900-5e7e-4928-a746-dd4558e1df71", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "2a158b0a-7ef8-43cb-9985-bf34d1e12050", @@ -996,6 +1202,15 @@ "Ke3chang" ] }, + "related": [ + { + "dest-uuid": "72b74d71-8169-42aa-92e0-e7b04b9f5a08", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + } + ], "uuid": "6713ab67-e25b-49cc-808d-2b36d4fbc35c", "value": "Ke3chang - G0004" }, @@ -1027,6 +1242,13 @@ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" + }, + { + "dest-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "247cb30b-955f-42eb-97a5-a89fef69341e", 
@@ -1052,6 +1274,13 @@ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" + }, + { + "dest-uuid": "a127c32c-cbb0-4f9d-be07-881a792408ec", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "269e8108-68c6-4f99-b911-14b2e765dec2", @@ -1088,6 +1317,13 @@ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" + }, + { + "dest-uuid": "cc7b8c4e-9be0-47ca-b0bb-83915ec3ee2f", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "17862c7d-9e60-48a0-b48e-da4dc4c3f6b0", @@ -1127,6 +1363,13 @@ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" + }, + { + "dest-uuid": "fb261c56-b80e-43a9-8351-c84081e7213d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "f047ee18-7985-4946-8bfb-4ed754d3a0dd", @@ -1224,6 +1467,13 @@ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" + }, + { + "dest-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "3753cc21-2dae-4dfb-8481-d004e74502cc", @@ -1258,6 +1508,13 @@ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" + }, + { + "dest-uuid": "64fa0de0-6240-41f4-8638-f4ca7ed528fd", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "0bbdf25b-30ff-4894-a1cd-49260d0dd2d9", @@ -1282,6 +1539,13 @@ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" + }, + { + "dest-uuid": "54a649ff-439a-41a4-9856-8d144a2551ba", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "0ea72cd5-ca30-46ba-bc04-378f701c658f", 
@@ -1318,6 +1582,13 @@ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" + }, + { + "dest-uuid": "ffe742ed-9100-4686-9e00-c331da544787", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "c93fccb1-e8e8-42cf-ae33-2ad1d183913a", @@ -1343,6 +1614,13 @@ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" + }, + { + "dest-uuid": "0f862b01-99da-47cc-9bdb-db4a86a95bb1", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "88b7dbc2-32d3-4e31-af2f-3fc24e1582d7", @@ -1360,6 +1638,15 @@ "Equation" ] }, + "related": [ + { + "dest-uuid": "10d5f3b7-6be6-4da5-9a77-0f1e2bbfcc44", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + } + ], "uuid": "96e239be-ad99-49eb-b127-3007b8c1bec9", "value": "Equation - G0020" }, @@ -1375,6 +1662,15 @@ "Darkhotel" ] }, + "related": [ + { + "dest-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + } + ], "uuid": "9e729a7e-0dd6-4097-95bf-db8d64911383", "value": "Darkhotel - G0012" }, @@ -1398,6 +1694,13 @@ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" + }, + { + "dest-uuid": "82cb34ba-02b5-432b-b2d2-07f55cbf674d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "1c63d4ec-0a75-4daa-b1df-0d11af3d3cc1", @@ -1422,6 +1725,13 @@ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" + }, + { + "dest-uuid": "1b84d551-6de8-4b96-9930-d177677c3b1d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "5cbe0d3b-6fb1-471f-b591-4b192915116d", 
@@ -1446,6 +1756,13 @@
 "estimative-language:likelihood-probability=\"likely\""
 ],
 "type": "similar"
+ },
+ {
+ "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
 }
 ],
 "uuid": "894aab42-3371-47b1-8859-a4a074c804c8",
@@ -1473,6 +1790,13 @@
 "estimative-language:likelihood-probability=\"likely\""
 ],
 "type": "similar"
+ },
+ {
+ "dest-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
 }
 ],
 "uuid": "93f52415-0fe4-4d3d-896c-fc9b8e88ab90",
@@ -1497,6 +1821,13 @@
 "estimative-language:likelihood-probability=\"likely\""
 ],
 "type": "similar"
+ },
+ {
+ "dest-uuid": "dfb5fa9b-3051-4b97-8035-08f80aef945b",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
 }
 ],
 "uuid": "c5574ca0-d5a4-490a-b207-e4658e5fd1d7",
@@ -1515,6 +1846,15 @@
 "TG-1314"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "92a78814-b191-47ca-909c-1ccfe3777414",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ }
+ ],
 "uuid": "d519164e-f5fa-4b8c-a1fb-cf0172ad0983",
 "value": "Threat Group-1314 - G0028"
 },
@@ -1547,6 +1887,13 @@
 "estimative-language:likelihood-probability=\"likely\""
 ],
 "type": "similar"
+ },
+ {
+ "dest-uuid": "6b62e336-176f-417b-856a-8552dd8c44e1",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
 }
 ],
 "uuid": "7a19ecb1-3c65-4de3-a230-993516aed6a6",
@@ -1576,6 +1923,13 @@
 "estimative-language:likelihood-probability=\"likely\""
 ],
 "type": "similar"
+ },
+ {
+ "dest-uuid": "d742a578-d70e-4d0e-96a6-02a9c30204e6",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
 }
 ],
 "uuid": "03506554-5f37-4f8f-9ce4-0e9f01a1b484",
@@ -1604,6 +1958,13 @@
 "estimative-language:likelihood-probability=\"likely\""
 ],
 "type": "similar"
+ },
+ {
+ "dest-uuid": "ca1a3f50-5ebd-41f8-8320-2c7d6a6e88be",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
 }
 ],
 "uuid": "899ce53f-13a0-479b-a0e4-67d46e241542",
@@ -1636,6 +1997,13 @@
 "estimative-language:likelihood-probability=\"likely\""
 ],
 "type": "similar"
+ },
+ {
+ "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
 }
 ],
 "uuid": "222fbd21-fc4f-4b7e-9f85-0e6e3a76c33f",
@@ -1662,6 +2030,13 @@
 "estimative-language:likelihood-probability=\"likely\""
 ],
 "type": "similar"
+ },
+ {
+ "dest-uuid": "7bec698a-7e20-4fd3-bb6a-12787770fb1a",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
 }
 ],
 "uuid": "5ce5392a-3a6c-4e07-9df3-9b6a9159ac45",
@@ -1697,6 +2072,13 @@
 "estimative-language:likelihood-probability=\"likely\""
 ],
 "type": "similar"
+ },
+ {
+ "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
 }
 ],
 "uuid": "a0cb9370-e39b-44d5-9f50-ef78e412b973",
@@ -1776,6 +2158,13 @@
 "estimative-language:likelihood-probability=\"likely\""
 ],
 "type": "similar"
+ },
+ {
+ "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
 }
 ],
 "uuid": "f9d6633a-55e6-4adc-9263-6ae080421a13",
@@ -1801,6 +2190,13 @@
 "estimative-language:likelihood-probability=\"likely\""
 ],
 "type": "similar"
+ },
+ {
+ "dest-uuid": "ffe742ed-9100-4686-9e00-c331da544787",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
 }
 ],
 "uuid": "fd19bd82-1b14-49a1-a176-6cdc46b8a826",
@@ -1833,6 +2229,13 @@
 "estimative-language:likelihood-probability=\"likely\""
 ],
 "type": "similar"
+ },
+ {
+ "dest-uuid": "691c60e2-273d-4d56-9ce6-b67e0f8719ad",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
 }
 ],
 "uuid": "efed95ba-d7e8-47ff-8c53-99c42426ee7c",
@@ -1860,6 +2263,13 @@
 "estimative-language:likelihood-probability=\"likely\""
 ],
 "type": "similar"
+ },
+ {
+ "dest-uuid": "4061e78c-1284-44b4-9116-73e4ac3912f7",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
 }
 ],
 "uuid": "55033a4d-3ffe-46b2-99b4-2c1541e9ce1c",
@@ -1892,6 +2302,13 @@
 "estimative-language:likelihood-probability=\"likely\""
 ],
 "type": "similar"
+ },
+ {
+ "dest-uuid": "20138b9d-1aac-4a26-8654-a36b6bbf2bba",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
 }
 ],
 "uuid": "fbd29c89-18ba-4c2d-b792-51c0adee049f",
@@ -1933,6 +2350,13 @@
 "estimative-language:likelihood-probability=\"likely\""
 ],
 "type": "similar"
+ },
+ {
+ "dest-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
 }
 ],
 "uuid": "38fd6a28-3353-4f2b-bb2b-459fecd5c648",
@@ -1959,6 +2383,13 @@
 "estimative-language:likelihood-probability=\"likely\""
 ],
 "type": "similar"
+ },
+ {
+ "dest-uuid": "e906ae4d-1d3a-4675-be23-22f7311c0da4",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
 }
 ],
 "uuid": "7113eaa5-ba79-4fb3-b68a-398ee9cd698e",
@@ -1985,6 +2416,13 @@
 "estimative-language:likelihood-probability=\"likely\""
 ],
 "type": "similar"
+ },
+ {
+ "dest-uuid": "f4882e23-8aa7-4b12-b28a-b349c12ee9e0",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
 }
 ],
 "uuid": "dcd81c6e-ebf7-4a16-93e0-9a97fa49c88a",
@@ -2009,11 +2447,18 @@
 "estimative-language:likelihood-probability=\"likely\""
 ],
 "type": "similar"
+ },
+ {
+ "dest-uuid": "7fd87010-3a00-4da3-b905-410525e8ec44",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
 }
 ],
 "uuid": "2e290bfe-93b5-48ce-97d6-edcd6d32b7cf",
 "value": "Gamaredon Group - G0047"
 }
 ],
- "version": 5
-}
+ "version": 6
+}
\ No newline at end of file
diff --git a/clusters/mitre-enterprise-attack-malware.json b/clusters/mitre-enterprise-attack-malware.json
index 0def529..89fe9ae 100644
--- a/clusters/mitre-enterprise-attack-malware.json
+++ b/clusters/mitre-enterprise-attack-malware.json
@@ -28,6 +28,13 @@
 "estimative-language:likelihood-probability=\"likely\""
 ],
 "type": "similar"
+ },
+ {
+ "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
 }
 ],
 "uuid": "2dd34b01-6110-4aac-835d-b5e7b936b0be",
@@ -52,6 +59,13 @@
 "estimative-language:likelihood-probability=\"likely\""
 ],
 "type": "similar"
+ },
+ {
+ "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
 }
 ],
 "uuid": "f6ae7a52-f3b6-4525-9daf-640c083f006e",
@@ -72,6 +86,15 @@
 "NemesisGemina"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "ae676644-d2d2-41b7-af7e-9bed1b55898c",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ }
+ ],
 "uuid": "2eb9b131-d333-4a48-9eb4-d8dec46c19ee",
 "value": "CosmicDuke - S0050"
 },
@@ -87,6 +110,15 @@
 "H1N1"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ }
+ ],
 "uuid": "f8dfbc54-b070-4224-b560-79aaa5f835bd",
 "value": "H1N1 - S0132"
 },
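Review bot: The file patched by the `@@ -2009,11 +2447,18 @@` hunk now ends without a trailing newline: its closing `+}` is followed by `\ No newline at end of file`, whereas the removed `-}` had one. This is most likely a side effect of how the JSON was re-serialised rather than an intended change. Writing a final `\n` after the dump keeps the last line out of future diffs and avoids surprises with line-oriented tools that read these cluster files.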
@@ -102,6 +134,15 @@
 "SPACESHIP"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "970cdb5c-02fb-4c38-b17e-d6327cf3c810",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ }
+ ],
 "uuid": "8b880b41-5139-4807-baa9-309690218719",
 "value": "SPACESHIP - S0035"
 },
@@ -124,6 +165,13 @@
 "estimative-language:likelihood-probability=\"likely\""
 ],
 "type": "similar"
+ },
+ {
+ "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
 }
 ],
 "uuid": "5967cc93-57c9-404a-8ffd-097edfa7bdfc",
@@ -163,6 +211,13 @@
 "estimative-language:likelihood-probability=\"likely\""
 ],
 "type": "similar"
+ },
+ {
+ "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
 }
 ],
 "uuid": "4f6aa78c-c3d4-4883-9840-96ca2f5d6d47",
@@ -188,6 +243,13 @@
 "estimative-language:likelihood-probability=\"likely\""
 ],
 "type": "similar"
+ },
+ {
+ "dest-uuid": "ffe742ed-9100-4686-9e00-c331da544787",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
 }
 ],
 "uuid": "fde50aaa-f5de-4cb8-989a-babb57d6a704",
@@ -220,6 +282,13 @@
 "estimative-language:likelihood-probability=\"likely\""
 ],
 "type": "similar"
+ },
+ {
+ "dest-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
 }
 ],
 "uuid": "54cc1d4f-5c53-4f0e-9ef5-11b4998e82e4",
@@ -244,6 +313,13 @@
 "estimative-language:likelihood-probability=\"likely\""
 ],
 "type": "similar"
+ },
+ {
+ "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
 }
 ],
 "uuid": "59a97b15-8189-4d51-9404-e1ce8ea4a069",
@@ -261,6 +337,15 @@
 "Pisloader"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ }
+ ],
 "uuid": "b96680d1-5eb3-4f07-b95c-00ab904ac236",
 "value": "Pisloader - S0124"
 },
@@ -291,6 +376,13 @@
 "estimative-language:likelihood-probability=\"likely\""
 ],
 "type": "similar"
+ },
+ {
+ "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
 }
 ],
 "uuid": "083bb47b-02c8-4423-81a2-f9ef58572974",
@@ -315,6 +407,13 @@
 "estimative-language:likelihood-probability=\"likely\""
 ],
 "type": "similar"
+ },
+ {
+ "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
 }
 ],
 "uuid": "705f0783-5f7d-4491-b6b7-9628e6e006d2",
@@ -332,6 +431,15 @@
 "Starloader"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ }
+ ],
 "uuid": "96566860-9f11-4b6f-964d-1c924e4f24a4",
 "value": "Starloader - S0188"
 },
@@ -365,6 +473,13 @@
 "estimative-language:likelihood-probability=\"likely\""
 ],
 "type": "similar"
+ },
+ {
+ "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
 }
 ],
 "uuid": "dc5d1a33-62aa-4a0c-aa8c-589b87beb11e",
@@ -382,6 +497,15 @@
 "Hacking Team UEFI Rootkit"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "0f20e3cb-245b-4a61-8a91-2d93f7cb0e9b",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ }
+ ],
 "uuid": "4b62ab58-c23b-4704-9c15-edd568cd59f8",
 "value": "Hacking Team UEFI Rootkit - S0047"
 },
@@ -427,6 +551,13 @@
 "estimative-language:likelihood-probability=\"likely\""
 ],
 "type": "similar"
+ },
+ {
+ "dest-uuid": "478aa214-2ca7-4ec0-9978-18798e514790",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
 }
 ],
 "uuid": "73a4793a-ce55-4159-b2a6-208ef29b326f",
@@ -444,6 +575,15 @@
 "httpclient"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "3b3cbbe0-6ed3-4334-b543-3ddfd8c5642d",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ }
+ ],
 "uuid": "e8268361-a599-4e45-bd3f-71c8c7e700c0",
 "value": "httpclient - S0068"
 },
@@ -474,6 +614,13 @@
 "estimative-language:likelihood-probability=\"likely\""
 ],
 "type": "similar"
+ },
+ {
+ "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
 }
 ],
 "uuid": "08d20cd2-f084-45ee-8558-fa6ef5a18519",
@@ -492,6 +639,15 @@
 "CCBkdr"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "3f18edba-28f4-4bb9-82c3-8aa60dcac5f7",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ }
+ ],
 "uuid": "b0f13390-cec7-4814-b37c-ccec01887faa",
 "value": "CCBkdr - S0222"
 },
@@ -514,6 +670,13 @@
 "estimative-language:likelihood-probability=\"likely\""
 ],
 "type": "similar"
+ },
+ {
+ "dest-uuid": "478aa214-2ca7-4ec0-9978-18798e514790",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
 }
 ],
 "uuid": "91000a8a-58cc-4aba-9ad0-993ad6302b86",
@@ -531,6 +694,15 @@
 "Psylo"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ }
+ ],
 "uuid": "dfb5fa9b-3051-4b97-8035-08f80aef945b",
 "value": "Psylo - S0078"
 },
@@ -547,6 +719,15 @@
 "Custom HDoor"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "2e0dd10b-676d-4964-acd0-8a404c92b044",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ }
+ ],
 "uuid": "007b44b6-e4c5-480b-b5b9-56f2081b1b7b",
 "value": "HDoor - S0061"
 },
@@ -577,6 +758,13 @@
 "estimative-language:likelihood-probability=\"likely\""
 ],
 "type": "similar"
+ },
+ {
+ "dest-uuid": "3f18edba-28f4-4bb9-82c3-8aa60dcac5f7",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
 }
 ],
 "uuid": "0c824410-58ff-49b2-9cf2-1c96b182bdf0",
@@ -608,6 +796,13 @@
 "estimative-language:likelihood-probability=\"likely\""
 ],
 "type": "similar"
+ },
+ {
+ "dest-uuid": "c0a384a4-9a25-40e1-97b6-458388474bc8",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
 }
 ],
 "uuid": "234e7770-99b0-4f65-b983-d3230f76a60b",
@@ -632,6 +827,13 @@
 "estimative-language:likelihood-probability=\"likely\""
 ],
 "type": "similar"
+ },
+ {
+ "dest-uuid": "4ae4f953-fe58-4cc8-a327-33257e30a830",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
 }
 ],
 "uuid": "49abab73-3c5c-476e-afd5-69b5c732d845",
@@ -656,6 +858,13 @@
 "estimative-language:likelihood-probability=\"likely\""
 ],
 "type": "similar"
+ },
+ {
+ "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
 }
 ],
 "uuid": "98e8a977-3416-43aa-87fa-33e287e9c14c",
@@ -680,6 +889,13 @@
 "estimative-language:likelihood-probability=\"likely\""
 ],
 "type": "similar"
+ },
+ {
+ "dest-uuid": "2e0dd10b-676d-4964-acd0-8a404c92b044",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
 }
 ],
 "uuid": "c0c45d38-fe57-4cd4-b2b2-9ecd0ddd4ca9",
@@ -705,6 +921,13 @@
 "estimative-language:likelihood-probability=\"likely\""
 ],
 "type": "similar"
+ },
+ {
+ "dest-uuid": "92d7da27-2d91-488e-a00c-059dc162766d",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
 }
 ],
 "uuid": "fb261c56-b80e-43a9-8351-c84081e7213d",
@@ -737,6 +960,13 @@
 "estimative-language:likelihood-probability=\"likely\""
 ],
 "type": "similar"
+ },
+ {
+ "dest-uuid": "4b74a1d4-b0e9-4ef1-93f1-14ecc6e2f5b5",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
 }
 ],
 "uuid": "4ab44516-ad75-4e43-a280-705dc0420e2f",
@@ -754,6 +984,15 @@
 "PinchDuke"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ }
+ ],
 "uuid": "ae9d818d-95d0-41da-b045-9cabea1ca164",
 "value": "PinchDuke - S0048"
 },
@@ -772,6 +1011,15 @@
 "CloudLook"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "830c9528-df21-472c-8c14-a036bf17d665",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ }
+ ],
 "uuid": "cbf646f1-7db5-4dc6-808b-0094313949df",
 "value": "CloudDuke - S0054"
 },
@@ -817,6 +1065,13 @@
 "estimative-language:likelihood-probability=\"likely\""
 ],
 "type": "similar"
+ },
+ {
+ "dest-uuid": "7e150503-88e7-4861-866b-ff1ac82c4475",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
 }
 ],
 "uuid": "17b40f60-729f-4fe8-8aea-cc9ee44a95d5",
@@ -841,6 +1096,13 @@
 "estimative-language:likelihood-probability=\"likely\""
 ],
 "type": "similar"
+ },
+ {
+ "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
 }
 ],
 "uuid": "22addc7b-b39f-483d-979a-1b35147da5de",
@@ -858,6 +1120,15 @@
 "MobileOrder"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "4b74a1d4-b0e9-4ef1-93f1-14ecc6e2f5b5",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ }
+ ],
 "uuid": "463f68f1-5cde-4dc2-a831-68b73488f8f4",
 "value": "MobileOrder - S0079"
 },
@@ -880,6 +1151,13 @@
 "estimative-language:likelihood-probability=\"likely\""
 ],
 "type": "similar"
+ },
+ {
+ "dest-uuid": "3b3cbbe0-6ed3-4334-b543-3ddfd8c5642d",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
 }
 ],
 "uuid": "7f8730af-f683-423f-9ee1-5f6875a80481",
@@ -904,6 +1182,13 @@
 "estimative-language:likelihood-probability=\"likely\""
 ],
 "type": "similar"
+ },
+ {
+ "dest-uuid": "1c338d0f-a65e-4073-a5c1-c06878849f21",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
 }
 ],
 "uuid": "68dca94f-c11d-421e-9287-7c501108e18c",
@@ -928,6 +1213,13 @@
 "estimative-language:likelihood-probability=\"likely\""
 ],
 "type": "similar"
+ },
+ {
+ "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
 }
 ],
 "uuid": "211cfe9f-2676-4e1c-a5f5-2c8091da2a68",
@@ -945,6 +1237,15 @@
 "FakeM"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "3b3cbbe0-6ed3-4334-b543-3ddfd8c5642d",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ }
+ ],
 "uuid": "bb3c1098-d654-4620-bf40-694386d28921",
 "value": "FakeM - S0076"
 },
@@ -960,6 +1261,15 @@
 "SHIPSHAPE"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "3b744087-9945-4a6f-91e8-9dbceda417a4",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ }
+ ],
 "uuid": "b1de6916-7a22-4460-8d26-6b5483ffaa2a",
 "value": "SHIPSHAPE - S0028"
 },
@@ -983,6 +1293,13 @@
 "estimative-language:likelihood-probability=\"likely\""
 ],
 "type": "similar"
+ },
+ {
+ "dest-uuid": "317fefa6-46c7-4062-adb6-2008cf6bcb41",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
 }
 ],
 "uuid": "876f6a77-fbc5-4e13-ab1a-5611986730a3",
@@ -1021,6 +1338,13 @@
 "estimative-language:likelihood-probability=\"likely\""
 ],
 "type": "similar"
+ },
+ {
+ "dest-uuid": "f879d51c-5476-431c-aedf-f14d207e4d1e",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
 }
 ],
 "uuid": "2f1a9fd0-3b7c-4d77-a358-78db13adbe78",
@@ -1052,6 +1376,13 @@
 "estimative-language:likelihood-probability=\"likely\""
 ],
 "type": "similar"
+ },
+ {
+ "dest-uuid": "cc7b8c4e-9be0-47ca-b0bb-83915ec3ee2f",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
 }
 ],
 "uuid": "67fc172a-36fa-4a35-88eb-4ba730ed52a6",
@@ -1076,6 +1407,13 @@
 "estimative-language:likelihood-probability=\"likely\""
 ],
 "type": "similar"
+ },
+ {
+ "dest-uuid": "46944654-fcc1-4f63-9dad-628102376586",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
 }
 ],
 "uuid": "1d808f62-cf63-4063-9727-ff6132514c22",
@@ -1120,6 +1458,13 @@
 "estimative-language:likelihood-probability=\"likely\""
 ],
 "type": "similar"
+ },
+ {
+ "dest-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
 }
 ],
 "uuid": "64fa0de0-6240-41f4-8638-f4ca7ed528fd",
@@ -1144,6 +1489,13 @@
 "estimative-language:likelihood-probability=\"likely\""
 ],
 "type": "similar"
+ },
+ {
+ "dest-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
 }
 ],
 "uuid": "65341f30-bec6-4b1d-8abf-1a5620446c29",
@@ -1168,6 +1520,13 @@
 "estimative-language:likelihood-probability=\"likely\""
 ],
 "type": "similar"
+ },
+ {
+ "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
 }
 ],
 "uuid": "0db09158-6e48-4e7c-8ce7-2b10b9c0c039",
@@ -1200,6 +1559,13 @@
 "estimative-language:likelihood-probability=\"likely\""
 ],
 "type": "similar"
+ },
+ {
+ "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
 }
 ],
 "uuid": "f108215f-3487-489d-be8b-80e346d32518",
@@ -1224,6 +1590,13 @@
 "estimative-language:likelihood-probability=\"likely\""
 ],
 "type": "similar"
+ },
+ {
+ "dest-uuid": "3b3cbbe0-6ed3-4334-b543-3ddfd8c5642d",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
 }
 ],
 "uuid": "b143dfa4-e944-43ff-8429-bfffc308c517",
@@ -1262,6 +1635,13 @@
 "estimative-language:likelihood-probability=\"likely\""
 ],
 "type": "similar"
+ },
+ {
+ "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
 }
 ],
 "uuid": "9ea525fa-b0a9-4dde-84f2-bcea0137b3c1",
@@ -1301,6 +1681,13 @@
 "estimative-language:likelihood-probability=\"likely\""
 ],
 "type": "similar"
+ },
+ {
+ "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
 }
 ],
 "uuid": "326af1cd-78e7-45b7-a326-125d2f7ef8f2",
@@ -1325,6 +1712,13 @@
 "estimative-language:likelihood-probability=\"likely\""
 ],
 "type": "similar"
+ },
+ {
+ "dest-uuid": "30208d3e-0d6b-43c8-883e-44462a514619",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
 }
 ],
 "uuid": "6b616fc1-1505-48e3-8b2c-0d19337bff38",
@@ -1342,6 +1736,15 @@
 "ZLib"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "322bad5a-1c49-4d23-ab79-76d641794afa",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ }
+ ],
 "uuid": "166c0eca-02fd-424a-92c0-6b5106994d31",
 "value": "ZLib - S0086"
 },
@@ -1364,6 +1767,13 @@
 "estimative-language:likelihood-probability=\"likely\""
 ],
 "type": "similar"
+ },
+ {
+ "dest-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
 }
 ],
 "uuid": "00c3bfcb-99bd-4767-8c03-b08f585f5c8a",
@@ -1392,6 +1802,13 @@
 "estimative-language:likelihood-probability=\"likely\""
 ],
 "type": "similar"
+ },
+ {
+ "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
 }
 ],
 "uuid": "e066bf86-9cfb-407a-9d25-26fd5d91e360",
@@ -1412,6 +1829,15 @@
 "NetDuke"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "3b3cbbe0-6ed3-4334-b543-3ddfd8c5642d",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ }
+ ],
 "uuid": "2daa14d6-cbf3-4308-bb8e-213c324a08e4",
 "value": "HAMMERTOSS - S0037"
 },
@@ -1449,6 +1875,13 @@
 "estimative-language:likelihood-probability=\"likely\""
 ],
 "type": "similar"
+ },
+ {
+ "dest-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
 }
 ],
 "uuid": "b42378e0-f147-496f-992a-26a49705395b",
@@ -1473,6 +1906,13 @@
 "estimative-language:likelihood-probability=\"likely\""
 ],
 "type": "similar"
+ },
+ {
+ "dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
 }
 ],
 "uuid": "4189a679-72ed-4a89-a57c-7f689712ecf8",
@@ -1498,6 +1938,13 @@
 "estimative-language:likelihood-probability=\"likely\""
 ],
 "type": "similar"
+ },
+ {
+ "dest-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
 }
 ],
 "uuid": "72f54d66-675d-4587-9bd3-4ed09f9522e4",
@@ -1515,6 +1962,15 @@
 "POWERSTATS"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ }
+ ],
 "uuid": "e8545794-b98c-492b-a5b3-4b5a02682e37",
 "value": "POWERSTATS - S0223"
 },
@@ -1530,6 +1986,15 @@
 "Ixeshe"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "ad255bfe-a9e6-4b52-a258-8d3462abe842",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ }
+ ],
 "uuid": "8beac7c2-48d2-4cd9-9b15-6c452f38ac06",
 "value": "Ixeshe - S0015"
 },
@@ -1545,6 +2010,15 @@
 "BADNEWS"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ }
+ ],
 "uuid": "e9595678-d269-469e-ae6b-75e49259de63",
 "value": "BADNEWS - S0128"
 },
@@ -1560,6 +2034,15 @@
 "FLIPSIDE"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ }
+ ],
 "uuid": "0e18b800-906c-4e44-a143-b11c72b3448b",
 "value": "FLIPSIDE - S0173"
 },
@@ -1584,6 +2067,13 @@
 "estimative-language:likelihood-probability=\"likely\""
 ],
 "type": "similar"
+ },
+ {
+ "dest-uuid": "1035cdf2-3e5f-446f-a7a7-e8f6d7925967",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
 }
 ],
 "uuid": "ff6840c9-4c87-4d07-bbb6-9f50aa33d498",
@@ -1608,6 +2098,13 @@
 "estimative-language:likelihood-probability=\"likely\""
 ],
 "type": "similar"
+ },
+ {
+ "dest-uuid": "f879d51c-5476-431c-aedf-f14d207e4d1e",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
 }
 ],
 "uuid": "ad4f146f-e3ec-444a-ba71-24bffd7f0f8e",
@@ -1635,6 +2132,13 @@
 "estimative-language:likelihood-probability=\"likely\""
 ],
 "type": "similar"
+ },
+ {
+ "dest-uuid": "4b74a1d4-b0e9-4ef1-93f1-14ecc6e2f5b5",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
 }
 ],
 "uuid": "b6b3dfc7-9a81-43ff-ac04-698bad48973a",
@@ -1656,6 +2160,15 @@
 "EuroAPT"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ }
+ ],
 "uuid": "e6ef745b-077f-42e1-a37d-29eecff9c754",
 "value": "CozyCar - S0046"
 },
@@ -1671,6 +2184,15 @@
 "Mivast"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ }
+ ],
 "uuid": "fbb470da-1d44-4f29-bbb3-9efbe20f94a3",
 "value": "Mivast - S0080"
 },
@@ -1688,6 +2210,15 @@
 "NETWIRE"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ }
+ ],
 "uuid": "2a70812b-f1ef-44db-8578-a496a227aef2",
 "value": "NETWIRE - S0198"
 },
@@ -1703,6 +2234,15 @@
 "ISMInjector"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ }
+ ],
 "uuid": "5be33fef-39c0-4532-84ee-bea31e1b5324",
 "value": "ISMInjector - S0189"
 },
@@ -1719,6 +2259,15 @@
 "Vasport"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ }
+ ],
 "uuid": "f4d8a2d6-c684-453a-8a14-cf4a94f755c5",
 "value": "Vasport - S0207"
 },
@@ -1734,6 +2283,15 @@
 "Cherry Picker"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "317fefa6-46c7-4062-adb6-2008cf6bcb41",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ }
+ ],
 "uuid": "b2203c59-4089-4ee4-bfe1-28fa25f0dbfe",
 "value": "Cherry Picker - S0107"
 },
@@ -1767,6 +2325,13 @@
 "estimative-language:likelihood-probability=\"likely\""
 ],
 "type": "similar"
+ },
+ {
+ "dest-uuid": "f24faf46-3b26-4dbb-98f2-63460498e433",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
 }
 ],
 "uuid": "7343e208-7cab-45f2-a47b-41ba5e2f0fab",
@@ -1792,6 +2357,13 @@
 "estimative-language:likelihood-probability=\"likely\""
 ],
 "type": "similar"
+ },
+ {
+ "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
 }
 ],
 "uuid": "48523614-309e-43bf-a2b8-705c2b45d7b2",
@@ -1816,6 +2388,13 @@
 "estimative-language:likelihood-probability=\"likely\""
 ],
 "type": "similar"
+ },
+ {
+ "dest-uuid": "72b74d71-8169-42aa-92e0-e7b04b9f5a08",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
 }
 ],
 "uuid": "199463de-d9be-46d6-bb41-07234c1dd5a6",
@@ -1840,6 +2419,13 @@
 "estimative-language:likelihood-probability=\"likely\""
 ],
 "type": "similar"
+ },
+ {
+ "dest-uuid": "b9f5dbe2-4c55-4fc5-af2e-d42c1d182ec4",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
 }
 ],
 "uuid": "8ab98e25-1672-4b5f-a2fb-e60f08a5ea9e",
@@ -1880,6 +2466,13 @@
 "estimative-language:likelihood-probability=\"likely\""
 ],
 "type": "similar"
+ },
+ {
+ "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
 }
 ],
 "uuid": "96b08451-b27a-4ff6-893f-790e26393a8e",
@@ -1897,6 +2490,15 @@
 "Agent.btz"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ }
+ ],
 "uuid": "40d3e230-ed32-469f-ba89-be70cc08ab39",
 "value": "Agent.btz - S0092"
 },
@@ -1919,6 +2521,13 @@
 "estimative-language:likelihood-probability=\"likely\""
 ],
 "type": "similar"
+ },
+ {
+ "dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
 }
 ],
 "uuid": "37cc7eb6-12e3-467b-82e8-f20f2cc73c69",
@@ -1943,6 +2552,13 @@
 "estimative-language:likelihood-probability=\"likely\""
 ],
 "type": "similar"
+ },
+ {
+ "dest-uuid": "f24faf46-3b26-4dbb-98f2-63460498e433",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
 }
 ],
 "uuid": "53cf6cc4-65aa-445a-bcf8-c3d296f8a7a2",
@@ -1967,6 +2583,13 @@
 "estimative-language:likelihood-probability=\"likely\""
 ],
 "type": "similar"
+ },
+ {
+ "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
 }
 ],
 "uuid": "414dc555-c79e-4b24-a2da-9b607f7eaf16",
@@ -1994,6 +2617,13 @@
 "estimative-language:likelihood-probability=\"likely\""
 ],
 "type": "similar"
+ },
+ {
+ "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
 }
 ],
 "uuid": "af2ad3b7-ab6a-4807-91fd-51bcaff9acbb",
@@ -2018,6 +2648,13 @@
 "estimative-language:likelihood-probability=\"likely\""
 ],
 "type": "similar"
+ },
+ {
+ "dest-uuid": "830c9528-df21-472c-8c14-a036bf17d665",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
 }
 ],
 "uuid": "5a84dc36-df0d-4053-9b7c-f0c388a57283",
@@ -2048,6 +2685,13 @@
 "estimative-language:likelihood-probability=\"likely\""
 ],
 "type": "similar"
+ },
+ {
+ "dest-uuid": "0f20e3cb-245b-4a61-8a91-2d93f7cb0e9b",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
 }
 ],
 "uuid": "3d8e547d-9456-4f32-a895-dc86134e282f",
@@ -2066,6 +2710,15 @@
 "Wingbird"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "b2001907-166b-4d71-bb3c-9d26c871de09",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ }
+ ],
 "uuid": "a8d3d497-2da9-4797-8e0b-ed176be08654",
 "value": "Wingbird - S0176"
 },
@@ -2082,6 +2735,15 @@
 "Nerex"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ }
+ ],
 "uuid": "c251e4a5-9a2e-4166-8e42-442af75c3b9a",
 "value": "Nerex - S0210"
 },
@@ -2111,6 +2773,13 @@
 "estimative-language:likelihood-probability=\"likely\""
 ],
 "type": "similar"
+ },
+ {
+ "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
 }
 ],
 "uuid": "4c59cce8-cb48-4141-b9f1-f646edfaadb0",
@@ -2128,6 +2797,15 @@
 "AutoIt backdoor"
 ]
 },
+ "related": [
+ {
+ "dest-uuid": "ca1a3f50-5ebd-41f8-8320-2c7d6a6e88be",
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": "uses"
+ }
+ ],
 "uuid": "f5352566-1a64-49ac-8f7f-97e1d1a03300",
 "value": "AutoIt backdoor - S0129"
 },
@@ -2150,6 +2828,13 @@ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" + }, + { + "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "09b2cd76-c674-47cc-9f57-d2f2ad150a46", @@ -2169,6 +2854,15 @@ "Win32/Agent.UAW" ] }, + "related": [ + { + "dest-uuid": "52f3d5a6-8a0f-4f82-977e-750abf90d0b0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + } + ], "uuid": "0a9c51e0-825d-4b9b-969d-ce86ed8ce3c3", "value": "Power Loader - S0177" }, @@ -2191,6 +2885,13 @@ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" + }, + { + "dest-uuid": "7dd95ff6-712e-4056-9626-312ea4ab4c5e", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "5f9f7648-04ba-4a9f-bb4c-2a13e74572bd", @@ -2215,6 +2916,13 @@ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" + }, + { + "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "8c553311-0baa-4146-997a-f79acef3d831", @@ -2233,6 +2941,15 @@ "PUNCHBUGGY" ] }, + "related": [ + { + "dest-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + } + ], "uuid": "5c6ed2dc-37f4-40ea-b2e1-4c76140a388c", "value": "PUNCHBUGGY - S0196" }, @@ -2249,6 +2966,15 @@ "Matroyshka" ] }, + "related": [ + { + "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + } + ], "uuid": "1cc934e4-b01d-4543-a011-b988dfc1a458", "value": "Matroyshka - S0167" }, 
@@ -2273,6 +2999,13 @@ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" + }, + { + "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "58adaaa8-f1e8-4606-9a08-422e568461eb", @@ -2299,6 +3032,13 @@ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" + }, + { + "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "06d735e7-1db1-4dbe-ab4b-acbe419f902b", @@ -2316,6 +3056,15 @@ "Trojan.Karagany" ] }, + "related": [ + { + "dest-uuid": "6ff403bc-93e3-48be-8687-e102fdba8c88", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + } + ], "uuid": "82cb34ba-02b5-432b-b2d2-07f55cbf674d", "value": "Trojan.Karagany - S0094" }, @@ -2338,6 +3087,13 @@ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" + }, + { + "dest-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "26fed817-e7bf-41f9-829a-9075ffac45c2", @@ -2388,6 +3144,13 @@ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" + }, + { + "dest-uuid": "241814ae-de3f-4656-b49e-f9a80764d4b7", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "ccd61dfc-b03f-4689-8c18-7c97eab08472", @@ -2413,6 +3176,13 @@ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" + }, + { + "dest-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "310f437b-29e7-4844-848c-7220868d074a", 
@@ -2430,6 +3200,15 @@ "MiniDuke" ] }, + "related": [ + { + "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + } + ], "uuid": "5e7ef1dc-7fb6-4913-ac75-e06113b59e0c", "value": "MiniDuke - S0051" }, @@ -2452,6 +3231,13 @@ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" + }, + { + "dest-uuid": "322bad5a-1c49-4d23-ab79-76d641794afa", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "64d76fa5-cf8f-469c-b78c-1a4f7c5bad80", @@ -2485,6 +3271,13 @@ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" + }, + { + "dest-uuid": "478aa214-2ca7-4ec0-9978-18798e514790", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "7551188b-8f91-4d34-8350-0d0c57b2b913", @@ -2509,6 +3302,13 @@ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" + }, + { + "dest-uuid": "01a5a209-b94c-450b-b7f9-946497d91055", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "7dbb67c7-270a-40ad-836e-c45f8948aa5a", @@ -2533,6 +3333,13 @@ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" + }, + { + "dest-uuid": "f24faf46-3b26-4dbb-98f2-63460498e433", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "b8eb28e4-48a6-40ae-951a-328714f75eda", @@ -2564,6 +3371,13 @@ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" + }, + { + "dest-uuid": "6ff403bc-93e3-48be-8687-e102fdba8c88", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "80a014ba-3fef-4768-990b-37d8bd10d7f4", 
@@ -2604,6 +3418,13 @@ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" + }, + { + "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "17e919aa-4a49-445c-b103-dbb8df9e7351", @@ -2628,6 +3449,13 @@ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" + }, + { + "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "9e2bba94-950b-4fcf-8070-cb3f816c5f4e", @@ -2646,6 +3474,15 @@ "Pasam" ] }, + "related": [ + { + "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + } + ], "uuid": "e811ff6a-4cef-4856-a6ae-a7daf9ed39ae", "value": "Pasam - S0208" }, @@ -2662,6 +3499,15 @@ "Trojan.Zeroaccess" ] }, + "related": [ + { + "dest-uuid": "0f20e3cb-245b-4a61-8a91-2d93f7cb0e9b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + } + ], "uuid": "552462b9-ae79-49dd-855c-5973014e157f", "value": "Zeroaccess - S0027" }, @@ -2678,6 +3524,15 @@ "Linfo" ] }, + "related": [ + { + "dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + } + ], "uuid": "e9e9bfe2-76f4-4870-a2a1-b7af89808613", "value": "Linfo - S0211" }, @@ -2693,6 +3548,15 @@ "Skeleton Key" ] }, + "related": [ + { + "dest-uuid": "a10641f4-87b4-45a3-a906-92a149cb2c27", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + } + ], "uuid": "89f63ae4-f229-4a5c-95ad-6f22ed2b5c49", "value": "Skeleton Key - S0007" }, 
@@ -2717,6 +3581,13 @@ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" + }, + { + "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "8901ac23-6b50-410c-b0dd-d8174a86f9b3", @@ -2748,6 +3619,13 @@ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" + }, + { + "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "fece06b7-d4b1-42cf-b81a-5323c917546e", @@ -2766,6 +3644,15 @@ "Briba" ] }, + "related": [ + { + "dest-uuid": "478aa214-2ca7-4ec0-9978-18798e514790", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + } + ], "uuid": "79499993-a8d6-45eb-b343-bf58dea5bdde", "value": "Briba - S0204" }, @@ -2795,6 +3682,13 @@ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" + }, + { + "dest-uuid": "4b74a1d4-b0e9-4ef1-93f1-14ecc6e2f5b5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "495b6cdb-7b5a-4fbc-8d33-e7ef68806d08", @@ -2819,6 +3713,13 @@ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" + }, + { + "dest-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "0b32ec39-ba61-4864-9ebe-b4b0b73caf9a", @@ -2843,6 +3744,13 @@ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" + }, + { + "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "8e461ca3-0996-4e6e-a0df-e2a5bbc51ebc", 
@@ -2868,6 +3776,13 @@ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" + }, + { + "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "db1355a7-e5c9-4e2c-8da7-eccf2ae9bf5c", @@ -2885,6 +3800,15 @@ "BOOTRASH" ] }, + "related": [ + { + "dest-uuid": "02fefddc-fb1b-423f-a76b-7552dd211d4d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + } + ], "uuid": "da2ef4a9-7cbe-400a-a379-e2f230f28db3", "value": "BOOTRASH - S0114" }, @@ -2902,6 +3826,15 @@ "China Chopper" ] }, + "related": [ + { + "dest-uuid": "c16e5409-ee53-4d79-afdc-4099dc9292df", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + } + ], "uuid": "5a3a31fe-5a8f-48e1-bff0-a753e5b1be70", "value": "China Chopper - S0020" }, @@ -2917,6 +3850,15 @@ "Wiper" ] }, + "related": [ + { + "dest-uuid": "92a78814-b191-47ca-909c-1ccfe3777414", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + } + ], "uuid": "a19c49aa-36fe-4c05-b817-23e1c7a7d085", "value": "Wiper - S0041" }, @@ -2932,6 +3874,15 @@ "Unknown Logger" ] }, + "related": [ + { + "dest-uuid": "2e0dd10b-676d-4964-acd0-8a404c92b044", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + } + ], "uuid": "ab3580c8-8435-4117-aace-3d9fbe46aa56", "value": "Unknown Logger - S0130" }, @@ -2954,6 +3905,13 @@ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" + }, + { + "dest-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "88c621a7-aef9-4ae0-94e3-1fc87123eb24", 
@@ -2978,6 +3936,13 @@ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" + }, + { + "dest-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "0852567d-7958-4f4b-8947-4f840ec8d57d", @@ -3002,6 +3967,13 @@ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" + }, + { + "dest-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "eff1a885-6f90-42a1-901f-eef6e7a1905e", @@ -3076,6 +4048,13 @@ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" + }, + { + "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "60c18d06-7b91-4742-bae3-647845cd9d81", @@ -3107,6 +4086,13 @@ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" + }, + { + "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "9ca488bd-9587-48ef-b923-1743523e63b2", @@ -3133,6 +4119,13 @@ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" + }, + { + "dest-uuid": "a19e86f8-1c0a-4fea-8407-23b73d615776", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "69d6f4a9-fcf0-4f51-bca7-597c51ad0bb8", @@ -3157,6 +4150,13 @@ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" + }, + { + "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "53d47b09-09c2-4015-8d37-6633ecd53f79", 
@@ -3174,6 +4174,15 @@ "FLASHFLOOD" ] }, + "related": [ + { + "dest-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + } + ], "uuid": "43213480-78f7-4fb3-976f-d48f5f6a4c2a", "value": "FLASHFLOOD - S0036" }, @@ -3189,6 +4198,15 @@ "TINYTYPHON" ] }, + "related": [ + { + "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + } + ], "uuid": "85b39628-204a-48d2-b377-ec368cbcb7ca", "value": "TINYTYPHON - S0131" }, @@ -3212,6 +4230,13 @@ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" + }, + { + "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "76abb3ef-dafd-4762-97cb-a35379429db4", @@ -3238,6 +4263,13 @@ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" + }, + { + "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "67e6d66b-1b82-4699-b47a-e2efb6268d14", @@ -3269,6 +4301,13 @@ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" + }, + { + "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "0ced8926-914e-4c78-bc93-356fb90dbd1f", @@ -3305,6 +4344,13 @@ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" + }, + { + "dest-uuid": "d54416bd-0803-41ca-870a-ce1af7c05638", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "fb575479-14ef-41e9-bfab-0b7cf10bec73", 
@@ -3336,6 +4382,13 @@ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" + }, + { + "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "3240cbe4-c550-443b-aa76-cc2a7058b870", @@ -3353,6 +4406,15 @@ "S-Type" ] }, + "related": [ + { + "dest-uuid": "970cdb5c-02fb-4c38-b17e-d6327cf3c810", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + } + ], "uuid": "66b1dcde-17a0-4c7b-95fa-b08d430c2131", "value": "S-Type - S0085" }, @@ -3367,6 +4429,15 @@ "Chaos" ] }, + "related": [ + { + "dest-uuid": "f72eb8a8-cd4c-461d-a814-3f862befbf00", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + } + ], "uuid": "5bcd5511-6756-4824-a692-e8bb109364af", "value": "Chaos - S0220" }, @@ -3396,6 +4467,13 @@ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" + }, + { + "dest-uuid": "4ae4f953-fe58-4cc8-a327-33257e30a830", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "cafd0bf8-2b9c-46c7-ae3c-3e0f42c5062e", @@ -3413,6 +4491,15 @@ "RemoteCMD" ] }, + "related": [ + { + "dest-uuid": "54a649ff-439a-41a4-9856-8d144a2551ba", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + } + ], "uuid": "4e6b9625-bbda-4d96-a652-b3bb45453f26", "value": "RemoteCMD - S0166" }, @@ -3442,6 +4529,13 @@ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" + }, + { + "dest-uuid": "241814ae-de3f-4656-b49e-f9a80764d4b7", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "63c2a130-8a5b-452f-ad96-07cf0af12ffe", 
@@ -3461,6 +4555,15 @@ "Gameover ZeuS" ] }, + "related": [ + { + "dest-uuid": "ad255bfe-a9e6-4b52-a258-8d3462abe842", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + } + ], "uuid": "b2c5d3ca-b43a-4888-ad8d-e2d43497bf85", "value": "P2P ZeuS - S0016" }, @@ -3487,6 +4590,13 @@ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" + }, + { + "dest-uuid": "46944654-fcc1-4f63-9dad-628102376586", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "a5528622-3a8a-4633-86ce-8cdaf8423858", @@ -3519,6 +4629,13 @@ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" + }, + { + "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "da5880b4-f7da-4869-85f2-e0aba84b8565", @@ -3550,6 +4667,13 @@ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" + }, + { + "dest-uuid": "e906ae4d-1d3a-4675-be23-22f7311c0da4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "5e595477-2e78-4ce7-ae42-e0b059b17808", @@ -3566,6 +4690,15 @@ "adbupd" ] }, + "related": [ + { + "dest-uuid": "e906ae4d-1d3a-4675-be23-22f7311c0da4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + } + ], "uuid": "0f1ad2ef-41d4-4b7a-9304-ddae68ea3005", "value": "adbupd - S0202" }, @@ -3589,6 +4722,13 @@ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" + }, + { + "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "196f1f32-e0c2-4d46-99cd-234d4b6befe1", 
@@ -3608,6 +4748,15 @@ "Truvasys" ] }, + "related": [ + { + "dest-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + } + ], "uuid": "691c60e2-273d-4d56-9ce6-b67e0f8719ad", "value": "Truvasys - S0178" }, @@ -3639,6 +4788,13 @@ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" + }, + { + "dest-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "d3afa961-a80c-4043-9509-282cdf69ab21", @@ -3663,6 +4819,13 @@ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" + }, + { + "dest-uuid": "d519cfd5-f3a8-43a9-a846-ed0bb40672b1", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "92ec0cbd-2c30-44a2-b270-73f4ec949841", @@ -3680,6 +4843,15 @@ "CallMe" ] }, + "related": [ + { + "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + } + ], "uuid": "cb7bcf6f-085f-41db-81ee-4b68481661b5", "value": "CallMe - S0077" }, @@ -3696,6 +4868,15 @@ "HIDEDRV" ] }, + "related": [ + { + "dest-uuid": "0f20e3cb-245b-4a61-8a91-2d93f7cb0e9b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + } + ], "uuid": "e669bb87-f773-4c7b-bfcc-a9ffebfdd8d4", "value": "HIDEDRV - S0135" }, @@ -3711,6 +4892,15 @@ "Mis-Type" ] }, + "related": [ + { + "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + } + ], "uuid": "e1161124-f22e-487f-9d5f-ed8efc8dcd61", "value": "Mis-Type - S0084" }, 
@@ -3733,6 +4923,13 @@ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" + }, + { + "dest-uuid": "731f4f55-b6d0-41d1-a7a9-072a66389aea", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "95047f03-4811-4300-922e-1ba937d53a61", @@ -3751,6 +4948,15 @@ "ASPXTool" ] }, + "related": [ + { + "dest-uuid": "c16e5409-ee53-4d79-afdc-4099dc9292df", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + } + ], "uuid": "56f46b17-8cfa-46c0-b501-dd52fef394e2", "value": "ASPXSpy - S0073" }, @@ -3765,6 +4971,15 @@ "Dipsind" ] }, + "related": [ + { + "dest-uuid": "514ede4c-78b3-4d78-a38b-daddf6217a79", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + } + ], "uuid": "e170995d-4f61-4f17-b60e-04f9a06ee517", "value": "Dipsind - S0200" }, @@ -3780,6 +4995,15 @@ "SEASHARPEE" ] }, + "related": [ + { + "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + } + ], "uuid": "0998045d-f96e-4284-95ce-3c8219707486", "value": "SEASHARPEE - S0185" }, @@ -3796,6 +5020,15 @@ "Sykipot" ] }, + "related": [ + { + "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + } + ], "uuid": "6a0ef5d4-fc7c-4dda-85d7-592e4dbdc5d9", "value": "Sykipot - S0018" }, @@ -3818,6 +5051,13 @@ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" + }, + { + "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "e48df773-7c95-4a4c-ba70-ea3d15900148", 
@@ -3835,6 +5075,15 @@ "OSInfo" ] }, + "related": [ + { + "dest-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + } + ], "uuid": "f6d1d2cb-12f5-4221-9636-44606ea1f3f8", "value": "OSInfo - S0165" }, @@ -3850,6 +5099,15 @@ "HOMEFRY" ] }, + "related": [ + { + "dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + } + ], "uuid": "7451bcf9-e6e6-4a70-bc3d-1599173d0035", "value": "HOMEFRY - S0232" }, @@ -3873,6 +5131,13 @@ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" + }, + { + "dest-uuid": "830c9528-df21-472c-8c14-a036bf17d665", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "f2e8c7a1-cae1-45c4-baf0-6f21bdcbb2c2", @@ -3890,6 +5155,15 @@ "Emissary" ] }, + "related": [ + { + "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + } + ], "uuid": "0f862b01-99da-47cc-9bdb-db4a86a95bb1", "value": "Emissary - S0082" }, @@ -3907,6 +5181,15 @@ "PSVC" ] }, + "related": [ + { + "dest-uuid": "7dd95ff6-712e-4056-9626-312ea4ab4c5e", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + } + ], "uuid": "c4de7d83-e875-4c88-8b5d-06c41e5b7e79", "value": "PUNCHTRACK - S0197" }, @@ -3924,6 +5207,15 @@ "PhotoMiner" ] }, + "related": [ + { + "dest-uuid": "246fd3c7-f5e3-466d-8787-4c13d9e3b61c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + } + ], "uuid": "17dec760-9c8f-4f1b-9b4b-0ac47a453234", "value": "Miner-C - S0133" }, 
@@ -3946,6 +5238,13 @@ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" + }, + { + "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "687c23e4-4e25-4ee7-a870-c5e002511f54", @@ -3964,6 +5263,15 @@ "Backdoor.APT.FakeWinHTTPHelper" ] }, + "related": [ + { + "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + } + ], "uuid": "123bd7b3-675c-4b1a-8482-c55782b20e2b", "value": "BUBBLEWRAP - S0043" }, @@ -3986,6 +5294,13 @@ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" + }, + { + "dest-uuid": "ba8e391f-14b5-496f-81f2-2d5ecd646c1c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "800bdfba-6d66-480f-9f45-15845c05cb5d", @@ -4010,6 +5325,13 @@ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" + }, + { + "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "2fb26586-2b53-4b9a-ad4f-2b3bcb9a2421", @@ -4028,6 +5350,15 @@ "Backdoor.Nidiran" ] }, + "related": [ + { + "dest-uuid": "4b74a1d4-b0e9-4ef1-93f1-14ecc6e2f5b5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + } + ], "uuid": "9e9b9415-a7df-406b-b14d-92bfe6809fbe", "value": "Nidiran - S0118" }, @@ -4043,6 +5374,15 @@ "Trojan.Mebromi" ] }, + "related": [ + { + "dest-uuid": "6856ddd6-2df3-4379-8b87-284603c189c3", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + } + ], "uuid": "c5e9cb46-aced-466c-85ea-7db5572ad9ec", "value": "Trojan.Mebromi - S0001" }, 
@@ -4065,6 +5405,13 @@ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" + }, + { + "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "3c02fb1f-cbdb-48f5-abaf-8c81d6e0c322", @@ -4082,6 +5429,15 @@ "OwaAuth" ] }, + "related": [ + { + "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + } + ], "uuid": "a60657fa-e2e7-4f8f-8128-a882534ae8c5", "value": "OwaAuth - S0072" }, @@ -4097,6 +5453,15 @@ "ROCKBOOT" ] }, + "related": [ + { + "dest-uuid": "02fefddc-fb1b-423f-a76b-7552dd211d4d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + } + ], "uuid": "cba78a1c-186f-4112-9e6a-be1839f030f7", "value": "ROCKBOOT - S0112" }, @@ -4112,6 +5477,15 @@ "MURKYTOP" ] }, + "related": [ + { + "dest-uuid": "72b74d71-8169-42aa-92e0-e7b04b9f5a08", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + } + ], "uuid": "049ff071-0b3c-4712-95d2-d21c6aa54501", "value": "MURKYTOP - S0233" }, @@ -4134,6 +5508,13 @@ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" + }, + { + "dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "b136d088-a829-432c-ac26-5529c26d4c7e", @@ -4150,6 +5531,15 @@ "JPIN" ] }, + "related": [ + { + "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + } + ], "uuid": "de6cb631-52f6-4169-a73b-7965390b0c30", "value": "JPIN - S0201" }, 
@@ -4165,6 +5555,15 @@ "LOWBALL" ] }, + "related": [ + { + "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + } + ], "uuid": "2a6f4c7b-e690-4cc7-ab6b-1f821fb6b80b", "value": "LOWBALL - S0042" }, @@ -4181,6 +5580,15 @@ "Wiarp" ] }, + "related": [ + { + "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + } + ], "uuid": "039814a0-88de-46c5-a4fb-b293db21880a", "value": "Wiarp - S0206" }, @@ -4197,6 +5605,15 @@ "BLACKCOFFEE" ] }, + "related": [ + { + "dest-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + } + ], "uuid": "d69c8146-ab35-4d50-8382-6fc80e641d43", "value": "BLACKCOFFEE - S0069" }, @@ -4229,6 +5646,13 @@ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" + }, + { + "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "94379dec-5c87-49db-b36e-66abc0b81344", @@ -4258,6 +5682,13 @@ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" + }, + { + "dest-uuid": "7dd95ff6-712e-4056-9626-312ea4ab4c5e", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "9752aef4-a1f3-4328-929f-b64eb0536090", @@ -4293,6 +5724,13 @@ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" + }, + { + "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "6b62e336-176f-417b-856a-8552dd8c44e1", 
@@ -4319,6 +5757,13 @@ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" + }, + { + "dest-uuid": "3b3cbbe0-6ed3-4334-b543-3ddfd8c5642d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "251fbae2-78f6-4de7-84f6-194c727a64ad", @@ -4343,6 +5788,13 @@ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" + }, + { + "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "7bec698a-7e20-4fd3-bb6a-12787770fb1a", @@ -4424,6 +5876,13 @@ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" + }, + { + "dest-uuid": "b21c3b2d-02e6-45b1-980b-e69051040839", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "8ae43c46-57ef-47d5-a77a-eebb35628db2", @@ -4441,9 +5900,18 @@ "ELMER" ] }, + "related": [ + { + "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + } + ], "uuid": "3cab1b76-2f40-4cd0-8d2c-7ed16eeb909c", "value": "ELMER - S0064" } ], - "version": 6 -} + "version": 7 +} \ No newline at end of file diff --git a/clusters/mitre-enterprise-attack-tool.json b/clusters/mitre-enterprise-attack-tool.json index be28260..7ca5e71 100644 --- a/clusters/mitre-enterprise-attack-tool.json +++ b/clusters/mitre-enterprise-attack-tool.json @@ -28,6 +28,13 @@ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" + }, + { + "dest-uuid": "f44731de-ea9f-406d-9b83-30ecbb9b4392", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "96fd6cc4-a693-4118-83ec-619e5352d07d", 
@@ -46,6 +53,15 @@ "at.exe" ] }, + "related": [ + { + "dest-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + } + ], "uuid": "0c8465c0-d0b4-4670-992e-4eee8d7ff952", "value": "at - S0110" }, @@ -62,6 +78,15 @@ "route.exe" ] }, + "related": [ + { + "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + } + ], "uuid": "c11ac61d-50f4-444f-85d8-6f006067f0de", "value": "route - S0103" }, @@ -77,6 +102,15 @@ "Tasklist" ] }, + "related": [ + { + "dest-uuid": "322bad5a-1c49-4d23-ab79-76d641794afa", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + } + ], "uuid": "2e45723a-31da-4a7e-aaa6-e01998a6788f", "value": "Tasklist - S0057" }, @@ -93,6 +127,15 @@ "WCE" ] }, + "related": [ + { + "dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + } + ], "uuid": "242f3da3-4425-4d11-8f5c-b842886da966", "value": "Windows Credential Editor - S0005" }, @@ -108,6 +151,15 @@ "Responder" ] }, + "related": [ + { + "dest-uuid": "3257eb21-f9a7-4430-8de1-d8b6e288f529", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + } + ], "uuid": "a1dd2dbd-1550-44bf-abcc-1a4c52e97719", "value": "Responder - S0174" }, @@ -124,6 +176,15 @@ "schtasks.exe" ] }, + "related": [ + { + "dest-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + } + ], "uuid": "c9703cd3-141c-43a0-a926-380082be5d04", "value": "schtasks - S0111" }, 
@@ -146,6 +207,13 @@ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" + }, + { + "dest-uuid": "ca1a3f50-5ebd-41f8-8320-2c7d6a6e88be", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "102c3898-85e0-43ee-ae28-62a0a3ed9507", @@ -163,6 +231,15 @@ "ifconfig" ] }, + "related": [ + { + "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + } + ], "uuid": "362dc67f-4e85-4562-9dac-1b6b7f3ec4b5", "value": "ifconfig - S0101" }, @@ -178,6 +255,15 @@ "BITSAdmin" ] }, + "related": [ + { + "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + } + ], "uuid": "64764dc6-a032-495f-8250-1e4c06bdc163", "value": "BITSAdmin - S0190" }, @@ -201,6 +287,13 @@ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" + }, + { + "dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "afc079f3-c0ea-4096-b75d-3f05338b7f60", @@ -218,6 +311,15 @@ "xCmd" ] }, + "related": [ + { + "dest-uuid": "f44731de-ea9f-406d-9b83-30ecbb9b4392", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + } + ], "uuid": "4fa49fc0-9162-4bdb-a37e-7aa3dcb6d38b", "value": "xCmd - S0123" }, @@ -233,6 +335,15 @@ "MimiPenguin" ] }, + "related": [ + { + "dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + } + ], "uuid": "5a33468d-844d-4b1f-98c9-0e786c556b27", "value": "MimiPenguin - S0179" }, 
@@ -248,6 +359,15 @@ "SDelete" ] }, + "related": [ + { + "dest-uuid": "1b84d551-6de8-4b96-9930-d177677c3b1d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + } + ], "uuid": "d8d19e33-94fd-4aa3-b94a-08ee801a2153", "value": "SDelete - S0195" }, @@ -264,6 +384,15 @@ "systeminfo.exe" ] }, + "related": [ + { + "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + } + ], "uuid": "7fcbc4e8-1989-441f-9ac5-e7b6ff5806f1", "value": "Systeminfo - S0096" }, @@ -280,6 +409,15 @@ "netsh.exe" ] }, + "related": [ + { + "dest-uuid": "241814ae-de3f-4656-b49e-f9a80764d4b7", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + } + ], "uuid": "5a63f900-5e7e-4928-a746-dd4558e1df71", "value": "netsh - S0108" }, @@ -296,6 +434,15 @@ "dsquery.exe" ] }, + "related": [ + { + "dest-uuid": "15dbf668-795c-41e6-8219-f0447c0e64ce", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + } + ], "uuid": "38952eac-cb1b-4a71-bad2-ee8223a1c8fe", "value": "dsquery - S0105" }, @@ -318,6 +465,13 @@ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" + }, + { + "dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "b07c2c47-fefb-4d7c-a69e-6a3296171f54", @@ -336,6 +490,15 @@ "ping.exe" ] }, + "related": [ + { + "dest-uuid": "e358d692-23c0-4a31-9eb6-ecc13a8d7735", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + } + ], "uuid": "b77b563c-34bb-4fb8-86a3-3694338f7b47", "value": "Ping - S0097" }, 
@@ -351,6 +514,15 @@ "Fgdump" ] }, + "related": [ + { + "dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + } + ], "uuid": "4f45dfeb-fe51-4df0-8db3-edf7dd0513fe", "value": "Fgdump - S0120" }, @@ -366,6 +538,15 @@ "Lslsass" ] }, + "related": [ + { + "dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + } + ], "uuid": "2fab555f-7664-4623-b4e0-1675ae38190b", "value": "Lslsass - S0121" }, @@ -381,6 +562,15 @@ "Pass-The-Hash Toolkit" ] }, + "related": [ + { + "dest-uuid": "c23b740b-a42b-47a1-aec2-9d48ddd547ff", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + } + ], "uuid": "a52edc76-328d-4596-85e7-d56ef5a9eb69", "value": "Pass-The-Hash Toolkit - S0122" }, @@ -397,6 +587,15 @@ "ftp.exe" ] }, + "related": [ + { + "dest-uuid": "f879d51c-5476-431c-aedf-f14d207e4d1e", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + } + ], "uuid": "cf23bf4a-e003-4116-bbae-1ea6c558d565", "value": "FTP - S0095" }, @@ -413,6 +612,15 @@ "ipconfig.exe" ] }, + "related": [ + { + "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + } + ], "uuid": "294e2560-bd48-44b2-9da2-833b5588ad11", "value": "ipconfig - S0100" }, @@ -429,6 +637,15 @@ "nbtstat.exe" ] }, + "related": [ + { + "dest-uuid": "7e150503-88e7-4861-866b-ff1ac82c4475", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + } + ], "uuid": "b35068ec-107a-4266-bda8-eb7036267aea", "value": "nbtstat - S0102" }, 
@@ -452,6 +669,13 @@ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" + }, + { + "dest-uuid": "731f4f55-b6d0-41d1-a7a9-072a66389aea", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "d5e96a35-7b0b-4c6a-9533-d63ecbda563e", @@ -469,6 +693,15 @@ "Tor" ] }, + "related": [ + { + "dest-uuid": "7d751199-05fa-4a72-920f-85df4506c76c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + } + ], "uuid": "ed7d0cb1-87a6-43b4-9f46-ef1bc56d6c68", "value": "Tor - S0183" }, @@ -485,6 +718,15 @@ "netstat.exe" ] }, + "related": [ + { + "dest-uuid": "7e150503-88e7-4861-866b-ff1ac82c4475", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + } + ], "uuid": "4664b683-f578-434f-919b-1c1aad2a1111", "value": "netstat - S0104" }, @@ -500,6 +742,15 @@ "pwdump" ] }, + "related": [ + { + "dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + } + ], "uuid": "9de2308e-7bed-43a3-8e58-f194b3586700", "value": "pwdump - S0006" }, @@ -515,6 +766,15 @@ "Cachedump" ] }, + "related": [ + { + "dest-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + } + ], "uuid": "c9cd7ec9-40b7-49db-80be-1399eddd9c52", "value": "Cachedump - S0119" }, @@ -530,6 +790,15 @@ "Forfiles" ] }, + "related": [ + { + "dest-uuid": "7bc57495-ea59-4380-be31-a64af124ef18", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + } + ], "uuid": "90ec2b22-7061-4469-b539-0989ec4f96c2", "value": "Forfiles - S0193" }, 
@@ -547,6 +816,15 @@ "net.exe" ] }, + "related": [ + { + "dest-uuid": "b6075259-dba3-44e9-87c7-e954f37ec0d5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + } + ], "uuid": "03342581-f790-4f03-ba41-e82e67392e23", "value": "Net - S0039" }, @@ -570,6 +848,13 @@ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" + }, + { + "dest-uuid": "ffe742ed-9100-4686-9e00-c331da544787", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "ff6caf67-ea1f-4895-b80e-4bb0fc31c6db", @@ -595,6 +880,13 @@ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" + }, + { + "dest-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "0a68f1f1-da74-4d28-8d9a-696c082706cc", @@ -613,6 +905,15 @@ "arp.exe" ] }, + "related": [ + { + "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + } + ], "uuid": "30489451-5886-4c46-90c9-0dff9adc5252", "value": "Arp - S0099" }, @@ -632,6 +933,15 @@ "cmd.exe" ] }, + "related": [ + { + "dest-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + } + ], "uuid": "bba595da-b73a-4354-aa6c-224d4de7cb4e", "value": "cmd - S0106" }, @@ -647,6 +957,15 @@ "Havij" ] }, + "related": [ + { + "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + } + ], "uuid": "fbd727ea-c0dc-42a9-8448-9e12962d1ab5", "value": "Havij - S0224" }, 
@@ -664,6 +983,15 @@ "PowerSploit" ] }, + "related": [ + { + "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + } + ], "uuid": "13cd9151-83b7-410d-9f98-25d0f0d1d80d", "value": "PowerSploit - S0194" }, @@ -678,6 +1006,15 @@ "meek" ] }, + "related": [ + { + "dest-uuid": "1ce03c65-5946-4ac9-9d4d-66db87e024bd", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + } + ], "uuid": "65370d0b-3bd4-4653-8cf9-daf56f6be830", "value": "meek - S0175" }, @@ -695,6 +1032,15 @@ "reg.exe" ] }, + "related": [ + { + "dest-uuid": "2edd9d6a-5674-4326-a600-ba56de467286", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + } + ], "uuid": "cde2d700-9ed1-46cf-9bce-07364fe8b24f", "value": "Reg - S0075" }, @@ -710,6 +1056,15 @@ "spwebmember" ] }, + "related": [ + { + "dest-uuid": "d28ef391-8ed4-45dc-bc4a-2f43abf54416", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + } + ], "uuid": "33b9e38f-103c-412d-bdcf-904a91fff1e4", "value": "spwebmember - S0227" }, @@ -732,6 +1087,13 @@ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" + }, + { + "dest-uuid": "7fd87010-3a00-4da3-b905-410525e8ec44", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "cb69b20d-56d0-41ab-8440-4a4b251614d4", @@ -749,6 +1111,15 @@ "sqlmap" ] }, + "related": [ + { + "dest-uuid": "3f886f2a-874f-4333-b794-aa6075009b1c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + } + ], "uuid": "9a2640c2-9f43-46fe-b13f-bde881e55555", "value": "sqlmap - S0225" }, 
@@ -785,6 +1156,13 @@ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" + }, + { + "dest-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "aafea02e-ece5-4bb2-91a6-3bf8c7f38a39", @@ -802,9 +1180,18 @@ "Invoke-PSImage" ] }, + "related": [ + { + "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + } + ], "uuid": "b52d6583-14a2-4ddc-8527-87fd2142558f", "value": "Invoke-PSImage - S0231" } ], - "version": 6 -} + "version": 7 +} \ No newline at end of file diff --git a/clusters/mitre-mobile-attack-course-of-action.json b/clusters/mitre-mobile-attack-course-of-action.json index 63b5548..ad091ce 100644 --- a/clusters/mitre-mobile-attack-course-of-action.json +++ b/clusters/mitre-mobile-attack-course-of-action.json @@ -13,6 +13,15 @@ "meta": { "external_id": "MOB-M1010" }, + "related": [ + { + "dest-uuid": "9d7c32f4-ab39-49dc-8055-8106bc2294a1", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], "uuid": "cf2cccb1-cab8-431a-8ecf-f7874d05f433", "value": "Deploy Compromised Device Detection Method - MOB-M1010" }, @@ -21,6 +30,15 @@ "meta": { "external_id": "MOB-M1014" }, + "related": [ + { + "dest-uuid": "fb3fa94a-3aee-4ab0-b7e7-abdf0a51286d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], "uuid": "e829ee51-1caf-4665-ba15-7f8979634124", "value": "Interconnection Filtering - MOB-M1014" }, 
@@ -29,6 +47,15 @@ "meta": { "external_id": "MOB-M1008" }, + "related": [ + { + "dest-uuid": "702055ac-4e54-4ae9-9527-e23a38e0b160", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], "uuid": "d2a199d2-dfea-4d0c-987d-6195ed17be9c", "value": "Use Device-Provided Credential Storage - MOB-M1008" }, @@ -37,6 +64,15 @@ "meta": { "external_id": "MOB-M1006" }, + "related": [ + { + "dest-uuid": "a0464539-e1b7-4455-a355-12495987c300", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], "uuid": "0beabf44-e8d8-4ae4-9122-ef56369a2564", "value": "Use Recent OS Version - MOB-M1006" }, @@ -45,6 +81,15 @@ "meta": { "external_id": "MOB-M1001" }, + "related": [ + { + "dest-uuid": "f296fc9c-2ff5-43ee-941e-6b49c438270a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], "uuid": "bcecd036-f40e-4916-9f8e-fd0ccf0ece8d", "value": "Security Updates - MOB-M1001" }, @@ -53,6 +98,15 @@ "meta": { "external_id": "MOB-M1003" }, + "related": [ + { + "dest-uuid": "46d818a5-67fa-4585-a7fc-ecf15376c8d5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], "uuid": "8ccd428d-39da-4e8f-a55b-d48ea1d56e58", "value": "Lock Bootloader - MOB-M1003" }, @@ -61,6 +115,15 @@ "meta": { "external_id": "MOB-M1004" }, + "related": [ + { + "dest-uuid": "c5089859-b21f-40a3-8be4-63e381b8b1c0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], "uuid": "7b1cf46f-784b-405a-a8dd-4624c19d8321", "value": "System Partition Integrity - MOB-M1004" }, 
@@ -69,6 +132,15 @@ "meta": { "external_id": "MOB-M1002" }, + "related": [ + { + "dest-uuid": "46d818a5-67fa-4585-a7fc-ecf15376c8d5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], "uuid": "ff4821f6-5afb-481b-8c0f-26c28c0d666c", "value": "Attestation - MOB-M1002" }, @@ -77,6 +149,15 @@ "meta": { "external_id": "MOB-M1007" }, + "related": [ + { + "dest-uuid": "8e27551a-5080-4148-a584-c64348212e4f", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], "uuid": "e944670c-d03a-4e93-a21c-b3d4c53ec4c9", "value": "Caution with Device Administrator Access - MOB-M1007" }, @@ -85,6 +166,15 @@ "meta": { "external_id": "MOB-M1013" }, + "related": [ + { + "dest-uuid": "29e07491-8947-43a3-8d4e-9a787c45f3d3", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], "uuid": "25dc1ce8-eb55-4333-ae30-a7cb4f5894a1", "value": "Application Developer Guidance - MOB-M1013" }, @@ -93,6 +183,15 @@ "meta": { "external_id": "MOB-M1005" }, + "related": [ + { + "dest-uuid": "d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], "uuid": "1553b156-6767-47f7-9eb4-2a692505666d", "value": "Application Vetting - MOB-M1005" }, @@ -101,6 +200,15 @@ "meta": { "external_id": "MOB-M1011" }, + "related": [ + { + "dest-uuid": "a0464539-e1b7-4455-a355-12495987c300", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], "uuid": "653492e3-27be-4a0e-b08c-938dd2b7e0e1", "value": "User Guidance - MOB-M1011" }, 
@@ -109,6 +217,15 @@ "meta": { "external_id": "MOB-M1012" }, + "related": [ + { + "dest-uuid": "51aedbd6-2837-4d15-aeb0-cb09f2bf22ac", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], "uuid": "649f7268-4c12-483b-ac84-4b7bca9fe2ee", "value": "Enterprise Policy - MOB-M1012" }, @@ -117,9 +234,18 @@ "meta": { "external_id": "MOB-M1009" }, + "related": [ + { + "dest-uuid": "393e8c12-a416-4575-ba90-19cc85656796", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "mitigates" + } + ], "uuid": "8220b57e-c400-4525-bf69-f8edc6b389a8", "value": "Encrypt Network Traffic - MOB-M1009" } ], - "version": 3 -} + "version": 4 +} \ No newline at end of file diff --git a/clusters/mitre-mobile-attack-malware.json b/clusters/mitre-mobile-attack-malware.json index 7539090..58ad3eb 100644 --- a/clusters/mitre-mobile-attack-malware.json +++ b/clusters/mitre-mobile-attack-malware.json @@ -27,6 +27,13 @@ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" + }, + { + "dest-uuid": "e8b4e1ec-8e3b-484c-9038-4459b1ed8060", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "a3dad2be-ce62-4440-953b-00fbce7aba93", @@ -44,6 +51,15 @@ "Trojan-SMS.AndroidOS.Agent.ao" ] }, + "related": [ + { + "dest-uuid": "6a3f6490-9c44-40de-b059-e5940f246673", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + } + ], "uuid": "a1867c56-8c86-455a-96ad-b0d5f7e2bc17", "value": "Trojan-SMS.AndroidOS.Agent.ao - MOB-S0023" }, @@ -65,6 +81,13 @@ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" + }, + { + "dest-uuid": "667e5707-3843-4da8-bd34-88b922526f0d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "507fe748-5e4a-4b45-9e9f-8b1115f4e878", 
@@ -82,6 +105,15 @@ "KeyRaider" ] }, + "related": [ + { + "dest-uuid": "3b0b604f-10db-41a0-b54c-493124d455b9", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + } + ], "uuid": "3bc1f0ad-ef11-4afc-83c0-fcffe08d4e50", "value": "KeyRaider - MOB-S0004" }, @@ -98,6 +130,15 @@ "BrainTest" ] }, + "related": [ + { + "dest-uuid": "6c49d50f-494d-4150-b774-a655022d20a6", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + } + ], "uuid": "e13d084c-382f-40fd-aa9a-98d69e20301e", "value": "BrainTest - MOB-S0009" }, @@ -123,6 +164,13 @@ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" + }, + { + "dest-uuid": "a93ccb8f-3996-42e2-b7c7-bb599d4e205f", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "c80a6bef-b3ce-44d0-b113-946e93124898", @@ -140,6 +188,15 @@ "DressCode" ] }, + "related": [ + { + "dest-uuid": "22379609-a99f-4a01-bd7e-70f3e105859d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + } + ], "uuid": "ff742eeb-1f90-4f5a-8b92-9d40fffd99ca", "value": "DressCode - MOB-S0016" }, @@ -156,6 +213,15 @@ "Adups" ] }, + "related": [ + { + "dest-uuid": "99e6295e-741b-4857-b6e5-64989eb039b4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + } + ], "uuid": "f6ac21b6-2592-400c-8472-10d0e2f1bfaf", "value": "Adups - MOB-S0025" }, @@ -186,6 +252,13 @@ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" + }, + { + "dest-uuid": "e8b4e1ec-8e3b-484c-9038-4459b1ed8060", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "33d9d91d-aad9-49d5-a516-220ce101ac8a", 
@@ -203,6 +276,15 @@ "RuMMS" ] }, + "related": [ + { + "dest-uuid": "d4536441-1bcc-49fa-80ae-a596ed3f7ffd", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + } + ], "uuid": "936be60d-90eb-4c36-9247-4b31128432c4", "value": "RuMMS - MOB-S0029" }, @@ -225,6 +307,13 @@ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" + }, + { + "dest-uuid": "f981d199-2720-467e-9dc9-eea04dbe05cf", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "c8770c81-c29f-40d2-a140-38544206b2b4", @@ -242,6 +331,15 @@ "Trojan-SMS.AndroidOS.OpFake.a" ] }, + "related": [ + { + "dest-uuid": "6a3f6490-9c44-40de-b059-e5940f246673", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + } + ], "uuid": "d89c132d-7752-4c7f-9372-954a71522985", "value": "Trojan-SMS.AndroidOS.OpFake.a - MOB-S0024" }, @@ -264,6 +362,13 @@ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" + }, + { + "dest-uuid": "6683aa0c-d98a-4f5b-ac57-ca7e9934a760", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "317a2c10-d489-431e-b6b2-f0251fddc88e", @@ -281,6 +386,15 @@ "MazarBOT" ] }, + "related": [ + { + "dest-uuid": "e8b4e1ec-8e3b-484c-9038-4459b1ed8060", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + } + ], "uuid": "5ddf81ea-2c06-497b-8c30-5f1ab89a40f9", "value": "MazarBOT - MOB-S0019" }, @@ -297,6 +411,15 @@ "Gooligan" ] }, + "related": [ + { + "dest-uuid": "702055ac-4e54-4ae9-9527-e23a38e0b160", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + } + ], "uuid": "20d56cd6-8dff-4871-9889-d32d254816de", "value": "Gooligan - MOB-S0006" }, 
@@ -312,6 +435,15 @@ "OldBoot" ] }, + "related": [ + { + "dest-uuid": "46d818a5-67fa-4585-a7fc-ecf15376c8d5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + } + ], "uuid": "2074b2ad-612e-4758-adce-7901c1b49bbc", "value": "OldBoot - MOB-S0001" }, @@ -333,6 +465,13 @@ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" + }, + { + "dest-uuid": "d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "326eaf7b-5784-4f08-8fc2-61fd5d5bc5fb", @@ -351,6 +490,15 @@ "DroidJack RAT" ] }, + "related": [ + { + "dest-uuid": "a93ccb8f-3996-42e2-b7c7-bb599d4e205f", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + } + ], "uuid": "05c4f87c-be8f-46ea-8d9a-2a0aad8f52c1", "value": "DroidJack RAT - MOB-S0036" }, @@ -366,6 +514,15 @@ "HummingWhale" ] }, + "related": [ + { + "dest-uuid": "f981d199-2720-467e-9dc9-eea04dbe05cf", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + } + ], "uuid": "6447e3a1-ef4d-44b1-99d5-6b1c4888674f", "value": "HummingWhale - MOB-S0037" }, @@ -381,6 +538,15 @@ "ANDROIDOS_ANSERVER.A" ] }, + "related": [ + { + "dest-uuid": "6a3f6490-9c44-40de-b059-e5940f246673", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + } + ], "uuid": "4bf6ba32-4165-42c1-b911-9c36165891c8", "value": "ANDROIDOS_ANSERVER.A - MOB-S0026" }, @@ -396,6 +562,15 @@ "Trojan-SMS.AndroidOS.FakeInst.a" ] }, + "related": [ + { + "dest-uuid": "6a3f6490-9c44-40de-b059-e5940f246673", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + } + ], "uuid": "28e39395-91e7-4f02-b694-5e079c964da9", "value": "Trojan-SMS.AndroidOS.FakeInst.a - MOB-S0022" }, 
@@ -411,6 +586,15 @@ "NotCompatible" ] }, + "related": [ + { + "dest-uuid": "22379609-a99f-4a01-bd7e-70f3e105859d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + } + ], "uuid": "23040c15-e7d8-47b5-8c16-8fd3e0e297fe", "value": "NotCompatible - MOB-S0015" }, @@ -454,6 +638,13 @@ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" + }, + { + "dest-uuid": "a93ccb8f-3996-42e2-b7c7-bb599d4e205f", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "56660521-6db4-4e5a-a927-464f22954b7c", @@ -471,6 +662,15 @@ "Twitoor" ] }, + "related": [ + { + "dest-uuid": "6a3f6490-9c44-40de-b059-e5940f246673", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + } + ], "uuid": "41e3fd01-7b83-471f-835d-d2b1dc9a770c", "value": "Twitoor - MOB-S0018" }, @@ -486,6 +686,15 @@ "OBAD" ] }, + "related": [ + { + "dest-uuid": "d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + } + ], "uuid": "ca4f63b9-a358-4214-bb26-8c912318cfde", "value": "OBAD - MOB-S0002" }, @@ -501,6 +710,15 @@ "Android/Chuli.A" ] }, + "related": [ + { + "dest-uuid": "1f96d624-8409-4472-ad8a-30618ee6b2e2", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + } + ], "uuid": "d05f7357-4cbe-47ea-bf83-b8604226d533", "value": "Android/Chuli.A - MOB-S0020" }, @@ -516,6 +734,15 @@ "PJApps" ] }, + "related": [ + { + "dest-uuid": "d4536441-1bcc-49fa-80ae-a596ed3f7ffd", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + } + ], "uuid": "c709da93-20c3-4d17-ab68-48cba76b2137", "value": "PJApps - MOB-S0007" }, 
@@ -531,6 +758,15 @@ "AndroidOverlayMalware" ] }, + "related": [ + { + "dest-uuid": "3dd58c80-4c2e-458c-9503-1b2cd273c4d2", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + } + ], "uuid": "b6d3657a-2d6a-400f-8b7e-4d60391aa1f7", "value": "AndroidOverlayMalware - MOB-S0012" }, @@ -546,6 +782,15 @@ "ZergHelper" ] }, + "related": [ + { + "dest-uuid": "b765efd1-02e6-4e67-aebf-0fef5c37e54b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + } + ], "uuid": "3c3b55a6-c3e9-4043-8aae-283fe96220c0", "value": "ZergHelper - MOB-S0003" }, @@ -561,6 +806,15 @@ "SpyNote RAT" ] }, + "related": [ + { + "dest-uuid": "e8b4e1ec-8e3b-484c-9038-4459b1ed8060", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + } + ], "uuid": "20dbaf05-59b8-4dc6-8777-0b17f4553a23", "value": "SpyNote RAT - MOB-S0021" }, @@ -576,6 +830,15 @@ "RCSAndroid" ] }, + "related": [ + { + "dest-uuid": "6c49d50f-494d-4150-b774-a655022d20a6", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + } + ], "uuid": "363bc05d-13cb-4e98-a5b7-e250f2bbdc2b", "value": "RCSAndroid - MOB-S0011" }, @@ -598,6 +861,13 @@ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" + }, + { + "dest-uuid": "4e6620ac-c30c-4f6d-918e-fa20cae7c1ce", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "d1c600f8-0fb6-4367-921b-85b71947d950", @@ -614,6 +884,15 @@ "YiSpecter" ] }, + "related": [ + { + "dest-uuid": "51aedbd6-2837-4d15-aeb0-cb09f2bf22ac", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + } + ], "uuid": "a15c9357-2be0-4836-beec-594f28b9b4a9", "value": "YiSpecter - MOB-S0027" }, 
@@ -645,6 +924,13 @@ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" + }, + { + "dest-uuid": "198ce408-1470-45ee-b47f-7056050d4fc2", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "93799a9d-3537-43d8-b6f4-17215de1657c", @@ -663,9 +949,18 @@ "XcodeGhost" ] }, + "related": [ + { + "dest-uuid": "c4b96c0b-cb58-497a-a1c2-bb447d79d692", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + } + ], "uuid": "d9e07aea-baad-4b68-bdca-90c77647d7f9", "value": "XcodeGhost - MOB-S0013" } ], - "version": 5 -} + "version": 6 +} \ No newline at end of file diff --git a/clusters/mitre-mobile-attack-tool.json b/clusters/mitre-mobile-attack-tool.json index b1f4c97..e895d9a 100644 --- a/clusters/mitre-mobile-attack-tool.json +++ b/clusters/mitre-mobile-attack-tool.json @@ -41,11 +41,18 @@ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" + }, + { + "dest-uuid": "e8b4e1ec-8e3b-484c-9038-4459b1ed8060", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "da21929e-40c0-443d-bdf4-6b60d15448b4", "value": "Xbot - MOB-S0014" } ], - "version": 5 -} + "version": 6 +} \ No newline at end of file diff --git a/clusters/mitre-pre-attack-attack-pattern.json b/clusters/mitre-pre-attack-attack-pattern.json index 20ebdb2..6e2f84c 100644 --- a/clusters/mitre-pre-attack-attack-pattern.json +++ b/clusters/mitre-pre-attack-attack-pattern.json @@ -33,6 +33,15 @@ "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1108" ] }, + "related": [ + { + "dest-uuid": "e6ca2820-a564-4b74-b42a-b6bdf052e5b6", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "72c8d526-1247-42d4-919c-6d7a31ca8f39", "value": "Obfuscate infrastructure - PRE-T1108" }, 
@@ -173,6 +182,15 @@ "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1025" ] }, + "related": [ + { + "dest-uuid": "7718e92f-b011-4f88-b822-ae245a1de407", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "c721b235-679a-4d76-9ae9-e08921fccf84", "value": "Identify job postings and needs/gaps - PRE-T1025" }, @@ -369,6 +387,15 @@ "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1077" ] }, + "related": [ + { + "dest-uuid": "96eb59d1-6c46-44bb-bfcd-56be02a00d41", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "7baccb84-356c-4e89-8c5d-58e701f033fc", "value": "Analyze organizational skillsets and deficiencies - PRE-T1077" }, @@ -439,6 +466,15 @@ "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1026" ] }, + "related": [ + { + "dest-uuid": "af358cad-eb71-4e91-a752-236edc237dae", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "74a3288e-eee9-4f8e-973a-fbc128e033f1", "value": "Conduct social engineering - PRE-T1026" }, @@ -453,6 +489,15 @@ "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1106" ] }, + "related": [ + { + "dest-uuid": "286cc500-4291-45c2-99a1-e760db176402", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "795c1a92-3a26-453e-b99a-6a566aa94dc6", "value": "Acquire and/or use 3rd party infrastructure services - PRE-T1106" }, 
@@ -481,6 +526,15 @@ "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1074" ] }, + "related": [ + { + "dest-uuid": "092f05e3-f7c0-4cd2-91be-3a8d6ed3cadc", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "96eb59d1-6c46-44bb-bfcd-56be02a00d41", "value": "Analyze organizational skillsets and deficiencies - PRE-T1074" }, @@ -509,6 +563,15 @@ "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1109" ] }, + "related": [ + { + "dest-uuid": "e5164428-03ca-4336-a9a7-4d9ea1417e59", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "03f4a766-7a21-4b5e-9ccf-e0cf422ab983", "value": "Acquire or compromise 3rd party signing certificates - PRE-T1109" }, @@ -593,6 +656,15 @@ "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1023" ] }, + "related": [ + { + "dest-uuid": "7860e21e-7514-4a3f-8a9d-56405ccfdb0c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "78e41091-d10d-4001-b202-89612892b6ff", "value": "Identify supply chains - PRE-T1023" }, @@ -635,6 +707,15 @@ "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1060" ] }, + "related": [ + { + "dest-uuid": "5b6ce031-bb86-407a-9984-2b9700ac4549", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "73e7d7d5-1782-4cd0-a4d7-00c7ec051c2a", "value": "Identify business relationships - PRE-T1060" }, @@ -747,6 +828,15 @@ "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1049" ] }, + "related": [ + { + "dest-uuid": "73e7d7d5-1782-4cd0-a4d7-00c7ec051c2a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "5b6ce031-bb86-407a-9984-2b9700ac4549", "value": "Identify business relationships - PRE-T1049" }, 
@@ -803,6 +893,15 @@ "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1088" ] }, + "related": [ + { + "dest-uuid": "54eb2bab-125f-4d1c-b999-0c692860bafe", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "20a66013-8dab-4ca3-a67d-766c842c561c", "value": "Dynamic DNS - PRE-T1088" }, @@ -929,6 +1028,15 @@ "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1037" ] }, + "related": [ + { + "dest-uuid": "dfa4eaf4-50d9-49de-89e9-d33f579f3e05", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "856a9371-4f0f-4ea9-946e-f3144204240f", "value": "Determine 3rd party infrastructure services - PRE-T1037" }, @@ -957,6 +1065,15 @@ "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1141" ] }, + "related": [ + { + "dest-uuid": "103d72e6-7e0d-4b3a-9373-c38567305c33", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "eacd1efe-ee30-4b03-b58f-5b3b1adfe45d", "value": "Friend/Follow/Connect to targets of interest - PRE-T1141" }, @@ -1027,6 +1144,15 @@ "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1084" ] }, + "related": [ + { + "dest-uuid": "795c1a92-3a26-453e-b99a-6a566aa94dc6", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "286cc500-4291-45c2-99a1-e760db176402", "value": "Acquire and/or use 3rd party infrastructure services - PRE-T1084" }, @@ -1265,6 +1391,15 @@ "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1055" ] }, + "related": [ + { + "dest-uuid": "c721b235-679a-4d76-9ae9-e08921fccf84", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "7718e92f-b011-4f88-b822-ae245a1de407", "value": "Identify job postings and needs/gaps - PRE-T1055" }, 
@@ -1279,6 +1414,15 @@ "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1056" ] }, + "related": [ + { + "dest-uuid": "af358cad-eb71-4e91-a752-236edc237dae", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "a757670d-d600-48d9-8ae9-601d42c184a5", "value": "Conduct social engineering - PRE-T1056" }, @@ -1293,6 +1437,15 @@ "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1053" ] }, + "related": [ + { + "dest-uuid": "59369f72-3005-4e54-9095-3d00efcece73", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "7860e21e-7514-4a3f-8a9d-56405ccfdb0c", "value": "Identify supply chains - PRE-T1053" }, @@ -1321,6 +1474,15 @@ "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1111" ] }, + "related": [ + { + "dest-uuid": "4900fabf-1142-4c1f-92f5-0b590e049077", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "e51398e6-53dc-4e9f-a323-e54683d8672b", "value": "Compromise 3rd party infrastructure to support delivery - PRE-T1111" }, @@ -1335,6 +1497,15 @@ "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1086" ] }, + "related": [ + { + "dest-uuid": "72c8d526-1247-42d4-919c-6d7a31ca8f39", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "e6ca2820-a564-4b74-b42a-b6bdf052e5b6", "value": "Obfuscate infrastructure - PRE-T1086" }, @@ -1517,6 +1688,15 @@ "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1121" ] }, + "related": [ + { + "dest-uuid": "eacd1efe-ee30-4b03-b58f-5b3b1adfe45d", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "103d72e6-7e0d-4b3a-9373-c38567305c33", "value": "Friend/Follow/Connect to targets of interest - PRE-T1121" }, 
@@ -1559,6 +1739,15 @@ "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1054" ] }, + "related": [ + { + "dest-uuid": "2b9a666e-bd59-4f67-9031-ed41b428e04a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "028ad431-84c5-4eb7-a364-2b797c234f88", "value": "Acquire OSINT data sets and information - PRE-T1054" }, @@ -1629,6 +1818,15 @@ "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1061" ] }, + "related": [ + { + "dest-uuid": "856a9371-4f0f-4ea9-946e-f3144204240f", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "dfa4eaf4-50d9-49de-89e9-d33f579f3e05", "value": "Determine 3rd party infrastructure services - PRE-T1061" }, @@ -1657,6 +1855,15 @@ "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1089" ] }, + "related": [ + { + "dest-uuid": "e51398e6-53dc-4e9f-a323-e54683d8672b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "4900fabf-1142-4c1f-92f5-0b590e049077", "value": "Compromise 3rd party infrastructure to support delivery - PRE-T1089" }, @@ -1769,6 +1976,15 @@ "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1087" ] }, + "related": [ + { + "dest-uuid": "03f4a766-7a21-4b5e-9ccf-e0cf422ab983", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "e5164428-03ca-4336-a9a7-4d9ea1417e59", "value": "Acquire or compromise 3rd party signing certificates - PRE-T1087" }, 
@@ -1881,6 +2097,15 @@ "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1024" ] }, + "related": [ + { + "dest-uuid": "2b9a666e-bd59-4f67-9031-ed41b428e04a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "784ff1bc-1483-41fe-a172-4cd9ae25c06b", "value": "Acquire OSINT data sets and information - PRE-T1024" }, @@ -1895,6 +2120,15 @@ "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1085" ] }, + "related": [ + { + "dest-uuid": "488da8ed-2887-4ef6-a39a-5b69bc6682c6", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "1a295f87-af63-4d94-b130-039d6221fb11", "value": "Acquire and/or use 3rd party software services - PRE-T1085" }, @@ -1923,6 +2157,15 @@ "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1044" ] }, + "related": [ + { + "dest-uuid": "7718e92f-b011-4f88-b822-ae245a1de407", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "0722cd65-0c83-4c89-9502-539198467ab1", "value": "Identify job postings and needs/gaps - PRE-T1044" }, @@ -1951,6 +2194,15 @@ "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1107" ] }, + "related": [ + { + "dest-uuid": "1a295f87-af63-4d94-b130-039d6221fb11", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "488da8ed-2887-4ef6-a39a-5b69bc6682c6", "value": "Acquire and/or use 3rd party software services - PRE-T1107" }, @@ -1979,6 +2231,15 @@ "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1110" ] }, + "related": [ + { + "dest-uuid": "20a66013-8dab-4ca3-a67d-766c842c561c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "54eb2bab-125f-4d1c-b999-0c692860bafe", "value": "Dynamic DNS - PRE-T1110" }, 
@@ -2021,6 +2282,15 @@ "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1043" ] }, + "related": [ + { + "dest-uuid": "028ad431-84c5-4eb7-a364-2b797c234f88", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "2b9a666e-bd59-4f67-9031-ed41b428e04a", "value": "Acquire OSINT data sets and information - PRE-T1043" }, @@ -2077,6 +2347,15 @@ "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1066" ] }, + "related": [ + { + "dest-uuid": "96eb59d1-6c46-44bb-bfcd-56be02a00d41", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "092f05e3-f7c0-4cd2-91be-3a8d6ed3cadc", "value": "Analyze organizational skillsets and deficiencies - PRE-T1066" }, @@ -2147,6 +2426,15 @@ "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1042" ] }, + "related": [ + { + "dest-uuid": "7860e21e-7514-4a3f-8a9d-56405ccfdb0c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "59369f72-3005-4e54-9095-3d00efcece73", "value": "Identify supply chains - PRE-T1042" }, @@ -2357,6 +2645,15 @@ "https://attack.mitre.org/pre-attack/index.php/Technique/PRE-T1045" ] }, + "related": [ + { + "dest-uuid": "74a3288e-eee9-4f8e-973a-fbc128e033f1", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], "uuid": "af358cad-eb71-4e91-a752-236edc237dae", "value": "Conduct social engineering - PRE-T1045" }, @@ -2445,5 +2742,5 @@ "value": "Data Hiding - PRE-T1097" } ], - "version": 3 -} + "version": 4 +} \ No newline at end of file diff --git a/clusters/mitre-pre-attack-intrusion-set.json b/clusters/mitre-pre-attack-intrusion-set.json index ae7fd50..4212740 100644 --- a/clusters/mitre-pre-attack-intrusion-set.json +++ b/clusters/mitre-pre-attack-intrusion-set.json 
@@ -20,6 +20,15 @@ "APT16" ] }, + "related": [ + { + "dest-uuid": "3cab1b76-2f40-4cd0-8d2c-7ed16eeb909c", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" + } + ], "uuid": "d6e88e18-81e8-4709-82d8-973095da1e70", "value": "APT16 - G0023" }, @@ -59,6 +68,13 @@ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" + }, + { + "dest-uuid": "62b8c999-dcc0-4755-bd69-09442d9359f5", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "bef4c620-0787-42a8-a96d-b7eb6e85917c", @@ -142,6 +158,13 @@ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" + }, + { + "dest-uuid": "c0c45d38-fe57-4cd4-b2b2-9ecd0ddd4ca9", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "8f5e8dc7-739d-4f5e-a8a1-a66e004d7063", @@ -170,6 +193,13 @@ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" + }, + { + "dest-uuid": "8beac7c2-48d2-4cd9-9b15-6c452f38ac06", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "c47f937f-1022-4f42-8525-e7a4779a14cb", @@ -197,6 +227,13 @@ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" + }, + { + "dest-uuid": "1608f3e1-598a-42f4-a01a-2e252e81728f", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "6a2e693f-24e5-451a-9f88-b36a108e5662", @@ -223,6 +260,13 @@ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" + }, + { + "dest-uuid": "88c621a7-aef9-4ae0-94e3-1fc87123eb24", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "23b6a0f5-fa95-46f9-a6f3-4549c5e45ec8", 
@@ -269,11 +313,18 @@ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" + }, + { + "dest-uuid": "d69c8146-ab35-4d50-8382-6fc80e641d43", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "uses" } ], "uuid": "090242d7-73fc-4738-af68-20162f7a5aae", "value": "APT17 - G0025" } ], - "version": 4 -} + "version": 5 +} \ No newline at end of file diff --git a/tools/mitre-cti/v2.0/create_mitre-enterprise-attack-relationship_galaxy.py b/tools/mitre-cti/v2.0/create_mitre-enterprise-attack-relationship_galaxy.py deleted file mode 100644 index ea372f5..0000000 --- a/tools/mitre-cti/v2.0/create_mitre-enterprise-attack-relationship_galaxy.py +++ /dev/null 
@@ -1,102 +0,0 @@ -#!/usr/bin/env python -# -*- coding: utf-8 -*- - -import json -import re -import os -import argparse - -parser = argparse.ArgumentParser(description='Create a couple galaxy/cluster with cti\'s relationship\nMust be in the mitre/cti/enterprise-attack/relationship folder') -parser.add_argument("-v", "--version", type=int, required=True, help="Version of the galaxy. Please increment the previous one") -args = parser.parse_args() - -values = [] - -path = "relationship/" -for element in os.listdir(path): - with open(path+element) as json_data: - d = json.load(json_data) - json_data.close() - - temp = d['objects'][0] - source = temp['source_ref'] - target = temp['target_ref'] - relationship = temp['relationship_type'] - - if source.startswith('attack-pattern'): - paths = "attack-pattern/" - elif source.startswith('course-of-action'): - paths = "course-of-action/" - elif source.startswith('identity'): - paths = "identity/" - elif source.startswith('intrusion-set'): - paths = "intrusion-set/" - elif source.startswith('malware'): - paths = "malware/" - elif source.startswith('marking-definition'): - paths = "marking-definition/" - elif source.startswith('tool'): - paths = "tool/" - else: - print('Invalid value') - continue - - with open(paths+source+'.json') as json_data: - s = json.load(json_data) - json_data.close() - - if target.startswith('attack-pattern'): - patht = "attack-pattern/" - elif target.startswith('course-of-action'): - patht = "course-of-action/" - elif target.startswith('identity'): - patht = "identity/" - elif target.startswith('intrusion-set'): - patht = "intrusion-set/" - elif target.startswith('malware'): - patht = "malware/" - elif target.startswith('marking-definition'): - patht = "marking-definition/" - elif target.startswith('tool'): - patht = "tool/" - else: - print('Invalid value') - continue - - with open(patht+target+'.json') as json_data: - t = json.load(json_data) - json_data.close() - - value = {} - value['meta'] = {} - 
value['uuid'] = re.search('--(.*)$', temp['id']).group(0)[2:] - value['meta']['source-uuid'] = re.search('--(.*)$', s['objects'][0]['id']).group(0)[2:] - value['meta']['target-uuid'] = re.search('--(.*)$', t['objects'][0]['id']).group(0)[2:] - value['value'] = s['objects'][0]['name'] + ' (' + s['objects'][0]['external_references'][0]['external_id'] + ') ' + relationship + ' ' + t['objects'][0]['name'] + ' (' + t['objects'][0]['external_references'][0]['external_id'] + ')' - # value['value'] = s['objects'][0]['name'] + ' ' + relationship + ' ' + t['objects'][0]['name'] - values.append(value) - -galaxy = {} -galaxy['name'] = "Enterprise Attack - Relationship" -galaxy['type'] = "mitre-enterprise-attack-relationship" -galaxy['description'] = "Mitre Relationship" -galaxy['uuid' ] = "fc404638-1707-11e8-a5cf-b78b9b562766" -galaxy['version'] = args.version -galaxy['icon'] = "link" -galaxy['namespace'] = "mitre-attack" - -cluster = {} -cluster['name'] = "Enterprise Attack - Relationship" -cluster['type'] = "mitre-enterprise-attack-relationship" -cluster['description'] = "MITRE Relationship" -cluster['version'] = args.version -cluster['source'] = "https://github.com/mitre/cti" -cluster['uuid' ] = "fc605f90-1707-11e8-9d6a-9f165ac2ab5c" -cluster['authors'] = ["MITRE"] -cluster['values'] = values - -with open('generate/galaxies/mitre-enterprise-attack-relationship.json', 'w') as galaxy_file: - json.dump(galaxy, galaxy_file, indent=4) - -with open('generate/clusters/mitre-enterprise-attack-relationship.json', 'w') as cluster_file: - json.dump(cluster, cluster_file, indent=4) diff --git a/tools/mitre-cti/v2.0/create_mitre-mobile-attack-relationship_galaxy.py b/tools/mitre-cti/v2.0/create_mitre-mobile-attack-relationship_galaxy.py deleted file mode 100644 index 98906a8..0000000 --- a/tools/mitre-cti/v2.0/create_mitre-mobile-attack-relationship_galaxy.py +++ /dev/null 
@@ -1,101 +0,0 @@ -#!/usr/bin/env python -# -*- coding: utf-8 -*- - -import json -import re -import os -import argparse - -parser = argparse.ArgumentParser(description='Create a couple galaxy/cluster with cti\'s relationship\nMust be in the mitre/cti/mobile-attack/relationship folder') -parser.add_argument("-v", "--version", type=int, required=True, help="Version of the galaxy. Please increment the previous one") -args = parser.parse_args() - -values = [] - -path = "relationship/" -for element in os.listdir(path): - with open(path+element) as json_data: - d = json.load(json_data) - json_data.close() - - temp = d['objects'][0] - source = temp['source_ref'] - target = temp['target_ref'] - relationship = temp['relationship_type'] - - if source.startswith('attack-pattern'): - paths = "attack-pattern/" - elif source.startswith('course-of-action'): - paths = "course-of-action/" - elif source.startswith('identity'): - paths = "identity/" - elif source.startswith('intrusion-set'): - paths = "intrusion-set/" - elif source.startswith('malware'): - paths = "malware/" - elif source.startswith('marking-definition'): - paths = "marking-definition/" - elif source.startswith('tool'): - paths = "tool/" - else: - print('Invalid value') - continue - - with open(paths+source+'.json') as json_data: - s = json.load(json_data) - json_data.close() - - if target.startswith('attack-pattern'): - patht = "attack-pattern/" - elif target.startswith('course-of-action'): - patht = "course-of-action/" - elif target.startswith('identity'): - patht = "identity/" - elif target.startswith('intrusion-set'): - patht = "intrusion-set/" - elif target.startswith('malware'): - patht = "malware/" - elif target.startswith('marking-definition'): - patht = "marking-definition/" - elif target.startswith('tool'): - patht = "tool/" - else: - print('Invalid value') - continue - - with open(patht+target+'.json') as json_data: - t = json.load(json_data) - json_data.close() - - value = {} - value['meta'] = {} - 
value['uuid'] = re.search('--(.*)$', temp['id']).group(0)[2:] - value['meta']['source-uuid'] = re.search('--(.*)$', s['objects'][0]['id']).group(0)[2:] - value['meta']['target-uuid'] = re.search('--(.*)$', t['objects'][0]['id']).group(0)[2:] - value['value'] = s['objects'][0]['name'] + ' (' + s['objects'][0]['external_references'][0]['external_id'] + ') ' + relationship + ' ' + t['objects'][0]['name'] + ' (' + t['objects'][0]['external_references'][0]['external_id'] + ')' - values.append(value) - -galaxy = {} -galaxy['name'] = "Mobile Attack - Relationship" -galaxy['type'] = "mitre-mobile-attack-relationship" -galaxy['description'] = "Mitre Relationship" -galaxy['uuid' ] = "fc8471aa-1707-11e8-b306-33cbe96a1ede" -galaxy['version'] = args.version -galaxy['icon'] = "link" -galaxy['namespace'] = "mitre-attack" - -cluster = {} -cluster['name'] = "Mobile Attack - Relationship" -cluster['type'] = "mitre-mobile-attack-relationship" -cluster['description'] = "MITRE Relationship" -cluster['version'] = args.version -cluster['source'] = "https://github.com/mitre/cti" -cluster['uuid' ] = "02f1fc42-1708-11e8-a4f2-eb70472c5901" -cluster['authors'] = ["MITRE"] -cluster['values'] = values - -with open('generate/galaxies/mitre-mobile-attack-relationship.json', 'w') as galaxy_file: - json.dump(galaxy, galaxy_file, indent=4) - -with open('generate/clusters/mitre-mobile-attack-relationship.json', 'w') as cluster_file: - json.dump(cluster, cluster_file, indent=4) diff --git a/tools/mitre-cti/v2.0/create_mitre-pre-attack-relationship_galaxy.py b/tools/mitre-cti/v2.0/create_mitre-pre-attack-relationship_galaxy.py deleted file mode 100644 index 42ba2c9..0000000 --- a/tools/mitre-cti/v2.0/create_mitre-pre-attack-relationship_galaxy.py +++ /dev/null 
@@ -1,102 +0,0 @@ -#!/usr/bin/env python -# -*- coding: utf-8 -*- - -import json -import re -import os -import argparse - -parser = argparse.ArgumentParser(description='Create a couple galaxy/cluster with cti\'s relationship\nMust be in the mitre/cti/pre-attack/relationship folder') -parser.add_argument("-v", "--version", type=int, required=True, help="Version of the galaxy. Please increment the previous one") -args = parser.parse_args() - -values = [] - -path = "relationship/" -for element in os.listdir(path): - with open(path+element) as json_data: - d = json.load(json_data) - json_data.close() - - temp = d['objects'][0] - source = temp['source_ref'] - target = temp['target_ref'] - relationship = temp['relationship_type'] - - if source.startswith('attack-pattern'): - paths = "attack-pattern/" - elif source.startswith('course-of-action'): - paths = "course-of-action/" - elif source.startswith('identity'): - paths = "identity/" - elif source.startswith('intrusion-set'): - paths = "intrusion-set/" - elif source.startswith('malware'): - paths = "malware/" - elif source.startswith('marking-definition'): - paths = "marking-definition/" - elif source.startswith('tool'): - paths = "tool/" - else: - print('Invalid value') - continue - - with open(paths+source+'.json') as json_data: - s = json.load(json_data) - json_data.close() - - if target.startswith('attack-pattern'): - patht = "attack-pattern/" - elif target.startswith('course-of-action'): - patht = "course-of-action/" - elif target.startswith('identity'): - patht = "identity/" - elif target.startswith('intrusion-set'): - patht = "intrusion-set/" - elif target.startswith('malware'): - patht = "malware/" - elif target.startswith('marking-definition'): - patht = "marking-definition/" - elif target.startswith('tool'): - patht = "tool/" - else: - print('Invalid value') - continue - - with open(patht+target+'.json') as json_data: - t = json.load(json_data) - json_data.close() - - value = {} - value['meta'] = {} - 
value['uuid'] = re.search('--(.*)$', temp['id']).group(0)[2:] - value['meta']['source-uuid'] = re.search('--(.*)$', s['objects'][0]['id']).group(0)[2:] - value['meta']['target-uuid'] = re.search('--(.*)$', t['objects'][0]['id']).group(0)[2:] - value['value'] = s['objects'][0]['name'] + ' (' + s['objects'][0]['external_references'][0]['external_id'] + ') ' + relationship + ' ' + t['objects'][0]['name'] + ' (' + t['objects'][0]['external_references'][0]['external_id'] + ')' - # value['value'] = s['objects'][0]['name'] + ' ' + relationship + ' ' + t['objects'][0]['name'] - values.append(value) - -galaxy = {} -galaxy['name'] = "Pre Attack - Relationship" -galaxy['type'] = "mitre-pre-attack-relationship" -galaxy['description'] = "Mitre Relationship" -galaxy['uuid' ] = "1f8e3bae-1708-11e8-8e97-4bd2150e5aae" -galaxy['version'] = args.version -galaxy['icon'] = "link" -galaxy['namespace'] = "mitre-attack" - -cluster = {} -cluster['name'] = "Pre Attack - Relationship" -cluster['type'] = "mitre-pre-attack-relationship" -cluster['description'] = "MITRE Relationship" -cluster['version'] = args.version -cluster['source'] = "https://github.com/mitre/cti" -cluster['uuid' ] = "1ffd3108-1708-11e8-9f98-67b378d9094c" -cluster['authors'] = ["MITRE"] -cluster['values'] = values - -with open('generate/galaxies/mitre-pre-attack-relationship.json', 'w') as galaxy_file: - json.dump(galaxy, galaxy_file, indent=4) - -with open('generate/clusters/mitre-pre-attack-relationship.json', 'w') as cluster_file: - json.dump(cluster, cluster_file, indent=4) diff --git a/tools/mitre-cti/v2.0/create_mitre_relationships.py b/tools/mitre-cti/v2.0/create_mitre_relationships.py new file mode 100755 index 0000000..2aa87fe --- /dev/null +++ b/tools/mitre-cti/v2.0/create_mitre_relationships.py 
@@ -0,0 +1,97 @@
+#!/usr/bin/env python3
+
+
+import json
+import re
+import os
+import argparse
+
+parser = argparse.ArgumentParser(description='Create a couple galaxy/cluster with cti\'s relationship\nMust be in the mitre/cti/enterprise-attack/relationship folder')
+parser.add_argument("-p", "--path", required=True, help="Path of the mitre/cti folder")
+args = parser.parse_args()
+
+
+
+# read out all clusters and map them based on uuid
+
+
+# build a mapping between uuids and Clusters
+clusters = []
+pathClusters = '../../../clusters'
+for f in os.listdir(pathClusters):
+ if '.json' in f:
+ clusters.append(f)
+clusters.sort()
+
+cluster_uuids = {}
+for cluster in clusters:
+ fullPathClusters = os.path.join(pathClusters, cluster)
+ with open(fullPathClusters) as fp:
+ c = json.load(fp)
+ for v in c['values']:
+ if 'uuid' not in v:
+ continue
+ cluster_uuids[v['uuid']] = cluster
+
+
+# read out all STIX mappings and store them in a list
+stix_relations = {}
+for subfolder in ['mobile-attack', 'pre-attack', 'enterprise-attack']:
+ curr_dir = os.path.join(args.path, subfolder, 'relationship')
+ for stix_fname in os.listdir(curr_dir):
+ with open(os.path.join(curr_dir, stix_fname)) as f:
+ json_data = json.load(f)
+ for o in json_data['objects']:
+ rel_type = o['relationship_type']
+ dest_uuid = re.findall(r'--([0-9a-f-]+)', o['target_ref']).pop()
+ uuid = re.findall(r'--([0-9a-f-]+)', o['source_ref']).pop()
+ tags = []
+ galaxy_fname = cluster_uuids[uuid]
+ # print("{} \t {} \t {} \t {}".format(rel_type, uuid, dest_uuid, galaxy_fname))
+ if not stix_relations.get(galaxy_fname):
+ stix_relations[galaxy_fname] = {}
+ stix_relations[galaxy_fname][uuid] = {
+ "dest-uuid": dest_uuid,
+ "tags": [
+ "estimative-language:likelihood-probability=\"almost-certain\""
+ ],
+ "type": rel_type
+ }
+
+
+# for each correlation per galaxy-file ,
+# open the file,
+# add the relationship,
+# and save the galaxy file
+for galaxy_fname, relations in stix_relations.items():
+ print("############# {}".format(galaxy_fname))
+ with open(os.path.join(pathClusters, galaxy_fname)) as f_in:
+ file_json = json.load(f_in)
+
+ for k, v in relations.items():
+ # print("{} \t {}".format(k, v))
+ for cluster in file_json['values']:
+ if cluster['uuid'] == k:
+ # skip if mapping already exists
+ skip = False
+ if 'related' in cluster:
+ for r in cluster['related']:
+ if r['dest-uuid'] == v['dest-uuid']:
+ print(" Mapping already exists! skipping... {}".format(v))
+ skip = True
+ break
+ if skip:
+ break
+ if 'related' not in cluster:
+ cluster['related'] = []
+ cluster['related'].append(v)
+ print(" Adding mapping: {}".format(v))
+ break
+
+ # increment version
+ file_json['version'] += 1
+
+ with open(os.path.join(pathClusters, galaxy_fname), 'w') as f_out:
+ json.dump(file_json, f_out, indent=2, sort_keys=True, ensure_ascii=False)
+
+ file_json = None
From 2bb4df134b8d230c06a395ad0d6cb0ec6055d8a7 Mon Sep 17 00:00:00 2001 From: Christophe Vandeplas Date: Wed, 17 Oct 2018 08:20:12 +0200 Subject: [PATCH 03/17] chg: removal of older unused relationships --- .../mitre-enterprise-attack-relationship.json | 17277 ---------------- .../mitre-mobile-attack-relationship.json | 1973 -- clusters/mitre-pre-attack-relationship.json | 925 - .../mitre-enterprise-attack-relationship.json | 9 - .../mitre-mobile-attack-relationship.json | 9 - galaxies/mitre-pre-attack-relationship.json | 9 - 6 files changed, 20202 deletions(-) delete mode 100644 clusters/mitre-enterprise-attack-relationship.json delete mode 100644 clusters/mitre-mobile-attack-relationship.json delete mode 100644 clusters/mitre-pre-attack-relationship.json delete mode 100644 galaxies/mitre-enterprise-attack-relationship.json delete mode 100644 galaxies/mitre-mobile-attack-relationship.json delete mode 100644 galaxies/mitre-pre-attack-relationship.json 
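Review bot: In the new create_mitre_relationships.py, `stix_relations[galaxy_fname][uuid] = {...}` keeps a single relationship per source uuid, so when several STIX relationship objects share a `source_ref`, each assignment overwrites the previous one and only the last reaches the cluster file. The generated `related` arrays then under-report what the STIX data links together, which weakens the mappings analysts rely on. Collect a list per source with `stix_relations.setdefault(galaxy_fname, {}).setdefault(uuid, []).append(rel)`, and in the write loop iterate `for k, rels in relations.items():` with an inner `for v in rels:` around the existing cluster search. Separately, `galaxy_fname = cluster_uuids[uuid]` raises `KeyError` and aborts the run when a source uuid is absent from every cluster file; `galaxy_fname = cluster_uuids.get(uuid)` followed by `if galaxy_fname is None: continue` would skip it instead. `file_json['version'] += 1` also appears to run even when every mapping was skipped as already present, though the indentation is lost in this view, so confirm against the file.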
diff --git a/clusters/mitre-enterprise-attack-relationship.json b/clusters/mitre-enterprise-attack-relationship.json deleted file mode 100644 index 39d53a8..0000000 --- a/clusters/mitre-enterprise-attack-relationship.json +++ /dev/null 
@@ -1,17277 +0,0 @@ -{ - "authors": [ - "MITRE" - ], - "description": "MITRE Relationship", - "name": "Enterprise Attack - Relationship", - "source": "https://github.com/mitre/cti", - "type": "mitre-enterprise-attack-relationship", - "uuid": "fc605f90-1707-11e8-9d6a-9f165ac2ab5c", - "values": [ - { - "meta": { - "source-uuid": "222fbd21-fc4f-4b7e-9f85-0e6e3a76c33f", - "target-uuid": "2f1a9fd0-3b7c-4d77-a358-78db13adbe78" - }, - "uuid": "cfc7da70-d7c5-4508-8f50-1c3107269633", - "value": "menuPass (G0045) uses EvilGrab (S0152)" - }, - { - "meta": { - "source-uuid": "69d6f4a9-fcf0-4f51-bca7-597c51ad0bb8", - "target-uuid": "241814ae-de3f-4656-b49e-f9a80764d4b7" - }, - "uuid": "ea61c268-d0d1-4cbe-8b26-16f70f515a04", - "value": "Remsec (S0125) uses Security Software Discovery (T1063)" - }, - { - "meta": { - "source-uuid": "0998045d-f96e-4284-95ce-3c8219707486", - "target-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add" - }, - "uuid": "04ecc705-0027-4dda-85fe-d6ce028ef05e", - "value": "SEASHARPEE (S0185) uses Remote File Copy (T1105)" - }, - { - "meta": { - "source-uuid": "0bbdf25b-30ff-4894-a1cd-49260d0dd2d9", - "target-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830" - }, - "uuid": "41d61146-4a42-4897-b4a1-a706130a322d", - "value": "APT3 (G0022) uses Command-Line Interface (T1059)" - }, - { - "meta": { - "source-uuid": "b2203c59-4089-4ee4-bfe1-28fa25f0dbfe", - "target-uuid": "a19e86f8-1c0a-4fea-8407-23b73d615776" - }, - "uuid": "ed2c177c-18fc-4bfd-9169-48af1557a542", - "value": "Cherry Picker (S0107) uses Exfiltration Over Alternative Protocol (T1048)" - }, - { - "meta": { - "source-uuid": "8901ac23-6b50-410c-b0dd-d8174a86f9b3", - "target-uuid": "7bc57495-ea59-4380-be31-a64af124ef18" - }, - "uuid": "ab3ac76f-5ddc-44dc-bb2f-670d6bf08e0b", - "value": "Shamoon (S0140) uses File and Directory Discovery (T1083)" - }, - { - "meta": { - "source-uuid": "93f52415-0fe4-4d3d-896c-fc9b8e88ab90", - "target-uuid": "a257ed11-ff3b-4216-8c9d-3938ef57064c" - }, - "uuid": 
"eb91c7d8-2cfb-4d8b-905a-d146bc8178e2", - "value": "BRONZE BUTLER (G0060) uses Pass the Ticket (T1097)" - }, - { - "meta": { - "source-uuid": "4ca1929c-7d64-4aab-b849-badbfc0c760d", - "target-uuid": "54a649ff-439a-41a4-9856-8d144a2551ba" - }, - "uuid": "bd83109f-198a-43b0-a4c9-c13dd671c2da", - "value": "OilRig (G0049) uses Remote Services (T1021)" - }, - { - "meta": { - "source-uuid": "bef4c620-0787-42a8-a96d-b7eb6e85917c", - "target-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add" - }, - "uuid": "644b6c21-90f0-43b7-8da4-7f6f24ddabb6", - "value": "APT28 (G0007) uses Remote File Copy (T1105)" - }, - { - "meta": { - "source-uuid": "69d6f4a9-fcf0-4f51-bca7-597c51ad0bb8", - "target-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6" - }, - "uuid": "d7e57ff2-f14b-44fa-97e3-8bc976cb9bd5", - "value": "Remsec (S0125) uses Standard Application Layer Protocol (T1071)" - }, - { - "meta": { - "source-uuid": "5be33fef-39c0-4532-84ee-bea31e1b5324", - "target-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9" - }, - "uuid": "ee5e40d0-f72e-4e0b-8b10-cd5c2057cdc0", - "value": "ISMInjector (S0189) uses Scheduled Task (T1053)" - }, - { - "meta": { - "source-uuid": "2f1a9fd0-3b7c-4d77-a358-78db13adbe78", - "target-uuid": "1035cdf2-3e5f-446f-a7a7-e8f6d7925967" - }, - "uuid": "5599906d-5be3-420c-9f84-e762d85c2511", - "value": "EvilGrab (S0152) uses Audio Capture (T1123)" - }, - { - "meta": { - "source-uuid": "f9d6633a-55e6-4adc-9263-6ae080421a13", - "target-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add" - }, - "uuid": "47f521b8-37e4-489d-b6eb-25f35de80aae", - "value": "Magic Hound (G0059) uses Remote File Copy (T1105)" - }, - { - "meta": { - "source-uuid": "2a7914cf-dff3-428d-ab0f-1014d1c28aeb", - "target-uuid": "51dea151-0898-4a45-967c-3ebee0420484" - }, - "uuid": "a317b097-b819-441b-b344-9f129ba6cb40", - "value": "FIN6 (G0037) uses Remote Desktop Protocol (T1076)" - }, - { - "meta": { - "source-uuid": "68ba94ab-78b8-43e7-83e2-aed3466882c6", - "target-uuid": "03342581-f790-4f03-ba41-e82e67392e23" - 
}, - "uuid": "e76b1b21-17c1-4e3b-ac3a-92fb8afc4130", - "value": "APT34 (G0057) uses Net (S0039)" - }, - { - "meta": { - "source-uuid": "5e7ef1dc-7fb6-4913-ac75-e06113b59e0c", - "target-uuid": "f24faf46-3b26-4dbb-98f2-63460498e433" - }, - "uuid": "62c8913c-c193-4feb-ab58-88343838336d", - "value": "MiniDuke (S0051) uses Fallback Channels (T1008)" - }, - { - "meta": { - "source-uuid": "6713ab67-e25b-49cc-808d-2b36d4fbc35c", - "target-uuid": "294e2560-bd48-44b2-9da2-833b5588ad11" - }, - "uuid": "f879eea1-2a05-484d-adbb-c3504813fc5d", - "value": "Ke3chang (G0004) uses ipconfig (S0100)" - }, - { - "meta": { - "source-uuid": "7331c66a-5601-4d3f-acf6-ad9e3035eb40", - "target-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2" - }, - "uuid": "8447c89e-a743-430e-8ef5-41abfcde1a01", - "value": "Group5 (G0043) uses Input Capture (T1056)" - }, - { - "meta": { - "source-uuid": "381fcf73-60f6-4ab2-9991-6af3cbc35192", - "target-uuid": "54cc1d4f-5c53-4f0e-9ef5-11b4998e82e4" - }, - "uuid": "b349ef5f-4a05-4eef-afe4-1543b8c832fa", - "value": "Sandworm Team (G0034) uses BlackEnergy (S0089)" - }, - { - "meta": { - "source-uuid": "fb575479-14ef-41e9-bfab-0b7cf10bec73", - "target-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a" - }, - "uuid": "b6fc7740-4e5f-4f4c-8b1e-d0e3368eee03", - "value": "ADVSTORESHELL (S0045) uses Obfuscated Files or Information (T1027)" - }, - { - "meta": { - "source-uuid": "247cb30b-955f-42eb-97a5-a89fef69341e", - "target-uuid": "9ca488bd-9587-48ef-b923-1743523e63b2" - }, - "uuid": "55f58d30-b633-4094-97bb-6ab872c0f480", - "value": "APT32 (G0050) uses SOUNDBITE (S0157)" - }, - { - "meta": { - "source-uuid": "22addc7b-b39f-483d-979a-1b35147da5de", - "target-uuid": "f24faf46-3b26-4dbb-98f2-63460498e433" - }, - "uuid": "70a93fc8-83c0-4407-8224-ae447af1235a", - "value": "WinMM (S0059) uses Fallback Channels (T1008)" - }, - { - "meta": { - "source-uuid": "e48df773-7c95-4a4c-ba70-ea3d15900148", - "target-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896" - }, - "uuid": 
"521146dd-185d-4a8c-a3b4-b3caedbc7a14", - "value": "DownPaper (S0186) uses Query Registry (T1012)" - }, - { - "meta": { - "source-uuid": "160af6af-e733-4b6a-a04a-71c620ac0930", - "target-uuid": "92a78814-b191-47ca-909c-1ccfe3777414" - }, - "uuid": "b0d10c67-94bf-4bb3-8122-6f4d9e8106c1", - "value": "Third-party Software Mitigation (T1072) mitigates Third-party Software (T1072)" - }, - { - "meta": { - "source-uuid": "4f6aa78c-c3d4-4883-9840-96ca2f5d6d47", - "target-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6" - }, - "uuid": "0d9114a6-6452-4668-95eb-f91bcb300d2d", - "value": "TEXTMATE (S0146) uses Standard Application Layer Protocol (T1071)" - }, - { - "meta": { - "source-uuid": "a653431d-6a5e-4600-8ad3-609b5af57064", - "target-uuid": "00d0b012-8a03-410e-95de-5826bf542de6" - }, - "uuid": "4d68b3eb-9689-4a6d-b6ab-367fbc5ddade", - "value": "Deep Panda (G0009) uses Indicator Removal from Tools (T1066)" - }, - { - "meta": { - "source-uuid": "f9d6633a-55e6-4adc-9263-6ae080421a13", - "target-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc" - }, - "uuid": "0a507d28-ef6b-417b-a968-e82608e8b6a8", - "value": "Magic Hound (G0059) uses Registry Run Keys / Start Folder (T1060)" - }, - { - "meta": { - "source-uuid": "cfd2cd3b-93e7-4b3e-ab46-f8bcafdbdfcf", - "target-uuid": "0a5231ec-41af-4a35-83d0-6bdf11f28c65" - }, - "uuid": "ef2b823b-2fb1-442a-9d91-cf088242f6a6", - "value": "Execution through Module Load Mitigation (T1129) mitigates Execution through Module Load (T1129)" - }, - { - "meta": { - "source-uuid": "fb261c56-b80e-43a9-8351-c84081e7213d", - "target-uuid": "970cdb5c-02fb-4c38-b17e-d6327cf3c810" - }, - "uuid": "c327c333-46c4-4e23-81e0-2f0e07c24c11", - "value": "BACKSPACE (S0031) uses Shortcut Modification (T1023)" - }, - { - "meta": { - "source-uuid": "ad4f146f-e3ec-444a-ba71-24bffd7f0f8e", - "target-uuid": "f879d51c-5476-431c-aedf-f14d207e4d1e" - }, - "uuid": "fb6a804a-1929-4c13-a78d-1cf724c09e77", - "value": "RIPTIDE (S0003) uses Commonly Used Port (T1043)" - }, - { - 
"meta": { - "source-uuid": "c5574ca0-d5a4-490a-b207-e4658e5fd1d7", - "target-uuid": "cb7bcf6f-085f-41db-81ee-4b68481661b5" - }, - "uuid": "a4106a52-b3e7-4aa9-b2ca-125f206dbf91", - "value": "Scarlet Mimic (G0029) uses CallMe (S0077)" - }, - { - "meta": { - "source-uuid": "2a7914cf-dff3-428d-ab0f-1014d1c28aeb", - "target-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81" - }, - "uuid": "da395019-238a-4c4e-b4cd-43947e8aa019", - "value": "FIN6 (G0037) uses Valid Accounts (T1078)" - }, - { - "meta": { - "source-uuid": "88c621a7-aef9-4ae0-94e3-1fc87123eb24", - "target-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59" - }, - "uuid": "af883d09-3f26-4267-9081-4783447e3283", - "value": "gh0st (S0032) uses File Deletion (T1107)" - }, - { - "meta": { - "source-uuid": "9752aef4-a1f3-4328-929f-b64eb0536090", - "target-uuid": "478aa214-2ca7-4ec0-9978-18798e514790" - }, - "uuid": "d0b2e189-e764-44ec-9373-2f23212f6a45", - "value": "RawPOS (S0169) uses New Service (T1050)" - }, - { - "meta": { - "source-uuid": "c93fccb1-e8e8-42cf-ae33-2ad1d183913a", - "target-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add" - }, - "uuid": "115562b8-9d7c-435e-af6e-0be6249742d0", - "value": "Lazarus Group (G0032) uses Remote File Copy (T1105)" - }, - { - "meta": { - "source-uuid": "bef4c620-0787-42a8-a96d-b7eb6e85917c", - "target-uuid": "c23b740b-a42b-47a1-aec2-9d48ddd547ff" - }, - "uuid": "22ccfcb8-cb4a-4b9e-bc2d-c0bd2701e2e9", - "value": "APT28 (G0007) uses Pass the Hash (T1075)" - }, - { - "meta": { - "source-uuid": "ff6840c9-4c87-4d07-bbb6-9f50aa33d498", - "target-uuid": "b21c3b2d-02e6-45b1-980b-e69051040839" - }, - "uuid": "78b504a4-2bdd-44dd-b954-a7fa120f1efd", - "value": "Flame (S0143) uses Exploitation of Vulnerability (T1068)" - }, - { - "meta": { - "source-uuid": "894aab42-3371-47b1-8859-a4a074c804c8", - "target-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0" - }, - "uuid": "510c2f8c-4570-4c19-8c36-7004f8bbf561", - "value": "Stealth Falcon (G0038) uses System Network Configuration Discovery (T1016)" - }, 
- { - "meta": { - "source-uuid": "9e729a7e-0dd6-4097-95bf-db8d64911383", - "target-uuid": "246fd3c7-f5e3-466d-8787-4c13d9e3b61c" - }, - "uuid": "27b05a62-5310-40d9-9e49-b4dce3afad55", - "value": "Darkhotel (G0012) uses Taint Shared Content (T1080)" - }, - { - "meta": { - "source-uuid": "0bbdf25b-30ff-4894-a1cd-49260d0dd2d9", - "target-uuid": "7bc57495-ea59-4380-be31-a64af124ef18" - }, - "uuid": "a8b248fe-a27c-40fd-83d5-f4382035d656", - "value": "APT3 (G0022) uses File and Directory Discovery (T1083)" - }, - { - "meta": { - "source-uuid": "91000a8a-58cc-4aba-9ad0-993ad6302b86", - "target-uuid": "7bc57495-ea59-4380-be31-a64af124ef18" - }, - "uuid": "c8b0afbb-12eb-4b45-a1e1-b11755de2976", - "value": "StreamEx (S0142) uses File and Directory Discovery (T1083)" - }, - { - "meta": { - "source-uuid": "68ba94ab-78b8-43e7-83e2-aed3466882c6", - "target-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81" - }, - "uuid": "78364654-f94c-4b7b-b5ec-19bedb58ec4f", - "value": "APT34 (G0057) uses Valid Accounts (T1078)" - }, - { - "meta": { - "source-uuid": "28adf6fd-ab6c-4553-9aa7-cef18a191f33", - "target-uuid": "b9f5dbe2-4c55-4fc5-af2e-d42c1d182ec4" - }, - "uuid": "ea46cbd0-7134-4ede-a117-47380ddd9b5c", - "value": "Data Compressed Mitigation (T1002) mitigates Data Compressed (T1002)" - }, - { - "meta": { - "source-uuid": "247cb30b-955f-42eb-97a5-a89fef69341e", - "target-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81" - }, - "uuid": "70bc1a16-3c57-4198-b2f9-c7f27bec271c", - "value": "APT32 (G0050) uses Valid Accounts (T1078)" - }, - { - "meta": { - "source-uuid": "c93fccb1-e8e8-42cf-ae33-2ad1d183913a", - "target-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc" - }, - "uuid": "6ab291a5-8061-4ad4-a6a7-07a6142e4c27", - "value": "Lazarus Group (G0032) uses Registry Run Keys / Start Folder (T1060)" - }, - { - "meta": { - "source-uuid": "ccd61dfc-b03f-4689-8c18-7c97eab08472", - "target-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6" - }, - "uuid": "3a9abcd5-52ba-44f1-96a5-1593f816b9f0", - "value": 
"CHOPSTICK (S0023) uses Standard Application Layer Protocol (T1071)" - }, - { - "meta": { - "source-uuid": "251fbae2-78f6-4de7-84f6-194c727a64ad", - "target-uuid": "3b3cbbe0-6ed3-4334-b543-3ddfd8c5642d" - }, - "uuid": "21717b6b-1fc6-4619-9877-bb36237a8efd", - "value": "Lurid (S0010) uses Custom Cryptographic Protocol (T1024)" - }, - { - "meta": { - "source-uuid": "eff1a885-6f90-42a1-901f-eef6e7a1905e", - "target-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580" - }, - "uuid": "5bb90849-cdfe-4cc0-9ca3-128f17b2a1d1", - "value": "Helminth (S0170) uses Process Discovery (T1057)" - }, - { - "meta": { - "source-uuid": "166c0eca-02fd-424a-92c0-6b5106994d31", - "target-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add" - }, - "uuid": "2025480a-6d91-4ef5-a6ea-cc025c8aecfb", - "value": "ZLib (S0086) uses Remote File Copy (T1105)" - }, - { - "meta": { - "source-uuid": "ff6840c9-4c87-4d07-bbb6-9f50aa33d498", - "target-uuid": "e01be9c5-e763-4caf-aeb7-000b416aef67" - }, - "uuid": "57e6eba5-cb21-4a0d-b524-4981f49037b1", - "value": "Flame (S0143) uses Create Account (T1136)" - }, - { - "meta": { - "source-uuid": "64fa0de0-6240-41f4-8638-f4ca7ed528fd", - "target-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc" - }, - "uuid": "a29d9514-3284-4ac2-a93a-e17750519534", - "value": "PlugX (S0013) uses Registry Run Keys / Start Folder (T1060)" - }, - { - "meta": { - "source-uuid": "2daa14d6-cbf3-4308-bb8e-213c324a08e4", - "target-uuid": "a19e86f8-1c0a-4fea-8407-23b73d615776" - }, - "uuid": "1e2baacb-9033-49a9-890a-f48c87ab1531", - "value": "HAMMERTOSS (S0037) uses Exfiltration Over Alternative Protocol (T1048)" - }, - { - "meta": { - "source-uuid": "495b6cdb-7b5a-4fbc-8d33-e7ef68806d08", - "target-uuid": "c848fcf7-6b62-4bde-8216-b6c157d48da0" - }, - "uuid": "11de35bf-195d-4097-a27a-d2e2b7c433b3", - "value": "Volgmer (S0180) uses Uncommonly Used Port (T1065)" - }, - { - "meta": { - "source-uuid": "c0c45d38-fe57-4cd4-b2b2-9ecd0ddd4ca9", - "target-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830" - }, - 
"uuid": "fdc4c379-e6e6-4454-933d-2a9a4a78cf98", - "value": "TinyZBot (S0004) uses Command-Line Interface (T1059)" - }, - { - "meta": { - "source-uuid": "a653431d-6a5e-4600-8ad3-609b5af57064", - "target-uuid": "96b08451-b27a-4ff6-893f-790e26393a8e" - }, - "uuid": "70dc6b5c-c524-429e-a6ab-0dd40f0482c1", - "value": "Deep Panda (G0009) uses Sakula (S0074)" - }, - { - "meta": { - "source-uuid": "64d76fa5-cf8f-469c-b78c-1a4f7c5bad80", - "target-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59" - }, - "uuid": "93812c9c-39f1-4bf6-adda-601d0ffd88bf", - "value": "BBSRAT (S0127) uses File Deletion (T1107)" - }, - { - "meta": { - "source-uuid": "f6d1d2cb-12f5-4221-9636-44606ea1f3f8", - "target-uuid": "3489cfc5-640f-4bb3-a103-9137b97de79f" - }, - "uuid": "d07f2da6-6497-414f-96c1-9dd60155b169", - "value": "OSInfo (S0165) uses Network Share Discovery (T1135)" - }, - { - "meta": { - "source-uuid": "8ae43c46-57ef-47d5-a77a-eebb35628db2", - "target-uuid": "62b8c999-dcc0-4755-bd69-09442d9359f5" - }, - "uuid": "dd9c1644-259d-4980-8058-fdc3c72fac7b", - "value": "JHUHUGIT (S0044) uses Rundll32 (T1085)" - }, - { - "meta": { - "source-uuid": "92ec0cbd-2c30-44a2-b270-73f4ec949841", - "target-uuid": "1b84d551-6de8-4b96-9930-d177677c3b1d" - }, - "uuid": "6b0b404e-7e1b-4f8f-8b78-85016f36f8e9", - "value": "RTM (S0148) uses Code Signing (T1116)" - }, - { - "meta": { - "source-uuid": "fb575479-14ef-41e9-bfab-0b7cf10bec73", - "target-uuid": "b9f5dbe2-4c55-4fc5-af2e-d42c1d182ec4" - }, - "uuid": "c0e78590-0266-43e0-8fb5-efd95556c20c", - "value": "ADVSTORESHELL (S0045) uses Data Compressed (T1002)" - }, - { - "meta": { - "source-uuid": "54cc1d4f-5c53-4f0e-9ef5-11b4998e82e4", - "target-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59" - }, - "uuid": "d5166d3e-246b-473c-9ff0-c5cc97dd91de", - "value": "BlackEnergy (S0089) uses File Deletion (T1107)" - }, - { - "meta": { - "source-uuid": "2a7914cf-dff3-428d-ab0f-1014d1c28aeb", - "target-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22" - }, - "uuid": 
"e0bc7e9b-aec8-4e78-baed-f635ee7bd196", - "value": "FIN6 (G0037) uses Credential Dumping (T1003)" - }, - { - "meta": { - "source-uuid": "687c23e4-4e25-4ee7-a870-c5e002511f54", - "target-uuid": "01a5a209-b94c-450b-b7f9-946497d91055" - }, - "uuid": "6a58662b-4eb1-4172-b387-13e9b574368a", - "value": "DustySky (S0062) uses Windows Management Instrumentation (T1047)" - }, - { - "meta": { - "source-uuid": "26fed817-e7bf-41f9-829a-9075ffac45c2", - "target-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add" - }, - "uuid": "c39e878e-a496-4271-9998-2d5c9511e0a4", - "value": "Kasidet (S0088) uses Remote File Copy (T1105)" - }, - { - "meta": { - "source-uuid": "aafea02e-ece5-4bb2-91a6-3bf8c7f38a39", - "target-uuid": "c23b740b-a42b-47a1-aec2-9d48ddd547ff" - }, - "uuid": "9a286577-ccfc-4793-96ce-02c17dc0f4ae", - "value": "Cobalt Strike (S0154) uses Pass the Hash (T1075)" - }, - { - "meta": { - "source-uuid": "7a6e5ca3-562f-4185-a323-f3b62b5b2e6b", - "target-uuid": "6e6845c2-347a-4a6f-a2d1-b74a18ebd352" - }, - "uuid": "bdd223c2-8d3a-4c99-b261-402b7daaace5", - "value": "LSASS Driver Mitigation (T1177) mitigates LSASS Driver (T1177)" - }, - { - "meta": { - "source-uuid": "96150c35-466f-4f0a-97a9-ae87ee27f751", - "target-uuid": "02fefddc-fb1b-423f-a76b-7552dd211d4d" - }, - "uuid": "49dd2ac1-cd3a-46db-89d7-307c65971a3d", - "value": "Bootkit Mitigation (T1067) mitigates Bootkit (T1067)" - }, - { - "meta": { - "source-uuid": "8901ac23-6b50-410c-b0dd-d8174a86f9b3", - "target-uuid": "ffe742ed-9100-4686-9e00-c331da544787" - }, - "uuid": "38ea7367-26e7-4a6a-b735-e98e3a35450a", - "value": "Shamoon (S0140) uses Windows Admin Shares (T1077)" - }, - { - "meta": { - "source-uuid": "69d6f4a9-fcf0-4f51-bca7-597c51ad0bb8", - "target-uuid": "7bc57495-ea59-4380-be31-a64af124ef18" - }, - "uuid": "147e009d-48db-40bc-999c-70aa1e770a0c", - "value": "Remsec (S0125) uses File and Directory Discovery (T1083)" - }, - { - "meta": { - "source-uuid": "f047ee18-7985-4946-8bfb-4ed754d3a0dd", - "target-uuid": 
"b1de6916-7a22-4460-8d26-6b5483ffaa2a" - }, - "uuid": "08d91d3c-b7c7-4cbc-a4eb-29edd3be3e3a", - "value": "APT30 (G0013) uses SHIPSHAPE (S0028)" - }, - { - "meta": { - "source-uuid": "495b6cdb-7b5a-4fbc-8d33-e7ef68806d08", - "target-uuid": "4b74a1d4-b0e9-4ef1-93f1-14ecc6e2f5b5" - }, - "uuid": "a49ed7b1-8160-48ae-a65f-feeb4747c522", - "value": "Volgmer (S0180) uses Standard Cryptographic Protocol (T1032)" - }, - { - "meta": { - "source-uuid": "1c63d4ec-0a75-4daa-b1df-0d11af3d3cc1", - "target-uuid": "e01be9c5-e763-4caf-aeb7-000b416aef67" - }, - "uuid": "570c8981-9a08-4c4f-8927-a22148bb880e", - "value": "Dragonfly (G0035) uses Create Account (T1136)" - }, - { - "meta": { - "source-uuid": "69d6f4a9-fcf0-4f51-bca7-597c51ad0bb8", - "target-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a" - }, - "uuid": "43edea0b-efb8-41ab-bdda-f5aa62de439f", - "value": "Remsec (S0125) uses Obfuscated Files or Information (T1027)" - }, - { - "meta": { - "source-uuid": "f108215f-3487-489d-be8b-80e346d32518", - "target-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104" - }, - "uuid": "707d131d-39ff-4ea0-a8ef-63dd7ca2a854", - "value": "Komplex (S0162) uses System Owner/User Discovery (T1033)" - }, - { - "meta": { - "source-uuid": "fbe9387f-34e6-4828-ac28-3080020c597b", - "target-uuid": "7fd87010-3a00-4da3-b905-410525e8ec44" - }, - "uuid": "4de4a09b-5727-4462-b288-23278e74634e", - "value": "FIN10 (G0051) uses Scripting (T1064)" - }, - { - "meta": { - "source-uuid": "326af1cd-78e7-45b7-a326-125d2f7ef8f2", - "target-uuid": "7bc57495-ea59-4380-be31-a64af124ef18" - }, - "uuid": "0d8aa058-426a-45c9-af5b-898746ae5862", - "value": "Crimson (S0115) uses File and Directory Discovery (T1083)" - }, - { - "meta": { - "source-uuid": "37cc7eb6-12e3-467b-82e8-f20f2cc73c69", - "target-uuid": "4b74a1d4-b0e9-4ef1-93f1-14ecc6e2f5b5" - }, - "uuid": "0d3e115b-ff08-4bff-8802-be3d21cec68f", - "value": "Prikormka (S0113) uses Standard Cryptographic Protocol (T1032)" - }, - { - "meta": { - "source-uuid": 
"196f1f32-e0c2-4d46-99cd-234d4b6befe1", - "target-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0" - }, - "uuid": "2843ccc2-4869-48a0-8967-b9856a778a2c", - "value": "Felismus (S0171) uses Masquerading (T1036)" - }, - { - "meta": { - "source-uuid": "5c167af7-c2cb-42c8-ae67-3fb275bf8488", - "target-uuid": "128c55d3-aeba-469f-bd3e-c8996ab4112a" - }, - "uuid": "4fa2cbf0-9721-4bbe-86b4-334848cd3dd6", - "value": "Timestomp Mitigation (T1099) mitigates Timestomp (T1099)" - }, - { - "meta": { - "source-uuid": "54cc1d4f-5c53-4f0e-9ef5-11b4998e82e4", - "target-uuid": "799ace7f-e227-4411-baa0-8868704f2a69" - }, - "uuid": "c9dca829-6417-4121-9462-650ac852b8c2", - "value": "BlackEnergy (S0089) uses Indicator Removal on Host (T1070)" - }, - { - "meta": { - "source-uuid": "4ca1929c-7d64-4aab-b849-badbfc0c760d", - "target-uuid": "322bad5a-1c49-4d23-ab79-76d641794afa" - }, - "uuid": "4923be5e-dd24-4289-adca-e9dbf545b9c2", - "value": "OilRig (G0049) uses System Service Discovery (T1007)" - }, - { - "meta": { - "source-uuid": "7bec698a-7e20-4fd3-bb6a-12787770fb1a", - "target-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6" - }, - "uuid": "2d659138-90e5-4b67-8956-02120d99506f", - "value": "3PARA RAT (S0066) uses Standard Application Layer Protocol (T1071)" - }, - { - "meta": { - "source-uuid": "76abb3ef-dafd-4762-97cb-a35379429db4", - "target-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6" - }, - "uuid": "61047751-c353-4190-bc37-19ad959bc35e", - "value": "Gazer (S0168) uses Standard Application Layer Protocol (T1071)" - }, - { - "meta": { - "source-uuid": "09b2cd76-c674-47cc-9f57-d2f2ad150a46", - "target-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1" - }, - "uuid": "a88332d2-d03f-4139-b11c-19e82459189b", - "value": "POWRUNER (S0184) uses System Information Discovery (T1082)" - }, - { - "meta": { - "source-uuid": "199463de-d9be-46d6-bb41-07234c1dd5a6", - "target-uuid": "322bad5a-1c49-4d23-ab79-76d641794afa" - }, - "uuid": "ae9befd5-d8b7-4492-9b47-422a40d610cc", - "value": "GeminiDuke (S0049) 
uses System Service Discovery (T1007)" - }, - { - "meta": { - "source-uuid": "6a2e693f-24e5-451a-9f88-b36a108e5662", - "target-uuid": "294e2560-bd48-44b2-9da2-833b5588ad11" - }, - "uuid": "13984eec-6c33-4bab-a22c-5c061ddd6e44", - "value": "APT1 (G0006) uses ipconfig (S0100)" - }, - { - "meta": { - "source-uuid": "dc5d1a33-62aa-4a0c-aa8c-589b87beb11e", - "target-uuid": "3b3cbbe0-6ed3-4334-b543-3ddfd8c5642d" - }, - "uuid": "6586cae6-bf7a-4b1d-ab5c-53106d1db5c4", - "value": "ChChes (S0144) uses Custom Cryptographic Protocol (T1024)" - }, - { - "meta": { - "source-uuid": "2eb9b131-d333-4a48-9eb4-d8dec46c19ee", - "target-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6" - }, - "uuid": "a9727d1b-777a-4c3e-8bcc-e0cbff7431d8", - "value": "CosmicDuke (S0050) uses Standard Application Layer Protocol (T1071)" - }, - { - "meta": { - "source-uuid": "c416b28c-103b-4df1-909e-78089a7e0e5f", - "target-uuid": "830c9528-df21-472c-8c14-a036bf17d665" - }, - "uuid": "a58ad2d1-7200-4ba8-9c24-fc640306ea2f", - "value": "RTM (G0048) uses Web Service (T1102)" - }, - { - "meta": { - "source-uuid": "899ce53f-13a0-479b-a0e4-67d46e241542", - "target-uuid": "1ce03c65-5946-4ac9-9d4d-66db87e024bd" - }, - "uuid": "27e7f34e-9750-4cf0-8260-33f2996ee38c", - "value": "APT29 (G0016) uses Domain Fronting (T1172)" - }, - { - "meta": { - "source-uuid": "68ba94ab-78b8-43e7-83e2-aed3466882c6", - "target-uuid": "ff6caf67-ea1f-4895-b80e-4bb0fc31c6db" - }, - "uuid": "45a89f5b-a7de-46c9-93d6-15f2170128e4", - "value": "APT34 (G0057) uses PsExec (S0029)" - }, - { - "meta": { - "source-uuid": "d2dce10b-3562-4d61-b2f5-7c6384b038e2", - "target-uuid": "a127c32c-cbb0-4f9d-be07-881a792408ec" - }, - "uuid": "2e3b8b06-5148-4313-8b1b-d75789838c84", - "value": "Mshta Mitigation (T1170) mitigates Mshta (T1170)" - }, - { - "meta": { - "source-uuid": "aafea02e-ece5-4bb2-91a6-3bf8c7f38a39", - "target-uuid": "f4882e23-8aa7-4b12-b28a-b349c12ee9e0" - }, - "uuid": "1b51b49a-1f3a-4b5d-aea3-989e9ccb72ad", - "value": "Cobalt Strike (S0154) 
uses PowerShell (T1086)" - }, - { - "meta": { - "source-uuid": "17b40f60-729f-4fe8-8aea-cc9ee44a95d5", - "target-uuid": "46944654-fcc1-4f63-9dad-628102376586" - }, - "uuid": "3f8a74a9-55fe-4f9c-bddb-00b715ca3668", - "value": "RedLeaves (S0153) uses DLL Search Order Hijacking (T1038)" - }, - { - "meta": { - "source-uuid": "3240cbe4-c550-443b-aa76-cc2a7058b870", - "target-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6" - }, - "uuid": "2121683c-ab01-4212-b2d2-af290dd8ed17", - "value": "SNUGRIDE (S0159) uses Standard Application Layer Protocol (T1071)" - }, - { - "meta": { - "source-uuid": "5ce5392a-3a6c-4e07-9df3-9b6a9159ac45", - "target-uuid": "7bec698a-7e20-4fd3-bb6a-12787770fb1a" - }, - "uuid": "3b3435a2-6a24-4527-be6f-03d09ef2b917", - "value": "Putter Panda (G0024) uses 3PARA RAT (S0066)" - }, - { - "meta": { - "source-uuid": "96566860-9f11-4b6f-964d-1c924e4f24a4", - "target-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0" - }, - "uuid": "90e64a7a-42e6-4b95-ae85-5ac324d7f6e2", - "value": "Starloader (S0188) uses Masquerading (T1036)" - }, - { - "meta": { - "source-uuid": "251fbae2-78f6-4de7-84f6-194c727a64ad", - "target-uuid": "b9f5dbe2-4c55-4fc5-af2e-d42c1d182ec4" - }, - "uuid": "982d9af7-45bb-4cc0-9819-aaadb3304783", - "value": "Lurid (S0010) uses Data Compressed (T1002)" - }, - { - "meta": { - "source-uuid": "bba595da-b73a-4354-aa6c-224d4de7cb4e", - "target-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add" - }, - "uuid": "fb866766-d3a5-46f6-9d0e-afc6bd1c7962", - "value": "cmd (S0106) uses Remote File Copy (T1105)" - }, - { - "meta": { - "source-uuid": "083bb47b-02c8-4423-81a2-f9ef58572974", - "target-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1" - }, - "uuid": "f19234f6-5b59-4229-aae1-70df380a076a", - "value": "Backdoor.Oldrea (S0093) uses System Information Discovery (T1082)" - }, - { - "meta": { - "source-uuid": "17862c7d-9e60-48a0-b48e-da4dc4c3f6b0", - "target-uuid": "cc7b8c4e-9be0-47ca-b0bb-83915ec3ee2f" - }, - "uuid": "21caad94-1568-4e40-8e38-c0f7e854aede", - 
"value": "Patchwork (G0040) uses Data Encoding (T1132)" - }, - { - "meta": { - "source-uuid": "b8d57b16-d8e2-428c-a645-1083795b3445", - "target-uuid": "64196062-5210-42c3-9a02-563a0d1797ef" - }, - "uuid": "cf699238-7091-4d79-9741-d792152f37c1", - "value": "Communication Through Removable Media Mitigation (T1092) mitigates Communication Through Removable Media (T1092)" - }, - { - "meta": { - "source-uuid": "55033a4d-3ffe-46b2-99b4-2c1541e9ce1c", - "target-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0" - }, - "uuid": "bbf116bf-6f8a-44f4-9d98-db6ccbbff333", - "value": "Carbanak (G0008) uses Masquerading (T1036)" - }, - { - "meta": { - "source-uuid": "fb575479-14ef-41e9-bfab-0b7cf10bec73", - "target-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc" - }, - "uuid": "284ffb1b-ad42-468e-9897-94c25024f0d4", - "value": "ADVSTORESHELL (S0045) uses Registry Run Keys / Start Folder (T1060)" - }, - { - "meta": { - "source-uuid": "7331c66a-5601-4d3f-acf6-ad9e3035eb40", - "target-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688" - }, - "uuid": "8e69c855-db70-4b5e-866b-f9ce0b786156", - "value": "Group5 (G0043) uses Screen Capture (T1113)" - }, - { - "meta": { - "source-uuid": "e8268361-a599-4e45-bd3f-71c8c7e700c0", - "target-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830" - }, - "uuid": "ae370b88-fd93-4803-a154-aa3debf2327b", - "value": "httpclient (S0068) uses Command-Line Interface (T1059)" - }, - { - "meta": { - "source-uuid": "09b2cd76-c674-47cc-9f57-d2f2ad150a46", - "target-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688" - }, - "uuid": "ed522c9c-038b-43c0-af66-e81b954104f2", - "value": "POWRUNER (S0184) uses Screen Capture (T1113)" - }, - { - "meta": { - "source-uuid": "0c8465c0-d0b4-4670-992e-4eee8d7ff952", - "target-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9" - }, - "uuid": "d4d35e55-6a09-47ef-8de5-160468276025", - "value": "at (S0110) uses Scheduled Task (T1053)" - }, - { - "meta": { - "source-uuid": "bef4c620-0787-42a8-a96d-b7eb6e85917c", - "target-uuid": 
"7bc57495-ea59-4380-be31-a64af124ef18" - }, - "uuid": "3094a14f-ccd2-4ba4-a3f6-c6d2721f02db", - "value": "APT28 (G0007) uses File and Directory Discovery (T1083)" - }, - { - "meta": { - "source-uuid": "5e595477-2e78-4ce7-ae42-e0b059b17808", - "target-uuid": "e906ae4d-1d3a-4675-be23-22f7311c0da4" - }, - "uuid": "f758836e-91b2-4651-ba72-d827553b668c", - "value": "POSHSPY (S0150) uses Windows Management Instrumentation Event Subscription (T1084)" - }, - { - "meta": { - "source-uuid": "7a19ecb1-3c65-4de3-a230-993516aed6a6", - "target-uuid": "00d0b012-8a03-410e-95de-5826bf542de6" - }, - "uuid": "fe9c9381-99d7-4798-ab41-3e5cdbda5e21", - "value": "Turla (G0010) uses Indicator Removal from Tools (T1066)" - }, - { - "meta": { - "source-uuid": "2eb9b131-d333-4a48-9eb4-d8dec46c19ee", - "target-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2" - }, - "uuid": "6d2d4146-bf9e-4b75-9a23-052c09e99eeb", - "value": "CosmicDuke (S0050) uses Input Capture (T1056)" - }, - { - "meta": { - "source-uuid": "222fbd21-fc4f-4b7e-9f85-0e6e3a76c33f", - "target-uuid": "bba595da-b73a-4354-aa6c-224d4de7cb4e" - }, - "uuid": "99800503-d535-4fae-a318-dfa034dca663", - "value": "menuPass (G0045) uses cmd (S0106)" - }, - { - "meta": { - "source-uuid": "0bbdf25b-30ff-4894-a1cd-49260d0dd2d9", - "target-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add" - }, - "uuid": "f661bda3-d524-44b3-aeb0-d8dd8879a569", - "value": "APT3 (G0022) uses Remote File Copy (T1105)" - }, - { - "meta": { - "source-uuid": "efed95ba-d7e8-47ff-8c53-99c42426ee7c", - "target-uuid": "691c60e2-273d-4d56-9ce6-b67e0f8719ad" - }, - "uuid": "34ebfdf4-ef2c-4a6c-8bfa-69704d8f7694", - "value": "PROMETHIUM (G0056) uses Truvasys (S0178)" - }, - { - "meta": { - "source-uuid": "0f862b01-99da-47cc-9bdb-db4a86a95bb1", - "target-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0" - }, - "uuid": "1ec53623-4050-498b-ba9e-f149d203036c", - "value": "Emissary (S0082) uses System Network Configuration Discovery (T1016)" - }, - { - "meta": { - "source-uuid": 
"afc079f3-c0ea-4096-b75d-3f05338b7f60", - "target-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22" - }, - "uuid": "b7930db8-2cb9-4ecf-b3d3-7425f99140d8", - "value": "Mimikatz (S0002) uses Credential Dumping (T1003)" - }, - { - "meta": { - "source-uuid": "7343e208-7cab-45f2-a47b-41ba5e2f0fab", - "target-uuid": "e3a12395-188d-4051-9a16-ea8e14d07b88" - }, - "uuid": "a423dc5c-c506-4cc5-b65c-0c9269d18fb6", - "value": "XTunnel (S0117) uses Network Service Scanning (T1046)" - }, - { - "meta": { - "source-uuid": "82cb34ba-02b5-432b-b2d2-07f55cbf674d", - "target-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc" - }, - "uuid": "57e1f6b0-7fbd-49b4-8f5d-876b759437ac", - "value": "Trojan.Karagany (S0094) uses Registry Run Keys / Start Folder (T1060)" - }, - { - "meta": { - "source-uuid": "9e9b9415-a7df-406b-b14d-92bfe6809fbe", - "target-uuid": "4b74a1d4-b0e9-4ef1-93f1-14ecc6e2f5b5" - }, - "uuid": "7b5919ce-efab-45d1-855b-f827d7489b2b", - "value": "Nidiran (S0118) uses Standard Cryptographic Protocol (T1032)" - }, - { - "meta": { - "source-uuid": "f3bdec95-3d62-42d9-a840-29630f6cdc1a", - "target-uuid": "b42378e0-f147-496f-992a-26a49705395b" - }, - "uuid": "8797579b-e3be-4209-a71b-255a4d08243d", - "value": "DragonOK (G0017) uses PoisonIvy (S0012)" - }, - { - "meta": { - "source-uuid": "166c0eca-02fd-424a-92c0-6b5106994d31", - "target-uuid": "7bc57495-ea59-4380-be31-a64af124ef18" - }, - "uuid": "50271beb-48b1-411e-86b5-990b4cbb1fb5", - "value": "ZLib (S0086) uses File and Directory Discovery (T1083)" - }, - { - "meta": { - "source-uuid": "08d20cd2-f084-45ee-8558-fa6ef5a18519", - "target-uuid": "ca1a3f50-5ebd-41f8-8320-2c7d6a6e88be" - }, - "uuid": "6a0f3ebb-c805-402f-bb2e-aac2f8d174fa", - "value": "Downdelph (S0134) uses Bypass User Account Control (T1088)" - }, - { - "meta": { - "source-uuid": "fb575479-14ef-41e9-bfab-0b7cf10bec73", - "target-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59" - }, - "uuid": "53cc6b0b-66ec-4f7d-a725-f65b076b5428", - "value": "ADVSTORESHELL (S0045) uses File 
Deletion (T1107)" - }, - { - "meta": { - "source-uuid": "67e6d66b-1b82-4699-b47a-e2efb6268d14", - "target-uuid": "7fd87010-3a00-4da3-b905-410525e8ec44" - }, - "uuid": "837af41c-0553-4d1d-a38e-e43e2aad5c35", - "value": "SeaDuke (S0053) uses Scripting (T1064)" - }, - { - "meta": { - "source-uuid": "69d6f4a9-fcf0-4f51-bca7-597c51ad0bb8", - "target-uuid": "2e0dd10b-676d-4964-acd0-8a404c92b044" - }, - "uuid": "8baf3f0d-0ab4-4691-8ef7-8b9af8a8069c", - "value": "Remsec (S0125) uses Disabling Security Tools (T1089)" - }, - { - "meta": { - "source-uuid": "cb7bcf6f-085f-41db-81ee-4b68481661b5", - "target-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830" - }, - "uuid": "c3d3bb7d-65cc-4915-bc28-492d341e6dbd", - "value": "CallMe (S0077) uses Command-Line Interface (T1059)" - }, - { - "meta": { - "source-uuid": "4ca1929c-7d64-4aab-b849-badbfc0c760d", - "target-uuid": "cf23bf4a-e003-4116-bbae-1ea6c558d565" - }, - "uuid": "fd518b7a-b35d-4689-89f6-525efbeee18f", - "value": "OilRig (G0049) uses FTP (S0095)" - }, - { - "meta": { - "source-uuid": "7a19ecb1-3c65-4de3-a230-993516aed6a6", - "target-uuid": "f3c544dc-673c-4ef3-accb-53229f1ae077" - }, - "uuid": "87b74ba7-99c4-464c-86d2-1dd8c8b578b1", - "value": "Turla (G0010) uses System Time Discovery (T1124)" - }, - { - "meta": { - "source-uuid": "b6b3dfc7-9a81-43ff-ac04-698bad48973a", - "target-uuid": "00d0b012-8a03-410e-95de-5826bf542de6" - }, - "uuid": "e79c65f4-f9d2-4568-96a4-b6e00d3bad71", - "value": "Daserf (S0187) uses Indicator Removal from Tools (T1066)" - }, - { - "meta": { - "source-uuid": "a653431d-6a5e-4600-8ad3-609b5af57064", - "target-uuid": "f4882e23-8aa7-4b12-b28a-b349c12ee9e0" - }, - "uuid": "6fdc3210-9754-4157-b386-8fcd680e732c", - "value": "Deep Panda (G0009) uses PowerShell (T1086)" - }, - { - "meta": { - "source-uuid": "88c621a7-aef9-4ae0-94e3-1fc87123eb24", - "target-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580" - }, - "uuid": "a564f3da-349a-4e65-826c-8ca60bc920bf", - "value": "gh0st (S0032) uses Process Discovery 
(T1057)" - }, - { - "meta": { - "source-uuid": "fb366179-766c-4a4a-afa1-52bff1fd601c", - "target-uuid": "afc079f3-c0ea-4096-b75d-3f05338b7f60" - }, - "uuid": "4ce5e752-97d6-4803-a49c-0f905729a133", - "value": "Threat Group-3390 (G0027) uses Mimikatz (S0002)" - }, - { - "meta": { - "source-uuid": "e1161124-f22e-487f-9d5f-ed8efc8dcd61", - "target-uuid": "f879d51c-5476-431c-aedf-f14d207e4d1e" - }, - "uuid": "a23ab6bc-e5cc-46a9-b77f-747ae6fc6a9b", - "value": "Mis-Type (S0084) uses Commonly Used Port (T1043)" - }, - { - "meta": { - "source-uuid": "222fbd21-fc4f-4b7e-9f85-0e6e3a76c33f", - "target-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830" - }, - "uuid": "dea36846-b8ad-4926-a242-9fa2d12069c8", - "value": "menuPass (G0045) uses Command-Line Interface (T1059)" - }, - { - "meta": { - "source-uuid": "69d6f4a9-fcf0-4f51-bca7-597c51ad0bb8", - "target-uuid": "e6415f09-df0e-48de-9aba-928c902b7549" - }, - "uuid": "137e1ddc-403b-49b5-a214-20b82bab446e", - "value": "Remsec (S0125) uses Exfiltration Over Physical Medium (T1052)" - }, - { - "meta": { - "source-uuid": "bef4c620-0787-42a8-a96d-b7eb6e85917c", - "target-uuid": "ba8e391f-14b5-496f-81f2-2d5ecd646c1c" - }, - "uuid": "46f853ea-3f45-4570-a155-826bec98456d", - "value": "APT28 (G0007) uses Credentials in Files (T1081)" - }, - { - "meta": { - "source-uuid": "66b1dcde-17a0-4c7b-95fa-b08d430c2131", - "target-uuid": "322bad5a-1c49-4d23-ab79-76d641794afa" - }, - "uuid": "abee00d3-8417-468b-84a4-40c7d0ac4f7d", - "value": "S-Type (S0085) uses System Service Discovery (T1007)" - }, - { - "meta": { - "source-uuid": "899ce53f-13a0-479b-a0e4-67d46e241542", - "target-uuid": "afc079f3-c0ea-4096-b75d-3f05338b7f60" - }, - "uuid": "067814b5-aa57-45e0-9bdf-5536b077c224", - "value": "APT29 (G0016) uses Mimikatz (S0002)" - }, - { - "meta": { - "source-uuid": "7f8730af-f683-423f-9ee1-5f6875a80481", - "target-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6" - }, - "uuid": "c80250a5-79c0-4a46-a0e3-49d6bcd574c6", - "value": "Sys10 (S0060) uses 
Standard Application Layer Protocol (T1071)" - }, - { - "meta": { - "source-uuid": "68ba94ab-78b8-43e7-83e2-aed3466882c6", - "target-uuid": "afc079f3-c0ea-4096-b75d-3f05338b7f60" - }, - "uuid": "7a783e7e-a735-42d7-874d-633b37e21033", - "value": "APT34 (G0057) uses Mimikatz (S0002)" - }, - { - "meta": { - "source-uuid": "26fed817-e7bf-41f9-829a-9075ffac45c2", - "target-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1" - }, - "uuid": "49af09c8-1460-485d-9f09-dacea47fa016", - "value": "Kasidet (S0088) uses System Information Discovery (T1082)" - }, - { - "meta": { - "source-uuid": "bef4c620-0787-42a8-a96d-b7eb6e85917c", - "target-uuid": "2dd34b01-6110-4aac-835d-b5e7b936b0be" - }, - "uuid": "bceada36-e6ba-49b9-b9f8-99e37e6cbf9e", - "value": "APT28 (G0007) uses OLDBAIT (S0138)" - }, - { - "meta": { - "source-uuid": "66b1dcde-17a0-4c7b-95fa-b08d430c2131", - "target-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1" - }, - "uuid": "7fbb56bf-cadd-4663-8067-f233d4c9c751", - "value": "S-Type (S0085) uses System Information Discovery (T1082)" - }, - { - "meta": { - "source-uuid": "6a2e693f-24e5-451a-9f88-b36a108e5662", - "target-uuid": "1608f3e1-598a-42f4-a01a-2e252e81728f" - }, - "uuid": "757bed64-558b-4ea7-84b9-b82d8b23f9b2", - "value": "APT1 (G0006) uses Email Collection (T1114)" - }, - { - "meta": { - "source-uuid": "dd9a85ad-6a92-4986-a215-b01d0ce7b987", - "target-uuid": "15dbf668-795c-41e6-8219-f0447c0e64ce" - }, - "uuid": "4d6def4b-69cf-4dca-848b-53de73536ad6", - "value": "Permission Groups Discovery Mitigation (T1069) mitigates Permission Groups Discovery (T1069)" - }, - { - "meta": { - "source-uuid": "9ea525fa-b0a9-4dde-84f2-bcea0137b3c1", - "target-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830" - }, - "uuid": "b8e50d79-c024-4dc1-aad2-d7181fbbf1bb", - "value": "MoonWind (S0149) uses Command-Line Interface (T1059)" - }, - { - "meta": { - "source-uuid": "6713ab67-e25b-49cc-808d-2b36d4fbc35c", - "target-uuid": "322bad5a-1c49-4d23-ab79-76d641794afa" - }, - "uuid": 
"7b529102-f95c-4ca1-a5c4-5a3497ab3674", - "value": "Ke3chang (G0004) uses System Service Discovery (T1007)" - }, - { - "meta": { - "source-uuid": "8901ac23-6b50-410c-b0dd-d8174a86f9b3", - "target-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81" - }, - "uuid": "5e6e745f-d756-4b6e-90e1-3adcf848570b", - "value": "Shamoon (S0140) uses Valid Accounts (T1078)" - }, - { - "meta": { - "source-uuid": "7a19ecb1-3c65-4de3-a230-993516aed6a6", - "target-uuid": "ffe742ed-9100-4686-9e00-c331da544787" - }, - "uuid": "4a6248d4-4fa1-404a-abed-84e9b7c32dbe", - "value": "Turla (G0010) uses Windows Admin Shares (T1077)" - }, - { - "meta": { - "source-uuid": "c5574ca0-d5a4-490a-b207-e4658e5fd1d7", - "target-uuid": "dfb5fa9b-3051-4b97-8035-08f80aef945b" - }, - "uuid": "79934567-99e6-4184-8b04-717a1b401006", - "value": "Scarlet Mimic (G0029) uses Psylo (S0078)" - }, - { - "meta": { - "source-uuid": "c93fccb1-e8e8-42cf-ae33-2ad1d183913a", - "target-uuid": "f24faf46-3b26-4dbb-98f2-63460498e433" - }, - "uuid": "ab687dca-2741-4920-a71e-e0e0444809c5", - "value": "Lazarus Group (G0032) uses Fallback Channels (T1008)" - }, - { - "meta": { - "source-uuid": "69d6f4a9-fcf0-4f51-bca7-597c51ad0bb8", - "target-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1" - }, - "uuid": "9b36e877-e637-46b8-bdf1-def74c977472", - "value": "Remsec (S0125) uses System Information Discovery (T1082)" - }, - { - "meta": { - "source-uuid": "f9d6633a-55e6-4adc-9263-6ae080421a13", - "target-uuid": "f4882e23-8aa7-4b12-b28a-b349c12ee9e0" - }, - "uuid": "110690db-fd9b-425a-9269-ec082f0af3f9", - "value": "Magic Hound (G0059) uses PowerShell (T1086)" - }, - { - "meta": { - "source-uuid": "65341f30-bec6-4b1d-8abf-1a5620446c29", - "target-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a" - }, - "uuid": "5077f774-95a4-459e-b88c-cb3a4dd5c8c6", - "value": "Reaver (S0172) uses Obfuscated Files or Information (T1027)" - }, - { - "meta": { - "source-uuid": "62ae52c9-7197-4f5b-be1d-10d2e1df2c96", - "target-uuid": 
"1ce03c65-5946-4ac9-9d4d-66db87e024bd" - }, - "uuid": "b41c70df-0955-408c-90ee-7acad8b080e1", - "value": "Domain Fronting Mitigation (T1172) mitigates Domain Fronting (T1172)" - }, - { - "meta": { - "source-uuid": "bef4c620-0787-42a8-a96d-b7eb6e85917c", - "target-uuid": "fb575479-14ef-41e9-bfab-0b7cf10bec73" - }, - "uuid": "5e9bee3d-ea86-4715-9fdc-199e10ef2161", - "value": "APT28 (G0007) uses ADVSTORESHELL (S0045)" - }, - { - "meta": { - "source-uuid": "fb366179-766c-4a4a-afa1-52bff1fd601c", - "target-uuid": "294e2560-bd48-44b2-9da2-833b5588ad11" - }, - "uuid": "c354d751-4688-49c5-9f9a-0d2bc705f645", - "value": "Threat Group-3390 (G0027) uses ipconfig (S0100)" - }, - { - "meta": { - "source-uuid": "67e6d66b-1b82-4699-b47a-e2efb6268d14", - "target-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6" - }, - "uuid": "9ef645ab-afd1-41d6-ad60-d207fd134748", - "value": "SeaDuke (S0053) uses Standard Application Layer Protocol (T1071)" - }, - { - "meta": { - "source-uuid": "bba595da-b73a-4354-aa6c-224d4de7cb4e", - "target-uuid": "7bc57495-ea59-4380-be31-a64af124ef18" - }, - "uuid": "2c09a27c-2eea-4287-9908-964533234e71", - "value": "cmd (S0106) uses File and Directory Discovery (T1083)" - }, - { - "meta": { - "source-uuid": "7a19ecb1-3c65-4de3-a230-993516aed6a6", - "target-uuid": "4664b683-f578-434f-919b-1c1aad2a1111" - }, - "uuid": "3643f451-322d-4f38-91a4-00a55a42c7f5", - "value": "Turla (G0010) uses netstat (S0104)" - }, - { - "meta": { - "source-uuid": "b42378e0-f147-496f-992a-26a49705395b", - "target-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2" - }, - "uuid": "3ef89472-470c-42c9-be01-155efe607b78", - "value": "PoisonIvy (S0012) uses Input Capture (T1056)" - }, - { - "meta": { - "source-uuid": "65341f30-bec6-4b1d-8abf-1a5620446c29", - "target-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6" - }, - "uuid": "797131cf-fef9-4ece-823f-e931393e72f8", - "value": "Reaver (S0172) uses Standard Application Layer Protocol (T1071)" - }, - { - "meta": { - "source-uuid": 
"58adaaa8-f1e8-4606-9a08-422e568461eb", - "target-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580" - }, - "uuid": "c8ce3bcd-b74f-497d-8f76-cc8c7333ab49", - "value": "SHOTPUT (S0063) uses Process Discovery (T1057)" - }, - { - "meta": { - "source-uuid": "fbb470da-1d44-4f29-bbb3-9efbe20f94a3", - "target-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22" - }, - "uuid": "ac72c3da-6b58-4f66-8476-8d3cc9ccf6bd", - "value": "Mivast (S0080) uses Credential Dumping (T1003)" - }, - { - "meta": { - "source-uuid": "4ca1929c-7d64-4aab-b849-badbfc0c760d", - "target-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a" - }, - "uuid": "cdbfa147-52be-411d-bcbd-f6dcbf91d7b5", - "value": "OilRig (G0049) uses Obfuscated Files or Information (T1027)" - }, - { - "meta": { - "source-uuid": "2e290bfe-93b5-48ce-97d6-edcd6d32b7cf", - "target-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add" - }, - "uuid": "253b56a5-232f-44bc-af4d-85ccc12a0577", - "value": "Gamaredon Group (G0047) uses Remote File Copy (T1105)" - }, - { - "meta": { - "source-uuid": "67fc172a-36fa-4a35-88eb-4ba730ed52a6", - "target-uuid": "cc7b8c4e-9be0-47ca-b0bb-83915ec3ee2f" - }, - "uuid": "a805a8d5-632c-48df-909d-c3d745652475", - "value": "BS2005 (S0014) uses Data Encoding (T1132)" - }, - { - "meta": { - "source-uuid": "ba06d68a-4891-4eb5-b634-152e05ec60ee", - "target-uuid": "c3888c54-775d-4b2f-b759-75a2ececcbfd" - }, - "uuid": "cff2088f-c003-4d03-aa8a-cca36753b930", - "value": "Data Transfer Size Limits Mitigation (T1030) mitigates Data Transfer Size Limits (T1030)" - }, - { - "meta": { - "source-uuid": "c93fccb1-e8e8-42cf-ae33-2ad1d183913a", - "target-uuid": "92d7da27-2d91-488e-a00c-059dc162766d" - }, - "uuid": "520f5440-740f-4efe-850e-ea4db340aef1", - "value": "Lazarus Group (G0032) uses Exfiltration Over Command and Control Channel (T1041)" - }, - { - "meta": { - "source-uuid": "7a19ecb1-3c65-4de3-a230-993516aed6a6", - "target-uuid": "7bc57495-ea59-4380-be31-a64af124ef18" - }, - "uuid": "fa6292a2-c184-4bc9-a37f-0c1ac61e1135", - "value": 
"Turla (G0010) uses File and Directory Discovery (T1083)" - }, - { - "meta": { - "source-uuid": "67e6d66b-1b82-4699-b47a-e2efb6268d14", - "target-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81" - }, - "uuid": "32864e94-8581-4f77-bf7d-53aaf3710f60", - "value": "SeaDuke (S0053) uses Valid Accounts (T1078)" - }, - { - "meta": { - "source-uuid": "1cc934e4-b01d-4543-a011-b988dfc1a458", - "target-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830" - }, - "uuid": "3ba2b8bc-1c5b-4cb3-8234-a7dc7b7552d0", - "value": "Matroyshka (S0167) uses Command-Line Interface (T1059)" - }, - { - "meta": { - "source-uuid": "e9595678-d269-469e-ae6b-75e49259de63", - "target-uuid": "830c9528-df21-472c-8c14-a036bf17d665" - }, - "uuid": "0c870326-6b8a-4279-bbd3-2c1ae23ba54a", - "value": "BADNEWS (S0128) uses Web Service (T1102)" - }, - { - "meta": { - "source-uuid": "98e8a977-3416-43aa-87fa-33e287e9c14c", - "target-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59" - }, - "uuid": "b6970925-a435-4942-b244-60e4f57acf86", - "value": "WINDSHIELD (S0155) uses File Deletion (T1107)" - }, - { - "meta": { - "source-uuid": "899ce53f-13a0-479b-a0e4-67d46e241542", - "target-uuid": "2daa14d6-cbf3-4308-bb8e-213c324a08e4" - }, - "uuid": "df9beafa-be6b-4e61-9a27-dfb9ec7d6aa3", - "value": "APT29 (G0016) uses HAMMERTOSS (S0037)" - }, - { - "meta": { - "source-uuid": "f9d6633a-55e6-4adc-9263-6ae080421a13", - "target-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2" - }, - "uuid": "023ff141-8ed7-4132-85a0-494fe075236b", - "value": "Magic Hound (G0059) uses Input Capture (T1056)" - }, - { - "meta": { - "source-uuid": "4ca1929c-7d64-4aab-b849-badbfc0c760d", - "target-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59" - }, - "uuid": "51f1d23c-1ccd-4cc4-918c-39e9a66e510b", - "value": "OilRig (G0049) uses File Deletion (T1107)" - }, - { - "meta": { - "source-uuid": "9ea525fa-b0a9-4dde-84f2-bcea0137b3c1", - "target-uuid": "348f1eef-964b-4eb6-bb53-69b3dcb0c643" - }, - "uuid": "5cceffd9-5818-4481-bce6-4e326548d6b4", - "value": "MoonWind 
(S0149) uses Peripheral Device Discovery (T1120)" - }, - { - "meta": { - "source-uuid": "b6b3dfc7-9a81-43ff-ac04-698bad48973a", - "target-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688" - }, - "uuid": "6db82410-1fcf-483a-be5b-cf09c361b4eb", - "value": "Daserf (S0187) uses Screen Capture (T1113)" - }, - { - "meta": { - "source-uuid": "090242d7-73fc-4738-af68-20162f7a5aae", - "target-uuid": "d69c8146-ab35-4d50-8382-6fc80e641d43" - }, - "uuid": "a33388b7-3803-442f-8e31-511eef055470", - "value": "APT17 (G0025) uses BLACKCOFFEE (S0069)" - }, - { - "meta": { - "source-uuid": "d6e88e18-81e8-4709-82d8-973095da1e70", - "target-uuid": "3cab1b76-2f40-4cd0-8d2c-7ed16eeb909c" - }, - "uuid": "bcd1d261-0228-468f-b02b-52e6784e2491", - "value": "APT16 (G0023) uses ELMER (S0064)" - }, - { - "meta": { - "source-uuid": "4c59cce8-cb48-4141-b9f1-f646edfaadb0", - "target-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4" - }, - "uuid": "fe3c4134-ddef-45f8-b83a-6865a01b9764", - "value": "Regin (S0019) uses Modify Registry (T1112)" - }, - { - "meta": { - "source-uuid": "0f862b01-99da-47cc-9bdb-db4a86a95bb1", - "target-uuid": "322bad5a-1c49-4d23-ab79-76d641794afa" - }, - "uuid": "bae7f2fb-99d8-4acf-b61e-f37a215aa82e", - "value": "Emissary (S0082) uses System Service Discovery (T1007)" - }, - { - "meta": { - "source-uuid": "8ae43c46-57ef-47d5-a77a-eebb35628db2", - "target-uuid": "478aa214-2ca7-4ec0-9978-18798e514790" - }, - "uuid": "b0099b28-bcb8-4214-8166-d9caed1b6491", - "value": "JHUHUGIT (S0044) uses New Service (T1050)" - }, - { - "meta": { - "source-uuid": "93f52415-0fe4-4d3d-896c-fc9b8e88ab90", - "target-uuid": "b6b3dfc7-9a81-43ff-ac04-698bad48973a" - }, - "uuid": "f52f1b34-a96a-45a0-8cc0-2f138a3f1257", - "value": "BRONZE BUTLER (G0060) uses Daserf (S0187)" - }, - { - "meta": { - "source-uuid": "7ecc3b4f-5cdb-457e-b55a-df376b359446", - "target-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0" - }, - "uuid": "df69c29c-01c4-4541-988e-8a5765439d56", - "value": "Poseidon Group (G0033) uses 
Masquerading (T1036)" - }, - { - "meta": { - "source-uuid": "fb575479-14ef-41e9-bfab-0b7cf10bec73", - "target-uuid": "d54416bd-0803-41ca-870a-ce1af7c05638" - }, - "uuid": "2a8f0313-4059-42b9-b487-6c8f860588c0", - "value": "ADVSTORESHELL (S0045) uses Data Encrypted (T1022)" - }, - { - "meta": { - "source-uuid": "4ca1929c-7d64-4aab-b849-badbfc0c760d", - "target-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830" - }, - "uuid": "2c79282f-5e60-48b9-962a-d61c3d73b334", - "value": "OilRig (G0049) uses Command-Line Interface (T1059)" - }, - { - "meta": { - "source-uuid": "7551188b-8f91-4d34-8350-0d0c57b2b913", - "target-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0" - }, - "uuid": "340d4ef7-816b-4758-994f-b913df78afd7", - "value": "Elise (S0081) uses System Network Configuration Discovery (T1016)" - }, - { - "meta": { - "source-uuid": "7331c66a-5601-4d3f-acf6-ad9e3035eb40", - "target-uuid": "6ff403bc-93e3-48be-8687-e102fdba8c88" - }, - "uuid": "b9083516-7dd3-4ef2-808a-1df48894122b", - "value": "Group5 (G0043) uses Software Packing (T1045)" - }, - { - "meta": { - "source-uuid": "fbe9387f-34e6-4828-ac28-3080020c597b", - "target-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81" - }, - "uuid": "d3b787ec-795c-481b-94e5-ff42dc56d79d", - "value": "FIN10 (G0051) uses Valid Accounts (T1078)" - }, - { - "meta": { - "source-uuid": "6b616fc1-1505-48e3-8b2c-0d19337bff38", - "target-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4" - }, - "uuid": "bad90106-a150-4d76-b39f-f35aab4ac766", - "value": "Rover (S0090) uses Modify Registry (T1112)" - }, - { - "meta": { - "source-uuid": "af2ad3b7-ab6a-4807-91fd-51bcaff9acbb", - "target-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc" - }, - "uuid": "5b686a7c-4fcd-44c2-9f57-1d88d6633ef4", - "value": "USBStealer (S0136) uses Registry Run Keys / Start Folder (T1060)" - }, - { - "meta": { - "source-uuid": "ff6840c9-4c87-4d07-bbb6-9f50aa33d498", - "target-uuid": "1035cdf2-3e5f-446f-a7a7-e8f6d7925967" - }, - "uuid": "07d16181-ba82-42c8-a67b-8d7d5adef52d", - "value": 
"Flame (S0143) uses Audio Capture (T1123)" - }, - { - "meta": { - "source-uuid": "64d76fa5-cf8f-469c-b78c-1a4f7c5bad80", - "target-uuid": "f44731de-ea9f-406d-9b83-30ecbb9b4392" - }, - "uuid": "59b39f06-a71c-42f7-92f2-244a183113d6", - "value": "BBSRAT (S0127) uses Service Execution (T1035)" - }, - { - "meta": { - "source-uuid": "17862c7d-9e60-48a0-b48e-da4dc4c3f6b0", - "target-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1" - }, - "uuid": "e8068ad2-97b3-4693-a6ad-a8ee9a272890", - "value": "Patchwork (G0040) uses System Information Discovery (T1082)" - }, - { - "meta": { - "source-uuid": "aafea02e-ece5-4bb2-91a6-3bf8c7f38a39", - "target-uuid": "3489cfc5-640f-4bb3-a103-9137b97de79f" - }, - "uuid": "e8048bf8-3931-4d6b-b4a6-475ff717cbae", - "value": "Cobalt Strike (S0154) uses Network Share Discovery (T1135)" - }, - { - "meta": { - "source-uuid": "8ae43c46-57ef-47d5-a77a-eebb35628db2", - "target-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add" - }, - "uuid": "f39d9e4d-b4f9-4c12-aa8e-a44f8550b57f", - "value": "JHUHUGIT (S0044) uses Remote File Copy (T1105)" - }, - { - "meta": { - "source-uuid": "687c23e4-4e25-4ee7-a870-c5e002511f54", - "target-uuid": "f24faf46-3b26-4dbb-98f2-63460498e433" - }, - "uuid": "b2ab26e2-eb90-4f19-b35a-b8a0a5438961", - "value": "DustySky (S0062) uses Fallback Channels (T1008)" - }, - { - "meta": { - "source-uuid": "2f1a9fd0-3b7c-4d77-a358-78db13adbe78", - "target-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2" - }, - "uuid": "0fec9b91-cd45-493b-b23e-abb3ed2513a0", - "value": "EvilGrab (S0152) uses Input Capture (T1056)" - }, - { - "meta": { - "source-uuid": "0a68f1f1-da74-4d28-8d9a-696c082706cc", - "target-uuid": "d519cfd5-f3a8-43a9-a846-ed0bb40672b1" - }, - "uuid": "542bb806-3e73-42f5-8a3e-86b498093f4b", - "value": "certutil (S0160) uses Install Root Certificate (T1130)" - }, - { - "meta": { - "source-uuid": "0db09158-6e48-4e7c-8ce7-2b10b9c0c039", - "target-uuid": "c21d5a77-d422-4a69-acd7-2c53c1faa34b" - }, - "uuid": 
"5e53b45b-ca14-4e8b-8c76-0cf9cb572a92", - "value": "Misdat (S0083) uses Standard Non-Application Layer Protocol (T1095)" - }, - { - "meta": { - "source-uuid": "c93fccb1-e8e8-42cf-ae33-2ad1d183913a", - "target-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580" - }, - "uuid": "699ddfef-6e95-42cf-b212-dc661f790adc", - "value": "Lazarus Group (G0032) uses Process Discovery (T1057)" - }, - { - "meta": { - "source-uuid": "326af1cd-78e7-45b7-a326-125d2f7ef8f2", - "target-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0" - }, - "uuid": "92711ee1-041b-4e35-a322-3e16790fcce2", - "value": "Crimson (S0115) uses System Network Configuration Discovery (T1016)" - }, - { - "meta": { - "source-uuid": "bef4c620-0787-42a8-a96d-b7eb6e85917c", - "target-uuid": "afc079f3-c0ea-4096-b75d-3f05338b7f60" - }, - "uuid": "5cfcbf60-454a-4673-aa93-9020d04efab7", - "value": "APT28 (G0007) uses Mimikatz (S0002)" - }, - { - "meta": { - "source-uuid": "26fed817-e7bf-41f9-829a-9075ffac45c2", - "target-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688" - }, - "uuid": "ade60661-8dfb-473a-8d12-014ba0273934", - "value": "Kasidet (S0088) uses Screen Capture (T1113)" - }, - { - "meta": { - "source-uuid": "2f1a9fd0-3b7c-4d77-a358-78db13adbe78", - "target-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc" - }, - "uuid": "cd1e409b-e981-4c83-a9ea-86705a45f92c", - "value": "EvilGrab (S0152) uses Registry Run Keys / Start Folder (T1060)" - }, - { - "meta": { - "source-uuid": "93f52415-0fe4-4d3d-896c-fc9b8e88ab90", - "target-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6" - }, - "uuid": "58fdc63b-05b4-4db9-90fe-c80f7956292f", - "value": "BRONZE BUTLER (G0060) uses Standard Application Layer Protocol (T1071)" - }, - { - "meta": { - "source-uuid": "aafea02e-ece5-4bb2-91a6-3bf8c7f38a39", - "target-uuid": "dcaa092b-7de9-4a21-977f-7fcb77e89c48" - }, - "uuid": "6863078f-fe93-4b84-ad7f-dffe494d9265", - "value": "Cobalt Strike (S0154) uses Access Token Manipulation (T1134)" - }, - { - "meta": { - "source-uuid": 
"0f862b01-99da-47cc-9bdb-db4a86a95bb1", - "target-uuid": "15dbf668-795c-41e6-8219-f0447c0e64ce" - }, - "uuid": "8ca14a24-b8b3-4669-ae56-e7102b543dc6", - "value": "Emissary (S0082) uses Permission Groups Discovery (T1069)" - }, - { - "meta": { - "source-uuid": "aafea02e-ece5-4bb2-91a6-3bf8c7f38a39", - "target-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670" - }, - "uuid": "5b9fbec2-0e72-44ef-94a5-a9f702469c93", - "value": "Cobalt Strike (S0154) uses Execution through API (T1106)" - }, - { - "meta": { - "source-uuid": "08d20cd2-f084-45ee-8558-fa6ef5a18519", - "target-uuid": "ad255bfe-a9e6-4b52-a258-8d3462abe842" - }, - "uuid": "0e27ebb3-2d48-48f6-ab99-968c0a992c61", - "value": "Downdelph (S0134) uses Data Obfuscation (T1001)" - }, - { - "meta": { - "source-uuid": "17862c7d-9e60-48a0-b48e-da4dc4c3f6b0", - "target-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5" - }, - "uuid": "8e28cc53-3fd4-42ed-8516-71fd9ee57641", - "value": "Patchwork (G0040) uses Data from Local System (T1005)" - }, - { - "meta": { - "source-uuid": "65341f30-bec6-4b1d-8abf-1a5620446c29", - "target-uuid": "970cdb5c-02fb-4c38-b17e-d6327cf3c810" - }, - "uuid": "0fee8bfd-aec2-44a7-8182-530a648006f3", - "value": "Reaver (S0172) uses Shortcut Modification (T1023)" - }, - { - "meta": { - "source-uuid": "d69c8146-ab35-4d50-8382-6fc80e641d43", - "target-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830" - }, - "uuid": "41747c46-1dd1-418b-84e9-75710f17a10c", - "value": "BLACKCOFFEE (S0069) uses Command-Line Interface (T1059)" - }, - { - "meta": { - "source-uuid": "7bec698a-7e20-4fd3-bb6a-12787770fb1a", - "target-uuid": "7bc57495-ea59-4380-be31-a64af124ef18" - }, - "uuid": "7c0995ef-ab5d-48f9-8884-7d953c4c3247", - "value": "3PARA RAT (S0066) uses File and Directory Discovery (T1083)" - }, - { - "meta": { - "source-uuid": "5ce5392a-3a6c-4e07-9df3-9b6a9159ac45", - "target-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d" - }, - "uuid": "a442fcac-55d7-49ff-8ecf-ca61885c27e2", - "value": "Putter Panda (G0024) uses Process 
Injection (T1055)" - }, - { - "meta": { - "source-uuid": "60c18d06-7b91-4742-bae3-647845cd9d81", - "target-uuid": "519630c5-f03f-4882-825c-3af924935817" - }, - "uuid": "9b88372d-4f3f-4442-906d-9ab07e22e781", - "value": "CORESHELL (S0137) uses Binary Padding (T1009)" - }, - { - "meta": { - "source-uuid": "64fa0de0-6240-41f4-8638-f4ca7ed528fd", - "target-uuid": "99709758-2b96-48f2-a68a-ad7fbd828091" - }, - "uuid": "2c48f039-61f7-4af4-974b-f0e0fcf95f58", - "value": "PlugX (S0013) uses Multiband Communication (T1026)" - }, - { - "meta": { - "source-uuid": "9da16278-c6c5-4410-8a6b-9c16ce8005b3", - "target-uuid": "2892b9ee-ca9f-4723-b332-0dc6e843a8ae" - }, - "uuid": "701a2767-70f3-44f1-a397-9c04517ece67", - "value": "Screensaver Mitigation (T1180) mitigates Screensaver (T1180)" - }, - { - "meta": { - "source-uuid": "691c60e2-273d-4d56-9ce6-b67e0f8719ad", - "target-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc" - }, - "uuid": "55df3b40-b130-4313-9064-6b0fc56564d0", - "value": "Truvasys (S0178) uses Registry Run Keys / Start Folder (T1060)" - }, - { - "meta": { - "source-uuid": "92ec0cbd-2c30-44a2-b270-73f4ec949841", - "target-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2" - }, - "uuid": "23e2dc58-4b8d-48d8-82fd-d051892a7d58", - "value": "RTM (S0148) uses Input Capture (T1056)" - }, - { - "meta": { - "source-uuid": "66b1dcde-17a0-4c7b-95fa-b08d430c2131", - "target-uuid": "f24faf46-3b26-4dbb-98f2-63460498e433" - }, - "uuid": "4b23ac99-3761-46f0-ad5d-2cf63a95036a", - "value": "S-Type (S0085) uses Fallback Channels (T1008)" - }, - { - "meta": { - "source-uuid": "c93fccb1-e8e8-42cf-ae33-2ad1d183913a", - "target-uuid": "731f4f55-b6d0-41d1-a7a9-072a66389aea" - }, - "uuid": "39fdd17c-5f59-4daf-bf14-95841b5ec248", - "value": "Lazarus Group (G0032) uses Connection Proxy (T1090)" - }, - { - "meta": { - "source-uuid": "d519164e-f5fa-4b8c-a1fb-cf0172ad0983", - "target-uuid": "ff6caf67-ea1f-4895-b80e-4bb0fc31c6db" - }, - "uuid": "f1af286d-9367-45de-aced-a762838e58bd", - "value": "Threat 
Group-1314 (G0028) uses PsExec (S0029)" - }, - { - "meta": { - "source-uuid": "7551188b-8f91-4d34-8350-0d0c57b2b913", - "target-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6" - }, - "uuid": "bc60180b-2db6-4e0d-8b98-d349db637777", - "value": "Elise (S0081) uses Standard Application Layer Protocol (T1071)" - }, - { - "meta": { - "source-uuid": "bef4c620-0787-42a8-a96d-b7eb6e85917c", - "target-uuid": "02fefddc-fb1b-423f-a76b-7552dd211d4d" - }, - "uuid": "9e90e4a5-844c-4516-9044-6f35bbf27806", - "value": "APT28 (G0007) uses Bootkit (T1067)" - }, - { - "meta": { - "source-uuid": "85403903-15e0-4f9f-9be4-a259ecad4022", - "target-uuid": "30208d3e-0d6b-43c8-883e-44462a514619" - }, - "uuid": "55ffbd77-ec97-4dca-9399-b9e4b62fbbf8", - "value": "FIN5 (G0053) uses Automated Collection (T1119)" - }, - { - "meta": { - "source-uuid": "9ea525fa-b0a9-4dde-84f2-bcea0137b3c1", - "target-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0" - }, - "uuid": "c585ae70-1bda-4751-ad34-536a78b7daad", - "value": "MoonWind (S0149) uses System Network Configuration Discovery (T1016)" - }, - { - "meta": { - "source-uuid": "40d3e230-ed32-469f-ba89-be70cc08ab39", - "target-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104" - }, - "uuid": "6c71a59f-05e6-44cc-ace5-33200e1f0846", - "value": "Agent.btz (S0092) uses System Owner/User Discovery (T1033)" - }, - { - "meta": { - "source-uuid": "025bdaa9-897d-4bad-afa6-013ba5734653", - "target-uuid": "a8d3d497-2da9-4797-8e0b-ed176be08654" - }, - "uuid": "877a67b0-5dea-467c-9da1-8eee3bcc19a6", - "value": "NEODYMIUM (G0055) uses Wingbird (S0176)" - }, - { - "meta": { - "source-uuid": "93f52415-0fe4-4d3d-896c-fc9b8e88ab90", - "target-uuid": "242f3da3-4425-4d11-8f5c-b842886da966" - }, - "uuid": "fc79f30d-94c8-400e-ab10-21d2a2527788", - "value": "BRONZE BUTLER (G0060) uses Windows Credential Editor (S0005)" - }, - { - "meta": { - "source-uuid": "68ba94ab-78b8-43e7-83e2-aed3466882c6", - "target-uuid": "f4882e23-8aa7-4b12-b28a-b349c12ee9e0" - }, - "uuid": 
"7df747e6-81a1-4bb0-b47f-96136694f2d0", - "value": "APT34 (G0057) uses PowerShell (T1086)" - }, - { - "meta": { - "source-uuid": "68dca94f-c11d-421e-9287-7c501108e18c", - "target-uuid": "72b74d71-8169-42aa-92e0-e7b04b9f5a08" - }, - "uuid": "2db406cf-667d-4ad6-b768-7645f6663ac9", - "value": "Duqu (S0038) uses Account Discovery (T1087)" - }, - { - "meta": { - "source-uuid": "00c3bfcb-99bd-4767-8c03-b08f585f5c8a", - "target-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1" - }, - "uuid": "1fda6ff7-a344-4bc3-b545-4083cc15290d", - "value": "PowerDuke (S0139) uses System Information Discovery (T1082)" - }, - { - "meta": { - "source-uuid": "0f862b01-99da-47cc-9bdb-db4a86a95bb1", - "target-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a" - }, - "uuid": "021c3289-43bb-4787-9d7e-6ad17b3ce84f", - "value": "Emissary (S0082) uses Obfuscated Files or Information (T1027)" - }, - { - "meta": { - "source-uuid": "4c59cce8-cb48-4141-b9f1-f646edfaadb0", - "target-uuid": "731f4f55-b6d0-41d1-a7a9-072a66389aea" - }, - "uuid": "52cf8793-2f13-45c2-8274-1a9bf5d6224a", - "value": "Regin (S0019) uses Connection Proxy (T1090)" - }, - { - "meta": { - "source-uuid": "e066bf86-9cfb-407a-9d25-26fd5d91e360", - "target-uuid": "f879d51c-5476-431c-aedf-f14d207e4d1e" - }, - "uuid": "030fb5ef-3900-4f60-a1d2-0f1d67940aed", - "value": "HTTPBrowser (S0070) uses Commonly Used Port (T1043)" - }, - { - "meta": { - "source-uuid": "ff5d862a-ae6b-4833-8c15-e235d654d28e", - "target-uuid": "9b52fca7-1a36-4da0-b62d-da5bd83b4d69" - }, - "uuid": "a65de154-e0dd-445f-9f26-8459a287c790", - "value": "Component Object Model Hijacking Mitigation (T1122) mitigates Component Object Model Hijacking (T1122)" - }, - { - "meta": { - "source-uuid": "7a19ecb1-3c65-4de3-a230-993516aed6a6", - "target-uuid": "7fcbc4e8-1989-441f-9ac5-e7b6ff5806f1" - }, - "uuid": "8cdfc8e4-b657-4ae9-b9ee-9b6107fae796", - "value": "Turla (G0010) uses Systeminfo (S0096)" - }, - { - "meta": { - "source-uuid": "17b40f60-729f-4fe8-8aea-cc9ee44a95d5", - 
"target-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688" - }, - "uuid": "48fb8267-5d68-467b-a2c0-8302cc15ebed", - "value": "RedLeaves (S0153) uses Screen Capture (T1113)" - }, - { - "meta": { - "source-uuid": "4c59cce8-cb48-4141-b9f1-f646edfaadb0", - "target-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2" - }, - "uuid": "385f57f4-87b6-4126-ab67-531e482ec9bc", - "value": "Regin (S0019) uses Input Capture (T1056)" - }, - { - "meta": { - "source-uuid": "02f0f92a-0a51-4c94-9bda-6437b9a93f22", - "target-uuid": "e2907cea-4b43-4ed7-a570-0fdf0fbeea00" - }, - "uuid": "c5747927-2d3d-4d3b-a4d7-56a2b37b039e", - "value": "Space after Filename Mitigation (T1151) mitigates Space after Filename (T1151)" - }, - { - "meta": { - "source-uuid": "65341f30-bec6-4b1d-8abf-1a5620446c29", - "target-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc" - }, - "uuid": "3dcf441c-b987-4c6a-93e7-e24ae1e16475", - "value": "Reaver (S0172) uses Registry Run Keys / Start Folder (T1060)" - }, - { - "meta": { - "source-uuid": "43213480-78f7-4fb3-976f-d48f5f6a4c2a", - "target-uuid": "7bc57495-ea59-4380-be31-a64af124ef18" - }, - "uuid": "512e16e9-634c-45d3-b569-c25a3072bbdc", - "value": "FLASHFLOOD (S0036) uses File and Directory Discovery (T1083)" - }, - { - "meta": { - "source-uuid": "6a2e693f-24e5-451a-9f88-b36a108e5662", - "target-uuid": "afc079f3-c0ea-4096-b75d-3f05338b7f60" - }, - "uuid": "630dedba-136b-4ea3-956e-f8f38e96653d", - "value": "APT1 (G0006) uses Mimikatz (S0002)" - }, - { - "meta": { - "source-uuid": "59a97b15-8189-4d51-9404-e1ce8ea4a069", - "target-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670" - }, - "uuid": "fc4811c4-103b-48b7-9e52-20d574cfc4bf", - "value": "XAgentOSX (S0161) uses Execution through API (T1106)" - }, - { - "meta": { - "source-uuid": "37cc7eb6-12e3-467b-82e8-f20f2cc73c69", - "target-uuid": "1b7ba276-eedc-4951-a762-0ceea2c030ec" - }, - "uuid": "96e928af-dbfc-4743-a1dc-353904e21fd3", - "value": "Prikormka (S0113) uses Data from Removable Media (T1025)" - }, - { - "meta": { - 
"source-uuid": "8ae43c46-57ef-47d5-a77a-eebb35628db2", - "target-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9" - }, - "uuid": "1aa10371-6473-416a-8b8b-17c36f700233", - "value": "JHUHUGIT (S0044) uses Scheduled Task (T1053)" - }, - { - "meta": { - "source-uuid": "fb366179-766c-4a4a-afa1-52bff1fd601c", - "target-uuid": "6aabc5ec-eae6-422c-8311-38d45ee9838a" - }, - "uuid": "59a6700b-3ae5-4039-a07c-cbbf6eb7a78e", - "value": "Threat Group-3390 (G0027) uses Redundant Access (T1108)" - }, - { - "meta": { - "source-uuid": "9e57c770-5a39-49a2-bb91-253ba629e3ac", - "target-uuid": "6c174520-beea-43d9-aac6-28fb77f3e446" - }, - "uuid": "142800a5-62e9-48e9-97ef-186cfb68ffa1", - "value": "Security Support Provider Mitigation (T1101) mitigates Security Support Provider (T1101)" - }, - { - "meta": { - "source-uuid": "f9d6633a-55e6-4adc-9263-6ae080421a13", - "target-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6" - }, - "uuid": "2dd15583-34cd-4b49-a6ba-4bd647b7ff27", - "value": "Magic Hound (G0059) uses Standard Application Layer Protocol (T1071)" - }, - { - "meta": { - "source-uuid": "fb575479-14ef-41e9-bfab-0b7cf10bec73", - "target-uuid": "4b74a1d4-b0e9-4ef1-93f1-14ecc6e2f5b5" - }, - "uuid": "85a92b0f-f8c3-41a9-a1b3-cfbf8b442b39", - "value": "ADVSTORESHELL (S0045) uses Standard Cryptographic Protocol (T1032)" - }, - { - "meta": { - "source-uuid": "f8dfbc54-b070-4224-b560-79aaa5f835bd", - "target-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add" - }, - "uuid": "a7e5ffbc-d123-4f62-88eb-36b32656cd35", - "value": "H1N1 (S0132) uses Remote File Copy (T1105)" - }, - { - "meta": { - "source-uuid": "1cc934e4-b01d-4543-a011-b988dfc1a458", - "target-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc" - }, - "uuid": "4696a49d-caa1-4746-b106-45faf327270b", - "value": "Matroyshka (S0167) uses Registry Run Keys / Start Folder (T1060)" - }, - { - "meta": { - "source-uuid": "55033a4d-3ffe-46b2-99b4-2c1541e9ce1c", - "target-uuid": "478aa214-2ca7-4ec0-9978-18798e514790" - }, - "uuid": 
"aad8c4dc-db11-48b4-b294-f63ccde5e798", - "value": "Carbanak (G0008) uses New Service (T1050)" - }, - { - "meta": { - "source-uuid": "5e7ef1dc-7fb6-4913-ac75-e06113b59e0c", - "target-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add" - }, - "uuid": "67b49860-e1e4-4b56-bf83-108c4ac25e5c", - "value": "MiniDuke (S0051) uses Remote File Copy (T1105)" - }, - { - "meta": { - "source-uuid": "0bbdf25b-30ff-4894-a1cd-49260d0dd2d9", - "target-uuid": "e358d692-23c0-4a31-9eb6-ecc13a8d7735" - }, - "uuid": "e7714693-e792-44f0-a224-9899df75fced", - "value": "APT3 (G0022) uses Remote System Discovery (T1018)" - }, - { - "meta": { - "source-uuid": "aafea02e-ece5-4bb2-91a6-3bf8c7f38a39", - "target-uuid": "ffe742ed-9100-4686-9e00-c331da544787" - }, - "uuid": "dac7355a-9d13-4155-a053-d0c18fe92f53", - "value": "Cobalt Strike (S0154) uses Windows Admin Shares (T1077)" - }, - { - "meta": { - "source-uuid": "d3afa961-a80c-4043-9509-282cdf69ab21", - "target-uuid": "478aa214-2ca7-4ec0-9978-18798e514790" - }, - "uuid": "0a65c303-52a6-4624-a8fb-fc7448429139", - "value": "Winnti (S0141) uses New Service (T1050)" - }, - { - "meta": { - "source-uuid": "5a3a31fe-5a8f-48e1-bff0-a753e5b1be70", - "target-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830" - }, - "uuid": "19be6ce1-8eea-47ff-b87c-3358d390454d", - "value": "China Chopper (S0020) uses Command-Line Interface (T1059)" - }, - { - "meta": { - "source-uuid": "55033a4d-3ffe-46b2-99b4-2c1541e9ce1c", - "target-uuid": "afc079f3-c0ea-4096-b75d-3f05338b7f60" - }, - "uuid": "c4bea2b7-e8a2-45d0-bac2-4d82576c1521", - "value": "Carbanak (G0008) uses Mimikatz (S0002)" - }, - { - "meta": { - "source-uuid": "8c918d8a-11c5-4ffd-af10-e74bc06bdfae", - "target-uuid": "62b8c999-dcc0-4755-bd69-09442d9359f5" - }, - "uuid": "98c18956-03d7-49e5-93b2-44351682331d", - "value": "Rundll32 Mitigation (T1085) mitigates Rundll32 (T1085)" - }, - { - "meta": { - "source-uuid": "92ec0cbd-2c30-44a2-b270-73f4ec949841", - "target-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9" - }, - 
"uuid": "84e0c62b-b1a6-4ecd-8607-f0b516cb48f6", - "value": "RTM (S0148) uses Scheduled Task (T1053)" - }, - { - "meta": { - "source-uuid": "8901ac23-6b50-410c-b0dd-d8174a86f9b3", - "target-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4" - }, - "uuid": "af9347a3-00a9-4ece-b075-8c55bd4f4b9b", - "value": "Shamoon (S0140) uses Modify Registry (T1112)" - }, - { - "meta": { - "source-uuid": "59a97b15-8189-4d51-9404-e1ce8ea4a069", - "target-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104" - }, - "uuid": "31cd4eb1-f7b3-4030-b087-388d55faba03", - "value": "XAgentOSX (S0161) uses System Owner/User Discovery (T1033)" - }, - { - "meta": { - "source-uuid": "4c59cce8-cb48-4141-b9f1-f646edfaadb0", - "target-uuid": "f2d44246-91f1-478a-b6c8-1227e0ca109d" - }, - "uuid": "1ee44004-6aaa-4b22-934d-4f4ef82cbbd4", - "value": "Regin (S0019) uses NTFS Extended Attributes (T1096)" - }, - { - "meta": { - "source-uuid": "22addc7b-b39f-483d-979a-1b35147da5de", - "target-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104" - }, - "uuid": "af6e3f9e-7c71-484d-ab8e-5adaaaedea36", - "value": "WinMM (S0059) uses System Owner/User Discovery (T1033)" - }, - { - "meta": { - "source-uuid": "e9595678-d269-469e-ae6b-75e49259de63", - "target-uuid": "3b3cbbe0-6ed3-4334-b543-3ddfd8c5642d" - }, - "uuid": "1ba38510-0489-4305-944f-451e6869b30f", - "value": "BADNEWS (S0128) uses Custom Cryptographic Protocol (T1024)" - }, - { - "meta": { - "source-uuid": "5f9f7648-04ba-4a9f-bb4c-2a13e74572bd", - "target-uuid": "7bc57495-ea59-4380-be31-a64af124ef18" - }, - "uuid": "5d46a519-1ef9-4cdb-b737-8c7b3ffb4f0e", - "value": "Pteranodon (S0147) uses File and Directory Discovery (T1083)" - }, - { - "meta": { - "source-uuid": "aafea02e-ece5-4bb2-91a6-3bf8c7f38a39", - "target-uuid": "01a5a209-b94c-450b-b7f9-946497d91055" - }, - "uuid": "b9e624b0-47d1-4463-970b-fbb6ddcd7171", - "value": "Cobalt Strike (S0154) uses Windows Management Instrumentation (T1047)" - }, - { - "meta": { - "source-uuid": "8ae43c46-57ef-47d5-a77a-eebb35628db2", - 
"target-uuid": "03259939-0b57-482f-8eb5-87c0e0d54334" - }, - "uuid": "70d5a73c-cc14-410a-a430-5948cd21532f", - "value": "JHUHUGIT (S0044) uses Logon Scripts (T1037)" - }, - { - "meta": { - "source-uuid": "277d2f87-2ae5-4730-a3aa-50c1fdff9656", - "target-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22" - }, - "uuid": "8cbb1567-70c5-4daf-b163-cbc6cc40a794", - "value": "Strider (G0041) uses Credential Dumping (T1003)" - }, - { - "meta": { - "source-uuid": "2e290bfe-93b5-48ce-97d6-edcd6d32b7cf", - "target-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1" - }, - "uuid": "36112f24-7814-4c75-b5b7-a1205bb28b68", - "value": "Gamaredon Group (G0047) uses System Information Discovery (T1082)" - }, - { - "meta": { - "source-uuid": "68ba94ab-78b8-43e7-83e2-aed3466882c6", - "target-uuid": "a93494bb-4b80-4ea1-8695-3236a49916fd" - }, - "uuid": "04b44241-3ff4-4d46-9847-7cb2feaba84e", - "value": "APT34 (G0057) uses Brute Force (T1110)" - }, - { - "meta": { - "source-uuid": "0bbdf25b-30ff-4894-a1cd-49260d0dd2d9", - "target-uuid": "c9703cd3-141c-43a0-a926-380082be5d04" - }, - "uuid": "1c812537-dfaf-40da-a71b-a49c18870b77", - "value": "APT3 (G0022) uses schtasks (S0111)" - }, - { - "meta": { - "source-uuid": "2a158b0a-7ef8-43cb-9985-bf34d1e12050", - "target-uuid": "241814ae-de3f-4656-b49e-f9a80764d4b7" - }, - "uuid": "2e77d363-e38f-40ad-a6ef-9222dc12793d", - "value": "Naikon (G0019) uses Security Software Discovery (T1063)" - }, - { - "meta": { - "source-uuid": "17b40f60-729f-4fe8-8aea-cc9ee44a95d5", - "target-uuid": "f72eb8a8-cd4c-461d-a814-3f862befbf00" - }, - "uuid": "4176d195-5740-47c2-874d-51704e7d293e", - "value": "RedLeaves (S0153) uses Custom Command and Control Protocol (T1094)" - }, - { - "meta": { - "source-uuid": "e669bb87-f773-4c7b-bfcc-a9ffebfdd8d4", - "target-uuid": "0f20e3cb-245b-4a61-8a91-2d93f7cb0e9b" - }, - "uuid": "69b9edd8-c1a8-4cbd-bd94-9af0fdefe013", - "value": "HIDEDRV (S0135) uses Rootkit (T1014)" - }, - { - "meta": { - "source-uuid": 
"247cb30b-955f-42eb-97a5-a89fef69341e", - "target-uuid": "c16e5409-ee53-4d79-afdc-4099dc9292df" - }, - "uuid": "c7017855-dc52-4e9d-977f-3af701e094c8", - "value": "APT32 (G0050) uses Web Shell (T1100)" - }, - { - "meta": { - "source-uuid": "7551188b-8f91-4d34-8350-0d0c57b2b913", - "target-uuid": "62b8c999-dcc0-4755-bd69-09442d9359f5" - }, - "uuid": "37ab6b56-033c-4cb6-8d1b-e7ff5dcf668d", - "value": "Elise (S0081) uses Rundll32 (T1085)" - }, - { - "meta": { - "source-uuid": "5a33468d-844d-4b1f-98c9-0e786c556b27", - "target-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22" - }, - "uuid": "d3b810ed-0be4-448b-b1ac-aa3a7dd16c91", - "value": "MimiPenguin (S0179) uses Credential Dumping (T1003)" - }, - { - "meta": { - "source-uuid": "94e95eeb-7cdb-4bd7-afba-f32fda303dbb", - "target-uuid": "e7eab98d-ae11-4491-bd28-a53ba875865a" - }, - "uuid": "4c2b4c0f-0ded-4f0f-ad5a-a95241ba927e", - "value": "Network Share Connection Removal Mitigation (T1126) mitigates Network Share Connection Removal (T1126)" - }, - { - "meta": { - "source-uuid": "8b880b41-5139-4807-baa9-309690218719", - "target-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc" - }, - "uuid": "689c51b8-7e41-474e-abf6-ffdde0acc40b", - "value": "SPACESHIP (S0035) uses Registry Run Keys / Start Folder (T1060)" - }, - { - "meta": { - "source-uuid": "d1acfbb3-647b-4723-9154-800ec119006e", - "target-uuid": "b9f5dbe2-4c55-4fc5-af2e-d42c1d182ec4" - }, - "uuid": "953134ab-5816-43b8-b2b1-8f4c9305f57a", - "value": "Sowbug (G0054) uses Data Compressed (T1002)" - }, - { - "meta": { - "source-uuid": "38fd6a28-3353-4f2b-bb2b-459fecd5c648", - "target-uuid": "88c621a7-aef9-4ae0-94e3-1fc87123eb24" - }, - "uuid": "80c071f7-123e-468f-800d-726a1d3e4144", - "value": "APT18 (G0026) uses gh0st (S0032)" - }, - { - "meta": { - "source-uuid": "fb366179-766c-4a4a-afa1-52bff1fd601c", - "target-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22" - }, - "uuid": "36b9f594-9a27-4281-a18e-9a5e7df70ad9", - "value": "Threat Group-3390 (G0027) uses Credential Dumping 
(T1003)" - }, - { - "meta": { - "source-uuid": "4ca1929c-7d64-4aab-b849-badbfc0c760d", - "target-uuid": "c16e5409-ee53-4d79-afdc-4099dc9292df" - }, - "uuid": "2dbed740-1b50-4d59-a729-a1d9e6a839df", - "value": "OilRig (G0049) uses Web Shell (T1100)" - }, - { - "meta": { - "source-uuid": "3753cc21-2dae-4dfb-8481-d004e74502cc", - "target-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0" - }, - "uuid": "37ba7858-8765-4445-a65e-d2765b673b34", - "value": "FIN7 (G0046) uses Masquerading (T1036)" - }, - { - "meta": { - "source-uuid": "1c63d4ec-0a75-4daa-b1df-0d11af3d3cc1", - "target-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59" - }, - "uuid": "b0db4b00-8716-430f-a9d8-29a878a12eac", - "value": "Dragonfly (G0035) uses File Deletion (T1107)" - }, - { - "meta": { - "source-uuid": "196f1f32-e0c2-4d46-99cd-234d4b6befe1", - "target-uuid": "3b3cbbe0-6ed3-4334-b543-3ddfd8c5642d" - }, - "uuid": "fa035513-59b6-4f54-8b85-13ec08849453", - "value": "Felismus (S0171) uses Custom Cryptographic Protocol (T1024)" - }, - { - "meta": { - "source-uuid": "e6ef745b-077f-42e1-a37d-29eecff9c754", - "target-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc" - }, - "uuid": "327a64df-b405-453b-83d2-528d17e8df51", - "value": "CozyCar (S0046) uses Registry Run Keys / Start Folder (T1060)" - }, - { - "meta": { - "source-uuid": "68ba94ab-78b8-43e7-83e2-aed3466882c6", - "target-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a" - }, - "uuid": "3fe559f9-9bee-48ea-8a7c-7d65b63419ee", - "value": "APT34 (G0057) uses Obfuscated Files or Information (T1027)" - }, - { - "meta": { - "source-uuid": "6a2e693f-24e5-451a-9f88-b36a108e5662", - "target-uuid": "51dea151-0898-4a45-967c-3ebee0420484" - }, - "uuid": "fc2ffb01-2c4e-429d-b4fd-e0d20678504a", - "value": "APT1 (G0006) uses Remote Desktop Protocol (T1076)" - }, - { - "meta": { - "source-uuid": "24478001-2eb3-4b06-a02e-96b3d61d27ec", - "target-uuid": "428ca9f8-0e33-442a-be87-f869cb4cf73e" - }, - "uuid": "a1f198ef-af69-4c0f-b3ed-0b47ad6167fe", - "value": "Multilayer Encryption 
Mitigation (T1079) mitigates Multilayer Encryption (T1079)" - }, - { - "meta": { - "source-uuid": "e9595678-d269-469e-ae6b-75e49259de63", - "target-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2" - }, - "uuid": "3e09a5ce-a6a0-4f03-8c23-a7ebb4dfd74c", - "value": "BADNEWS (S0128) uses Input Capture (T1056)" - }, - { - "meta": { - "source-uuid": "2a7914cf-dff3-428d-ab0f-1014d1c28aeb", - "target-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9" - }, - "uuid": "aea8401e-774e-47b1-86ac-220cacd11a3c", - "value": "FIN6 (G0037) uses Scheduled Task (T1053)" - }, - { - "meta": { - "source-uuid": "92ec0cbd-2c30-44a2-b270-73f4ec949841", - "target-uuid": "f72eb8a8-cd4c-461d-a814-3f862befbf00" - }, - "uuid": "865a5b25-6908-4ad9-a81d-33f3cf48e357", - "value": "RTM (S0148) uses Custom Command and Control Protocol (T1094)" - }, - { - "meta": { - "source-uuid": "0998045d-f96e-4284-95ce-3c8219707486", - "target-uuid": "c16e5409-ee53-4d79-afdc-4099dc9292df" - }, - "uuid": "bbe37d7e-ad35-4c74-a57c-9a398ef6b1be", - "value": "SEASHARPEE (S0185) uses Web Shell (T1100)" - }, - { - "meta": { - "source-uuid": "fb366179-766c-4a4a-afa1-52bff1fd601c", - "target-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2" - }, - "uuid": "6b5c6fc2-615a-46fc-80a4-9ab332159722", - "value": "Threat Group-3390 (G0027) uses Input Capture (T1056)" - }, - { - "meta": { - "source-uuid": "8901ac23-6b50-410c-b0dd-d8174a86f9b3", - "target-uuid": "478aa214-2ca7-4ec0-9978-18798e514790" - }, - "uuid": "4e9c5234-65e9-4b4a-bc13-891e7aed84b2", - "value": "Shamoon (S0140) uses New Service (T1050)" - }, - { - "meta": { - "source-uuid": "68ba94ab-78b8-43e7-83e2-aed3466882c6", - "target-uuid": "4b74a1d4-b0e9-4ef1-93f1-14ecc6e2f5b5" - }, - "uuid": "98852860-145c-40f0-86af-b32dd61fa008", - "value": "APT34 (G0057) uses Standard Cryptographic Protocol (T1032)" - }, - { - "meta": { - "source-uuid": "2fab555f-7664-4623-b4e0-1675ae38190b", - "target-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22" - }, - "uuid": 
"56e40368-38a7-4415-9ebc-8c84694bc7d6", - "value": "Lslsass (S0121) uses Credential Dumping (T1003)" - }, - { - "meta": { - "source-uuid": "c95c8b5c-b431-43c9-9557-f494805e2502", - "target-uuid": "6ff403bc-93e3-48be-8687-e102fdba8c88" - }, - "uuid": "35572bdc-c7a2-442b-8d9a-7691317b6982", - "value": "Software Packing Mitigation (T1045) mitigates Software Packing (T1045)" - }, - { - "meta": { - "source-uuid": "1c63d4ec-0a75-4daa-b1df-0d11af3d3cc1", - "target-uuid": "51dea151-0898-4a45-967c-3ebee0420484" - }, - "uuid": "496e66ff-2c9f-454c-af36-49c7dc098493", - "value": "Dragonfly (G0035) uses Remote Desktop Protocol (T1076)" - }, - { - "meta": { - "source-uuid": "56f46b17-8cfa-46c0-b501-dd52fef394e2", - "target-uuid": "c16e5409-ee53-4d79-afdc-4099dc9292df" - }, - "uuid": "660d09ce-8722-42b3-8503-911dff37bf22", - "value": "ASPXSpy (S0073) uses Web Shell (T1100)" - }, - { - "meta": { - "source-uuid": "6a0ef5d4-fc7c-4dda-85d7-592e4dbdc5d9", - "target-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d" - }, - "uuid": "df5bee66-b840-405e-b9d5-2e0ced2e6808", - "value": "Sykipot (S0018) uses Process Injection (T1055)" - }, - { - "meta": { - "source-uuid": "64d76fa5-cf8f-469c-b78c-1a4f7c5bad80", - "target-uuid": "9b52fca7-1a36-4da0-b62d-da5bd83b4d69" - }, - "uuid": "8793b289-4b74-4119-8561-a9ad27dacdff", - "value": "BBSRAT (S0127) uses Component Object Model Hijacking (T1122)" - }, - { - "meta": { - "source-uuid": "d1acfbb3-647b-4723-9154-800ec119006e", - "target-uuid": "7bc57495-ea59-4380-be31-a64af124ef18" - }, - "uuid": "0efa0a7a-545d-49e2-b0c4-0e251226404a", - "value": "Sowbug (G0054) uses File and Directory Discovery (T1083)" - }, - { - "meta": { - "source-uuid": "93f52415-0fe4-4d3d-896c-fc9b8e88ab90", - "target-uuid": "c9703cd3-141c-43a0-a926-380082be5d04" - }, - "uuid": "d691e305-8ce5-40cd-a648-b0dcab329e69", - "value": "BRONZE BUTLER (G0060) uses schtasks (S0111)" - }, - { - "meta": { - "source-uuid": "17862c7d-9e60-48a0-b48e-da4dc4c3f6b0", - "target-uuid": 
"e6919abc-99f9-4c6c-95a5-14761e7b2add" - }, - "uuid": "da734f6c-de0d-44f1-9521-6607b800ad43", - "value": "Patchwork (G0040) uses Remote File Copy (T1105)" - }, - { - "meta": { - "source-uuid": "0ced8926-914e-4c78-bc93-356fb90dbd1f", - "target-uuid": "f4882e23-8aa7-4b12-b28a-b349c12ee9e0" - }, - "uuid": "bfdffca9-6418-486d-833f-84f3920fcb71", - "value": "HALFBAKED (S0151) uses PowerShell (T1086)" - }, - { - "meta": { - "source-uuid": "94379dec-5c87-49db-b36e-66abc0b81344", - "target-uuid": "7bc57495-ea59-4380-be31-a64af124ef18" - }, - "uuid": "b9fe8dd4-a3c9-4e58-9a74-937e4de677a8", - "value": "Derusbi (S0021) uses File and Directory Discovery (T1083)" - }, - { - "meta": { - "source-uuid": "fe98767f-9df8-42b9-83c9-004b1dec8647", - "target-uuid": "88c621a7-aef9-4ae0-94e3-1fc87123eb24" - }, - "uuid": "3f780c76-b5d5-43f9-b4f2-048106f00894", - "value": "PittyTiger (G0011) uses gh0st (S0032)" - }, - { - "meta": { - "source-uuid": "eff1a885-6f90-42a1-901f-eef6e7a1905e", - "target-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2" - }, - "uuid": "699ac754-3f3e-46de-9b2a-5ea450ef47fd", - "value": "Helminth (S0170) uses Input Capture (T1056)" - }, - { - "meta": { - "source-uuid": "1c63d4ec-0a75-4daa-b1df-0d11af3d3cc1", - "target-uuid": "1608f3e1-598a-42f4-a01a-2e252e81728f" - }, - "uuid": "59b95288-b954-4118-9a88-8e2ad85a1265", - "value": "Dragonfly (G0035) uses Email Collection (T1114)" - }, - { - "meta": { - "source-uuid": "5e595477-2e78-4ce7-ae42-e0b059b17808", - "target-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add" - }, - "uuid": "be31bf6d-ce4f-4620-8940-445f35ff90a7", - "value": "POSHSPY (S0150) uses Remote File Copy (T1105)" - }, - { - "meta": { - "source-uuid": "7a19ecb1-3c65-4de3-a230-993516aed6a6", - "target-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0" - }, - "uuid": "9eefeafd-aca1-4e4c-8d29-ea6f9154808a", - "value": "Turla (G0010) uses System Network Configuration Discovery (T1016)" - }, - { - "meta": { - "source-uuid": "2eb9b131-d333-4a48-9eb4-d8dec46c19ee", - 
"target-uuid": "1608f3e1-598a-42f4-a01a-2e252e81728f" - }, - "uuid": "bcb8ac03-4f58-4cd8-af58-c3df991c8af5", - "value": "CosmicDuke (S0050) uses Email Collection (T1114)" - }, - { - "meta": { - "source-uuid": "ff6caf67-ea1f-4895-b80e-4bb0fc31c6db", - "target-uuid": "ffe742ed-9100-4686-9e00-c331da544787" - }, - "uuid": "27102940-8ec1-42ad-98e5-57dc24b572eb", - "value": "PsExec (S0029) uses Windows Admin Shares (T1077)" - }, - { - "meta": { - "source-uuid": "e48df773-7c95-4a4c-ba70-ea3d15900148", - "target-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc" - }, - "uuid": "82826722-4278-438e-a8d0-5bd9fd117b2b", - "value": "DownPaper (S0186) uses Registry Run Keys / Start Folder (T1060)" - }, - { - "meta": { - "source-uuid": "93f52415-0fe4-4d3d-896c-fc9b8e88ab90", - "target-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0" - }, - "uuid": "2174c465-8855-4c92-a683-97eb0eba9f7c", - "value": "BRONZE BUTLER (G0060) uses Masquerading (T1036)" - }, - { - "meta": { - "source-uuid": "37cc7eb6-12e3-467b-82e8-f20f2cc73c69", - "target-uuid": "62b8c999-dcc0-4755-bd69-09442d9359f5" - }, - "uuid": "216ab163-818b-4303-beb6-a743b90c98bf", - "value": "Prikormka (S0113) uses Rundll32 (T1085)" - }, - { - "meta": { - "source-uuid": "55033a4d-3ffe-46b2-99b4-2c1541e9ce1c", - "target-uuid": "830c9528-df21-472c-8c14-a036bf17d665" - }, - "uuid": "a732c265-07f0-4e9b-a42c-0df6277e5b27", - "value": "Carbanak (G0008) uses Web Service (T1102)" - }, - { - "meta": { - "source-uuid": "7551188b-8f91-4d34-8350-0d0c57b2b913", - "target-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc" - }, - "uuid": "f696324d-7fb4-44ca-82dd-3385b55fbb80", - "value": "Elise (S0081) uses Registry Run Keys / Start Folder (T1060)" - }, - { - "meta": { - "source-uuid": "2daa14d6-cbf3-4308-bb8e-213c324a08e4", - "target-uuid": "f4882e23-8aa7-4b12-b28a-b349c12ee9e0" - }, - "uuid": "a3eca9d0-bc4b-48a8-801d-9aaa757bfe72", - "value": "HAMMERTOSS (S0037) uses PowerShell (T1086)" - }, - { - "meta": { - "source-uuid": 
"16ade1aa-0ea1-4bb7-88cc-9079df2ae756", - "target-uuid": "2a6f4c7b-e690-4cc7-ab6b-1f821fb6b80b" - }, - "uuid": "0a6ec458-f9f7-4e51-b0eb-4fd915a48a6b", - "value": "admin@338 (G0018) uses LOWBALL (S0042)" - }, - { - "meta": { - "source-uuid": "65370d0b-3bd4-4653-8cf9-daf56f6be830", - "target-uuid": "1ce03c65-5946-4ac9-9d4d-66db87e024bd" - }, - "uuid": "b1334535-019a-4d6a-88c1-8bb6741f152b", - "value": "meek (S0175) uses Domain Fronting (T1172)" - }, - { - "meta": { - "source-uuid": "f108215f-3487-489d-be8b-80e346d32518", - "target-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59" - }, - "uuid": "3b31b258-d3e0-4acc-9c20-de870baa64a0", - "value": "Komplex (S0162) uses File Deletion (T1107)" - }, - { - "meta": { - "source-uuid": "a653431d-6a5e-4600-8ad3-609b5af57064", - "target-uuid": "fbb470da-1d44-4f29-bbb3-9efbe20f94a3" - }, - "uuid": "235fe6f1-66d1-4cf4-adb9-3bc7f081144a", - "value": "Deep Panda (G0009) uses Mivast (S0080)" - }, - { - "meta": { - "source-uuid": "cde2d700-9ed1-46cf-9bce-07364fe8b24f", - "target-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4" - }, - "uuid": "baabf444-1748-472f-b991-7a5b25e4e1bb", - "value": "Reg (S0075) uses Modify Registry (T1112)" - }, - { - "meta": { - "source-uuid": "495b6cdb-7b5a-4fbc-8d33-e7ef68806d08", - "target-uuid": "f72eb8a8-cd4c-461d-a814-3f862befbf00" - }, - "uuid": "3a6c13d3-6589-4d33-9848-88e3409be0cc", - "value": "Volgmer (S0180) uses Custom Command and Control Protocol (T1094)" - }, - { - "meta": { - "source-uuid": "effb83a0-ead1-4b36-b7f6-b7bdf9c4616e", - "target-uuid": "3b744087-9945-4a6f-91e8-9dbceda417a4" - }, - "uuid": "0aac9510-f48a-4b28-ae0e-c6facc1635ae", - "value": "Replication Through Removable Media Mitigation (T1091) mitigates Replication Through Removable Media (T1091)" - }, - { - "meta": { - "source-uuid": "e48df773-7c95-4a4c-ba70-ea3d15900148", - "target-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6" - }, - "uuid": "d7bb00a0-fbe6-4622-84ed-be32ff5d8561", - "value": "DownPaper (S0186) uses Standard Application 
Layer Protocol (T1071)" - }, - { - "meta": { - "source-uuid": "bef4c620-0787-42a8-a96d-b7eb6e85917c", - "target-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1" - }, - "uuid": "6b1c1b38-0448-4114-99eb-23aae85ada52", - "value": "APT28 (G0007) uses System Information Discovery (T1082)" - }, - { - "meta": { - "source-uuid": "aafea02e-ece5-4bb2-91a6-3bf8c7f38a39", - "target-uuid": "4eeaf8a9-c86b-4954-a663-9555fb406466" - }, - "uuid": "033d168d-8348-47ad-af48-d297dc0d1dbb", - "value": "Cobalt Strike (S0154) uses Scheduled Transfer (T1029)" - }, - { - "meta": { - "source-uuid": "166c0eca-02fd-424a-92c0-6b5106994d31", - "target-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1" - }, - "uuid": "3126c7fa-02eb-475f-a474-26d4d6af7a67", - "value": "ZLib (S0086) uses System Information Discovery (T1082)" - }, - { - "meta": { - "source-uuid": "f8dfbc54-b070-4224-b560-79aaa5f835bd", - "target-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a" - }, - "uuid": "4527c528-8377-4349-ae5c-95c04cabd3d4", - "value": "H1N1 (S0132) uses Obfuscated Files or Information (T1027)" - }, - { - "meta": { - "source-uuid": "2d704e56-e689-4011-b989-bf4e025a8727", - "target-uuid": "06780952-177c-4247-b978-79c357fb311f" - }, - "uuid": "352d3d80-3a5f-454b-8190-fbac20979fc7", - "value": "Plist Modification Mitigation (T1150) mitigates Plist Modification (T1150)" - }, - { - "meta": { - "source-uuid": "85403903-15e0-4f9f-9be4-a259ecad4022", - "target-uuid": "ff6caf67-ea1f-4895-b80e-4bb0fc31c6db" - }, - "uuid": "7e46e7c8-e48a-4860-bbcd-224a2d12284a", - "value": "FIN5 (G0053) uses PsExec (S0029)" - }, - { - "meta": { - "source-uuid": "6a2e693f-24e5-451a-9f88-b36a108e5662", - "target-uuid": "1d808f62-cf63-4063-9727-ff6132514c22" - }, - "uuid": "4a687e50-e6b7-41df-93b1-6fed7db10f60", - "value": "APT1 (G0006) uses WEBC2 (S0109)" - }, - { - "meta": { - "source-uuid": "dc5d1a33-62aa-4a0c-aa8c-589b87beb11e", - "target-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1" - }, - "uuid": "a08dadbf-6f68-415f-9daa-f84571af83a2", - 
"value": "ChChes (S0144) uses System Information Discovery (T1082)" - }, - { - "meta": { - "source-uuid": "68dca94f-c11d-421e-9287-7c501108e18c", - "target-uuid": "7e150503-88e7-4861-866b-ff1ac82c4475" - }, - "uuid": "938a71e3-a9dc-4ad9-b1c4-b15d75967b8d", - "value": "Duqu (S0038) uses System Network Connections Discovery (T1049)" - }, - { - "meta": { - "source-uuid": "eff1a885-6f90-42a1-901f-eef6e7a1905e", - "target-uuid": "7fd87010-3a00-4da3-b905-410525e8ec44" - }, - "uuid": "95b21e05-610e-47bf-a4b1-9d4b398e6c13", - "value": "Helminth (S0170) uses Scripting (T1064)" - }, - { - "meta": { - "source-uuid": "514e7371-a344-4de7-8ec3-3aa42b801d52", - "target-uuid": "84e02621-8fdf-470f-bd58-993bb6a89d91" - }, - "uuid": "389854e8-32d1-406c-ab58-2ee2918bf7ed", - "value": "Multi-Stage Channels Mitigation (T1104) mitigates Multi-Stage Channels (T1104)" - }, - { - "meta": { - "source-uuid": "8beac7c2-48d2-4cd9-9b15-6c452f38ac06", - "target-uuid": "ad255bfe-a9e6-4b52-a258-8d3462abe842" - }, - "uuid": "96076f66-3ad6-4e54-b816-c9c3f90fa43a", - "value": "Ixeshe (S0015) uses Data Obfuscation (T1001)" - }, - { - "meta": { - "source-uuid": "ac008435-af58-4f77-988a-c9b96c5920f5", - "target-uuid": "f2d44246-91f1-478a-b6c8-1227e0ca109d" - }, - "uuid": "06a8b931-7881-4e8b-a970-c430379279ca", - "value": "NTFS Extended Attributes Mitigation (T1096) mitigates NTFS Extended Attributes (T1096)" - }, - { - "meta": { - "source-uuid": "af2ad3b7-ab6a-4807-91fd-51bcaff9acbb", - "target-uuid": "1b7ba276-eedc-4951-a762-0ceea2c030ec" - }, - "uuid": "00ae99d1-db02-4007-8669-04d7fc4c1390", - "value": "USBStealer (S0136) uses Data from Removable Media (T1025)" - }, - { - "meta": { - "source-uuid": "0bbdf25b-30ff-4894-a1cd-49260d0dd2d9", - "target-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a" - }, - "uuid": "56c927c5-f64e-4b31-9a14-7ce78fd1c8a1", - "value": "APT3 (G0022) uses Obfuscated Files or Information (T1027)" - }, - { - "meta": { - "source-uuid": "00c3bfcb-99bd-4767-8c03-b08f585f5c8a", - 
"target-uuid": "4ae4f953-fe58-4cc8-a327-33257e30a830" - }, - "uuid": "43d85ed6-223e-4402-bd29-be10a872359d", - "value": "PowerDuke (S0139) uses Application Window Discovery (T1010)" - }, - { - "meta": { - "source-uuid": "58adaaa8-f1e8-4606-9a08-422e568461eb", - "target-uuid": "7bc57495-ea59-4380-be31-a64af124ef18" - }, - "uuid": "32ee78b3-58de-4de5-bc3d-34ea8dc90ca3", - "value": "SHOTPUT (S0063) uses File and Directory Discovery (T1083)" - }, - { - "meta": { - "source-uuid": "88c621a7-aef9-4ae0-94e3-1fc87123eb24", - "target-uuid": "799ace7f-e227-4411-baa0-8868704f2a69" - }, - "uuid": "ad696f42-0631-43fb-893b-a5616f14f93f", - "value": "gh0st (S0032) uses Indicator Removal on Host (T1070)" - }, - { - "meta": { - "source-uuid": "7551188b-8f91-4d34-8350-0d0c57b2b913", - "target-uuid": "478aa214-2ca7-4ec0-9978-18798e514790" - }, - "uuid": "2d4d634d-ed13-462a-916b-94798546ec6c", - "value": "Elise (S0081) uses New Service (T1050)" - }, - { - "meta": { - "source-uuid": "9e9b9415-a7df-406b-b14d-92bfe6809fbe", - "target-uuid": "478aa214-2ca7-4ec0-9978-18798e514790" - }, - "uuid": "fa2c0697-0d47-4ee9-b5bf-845ac3453c3a", - "value": "Nidiran (S0118) uses New Service (T1050)" - }, - { - "meta": { - "source-uuid": "da8a87d2-946d-4c34-9a30-709058b98996", - "target-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2" - }, - "uuid": "403863dd-5b73-4987-9397-e8c5b25041cc", - "value": "Input Capture Mitigation (T1056) mitigates Input Capture (T1056)" - }, - { - "meta": { - "source-uuid": "03342581-f790-4f03-ba41-e82e67392e23", - "target-uuid": "7e150503-88e7-4861-866b-ff1ac82c4475" - }, - "uuid": "4c94f67d-6662-44ea-be75-ded8b2dbfa00", - "value": "Net (S0039) uses System Network Connections Discovery (T1049)" - }, - { - "meta": { - "source-uuid": "f5352566-1a64-49ac-8f7f-97e1d1a03300", - "target-uuid": "cc7b8c4e-9be0-47ca-b0bb-83915ec3ee2f" - }, - "uuid": "801f139f-1361-4d79-965e-078787f8ec36", - "value": "AutoIt backdoor (S0129) uses Data Encoding (T1132)" - }, - { - "meta": { - 
"source-uuid": "9ea525fa-b0a9-4dde-84f2-bcea0137b3c1", - "target-uuid": "478aa214-2ca7-4ec0-9978-18798e514790" - }, - "uuid": "162a051d-a551-4b8c-875a-75264768e541", - "value": "MoonWind (S0149) uses New Service (T1050)" - }, - { - "meta": { - "source-uuid": "899ce53f-13a0-479b-a0e4-67d46e241542", - "target-uuid": "ff6caf67-ea1f-4895-b80e-4bb0fc31c6db" - }, - "uuid": "ba1a4084-a74f-44d6-bafe-7a09ee959270", - "value": "APT29 (G0016) uses PsExec (S0029)" - }, - { - "meta": { - "source-uuid": "8901ac23-6b50-410c-b0dd-d8174a86f9b3", - "target-uuid": "ca1a3f50-5ebd-41f8-8320-2c7d6a6e88be" - }, - "uuid": "c5a7cf46-a3ab-4d33-a43f-012c0c5fdf63", - "value": "Shamoon (S0140) uses Bypass User Account Control (T1088)" - }, - { - "meta": { - "source-uuid": "68dca94f-c11d-421e-9287-7c501108e18c", - "target-uuid": "731f4f55-b6d0-41d1-a7a9-072a66389aea" - }, - "uuid": "1451c4a3-5dc6-4744-8120-197f3a3134c1", - "value": "Duqu (S0038) uses Connection Proxy (T1090)" - }, - { - "meta": { - "source-uuid": "247cb30b-955f-42eb-97a5-a89fef69341e", - "target-uuid": "b21c3b2d-02e6-45b1-980b-e69051040839" - }, - "uuid": "e0033e57-8839-42b9-8515-46e9c7dca966", - "value": "APT32 (G0050) uses Exploitation of Vulnerability (T1068)" - }, - { - "meta": { - "source-uuid": "b1de6916-7a22-4460-8d26-6b5483ffaa2a", - "target-uuid": "970cdb5c-02fb-4c38-b17e-d6327cf3c810" - }, - "uuid": "97ff5931-f27f-4774-b595-312f5771f91a", - "value": "SHIPSHAPE (S0028) uses Shortcut Modification (T1023)" - }, - { - "meta": { - "source-uuid": "dc43c2fe-355e-4a79-9570-3267b0992784", - "target-uuid": "aa8bfbc9-78dc-41a4-a03b-7453e0fdccda" - }, - "uuid": "c24f1b29-ee7b-4fe6-89be-6b733888a4e6", - "value": "Dylib Hijacking Mitigation (T1157) mitigates Dylib Hijacking (T1157)" - }, - { - "meta": { - "source-uuid": "0f862b01-99da-47cc-9bdb-db4a86a95bb1", - "target-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add" - }, - "uuid": "85ca1e00-24c4-403e-8aff-9890f91e9b78", - "value": "Emissary (S0082) uses Remote File Copy (T1105)" - }, 
- { - "meta": { - "source-uuid": "0db09158-6e48-4e7c-8ce7-2b10b9c0c039", - "target-uuid": "128c55d3-aeba-469f-bd3e-c8996ab4112a" - }, - "uuid": "ea964313-8f60-4cff-800c-2ea49e2c19d7", - "value": "Misdat (S0083) uses Timestomp (T1099)" - }, - { - "meta": { - "source-uuid": "e1161124-f22e-487f-9d5f-ed8efc8dcd61", - "target-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1" - }, - "uuid": "aeda6707-50e2-47e2-833a-18e4a5d73e88", - "value": "Mis-Type (S0084) uses System Information Discovery (T1082)" - }, - { - "meta": { - "source-uuid": "e6ef745b-077f-42e1-a37d-29eecff9c754", - "target-uuid": "62b8c999-dcc0-4755-bd69-09442d9359f5" - }, - "uuid": "6e24d8d1-7376-493f-a85c-75448c80efed", - "value": "CozyCar (S0046) uses Rundll32 (T1085)" - }, - { - "meta": { - "source-uuid": "af2ad3b7-ab6a-4807-91fd-51bcaff9acbb", - "target-uuid": "7dd95ff6-712e-4056-9626-312ea4ab4c5e" - }, - "uuid": "fe229513-0cd9-4e9a-a333-2748ef03dfbc", - "value": "USBStealer (S0136) uses Data Staged (T1074)" - }, - { - "meta": { - "source-uuid": "d3afa961-a80c-4043-9509-282cdf69ab21", - "target-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0" - }, - "uuid": "e7b5511a-3528-48d1-9224-6c5ff88b3825", - "value": "Winnti (S0141) uses Masquerading (T1036)" - }, - { - "meta": { - "source-uuid": "16f144e4-c780-4ed2-98b4-55d14e2dfa44", - "target-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104" - }, - "uuid": "f1000a93-e87d-4acf-b71d-73c3bb05fd75", - "value": "System Owner/User Discovery Mitigation (T1033) mitigates System Owner/User Discovery (T1033)" - }, - { - "meta": { - "source-uuid": "5ce5392a-3a6c-4e07-9df3-9b6a9159ac45", - "target-uuid": "e8268361-a599-4e45-bd3f-71c8c7e700c0" - }, - "uuid": "c6ceeb68-5d8e-4105-a20a-cce2b3ef48f0", - "value": "Putter Panda (G0024) uses httpclient (S0068)" - }, - { - "meta": { - "source-uuid": "247cb30b-955f-42eb-97a5-a89fef69341e", - "target-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0" - }, - "uuid": "7e7d5aa9-6860-44fe-88b9-22a6b36162e2", - "value": "APT32 (G0050) uses Masquerading 
(T1036)" - }, - { - "meta": { - "source-uuid": "899ce53f-13a0-479b-a0e4-67d46e241542", - "target-uuid": "6ff403bc-93e3-48be-8687-e102fdba8c88" - }, - "uuid": "ff4e1b0e-eea2-4329-aecc-e5353be8c1f4", - "value": "APT29 (G0016) uses Software Packing (T1045)" - }, - { - "meta": { - "source-uuid": "b143dfa4-e944-43ff-8429-bfffc308c517", - "target-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d" - }, - "uuid": "5e840479-61c1-44f5-8cb8-0e61ffe12b89", - "value": "Taidoor (S0011) uses Process Injection (T1055)" - }, - { - "meta": { - "source-uuid": "c3cf2312-3aab-4aaf-86e6-ab3505430482", - "target-uuid": "18d4ab39-12ed-4a16-9fdb-ae311bba4a0f" - }, - "uuid": "f388c949-b692-4863-8e3b-7c1fc21a5fbd", - "value": "Rc.common Mitigation (T1163) mitigates Rc.common (T1163)" - }, - { - "meta": { - "source-uuid": "59a97b15-8189-4d51-9404-e1ce8ea4a069", - "target-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688" - }, - "uuid": "c0223316-4b0b-461e-8947-01c0f5baeef2", - "value": "XAgentOSX (S0161) uses Screen Capture (T1113)" - }, - { - "meta": { - "source-uuid": "fece06b7-d4b1-42cf-b81a-5323c917546e", - "target-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0" - }, - "uuid": "760be456-6b72-4b86-b5aa-3297aa89bc4d", - "value": "FALLCHILL (S0181) uses System Network Configuration Discovery (T1016)" - }, - { - "meta": { - "source-uuid": "6713ab67-e25b-49cc-808d-2b36d4fbc35c", - "target-uuid": "03342581-f790-4f03-ba41-e82e67392e23" - }, - "uuid": "77f9936d-1ba7-42a8-879d-1a6e90156366", - "value": "Ke3chang (G0004) uses Net (S0039)" - }, - { - "meta": { - "source-uuid": "c61fee9f-16fb-4f8c-bbf0-869093fcd4a6", - "target-uuid": "dcaa092b-7de9-4a21-977f-7fcb77e89c48" - }, - "uuid": "dd315296-ffee-4f1b-aef7-2d914c458fd2", - "value": "Access Token Manipulation Mitigation (T1134) mitigates Access Token Manipulation (T1134)" - }, - { - "meta": { - "source-uuid": "58adaaa8-f1e8-4606-9a08-422e568461eb", - "target-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a" - }, - "uuid": "315aab88-9b01-4a70-8f8c-173a3f29e79c", 
- "value": "SHOTPUT (S0063) uses Obfuscated Files or Information (T1027)" - }, - { - "meta": { - "source-uuid": "2eb9b131-d333-4a48-9eb4-d8dec46c19ee", - "target-uuid": "b21c3b2d-02e6-45b1-980b-e69051040839" - }, - "uuid": "63f0007e-833e-4d6a-b79e-873525979f40", - "value": "CosmicDuke (S0050) uses Exploitation of Vulnerability (T1068)" - }, - { - "meta": { - "source-uuid": "5e595477-2e78-4ce7-ae42-e0b059b17808", - "target-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a" - }, - "uuid": "70edcba2-e777-4ced-a52d-5dfc3965211c", - "value": "POSHSPY (S0150) uses Obfuscated Files or Information (T1027)" - }, - { - "meta": { - "source-uuid": "0f862b01-99da-47cc-9bdb-db4a86a95bb1", - "target-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc" - }, - "uuid": "0040fdbd-ec7e-49b3-b715-c8c91e08666b", - "value": "Emissary (S0082) uses Registry Run Keys / Start Folder (T1060)" - }, - { - "meta": { - "source-uuid": "463f68f1-5cde-4dc2-a831-68b73488f8f4", - "target-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580" - }, - "uuid": "6fdaef62-c4da-488a-a07d-c8fca2c98d85", - "value": "MobileOrder (S0079) uses Process Discovery (T1057)" - }, - { - "meta": { - "source-uuid": "55033a4d-3ffe-46b2-99b4-2c1541e9ce1c", - "target-uuid": "72f54d66-675d-4587-9bd3-4ed09f9522e4" - }, - "uuid": "8ab176f0-009f-49e9-ba4b-f476c33697f4", - "value": "Carbanak (G0008) uses Carbanak (S0030)" - }, - { - "meta": { - "source-uuid": "e066bf86-9cfb-407a-9d25-26fd5d91e360", - "target-uuid": "7bc57495-ea59-4380-be31-a64af124ef18" - }, - "uuid": "a3251b26-7012-4f26-9c5d-1fb9d69b8569", - "value": "HTTPBrowser (S0070) uses File and Directory Discovery (T1083)" - }, - { - "meta": { - "source-uuid": "9ca488bd-9587-48ef-b923-1743523e63b2", - "target-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1" - }, - "uuid": "5c4e0ddb-57a1-440f-82ab-146847c99be8", - "value": "SOUNDBITE (S0157) uses System Information Discovery (T1082)" - }, - { - "meta": { - "source-uuid": "b136d088-a829-432c-ac26-5529c26d4c7e", - "target-uuid": 
"830c9528-df21-472c-8c14-a036bf17d665" - }, - "uuid": "6b39985b-2e2f-4d54-9211-aef4d94b318f", - "value": "OnionDuke (S0052) uses Web Service (T1102)" - }, - { - "meta": { - "source-uuid": "aafea02e-ece5-4bb2-91a6-3bf8c7f38a39", - "target-uuid": "544b0346-29ad-41e1-a808-501bb4193f47" - }, - "uuid": "c1fd6ce6-26e7-49a7-abff-a64fd0fc8a35", - "value": "Cobalt Strike (S0154) uses Man in the Browser (T1185)" - }, - { - "meta": { - "source-uuid": "c5947e1c-1cbc-434c-94b8-27c7e3be0fff", - "target-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580" - }, - "uuid": "e8cb4430-db05-4029-b011-926a2ba17a4c", - "value": "Winnti Group (G0044) uses Process Discovery (T1057)" - }, - { - "meta": { - "source-uuid": "fcbe8424-eb3e-4794-b76d-e743f5a49b8b", - "target-uuid": "cc7b8c4e-9be0-47ca-b0bb-83915ec3ee2f" - }, - "uuid": "b274a57d-9d27-4e33-b6dc-15e007805838", - "value": "Data Encoding Mitigation (T1132) mitigates Data Encoding (T1132)" - }, - { - "meta": { - "source-uuid": "bb3c1098-d654-4620-bf40-694386d28921", - "target-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6" - }, - "uuid": "090813dc-b370-42e1-a211-4d9e3247968a", - "value": "FakeM (S0076) uses Standard Application Layer Protocol (T1071)" - }, - { - "meta": { - "source-uuid": "93f52415-0fe4-4d3d-896c-fc9b8e88ab90", - "target-uuid": "03342581-f790-4f03-ba41-e82e67392e23" - }, - "uuid": "f6d23c6b-01c8-4bea-9bc6-2c66fbbbd3ae", - "value": "BRONZE BUTLER (G0060) uses Net (S0039)" - }, - { - "meta": { - "source-uuid": "800bdfba-6d66-480f-9f45-15845c05cb5d", - "target-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6" - }, - "uuid": "27afb647-85a1-4e89-8762-c6c7d04bc1c5", - "value": "pngdowner (S0067) uses Standard Application Layer Protocol (T1071)" - }, - { - "meta": { - "source-uuid": "fb575479-14ef-41e9-bfab-0b7cf10bec73", - "target-uuid": "62b8c999-dcc0-4755-bd69-09442d9359f5" - }, - "uuid": "12904c83-67ad-430f-96ae-20e9081c2b5d", - "value": "ADVSTORESHELL (S0045) uses Rundll32 (T1085)" - }, - { - "meta": { - "source-uuid": 
"aafea02e-ece5-4bb2-91a6-3bf8c7f38a39", - "target-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580" - }, - "uuid": "2c417522-9fa6-4f95-b9d6-062c9c2401b5", - "value": "Cobalt Strike (S0154) uses Process Discovery (T1057)" - }, - { - "meta": { - "source-uuid": "4ca1929c-7d64-4aab-b849-badbfc0c760d", - "target-uuid": "5be33fef-39c0-4532-84ee-bea31e1b5324" - }, - "uuid": "00c88cab-5cb9-492a-8dce-8eab92213bc3", - "value": "OilRig (G0049) uses ISMInjector (S0189)" - }, - { - "meta": { - "source-uuid": "463f68f1-5cde-4dc2-a831-68b73488f8f4", - "target-uuid": "4b74a1d4-b0e9-4ef1-93f1-14ecc6e2f5b5" - }, - "uuid": "28f655e0-ac0b-41bc-baaf-9a9987469fe9", - "value": "MobileOrder (S0079) uses Standard Cryptographic Protocol (T1032)" - }, - { - "meta": { - "source-uuid": "68ba94ab-78b8-43e7-83e2-aed3466882c6", - "target-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c" - }, - "uuid": "ec99ea0b-1020-4ccc-bdc8-d545a4d3ccf6", - "value": "APT34 (G0057) uses Deobfuscate/Decode Files or Information (T1140)" - }, - { - "meta": { - "source-uuid": "54cc1d4f-5c53-4f0e-9ef5-11b4998e82e4", - "target-uuid": "0ca7beef-9bbc-4e35-97cf-437384ddce6a" - }, - "uuid": "da1a5240-bbd7-4e91-9dee-9b14df6cffe2", - "value": "BlackEnergy (S0089) uses File System Permissions Weakness (T1044)" - }, - { - "meta": { - "source-uuid": "b136d088-a829-432c-ac26-5529c26d4c7e", - "target-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22" - }, - "uuid": "37ad61e7-6520-47d0-81ae-f3d129b49ac1", - "value": "OnionDuke (S0052) uses Credential Dumping (T1003)" - }, - { - "meta": { - "source-uuid": "ed7d0cb1-87a6-43b4-9f46-ef1bc56d6c68", - "target-uuid": "7d751199-05fa-4a72-920f-85df4506c76c" - }, - "uuid": "92e4cc06-5708-4486-92cc-0d25d9a755d4", - "value": "Tor (S0183) uses Multi-hop Proxy (T1188)" - }, - { - "meta": { - "source-uuid": "326af1cd-78e7-45b7-a326-125d2f7ef8f2", - "target-uuid": "1b7ba276-eedc-4951-a762-0ceea2c030ec" - }, - "uuid": "9ab576ed-2ba0-4fc5-87fc-2011a7cd183d", - "value": "Crimson (S0115) uses Data from Removable 
Media (T1025)" - }, - { - "meta": { - "source-uuid": "7f8730af-f683-423f-9ee1-5f6875a80481", - "target-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0" - }, - "uuid": "bb2ba4b6-d96a-4d66-ac13-aa657108b363", - "value": "Sys10 (S0060) uses System Network Configuration Discovery (T1016)" - }, - { - "meta": { - "source-uuid": "f6d1d2cb-12f5-4221-9636-44606ea1f3f8", - "target-uuid": "72b74d71-8169-42aa-92e0-e7b04b9f5a08" - }, - "uuid": "ab109b93-76a9-46da-8934-58751125fd1e", - "value": "OSInfo (S0165) uses Account Discovery (T1087)" - }, - { - "meta": { - "source-uuid": "f6d1d2cb-12f5-4221-9636-44606ea1f3f8", - "target-uuid": "7e150503-88e7-4861-866b-ff1ac82c4475" - }, - "uuid": "8336111f-565e-4294-8b18-182c26da2421", - "value": "OSInfo (S0165) uses System Network Connections Discovery (T1049)" - }, - { - "meta": { - "source-uuid": "8ae43c46-57ef-47d5-a77a-eebb35628db2", - "target-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc" - }, - "uuid": "5d0263d9-ddd3-4195-96ae-e340caef9e0e", - "value": "JHUHUGIT (S0044) uses Registry Run Keys / Start Folder (T1060)" - }, - { - "meta": { - "source-uuid": "16ade1aa-0ea1-4bb7-88cc-9079df2ae756", - "target-uuid": "7e150503-88e7-4861-866b-ff1ac82c4475" - }, - "uuid": "9fef204f-163a-4c9d-b9b1-8a168074063a", - "value": "admin@338 (G0018) uses System Network Connections Discovery (T1049)" - }, - { - "meta": { - "source-uuid": "98e8a977-3416-43aa-87fa-33e287e9c14c", - "target-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104" - }, - "uuid": "32218bd0-d598-4560-9a70-ab7d5c92f986", - "value": "WINDSHIELD (S0155) uses System Owner/User Discovery (T1033)" - }, - { - "meta": { - "source-uuid": "67e6d66b-1b82-4699-b47a-e2efb6268d14", - "target-uuid": "f4882e23-8aa7-4b12-b28a-b349c12ee9e0" - }, - "uuid": "e7a0b7a4-b49b-46b9-9bfa-5db0a87dd09e", - "value": "SeaDuke (S0053) uses PowerShell (T1086)" - }, - { - "meta": { - "source-uuid": "ba2ec548-fb75-4b8c-88d6-d91a77a943cf", - "target-uuid": "01a5a209-b94c-450b-b7f9-946497d91055" - }, - "uuid": 
"a2ee3987-f7c9-41ce-8aca-fae8e8c2ef9a", - "value": "Windows Management Instrumentation Mitigation (T1047) mitigates Windows Management Instrumentation (T1047)" - }, - { - "meta": { - "source-uuid": "aafea02e-ece5-4bb2-91a6-3bf8c7f38a39", - "target-uuid": "e3a12395-188d-4051-9a16-ea8e14d07b88" - }, - "uuid": "df6bc111-0e49-4e61-b38a-ee79cf682d09", - "value": "Cobalt Strike (S0154) uses Network Service Scanning (T1046)" - }, - { - "meta": { - "source-uuid": "4ca1929c-7d64-4aab-b849-badbfc0c760d", - "target-uuid": "6aabc5ec-eae6-422c-8311-38d45ee9838a" - }, - "uuid": "d329d311-422b-4144-9212-aa7da4dc273a", - "value": "OilRig (G0049) uses Redundant Access (T1108)" - }, - { - "meta": { - "source-uuid": "4ca1929c-7d64-4aab-b849-badbfc0c760d", - "target-uuid": "7fd87010-3a00-4da3-b905-410525e8ec44" - }, - "uuid": "e8ce10b4-3b00-40c1-983a-1d87ff9a68ee", - "value": "OilRig (G0049) uses Scripting (T1064)" - }, - { - "meta": { - "source-uuid": "a8d3d497-2da9-4797-8e0b-ed176be08654", - "target-uuid": "b21c3b2d-02e6-45b1-980b-e69051040839" - }, - "uuid": "dbccbeab-26c9-476e-b529-c193f9796cbc", - "value": "Wingbird (S0176) uses Exploitation of Vulnerability (T1068)" - }, - { - "meta": { - "source-uuid": "94379dec-5c87-49db-b36e-66abc0b81344", - "target-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59" - }, - "uuid": "a2faf818-d21d-40a5-ad02-a3b1b2ee5d58", - "value": "Derusbi (S0021) uses File Deletion (T1107)" - }, - { - "meta": { - "source-uuid": "bef4c620-0787-42a8-a96d-b7eb6e85917c", - "target-uuid": "7dd95ff6-712e-4056-9626-312ea4ab4c5e" - }, - "uuid": "ec6a8fde-702a-4e38-a37b-428a8ca10b18", - "value": "APT28 (G0007) uses Data Staged (T1074)" - }, - { - "meta": { - "source-uuid": "85403903-15e0-4f9f-9be4-a259ecad4022", - "target-uuid": "0e18b800-906c-4e44-a143-b11c72b3448b" - }, - "uuid": "a2c9bae6-15aa-4ce0-8f4d-01b8fc32a36d", - "value": "FIN5 (G0053) uses FLIPSIDE (S0173)" - }, - { - "meta": { - "source-uuid": "67e6d66b-1b82-4699-b47a-e2efb6268d14", - "target-uuid": 
"56fca983-1cf1-4fd1-bda0-5e170a37ab59" - }, - "uuid": "6f8cef32-d057-40f8-be52-62d86b1049e6", - "value": "SeaDuke (S0053) uses File Deletion (T1107)" - }, - { - "meta": { - "source-uuid": "68ba94ab-78b8-43e7-83e2-aed3466882c6", - "target-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6" - }, - "uuid": "70f713e8-f4f6-483c-9ec1-524a3aee2d8e", - "value": "APT34 (G0057) uses Standard Application Layer Protocol (T1071)" - }, - { - "meta": { - "source-uuid": "0ced8926-914e-4c78-bc93-356fb90dbd1f", - "target-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688" - }, - "uuid": "b4795040-fe94-429a-9853-f30c09ba05aa", - "value": "HALFBAKED (S0151) uses Screen Capture (T1113)" - }, - { - "meta": { - "source-uuid": "083bb47b-02c8-4423-81a2-f9ef58572974", - "target-uuid": "d54416bd-0803-41ca-870a-ce1af7c05638" - }, - "uuid": "a1dc7c15-bd44-43b3-a32b-8e4ea9856758", - "value": "Backdoor.Oldrea (S0093) uses Data Encrypted (T1022)" - }, - { - "meta": { - "source-uuid": "fb366179-766c-4a4a-afa1-52bff1fd601c", - "target-uuid": "f4882e23-8aa7-4b12-b28a-b349c12ee9e0" - }, - "uuid": "6e6828ca-7567-4302-8ed7-fa5821dc5bbc", - "value": "Threat Group-3390 (G0027) uses PowerShell (T1086)" - }, - { - "meta": { - "source-uuid": "326af1cd-78e7-45b7-a326-125d2f7ef8f2", - "target-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1" - }, - "uuid": "4caf9f0d-dfe9-48ce-9b6e-812577e09711", - "value": "Crimson (S0115) uses System Information Discovery (T1082)" - }, - { - "meta": { - "source-uuid": "463f68f1-5cde-4dc2-a831-68b73488f8f4", - "target-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1" - }, - "uuid": "a02da835-676d-47df-86c6-547a7d29dbae", - "value": "MobileOrder (S0079) uses System Information Discovery (T1082)" - }, - { - "meta": { - "source-uuid": "1c63d4ec-0a75-4daa-b1df-0d11af3d3cc1", - "target-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22" - }, - "uuid": "930175b1-0f2f-4f0b-99ad-13a4b304cc29", - "value": "Dragonfly (G0035) uses Credential Dumping (T1003)" - }, - { - "meta": { - "source-uuid": 
"c93fccb1-e8e8-42cf-ae33-2ad1d183913a", - "target-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0" - }, - "uuid": "4189f5b4-4c57-452a-a3fb-da5988804feb", - "value": "Lazarus Group (G0032) uses System Network Configuration Discovery (T1016)" - }, - { - "meta": { - "source-uuid": "bef4c620-0787-42a8-a96d-b7eb6e85917c", - "target-uuid": "3257eb21-f9a7-4430-8de1-d8b6e288f529" - }, - "uuid": "cb69217e-f063-4093-bcf0-f051ecd42e25", - "value": "APT28 (G0007) uses Network Sniffing (T1040)" - }, - { - "meta": { - "source-uuid": "f9d6633a-55e6-4adc-9263-6ae080421a13", - "target-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104" - }, - "uuid": "7ac10827-9bf6-4d60-aa16-9f2d2930b373", - "value": "Magic Hound (G0059) uses System Owner/User Discovery (T1033)" - }, - { - "meta": { - "source-uuid": "ccd61dfc-b03f-4689-8c18-7c97eab08472", - "target-uuid": "241814ae-de3f-4656-b49e-f9a80764d4b7" - }, - "uuid": "765e3b13-60f4-4b34-b03f-0d8e738b0add", - "value": "CHOPSTICK (S0023) uses Security Software Discovery (T1063)" - }, - { - "meta": { - "source-uuid": "00c3bfcb-99bd-4767-8c03-b08f585f5c8a", - "target-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add" - }, - "uuid": "8ef27cd6-3909-4174-b57c-3dbe3061a6dd", - "value": "PowerDuke (S0139) uses Remote File Copy (T1105)" - }, - { - "meta": { - "source-uuid": "aafea02e-ece5-4bb2-91a6-3bf8c7f38a39", - "target-uuid": "f72eb8a8-cd4c-461d-a814-3f862befbf00" - }, - "uuid": "e873321b-0d76-4cd6-bc46-8231cfcdeba0", - "value": "Cobalt Strike (S0154) uses Custom Command and Control Protocol (T1094)" - }, - { - "meta": { - "source-uuid": "54cc1d4f-5c53-4f0e-9ef5-11b4998e82e4", - "target-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580" - }, - "uuid": "2c586158-d02b-468a-bee8-04e1bde320e1", - "value": "BlackEnergy (S0089) uses Process Discovery (T1057)" - }, - { - "meta": { - "source-uuid": "85403903-15e0-4f9f-9be4-a259ecad4022", - "target-uuid": "9752aef4-a1f3-4328-929f-b64eb0536090" - }, - "uuid": "dff84383-c4c5-4974-a33d-9e43526abf49", - "value": "FIN5 (G0053) 
uses RawPOS (S0169)" - }, - { - "meta": { - "source-uuid": "0bbdf25b-30ff-4894-a1cd-49260d0dd2d9", - "target-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9" - }, - "uuid": "0ca1948b-476c-4ff5-a792-f3790250bdc1", - "value": "APT3 (G0022) uses Scheduled Task (T1053)" - }, - { - "meta": { - "source-uuid": "93f52415-0fe4-4d3d-896c-fc9b8e88ab90", - "target-uuid": "b07c2c47-fefb-4d7c-a69e-6a3296171f54" - }, - "uuid": "fda1acb3-8e87-4fff-ae19-7e6a2ff9d6c3", - "value": "BRONZE BUTLER (G0060) uses gsecdump (S0008)" - }, - { - "meta": { - "source-uuid": "69d6f4a9-fcf0-4f51-bca7-597c51ad0bb8", - "target-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104" - }, - "uuid": "d1222ff7-b93c-40a7-99bd-217d795d8d58", - "value": "Remsec (S0125) uses System Owner/User Discovery (T1033)" - }, - { - "meta": { - "source-uuid": "6a2e693f-24e5-451a-9f88-b36a108e5662", - "target-uuid": "03342581-f790-4f03-ba41-e82e67392e23" - }, - "uuid": "b6f70ba6-bff1-4b40-a418-356e7b6efa27", - "value": "APT1 (G0006) uses Net (S0039)" - }, - { - "meta": { - "source-uuid": "c93fccb1-e8e8-42cf-ae33-2ad1d183913a", - "target-uuid": "3b3cbbe0-6ed3-4334-b543-3ddfd8c5642d" - }, - "uuid": "f146a331-3595-46be-abef-518708e34def", - "value": "Lazarus Group (G0032) uses Custom Cryptographic Protocol (T1024)" - }, - { - "meta": { - "source-uuid": "68ba94ab-78b8-43e7-83e2-aed3466882c6", - "target-uuid": "7fcbc4e8-1989-441f-9ac5-e7b6ff5806f1" - }, - "uuid": "35ac37f9-7484-4fe4-8b5e-9381600ee01b", - "value": "APT34 (G0057) uses Systeminfo (S0096)" - }, - { - "meta": { - "source-uuid": "22addc7b-b39f-483d-979a-1b35147da5de", - "target-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1" - }, - "uuid": "2e367a09-1d94-4ea4-984c-a592b769fffa", - "value": "WinMM (S0059) uses System Information Discovery (T1082)" - }, - { - "meta": { - "source-uuid": "53b3b027-bed3-480c-9101-1247047d0fe6", - "target-uuid": "51dea151-0898-4a45-967c-3ebee0420484" - }, - "uuid": "1d0bbeb7-5477-4321-81cd-ef66607d7972", - "value": "Remote Desktop Protocol 
Mitigation (T1076) mitigates Remote Desktop Protocol (T1076)" - }, - { - "meta": { - "source-uuid": "37cc7eb6-12e3-467b-82e8-f20f2cc73c69", - "target-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1" - }, - "uuid": "7adaf2f3-52f2-40aa-b1ae-2fd2f05d9d56", - "value": "Prikormka (S0113) uses System Information Discovery (T1082)" - }, - { - "meta": { - "source-uuid": "92ec0cbd-2c30-44a2-b270-73f4ec949841", - "target-uuid": "d519cfd5-f3a8-43a9-a846-ed0bb40672b1" - }, - "uuid": "af74c0ec-0bbe-4538-a3a3-1e967afd3d51", - "value": "RTM (S0148) uses Install Root Certificate (T1130)" - }, - { - "meta": { - "source-uuid": "69d6f4a9-fcf0-4f51-bca7-597c51ad0bb8", - "target-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add" - }, - "uuid": "820c50f3-65e8-4a3a-a71a-e079ae8badad", - "value": "Remsec (S0125) uses Remote File Copy (T1105)" - }, - { - "meta": { - "source-uuid": "0bbdf25b-30ff-4894-a1cd-49260d0dd2d9", - "target-uuid": "58adaaa8-f1e8-4606-9a08-422e568461eb" - }, - "uuid": "d924c061-9ee2-45c2-9ea4-491a2d3f50a5", - "value": "APT3 (G0022) uses SHOTPUT (S0063)" - }, - { - "meta": { - "source-uuid": "f8dfbc54-b070-4224-b560-79aaa5f835bd", - "target-uuid": "3b744087-9945-4a6f-91e8-9dbceda417a4" - }, - "uuid": "5b2682dc-f64d-482b-8fc4-132dad2727d9", - "value": "H1N1 (S0132) uses Replication Through Removable Media (T1091)" - }, - { - "meta": { - "source-uuid": "93f52415-0fe4-4d3d-896c-fc9b8e88ab90", - "target-uuid": "4b74a1d4-b0e9-4ef1-93f1-14ecc6e2f5b5" - }, - "uuid": "a1684fef-eca9-418a-ab48-b9aad4101c6c", - "value": "BRONZE BUTLER (G0060) uses Standard Cryptographic Protocol (T1032)" - }, - { - "meta": { - "source-uuid": "67e6d66b-1b82-4699-b47a-e2efb6268d14", - "target-uuid": "970cdb5c-02fb-4c38-b17e-d6327cf3c810" - }, - "uuid": "cfc64939-1c2c-4bc0-bfac-3492667b1bcd", - "value": "SeaDuke (S0053) uses Shortcut Modification (T1023)" - }, - { - "meta": { - "source-uuid": "92ec0cbd-2c30-44a2-b270-73f4ec949841", - "target-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830" - }, - "uuid": 
"1ca68d88-a287-4c48-a4f8-68611eceb445", - "value": "RTM (S0148) uses Command-Line Interface (T1059)" - }, - { - "meta": { - "source-uuid": "fb575479-14ef-41e9-bfab-0b7cf10bec73", - "target-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4" - }, - "uuid": "a71256aa-a2e3-447c-ba4e-004ba4f062b2", - "value": "ADVSTORESHELL (S0045) uses Modify Registry (T1112)" - }, - { - "meta": { - "source-uuid": "3753cc21-2dae-4dfb-8481-d004e74502cc", - "target-uuid": "4f6aa78c-c3d4-4883-9840-96ca2f5d6d47" - }, - "uuid": "e232f720-ab39-43f4-b419-ae8de115c5e6", - "value": "FIN7 (G0046) uses TEXTMATE (S0146)" - }, - { - "meta": { - "source-uuid": "5a63f900-5e7e-4928-a746-dd4558e1df71", - "target-uuid": "2e0dd10b-676d-4964-acd0-8a404c92b044" - }, - "uuid": "512879fe-8433-4c78-9345-009ed5168078", - "value": "netsh (S0108) uses Disabling Security Tools (T1089)" - }, - { - "meta": { - "source-uuid": "55033a4d-3ffe-46b2-99b4-2c1541e9ce1c", - "target-uuid": "ff6caf67-ea1f-4895-b80e-4bb0fc31c6db" - }, - "uuid": "d0f797ce-9176-4b74-8d64-fad4e1bdef4f", - "value": "Carbanak (G0008) uses PsExec (S0029)" - }, - { - "meta": { - "source-uuid": "3753cc21-2dae-4dfb-8481-d004e74502cc", - "target-uuid": "edbe24e9-aec4-4994-ac75-6a6bc7f1ddd0" - }, - "uuid": "51afbe4e-c5cd-4acd-b4e1-ff7877b78b9e", - "value": "FIN7 (G0046) uses Dynamic Data Exchange (T1173)" - }, - { - "meta": { - "source-uuid": "e1161124-f22e-487f-9d5f-ed8efc8dcd61", - "target-uuid": "f24faf46-3b26-4dbb-98f2-63460498e433" - }, - "uuid": "a61cf8cf-87f1-4061-ae9d-31e8162bdfef", - "value": "Mis-Type (S0084) uses Fallback Channels (T1008)" - }, - { - "meta": { - "source-uuid": "d519164e-f5fa-4b8c-a1fb-cf0172ad0983", - "target-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830" - }, - "uuid": "289e01df-60e6-4eee-830e-9d742ac10c86", - "value": "Threat Group-1314 (G0028) uses Command-Line Interface (T1059)" - }, - { - "meta": { - "source-uuid": "2a7914cf-dff3-428d-ab0f-1014d1c28aeb", - "target-uuid": "f4882e23-8aa7-4b12-b28a-b349c12ee9e0" - }, - "uuid": 
"97ea3b82-58ba-4a3e-8e6d-367755f83fa6", - "value": "FIN6 (G0037) uses PowerShell (T1086)" - }, - { - "meta": { - "source-uuid": "eff1a885-6f90-42a1-901f-eef6e7a1905e", - "target-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add" - }, - "uuid": "86b2980a-dd9f-4553-8f65-69f75f0f4332", - "value": "Helminth (S0170) uses Remote File Copy (T1105)" - }, - { - "meta": { - "source-uuid": "222fbd21-fc4f-4b7e-9f85-0e6e3a76c33f", - "target-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9" - }, - "uuid": "a901eaf4-7cbe-43c2-9c03-7d716357edc9", - "value": "menuPass (G0045) uses Scheduled Task (T1053)" - }, - { - "meta": { - "source-uuid": "7f8730af-f683-423f-9ee1-5f6875a80481", - "target-uuid": "15dbf668-795c-41e6-8219-f0447c0e64ce" - }, - "uuid": "2cfa6113-1995-494a-b767-61d3f371e0ea", - "value": "Sys10 (S0060) uses Permission Groups Discovery (T1069)" - }, - { - "meta": { - "source-uuid": "54cc1d4f-5c53-4f0e-9ef5-11b4998e82e4", - "target-uuid": "01a5a209-b94c-450b-b7f9-946497d91055" - }, - "uuid": "0c0b4142-96e7-440b-a01f-f2bda05649b1", - "value": "BlackEnergy (S0089) uses Windows Management Instrumentation (T1047)" - }, - { - "meta": { - "source-uuid": "6a0ef5d4-fc7c-4dda-85d7-592e4dbdc5d9", - "target-uuid": "e358d692-23c0-4a31-9eb6-ecc13a8d7735" - }, - "uuid": "7fe49f05-8f96-4fc2-bc5b-b2eea59efca3", - "value": "Sykipot (S0018) uses Remote System Discovery (T1018)" - }, - { - "meta": { - "source-uuid": "8e461ca3-0996-4e6e-a0df-e2a5bbc51ebc", - "target-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6" - }, - "uuid": "453914ae-8d76-4796-b507-dafc33adf005", - "value": "4H RAT (S0065) uses Standard Application Layer Protocol (T1071)" - }, - { - "meta": { - "source-uuid": "196f1f32-e0c2-4d46-99cd-234d4b6befe1", - "target-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add" - }, - "uuid": "e9011839-ca57-434d-a0cc-007594247110", - "value": "Felismus (S0171) uses Remote File Copy (T1105)" - }, - { - "meta": { - "source-uuid": "0bbdf25b-30ff-4894-a1cd-49260d0dd2d9", - "target-uuid": 
"3c4a2599-71ee-4405-ba1e-0e28414b4bc5" - }, - "uuid": "8f6701a2-91cc-449e-98e1-e83bd2f7317c", - "value": "APT3 (G0022) uses Data from Local System (T1005)" - }, - { - "meta": { - "source-uuid": "f8dfbc54-b070-4224-b560-79aaa5f835bd", - "target-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22" - }, - "uuid": "0d4e8cb8-c265-449a-b010-f4614135572f", - "value": "H1N1 (S0132) uses Credential Dumping (T1003)" - }, - { - "meta": { - "source-uuid": "a8d3d497-2da9-4797-8e0b-ed176be08654", - "target-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1" - }, - "uuid": "fe786b29-e621-48e2-84b5-aed35e6930fe", - "value": "Wingbird (S0176) uses System Information Discovery (T1082)" - }, - { - "meta": { - "source-uuid": "ccd61dfc-b03f-4689-8c18-7c97eab08472", - "target-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4" - }, - "uuid": "40a8f80d-5497-4218-849c-3c0b63796641", - "value": "CHOPSTICK (S0023) uses Modify Registry (T1112)" - }, - { - "meta": { - "source-uuid": "82cb34ba-02b5-432b-b2d2-07f55cbf674d", - "target-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22" - }, - "uuid": "b149adfe-547f-4cd4-af4a-ea7018a203c1", - "value": "Trojan.Karagany (S0094) uses Credential Dumping (T1003)" - }, - { - "meta": { - "source-uuid": "876f6a77-fbc5-4e13-ab1a-5611986730a3", - "target-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1" - }, - "uuid": "487d67d7-b697-4de4-abde-decee8b17c44", - "value": "T9000 (S0098) uses System Information Discovery (T1082)" - }, - { - "meta": { - "source-uuid": "ab3580c8-8435-4117-aace-3d9fbe46aa56", - "target-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0" - }, - "uuid": "7a1e7afa-7052-4e47-8725-66e485efda43", - "value": "Unknown Logger (S0130) uses System Network Configuration Discovery (T1016)" - }, - { - "meta": { - "source-uuid": "37cc7eb6-12e3-467b-82e8-f20f2cc73c69", - "target-uuid": "ba8e391f-14b5-496f-81f2-2d5ecd646c1c" - }, - "uuid": "5033a0a2-ef95-4ec6-b5ac-d7cfbd7be9f0", - "value": "Prikormka (S0113) uses Credentials in Files (T1081)" - }, - { - "meta": { - "source-uuid": 
"1c63d4ec-0a75-4daa-b1df-0d11af3d3cc1", - "target-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add" - }, - "uuid": "e39b5b63-b29a-4322-9dca-8bca7dedf474", - "value": "Dragonfly (G0035) uses Remote File Copy (T1105)" - }, - { - "meta": { - "source-uuid": "aafea02e-ece5-4bb2-91a6-3bf8c7f38a39", - "target-uuid": "128c55d3-aeba-469f-bd3e-c8996ab4112a" - }, - "uuid": "e025dccd-ead3-44d8-af26-f2c3b27667f5", - "value": "Cobalt Strike (S0154) uses Timestomp (T1099)" - }, - { - "meta": { - "source-uuid": "93f52415-0fe4-4d3d-896c-fc9b8e88ab90", - "target-uuid": "d54416bd-0803-41ca-870a-ce1af7c05638" - }, - "uuid": "f4188b9b-c2fe-41b7-96e0-e28d99671b9d", - "value": "BRONZE BUTLER (G0060) uses Data Encrypted (T1022)" - }, - { - "meta": { - "source-uuid": "aafea02e-ece5-4bb2-91a6-3bf8c7f38a39", - "target-uuid": "f44731de-ea9f-406d-9b83-30ecbb9b4392" - }, - "uuid": "d26a9de1-0ec7-41dd-94fe-21a51bedf37f", - "value": "Cobalt Strike (S0154) uses Service Execution (T1035)" - }, - { - "meta": { - "source-uuid": "1c63d4ec-0a75-4daa-b1df-0d11af3d3cc1", - "target-uuid": "7fd87010-3a00-4da3-b905-410525e8ec44" - }, - "uuid": "39076217-a5bf-4b1b-b085-8dbf7ba92265", - "value": "Dragonfly (G0035) uses Scripting (T1064)" - }, - { - "meta": { - "source-uuid": "fb261c56-b80e-43a9-8351-c84081e7213d", - "target-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc" - }, - "uuid": "80aab758-d3fc-4380-b114-e552bdace832", - "value": "BACKSPACE (S0031) uses Registry Run Keys / Start Folder (T1060)" - }, - { - "meta": { - "source-uuid": "3753cc21-2dae-4dfb-8481-d004e74502cc", - "target-uuid": "72f54d66-675d-4587-9bd3-4ed09f9522e4" - }, - "uuid": "7577e14c-ceba-4646-98ce-41e7fa9ae851", - "value": "FIN7 (G0046) uses Carbanak (S0030)" - }, - { - "meta": { - "source-uuid": "7551188b-8f91-4d34-8350-0d0c57b2b913", - "target-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1" - }, - "uuid": "14135aaa-6080-48c1-8a08-d6ee9bb15c3d", - "value": "Elise (S0081) uses System Information Discovery (T1082)" - }, - { - "meta": { - 
"source-uuid": "bef4c620-0787-42a8-a96d-b7eb6e85917c", - "target-uuid": "731f4f55-b6d0-41d1-a7a9-072a66389aea" - }, - "uuid": "10cc3288-d06c-456c-bc0e-b10a8c5abeaa", - "value": "APT28 (G0007) uses Connection Proxy (T1090)" - }, - { - "meta": { - "source-uuid": "93f52415-0fe4-4d3d-896c-fc9b8e88ab90", - "target-uuid": "bba595da-b73a-4354-aa6c-224d4de7cb4e" - }, - "uuid": "42897880-fe55-4f54-a42c-f85ba19fb39a", - "value": "BRONZE BUTLER (G0060) uses cmd (S0106)" - }, - { - "meta": { - "source-uuid": "c93fccb1-e8e8-42cf-ae33-2ad1d183913a", - "target-uuid": "02fefddc-fb1b-423f-a76b-7552dd211d4d" - }, - "uuid": "7ca1b40d-d1de-48ab-b8ad-023ad9877def", - "value": "Lazarus Group (G0032) uses Bootkit (T1067)" - }, - { - "meta": { - "source-uuid": "6713ab67-e25b-49cc-808d-2b36d4fbc35c", - "target-uuid": "7bc57495-ea59-4380-be31-a64af124ef18" - }, - "uuid": "5c8fba10-9d8a-4257-a458-8f58efc8d912", - "value": "Ke3chang (G0004) uses File and Directory Discovery (T1083)" - }, - { - "meta": { - "source-uuid": "196f1f32-e0c2-4d46-99cd-234d4b6befe1", - "target-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830" - }, - "uuid": "fdf9f632-03ce-4e8c-88bf-3798bb7f5ef4", - "value": "Felismus (S0171) uses Command-Line Interface (T1059)" - }, - { - "meta": { - "source-uuid": "e9595678-d269-469e-ae6b-75e49259de63", - "target-uuid": "cc7b8c4e-9be0-47ca-b0bb-83915ec3ee2f" - }, - "uuid": "79f0712b-2cb1-47df-8ea1-26fb1502a831", - "value": "BADNEWS (S0128) uses Data Encoding (T1132)" - }, - { - "meta": { - "source-uuid": "5ce5392a-3a6c-4e07-9df3-9b6a9159ac45", - "target-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a" - }, - "uuid": "c952f284-e529-481f-97fb-7a6e14c25ccf", - "value": "Putter Panda (G0024) uses Obfuscated Files or Information (T1027)" - }, - { - "meta": { - "source-uuid": "899ce53f-13a0-479b-a0e4-67d46e241542", - "target-uuid": "b136d088-a829-432c-ac26-5529c26d4c7e" - }, - "uuid": "1593ae11-0bb5-4e16-804a-1383eb0cced5", - "value": "APT29 (G0016) uses OnionDuke (S0052)" - }, - { - "meta": { - 
"source-uuid": "fb366179-766c-4a4a-afa1-52bff1fd601c", - "target-uuid": "30208d3e-0d6b-43c8-883e-44462a514619" - }, - "uuid": "b990e235-dcf4-48c7-800d-b8a10a62eda4", - "value": "Threat Group-3390 (G0027) uses Automated Collection (T1119)" - }, - { - "meta": { - "source-uuid": "247cb30b-955f-42eb-97a5-a89fef69341e", - "target-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9" - }, - "uuid": "98908617-068d-4b6e-bcba-ad213c137b1e", - "value": "APT32 (G0050) uses Scheduled Task (T1053)" - }, - { - "meta": { - "source-uuid": "df71bb3b-813c-45eb-a8bc-f2a419837411", - "target-uuid": "687c23e4-4e25-4ee7-a870-c5e002511f54" - }, - "uuid": "3cdc74fc-a291-4253-98b4-ca33e021914a", - "value": "Molerats (G0021) uses DustySky (S0062)" - }, - { - "meta": { - "source-uuid": "76abb3ef-dafd-4762-97cb-a35379429db4", - "target-uuid": "731f4f55-b6d0-41d1-a7a9-072a66389aea" - }, - "uuid": "59543467-938a-4528-961d-a539f0a5618b", - "value": "Gazer (S0168) uses Connection Proxy (T1090)" - }, - { - "meta": { - "source-uuid": "222fbd21-fc4f-4b7e-9f85-0e6e3a76c33f", - "target-uuid": "03342581-f790-4f03-ba41-e82e67392e23" - }, - "uuid": "7193ed4c-7169-46fa-9294-d74d912510d0", - "value": "menuPass (G0045) uses Net (S0039)" - }, - { - "meta": { - "source-uuid": "0bbdf25b-30ff-4894-a1cd-49260d0dd2d9", - "target-uuid": "e01be9c5-e763-4caf-aeb7-000b416aef67" - }, - "uuid": "f0b3c919-bf39-4bc9-9488-5f30d5407c54", - "value": "APT3 (G0022) uses Create Account (T1136)" - }, - { - "meta": { - "source-uuid": "9e9b9415-a7df-406b-b14d-92bfe6809fbe", - "target-uuid": "f879d51c-5476-431c-aedf-f14d207e4d1e" - }, - "uuid": "d72da887-5684-47ac-958a-84b3e8b59c0b", - "value": "Nidiran (S0118) uses Commonly Used Port (T1043)" - }, - { - "meta": { - "source-uuid": "0a68f1f1-da74-4d28-8d9a-696c082706cc", - "target-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add" - }, - "uuid": "73f5c564-53b1-48bc-8cab-32fa4a608672", - "value": "certutil (S0160) uses Remote File Copy (T1105)" - }, - { - "meta": { - "source-uuid": 
"0bbdf25b-30ff-4894-a1cd-49260d0dd2d9", - "target-uuid": "478aa214-2ca7-4ec0-9978-18798e514790" - }, - "uuid": "bc9cfe76-2d64-4901-8e9e-c69d046cdfaa", - "value": "APT3 (G0022) uses New Service (T1050)" - }, - { - "meta": { - "source-uuid": "fb575479-14ef-41e9-bfab-0b7cf10bec73", - "target-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6" - }, - "uuid": "9a05a8cc-8d3c-46a5-947e-bebed2ab1c5a", - "value": "ADVSTORESHELL (S0045) uses Standard Application Layer Protocol (T1071)" - }, - { - "meta": { - "source-uuid": "a0d8db1d-a731-4428-8209-c07175f4b1fe", - "target-uuid": "c848fcf7-6b62-4bde-8216-b6c157d48da0" - }, - "uuid": "bde4d54d-16d7-4a07-a35a-9f0cc6956be2", - "value": "Uncommonly Used Port Mitigation (T1065) mitigates Uncommonly Used Port (T1065)" - }, - { - "meta": { - "source-uuid": "93f52415-0fe4-4d3d-896c-fc9b8e88ab90", - "target-uuid": "3b3cbbe0-6ed3-4334-b543-3ddfd8c5642d" - }, - "uuid": "ec4d07a2-8c8b-4df8-bb9e-b8c3e23d8dc5", - "value": "BRONZE BUTLER (G0060) uses Custom Cryptographic Protocol (T1024)" - }, - { - "meta": { - "source-uuid": "03342581-f790-4f03-ba41-e82e67392e23", - "target-uuid": "e01be9c5-e763-4caf-aeb7-000b416aef67" - }, - "uuid": "7185fe1c-1565-4175-bc7e-539ff704f4cb", - "value": "Net (S0039) uses Create Account (T1136)" - }, - { - "meta": { - "source-uuid": "0bbdf25b-30ff-4894-a1cd-49260d0dd2d9", - "target-uuid": "7fd87010-3a00-4da3-b905-410525e8ec44" - }, - "uuid": "897dec92-49a8-4edd-8ed2-8082f134e42b", - "value": "APT3 (G0022) uses Scripting (T1064)" - }, - { - "meta": { - "source-uuid": "8ae43c46-57ef-47d5-a77a-eebb35628db2", - "target-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a" - }, - "uuid": "ae1ee1dc-6017-4177-b34c-70db166a939e", - "value": "JHUHUGIT (S0044) uses Obfuscated Files or Information (T1027)" - }, - { - "meta": { - "source-uuid": "93f52415-0fe4-4d3d-896c-fc9b8e88ab90", - "target-uuid": "ae676644-d2d2-41b7-af7e-9bed1b55898c" - }, - "uuid": "595be2e7-9f2a-4d5a-b23d-8e4822ae6199", - "value": "BRONZE BUTLER (G0060) uses Data 
from Network Shared Drive (T1039)" - }, - { - "meta": { - "source-uuid": "eff1a885-6f90-42a1-901f-eef6e7a1905e", - "target-uuid": "4b74a1d4-b0e9-4ef1-93f1-14ecc6e2f5b5" - }, - "uuid": "2d8cdbf3-1be2-4e64-ba18-f8b65fcbae8f", - "value": "Helminth (S0170) uses Standard Cryptographic Protocol (T1032)" - }, - { - "meta": { - "source-uuid": "afc079f3-c0ea-4096-b75d-3f05338b7f60", - "target-uuid": "1df0326d-2fbc-4d08-a16b-48365f1e742d" - }, - "uuid": "3e5cf341-4707-4de3-bb06-43530ee3e90f", - "value": "Mimikatz (S0002) uses SID-History Injection (T1178)" - }, - { - "meta": { - "source-uuid": "00c3bfcb-99bd-4767-8c03-b08f585f5c8a", - "target-uuid": "f3c544dc-673c-4ef3-accb-53229f1ae077" - }, - "uuid": "6b38f460-e309-4ab1-bbc9-bd0bb30f4af9", - "value": "PowerDuke (S0139) uses System Time Discovery (T1124)" - }, - { - "meta": { - "source-uuid": "ccd61dfc-b03f-4689-8c18-7c97eab08472", - "target-uuid": "f24faf46-3b26-4dbb-98f2-63460498e433" - }, - "uuid": "101867a2-149c-4088-a90f-7af4b86e5013", - "value": "CHOPSTICK (S0023) uses Fallback Channels (T1008)" - }, - { - "meta": { - "source-uuid": "d9f4b5fa-2a39-4bdf-b40a-ea998933cd6d", - "target-uuid": "6faf650d-bf31-4eb4-802d-1000cf38efaf" - }, - "uuid": "e24bd0ff-bc9e-4d26-84ea-008acb4975a1", - "value": "Video Capture Mitigation (T1125) mitigates Video Capture (T1125)" - }, - { - "meta": { - "source-uuid": "c5574ca0-d5a4-490a-b207-e4658e5fd1d7", - "target-uuid": "bb3c1098-d654-4620-bf40-694386d28921" - }, - "uuid": "e577372f-c3c9-4e12-9bc6-3f6a1faec0ac", - "value": "Scarlet Mimic (G0029) uses FakeM (S0076)" - }, - { - "meta": { - "source-uuid": "f6ae7a52-f3b6-4525-9daf-640c083f006e", - "target-uuid": "c21d5a77-d422-4a69-acd7-2c53c1faa34b" - }, - "uuid": "fce7fac2-91da-4903-95dc-fb54650c0859", - "value": "PHOREAL (S0158) uses Standard Non-Application Layer Protocol (T1095)" - }, - { - "meta": { - "source-uuid": "2fb26586-2b53-4b9a-ad4f-2b3bcb9a2421", - "target-uuid": "dcaa092b-7de9-4a21-977f-7fcb77e89c48" - }, - "uuid": 
"93d83b03-8367-4655-84a5-9abaee885700", - "value": "SslMM (S0058) uses Access Token Manipulation (T1134)" - }, - { - "meta": { - "source-uuid": "7343e208-7cab-45f2-a47b-41ba5e2f0fab", - "target-uuid": "4b74a1d4-b0e9-4ef1-93f1-14ecc6e2f5b5" - }, - "uuid": "b3973baa-0185-45a1-934d-2b29f742a2df", - "value": "XTunnel (S0117) uses Standard Cryptographic Protocol (T1032)" - }, - { - "meta": { - "source-uuid": "dc5d1a33-62aa-4a0c-aa8c-589b87beb11e", - "target-uuid": "7bc57495-ea59-4380-be31-a64af124ef18" - }, - "uuid": "a802d52a-01f4-44c8-b80d-d2c746e1e31d", - "value": "ChChes (S0144) uses File and Directory Discovery (T1083)" - }, - { - "meta": { - "source-uuid": "2a158b0a-7ef8-43cb-9985-bf34d1e12050", - "target-uuid": "2fb26586-2b53-4b9a-ad4f-2b3bcb9a2421" - }, - "uuid": "af0b0bfb-1a1e-4a06-b9e9-adeda7b6ad81", - "value": "Naikon (G0019) uses SslMM (S0058)" - }, - { - "meta": { - "source-uuid": "03342581-f790-4f03-ba41-e82e67392e23", - "target-uuid": "e358d692-23c0-4a31-9eb6-ecc13a8d7735" - }, - "uuid": "31ec568c-53c7-4dfb-8bfb-bfb7addca7ee", - "value": "Net (S0039) uses Remote System Discovery (T1018)" - }, - { - "meta": { - "source-uuid": "7331c66a-5601-4d3f-acf6-ad9e3035eb40", - "target-uuid": "c848fcf7-6b62-4bde-8216-b6c157d48da0" - }, - "uuid": "05604d66-735a-4369-bc31-c7915bb3f2e0", - "value": "Group5 (G0043) uses Uncommonly Used Port (T1065)" - }, - { - "meta": { - "source-uuid": "f8dfbc54-b070-4224-b560-79aaa5f835bd", - "target-uuid": "ad255bfe-a9e6-4b52-a258-8d3462abe842" - }, - "uuid": "c79d7110-46bb-4b6d-a256-87bd1b6379a3", - "value": "H1N1 (S0132) uses Data Obfuscation (T1001)" - }, - { - "meta": { - "source-uuid": "53cf6cc4-65aa-445a-bcf8-c3d296f8a7a2", - "target-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6" - }, - "uuid": "61827309-9071-416b-aedf-7f82f224db2e", - "value": "NETEAGLE (S0034) uses Standard Application Layer Protocol (T1071)" - }, - { - "meta": { - "source-uuid": "8ae43c46-57ef-47d5-a77a-eebb35628db2", - "target-uuid": 
"8f4a33ec-8b1f-4b80-a2f6-642b2e479580" - }, - "uuid": "1923a47b-5a48-44e6-883f-ca23a96fea46", - "value": "JHUHUGIT (S0044) uses Process Discovery (T1057)" - }, - { - "meta": { - "source-uuid": "123bd7b3-675c-4b1a-8482-c55782b20e2b", - "target-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6" - }, - "uuid": "2b2cdb6b-c23c-4792-8cfb-8c4d9279a186", - "value": "BUBBLEWRAP (S0043) uses Standard Application Layer Protocol (T1071)" - }, - { - "meta": { - "source-uuid": "85403903-15e0-4f9f-9be4-a259ecad4022", - "target-uuid": "9de2308e-7bed-43a3-8e58-f194b3586700" - }, - "uuid": "ab83d817-57b8-4970-afc6-fbd70c6e3760", - "value": "FIN5 (G0053) uses pwdump (S0006)" - }, - { - "meta": { - "source-uuid": "d1acfbb3-647b-4723-9154-800ec119006e", - "target-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22" - }, - "uuid": "d93265a6-1f92-472b-9e47-48b7863d8171", - "value": "Sowbug (G0054) uses Credential Dumping (T1003)" - }, - { - "meta": { - "source-uuid": "e6ef745b-077f-42e1-a37d-29eecff9c754", - "target-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22" - }, - "uuid": "932fa199-f4c0-4c39-bb30-a412607ee299", - "value": "CozyCar (S0046) uses Credential Dumping (T1003)" - }, - { - "meta": { - "source-uuid": "8901ac23-6b50-410c-b0dd-d8174a86f9b3", - "target-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896" - }, - "uuid": "2dfbcf5d-8563-440c-bd9c-0cfc15059bd5", - "value": "Shamoon (S0140) uses Query Registry (T1012)" - }, - { - "meta": { - "source-uuid": "96b08451-b27a-4ff6-893f-790e26393a8e", - "target-uuid": "ca1a3f50-5ebd-41f8-8320-2c7d6a6e88be" - }, - "uuid": "3efe41c1-48be-48fc-90d8-5ae70df3cd97", - "value": "Sakula (S0074) uses Bypass User Account Control (T1088)" - }, - { - "meta": { - "source-uuid": "8ae43c46-57ef-47d5-a77a-eebb35628db2", - "target-uuid": "f24faf46-3b26-4dbb-98f2-63460498e433" - }, - "uuid": "0d43f3a7-70ed-4d04-857e-3a9fbce86cfb", - "value": "JHUHUGIT (S0044) uses Fallback Channels (T1008)" - }, - { - "meta": { - "source-uuid": "687c23e4-4e25-4ee7-a870-c5e002511f54", - 
"target-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580" - }, - "uuid": "f33725f4-cce5-4868-b494-d73419c76bdf", - "value": "DustySky (S0062) uses Process Discovery (T1057)" - }, - { - "meta": { - "source-uuid": "d519164e-f5fa-4b8c-a1fb-cf0172ad0983", - "target-uuid": "92a78814-b191-47ca-909c-1ccfe3777414" - }, - "uuid": "b38cfcfd-b8e3-4a9c-ade9-8a8bfeb04694", - "value": "Threat Group-1314 (G0028) uses Third-party Software (T1072)" - }, - { - "meta": { - "source-uuid": "85b39628-204a-48d2-b377-ec368cbcb7ca", - "target-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a" - }, - "uuid": "4afcb9c9-e490-446b-97b1-1c151974242f", - "value": "TINYTYPHON (S0131) uses Obfuscated Files or Information (T1027)" - }, - { - "meta": { - "source-uuid": "463f68f1-5cde-4dc2-a831-68b73488f8f4", - "target-uuid": "c848fcf7-6b62-4bde-8216-b6c157d48da0" - }, - "uuid": "cfccba1b-5aa0-46ef-b668-d9f7e25b53ae", - "value": "MobileOrder (S0079) uses Uncommonly Used Port (T1065)" - }, - { - "meta": { - "source-uuid": "5ce5392a-3a6c-4e07-9df3-9b6a9159ac45", - "target-uuid": "8e461ca3-0996-4e6e-a0df-e2a5bbc51ebc" - }, - "uuid": "47835d17-73e1-427f-85b0-b55b610fa9ad", - "value": "Putter Panda (G0024) uses 4H RAT (S0065)" - }, - { - "meta": { - "source-uuid": "65341f30-bec6-4b1d-8abf-1a5620446c29", - "target-uuid": "478aa214-2ca7-4ec0-9978-18798e514790" - }, - "uuid": "ecca0af0-1549-4068-b01d-bab711c491c5", - "value": "Reaver (S0172) uses New Service (T1050)" - }, - { - "meta": { - "source-uuid": "fbb470da-1d44-4f29-bbb3-9efbe20f94a3", - "target-uuid": "f879d51c-5476-431c-aedf-f14d207e4d1e" - }, - "uuid": "8278fc85-24af-4f8a-9b82-3f233f18f5a6", - "value": "Mivast (S0080) uses Commonly Used Port (T1043)" - }, - { - "meta": { - "source-uuid": "1c63d4ec-0a75-4daa-b1df-0d11af3d3cc1", - "target-uuid": "2e0dd10b-676d-4964-acd0-8a404c92b044" - }, - "uuid": "c2bd7b04-b090-478a-8e83-6b4656c14bb0", - "value": "Dragonfly (G0035) uses Disabling Security Tools (T1089)" - }, - { - "meta": { - "source-uuid": 
"c93fccb1-e8e8-42cf-ae33-2ad1d183913a", - "target-uuid": "4ae4f953-fe58-4cc8-a327-33257e30a830" - }, - "uuid": "170e2f76-5b6a-4eee-8ea4-d1171368b4a9", - "value": "Lazarus Group (G0032) uses Application Window Discovery (T1010)" - }, - { - "meta": { - "source-uuid": "9ab7de33-99b2-4d8d-8cf3-182fa0015cc2", - "target-uuid": "03259939-0b57-482f-8eb5-87c0e0d54334" - }, - "uuid": "87f4c47d-b94d-4a1e-9c4b-be671a99e6f0", - "value": "Logon Scripts Mitigation (T1037) mitigates Logon Scripts (T1037)" - }, - { - "meta": { - "source-uuid": "5967cc93-57c9-404a-8ffd-097edfa7bdfc", - "target-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59" - }, - "uuid": "66bec558-ff92-42ff-a8c1-5b47d071d606", - "value": "Hi-Zor (S0087) uses File Deletion (T1107)" - }, - { - "meta": { - "source-uuid": "0bbdf25b-30ff-4894-a1cd-49260d0dd2d9", - "target-uuid": "ffe742ed-9100-4686-9e00-c331da544787" - }, - "uuid": "96797ece-5783-4d34-a399-32496c8705ac", - "value": "APT3 (G0022) uses Windows Admin Shares (T1077)" - }, - { - "meta": { - "source-uuid": "a0cb9370-e39b-44d5-9f50-ef78e412b973", - "target-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22" - }, - "uuid": "fad2a504-6e00-4892-bf88-b49d6d18788c", - "value": "Axiom (G0001) uses Credential Dumping (T1003)" - }, - { - "meta": { - "source-uuid": "eff1a885-6f90-42a1-901f-eef6e7a1905e", - "target-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830" - }, - "uuid": "acca43ee-1e88-4d39-a953-7626173a89b2", - "value": "Helminth (S0170) uses Command-Line Interface (T1059)" - }, - { - "meta": { - "source-uuid": "96b08451-b27a-4ff6-893f-790e26393a8e", - "target-uuid": "b2001907-166b-4d71-bb3c-9d26c871de09" - }, - "uuid": "5c34be50-c7be-40c2-80bb-f3bc7db5cdd7", - "value": "Sakula (S0074) uses DLL Side-Loading (T1073)" - }, - { - "meta": { - "source-uuid": "0bbdf25b-30ff-4894-a1cd-49260d0dd2d9", - "target-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104" - }, - "uuid": "fcfb3ce0-01a0-4f92-8e18-b323202d095d", - "value": "APT3 (G0022) uses System Owner/User Discovery (T1033)" - }, 
- { - "meta": { - "source-uuid": "e066bf86-9cfb-407a-9d25-26fd5d91e360", - "target-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830" - }, - "uuid": "380db9ad-f6ad-4988-8a28-b773313f07b7", - "value": "HTTPBrowser (S0070) uses Command-Line Interface (T1059)" - }, - { - "meta": { - "source-uuid": "a52edc76-328d-4596-85e7-d56ef5a9eb69", - "target-uuid": "c23b740b-a42b-47a1-aec2-9d48ddd547ff" - }, - "uuid": "1dc42b4c-4a93-4fc6-bad3-b5498ad500b1", - "value": "Pass-The-Hash Toolkit (S0122) uses Pass the Hash (T1075)" - }, - { - "meta": { - "source-uuid": "d1acfbb3-647b-4723-9154-800ec119006e", - "target-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0" - }, - "uuid": "d6d66a6f-dbc8-4d7b-b3fc-634f2765429a", - "value": "Sowbug (G0054) uses Masquerading (T1036)" - }, - { - "meta": { - "source-uuid": "76abb3ef-dafd-4762-97cb-a35379429db4", - "target-uuid": "970cdb5c-02fb-4c38-b17e-d6327cf3c810" - }, - "uuid": "7ec988a7-712a-45ae-b6b3-db26a6515b80", - "value": "Gazer (S0168) uses Shortcut Modification (T1023)" - }, - { - "meta": { - "source-uuid": "9de2308e-7bed-43a3-8e58-f194b3586700", - "target-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22" - }, - "uuid": "57a1f1a8-f1c0-4b7c-b5b4-f283a278833c", - "value": "pwdump (S0006) uses Credential Dumping (T1003)" - }, - { - "meta": { - "source-uuid": "247cb30b-955f-42eb-97a5-a89fef69341e", - "target-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59" - }, - "uuid": "ce212487-1291-4fe6-9f0b-f697516a7824", - "value": "APT32 (G0050) uses File Deletion (T1107)" - }, - { - "meta": { - "source-uuid": "222fbd21-fc4f-4b7e-9f85-0e6e3a76c33f", - "target-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81" - }, - "uuid": "44273d72-b0d9-42ee-9e8e-53d1b39f0651", - "value": "menuPass (G0045) uses Valid Accounts (T1078)" - }, - { - "meta": { - "source-uuid": "5391ece4-8866-415d-9b5e-8dc5944f612a", - "target-uuid": "45d84c8b-c1e2-474d-a14d-69b5de0a2bc0" - }, - "uuid": "fb5e24e6-58f1-4ef0-9094-147319487f15", - "value": "Source Mitigation (T1153) mitigates Source (T1153)" - 
}, - { - "meta": { - "source-uuid": "6713ab67-e25b-49cc-808d-2b36d4fbc35c", - "target-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830" - }, - "uuid": "a5a63d5c-acf7-4720-866d-fcf6e576a58f", - "value": "Ke3chang (G0004) uses Command-Line Interface (T1059)" - }, - { - "meta": { - "source-uuid": "d519164e-f5fa-4b8c-a1fb-cf0172ad0983", - "target-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81" - }, - "uuid": "c6358f18-fc64-46f5-8939-66e5258dd83d", - "value": "Threat Group-1314 (G0028) uses Valid Accounts (T1078)" - }, - { - "meta": { - "source-uuid": "d5e96a35-7b0b-4c6a-9533-d63ecbda563e", - "target-uuid": "731f4f55-b6d0-41d1-a7a9-072a66389aea" - }, - "uuid": "1b27cec5-241a-4c2e-a3db-e9cea241496c", - "value": "HTRAN (S0040) uses Connection Proxy (T1090)" - }, - { - "meta": { - "source-uuid": "2a7914cf-dff3-428d-ab0f-1014d1c28aeb", - "target-uuid": "ff6caf67-ea1f-4895-b80e-4bb0fc31c6db" - }, - "uuid": "9c8fa95a-cbbe-4ef6-999d-21b4080b54f6", - "value": "FIN6 (G0037) uses PsExec (S0029)" - }, - { - "meta": { - "source-uuid": "222fbd21-fc4f-4b7e-9f85-0e6e3a76c33f", - "target-uuid": "01a5a209-b94c-450b-b7f9-946497d91055" - }, - "uuid": "04203d88-5fe1-4e63-be65-51a17705716b", - "value": "menuPass (G0045) uses Windows Management Instrumentation (T1047)" - }, - { - "meta": { - "source-uuid": "93f52415-0fe4-4d3d-896c-fc9b8e88ab90", - "target-uuid": "f4882e23-8aa7-4b12-b28a-b349c12ee9e0" - }, - "uuid": "d36e83a0-5370-4d78-862d-4dbe8921709d", - "value": "BRONZE BUTLER (G0060) uses PowerShell (T1086)" - }, - { - "meta": { - "source-uuid": "64fa0de0-6240-41f4-8638-f4ca7ed528fd", - "target-uuid": "ff25900d-76d5-449b-a351-8824e62fc81b" - }, - "uuid": "14b393f2-6d67-4d4f-8f88-75c8b421c4e2", - "value": "PlugX (S0013) uses Trusted Developer Utilities (T1127)" - }, - { - "meta": { - "source-uuid": "aafea02e-ece5-4bb2-91a6-3bf8c7f38a39", - "target-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22" - }, - "uuid": "6dc0543b-1a60-4e9a-9527-595220854f53", - "value": "Cobalt Strike (S0154) uses 
Credential Dumping (T1003)" - }, - { - "meta": { - "source-uuid": "aafea02e-ece5-4bb2-91a6-3bf8c7f38a39", - "target-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d" - }, - "uuid": "aa243e70-fba4-4f8a-8b5e-1ac826eac593", - "value": "Cobalt Strike (S0154) uses Process Injection (T1055)" - }, - { - "meta": { - "source-uuid": "09b2cd76-c674-47cc-9f57-d2f2ad150a46", - "target-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830" - }, - "uuid": "aabb13d6-a73b-42aa-8014-696b94ff2416", - "value": "POWRUNER (S0184) uses Command-Line Interface (T1059)" - }, - { - "meta": { - "source-uuid": "c93fccb1-e8e8-42cf-ae33-2ad1d183913a", - "target-uuid": "ffe742ed-9100-4686-9e00-c331da544787" - }, - "uuid": "e6cafa6a-22ce-49f7-8136-dc5a51c3aaeb", - "value": "Lazarus Group (G0032) uses Windows Admin Shares (T1077)" - }, - { - "meta": { - "source-uuid": "073cc04d-ac46-4f5a-85d7-83a91ecd6a19", - "target-uuid": "c0df6533-30ee-4a4a-9c6d-17af5abdf0b2" - }, - "uuid": "daca6956-64b8-468f-aa64-0ce4a4f7ad28", - "value": "Setuid and Setgid Mitigation (T1166) mitigates Setuid and Setgid (T1166)" - }, - { - "meta": { - "source-uuid": "43213480-78f7-4fb3-976f-d48f5f6a4c2a", - "target-uuid": "1b7ba276-eedc-4951-a762-0ceea2c030ec" - }, - "uuid": "e30a790b-8f09-4bdc-8116-275d00880333", - "value": "FLASHFLOOD (S0036) uses Data from Removable Media (T1025)" - }, - { - "meta": { - "source-uuid": "247cb30b-955f-42eb-97a5-a89fef69341e", - "target-uuid": "f6ae7a52-f3b6-4525-9daf-640c083f006e" - }, - "uuid": "bb8fd9d4-4362-40c6-ab09-f05f843c2cef", - "value": "APT32 (G0050) uses PHOREAL (S0158)" - }, - { - "meta": { - "source-uuid": "166c0eca-02fd-424a-92c0-6b5106994d31", - "target-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830" - }, - "uuid": "98a9bef7-8aff-4cbb-958b-14cb72954b8a", - "value": "ZLib (S0086) uses Command-Line Interface (T1059)" - }, - { - "meta": { - "source-uuid": "96e239be-ad99-49eb-b127-3007b8c1bec9", - "target-uuid": "348f1eef-964b-4eb6-bb53-69b3dcb0c643" - }, - "uuid": 
"062ebca3-abf7-449a-ad84-f04a3cada4dd", - "value": "Equation (G0020) uses Peripheral Device Discovery (T1120)" - }, - { - "meta": { - "source-uuid": "e48df773-7c95-4a4c-ba70-ea3d15900148", - "target-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104" - }, - "uuid": "6cf42ee6-a064-4d8a-99d4-8aa0f878ae2a", - "value": "DownPaper (S0186) uses System Owner/User Discovery (T1033)" - }, - { - "meta": { - "source-uuid": "cbf646f1-7db5-4dc6-808b-0094313949df", - "target-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6" - }, - "uuid": "41edf1d6-15a7-4da5-9bfd-ebee9d53f71e", - "value": "CloudDuke (S0054) uses Standard Application Layer Protocol (T1071)" - }, - { - "meta": { - "source-uuid": "a1dd2dbd-1550-44bf-abcc-1a4c52e97719", - "target-uuid": "3257eb21-f9a7-4430-8de1-d8b6e288f529" - }, - "uuid": "9c012fcf-876b-4101-aa28-6af8b00a51d2", - "value": "Responder (S0174) uses Network Sniffing (T1040)" - }, - { - "meta": { - "source-uuid": "af2ad3b7-ab6a-4807-91fd-51bcaff9acbb", - "target-uuid": "e6415f09-df0e-48de-9aba-928c902b7549" - }, - "uuid": "2b97e16e-8c39-4e5e-ad90-15c10f15d923", - "value": "USBStealer (S0136) uses Exfiltration Over Physical Medium (T1052)" - }, - { - "meta": { - "source-uuid": "5f9f7648-04ba-4a9f-bb4c-2a13e74572bd", - "target-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59" - }, - "uuid": "c8bceb4a-0cf2-43c9-9729-20ed706c4c72", - "value": "Pteranodon (S0147) uses File Deletion (T1107)" - }, - { - "meta": { - "source-uuid": "9e2bba94-950b-4fcf-8070-cb3f816c5f4e", - "target-uuid": "478aa214-2ca7-4ec0-9978-18798e514790" - }, - "uuid": "8d976244-6d4e-443a-98c0-52fe1d94c388", - "value": "hcdLoader (S0071) uses New Service (T1050)" - }, - { - "meta": { - "source-uuid": "5f9f7648-04ba-4a9f-bb4c-2a13e74572bd", - "target-uuid": "92d7da27-2d91-488e-a00c-059dc162766d" - }, - "uuid": "acc40539-13a0-4577-a862-e348962bf0fc", - "value": "Pteranodon (S0147) uses Exfiltration Over Command and Control Channel (T1041)" - }, - { - "meta": { - "source-uuid": 
"c93fccb1-e8e8-42cf-ae33-2ad1d183913a", - "target-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104" - }, - "uuid": "500130c0-d049-4e67-9bcc-d60a5f6dfd4c", - "value": "Lazarus Group (G0032) uses System Owner/User Discovery (T1033)" - }, - { - "meta": { - "source-uuid": "54cc1d4f-5c53-4f0e-9ef5-11b4998e82e4", - "target-uuid": "ba8e391f-14b5-496f-81f2-2d5ecd646c1c" - }, - "uuid": "aec49e52-c54e-45be-a476-70aa0dc42cfb", - "value": "BlackEnergy (S0089) uses Credentials in Files (T1081)" - }, - { - "meta": { - "source-uuid": "fb366179-766c-4a4a-afa1-52bff1fd601c", - "target-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add" - }, - "uuid": "6a1693a7-1e85-48b6-9097-11339a987099", - "value": "Threat Group-3390 (G0027) uses Remote File Copy (T1105)" - }, - { - "meta": { - "source-uuid": "e066bf86-9cfb-407a-9d25-26fd5d91e360", - "target-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0" - }, - "uuid": "654d9e83-9501-4de8-8828-1a1ebf36bc8f", - "value": "HTTPBrowser (S0070) uses Masquerading (T1036)" - }, - { - "meta": { - "source-uuid": "e6ef745b-077f-42e1-a37d-29eecff9c754", - "target-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6" - }, - "uuid": "22301618-a676-4d94-975a-2a56e5a7f919", - "value": "CozyCar (S0046) uses Standard Application Layer Protocol (T1071)" - }, - { - "meta": { - "source-uuid": "94379dec-5c87-49db-b36e-66abc0b81344", - "target-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104" - }, - "uuid": "af66e48f-3232-4f78-ad3e-5a404f7ae3a1", - "value": "Derusbi (S0021) uses System Owner/User Discovery (T1033)" - }, - { - "meta": { - "source-uuid": "bef4c620-0787-42a8-a96d-b7eb6e85917c", - "target-uuid": "e669bb87-f773-4c7b-bfcc-a9ffebfdd8d4" - }, - "uuid": "720c211e-2219-496d-8a34-c3f37dfbe5bf", - "value": "APT28 (G0007) uses HIDEDRV (S0135)" - }, - { - "meta": { - "source-uuid": "17e919aa-4a49-445c-b103-dbb8df9e7351", - "target-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a" - }, - "uuid": "3a66ff23-3dcc-45b9-821a-8d6527b6e242", - "value": "POWERSOURCE (S0145) uses Obfuscated Files or 
Information (T1027)" - }, - { - "meta": { - "source-uuid": "6b616fc1-1505-48e3-8b2c-0d19337bff38", - "target-uuid": "1b7ba276-eedc-4951-a762-0ceea2c030ec" - }, - "uuid": "6d87588e-2202-4616-a536-e43a2606721b", - "value": "Rover (S0090) uses Data from Removable Media (T1025)" - }, - { - "meta": { - "source-uuid": "c93fccb1-e8e8-42cf-ae33-2ad1d183913a", - "target-uuid": "a19e86f8-1c0a-4fea-8407-23b73d615776" - }, - "uuid": "0a8ee649-e907-4a73-8513-3019b2d771a0", - "value": "Lazarus Group (G0032) uses Exfiltration Over Alternative Protocol (T1048)" - }, - { - "meta": { - "source-uuid": "72f54d66-675d-4587-9bd3-4ed09f9522e4", - "target-uuid": "4b74a1d4-b0e9-4ef1-93f1-14ecc6e2f5b5" - }, - "uuid": "a9bd68ed-2602-4225-838e-2d9b7f8761b4", - "value": "Carbanak (S0030) uses Standard Cryptographic Protocol (T1032)" - }, - { - "meta": { - "source-uuid": "b42378e0-f147-496f-992a-26a49705395b", - "target-uuid": "4b74a1d4-b0e9-4ef1-93f1-14ecc6e2f5b5" - }, - "uuid": "b41c9b77-536b-49bc-8cb9-a873aa121002", - "value": "PoisonIvy (S0012) uses Standard Cryptographic Protocol (T1032)" - }, - { - "meta": { - "source-uuid": "67e6d66b-1b82-4699-b47a-e2efb6268d14", - "target-uuid": "1608f3e1-598a-42f4-a01a-2e252e81728f" - }, - "uuid": "76333b56-47b1-40c6-9223-c4cf6673362f", - "value": "SeaDuke (S0053) uses Email Collection (T1114)" - }, - { - "meta": { - "source-uuid": "dc5d1a33-62aa-4a0c-aa8c-589b87beb11e", - "target-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580" - }, - "uuid": "e6f69552-fe0e-4b40-ad20-4410048277e6", - "value": "ChChes (S0144) uses Process Discovery (T1057)" - }, - { - "meta": { - "source-uuid": "247cb30b-955f-42eb-97a5-a89fef69341e", - "target-uuid": "f72eb8a8-cd4c-461d-a814-3f862befbf00" - }, - "uuid": "4477e350-645d-40de-8de7-7a6e1680c2e0", - "value": "APT32 (G0050) uses Custom Command and Control Protocol (T1094)" - }, - { - "meta": { - "source-uuid": "37cc7eb6-12e3-467b-82e8-f20f2cc73c69", - "target-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a" - }, - "uuid": 
"290a1ceb-68e1-42ae-be81-f474038aaa05", - "value": "Prikormka (S0113) uses Obfuscated Files or Information (T1027)" - }, - { - "meta": { - "source-uuid": "4ca1929c-7d64-4aab-b849-badbfc0c760d", - "target-uuid": "cde2d700-9ed1-46cf-9bce-07364fe8b24f" - }, - "uuid": "49404706-aa42-4914-a273-2eeb217e6477", - "value": "OilRig (G0049) uses Reg (S0075)" - }, - { - "meta": { - "source-uuid": "59a97b15-8189-4d51-9404-e1ce8ea4a069", - "target-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59" - }, - "uuid": "f5fee3da-a3ef-4a81-a70c-9660ab1fb3d6", - "value": "XAgentOSX (S0161) uses File Deletion (T1107)" - }, - { - "meta": { - "source-uuid": "e066bf86-9cfb-407a-9d25-26fd5d91e360", - "target-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2" - }, - "uuid": "ab7faed6-3c50-4b04-a31b-ac2c933a51ef", - "value": "HTTPBrowser (S0070) uses Input Capture (T1056)" - }, - { - "meta": { - "source-uuid": "2eb9b131-d333-4a48-9eb4-d8dec46c19ee", - "target-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5" - }, - "uuid": "dad229e7-fcc6-4c1d-99c3-47d54fbc6892", - "value": "CosmicDuke (S0050) uses Data from Local System (T1005)" - }, - { - "meta": { - "source-uuid": "69d6f4a9-fcf0-4f51-bca7-597c51ad0bb8", - "target-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59" - }, - "uuid": "2b4a8be2-8403-43d4-addd-79c504e3dec8", - "value": "Remsec (S0125) uses File Deletion (T1107)" - }, - { - "meta": { - "source-uuid": "5967cc93-57c9-404a-8ffd-097edfa7bdfc", - "target-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830" - }, - "uuid": "aaca7907-7a43-4ebb-bd2b-bf7f497d9134", - "value": "Hi-Zor (S0087) uses Command-Line Interface (T1059)" - }, - { - "meta": { - "source-uuid": "6713ab67-e25b-49cc-808d-2b36d4fbc35c", - "target-uuid": "b9f5dbe2-4c55-4fc5-af2e-d42c1d182ec4" - }, - "uuid": "ab7eb363-c775-4065-a80d-1b324f22d0b8", - "value": "Ke3chang (G0004) uses Data Compressed (T1002)" - }, - { - "meta": { - "source-uuid": "4ca1929c-7d64-4aab-b849-badbfc0c760d", - "target-uuid": "15dbf668-795c-41e6-8219-f0447c0e64ce" - }, - "uuid": 
"d39e3775-9221-4020-b826-edc111e36c7c", - "value": "OilRig (G0049) uses Permission Groups Discovery (T1069)" - }, - { - "meta": { - "source-uuid": "dcd81c6e-ebf7-4a16-93e0-9a97fa49c88a", - "target-uuid": "0b32ec39-ba61-4864-9ebe-b4b0b73caf9a" - }, - "uuid": "dc4e54ed-ca71-4dd1-a61e-714222c0c76d", - "value": "CopyKittens (G0052) uses TDTESS (S0164)" - }, - { - "meta": { - "source-uuid": "0a9c51e0-825d-4b9b-969d-ce86ed8ce3c3", - "target-uuid": "52f3d5a6-8a0f-4f82-977e-750abf90d0b0" - }, - "uuid": "c56de8bc-ad9e-415a-8840-ae294ed4f88a", - "value": "Power Loader (S0177) uses Extra Window Memory Injection (T1181)" - }, - { - "meta": { - "source-uuid": "c93fccb1-e8e8-42cf-ae33-2ad1d183913a", - "target-uuid": "f879d51c-5476-431c-aedf-f14d207e4d1e" - }, - "uuid": "88896f55-5606-4b21-8616-e7965a863dd8", - "value": "Lazarus Group (G0032) uses Commonly Used Port (T1043)" - }, - { - "meta": { - "source-uuid": "d69c8146-ab35-4d50-8382-6fc80e641d43", - "target-uuid": "84e02621-8fdf-470f-bd58-993bb6a89d91" - }, - "uuid": "25ad5783-c7fe-4715-b4ce-c03b36ccdfa8", - "value": "BLACKCOFFEE (S0069) uses Multi-Stage Channels (T1104)" - }, - { - "meta": { - "source-uuid": "5cbe0d3b-6fb1-471f-b591-4b192915116d", - "target-uuid": "1b84d551-6de8-4b96-9930-d177677c3b1d" - }, - "uuid": "cb2d2f2d-face-430b-995d-c9bd35db5b90", - "value": "Suckfly (G0039) uses Code Signing (T1116)" - }, - { - "meta": { - "source-uuid": "bef4c620-0787-42a8-a96d-b7eb6e85917c", - "target-uuid": "9b52fca7-1a36-4da0-b62d-da5bd83b4d69" - }, - "uuid": "54d3eadf-0363-47d1-b51d-a16d6a99c42e", - "value": "APT28 (G0007) uses Component Object Model Hijacking (T1122)" - }, - { - "meta": { - "source-uuid": "4ca1929c-7d64-4aab-b849-badbfc0c760d", - "target-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1" - }, - "uuid": "0c03f2b4-a752-4d74-9c26-5306132a3329", - "value": "OilRig (G0049) uses System Information Discovery (T1082)" - }, - { - "meta": { - "source-uuid": "ae41895a-243f-4a65-b99b-d85022326c31", - "target-uuid": 
"7bc57495-ea59-4380-be31-a64af124ef18" - }, - "uuid": "b03aafb3-dc03-4e12-9354-69a579b60aaf", - "value": "Dust Storm (G0031) uses File and Directory Discovery (T1083)" - }, - { - "meta": { - "source-uuid": "2e290bfe-93b5-48ce-97d6-edcd6d32b7cf", - "target-uuid": "7fd87010-3a00-4da3-b905-410525e8ec44" - }, - "uuid": "f73df541-6b55-42d1-aec3-53660fda1508", - "value": "Gamaredon Group (G0047) uses Scripting (T1064)" - }, - { - "meta": { - "source-uuid": "f6d1d2cb-12f5-4221-9636-44606ea1f3f8", - "target-uuid": "e358d692-23c0-4a31-9eb6-ecc13a8d7735" - }, - "uuid": "8765dd7e-33cc-4040-927d-bf0aa16d3d79", - "value": "OSInfo (S0165) uses Remote System Discovery (T1018)" - }, - { - "meta": { - "source-uuid": "b6b3dfc7-9a81-43ff-ac04-698bad48973a", - "target-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6" - }, - "uuid": "d6204645-83ff-4b26-a011-9b58bab2d597", - "value": "Daserf (S0187) uses Standard Application Layer Protocol (T1071)" - }, - { - "meta": { - "source-uuid": "684feec3-f9ba-4049-9d8f-52d52f3e0e40", - "target-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0" - }, - "uuid": "98bdcea2-1c8d-4a65-b75d-075a00d6e87c", - "value": "System Network Configuration Discovery Mitigation (T1016) mitigates System Network Configuration Discovery (T1016)" - }, - { - "meta": { - "source-uuid": "800bdfba-6d66-480f-9f45-15845c05cb5d", - "target-uuid": "ba8e391f-14b5-496f-81f2-2d5ecd646c1c" - }, - "uuid": "a6e4853a-78a6-4c88-a7c5-58793d3e4dcd", - "value": "pngdowner (S0067) uses Credentials in Files (T1081)" - }, - { - "meta": { - "source-uuid": "fb261c56-b80e-43a9-8351-c84081e7213d", - "target-uuid": "92d7da27-2d91-488e-a00c-059dc162766d" - }, - "uuid": "9267fe42-6290-4342-8024-38d703db4376", - "value": "BACKSPACE (S0031) uses Exfiltration Over Command and Control Channel (T1041)" - }, - { - "meta": { - "source-uuid": "af2ad3b7-ab6a-4807-91fd-51bcaff9acbb", - "target-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0" - }, - "uuid": "a67d4b9b-0c8f-41d8-a7f2-6d4c61fcb1ea", - "value": "USBStealer 
(S0136) uses Masquerading (T1036)" - }, - { - "meta": { - "source-uuid": "6713ab67-e25b-49cc-808d-2b36d4fbc35c", - "target-uuid": "7e150503-88e7-4861-866b-ff1ac82c4475" - }, - "uuid": "eaa06586-e33e-4e4c-91ca-76935c22e012", - "value": "Ke3chang (G0004) uses System Network Connections Discovery (T1049)" - }, - { - "meta": { - "source-uuid": "8c553311-0baa-4146-997a-f79acef3d831", - "target-uuid": "7bc57495-ea59-4380-be31-a64af124ef18" - }, - "uuid": "35ec37ba-44aa-49b1-9379-3f6070554c62", - "value": "RARSTONE (S0055) uses File and Directory Discovery (T1083)" - }, - { - "meta": { - "source-uuid": "0db09158-6e48-4e7c-8ce7-2b10b9c0c039", - "target-uuid": "f879d51c-5476-431c-aedf-f14d207e4d1e" - }, - "uuid": "81b183bc-de6a-457c-a3f3-a1168e8456f1", - "value": "Misdat (S0083) uses Commonly Used Port (T1043)" - }, - { - "meta": { - "source-uuid": "17b40f60-729f-4fe8-8aea-cc9ee44a95d5", - "target-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59" - }, - "uuid": "6d51e34d-d2ee-41aa-9ec7-dc74c84ebe9f", - "value": "RedLeaves (S0153) uses File Deletion (T1107)" - }, - { - "meta": { - "source-uuid": "76abb3ef-dafd-4762-97cb-a35379429db4", - "target-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104" - }, - "uuid": "d219ed2b-2877-450f-9a69-a30f36497d14", - "value": "Gazer (S0168) uses System Owner/User Discovery (T1033)" - }, - { - "meta": { - "source-uuid": "0640214c-95af-4c04-a574-2a1ba6dda00b", - "target-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896" - }, - "uuid": "b003a96b-81f7-436c-99a6-a25323f759ac", - "value": "Query Registry Mitigation (T1012) mitigates Query Registry (T1012)" - }, - { - "meta": { - "source-uuid": "91000a8a-58cc-4aba-9ad0-993ad6302b86", - "target-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580" - }, - "uuid": "0cbc1f3f-7a32-4056-bfa6-25186ac5e6a4", - "value": "StreamEx (S0142) uses Process Discovery (T1057)" - }, - { - "meta": { - "source-uuid": "4c59cce8-cb48-4141-b9f1-f646edfaadb0", - "target-uuid": "ffe742ed-9100-4686-9e00-c331da544787" - }, - "uuid": 
"b98c506f-3dd3-45c1-b81a-3e23bcfe6198", - "value": "Regin (S0019) uses Windows Admin Shares (T1077)" - }, - { - "meta": { - "source-uuid": "fb366179-766c-4a4a-afa1-52bff1fd601c", - "target-uuid": "2e0dd10b-676d-4964-acd0-8a404c92b044" - }, - "uuid": "6f884bda-0c39-4d3b-97e3-29ae9099fa45", - "value": "Threat Group-3390 (G0027) uses Disabling Security Tools (T1089)" - }, - { - "meta": { - "source-uuid": "e6ef745b-077f-42e1-a37d-29eecff9c754", - "target-uuid": "478aa214-2ca7-4ec0-9978-18798e514790" - }, - "uuid": "cb0ebed2-4cac-437b-b5b2-37ee716af3f0", - "value": "CozyCar (S0046) uses New Service (T1050)" - }, - { - "meta": { - "source-uuid": "2a158b0a-7ef8-43cb-9985-bf34d1e12050", - "target-uuid": "8c553311-0baa-4146-997a-f79acef3d831" - }, - "uuid": "7dba7706-128e-43a7-a240-6d456c9003a2", - "value": "Naikon (G0019) uses RARSTONE (S0055)" - }, - { - "meta": { - "source-uuid": "9752aef4-a1f3-4328-929f-b64eb0536090", - "target-uuid": "7dd95ff6-712e-4056-9626-312ea4ab4c5e" - }, - "uuid": "b25f5d90-f6cc-47e9-89f1-5527886bf536", - "value": "RawPOS (S0169) uses Data Staged (T1074)" - }, - { - "meta": { - "source-uuid": "ae41895a-243f-4a65-b99b-d85022326c31", - "target-uuid": "66b1dcde-17a0-4c7b-95fa-b08d430c2131" - }, - "uuid": "0ec4a49c-0adc-41fb-afc2-e99f1e7c5200", - "value": "Dust Storm (G0031) uses S-Type (S0085)" - }, - { - "meta": { - "source-uuid": "17b40f60-729f-4fe8-8aea-cc9ee44a95d5", - "target-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a" - }, - "uuid": "6610332d-86a5-46dc-a0a1-31c2fe31f164", - "value": "RedLeaves (S0153) uses Obfuscated Files or Information (T1027)" - }, - { - "meta": { - "source-uuid": "242f3da3-4425-4d11-8f5c-b842886da966", - "target-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22" - }, - "uuid": "935971d6-0af2-4683-971a-9acb523733fe", - "value": "Windows Credential Editor (S0005) uses Credential Dumping (T1003)" - }, - { - "meta": { - "source-uuid": "f2e8c7a1-cae1-45c4-baf0-6f21bdcbb2c2", - "target-uuid": "830c9528-df21-472c-8c14-a036bf17d665" 
- }, - "uuid": "bb8149a2-fdda-4c3a-9e02-f530c4ee7962", - "value": "GLOOXMAIL (S0026) uses Web Service (T1102)" - }, - { - "meta": { - "source-uuid": "7dbb67c7-270a-40ad-836e-c45f8948aa5a", - "target-uuid": "01a5a209-b94c-450b-b7f9-946497d91055" - }, - "uuid": "e8e4b87c-3d30-4627-8060-5b5116d057fc", - "value": "KOMPROGO (S0156) uses Windows Management Instrumentation (T1047)" - }, - { - "meta": { - "source-uuid": "f8dfbc54-b070-4224-b560-79aaa5f835bd", - "target-uuid": "2e0dd10b-676d-4964-acd0-8a404c92b044" - }, - "uuid": "1082a68e-549b-47d5-9eb3-e719f01ce42b", - "value": "H1N1 (S0132) uses Disabling Security Tools (T1089)" - }, - { - "meta": { - "source-uuid": "6713ab67-e25b-49cc-808d-2b36d4fbc35c", - "target-uuid": "7fcbc4e8-1989-441f-9ac5-e7b6ff5806f1" - }, - "uuid": "301de16e-3829-4fb0-b217-dcdfca7398c9", - "value": "Ke3chang (G0004) uses Systeminfo (S0096)" - }, - { - "meta": { - "source-uuid": "c93fccb1-e8e8-42cf-ae33-2ad1d183913a", - "target-uuid": "99709758-2b96-48f2-a68a-ad7fbd828091" - }, - "uuid": "7e221899-d90a-4c9a-8ea4-77110c45f0f9", - "value": "Lazarus Group (G0032) uses Multiband Communication (T1026)" - }, - { - "meta": { - "source-uuid": "8e461ca3-0996-4e6e-a0df-e2a5bbc51ebc", - "target-uuid": "3b3cbbe0-6ed3-4334-b543-3ddfd8c5642d" - }, - "uuid": "6613ed52-5c6c-43f2-bd0c-9809769cb022", - "value": "4H RAT (S0065) uses Custom Cryptographic Protocol (T1024)" - }, - { - "meta": { - "source-uuid": "495b6cdb-7b5a-4fbc-8d33-e7ef68806d08", - "target-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1" - }, - "uuid": "35697909-4c19-4799-a5ac-3153750619f8", - "value": "Volgmer (S0180) uses System Information Discovery (T1082)" - }, - { - "meta": { - "source-uuid": "88b7dbc2-32d3-4e31-af2f-3fc24e1582d7", - "target-uuid": "7551188b-8f91-4d34-8350-0d0c57b2b913" - }, - "uuid": "8859897c-66f5-4754-8cb8-2c6e6b8b8e2e", - "value": "Lotus Blossom (G0030) uses Elise (S0081)" - }, - { - "meta": { - "source-uuid": "69d6f4a9-fcf0-4f51-bca7-597c51ad0bb8", - "target-uuid": 
"c21d5a77-d422-4a69-acd7-2c53c1faa34b" - }, - "uuid": "4ee54acd-fc04-43c2-8cf6-2200a802d0b9", - "value": "Remsec (S0125) uses Standard Non-Application Layer Protocol (T1095)" - }, - { - "meta": { - "source-uuid": "809b79cd-be78-4597-88d1-5496d1d9993a", - "target-uuid": "b53dbcc6-147d-48bb-9df4-bcb8bb808ff6" - }, - "uuid": "d17c02f0-bd1f-4c16-8fe7-28d347407f2e", - "value": "Trap Mitigation (T1154) mitigates Trap (T1154)" - }, - { - "meta": { - "source-uuid": "0472af99-f25c-4abe-9fce-010fa3450e72", - "target-uuid": "ba8e391f-14b5-496f-81f2-2d5ecd646c1c" - }, - "uuid": "5a491b91-739f-498b-b8f2-b14aaea07893", - "value": "Credentials in Files Mitigation (T1081) mitigates Credentials in Files (T1081)" - }, - { - "meta": { - "source-uuid": "64d76fa5-cf8f-469c-b78c-1a4f7c5bad80", - "target-uuid": "f879d51c-5476-431c-aedf-f14d207e4d1e" - }, - "uuid": "b3bc844c-bebf-4756-8d33-6e16ca4ee6a1", - "value": "BBSRAT (S0127) uses Commonly Used Port (T1043)" - }, - { - "meta": { - "source-uuid": "59a97b15-8189-4d51-9404-e1ce8ea4a069", - "target-uuid": "ba8e391f-14b5-496f-81f2-2d5ecd646c1c" - }, - "uuid": "b9e2fac9-fc1a-4e13-ac68-1a5796b04d72", - "value": "XAgentOSX (S0161) uses Credentials in Files (T1081)" - }, - { - "meta": { - "source-uuid": "d1acfbb3-647b-4723-9154-800ec119006e", - "target-uuid": "3489cfc5-640f-4bb3-a103-9137b97de79f" - }, - "uuid": "cc495391-9abd-4df1-8ad7-ec8d84feaeb9", - "value": "Sowbug (G0054) uses Network Share Discovery (T1135)" - }, - { - "meta": { - "source-uuid": "0bbdf25b-30ff-4894-a1cd-49260d0dd2d9", - "target-uuid": "15dbf668-795c-41e6-8219-f0447c0e64ce" - }, - "uuid": "e590aaaa-40fd-4f61-93f3-f2d6daee65a4", - "value": "APT3 (G0022) uses Permission Groups Discovery (T1069)" - }, - { - "meta": { - "source-uuid": "a653431d-6a5e-4600-8ad3-609b5af57064", - "target-uuid": "01a5a209-b94c-450b-b7f9-946497d91055" - }, - "uuid": "d295beee-439c-44f9-9908-4cb194331de9", - "value": "Deep Panda (G0009) uses Windows Management Instrumentation (T1047)" - }, - { - 
"meta": { - "source-uuid": "68dca94f-c11d-421e-9287-7c501108e18c", - "target-uuid": "d54416bd-0803-41ca-870a-ce1af7c05638" - }, - "uuid": "03fc71a1-c589-4396-b5c7-70dfde49c55c", - "value": "Duqu (S0038) uses Data Encrypted (T1022)" - }, - { - "meta": { - "source-uuid": "222fbd21-fc4f-4b7e-9f85-0e6e3a76c33f", - "target-uuid": "51dea151-0898-4a45-967c-3ebee0420484" - }, - "uuid": "bd78bfa6-f30e-4429-ac06-0039d553a69d", - "value": "menuPass (G0045) uses Remote Desktop Protocol (T1076)" - }, - { - "meta": { - "source-uuid": "687c23e4-4e25-4ee7-a870-c5e002511f54", - "target-uuid": "7bc57495-ea59-4380-be31-a64af124ef18" - }, - "uuid": "f9773935-853e-4d5e-9345-9587fd77340d", - "value": "DustySky (S0062) uses File and Directory Discovery (T1083)" - }, - { - "meta": { - "source-uuid": "3753cc21-2dae-4dfb-8481-d004e74502cc", - "target-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc" - }, - "uuid": "74859e2a-7a8f-4b87-b75c-7286b3de685c", - "value": "FIN7 (G0046) uses Registry Run Keys / Start Folder (T1060)" - }, - { - "meta": { - "source-uuid": "a653431d-6a5e-4600-8ad3-609b5af57064", - "target-uuid": "ffe742ed-9100-4686-9e00-c331da544787" - }, - "uuid": "f43ab4db-5dea-4a1f-977a-f5d779330193", - "value": "Deep Panda (G0009) uses Windows Admin Shares (T1077)" - }, - { - "meta": { - "source-uuid": "234e7770-99b0-4f65-b983-d3230f76a60b", - "target-uuid": "1035cdf2-3e5f-446f-a7a7-e8f6d7925967" - }, - "uuid": "8b5d4742-35a6-4ab7-993c-e20831ab0020", - "value": "Janicab (S0163) uses Audio Capture (T1123)" - }, - { - "meta": { - "source-uuid": "8ae43c46-57ef-47d5-a77a-eebb35628db2", - "target-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59" - }, - "uuid": "edaa004e-8239-40d8-a4f0-8849c4f0e87f", - "value": "JHUHUGIT (S0044) uses File Deletion (T1107)" - }, - { - "meta": { - "source-uuid": "85b39628-204a-48d2-b377-ec368cbcb7ca", - "target-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc" - }, - "uuid": "753f9861-f0b8-4467-ac5e-4457bd350095", - "value": "TINYTYPHON (S0131) uses Registry Run Keys 
/ Start Folder (T1060)" - }, - { - "meta": { - "source-uuid": "222fbd21-fc4f-4b7e-9f85-0e6e3a76c33f", - "target-uuid": "72b74d71-8169-42aa-92e0-e7b04b9f5a08" - }, - "uuid": "5a6942dc-eab7-4f45-b5fa-6149774e2acc", - "value": "menuPass (G0045) uses Account Discovery (T1087)" - }, - { - "meta": { - "source-uuid": "64d76fa5-cf8f-469c-b78c-1a4f7c5bad80", - "target-uuid": "b2001907-166b-4d71-bb3c-9d26c871de09" - }, - "uuid": "6b19a5ae-3f6a-4950-94da-22d94477d5d2", - "value": "BBSRAT (S0127) uses DLL Side-Loading (T1073)" - }, - { - "meta": { - "source-uuid": "08d20cd2-f084-45ee-8558-fa6ef5a18519", - "target-uuid": "46944654-fcc1-4f63-9dad-628102376586" - }, - "uuid": "f4f5b6a4-26d5-4352-a25d-001a51a0a121", - "value": "Downdelph (S0134) uses DLL Search Order Hijacking (T1038)" - }, - { - "meta": { - "source-uuid": "0e18b800-906c-4e44-a143-b11c72b3448b", - "target-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6" - }, - "uuid": "e3b79cfa-6ea8-4e7a-85f8-9862702d466a", - "value": "FLIPSIDE (S0173) uses Standard Application Layer Protocol (T1071)" - }, - { - "meta": { - "source-uuid": "fe0aeb41-1a51-4152-8467-628256ea6adf", - "target-uuid": "62dfd1ca-52d5-483c-a84b-d6e80bf94b7b" - }, - "uuid": "812b36a3-ed93-4b45-95c3-39a9ac9c36f5", - "value": "Modify Existing Service Mitigation (T1031) mitigates Modify Existing Service (T1031)" - }, - { - "meta": { - "source-uuid": "16ade1aa-0ea1-4bb7-88cc-9079df2ae756", - "target-uuid": "294e2560-bd48-44b2-9da2-833b5588ad11" - }, - "uuid": "e38e741c-a7ef-420a-911a-1d2cf6abf49d", - "value": "admin@338 (G0018) uses ipconfig (S0100)" - }, - { - "meta": { - "source-uuid": "1cc934e4-b01d-4543-a011-b988dfc1a458", - "target-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22" - }, - "uuid": "47a95ac1-e37a-40ea-bf1e-e99ff4483998", - "value": "Matroyshka (S0167) uses Credential Dumping (T1003)" - }, - { - "meta": { - "source-uuid": "2eb9b131-d333-4a48-9eb4-d8dec46c19ee", - "target-uuid": "3b3cbbe0-6ed3-4334-b543-3ddfd8c5642d" - }, - "uuid": 
"fbae4191-679a-45b2-8ebb-8adb5348f4d0", - "value": "CosmicDuke (S0050) uses Custom Cryptographic Protocol (T1024)" - }, - { - "meta": { - "source-uuid": "88c621a7-aef9-4ae0-94e3-1fc87123eb24", - "target-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830" - }, - "uuid": "68852bf2-c3cf-4d59-b1c1-f6af8fb61be6", - "value": "gh0st (S0032) uses Command-Line Interface (T1059)" - }, - { - "meta": { - "source-uuid": "bef4c620-0787-42a8-a96d-b7eb6e85917c", - "target-uuid": "af2ad3b7-ab6a-4807-91fd-51bcaff9acbb" - }, - "uuid": "d26b3aeb-972f-471e-ab59-dc1ee2aa532e", - "value": "APT28 (G0007) uses USBStealer (S0136)" - }, - { - "meta": { - "source-uuid": "9ea525fa-b0a9-4dde-84f2-bcea0137b3c1", - "target-uuid": "4b74a1d4-b0e9-4ef1-93f1-14ecc6e2f5b5" - }, - "uuid": "609d3d8c-1995-43ef-a102-a39d668a774d", - "value": "MoonWind (S0149) uses Standard Cryptographic Protocol (T1032)" - }, - { - "meta": { - "source-uuid": "17b40f60-729f-4fe8-8aea-cc9ee44a95d5", - "target-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104" - }, - "uuid": "bd8aaa70-710d-45a7-bb43-6b2e37f7c797", - "value": "RedLeaves (S0153) uses System Owner/User Discovery (T1033)" - }, - { - "meta": { - "source-uuid": "08d20cd2-f084-45ee-8558-fa6ef5a18519", - "target-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add" - }, - "uuid": "9c7a9bd0-4f52-4c10-8e79-3b6e72d431d1", - "value": "Downdelph (S0134) uses Remote File Copy (T1105)" - }, - { - "meta": { - "source-uuid": "fe98767f-9df8-42b9-83c9-004b1dec8647", - "target-uuid": "b42378e0-f147-496f-992a-26a49705395b" - }, - "uuid": "8d65162b-650d-4a38-9c19-cc6c8e85a2e9", - "value": "PittyTiger (G0011) uses PoisonIvy (S0012)" - }, - { - "meta": { - "source-uuid": "43213480-78f7-4fb3-976f-d48f5f6a4c2a", - "target-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc" - }, - "uuid": "3ebad12d-fd33-4289-93dc-1f5af5e90b66", - "value": "FLASHFLOOD (S0036) uses Registry Run Keys / Start Folder (T1060)" - }, - { - "meta": { - "source-uuid": "84d633a4-dd93-40ca-8510-40238c021931", - "target-uuid": 
"dc27c2ec-c5f9-4228-ba57-d67b590bda93" - }, - "uuid": "36adf5c8-2426-41e1-807d-f4d7958b9d54", - "value": "Hidden Files and Directories Mitigation (T1158) mitigates Hidden Files and Directories (T1158)" - }, - { - "meta": { - "source-uuid": "54246e2e-683f-4bf2-be4c-d7d5a60e7d22", - "target-uuid": "0dbf5f1b-a560-4d51-ac1b-d70caab3e1f0" - }, - "uuid": "126bfb52-654a-4056-be93-37a06f8d6a32", - "value": "LLMNR/NBT-NS Poisoning Mitigation (T1171) mitigates LLMNR/NBT-NS Poisoning (T1171)" - }, - { - "meta": { - "source-uuid": "ccd61dfc-b03f-4689-8c18-7c97eab08472", - "target-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add" - }, - "uuid": "731710ae-a6b9-47b7-b8b2-8526ce60be2f", - "value": "CHOPSTICK (S0023) uses Remote File Copy (T1105)" - }, - { - "meta": { - "source-uuid": "16ade1aa-0ea1-4bb7-88cc-9079df2ae756", - "target-uuid": "b42378e0-f147-496f-992a-26a49705395b" - }, - "uuid": "7b355dcf-9a9f-43b3-9989-128f5171b5c3", - "value": "admin@338 (G0018) uses PoisonIvy (S0012)" - }, - { - "meta": { - "source-uuid": "e6ef745b-077f-42e1-a37d-29eecff9c754", - "target-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0" - }, - "uuid": "a4a49b56-e220-4a81-a0da-43b63c012cfe", - "value": "CozyCar (S0046) uses Masquerading (T1036)" - }, - { - "meta": { - "source-uuid": "afc079f3-c0ea-4096-b75d-3f05338b7f60", - "target-uuid": "ba8e391f-14b5-496f-81f2-2d5ecd646c1c" - }, - "uuid": "028c3adf-4182-4250-9642-2ce5c448f710", - "value": "Mimikatz (S0002) uses Credentials in Files (T1081)" - }, - { - "meta": { - "source-uuid": "8b880b41-5139-4807-baa9-309690218719", - "target-uuid": "d54416bd-0803-41ca-870a-ce1af7c05638" - }, - "uuid": "23df6015-0167-481c-84aa-3d15d3e38a85", - "value": "SPACESHIP (S0035) uses Data Encrypted (T1022)" - }, - { - "meta": { - "source-uuid": "894aab42-3371-47b1-8859-a4a074c804c8", - "target-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22" - }, - "uuid": "4d3e4232-1330-45a9-9e90-9914eed276a5", - "value": "Stealth Falcon (G0038) uses Credential Dumping (T1003)" - }, - { - 
"meta": { - "source-uuid": "00c3bfcb-99bd-4767-8c03-b08f585f5c8a", - "target-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59" - }, - "uuid": "789cf81d-bfc9-4c1a-a34a-57e41981894a", - "value": "PowerDuke (S0139) uses File Deletion (T1107)" - }, - { - "meta": { - "source-uuid": "1cc934e4-b01d-4543-a011-b988dfc1a458", - "target-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6" - }, - "uuid": "c476a0da-44fd-4492-86ae-407aabab3735", - "value": "Matroyshka (S0167) uses Standard Application Layer Protocol (T1071)" - }, - { - "meta": { - "source-uuid": "54cc1d4f-5c53-4f0e-9ef5-11b4998e82e4", - "target-uuid": "478aa214-2ca7-4ec0-9978-18798e514790" - }, - "uuid": "c48f6a1b-1599-4e82-a7b6-1f7b5186e99e", - "value": "BlackEnergy (S0089) uses New Service (T1050)" - }, - { - "meta": { - "source-uuid": "09b2cd76-c674-47cc-9f57-d2f2ad150a46", - "target-uuid": "7e150503-88e7-4861-866b-ff1ac82c4475" - }, - "uuid": "e0cf8a56-e8e1-43b0-9efc-f167d1cf21de", - "value": "POWRUNER (S0184) uses System Network Connections Discovery (T1049)" - }, - { - "meta": { - "source-uuid": "7a19ecb1-3c65-4de3-a230-993516aed6a6", - "target-uuid": "2e45723a-31da-4a7e-aaa6-e01998a6788f" - }, - "uuid": "bd2a23f7-88cd-47d2-b30e-9356d0204a8e", - "value": "Turla (G0010) uses Tasklist (S0057)" - }, - { - "meta": { - "source-uuid": "69d6f4a9-fcf0-4f51-bca7-597c51ad0bb8", - "target-uuid": "72b74d71-8169-42aa-92e0-e7b04b9f5a08" - }, - "uuid": "9e587add-08b7-4ecb-a40a-664b9cff1d0f", - "value": "Remsec (S0125) uses Account Discovery (T1087)" - }, - { - "meta": { - "source-uuid": "7551188b-8f91-4d34-8350-0d0c57b2b913", - "target-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a" - }, - "uuid": "68bbad6c-1685-4275-bd36-b885a64caf6d", - "value": "Elise (S0081) uses Obfuscated Files or Information (T1027)" - }, - { - "meta": { - "source-uuid": "2a158b0a-7ef8-43cb-9985-bf34d1e12050", - "target-uuid": "b77b563c-34bb-4fb8-86a3-3694338f7b47" - }, - "uuid": "2a220ca3-88f4-40eb-8041-184c412950d4", - "value": "Naikon (G0019) uses Ping 
(S0097)" - }, - { - "meta": { - "source-uuid": "54cc1d4f-5c53-4f0e-9ef5-11b4998e82e4", - "target-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688" - }, - "uuid": "147d2e66-25de-42ea-8592-eb51333f595c", - "value": "BlackEnergy (S0089) uses Screen Capture (T1113)" - }, - { - "meta": { - "source-uuid": "00c3bfcb-99bd-4767-8c03-b08f585f5c8a", - "target-uuid": "7bc57495-ea59-4380-be31-a64af124ef18" - }, - "uuid": "24ea53e3-a51f-4c4a-b3de-2e1d09ed69e8", - "value": "PowerDuke (S0139) uses File and Directory Discovery (T1083)" - }, - { - "meta": { - "source-uuid": "aaa92b37-f96c-4a0a-859c-b1cb6faeb13d", - "target-uuid": "a6525aec-acc4-47fe-92f9-b9b4de4b9228" - }, - "uuid": "0bc1693e-d481-46d7-bd62-3ed6884986d2", - "value": "Graphical User Interface Mitigation (T1061) mitigates Graphical User Interface (T1061)" - }, - { - "meta": { - "source-uuid": "fb366179-766c-4a4a-afa1-52bff1fd601c", - "target-uuid": "c3888c54-775d-4b2f-b759-75a2ececcbfd" - }, - "uuid": "0b36c1d0-d016-4c12-bf61-6dc14b29c7e0", - "value": "Threat Group-3390 (G0027) uses Data Transfer Size Limits (T1030)" - }, - { - "meta": { - "source-uuid": "2a7914cf-dff3-428d-ab0f-1014d1c28aeb", - "target-uuid": "242f3da3-4425-4d11-8f5c-b842886da966" - }, - "uuid": "6ed5961a-224a-419b-b696-8962813158f2", - "value": "FIN6 (G0037) uses Windows Credential Editor (S0005)" - }, - { - "meta": { - "source-uuid": "5967cc93-57c9-404a-8ffd-097edfa7bdfc", - "target-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc" - }, - "uuid": "4f08676f-51c1-4cb5-94a7-08922e4886c6", - "value": "Hi-Zor (S0087) uses Registry Run Keys / Start Folder (T1060)" - }, - { - "meta": { - "source-uuid": "1c63d4ec-0a75-4daa-b1df-0d11af3d3cc1", - "target-uuid": "a93494bb-4b80-4ea1-8695-3236a49916fd" - }, - "uuid": "c74f0442-88c6-4f2b-abb1-c2f269a93d69", - "value": "Dragonfly (G0035) uses Brute Force (T1110)" - }, - { - "meta": { - "source-uuid": "9ea525fa-b0a9-4dde-84f2-bcea0137b3c1", - "target-uuid": "7bc57495-ea59-4380-be31-a64af124ef18" - }, - "uuid": 
"5c84d301-b6d1-4af8-9c25-1260e05fa924", - "value": "MoonWind (S0149) uses File and Directory Discovery (T1083)" - }, - { - "meta": { - "source-uuid": "8e461ca3-0996-4e6e-a0df-e2a5bbc51ebc", - "target-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830" - }, - "uuid": "43a63e7a-d673-47c0-9af5-76dcd5a5d9b8", - "value": "4H RAT (S0065) uses Command-Line Interface (T1059)" - }, - { - "meta": { - "source-uuid": "495b6cdb-7b5a-4fbc-8d33-e7ef68806d08", - "target-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830" - }, - "uuid": "9f1c680d-042e-4291-bf9c-85c51120aa8b", - "value": "Volgmer (S0180) uses Command-Line Interface (T1059)" - }, - { - "meta": { - "source-uuid": "222fbd21-fc4f-4b7e-9f85-0e6e3a76c33f", - "target-uuid": "b2001907-166b-4d71-bb3c-9d26c871de09" - }, - "uuid": "d4d07662-749c-4116-a83c-e4045eddad43", - "value": "menuPass (G0045) uses DLL Side-Loading (T1073)" - }, - { - "meta": { - "source-uuid": "2dd34b01-6110-4aac-835d-b5e7b936b0be", - "target-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0" - }, - "uuid": "3a241a6c-11ee-4abc-a551-b5d4e594aad4", - "value": "OLDBAIT (S0138) uses Masquerading (T1036)" - }, - { - "meta": { - "source-uuid": "e066bf86-9cfb-407a-9d25-26fd5d91e360", - "target-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a" - }, - "uuid": "291b7fbf-5b5f-460a-8009-cadb383b3262", - "value": "HTTPBrowser (S0070) uses Obfuscated Files or Information (T1027)" - }, - { - "meta": { - "source-uuid": "2e290bfe-93b5-48ce-97d6-edcd6d32b7cf", - "target-uuid": "348f1eef-964b-4eb6-bb53-69b3dcb0c643" - }, - "uuid": "d30d8fa0-7f24-41e5-ae8d-e4449e88d2f0", - "value": "Gamaredon Group (G0047) uses Peripheral Device Discovery (T1120)" - }, - { - "meta": { - "source-uuid": "40d3e230-ed32-469f-ba89-be70cc08ab39", - "target-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add" - }, - "uuid": "fcc12c1f-1a46-49f4-a872-99cb97968bf0", - "value": "Agent.btz (S0092) uses Remote File Copy (T1105)" - }, - { - "meta": { - "source-uuid": "4f170666-7edb-4489-85c2-9affa28a72e0", - "target-uuid": 
"01df3350-ce05-4bdf-bdf8-0a919a66d4a8" - }, - "uuid": "a48d44d2-a84c-45dc-9a59-2bc21f2f2301", - "value": ".bash_profile and .bashrc Mitigation (T1156) mitigates .bash_profile and .bashrc (T1156)" - }, - { - "meta": { - "source-uuid": "196f1f32-e0c2-4d46-99cd-234d4b6befe1", - "target-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6" - }, - "uuid": "4887f5b0-45ed-4848-a984-4e72263e33d8", - "value": "Felismus (S0171) uses Standard Application Layer Protocol (T1071)" - }, - { - "meta": { - "source-uuid": "af2ad3b7-ab6a-4807-91fd-51bcaff9acbb", - "target-uuid": "348f1eef-964b-4eb6-bb53-69b3dcb0c643" - }, - "uuid": "f7740e3c-c143-40b7-a8da-e797f5d74b50", - "value": "USBStealer (S0136) uses Peripheral Device Discovery (T1120)" - }, - { - "meta": { - "source-uuid": "64d76fa5-cf8f-469c-b78c-1a4f7c5bad80", - "target-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc" - }, - "uuid": "4af1ec66-5007-49df-8a10-df2c8ed7edc8", - "value": "BBSRAT (S0127) uses Registry Run Keys / Start Folder (T1060)" - }, - { - "meta": { - "source-uuid": "0bbdf25b-30ff-4894-a1cd-49260d0dd2d9", - "target-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0" - }, - "uuid": "48042284-2fde-43f0-a3dc-f64e9f16bd77", - "value": "APT3 (G0022) uses System Network Configuration Discovery (T1016)" - }, - { - "meta": { - "source-uuid": "3240cbe4-c550-443b-aa76-cc2a7058b870", - "target-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830" - }, - "uuid": "e27e75c2-5734-4602-8a32-c56bb50f890b", - "value": "SNUGRIDE (S0159) uses Command-Line Interface (T1059)" - }, - { - "meta": { - "source-uuid": "68dca94f-c11d-421e-9287-7c501108e18c", - "target-uuid": "b9f5dbe2-4c55-4fc5-af2e-d42c1d182ec4" - }, - "uuid": "0f3af4de-b1cc-4cc2-9eb7-9aa46cdebfcd", - "value": "Duqu (S0038) uses Data Compressed (T1002)" - }, - { - "meta": { - "source-uuid": "26fed817-e7bf-41f9-829a-9075ffac45c2", - "target-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830" - }, - "uuid": "305ecc72-e820-44cb-ab52-593ccca814ff", - "value": "Kasidet (S0088) uses Command-Line Interface 
(T1059)" - }, - { - "meta": { - "source-uuid": "f047ee18-7985-4946-8bfb-4ed754d3a0dd", - "target-uuid": "43213480-78f7-4fb3-976f-d48f5f6a4c2a" - }, - "uuid": "a18071ad-fe4f-4014-ad9a-1b0a66df3eab", - "value": "APT30 (G0013) uses FLASHFLOOD (S0036)" - }, - { - "meta": { - "source-uuid": "65341f30-bec6-4b1d-8abf-1a5620446c29", - "target-uuid": "d54416bd-0803-41ca-870a-ce1af7c05638" - }, - "uuid": "98d3455f-49cc-4539-ba35-4b11bec0ddcd", - "value": "Reaver (S0172) uses Data Encrypted (T1022)" - }, - { - "meta": { - "source-uuid": "9a5b7194-88e0-4579-b82f-e3c27b8cca80", - "target-uuid": "e01be9c5-e763-4caf-aeb7-000b416aef67" - }, - "uuid": "7b88fc6b-32c0-4c3d-9ea3-505543c7f374", - "value": "Create Account Mitigation (T1136) mitigates Create Account (T1136)" - }, - { - "meta": { - "source-uuid": "17862c7d-9e60-48a0-b48e-da4dc4c3f6b0", - "target-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc" - }, - "uuid": "3f954be4-205c-4cec-92f9-36715e204a49", - "value": "Patchwork (G0040) uses Registry Run Keys / Start Folder (T1060)" - }, - { - "meta": { - "source-uuid": "7636484c-adc5-45d4-9bfe-c3e062fbc4a0", - "target-uuid": "e48df773-7c95-4a4c-ba70-ea3d15900148" - }, - "uuid": "e9b0af76-f6b1-43b0-ac0e-ea23582f575b", - "value": "Charming Kitten (G0058) uses DownPaper (S0186)" - }, - { - "meta": { - "source-uuid": "54cc1d4f-5c53-4f0e-9ef5-11b4998e82e4", - "target-uuid": "348f1eef-964b-4eb6-bb53-69b3dcb0c643" - }, - "uuid": "7cac6ccb-d070-47da-8ebf-4034b0fddb7c", - "value": "BlackEnergy (S0089) uses Peripheral Device Discovery (T1120)" - }, - { - "meta": { - "source-uuid": "c5e9cb46-aced-466c-85ea-7db5572ad9ec", - "target-uuid": "6856ddd6-2df3-4379-8b87-284603c189c3" - }, - "uuid": "d92b5b68-4c3e-436f-a922-997467831409", - "value": "Trojan.Mebromi (S0001) uses System Firmware (T1019)" - }, - { - "meta": { - "source-uuid": "0bbdf25b-30ff-4894-a1cd-49260d0dd2d9", - "target-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc" - }, - "uuid": "cc705bf0-ba29-443e-9cd5-aef247505210", - "value": 
"APT3 (G0022) uses Registry Run Keys / Start Folder (T1060)" - }, - { - "meta": { - "source-uuid": "2eb9b131-d333-4a48-9eb4-d8dec46c19ee", - "target-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22" - }, - "uuid": "4d7add6f-ebd5-477f-9958-a5176835da2e", - "value": "CosmicDuke (S0050) uses Credential Dumping (T1003)" - }, - { - "meta": { - "source-uuid": "308855d1-078b-47ad-8d2a-8f9b2713ffb5", - "target-uuid": "ffe742ed-9100-4686-9e00-c331da544787" - }, - "uuid": "243bf0fe-68eb-4d82-bbbf-d551611a0cd8", - "value": "Windows Admin Shares Mitigation (T1077) mitigates Windows Admin Shares (T1077)" - }, - { - "meta": { - "source-uuid": "4ca1929c-7d64-4aab-b849-badbfc0c760d", - "target-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580" - }, - "uuid": "d8e375a3-f455-4c66-bc63-251f320ec8b1", - "value": "OilRig (G0049) uses Process Discovery (T1057)" - }, - { - "meta": { - "source-uuid": "8b36d944-f274-4d46-9acd-dbba6927ce7a", - "target-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc" - }, - "uuid": "9213f7ac-c548-4139-950b-5481a94570f9", - "value": "Registry Run Keys / Start Folder Mitigation (T1060) mitigates Registry Run Keys / Start Folder (T1060)" - }, - { - "meta": { - "source-uuid": "64fa0de0-6240-41f4-8638-f4ca7ed528fd", - "target-uuid": "830c9528-df21-472c-8c14-a036bf17d665" - }, - "uuid": "3d97f57c-2a7c-4626-8b05-9d345047d3ad", - "value": "PlugX (S0013) uses Web Service (T1102)" - }, - { - "meta": { - "source-uuid": "0bbdf25b-30ff-4894-a1cd-49260d0dd2d9", - "target-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81" - }, - "uuid": "8ac07a3f-9468-47a3-8ecc-c432f80e03f4", - "value": "APT3 (G0022) uses Valid Accounts (T1078)" - }, - { - "meta": { - "source-uuid": "fbe9387f-34e6-4828-ac28-3080020c597b", - "target-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9" - }, - "uuid": "8b3f374c-9f56-4493-8b85-72d0750d0c59", - "value": "FIN10 (G0051) uses Scheduled Task (T1053)" - }, - { - "meta": { - "source-uuid": "8b880b41-5139-4807-baa9-309690218719", - "target-uuid": 
"7dd95ff6-712e-4056-9626-312ea4ab4c5e" - }, - "uuid": "9e214d5b-7d46-4135-bc42-4caab16b39d8", - "value": "SPACESHIP (S0035) uses Data Staged (T1074)" - }, - { - "meta": { - "source-uuid": "ae9d818d-95d0-41da-b045-9cabea1ca164", - "target-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6" - }, - "uuid": "3acdd018-80a0-4005-bab9-0cf89acfa43a", - "value": "PinchDuke (S0048) uses Standard Application Layer Protocol (T1071)" - }, - { - "meta": { - "source-uuid": "dcd81c6e-ebf7-4a16-93e0-9a97fa49c88a", - "target-uuid": "1b84d551-6de8-4b96-9930-d177677c3b1d" - }, - "uuid": "f6915cfa-4c11-4830-bcd8-aa648596b895", - "value": "CopyKittens (G0052) uses Code Signing (T1116)" - }, - { - "meta": { - "source-uuid": "7bec698a-7e20-4fd3-bb6a-12787770fb1a", - "target-uuid": "6aabc5ec-eae6-422c-8311-38d45ee9838a" - }, - "uuid": "3f327394-55be-4dac-8e79-93c49be0426a", - "value": "3PARA RAT (S0066) uses Redundant Access (T1108)" - }, - { - "meta": { - "source-uuid": "2e290bfe-93b5-48ce-97d6-edcd6d32b7cf", - "target-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6" - }, - "uuid": "c63c7dc5-e374-4bf0-9839-0f940ac6d46c", - "value": "Gamaredon Group (G0047) uses Standard Application Layer Protocol (T1071)" - }, - { - "meta": { - "source-uuid": "85403903-15e0-4f9f-9be4-a259ecad4022", - "target-uuid": "242f3da3-4425-4d11-8f5c-b842886da966" - }, - "uuid": "432f40d2-5309-4cc1-9544-2943233c3c2c", - "value": "FIN5 (G0053) uses Windows Credential Editor (S0005)" - }, - { - "meta": { - "source-uuid": "96b08451-b27a-4ff6-893f-790e26393a8e", - "target-uuid": "3b3cbbe0-6ed3-4334-b543-3ddfd8c5642d" - }, - "uuid": "4e5dff55-c686-4fa6-bad1-caa8507083d9", - "value": "Sakula (S0074) uses Custom Cryptographic Protocol (T1024)" - }, - { - "meta": { - "source-uuid": "bef4c620-0787-42a8-a96d-b7eb6e85917c", - "target-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22" - }, - "uuid": "e71903c4-a7af-4317-adf0-10f76d3d4e15", - "value": "APT28 (G0007) uses Credential Dumping (T1003)" - }, - { - "meta": { - "source-uuid": 
"6a2e693f-24e5-451a-9f88-b36a108e5662", - "target-uuid": "5a84dc36-df0d-4053-9b7c-f0c388a57283" - }, - "uuid": "7909f5a6-3924-4259-aedd-2e48123f563a", - "value": "APT1 (G0006) uses CALENDAR (S0025)" - }, - { - "meta": { - "source-uuid": "85403903-15e0-4f9f-9be4-a259ecad4022", - "target-uuid": "7dd95ff6-712e-4056-9626-312ea4ab4c5e" - }, - "uuid": "2af3c673-c0c6-4246-aacc-984eb370e7b9", - "value": "FIN5 (G0053) uses Data Staged (T1074)" - }, - { - "meta": { - "source-uuid": "876f6a77-fbc5-4e13-ab1a-5611986730a3", - "target-uuid": "6faf650d-bf31-4eb4-802d-1000cf38efaf" - }, - "uuid": "e5a2a20c-1ef7-49a9-a9fa-2b89231793b8", - "value": "T9000 (S0098) uses Video Capture (T1125)" - }, - { - "meta": { - "source-uuid": "b2203c59-4089-4ee4-bfe1-28fa25f0dbfe", - "target-uuid": "317fefa6-46c7-4062-adb6-2008cf6bcb41" - }, - "uuid": "cb4af413-9bd7-4f1a-a693-57d11ffccbf5", - "value": "Cherry Picker (S0107) uses AppInit DLLs (T1103)" - }, - { - "meta": { - "source-uuid": "fb575479-14ef-41e9-bfab-0b7cf10bec73", - "target-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670" - }, - "uuid": "cc2099fb-4785-4884-b274-4f3e8a3b8d99", - "value": "ADVSTORESHELL (S0045) uses Execution through API (T1106)" - }, - { - "meta": { - "source-uuid": "b6b3dfc7-9a81-43ff-ac04-698bad48973a", - "target-uuid": "6ff403bc-93e3-48be-8687-e102fdba8c88" - }, - "uuid": "2f507d82-1df4-4c9c-804a-2e6060944142", - "value": "Daserf (S0187) uses Software Packing (T1045)" - }, - { - "meta": { - "source-uuid": "c93fccb1-e8e8-42cf-ae33-2ad1d183913a", - "target-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1" - }, - "uuid": "4eec017c-8bf2-4eda-8c92-15926fc7e5aa", - "value": "Lazarus Group (G0032) uses System Information Discovery (T1082)" - }, - { - "meta": { - "source-uuid": "2eb9b131-d333-4a48-9eb4-d8dec46c19ee", - "target-uuid": "1b7ba276-eedc-4951-a762-0ceea2c030ec" - }, - "uuid": "ff61ebde-befe-488a-89d0-dc4c49e60d59", - "value": "CosmicDuke (S0050) uses Data from Removable Media (T1025)" - }, - { - "meta": { - 
"source-uuid": "cfc2d2fc-14ff-495f-bd99-585be47b804f", - "target-uuid": "7c93aa74-4bc0-4a9e-90ea-f25f86301566" - }, - "uuid": "a38d4ac5-1d3d-4a2f-9493-ff3e2a4669b8", - "value": "Application Shimming Mitigation (T1138) mitigates Application Shimming (T1138)" - }, - { - "meta": { - "source-uuid": "f9d6633a-55e6-4adc-9263-6ae080421a13", - "target-uuid": "7fd87010-3a00-4da3-b905-410525e8ec44" - }, - "uuid": "675f24e0-c445-4eb3-a191-16fb181f6e30", - "value": "Magic Hound (G0059) uses Scripting (T1064)" - }, - { - "meta": { - "source-uuid": "f3d0c735-330f-43c2-8e8e-51bcfa51e8c3", - "target-uuid": "f72eb8a8-cd4c-461d-a814-3f862befbf00" - }, - "uuid": "647032ac-0432-4785-9d50-06b9970bcbcb", - "value": "Custom Command and Control Protocol Mitigation (T1094) mitigates Custom Command and Control Protocol (T1094)" - }, - { - "meta": { - "source-uuid": "59a97b15-8189-4d51-9404-e1ce8ea4a069", - "target-uuid": "7bc57495-ea59-4380-be31-a64af124ef18" - }, - "uuid": "63a7bbf6-bb2e-41e7-8893-c3f7f207a7a7", - "value": "XAgentOSX (S0161) uses File and Directory Discovery (T1083)" - }, - { - "meta": { - "source-uuid": "fde50aaa-f5de-4cb8-989a-babb57d6a704", - "target-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22" - }, - "uuid": "a8e6ca7b-5d75-429a-b8f8-de97d5c277b3", - "value": "Net Crawler (S0056) uses Credential Dumping (T1003)" - }, - { - "meta": { - "source-uuid": "fb261c56-b80e-43a9-8351-c84081e7213d", - "target-uuid": "84e02621-8fdf-470f-bd58-993bb6a89d91" - }, - "uuid": "a6962782-1942-42f5-a627-f205376e2ec2", - "value": "BACKSPACE (S0031) uses Multi-Stage Channels (T1104)" - }, - { - "meta": { - "source-uuid": "6a2e693f-24e5-451a-9f88-b36a108e5662", - "target-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0" - }, - "uuid": "c7823efd-005f-49ad-94cf-ebc44a87abed", - "value": "APT1 (G0006) uses Masquerading (T1036)" - }, - { - "meta": { - "source-uuid": "222fbd21-fc4f-4b7e-9f85-0e6e3a76c33f", - "target-uuid": "54a649ff-439a-41a4-9856-8d144a2551ba" - }, - "uuid": 
"f16c18f0-c5ac-4ea2-bfd0-222e63c09018", - "value": "menuPass (G0045) uses Remote Services (T1021)" - }, - { - "meta": { - "source-uuid": "dfb5fa9b-3051-4b97-8035-08f80aef945b", - "target-uuid": "92d7da27-2d91-488e-a00c-059dc162766d" - }, - "uuid": "ac3b6751-e615-44f6-a086-0c236742d8fd", - "value": "Psylo (S0078) uses Exfiltration Over Command and Control Channel (T1041)" - }, - { - "meta": { - "source-uuid": "0bbdf25b-30ff-4894-a1cd-49260d0dd2d9", - "target-uuid": "51dea151-0898-4a45-967c-3ebee0420484" - }, - "uuid": "d2858dfa-504f-416d-8801-41a1a9561f22", - "value": "APT3 (G0022) uses Remote Desktop Protocol (T1076)" - }, - { - "meta": { - "source-uuid": "4e6b9625-bbda-4d96-a652-b3bb45453f26", - "target-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9" - }, - "uuid": "abb4a85a-d98a-46f7-965b-48d9f88fe9b6", - "value": "RemoteCMD (S0166) uses Scheduled Task (T1053)" - }, - { - "meta": { - "source-uuid": "f9d6633a-55e6-4adc-9263-6ae080421a13", - "target-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580" - }, - "uuid": "a4c59c09-2abd-4c49-8156-0ccc9214b66e", - "value": "Magic Hound (G0059) uses Process Discovery (T1057)" - }, - { - "meta": { - "source-uuid": "196f1f32-e0c2-4d46-99cd-234d4b6befe1", - "target-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1" - }, - "uuid": "9f653750-2ee6-4d00-906b-c71f1d217288", - "value": "Felismus (S0171) uses System Information Discovery (T1082)" - }, - { - "meta": { - "source-uuid": "3753cc21-2dae-4dfb-8481-d004e74502cc", - "target-uuid": "0ced8926-914e-4c78-bc93-356fb90dbd1f" - }, - "uuid": "49d09bc3-cdc0-479b-8516-f64bff9b6757", - "value": "FIN7 (G0046) uses HALFBAKED (S0151)" - }, - { - "meta": { - "source-uuid": "6713ab67-e25b-49cc-808d-2b36d4fbc35c", - "target-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0" - }, - "uuid": "6fb6c639-cefa-4c7f-af89-26cb5fcd4030", - "value": "Ke3chang (G0004) uses System Network Configuration Discovery (T1016)" - }, - { - "meta": { - "source-uuid": "2a158b0a-7ef8-43cb-9985-bf34d1e12050", - "target-uuid": 
"007b44b6-e4c5-480b-b5b9-56f2081b1b7b" - }, - "uuid": "8119ee71-e017-4ba0-9aeb-a14c46f64f1a", - "value": "Naikon (G0019) uses HDoor (S0061)" - }, - { - "meta": { - "source-uuid": "894aab42-3371-47b1-8859-a4a074c804c8", - "target-uuid": "4b74a1d4-b0e9-4ef1-93f1-14ecc6e2f5b5" - }, - "uuid": "73da57b5-e64f-44ee-85f7-d294c21fb534", - "value": "Stealth Falcon (G0038) uses Standard Cryptographic Protocol (T1032)" - }, - { - "meta": { - "source-uuid": "16ade1aa-0ea1-4bb7-88cc-9079df2ae756", - "target-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0" - }, - "uuid": "1b141c9e-a679-40c7-ad7b-ac40ac586471", - "value": "admin@338 (G0018) uses System Network Configuration Discovery (T1016)" - }, - { - "meta": { - "source-uuid": "6b616fc1-1505-48e3-8b2c-0d19337bff38", - "target-uuid": "7dd95ff6-712e-4056-9626-312ea4ab4c5e" - }, - "uuid": "9cef6fec-e4eb-49eb-85db-880138f335bd", - "value": "Rover (S0090) uses Data Staged (T1074)" - }, - { - "meta": { - "source-uuid": "f6d1d2cb-12f5-4221-9636-44606ea1f3f8", - "target-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0" - }, - "uuid": "d8a5e73d-fe56-42d7-a53d-09a90c21308b", - "value": "OSInfo (S0165) uses System Network Configuration Discovery (T1016)" - }, - { - "meta": { - "source-uuid": "899ce53f-13a0-479b-a0e4-67d46e241542", - "target-uuid": "199463de-d9be-46d6-bb41-07234c1dd5a6" - }, - "uuid": "3ae8d262-d2f8-4fa5-adb4-e379d43b9c37", - "value": "APT29 (G0016) uses GeminiDuke (S0049)" - }, - { - "meta": { - "source-uuid": "326af1cd-78e7-45b7-a326-125d2f7ef8f2", - "target-uuid": "241814ae-de3f-4656-b49e-f9a80764d4b7" - }, - "uuid": "198d7156-eff4-4a6e-8e59-ab8a656f77a8", - "value": "Crimson (S0115) uses Security Software Discovery (T1063)" - }, - { - "meta": { - "source-uuid": "a8d3d497-2da9-4797-8e0b-ed176be08654", - "target-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59" - }, - "uuid": "2e5039ef-913f-4808-9685-32f64f4dbf49", - "value": "Wingbird (S0176) uses File Deletion (T1107)" - }, - { - "meta": { - "source-uuid": 
"bb3c1098-d654-4620-bf40-694386d28921", - "target-uuid": "4b74a1d4-b0e9-4ef1-93f1-14ecc6e2f5b5" - }, - "uuid": "4b6bee9b-469e-48ce-84fa-5322de03470a", - "value": "FakeM (S0076) uses Standard Cryptographic Protocol (T1032)" - }, - { - "meta": { - "source-uuid": "7343e208-7cab-45f2-a47b-41ba5e2f0fab", - "target-uuid": "519630c5-f03f-4882-825c-3af924935817" - }, - "uuid": "0c143634-89e1-47a0-9044-4ca39ccff76a", - "value": "XTunnel (S0117) uses Binary Padding (T1009)" - }, - { - "meta": { - "source-uuid": "eff1a885-6f90-42a1-901f-eef6e7a1905e", - "target-uuid": "f4882e23-8aa7-4b12-b28a-b349c12ee9e0" - }, - "uuid": "5b69fc3c-1bf7-4092-be94-755790ccf41f", - "value": "Helminth (S0170) uses PowerShell (T1086)" - }, - { - "meta": { - "source-uuid": "eff1a885-6f90-42a1-901f-eef6e7a1905e", - "target-uuid": "970cdb5c-02fb-4c38-b17e-d6327cf3c810" - }, - "uuid": "3537c31f-bd6f-4cad-97ac-4ec3d8a9478b", - "value": "Helminth (S0170) uses Shortcut Modification (T1023)" - }, - { - "meta": { - "source-uuid": "4664b683-f578-434f-919b-1c1aad2a1111", - "target-uuid": "7e150503-88e7-4861-866b-ff1ac82c4475" - }, - "uuid": "28189361-4cd2-4925-a095-d7ebd07ebd57", - "value": "netstat (S0104) uses System Network Connections Discovery (T1049)" - }, - { - "meta": { - "source-uuid": "495b6cdb-7b5a-4fbc-8d33-e7ef68806d08", - "target-uuid": "7bc57495-ea59-4380-be31-a64af124ef18" - }, - "uuid": "084ac639-2502-4020-8938-65352349acbb", - "value": "Volgmer (S0180) uses File and Directory Discovery (T1083)" - }, - { - "meta": { - "source-uuid": "af2ad3b7-ab6a-4807-91fd-51bcaff9acbb", - "target-uuid": "7bc57495-ea59-4380-be31-a64af124ef18" - }, - "uuid": "03ab3120-4c6e-4de2-982a-fe22d466f748", - "value": "USBStealer (S0136) uses File and Directory Discovery (T1083)" - }, - { - "meta": { - "source-uuid": "df71bb3b-813c-45eb-a8bc-f2a419837411", - "target-uuid": "1b84d551-6de8-4b96-9930-d177677c3b1d" - }, - "uuid": "361cbd71-b178-44d0-9802-78a310938bad", - "value": "Molerats (G0021) uses Code Signing 
(T1116)" - }, - { - "meta": { - "source-uuid": "2fb26586-2b53-4b9a-ad4f-2b3bcb9a2421", - "target-uuid": "f24faf46-3b26-4dbb-98f2-63460498e433" - }, - "uuid": "329678a6-eb6b-499b-90a8-059d1cf1a35f", - "value": "SslMM (S0058) uses Fallback Channels (T1008)" - }, - { - "meta": { - "source-uuid": "ae9d818d-95d0-41da-b045-9cabea1ca164", - "target-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5" - }, - "uuid": "d77a4123-3d46-4317-8921-f6eb8c34c585", - "value": "PinchDuke (S0048) uses Data from Local System (T1005)" - }, - { - "meta": { - "source-uuid": "083bb47b-02c8-4423-81a2-f9ef58572974", - "target-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580" - }, - "uuid": "b6ae274b-f0b3-4694-ab8d-37e0c62cff35", - "value": "Backdoor.Oldrea (S0093) uses Process Discovery (T1057)" - }, - { - "meta": { - "source-uuid": "00c3bfcb-99bd-4767-8c03-b08f585f5c8a", - "target-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a" - }, - "uuid": "1c677f35-b73b-47bc-b162-1fd036a38def", - "value": "PowerDuke (S0139) uses Obfuscated Files or Information (T1027)" - }, - { - "meta": { - "source-uuid": "fb366179-766c-4a4a-afa1-52bff1fd601c", - "target-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81" - }, - "uuid": "78f237da-f58b-4849-b2ee-cf1f3f7a1a42", - "value": "Threat Group-3390 (G0027) uses Valid Accounts (T1078)" - }, - { - "meta": { - "source-uuid": "c5947e1c-1cbc-434c-94b8-27c7e3be0fff", - "target-uuid": "0f20e3cb-245b-4a61-8a91-2d93f7cb0e9b" - }, - "uuid": "05e05236-1635-48d7-8ee3-33319c01c815", - "value": "Winnti Group (G0044) uses Rootkit (T1014)" - }, - { - "meta": { - "source-uuid": "b6b3dfc7-9a81-43ff-ac04-698bad48973a", - "target-uuid": "4b74a1d4-b0e9-4ef1-93f1-14ecc6e2f5b5" - }, - "uuid": "ce9dbe5b-1b16-41d6-a7af-a2a1b33c4552", - "value": "Daserf (S0187) uses Standard Cryptographic Protocol (T1032)" - }, - { - "meta": { - "source-uuid": "8f5e8dc7-739d-4f5e-a8a1-a66e004d7063", - "target-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22" - }, - "uuid": "1c7b9a1b-e874-4881-884a-e3c3d1fd8aed", - "value": 
"Cleaver (G0003) uses Credential Dumping (T1003)" - }, - { - "meta": { - "source-uuid": "9e729a7e-0dd6-4097-95bf-db8d64911383", - "target-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2" - }, - "uuid": "37c94531-1e56-4640-93fd-e9fd65da4f80", - "value": "Darkhotel (G0012) uses Input Capture (T1056)" - }, - { - "meta": { - "source-uuid": "5be33fef-39c0-4532-84ee-bea31e1b5324", - "target-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c" - }, - "uuid": "566d783a-2d86-4b9a-8ca0-5013de5f7fb4", - "value": "ISMInjector (S0189) uses Deobfuscate/Decode Files or Information (T1140)" - }, - { - "meta": { - "source-uuid": "2fb26586-2b53-4b9a-ad4f-2b3bcb9a2421", - "target-uuid": "970cdb5c-02fb-4c38-b17e-d6327cf3c810" - }, - "uuid": "79ecf1f6-a17d-4374-a84c-811669e39261", - "value": "SslMM (S0058) uses Shortcut Modification (T1023)" - }, - { - "meta": { - "source-uuid": "af2ad3b7-ab6a-4807-91fd-51bcaff9acbb", - "target-uuid": "64196062-5210-42c3-9a02-563a0d1797ef" - }, - "uuid": "c612eb88-d7e0-46cc-a9bc-d0da2977ff00", - "value": "USBStealer (S0136) uses Communication Through Removable Media (T1092)" - }, - { - "meta": { - "source-uuid": "2f1a9fd0-3b7c-4d77-a358-78db13adbe78", - "target-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688" - }, - "uuid": "b2b873cd-8618-426e-9cae-9e6755acafad", - "value": "EvilGrab (S0152) uses Screen Capture (T1113)" - }, - { - "meta": { - "source-uuid": "9ca488bd-9587-48ef-b923-1743523e63b2", - "target-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6" - }, - "uuid": "a403648d-4c23-46bd-9688-1face1407b42", - "value": "SOUNDBITE (S0157) uses Standard Application Layer Protocol (T1071)" - }, - { - "meta": { - "source-uuid": "93f52415-0fe4-4d3d-896c-fc9b8e88ab90", - "target-uuid": "72b74d71-8169-42aa-92e0-e7b04b9f5a08" - }, - "uuid": "fa155ccc-b9db-48f6-bb1a-a367596668ad", - "value": "BRONZE BUTLER (G0060) uses Account Discovery (T1087)" - }, - { - "meta": { - "source-uuid": "5a63f900-5e7e-4928-a746-dd4558e1df71", - "target-uuid": "731f4f55-b6d0-41d1-a7a9-072a66389aea" 
- }, - "uuid": "69c1806d-e6ae-4c11-bce6-8fbebd8bbee5", - "value": "netsh (S0108) uses Connection Proxy (T1090)" - }, - { - "meta": { - "source-uuid": "0bbdf25b-30ff-4894-a1cd-49260d0dd2d9", - "target-uuid": "c848fcf7-6b62-4bde-8216-b6c157d48da0" - }, - "uuid": "e7379230-882e-4b5c-bee1-629e9028e97f", - "value": "APT3 (G0022) uses Uncommonly Used Port (T1065)" - }, - { - "meta": { - "source-uuid": "09b2cd76-c674-47cc-9f57-d2f2ad150a46", - "target-uuid": "f4882e23-8aa7-4b12-b28a-b349c12ee9e0" - }, - "uuid": "b4c7e12f-6921-4007-ab15-595969bf9eca", - "value": "POWRUNER (S0184) uses PowerShell (T1086)" - }, - { - "meta": { - "source-uuid": "687c23e4-4e25-4ee7-a870-c5e002511f54", - "target-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6" - }, - "uuid": "2892eada-7633-4428-80e0-0e965d5faf5c", - "value": "DustySky (S0062) uses Standard Application Layer Protocol (T1071)" - }, - { - "meta": { - "source-uuid": "8f5e8dc7-739d-4f5e-a8a1-a66e004d7063", - "target-uuid": "c0c45d38-fe57-4cd4-b2b2-9ecd0ddd4ca9" - }, - "uuid": "49957d89-7449-476a-b542-d7811a86c230", - "value": "Cleaver (G0003) uses TinyZBot (S0004)" - }, - { - "meta": { - "source-uuid": "199463de-d9be-46d6-bb41-07234c1dd5a6", - "target-uuid": "7bc57495-ea59-4380-be31-a64af124ef18" - }, - "uuid": "1b3cc0cb-de43-405b-bfa5-f0bececabf8c", - "value": "GeminiDuke (S0049) uses File and Directory Discovery (T1083)" - }, - { - "meta": { - "source-uuid": "3240cbe4-c550-443b-aa76-cc2a7058b870", - "target-uuid": "4b74a1d4-b0e9-4ef1-93f1-14ecc6e2f5b5" - }, - "uuid": "f02f0a58-a76b-4966-8717-8a9b40b07e81", - "value": "SNUGRIDE (S0159) uses Standard Cryptographic Protocol (T1032)" - }, - { - "meta": { - "source-uuid": "6713ab67-e25b-49cc-808d-2b36d4fbc35c", - "target-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580" - }, - "uuid": "c7e6d4a6-8d99-4134-848a-f4f712eb4316", - "value": "Ke3chang (G0004) uses Process Discovery (T1057)" - }, - { - "meta": { - "source-uuid": "69d6f4a9-fcf0-4f51-bca7-597c51ad0bb8", - "target-uuid": 
"8f4a33ec-8b1f-4b80-a2f6-642b2e479580" - }, - "uuid": "3076f49e-0db2-4652-a07d-653027aeef1e", - "value": "Remsec (S0125) uses Process Discovery (T1057)" - }, - { - "meta": { - "source-uuid": "fbe9387f-34e6-4828-ac28-3080020c597b", - "target-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104" - }, - "uuid": "3d602fec-cf94-4aa4-a4d9-cad286e6881f", - "value": "FIN10 (G0051) uses System Owner/User Discovery (T1033)" - }, - { - "meta": { - "source-uuid": "26fed817-e7bf-41f9-829a-9075ffac45c2", - "target-uuid": "2e0dd10b-676d-4964-acd0-8a404c92b044" - }, - "uuid": "f81df2c8-1edd-4734-a1c9-cca6e4c56607", - "value": "Kasidet (S0088) uses Disabling Security Tools (T1089)" - }, - { - "meta": { - "source-uuid": "5a84dc36-df0d-4053-9b7c-f0c388a57283", - "target-uuid": "830c9528-df21-472c-8c14-a036bf17d665" - }, - "uuid": "2244e21e-b7f6-476f-8f58-67db772f9736", - "value": "CALENDAR (S0025) uses Web Service (T1102)" - }, - { - "meta": { - "source-uuid": "0f862b01-99da-47cc-9bdb-db4a86a95bb1", - "target-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6" - }, - "uuid": "73171e71-b769-41ff-874a-ff76da43541f", - "value": "Emissary (S0082) uses Standard Application Layer Protocol (T1071)" - }, - { - "meta": { - "source-uuid": "bef4c620-0787-42a8-a96d-b7eb6e85917c", - "target-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580" - }, - "uuid": "51d06864-d5de-4286-b2bb-561a8d2c4d49", - "value": "APT28 (G0007) uses Process Discovery (T1057)" - }, - { - "meta": { - "source-uuid": "a0cb9370-e39b-44d5-9f50-ef78e412b973", - "target-uuid": "9b99b83a-1aac-4e29-b975-b374950551a3" - }, - "uuid": "b9f4c6ef-d0bd-4651-9445-4705e1fd85f2", - "value": "Axiom (G0001) uses Accessibility Features (T1015)" - }, - { - "meta": { - "source-uuid": "894aab42-3371-47b1-8859-a4a074c804c8", - "target-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580" - }, - "uuid": "4de2ac9b-4e51-4d73-8fe3-d7d1659778b8", - "value": "Stealth Falcon (G0038) uses Process Discovery (T1057)" - }, - { - "meta": { - "source-uuid": 
"6b616fc1-1505-48e3-8b2c-0d19337bff38", - "target-uuid": "7bc57495-ea59-4380-be31-a64af124ef18" - }, - "uuid": "e90717f3-fad2-4978-be15-7dfb647d034d", - "value": "Rover (S0090) uses File and Directory Discovery (T1083)" - }, - { - "meta": { - "source-uuid": "247cb30b-955f-42eb-97a5-a89fef69341e", - "target-uuid": "f4882e23-8aa7-4b12-b28a-b349c12ee9e0" - }, - "uuid": "5f00edf9-fcfc-4514-8d06-bc69f91f9260", - "value": "APT32 (G0050) uses PowerShell (T1086)" - }, - { - "meta": { - "source-uuid": "40d3e230-ed32-469f-ba89-be70cc08ab39", - "target-uuid": "e6415f09-df0e-48de-9aba-928c902b7549" - }, - "uuid": "8b96fb11-8b54-4bed-9e6c-cd93b29c5c20", - "value": "Agent.btz (S0092) uses Exfiltration Over Physical Medium (T1052)" - }, - { - "meta": { - "source-uuid": "3753cc21-2dae-4dfb-8481-d004e74502cc", - "target-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add" - }, - "uuid": "b077d81d-0449-493f-9b93-23dc0fb0b62d", - "value": "FIN7 (G0046) uses Remote File Copy (T1105)" - }, - { - "meta": { - "source-uuid": "0b32ec39-ba61-4864-9ebe-b4b0b73caf9a", - "target-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add" - }, - "uuid": "af4d45e1-1aa4-444c-b176-31df7aaf9374", - "value": "TDTESS (S0164) uses Remote File Copy (T1105)" - }, - { - "meta": { - "source-uuid": "bef4c620-0787-42a8-a96d-b7eb6e85917c", - "target-uuid": "ad255bfe-a9e6-4b52-a258-8d3462abe842" - }, - "uuid": "dc10e96f-1d3c-4ab9-8df6-acdc8238ec6c", - "value": "APT28 (G0007) uses Data Obfuscation (T1001)" - }, - { - "meta": { - "source-uuid": "96e239be-ad99-49eb-b127-3007b8c1bec9", - "target-uuid": "10d5f3b7-6be6-4da5-9a77-0f1e2bbfcc44" - }, - "uuid": "51006a56-a1fa-4467-b930-6488de0d32bd", - "value": "Equation (G0020) uses Component Firmware (T1109)" - }, - { - "meta": { - "source-uuid": "bba595da-b73a-4354-aa6c-224d4de7cb4e", - "target-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59" - }, - "uuid": "d7d3cf5c-e541-4639-95c6-8cdea60b084d", - "value": "cmd (S0106) uses File Deletion (T1107)" - }, - { - "meta": { - "source-uuid": 
"899ce53f-13a0-479b-a0e4-67d46e241542", - "target-uuid": "cbf646f1-7db5-4dc6-808b-0094313949df" - }, - "uuid": "a7180b8e-c580-49ab-bbfb-e56e8ab48823", - "value": "APT29 (G0016) uses CloudDuke (S0054)" - }, - { - "meta": { - "source-uuid": "c93fccb1-e8e8-42cf-ae33-2ad1d183913a", - "target-uuid": "51dea151-0898-4a45-967c-3ebee0420484" - }, - "uuid": "c79796c1-88d6-4cd8-95d3-4f81d3755859", - "value": "Lazarus Group (G0032) uses Remote Desktop Protocol (T1076)" - }, - { - "meta": { - "source-uuid": "222fbd21-fc4f-4b7e-9f85-0e6e3a76c33f", - "target-uuid": "afc079f3-c0ea-4096-b75d-3f05338b7f60" - }, - "uuid": "51372934-2c81-4db7-aa38-cbb173698cc2", - "value": "menuPass (G0045) uses Mimikatz (S0002)" - }, - { - "meta": { - "source-uuid": "aafea02e-ece5-4bb2-91a6-3bf8c7f38a39", - "target-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6" - }, - "uuid": "5909e6e9-c620-4278-9bdc-113f09e5799b", - "value": "Cobalt Strike (S0154) uses Standard Application Layer Protocol (T1071)" - }, - { - "meta": { - "source-uuid": "55033a4d-3ffe-46b2-99b4-2c1541e9ce1c", - "target-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81" - }, - "uuid": "58882b0d-0f4a-4e12-b8c1-f43c53fd96f4", - "value": "Carbanak (G0008) uses Valid Accounts (T1078)" - }, - { - "meta": { - "source-uuid": "54cc1d4f-5c53-4f0e-9ef5-11b4998e82e4", - "target-uuid": "ffe742ed-9100-4686-9e00-c331da544787" - }, - "uuid": "53d7b242-3ed6-4281-9829-e25d425e28fe", - "value": "BlackEnergy (S0089) uses Windows Admin Shares (T1077)" - }, - { - "meta": { - "source-uuid": "f9d6633a-55e6-4adc-9263-6ae080421a13", - "target-uuid": "c848fcf7-6b62-4bde-8216-b6c157d48da0" - }, - "uuid": "35b912d8-bf46-4dec-b2eb-c48c0056af6e", - "value": "Magic Hound (G0059) uses Uncommonly Used Port (T1065)" - }, - { - "meta": { - "source-uuid": "687c23e4-4e25-4ee7-a870-c5e002511f54", - "target-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1" - }, - "uuid": "c008b7f3-0507-4987-a7e4-8c4d57cb4ca5", - "value": "DustySky (S0062) uses System Information Discovery (T1082)" - 
}, - { - "meta": { - "source-uuid": "f9d6633a-55e6-4adc-9263-6ae080421a13", - "target-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1" - }, - "uuid": "b60dcc78-83b0-4fe2-b874-6f22f99b6087", - "value": "Magic Hound (G0059) uses System Information Discovery (T1082)" - }, - { - "meta": { - "source-uuid": "60c18d06-7b91-4742-bae3-647845cd9d81", - "target-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1" - }, - "uuid": "5301c007-7c00-4b4d-b355-864db8de052f", - "value": "CORESHELL (S0137) uses System Information Discovery (T1082)" - }, - { - "meta": { - "source-uuid": "899ce53f-13a0-479b-a0e4-67d46e241542", - "target-uuid": "799ace7f-e227-4411-baa0-8868704f2a69" - }, - "uuid": "5bda4ebe-cd21-469e-9495-952df7254f17", - "value": "APT29 (G0016) uses Indicator Removal on Host (T1070)" - }, - { - "meta": { - "source-uuid": "899ce53f-13a0-479b-a0e4-67d46e241542", - "target-uuid": "00c3bfcb-99bd-4767-8c03-b08f585f5c8a" - }, - "uuid": "da3a85c7-7590-48b1-8a22-2f8b00060f83", - "value": "APT29 (G0016) uses PowerDuke (S0139)" - }, - { - "meta": { - "source-uuid": "0bbdf25b-30ff-4894-a1cd-49260d0dd2d9", - "target-uuid": "6ff403bc-93e3-48be-8687-e102fdba8c88" - }, - "uuid": "ef1cdbe7-29c9-4be9-a3f7-96e5b7bae031", - "value": "APT3 (G0022) uses Software Packing (T1045)" - }, - { - "meta": { - "source-uuid": "66b1dcde-17a0-4c7b-95fa-b08d430c2131", - "target-uuid": "f879d51c-5476-431c-aedf-f14d207e4d1e" - }, - "uuid": "09e8b282-61ee-4107-94f5-d03e28199fe9", - "value": "S-Type (S0085) uses Commonly Used Port (T1043)" - }, - { - "meta": { - "source-uuid": "d5dce4b9-f1fa-4c03-aff9-ce177246cb64", - "target-uuid": "f44731de-ea9f-406d-9b83-30ecbb9b4392" - }, - "uuid": "87131e3c-9d73-4910-a56d-f917d6660a7d", - "value": "Service Execution Mitigation (T1035) mitigates Service Execution (T1035)" - }, - { - "meta": { - "source-uuid": "96b08451-b27a-4ff6-893f-790e26393a8e", - "target-uuid": "62b8c999-dcc0-4755-bd69-09442d9359f5" - }, - "uuid": "a79ff150-e765-4303-9668-ff553d6000cd", - "value": "Sakula 
(S0074) uses Rundll32 (T1085)" - }, - { - "meta": { - "source-uuid": "64d76fa5-cf8f-469c-b78c-1a4f7c5bad80", - "target-uuid": "7bc57495-ea59-4380-be31-a64af124ef18" - }, - "uuid": "8beb37e3-5cf0-4229-ae27-186a37133521", - "value": "BBSRAT (S0127) uses File and Directory Discovery (T1083)" - }, - { - "meta": { - "source-uuid": "37cc7eb6-12e3-467b-82e8-f20f2cc73c69", - "target-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688" - }, - "uuid": "290c4e3b-00be-411f-b0c8-919e85e08a49", - "value": "Prikormka (S0113) uses Screen Capture (T1113)" - }, - { - "meta": { - "source-uuid": "5a3a31fe-5a8f-48e1-bff0-a753e5b1be70", - "target-uuid": "c16e5409-ee53-4d79-afdc-4099dc9292df" - }, - "uuid": "bea7bd3c-1251-4858-8957-a6dc3bb840d2", - "value": "China Chopper (S0020) uses Web Shell (T1100)" - }, - { - "meta": { - "source-uuid": "00c3bfcb-99bd-4767-8c03-b08f585f5c8a", - "target-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830" - }, - "uuid": "e465e173-04d8-4a2b-8953-a2fa3b44aec0", - "value": "PowerDuke (S0139) uses Command-Line Interface (T1059)" - }, - { - "meta": { - "source-uuid": "93f52415-0fe4-4d3d-896c-fc9b8e88ab90", - "target-uuid": "e358d692-23c0-4a31-9eb6-ecc13a8d7735" - }, - "uuid": "95805281-96b1-49ea-95ee-9d654178c5c3", - "value": "BRONZE BUTLER (G0060) uses Remote System Discovery (T1018)" - }, - { - "meta": { - "source-uuid": "ace4daee-f914-4707-be75-843f16da2edf", - "target-uuid": "44dca04b-808d-46ca-b25f-d85236d4b9f8" - }, - "uuid": "9952a93f-d009-48e5-a618-8e8f97a55685", - "value": "Bash History Mitigation (T1139) mitigates Bash History (T1139)" - }, - { - "meta": { - "source-uuid": "b143dfa4-e944-43ff-8429-bfffc308c517", - "target-uuid": "3b3cbbe0-6ed3-4334-b543-3ddfd8c5642d" - }, - "uuid": "cf859589-38ac-4152-b206-08740ccf503b", - "value": "Taidoor (S0011) uses Custom Cryptographic Protocol (T1024)" - }, - { - "meta": { - "source-uuid": "1c0711c8-2a73-48a1-893d-ff88bcd23824", - "target-uuid": "4eeaf8a9-c86b-4954-a663-9555fb406466" - }, - "uuid": 
"130275cb-368e-4168-a4bf-60b39566bc50", - "value": "Scheduled Transfer Mitigation (T1029) mitigates Scheduled Transfer (T1029)" - }, - { - "meta": { - "source-uuid": "eff1a885-6f90-42a1-901f-eef6e7a1905e", - "target-uuid": "1b84d551-6de8-4b96-9930-d177677c3b1d" - }, - "uuid": "259a5116-2492-4d7b-b300-1cf9b8c79f00", - "value": "Helminth (S0170) uses Code Signing (T1116)" - }, - { - "meta": { - "source-uuid": "876f6a77-fbc5-4e13-ab1a-5611986730a3", - "target-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0" - }, - "uuid": "0649f7fd-3aa1-4646-a7a4-2334088c6c74", - "value": "T9000 (S0098) uses System Network Configuration Discovery (T1016)" - }, - { - "meta": { - "source-uuid": "bba595da-b73a-4354-aa6c-224d4de7cb4e", - "target-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1" - }, - "uuid": "745106bb-3641-488e-ae1c-547cd6ea9b7a", - "value": "cmd (S0106) uses System Information Discovery (T1082)" - }, - { - "meta": { - "source-uuid": "fb366179-766c-4a4a-afa1-52bff1fd601c", - "target-uuid": "a60657fa-e2e7-4f8f-8128-a882534ae8c5" - }, - "uuid": "614c18a5-2cee-48ac-898d-e1b85a91e44d", - "value": "Threat Group-3390 (G0027) uses OwaAuth (S0072)" - }, - { - "meta": { - "source-uuid": "bba595da-b73a-4354-aa6c-224d4de7cb4e", - "target-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830" - }, - "uuid": "fb60b027-facd-4be2-b8b2-0fb9351ea235", - "value": "cmd (S0106) uses Command-Line Interface (T1059)" - }, - { - "meta": { - "source-uuid": "5e7ef1dc-7fb6-4913-ac75-e06113b59e0c", - "target-uuid": "830c9528-df21-472c-8c14-a036bf17d665" - }, - "uuid": "1f972385-7f1c-4cbd-a071-951973e6d229", - "value": "MiniDuke (S0051) uses Web Service (T1102)" - }, - { - "meta": { - "source-uuid": "8901ac23-6b50-410c-b0dd-d8174a86f9b3", - "target-uuid": "f44731de-ea9f-406d-9b83-30ecbb9b4392" - }, - "uuid": "73a53379-746e-46db-b101-1fc45df5e458", - "value": "Shamoon (S0140) uses Service Execution (T1035)" - }, - { - "meta": { - "source-uuid": "ff6840c9-4c87-4d07-bbb6-9f50aa33d498", - "target-uuid": 
"3b744087-9945-4a6f-91e8-9dbceda417a4" - }, - "uuid": "00b0af92-df59-4d56-ac3e-18f6f1f72957", - "value": "Flame (S0143) uses Replication Through Removable Media (T1091)" - }, - { - "meta": { - "source-uuid": "1c63d4ec-0a75-4daa-b1df-0d11af3d3cc1", - "target-uuid": "82cb34ba-02b5-432b-b2d2-07f55cbf674d" - }, - "uuid": "fa9a8640-75e5-458c-99c0-e5e85aa32a77", - "value": "Dragonfly (G0035) uses Trojan.Karagany (S0094)" - }, - { - "meta": { - "source-uuid": "cf23bf4a-e003-4116-bbae-1ea6c558d565", - "target-uuid": "a19e86f8-1c0a-4fea-8407-23b73d615776" - }, - "uuid": "ac3ee298-bef0-4a52-9050-3dcef1701408", - "value": "FTP (S0095) uses Exfiltration Over Alternative Protocol (T1048)" - }, - { - "meta": { - "source-uuid": "ccd61dfc-b03f-4689-8c18-7c97eab08472", - "target-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830" - }, - "uuid": "2fa20fad-4ede-42f4-8ce5-7f5a6ce83ed8", - "value": "CHOPSTICK (S0023) uses Command-Line Interface (T1059)" - }, - { - "meta": { - "source-uuid": "72f54d66-675d-4587-9bd3-4ed09f9522e4", - "target-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2" - }, - "uuid": "82384148-90fd-4bfa-a734-e9c8b37b584f", - "value": "Carbanak (S0030) uses Input Capture (T1056)" - }, - { - "meta": { - "source-uuid": "b2203c59-4089-4ee4-bfe1-28fa25f0dbfe", - "target-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59" - }, - "uuid": "171380bf-41ff-43da-86fe-c131f5f7b97b", - "value": "Cherry Picker (S0107) uses File Deletion (T1107)" - }, - { - "meta": { - "source-uuid": "68dca94f-c11d-421e-9287-7c501108e18c", - "target-uuid": "1c338d0f-a65e-4073-a5c1-c06878849f21" - }, - "uuid": "f64acb43-91b8-431a-ad0a-ad22afe5851a", - "value": "Duqu (S0038) uses Process Hollowing (T1093)" - }, - { - "meta": { - "source-uuid": "26fed817-e7bf-41f9-829a-9075ffac45c2", - "target-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2" - }, - "uuid": "e45cdf20-e182-4346-8c98-a48575282ae6", - "value": "Kasidet (S0088) uses Input Capture (T1056)" - }, - { - "meta": { - "source-uuid": 
"2a7914cf-dff3-428d-ab0f-1014d1c28aeb", - "target-uuid": "7fd87010-3a00-4da3-b905-410525e8ec44" - }, - "uuid": "1f764874-0e08-4799-9487-a9e12c499c13", - "value": "FIN6 (G0037) uses Scripting (T1064)" - }, - { - "meta": { - "source-uuid": "ec418d1b-4963-439f-b055-f914737ef362", - "target-uuid": "f792d02f-813d-402b-86a5-ab98cb391d3b" - }, - "uuid": "0ac55ad4-0f16-416e-bf88-67ee1aad85ab", - "value": "InstallUtil Mitigation (T1118) mitigates InstallUtil (T1118)" - }, - { - "meta": { - "source-uuid": "94379dec-5c87-49db-b36e-66abc0b81344", - "target-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d" - }, - "uuid": "7fd4fe68-0f2a-485c-9b10-6847428ef5da", - "value": "Derusbi (S0021) uses Process Injection (T1055)" - }, - { - "meta": { - "source-uuid": "8ae43c46-57ef-47d5-a77a-eebb35628db2", - "target-uuid": "9b52fca7-1a36-4da0-b62d-da5bd83b4d69" - }, - "uuid": "988cb889-b385-4e8f-be06-7d41c4da0dd7", - "value": "JHUHUGIT (S0044) uses Component Object Model Hijacking (T1122)" - }, - { - "meta": { - "source-uuid": "222fbd21-fc4f-4b7e-9f85-0e6e3a76c33f", - "target-uuid": "7e150503-88e7-4861-866b-ff1ac82c4475" - }, - "uuid": "12ea66f1-566a-404f-a948-f76b9047710e", - "value": "menuPass (G0045) uses System Network Connections Discovery (T1049)" - }, - { - "meta": { - "source-uuid": "09b2cd76-c674-47cc-9f57-d2f2ad150a46", - "target-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896" - }, - "uuid": "d078f862-c090-4e79-808b-ff69887a920c", - "value": "POWRUNER (S0184) uses Query Registry (T1012)" - }, - { - "meta": { - "source-uuid": "afc079f3-c0ea-4096-b75d-3f05338b7f60", - "target-uuid": "6c174520-beea-43d9-aac6-28fb77f3e446" - }, - "uuid": "41f04732-8fdc-4b2f-9e22-7b78ff650e5d", - "value": "Mimikatz (S0002) uses Security Support Provider (T1101)" - }, - { - "meta": { - "source-uuid": "402e92cd-5608-4f4b-9a34-a2c962e4bcd7", - "target-uuid": "e99ec083-abdd-48de-ad87-4dbf6f8ba2a4" - }, - "uuid": "a6a8e3e4-faa7-4c9f-9460-fabbbc8c844c", - "value": "Launch Daemon Mitigation (T1160) mitigates 
Launch Daemon (T1160)" - }, - { - "meta": { - "source-uuid": "85403903-15e0-4f9f-9be4-a259ecad4022", - "target-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81" - }, - "uuid": "e25b4146-2f52-4c5b-a1f8-3e868e767f84", - "value": "FIN5 (G0053) uses Valid Accounts (T1078)" - }, - { - "meta": { - "source-uuid": "56db6ccc-433d-4411-8383-c3fd7053e2c8", - "target-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670" - }, - "uuid": "678be242-66fd-40b8-bbf1-24c3dda77895", - "value": "Execution through API Mitigation (T1106) mitigates Execution through API (T1106)" - }, - { - "meta": { - "source-uuid": "899ce53f-13a0-479b-a0e4-67d46e241542", - "target-uuid": "ed7d0cb1-87a6-43b4-9f46-ef1bc56d6c68" - }, - "uuid": "bd5b6f31-2248-4af8-8e8e-e3273aaa57e4", - "value": "APT29 (G0016) uses Tor (S0183)" - }, - { - "meta": { - "source-uuid": "fece06b7-d4b1-42cf-b81a-5323c917546e", - "target-uuid": "3b3cbbe0-6ed3-4334-b543-3ddfd8c5642d" - }, - "uuid": "35f02c40-d46f-44fa-8ba2-5106357494b4", - "value": "FALLCHILL (S0181) uses Custom Cryptographic Protocol (T1024)" - }, - { - "meta": { - "source-uuid": "b77b563c-34bb-4fb8-86a3-3694338f7b47", - "target-uuid": "e358d692-23c0-4a31-9eb6-ecc13a8d7735" - }, - "uuid": "9b2356e1-6544-40a7-a694-8ac36a1da1b7", - "value": "Ping (S0097) uses Remote System Discovery (T1018)" - }, - { - "meta": { - "source-uuid": "bef4c620-0787-42a8-a96d-b7eb6e85917c", - "target-uuid": "a1dd2dbd-1550-44bf-abcc-1a4c52e97719" - }, - "uuid": "89363ca8-1cf3-4c40-972c-6e2787a05b43", - "value": "APT28 (G0007) uses Responder (S0174)" - }, - { - "meta": { - "source-uuid": "cde2d700-9ed1-46cf-9bce-07364fe8b24f", - "target-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896" - }, - "uuid": "5365d764-76fa-49ce-b76b-d0344322b037", - "value": "Reg (S0075) uses Query Registry (T1012)" - }, - { - "meta": { - "source-uuid": "17b40f60-729f-4fe8-8aea-cc9ee44a95d5", - "target-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6" - }, - "uuid": "c33c2a0f-eb88-43ef-be7b-6311bef2da3d", - "value": "RedLeaves (S0153) 
uses Standard Application Layer Protocol (T1071)" - }, - { - "meta": { - "source-uuid": "894aab42-3371-47b1-8859-a4a074c804c8", - "target-uuid": "7fd87010-3a00-4da3-b905-410525e8ec44" - }, - "uuid": "0d63f3cf-bace-4210-9b76-199c5cdb8764", - "value": "Stealth Falcon (G0038) uses Scripting (T1064)" - }, - { - "meta": { - "source-uuid": "76abb3ef-dafd-4762-97cb-a35379429db4", - "target-uuid": "2892b9ee-ca9f-4723-b332-0dc6e843a8ae" - }, - "uuid": "b4f8c479-aab5-481d-aa04-922677da108a", - "value": "Gazer (S0168) uses Screensaver (T1180)" - }, - { - "meta": { - "source-uuid": "0bbdf25b-30ff-4894-a1cd-49260d0dd2d9", - "target-uuid": "7e150503-88e7-4861-866b-ff1ac82c4475" - }, - "uuid": "4d82bac6-ec9d-4f4b-a471-169728a830a4", - "value": "APT3 (G0022) uses System Network Connections Discovery (T1049)" - }, - { - "meta": { - "source-uuid": "7343e208-7cab-45f2-a47b-41ba5e2f0fab", - "target-uuid": "731f4f55-b6d0-41d1-a7a9-072a66389aea" - }, - "uuid": "d3234cf8-0ef7-4447-ae3a-9624f3229265", - "value": "XTunnel (S0117) uses Connection Proxy (T1090)" - }, - { - "meta": { - "source-uuid": "8e461ca3-0996-4e6e-a0df-e2a5bbc51ebc", - "target-uuid": "7bc57495-ea59-4380-be31-a64af124ef18" - }, - "uuid": "26968975-5f01-4b4b-9cdc-ef3b76710304", - "value": "4H RAT (S0065) uses File and Directory Discovery (T1083)" - }, - { - "meta": { - "source-uuid": "ae41895a-243f-4a65-b99b-d85022326c31", - "target-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a" - }, - "uuid": "86461465-cb29-4fc9-8fa8-8956c0f94536", - "value": "Dust Storm (G0031) uses Obfuscated Files or Information (T1027)" - }, - { - "meta": { - "source-uuid": "c93fccb1-e8e8-42cf-ae33-2ad1d183913a", - "target-uuid": "5a63f900-5e7e-4928-a746-dd4558e1df71" - }, - "uuid": "9f62c4e4-02d4-497b-8039-cc4e816386a5", - "value": "Lazarus Group (G0032) uses netsh (S0108)" - }, - { - "meta": { - "source-uuid": "94379dec-5c87-49db-b36e-66abc0b81344", - "target-uuid": "128c55d3-aeba-469f-bd3e-c8996ab4112a" - }, - "uuid": 
"60137eb6-ed8c-41ce-bf75-6b45cdafe751", - "value": "Derusbi (S0021) uses Timestomp (T1099)" - }, - { - "meta": { - "source-uuid": "0f862b01-99da-47cc-9bdb-db4a86a95bb1", - "target-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d" - }, - "uuid": "106aae81-fab1-42b3-97b0-4f0c1d67c896", - "value": "Emissary (S0082) uses Process Injection (T1055)" - }, - { - "meta": { - "source-uuid": "af2ad3b7-ab6a-4807-91fd-51bcaff9acbb", - "target-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59" - }, - "uuid": "e5efa7ca-3e2a-4f08-ac2c-f5f317c9caf7", - "value": "USBStealer (S0136) uses File Deletion (T1107)" - }, - { - "meta": { - "source-uuid": "277d2f87-2ae5-4730-a3aa-50c1fdff9656", - "target-uuid": "69d6f4a9-fcf0-4f51-bca7-597c51ad0bb8" - }, - "uuid": "edea5971-fc27-4637-8de9-aabcd50784a7", - "value": "Strider (G0041) uses Remsec (S0125)" - }, - { - "meta": { - "source-uuid": "7551188b-8f91-4d34-8350-0d0c57b2b913", - "target-uuid": "4b74a1d4-b0e9-4ef1-93f1-14ecc6e2f5b5" - }, - "uuid": "1a028242-1896-4867-a691-c97867f1663d", - "value": "Elise (S0081) uses Standard Cryptographic Protocol (T1032)" - }, - { - "meta": { - "source-uuid": "94379dec-5c87-49db-b36e-66abc0b81344", - "target-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1" - }, - "uuid": "5d2ca571-9e66-4949-b3a1-978c47398b18", - "value": "Derusbi (S0021) uses System Information Discovery (T1082)" - }, - { - "meta": { - "source-uuid": "0b32ec39-ba61-4864-9ebe-b4b0b73caf9a", - "target-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59" - }, - "uuid": "0061f7aa-fe4e-41e5-8ebf-e9f526bda08f", - "value": "TDTESS (S0164) uses File Deletion (T1107)" - }, - { - "meta": { - "source-uuid": "68dca94f-c11d-421e-9287-7c501108e18c", - "target-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0" - }, - "uuid": "dbf13cc5-f61b-41fd-96fa-d0bac20549bc", - "value": "Duqu (S0038) uses System Network Configuration Discovery (T1016)" - }, - { - "meta": { - "source-uuid": "495b6cdb-7b5a-4fbc-8d33-e7ef68806d08", - "target-uuid": "62dfd1ca-52d5-483c-a84b-d6e80bf94b7b" - }, 
- "uuid": "96a09c57-4848-464e-8649-142152c91db9", - "value": "Volgmer (S0180) uses Modify Existing Service (T1031)" - }, - { - "meta": { - "source-uuid": "876f6a77-fbc5-4e13-ab1a-5611986730a3", - "target-uuid": "f3c544dc-673c-4ef3-accb-53229f1ae077" - }, - "uuid": "0d2a66c5-fb8e-4cbb-9526-579b5c9c881c", - "value": "T9000 (S0098) uses System Time Discovery (T1124)" - }, - { - "meta": { - "source-uuid": "222fbd21-fc4f-4b7e-9f85-0e6e3a76c33f", - "target-uuid": "e3a12395-188d-4051-9a16-ea8e14d07b88" - }, - "uuid": "0d889b2d-eda4-45dc-99bf-c530b7d4b05f", - "value": "menuPass (G0045) uses Network Service Scanning (T1046)" - }, - { - "meta": { - "source-uuid": "6a0ef5d4-fc7c-4dda-85d7-592e4dbdc5d9", - "target-uuid": "dd43c543-bb85-4a6f-aa6e-160d90d06a49" - }, - "uuid": "2b6da092-7380-4bd3-bd4c-f136a5b9b4cc", - "value": "Sykipot (S0018) uses Two-Factor Authentication Interception (T1111)" - }, - { - "meta": { - "source-uuid": "fb261c56-b80e-43a9-8351-c84081e7213d", - "target-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1" - }, - "uuid": "16cb7ede-b431-4711-bcb1-91bc925663e5", - "value": "BACKSPACE (S0031) uses System Information Discovery (T1082)" - }, - { - "meta": { - "source-uuid": "76abb3ef-dafd-4762-97cb-a35379429db4", - "target-uuid": "514ede4c-78b3-4d78-a38b-daddf6217a79" - }, - "uuid": "07f83a39-8bb0-44f1-9c81-7291ba10dd03", - "value": "Gazer (S0168) uses Winlogon Helper DLL (T1004)" - }, - { - "meta": { - "source-uuid": "7f8730af-f683-423f-9ee1-5f6875a80481", - "target-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104" - }, - "uuid": "fea6e347-95f5-4d97-8781-4cc15d6b5b0c", - "value": "Sys10 (S0060) uses System Owner/User Discovery (T1033)" - }, - { - "meta": { - "source-uuid": "dc5d1a33-62aa-4a0c-aa8c-589b87beb11e", - "target-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc" - }, - "uuid": "2e44b66a-0f81-4f60-94aa-c450556bc243", - "value": "ChChes (S0144) uses Registry Run Keys / Start Folder (T1060)" - }, - { - "meta": { - "source-uuid": 
"eff1a885-6f90-42a1-901f-eef6e7a1905e", - "target-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9" - }, - "uuid": "09266cb7-26b3-4959-bcff-a91e309b5588", - "value": "Helminth (S0170) uses Scheduled Task (T1053)" - }, - { - "meta": { - "source-uuid": "4e6b9625-bbda-4d96-a652-b3bb45453f26", - "target-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add" - }, - "uuid": "b3831788-f18f-4315-997e-275e425c0d31", - "value": "RemoteCMD (S0166) uses Remote File Copy (T1105)" - }, - { - "meta": { - "source-uuid": "66b1dcde-17a0-4c7b-95fa-b08d430c2131", - "target-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0" - }, - "uuid": "11874e26-e692-43da-bb54-760e51a4714f", - "value": "S-Type (S0085) uses Masquerading (T1036)" - }, - { - "meta": { - "source-uuid": "2e45723a-31da-4a7e-aaa6-e01998a6788f", - "target-uuid": "322bad5a-1c49-4d23-ab79-76d641794afa" - }, - "uuid": "40c5a024-37db-478b-b90f-27f184bf8f60", - "value": "Tasklist (S0057) uses System Service Discovery (T1007)" - }, - { - "meta": { - "source-uuid": "876f6a77-fbc5-4e13-ab1a-5611986730a3", - "target-uuid": "241814ae-de3f-4656-b49e-f9a80764d4b7" - }, - "uuid": "74e84133-f84a-469a-bfd7-1a514af2f15e", - "value": "T9000 (S0098) uses Security Software Discovery (T1063)" - }, - { - "meta": { - "source-uuid": "f9d6633a-55e6-4adc-9263-6ae080421a13", - "target-uuid": "f879d51c-5476-431c-aedf-f14d207e4d1e" - }, - "uuid": "bb784f1f-fb42-4587-9fe2-9dd5c8dffa5c", - "value": "Magic Hound (G0059) uses Commonly Used Port (T1043)" - }, - { - "meta": { - "source-uuid": "222fbd21-fc4f-4b7e-9f85-0e6e3a76c33f", - "target-uuid": "dc5d1a33-62aa-4a0c-aa8c-589b87beb11e" - }, - "uuid": "845482a1-a062-407d-a83e-90d883d1d91b", - "value": "menuPass (G0045) uses ChChes (S0144)" - }, - { - "meta": { - "source-uuid": "7a19ecb1-3c65-4de3-a230-993516aed6a6", - "target-uuid": "da5880b4-f7da-4869-85f2-e0aba84b8565" - }, - "uuid": "35a9c64c-c305-46bf-a216-c8bb1b051614", - "value": "Turla (G0010) uses ComRAT (S0126)" - }, - { - "meta": { - "source-uuid": 
"fb366179-766c-4a4a-afa1-52bff1fd601c", - "target-uuid": "72b74d71-8169-42aa-92e0-e7b04b9f5a08" - }, - "uuid": "b2dbbb46-9659-4277-8753-c469c4bfe409", - "value": "Threat Group-3390 (G0027) uses Account Discovery (T1087)" - }, - { - "meta": { - "source-uuid": "bef4c620-0787-42a8-a96d-b7eb6e85917c", - "target-uuid": "8ae43c46-57ef-47d5-a77a-eebb35628db2" - }, - "uuid": "75d04175-c43d-46cd-be08-5f4c91f767ed", - "value": "APT28 (G0007) uses JHUHUGIT (S0044)" - }, - { - "meta": { - "source-uuid": "9752aef4-a1f3-4328-929f-b64eb0536090", - "target-uuid": "d54416bd-0803-41ca-870a-ce1af7c05638" - }, - "uuid": "53ad6525-7888-4651-bd43-c010b489ccc0", - "value": "RawPOS (S0169) uses Data Encrypted (T1022)" - }, - { - "meta": { - "source-uuid": "17862c7d-9e60-48a0-b48e-da4dc4c3f6b0", - "target-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830" - }, - "uuid": "c5da001c-2c17-4e83-8e5c-21863ead4bd9", - "value": "Patchwork (G0040) uses Command-Line Interface (T1059)" - }, - { - "meta": { - "source-uuid": "2e290bfe-93b5-48ce-97d6-edcd6d32b7cf", - "target-uuid": "1b7ba276-eedc-4951-a762-0ceea2c030ec" - }, - "uuid": "788e8246-d835-42c6-b8b4-7efad31e4a84", - "value": "Gamaredon Group (G0047) uses Data from Removable Media (T1025)" - }, - { - "meta": { - "source-uuid": "7551188b-8f91-4d34-8350-0d0c57b2b913", - "target-uuid": "72b74d71-8169-42aa-92e0-e7b04b9f5a08" - }, - "uuid": "c987dc63-ef3d-43aa-9344-bd9fd528c55d", - "value": "Elise (S0081) uses Account Discovery (T1087)" - }, - { - "meta": { - "source-uuid": "a8d3d497-2da9-4797-8e0b-ed176be08654", - "target-uuid": "b2001907-166b-4d71-bb3c-9d26c871de09" - }, - "uuid": "1bbb499c-81c8-4e94-8305-86b199e8298b", - "value": "Wingbird (S0176) uses DLL Side-Loading (T1073)" - }, - { - "meta": { - "source-uuid": "5ce5392a-3a6c-4e07-9df3-9b6a9159ac45", - "target-uuid": "800bdfba-6d66-480f-9f45-15845c05cb5d" - }, - "uuid": "0cde085d-12ca-4cde-a99c-c37d63d7dc2e", - "value": "Putter Panda (G0024) uses pngdowner (S0067)" - }, - { - "meta": { - 
"source-uuid": "fece06b7-d4b1-42cf-b81a-5323c917546e", - "target-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1" - }, - "uuid": "5dd257c0-c2cb-422a-9991-93ff667c5ad6", - "value": "FALLCHILL (S0181) uses System Information Discovery (T1082)" - }, - { - "meta": { - "source-uuid": "fdb1ae84-7b00-4d3d-b7dc-c774beef6425", - "target-uuid": "a10641f4-87b4-45a3-a906-92a149cb2c27" - }, - "uuid": "bb55d7e7-28af-4efd-8384-289f1a8b173e", - "value": "Account Manipulation Mitigation (T1098) mitigates Account Manipulation (T1098)" - }, - { - "meta": { - "source-uuid": "f2cb6ce2-188d-4162-8feb-594f949b13dd", - "target-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9" - }, - "uuid": "8bbb18a7-5eab-4832-beac-f52f30b54862", - "value": "Scheduled Task Mitigation (T1053) mitigates Scheduled Task (T1053)" - }, - { - "meta": { - "source-uuid": "85403903-15e0-4f9f-9be4-a259ecad4022", - "target-uuid": "7fd87010-3a00-4da3-b905-410525e8ec44" - }, - "uuid": "39590383-ba69-4d8f-9520-e893cd4ebcdf", - "value": "FIN5 (G0053) uses Scripting (T1064)" - }, - { - "meta": { - "source-uuid": "9e729a7e-0dd6-4097-95bf-db8d64911383", - "target-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc" - }, - "uuid": "d021d378-a5ff-4020-972c-cc9152e824b0", - "value": "Darkhotel (G0012) uses Registry Run Keys / Start Folder (T1060)" - }, - { - "meta": { - "source-uuid": "9ea525fa-b0a9-4dde-84f2-bcea0137b3c1", - "target-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2" - }, - "uuid": "0e58b447-7b3e-404c-b8e5-003734c34574", - "value": "MoonWind (S0149) uses Input Capture (T1056)" - }, - { - "meta": { - "source-uuid": "2e45723a-31da-4a7e-aaa6-e01998a6788f", - "target-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580" - }, - "uuid": "32a470e7-4bbc-43e8-ae8e-09b382dd441f", - "value": "Tasklist (S0057) uses Process Discovery (T1057)" - }, - { - "meta": { - "source-uuid": "fb366179-766c-4a4a-afa1-52bff1fd601c", - "target-uuid": "e3a12395-188d-4051-9a16-ea8e14d07b88" - }, - "uuid": "13d8aec7-3e49-41f8-b57c-475cdc0d9632", - "value": "Threat 
Group-3390 (G0027) uses Network Service Scanning (T1046)" - }, - { - "meta": { - "source-uuid": "687c23e4-4e25-4ee7-a870-c5e002511f54", - "target-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2" - }, - "uuid": "5e2e672a-02d4-4510-a629-942d44a558f1", - "value": "DustySky (S0062) uses Input Capture (T1056)" - }, - { - "meta": { - "source-uuid": "fb575479-14ef-41e9-bfab-0b7cf10bec73", - "target-uuid": "f879d51c-5476-431c-aedf-f14d207e4d1e" - }, - "uuid": "d3c8d1a9-9413-4633-9cbf-4bc34bb5054d", - "value": "ADVSTORESHELL (S0045) uses Commonly Used Port (T1043)" - }, - { - "meta": { - "source-uuid": "bef4c620-0787-42a8-a96d-b7eb6e85917c", - "target-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688" - }, - "uuid": "48f662fe-1ba2-4c19-b782-dd06d9fb67fa", - "value": "APT28 (G0007) uses Screen Capture (T1113)" - }, - { - "meta": { - "source-uuid": "2f1a9fd0-3b7c-4d77-a358-78db13adbe78", - "target-uuid": "6faf650d-bf31-4eb4-802d-1000cf38efaf" - }, - "uuid": "6782d7bb-5e81-4656-9445-fbd6ae1f2bdb", - "value": "EvilGrab (S0152) uses Video Capture (T1125)" - }, - { - "meta": { - "source-uuid": "899ce53f-13a0-479b-a0e4-67d46e241542", - "target-uuid": "ae9d818d-95d0-41da-b045-9cabea1ca164" - }, - "uuid": "02462741-4148-48b3-881b-1b813ce62fcc", - "value": "APT29 (G0016) uses PinchDuke (S0048)" - }, - { - "meta": { - "source-uuid": "16ade1aa-0ea1-4bb7-88cc-9079df2ae756", - "target-uuid": "03342581-f790-4f03-ba41-e82e67392e23" - }, - "uuid": "a36263d1-d109-4c94-930a-6be1e9615527", - "value": "admin@338 (G0018) uses Net (S0039)" - }, - { - "meta": { - "source-uuid": "16dd03c6-0dfb-4d77-89cd-9ff3ee6e533d", - "target-uuid": "1035cdf2-3e5f-446f-a7a7-e8f6d7925967" - }, - "uuid": "06cd0498-7ebb-41e6-9399-c43c82487540", - "value": "Audio Capture Mitigation (T1123) mitigates Audio Capture (T1123)" - }, - { - "meta": { - "source-uuid": "fb366179-766c-4a4a-afa1-52bff1fd601c", - "target-uuid": "f879d51c-5476-431c-aedf-f14d207e4d1e" - }, - "uuid": "b1e7f787-2d43-442b-8bd1-4fa064f089b2", - "value": 
"Threat Group-3390 (G0027) uses Commonly Used Port (T1043)" - }, - { - "meta": { - "source-uuid": "c5947e1c-1cbc-434c-94b8-27c7e3be0fff", - "target-uuid": "1b84d551-6de8-4b96-9930-d177677c3b1d" - }, - "uuid": "f28627be-fddd-455c-b001-abddaaa29fa7", - "value": "Winnti Group (G0044) uses Code Signing (T1116)" - }, - { - "meta": { - "source-uuid": "bef4c620-0787-42a8-a96d-b7eb6e85917c", - "target-uuid": "62b8c999-dcc0-4755-bd69-09442d9359f5" - }, - "uuid": "8f269f6c-9e8b-4296-ab47-2f60c9156b58", - "value": "APT28 (G0007) uses Rundll32 (T1085)" - }, - { - "meta": { - "source-uuid": "dc5d1a33-62aa-4a0c-aa8c-589b87beb11e", - "target-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add" - }, - "uuid": "92c901ce-5edb-417f-8af5-d569203e241c", - "value": "ChChes (S0144) uses Remote File Copy (T1105)" - }, - { - "meta": { - "source-uuid": "687c23e4-4e25-4ee7-a870-c5e002511f54", - "target-uuid": "241814ae-de3f-4656-b49e-f9a80764d4b7" - }, - "uuid": "ad50f322-18b6-43c7-bf6b-f77f4932fdad", - "value": "DustySky (S0062) uses Security Software Discovery (T1063)" - }, - { - "meta": { - "source-uuid": "cb7bcf6f-085f-41db-81ee-4b68481661b5", - "target-uuid": "4b74a1d4-b0e9-4ef1-93f1-14ecc6e2f5b5" - }, - "uuid": "bf8ae26c-c28c-4de7-a3e2-ad1a2851c1c0", - "value": "CallMe (S0077) uses Standard Cryptographic Protocol (T1032)" - }, - { - "meta": { - "source-uuid": "92ec0cbd-2c30-44a2-b270-73f4ec949841", - "target-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59" - }, - "uuid": "fe4ed27a-6d45-4e6a-bbc0-7ebe15a38046", - "value": "RTM (S0148) uses File Deletion (T1107)" - }, - { - "meta": { - "source-uuid": "5cbe0d3b-6fb1-471f-b591-4b192915116d", - "target-uuid": "9e9b9415-a7df-406b-b14d-92bfe6809fbe" - }, - "uuid": "01b924d7-42dd-412f-a9af-cabcb46512ea", - "value": "Suckfly (G0039) uses Nidiran (S0118)" - }, - { - "meta": { - "source-uuid": "9752aef4-a1f3-4328-929f-b64eb0536090", - "target-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5" - }, - "uuid": "92fb7408-1638-43b7-95a3-0cfeebd7624d", - "value": 
"RawPOS (S0169) uses Data from Local System (T1005)" - }, - { - "meta": { - "source-uuid": "222fbd21-fc4f-4b7e-9f85-0e6e3a76c33f", - "target-uuid": "f4882e23-8aa7-4b12-b28a-b349c12ee9e0" - }, - "uuid": "e104cf3c-a802-4e06-8abc-6293cea9492f", - "value": "menuPass (G0045) uses PowerShell (T1086)" - }, - { - "meta": { - "source-uuid": "b6b3dfc7-9a81-43ff-ac04-698bad48973a", - "target-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add" - }, - "uuid": "24503815-4ac5-4d57-9e95-ebeb84e0c11b", - "value": "Daserf (S0187) uses Remote File Copy (T1105)" - }, - { - "meta": { - "source-uuid": "22addc7b-b39f-483d-979a-1b35147da5de", - "target-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580" - }, - "uuid": "13204383-a747-4f7f-a75c-858ddc76beab", - "value": "WinMM (S0059) uses Process Discovery (T1057)" - }, - { - "meta": { - "source-uuid": "ff6840c9-4c87-4d07-bbb6-9f50aa33d498", - "target-uuid": "51ea26b1-ff1e-4faa-b1a0-1114cd298c87" - }, - "uuid": "2858ec3b-5814-4515-9dda-f8009fbf4cd3", - "value": "Flame (S0143) uses Exfiltration Over Other Network Medium (T1011)" - }, - { - "meta": { - "source-uuid": "8c553311-0baa-4146-997a-f79acef3d831", - "target-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6" - }, - "uuid": "345c6135-7557-4292-8214-66618ba17edd", - "value": "RARSTONE (S0055) uses Standard Application Layer Protocol (T1071)" - }, - { - "meta": { - "source-uuid": "96b08451-b27a-4ff6-893f-790e26393a8e", - "target-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6" - }, - "uuid": "3b9e7ec8-8b10-4fe4-87b3-38b7710dbbb9", - "value": "Sakula (S0074) uses Standard Application Layer Protocol (T1071)" - }, - { - "meta": { - "source-uuid": "54cc1d4f-5c53-4f0e-9ef5-11b4998e82e4", - "target-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1" - }, - "uuid": "efa98949-4b58-4407-8fa2-366c06dc2ed9", - "value": "BlackEnergy (S0089) uses System Information Discovery (T1082)" - }, - { - "meta": { - "source-uuid": "5f9f7648-04ba-4a9f-bb4c-2a13e74572bd", - "target-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc" - }, - 
"uuid": "44908b0a-993a-4339-b30f-f0f1a64c0753", - "value": "Pteranodon (S0147) uses Registry Run Keys / Start Folder (T1060)" - }, - { - "meta": { - "source-uuid": "4ca1929c-7d64-4aab-b849-badbfc0c760d", - "target-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81" - }, - "uuid": "9779ccbc-c376-4a6e-a43f-56a782892302", - "value": "OilRig (G0049) uses Valid Accounts (T1078)" - }, - { - "meta": { - "source-uuid": "894aab42-3371-47b1-8859-a4a074c804c8", - "target-uuid": "01a5a209-b94c-450b-b7f9-946497d91055" - }, - "uuid": "94b4648a-4108-468c-be51-cca365fd97ac", - "value": "Stealth Falcon (G0038) uses Windows Management Instrumentation (T1047)" - }, - { - "meta": { - "source-uuid": "fde50aaa-f5de-4cb8-989a-babb57d6a704", - "target-uuid": "f44731de-ea9f-406d-9b83-30ecbb9b4392" - }, - "uuid": "9453d60b-4f3f-494f-985d-e29094ef8945", - "value": "Net Crawler (S0056) uses Service Execution (T1035)" - }, - { - "meta": { - "source-uuid": "2daa14d6-cbf3-4308-bb8e-213c324a08e4", - "target-uuid": "3b3cbbe0-6ed3-4334-b543-3ddfd8c5642d" - }, - "uuid": "3ebc8829-f260-4d75-817a-cd23a4ebb194", - "value": "HAMMERTOSS (S0037) uses Custom Cryptographic Protocol (T1024)" - }, - { - "meta": { - "source-uuid": "82cb34ba-02b5-432b-b2d2-07f55cbf674d", - "target-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580" - }, - "uuid": "51a03c8a-1983-4bdd-b326-78ec67f86f06", - "value": "Trojan.Karagany (S0094) uses Process Discovery (T1057)" - }, - { - "meta": { - "source-uuid": "c93fccb1-e8e8-42cf-ae33-2ad1d183913a", - "target-uuid": "2e0dd10b-676d-4964-acd0-8a404c92b044" - }, - "uuid": "ae61abba-14fb-4d4e-9f8e-a3b18500b449", - "value": "Lazarus Group (G0032) uses Disabling Security Tools (T1089)" - }, - { - "meta": { - "source-uuid": "6713ab67-e25b-49cc-808d-2b36d4fbc35c", - "target-uuid": "d54416bd-0803-41ca-870a-ce1af7c05638" - }, - "uuid": "bde913a9-9895-4414-b79a-3156159033aa", - "value": "Ke3chang (G0004) uses Data Encrypted (T1022)" - }, - { - "meta": { - "source-uuid": 
"c0c45d38-fe57-4cd4-b2b2-9ecd0ddd4ca9", - "target-uuid": "2e0dd10b-676d-4964-acd0-8a404c92b044" - }, - "uuid": "bdde6ad0-b6eb-4e3a-80e4-8a9db6a9570d", - "value": "TinyZBot (S0004) uses Disabling Security Tools (T1089)" - }, - { - "meta": { - "source-uuid": "6a2e693f-24e5-451a-9f88-b36a108e5662", - "target-uuid": "7fd87010-3a00-4da3-b905-410525e8ec44" - }, - "uuid": "ea40711b-461d-4629-b1fd-5f020b1f3257", - "value": "APT1 (G0006) uses Scripting (T1064)" - }, - { - "meta": { - "source-uuid": "3cab1b76-2f40-4cd0-8d2c-7ed16eeb909c", - "target-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6" - }, - "uuid": "76e75bfe-b72c-471b-9a26-eab5ed04a812", - "value": "ELMER (S0064) uses Standard Application Layer Protocol (T1071)" - }, - { - "meta": { - "source-uuid": "61d02387-351a-453e-a575-160a9abc3e04", - "target-uuid": "6a3be63a-64c5-4678-a036-03ff8fc35300" - }, - "uuid": "9064fd2e-4e0a-44e4-8bde-6e6c4cf8495f", - "value": "Re-opened Applications Mitigation (T1164) mitigates Re-opened Applications (T1164)" - }, - { - "meta": { - "source-uuid": "16ade1aa-0ea1-4bb7-88cc-9079df2ae756", - "target-uuid": "15dbf668-795c-41e6-8219-f0447c0e64ce" - }, - "uuid": "7d047513-5fbf-4d9e-8a5d-54317123e34c", - "value": "admin@338 (G0018) uses Permission Groups Discovery (T1069)" - }, - { - "meta": { - "source-uuid": "9e9b9415-a7df-406b-b14d-92bfe6809fbe", - "target-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0" - }, - "uuid": "9b1709f3-5062-42f1-82d9-191e66e1d14a", - "value": "Nidiran (S0118) uses Masquerading (T1036)" - }, - { - "meta": { - "source-uuid": "899ce53f-13a0-479b-a0e4-67d46e241542", - "target-uuid": "ca1a3f50-5ebd-41f8-8320-2c7d6a6e88be" - }, - "uuid": "fdcda836-4a21-45d2-8269-31b82aa3c08e", - "value": "APT29 (G0016) uses Bypass User Account Control (T1088)" - }, - { - "meta": { - "source-uuid": "e6ef745b-077f-42e1-a37d-29eecff9c754", - "target-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a" - }, - "uuid": "91d4c776-c259-46b0-b511-b344ca027009", - "value": "CozyCar (S0046) uses 
Obfuscated Files or Information (T1027)" - }, - { - "meta": { - "source-uuid": "4ca1929c-7d64-4aab-b849-badbfc0c760d", - "target-uuid": "a19e86f8-1c0a-4fea-8407-23b73d615776" - }, - "uuid": "70495f42-0a81-485c-8f30-c75af61f1c6a", - "value": "OilRig (G0049) uses Exfiltration Over Alternative Protocol (T1048)" - }, - { - "meta": { - "source-uuid": "82fbc58b-171d-4a2d-9a20-c6b2a716bd08", - "target-uuid": "1b84d551-6de8-4b96-9930-d177677c3b1d" - }, - "uuid": "f9ca3697-51a1-494b-8a61-06e516f29860", - "value": "Code Signing Mitigation (T1116) mitigates Code Signing (T1116)" - }, - { - "meta": { - "source-uuid": "37cc7eb6-12e3-467b-82e8-f20f2cc73c69", - "target-uuid": "b9f5dbe2-4c55-4fc5-af2e-d42c1d182ec4" - }, - "uuid": "fada6223-ba24-4c26-aa89-3998f07604f9", - "value": "Prikormka (S0113) uses Data Compressed (T1002)" - }, - { - "meta": { - "source-uuid": "bef4c620-0787-42a8-a96d-b7eb6e85917c", - "target-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6" - }, - "uuid": "a1fe7df1-7c20-422e-8e86-042cd11b3501", - "value": "APT28 (G0007) uses Standard Application Layer Protocol (T1071)" - }, - { - "meta": { - "source-uuid": "bef4c620-0787-42a8-a96d-b7eb6e85917c", - "target-uuid": "348f1eef-964b-4eb6-bb53-69b3dcb0c643" - }, - "uuid": "56d023cf-4390-40d9-afc6-cb0d40b4cdd1", - "value": "APT28 (G0007) uses Peripheral Device Discovery (T1120)" - }, - { - "meta": { - "source-uuid": "c93fccb1-e8e8-42cf-ae33-2ad1d183913a", - "target-uuid": "478aa214-2ca7-4ec0-9978-18798e514790" - }, - "uuid": "e42eef1a-107e-40a3-9227-45621e277ff3", - "value": "Lazarus Group (G0032) uses New Service (T1050)" - }, - { - "meta": { - "source-uuid": "16ade1aa-0ea1-4bb7-88cc-9079df2ae756", - "target-uuid": "7bc57495-ea59-4380-be31-a64af124ef18" - }, - "uuid": "5c816fc0-c4e3-47ef-8193-ef88eabdfc7e", - "value": "admin@338 (G0018) uses File and Directory Discovery (T1083)" - }, - { - "meta": { - "source-uuid": "9ea525fa-b0a9-4dde-84f2-bcea0137b3c1", - "target-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1" - }, - 
"uuid": "72fe5021-bace-41e4-9cc6-73af415225ac", - "value": "MoonWind (S0149) uses System Information Discovery (T1082)" - }, - { - "meta": { - "source-uuid": "38952eac-cb1b-4a71-bad2-ee8223a1c8fe", - "target-uuid": "15dbf668-795c-41e6-8219-f0447c0e64ce" - }, - "uuid": "f36a8899-940f-4c8f-924d-eef2f056744d", - "value": "dsquery (S0105) uses Permission Groups Discovery (T1069)" - }, - { - "meta": { - "source-uuid": "e0703d4f-3972-424a-8277-84004817e024", - "target-uuid": "c4ad009b-6e13-4419-8d21-918a1652de02" - }, - "uuid": "f132ff40-9e9d-49b8-a47d-832a21e1e56d", - "value": "Path Interception Mitigation (T1034) mitigates Path Interception (T1034)" - }, - { - "meta": { - "source-uuid": "37cc7eb6-12e3-467b-82e8-f20f2cc73c69", - "target-uuid": "7dd95ff6-712e-4056-9626-312ea4ab4c5e" - }, - "uuid": "df207207-01b2-456b-9dc4-7afd5ffeeb46", - "value": "Prikormka (S0113) uses Data Staged (T1074)" - }, - { - "meta": { - "source-uuid": "899ce53f-13a0-479b-a0e4-67d46e241542", - "target-uuid": "5e595477-2e78-4ce7-ae42-e0b059b17808" - }, - "uuid": "2db640ab-413b-4c49-9842-3bf190c5e184", - "value": "APT29 (G0016) uses POSHSPY (S0150)" - }, - { - "meta": { - "source-uuid": "93f52415-0fe4-4d3d-896c-fc9b8e88ab90", - "target-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59" - }, - "uuid": "089efdf8-b07a-4cda-aa5d-e60f9501ffd1", - "value": "BRONZE BUTLER (G0060) uses File Deletion (T1107)" - }, - { - "meta": { - "source-uuid": "8ae43c46-57ef-47d5-a77a-eebb35628db2", - "target-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6" - }, - "uuid": "4a4a5d60-ec17-49a2-b651-ea8918410fc2", - "value": "JHUHUGIT (S0044) uses Standard Application Layer Protocol (T1071)" - }, - { - "meta": { - "source-uuid": "4c59cce8-cb48-4141-b9f1-f646edfaadb0", - "target-uuid": "3257eb21-f9a7-4430-8de1-d8b6e288f529" - }, - "uuid": "fcfe071b-e527-44e9-9970-9243a354f563", - "value": "Regin (S0019) uses Network Sniffing (T1040)" - }, - { - "meta": { - "source-uuid": "fb261c56-b80e-43a9-8351-c84081e7213d", - "target-uuid": 
"7385dfaf-6886-4229-9ecd-6fd678040830" - }, - "uuid": "3f14994e-149d-4cca-85b8-eec0964120d3", - "value": "BACKSPACE (S0031) uses Command-Line Interface (T1059)" - }, - { - "meta": { - "source-uuid": "eff1a885-6f90-42a1-901f-eef6e7a1905e", - "target-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6" - }, - "uuid": "49c7a467-98ce-4764-af86-c950ed951d13", - "value": "Helminth (S0170) uses Standard Application Layer Protocol (T1071)" - }, - { - "meta": { - "source-uuid": "fb366179-766c-4a4a-afa1-52bff1fd601c", - "target-uuid": "64fa0de0-6240-41f4-8638-f4ca7ed528fd" - }, - "uuid": "412b7fbf-bc21-4373-9f2c-5f0a26482536", - "value": "Threat Group-3390 (G0027) uses PlugX (S0013)" - }, - { - "meta": { - "source-uuid": "26fed817-e7bf-41f9-829a-9075ffac45c2", - "target-uuid": "241814ae-de3f-4656-b49e-f9a80764d4b7" - }, - "uuid": "95a1ac52-e022-4c81-96cc-b7b39ca776d3", - "value": "Kasidet (S0088) uses Security Software Discovery (T1063)" - }, - { - "meta": { - "source-uuid": "afc079f3-c0ea-4096-b75d-3f05338b7f60", - "target-uuid": "c23b740b-a42b-47a1-aec2-9d48ddd547ff" - }, - "uuid": "6b83bc1e-edfc-4c6a-961f-d3757ae6a234", - "value": "Mimikatz (S0002) uses Pass the Hash (T1075)" - }, - { - "meta": { - "source-uuid": "1c63d4ec-0a75-4daa-b1df-0d11af3d3cc1", - "target-uuid": "f4882e23-8aa7-4b12-b28a-b349c12ee9e0" - }, - "uuid": "05076bd4-e4cb-4234-90ae-c7ce45feb41f", - "value": "Dragonfly (G0035) uses PowerShell (T1086)" - }, - { - "meta": { - "source-uuid": "234e7770-99b0-4f65-b983-d3230f76a60b", - "target-uuid": "1b84d551-6de8-4b96-9930-d177677c3b1d" - }, - "uuid": "fb3b8f32-0991-4d05-a80d-a4736372ad2a", - "value": "Janicab (S0163) uses Code Signing (T1116)" - }, - { - "meta": { - "source-uuid": "77fd4d73-6b79-4593-82e7-e4a439cc7604", - "target-uuid": "04ef4356-8926-45e2-9441-634b6f3dcecb" - }, - "uuid": "918956f2-db79-4721-8741-3b461a280e51", - "value": "LC_LOAD_DYLIB Addition Mitigation (T1161) mitigates LC_LOAD_DYLIB Addition (T1161)" - }, - { - "meta": { - "source-uuid": 
"d0fcf37a-b6c4-4745-9c43-4fcdb8bfc88e", - "target-uuid": "ad255bfe-a9e6-4b52-a258-8d3462abe842" - }, - "uuid": "4b12c645-96fc-45ac-b515-8333d6e254ef", - "value": "Data Obfuscation Mitigation (T1001) mitigates Data Obfuscation (T1001)" - }, - { - "meta": { - "source-uuid": "a90da496-b460-47e8-92e7-cc36eb00bd9a", - "target-uuid": "215190a9-9f02-4e83-bb5f-e0589965a302" - }, - "uuid": "f4aaf7ec-7ff1-4519-bd93-3eaf3074d11f", - "value": "Regsvcs/Regasm Mitigation (T1121) mitigates Regsvcs/Regasm (T1121)" - }, - { - "meta": { - "source-uuid": "2fb26586-2b53-4b9a-ad4f-2b3bcb9a2421", - "target-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1" - }, - "uuid": "fbfc610a-5355-40fc-b5a1-059e89a1eb8d", - "value": "SslMM (S0058) uses System Information Discovery (T1082)" - }, - { - "meta": { - "source-uuid": "76abb3ef-dafd-4762-97cb-a35379429db4", - "target-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a" - }, - "uuid": "deb7df24-689e-4e4e-909f-a270241ab65a", - "value": "Gazer (S0168) uses Obfuscated Files or Information (T1027)" - }, - { - "meta": { - "source-uuid": "a8d3d497-2da9-4797-8e0b-ed176be08654", - "target-uuid": "f44731de-ea9f-406d-9b83-30ecbb9b4392" - }, - "uuid": "91ca1017-0b33-4fa1-a61f-b3dae24c7e40", - "value": "Wingbird (S0176) uses Service Execution (T1035)" - }, - { - "meta": { - "source-uuid": "f6d1d2cb-12f5-4221-9636-44606ea1f3f8", - "target-uuid": "15dbf668-795c-41e6-8219-f0447c0e64ce" - }, - "uuid": "bc85f8f4-5d65-484c-af82-6adbe42083d9", - "value": "OSInfo (S0165) uses Permission Groups Discovery (T1069)" - }, - { - "meta": { - "source-uuid": "c93fccb1-e8e8-42cf-ae33-2ad1d183913a", - "target-uuid": "c848fcf7-6b62-4bde-8216-b6c157d48da0" - }, - "uuid": "7aa43cd7-ada3-49c9-8dc7-9492fa22c7d8", - "value": "Lazarus Group (G0032) uses Uncommonly Used Port (T1065)" - }, - { - "meta": { - "source-uuid": "876f6a77-fbc5-4e13-ab1a-5611986730a3", - "target-uuid": "348f1eef-964b-4eb6-bb53-69b3dcb0c643" - }, - "uuid": "ea93ff11-939f-449a-a222-4273d9fc9f3c", - "value": "T9000 
(S0098) uses Peripheral Device Discovery (T1120)" - }, - { - "meta": { - "source-uuid": "e48df773-7c95-4a4c-ba70-ea3d15900148", - "target-uuid": "f4882e23-8aa7-4b12-b28a-b349c12ee9e0" - }, - "uuid": "e3909a5f-ebfb-48e1-b0fc-5737217a994b", - "value": "DownPaper (S0186) uses PowerShell (T1086)" - }, - { - "meta": { - "source-uuid": "495b6cdb-7b5a-4fbc-8d33-e7ef68806d08", - "target-uuid": "322bad5a-1c49-4d23-ab79-76d641794afa" - }, - "uuid": "6139509a-709b-4ef4-81fb-25b9a35e2c60", - "value": "Volgmer (S0180) uses System Service Discovery (T1007)" - }, - { - "meta": { - "source-uuid": "2a158b0a-7ef8-43cb-9985-bf34d1e12050", - "target-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0" - }, - "uuid": "7138c1e4-6791-424b-adc1-5b4c7d5e3cca", - "value": "Naikon (G0019) uses System Network Configuration Discovery (T1016)" - }, - { - "meta": { - "source-uuid": "92e6d080-ca3f-4f95-bc45-172a32c4e502", - "target-uuid": "b21c3b2d-02e6-45b1-980b-e69051040839" - }, - "uuid": "d2a028a0-3c4f-4984-be51-80dbcf93a1a9", - "value": "Exploitation of Vulnerability Mitigation (T1068) mitigates Exploitation of Vulnerability (T1068)" - }, - { - "meta": { - "source-uuid": "6a2e693f-24e5-451a-9f88-b36a108e5662", - "target-uuid": "c23b740b-a42b-47a1-aec2-9d48ddd547ff" - }, - "uuid": "3b35fec9-ee0d-4c2d-9936-0aa06ad6a49a", - "value": "APT1 (G0006) uses Pass the Hash (T1075)" - }, - { - "meta": { - "source-uuid": "aafea02e-ece5-4bb2-91a6-3bf8c7f38a39", - "target-uuid": "e358d692-23c0-4a31-9eb6-ecc13a8d7735" - }, - "uuid": "b26eb7d2-1147-4c2b-a1eb-4a457e081e22", - "value": "Cobalt Strike (S0154) uses Remote System Discovery (T1018)" - }, - { - "meta": { - "source-uuid": "09b2cd76-c674-47cc-9f57-d2f2ad150a46", - "target-uuid": "01a5a209-b94c-450b-b7f9-946497d91055" - }, - "uuid": "35419603-7bc2-40f6-8e5d-4e7a8f13ebb7", - "value": "POWRUNER (S0184) uses Windows Management Instrumentation (T1047)" - }, - { - "meta": { - "source-uuid": "92c28497-2820-445e-9f3e-a03dd77dc0c8", - "target-uuid": 
"92d7da27-2d91-488e-a00c-059dc162766d" - }, - "uuid": "cd38481c-7c23-4e72-b1b4-056830f5f7f3", - "value": "Exfiltration Over Command and Control Channel Mitigation (T1041) mitigates Exfiltration Over Command and Control Channel (T1041)" - }, - { - "meta": { - "source-uuid": "fb575479-14ef-41e9-bfab-0b7cf10bec73", - "target-uuid": "4eeaf8a9-c86b-4954-a663-9555fb406466" - }, - "uuid": "5eb253cb-2e81-4f51-bd0e-d1734283491c", - "value": "ADVSTORESHELL (S0045) uses Scheduled Transfer (T1029)" - }, - { - "meta": { - "source-uuid": "8b880b41-5139-4807-baa9-309690218719", - "target-uuid": "970cdb5c-02fb-4c38-b17e-d6327cf3c810" - }, - "uuid": "8a48e090-ab8c-414e-b559-7a0437c92850", - "value": "SPACESHIP (S0035) uses Shortcut Modification (T1023)" - }, - { - "meta": { - "source-uuid": "9ea525fa-b0a9-4dde-84f2-bcea0137b3c1", - "target-uuid": "7fd87010-3a00-4da3-b905-410525e8ec44" - }, - "uuid": "1782bb6e-7a06-4dfb-96f5-dd671d8a02d5", - "value": "MoonWind (S0149) uses Scripting (T1064)" - }, - { - "meta": { - "source-uuid": "d1acfbb3-647b-4723-9154-800ec119006e", - "target-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830" - }, - "uuid": "9f618c0f-79b8-4990-a02b-6e3187b14033", - "value": "Sowbug (G0054) uses Command-Line Interface (T1059)" - }, - { - "meta": { - "source-uuid": "b136d088-a829-432c-ac26-5529c26d4c7e", - "target-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6" - }, - "uuid": "b4228f64-bc0c-47a5-a3d8-d9aabdf66bfc", - "value": "OnionDuke (S0052) uses Standard Application Layer Protocol (T1071)" - }, - { - "meta": { - "source-uuid": "37cc7eb6-12e3-467b-82e8-f20f2cc73c69", - "target-uuid": "d54416bd-0803-41ca-870a-ce1af7c05638" - }, - "uuid": "56fac514-4461-4d8c-93a0-d12cade25169", - "value": "Prikormka (S0113) uses Data Encrypted (T1022)" - }, - { - "meta": { - "source-uuid": "68ba94ab-78b8-43e7-83e2-aed3466882c6", - "target-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add" - }, - "uuid": "fc1ec654-af35-4a7d-b2f6-54b4d8378cfb", - "value": "APT34 (G0057) uses Remote File Copy 
(T1105)" - }, - { - "meta": { - "source-uuid": "fb575479-14ef-41e9-bfab-0b7cf10bec73", - "target-uuid": "7dd95ff6-712e-4056-9626-312ea4ab4c5e" - }, - "uuid": "5d397a8d-2195-440d-a0f5-bbf6c3e8f6e4", - "value": "ADVSTORESHELL (S0045) uses Data Staged (T1074)" - }, - { - "meta": { - "source-uuid": "b96680d1-5eb3-4f07-b95c-00ab904ac236", - "target-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6" - }, - "uuid": "59d4e54d-66b8-4603-b189-ba67160da44d", - "value": "Pisloader (S0124) uses Standard Application Layer Protocol (T1071)" - }, - { - "meta": { - "source-uuid": "e6ef745b-077f-42e1-a37d-29eecff9c754", - "target-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830" - }, - "uuid": "04e4f0d1-32a9-4d64-a733-3316b0bf2740", - "value": "CozyCar (S0046) uses Command-Line Interface (T1059)" - }, - { - "meta": { - "source-uuid": "40d3e230-ed32-469f-ba89-be70cc08ab39", - "target-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0" - }, - "uuid": "dc187ed1-3987-4575-b1af-dc150e4329f8", - "value": "Agent.btz (S0092) uses System Network Configuration Discovery (T1016)" - }, - { - "meta": { - "source-uuid": "f9d6633a-55e6-4adc-9263-6ae080421a13", - "target-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830" - }, - "uuid": "17bc0957-1509-4faf-bb51-a6a9e1959978", - "value": "Magic Hound (G0059) uses Command-Line Interface (T1059)" - }, - { - "meta": { - "source-uuid": "3240cbe4-c550-443b-aa76-cc2a7058b870", - "target-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc" - }, - "uuid": "c75cc595-79d7-4a77-9647-d2323aad93d0", - "value": "SNUGRIDE (S0159) uses Registry Run Keys / Start Folder (T1060)" - }, - { - "meta": { - "source-uuid": "fb366179-766c-4a4a-afa1-52bff1fd601c", - "target-uuid": "7e150503-88e7-4861-866b-ff1ac82c4475" - }, - "uuid": "fe8a320f-e5e5-4503-8c3a-5c21b628a61d", - "value": "Threat Group-3390 (G0027) uses System Network Connections Discovery (T1049)" - }, - { - "meta": { - "source-uuid": "38fd6a28-3353-4f2b-bb2b-459fecd5c648", - "target-uuid": "b96680d1-5eb3-4f07-b95c-00ab904ac236" - }, - 
"uuid": "95842c88-c596-44c7-a16e-40d98e2457cc", - "value": "APT18 (G0026) uses Pisloader (S0124)" - }, - { - "meta": { - "source-uuid": "7dbb67c7-270a-40ad-836e-c45f8948aa5a", - "target-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1" - }, - "uuid": "42dc03ec-03fb-4bf0-8f5f-e90d1aacd6e7", - "value": "KOMPROGO (S0156) uses System Information Discovery (T1082)" - }, - { - "meta": { - "source-uuid": "b96680d1-5eb3-4f07-b95c-00ab904ac236", - "target-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a" - }, - "uuid": "cbc4c186-028e-4a24-93ff-5f2bb7edd98a", - "value": "Pisloader (S0124) uses Obfuscated Files or Information (T1027)" - }, - { - "meta": { - "source-uuid": "ff6840c9-4c87-4d07-bbb6-9f50aa33d498", - "target-uuid": "241814ae-de3f-4656-b49e-f9a80764d4b7" - }, - "uuid": "4a9f7553-b3ee-405b-9c81-f487b4bed868", - "value": "Flame (S0143) uses Security Software Discovery (T1063)" - }, - { - "meta": { - "source-uuid": "af2ad3b7-ab6a-4807-91fd-51bcaff9acbb", - "target-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a" - }, - "uuid": "016dc21c-ade9-43cc-9d88-a0c4c0891ccc", - "value": "USBStealer (S0136) uses Obfuscated Files or Information (T1027)" - }, - { - "meta": { - "source-uuid": "55033a4d-3ffe-46b2-99b4-2c1541e9ce1c", - "target-uuid": "62b8c999-dcc0-4755-bd69-09442d9359f5" - }, - "uuid": "539f8bc3-3fb4-43af-8918-9a65239cdff6", - "value": "Carbanak (G0008) uses Rundll32 (T1085)" - }, - { - "meta": { - "source-uuid": "ccd61dfc-b03f-4689-8c18-7c97eab08472", - "target-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2" - }, - "uuid": "954961e4-0bf5-496e-b200-e63d99c006de", - "value": "CHOPSTICK (S0023) uses Input Capture (T1056)" - }, - { - "meta": { - "source-uuid": "0bbdf25b-30ff-4894-a1cd-49260d0dd2d9", - "target-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2" - }, - "uuid": "ed283e07-a029-4d23-aa8f-55f92abb5203", - "value": "APT3 (G0022) uses Input Capture (T1056)" - }, - { - "meta": { - "source-uuid": "76abb3ef-dafd-4762-97cb-a35379429db4", - "target-uuid": 
"1b84d551-6de8-4b96-9930-d177677c3b1d" - }, - "uuid": "c354bbc0-74c4-4805-b6e6-f33f49272f86", - "value": "Gazer (S0168) uses Code Signing (T1116)" - }, - { - "meta": { - "source-uuid": "4ca1929c-7d64-4aab-b849-badbfc0c760d", - "target-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896" - }, - "uuid": "e30c24d3-d440-4395-88b3-3192a02c4364", - "value": "OilRig (G0049) uses Query Registry (T1012)" - }, - { - "meta": { - "source-uuid": "beb45abb-11e8-4aef-9778-1f9ac249784f", - "target-uuid": "ca1a3f50-5ebd-41f8-8320-2c7d6a6e88be" - }, - "uuid": "483a70b9-eae9-4d5f-925c-95c2dd7b9fa5", - "value": "Bypass User Account Control Mitigation (T1088) mitigates Bypass User Account Control (T1088)" - }, - { - "meta": { - "source-uuid": "bef4c620-0787-42a8-a96d-b7eb6e85917c", - "target-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104" - }, - "uuid": "a3de3705-8085-4992-9b90-1cb8ef532b5c", - "value": "APT28 (G0007) uses System Owner/User Discovery (T1033)" - }, - { - "meta": { - "source-uuid": "aafea02e-ece5-4bb2-91a6-3bf8c7f38a39", - "target-uuid": "731f4f55-b6d0-41d1-a7a9-072a66389aea" - }, - "uuid": "d13aaa09-5465-4439-b100-444242601a98", - "value": "Cobalt Strike (S0154) uses Connection Proxy (T1090)" - }, - { - "meta": { - "source-uuid": "2e5d3a83-fe00-41a5-9b60-237efc84832f", - "target-uuid": "519630c5-f03f-4882-825c-3af924935817" - }, - "uuid": "83cfa11e-f221-4dc4-b184-943c2c7f4562", - "value": "Moafee (G0002) uses Binary Padding (T1009)" - }, - { - "meta": { - "source-uuid": "894aab42-3371-47b1-8859-a4a074c804c8", - "target-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896" - }, - "uuid": "746b0def-62c8-438d-b5ec-aa6b7dbfb860", - "value": "Stealth Falcon (G0038) uses Query Registry (T1012)" - }, - { - "meta": { - "source-uuid": "7f8730af-f683-423f-9ee1-5f6875a80481", - "target-uuid": "3b3cbbe0-6ed3-4334-b543-3ddfd8c5642d" - }, - "uuid": "19c33297-1efd-4489-b09c-a4230ce194f4", - "value": "Sys10 (S0060) uses Custom Cryptographic Protocol (T1024)" - }, - { - "meta": { - "source-uuid": 
"0bbdf25b-30ff-4894-a1cd-49260d0dd2d9", - "target-uuid": "6aabc5ec-eae6-422c-8311-38d45ee9838a" - }, - "uuid": "13f986d2-949b-42c8-bd4b-b8a833b9d5de", - "value": "APT3 (G0022) uses Redundant Access (T1108)" - }, - { - "meta": { - "source-uuid": "fbe9387f-34e6-4828-ac28-3080020c597b", - "target-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add" - }, - "uuid": "33c8fb30-3515-4582-ad29-34fa0d7e15e5", - "value": "FIN10 (G0051) uses Remote File Copy (T1105)" - }, - { - "meta": { - "source-uuid": "8b880b41-5139-4807-baa9-309690218719", - "target-uuid": "e6415f09-df0e-48de-9aba-928c902b7549" - }, - "uuid": "04e2c418-8f6c-453c-8e17-4d3aeec0f755", - "value": "SPACESHIP (S0035) uses Exfiltration Over Physical Medium (T1052)" - }, - { - "meta": { - "source-uuid": "cdecc44a-1dbf-4c1f-881c-f21e3f47272a", - "target-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add" - }, - "uuid": "ab637576-5bf9-423f-b5e8-6d1ac26bbb5c", - "value": "Remote File Copy Mitigation (T1105) mitigates Remote File Copy (T1105)" - }, - { - "meta": { - "source-uuid": "4ca1929c-7d64-4aab-b849-badbfc0c760d", - "target-uuid": "00d0b012-8a03-410e-95de-5826bf542de6" - }, - "uuid": "fb6ffb5c-5405-4515-a120-7a34414933ea", - "value": "OilRig (G0049) uses Indicator Removal from Tools (T1066)" - }, - { - "meta": { - "source-uuid": "68dca94f-c11d-421e-9287-7c501108e18c", - "target-uuid": "f879d51c-5476-431c-aedf-f14d207e4d1e" - }, - "uuid": "4ac3f9d6-73e6-49d0-a49a-329eca1f5a3a", - "value": "Duqu (S0038) uses Commonly Used Port (T1043)" - }, - { - "meta": { - "source-uuid": "899ce53f-13a0-479b-a0e4-67d46e241542", - "target-uuid": "7d751199-05fa-4a72-920f-85df4506c76c" - }, - "uuid": "54188543-7746-4158-9a9f-5556bb99ec7a", - "value": "APT29 (G0016) uses Multi-hop Proxy (T1188)" - }, - { - "meta": { - "source-uuid": "88b7dbc2-32d3-4e31-af2f-3fc24e1582d7", - "target-uuid": "0f862b01-99da-47cc-9bdb-db4a86a95bb1" - }, - "uuid": "764b5d56-83a1-4c8d-824a-2021c7fe8052", - "value": "Lotus Blossom (G0030) uses Emissary (S0082)" - }, - { 
- "meta": { - "source-uuid": "c88151a5-fe3f-4773-8147-d801587065a4", - "target-uuid": "327f3cc5-eea1-42d4-a6cd-ed34b7ce8f61" - }, - "uuid": "e1275bcd-0462-4f79-b18f-2132b0bb74ec", - "value": "Application Deployment Software Mitigation (T1017) mitigates Application Deployment Software (T1017)" - }, - { - "meta": { - "source-uuid": "c0c45d38-fe57-4cd4-b2b2-9ecd0ddd4ca9", - "target-uuid": "970cdb5c-02fb-4c38-b17e-d6327cf3c810" - }, - "uuid": "8ce2219f-6c25-46a2-8215-a78871e2773a", - "value": "TinyZBot (S0004) uses Shortcut Modification (T1023)" - }, - { - "meta": { - "source-uuid": "083bb47b-02c8-4423-81a2-f9ef58572974", - "target-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc" - }, - "uuid": "087721ee-6643-4453-8a76-8768ced7e506", - "value": "Backdoor.Oldrea (S0093) uses Registry Run Keys / Start Folder (T1060)" - }, - { - "meta": { - "source-uuid": "a653431d-6a5e-4600-8ad3-609b5af57064", - "target-uuid": "68f7e3a1-f09f-4164-9a62-16b648a0dd5a" - }, - "uuid": "4fab8d06-e6fb-472f-91ee-f2fd29ef444e", - "value": "Deep Panda (G0009) uses Regsvr32 (T1117)" - }, - { - "meta": { - "source-uuid": "383caaa3-c46a-4f61-b2e3-653eb132f0e7", - "target-uuid": "1608f3e1-598a-42f4-a01a-2e252e81728f" - }, - "uuid": "42ab2855-fe9b-4ed2-bef7-db3a9dcf5a89", - "value": "Email Collection Mitigation (T1114) mitigates Email Collection (T1114)" - }, - { - "meta": { - "source-uuid": "1cc934e4-b01d-4543-a011-b988dfc1a458", - "target-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d" - }, - "uuid": "47415cec-25f8-4425-9125-157e1637a687", - "value": "Matroyshka (S0167) uses Process Injection (T1055)" - }, - { - "meta": { - "source-uuid": "92ec0cbd-2c30-44a2-b270-73f4ec949841", - "target-uuid": "f3c544dc-673c-4ef3-accb-53229f1ae077" - }, - "uuid": "4c3890f0-378d-4cef-8db7-0258161ff3f7", - "value": "RTM (S0148) uses System Time Discovery (T1124)" - }, - { - "meta": { - "source-uuid": "00c3bfcb-99bd-4767-8c03-b08f585f5c8a", - "target-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0" - }, - "uuid": 
"0db8a021-2f3a-41cc-abc6-d8723c7e802b", - "value": "PowerDuke (S0139) uses System Network Configuration Discovery (T1016)" - }, - { - "meta": { - "source-uuid": "234e7770-99b0-4f65-b983-d3230f76a60b", - "target-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688" - }, - "uuid": "fc67e15c-ae09-45e1-925f-8a6b0e8ca4ab", - "value": "Janicab (S0163) uses Screen Capture (T1113)" - }, - { - "meta": { - "source-uuid": "7aee8ea0-0baa-4232-b379-5d9ce98352cf", - "target-uuid": "66f73398-8394-4711-85e5-34c8540b22a5" - }, - "uuid": "9692d2b6-c933-4c1a-8ea0-1f0babfeeec9", - "value": "Hooking Mitigation (T1179) mitigates Hooking (T1179)" - }, - { - "meta": { - "source-uuid": "a653431d-6a5e-4600-8ad3-609b5af57064", - "target-uuid": "91000a8a-58cc-4aba-9ad0-993ad6302b86" - }, - "uuid": "66a3ab46-abcb-4234-a786-638044cfc50e", - "value": "Deep Panda (G0009) uses StreamEx (S0142)" - }, - { - "meta": { - "source-uuid": "2eb9b131-d333-4a48-9eb4-d8dec46c19ee", - "target-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9" - }, - "uuid": "e32b53b5-b112-483a-8d95-56bf3f43671f", - "value": "CosmicDuke (S0050) uses Scheduled Task (T1053)" - }, - { - "meta": { - "source-uuid": "f8dfbc54-b070-4224-b560-79aaa5f835bd", - "target-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59" - }, - "uuid": "2d090e9d-f9fb-4f73-99df-0e17a7489adb", - "value": "H1N1 (S0132) uses File Deletion (T1107)" - }, - { - "meta": { - "source-uuid": "8ae43c46-57ef-47d5-a77a-eebb35628db2", - "target-uuid": "b21c3b2d-02e6-45b1-980b-e69051040839" - }, - "uuid": "976202db-cdfa-4c4e-bc09-9b3cad90e6fb", - "value": "JHUHUGIT (S0044) uses Exploitation of Vulnerability (T1068)" - }, - { - "meta": { - "source-uuid": "fb366179-766c-4a4a-afa1-52bff1fd601c", - "target-uuid": "5a3a31fe-5a8f-48e1-bff0-a753e5b1be70" - }, - "uuid": "71daf1fe-a979-4cbc-bb0d-4e2d6c79274a", - "value": "Threat Group-3390 (G0027) uses China Chopper (S0020)" - }, - { - "meta": { - "source-uuid": "c93fccb1-e8e8-42cf-ae33-2ad1d183913a", - "target-uuid": 
"7bc57495-ea59-4380-be31-a64af124ef18" - }, - "uuid": "bd745d11-93d8-45db-8a68-08a52383375a", - "value": "Lazarus Group (G0032) uses File and Directory Discovery (T1083)" - }, - { - "meta": { - "source-uuid": "7a19ecb1-3c65-4de3-a230-993516aed6a6", - "target-uuid": "30489451-5886-4c46-90c9-0dff9adc5252" - }, - "uuid": "5c0645e4-f0c7-4bb4-bedb-29a96a472fe0", - "value": "Turla (G0010) uses Arp (S0099)" - }, - { - "meta": { - "source-uuid": "12c13879-b7bd-4bc5-8def-aacec386d432", - "target-uuid": "68f7e3a1-f09f-4164-9a62-16b648a0dd5a" - }, - "uuid": "0727c98a-b7e0-45ba-a20e-632d394ef422", - "value": "Regsvr32 Mitigation (T1117) mitigates Regsvr32 (T1117)" - }, - { - "meta": { - "source-uuid": "bef4c620-0787-42a8-a96d-b7eb6e85917c", - "target-uuid": "ccd61dfc-b03f-4689-8c18-7c97eab08472" - }, - "uuid": "24013fde-5ce7-4995-9d9f-d2ced31b9d9a", - "value": "APT28 (G0007) uses CHOPSTICK (S0023)" - }, - { - "meta": { - "source-uuid": "33f76731-b840-446f-bee0-53687dad24d9", - "target-uuid": "62166220-e498-410f-a90a-19d4339d4e99" - }, - "uuid": "3e9d8f68-a9c6-4be7-9639-56b64d4f600a", - "value": "Image File Execution Options Injection Mitigation (T1183) mitigates Image File Execution Options Injection (T1183)" - }, - { - "meta": { - "source-uuid": "38fd6a28-3353-4f2b-bb2b-459fecd5c648", - "target-uuid": "e066bf86-9cfb-407a-9d25-26fd5d91e360" - }, - "uuid": "e9612cb1-79a5-4987-aa83-b84aa7fa050f", - "value": "APT18 (G0026) uses HTTPBrowser (S0070)" - }, - { - "meta": { - "source-uuid": "aafea02e-ece5-4bb2-91a6-3bf8c7f38a39", - "target-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688" - }, - "uuid": "854a3a7e-09a7-4523-ac7f-d625a0b50b6b", - "value": "Cobalt Strike (S0154) uses Screen Capture (T1113)" - }, - { - "meta": { - "source-uuid": "5a63f900-5e7e-4928-a746-dd4558e1df71", - "target-uuid": "bb0e0cb5-f3e4-4118-a4cb-6bf13bfbc9f2" - }, - "uuid": "581f8dd6-edd4-467b-a3d5-3177870b0264", - "value": "netsh (S0108) uses Netsh Helper DLL (T1128)" - }, - { - "meta": { - "source-uuid": 
"51b37302-b844-4c08-ac98-ae6955ed1f55", - "target-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688" - }, - "uuid": "366214ea-29b0-458a-a852-7a76420783d2", - "value": "Screen Capture Mitigation (T1113) mitigates Screen Capture (T1113)" - }, - { - "meta": { - "source-uuid": "0bbdf25b-30ff-4894-a1cd-49260d0dd2d9", - "target-uuid": "9b99b83a-1aac-4e29-b975-b374950551a3" - }, - "uuid": "a92197a8-ec5c-4366-92af-f45078a3bfd7", - "value": "APT3 (G0022) uses Accessibility Features (T1015)" - }, - { - "meta": { - "source-uuid": "67e6d66b-1b82-4699-b47a-e2efb6268d14", - "target-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc" - }, - "uuid": "bcdbb8dc-87e5-4f29-8ff2-d660e53015cb", - "value": "SeaDuke (S0053) uses Registry Run Keys / Start Folder (T1060)" - }, - { - "meta": { - "source-uuid": "aafea02e-ece5-4bb2-91a6-3bf8c7f38a39", - "target-uuid": "b21c3b2d-02e6-45b1-980b-e69051040839" - }, - "uuid": "b942cd55-6fed-49a1-ba05-af23836b518f", - "value": "Cobalt Strike (S0154) uses Exploitation of Vulnerability (T1068)" - }, - { - "meta": { - "source-uuid": "fb366179-766c-4a4a-afa1-52bff1fd601c", - "target-uuid": "10d51417-ee35-4589-b1ff-b6df1c334e8d" - }, - "uuid": "ab6a19e4-ce00-46cd-ae83-0798471e4a4a", - "value": "Threat Group-3390 (G0027) uses External Remote Services (T1133)" - }, - { - "meta": { - "source-uuid": "6b616fc1-1505-48e3-8b2c-0d19337bff38", - "target-uuid": "774a3188-6ba9-4dc4-879d-d54ee48a5ce9" - }, - "uuid": "59261bc8-0220-4e37-8018-7a3618a5dd1b", - "value": "Rover (S0090) uses Automated Exfiltration (T1020)" - }, - { - "meta": { - "source-uuid": "85b39628-204a-48d2-b377-ec368cbcb7ca", - "target-uuid": "7bc57495-ea59-4380-be31-a64af124ef18" - }, - "uuid": "6cfd1f0f-0355-4b1a-af29-84ed992bbb71", - "value": "TINYTYPHON (S0131) uses File and Directory Discovery (T1083)" - }, - { - "meta": { - "source-uuid": "e8268361-a599-4e45-bd3f-71c8c7e700c0", - "target-uuid": "3b3cbbe0-6ed3-4334-b543-3ddfd8c5642d" - }, - "uuid": "5b3d2b2f-73f4-4fef-9cb9-b11db3eb4c4f", - "value": 
"httpclient (S0068) uses Custom Cryptographic Protocol (T1024)" - }, - { - "meta": { - "source-uuid": "17862c7d-9e60-48a0-b48e-da4dc4c3f6b0", - "target-uuid": "ca1a3f50-5ebd-41f8-8320-2c7d6a6e88be" - }, - "uuid": "d16d59aa-f056-4cc7-9f67-0e80db9cdacb", - "value": "Patchwork (G0040) uses Bypass User Account Control (T1088)" - }, - { - "meta": { - "source-uuid": "53cf6cc4-65aa-445a-bcf8-c3d296f8a7a2", - "target-uuid": "f24faf46-3b26-4dbb-98f2-63460498e433" - }, - "uuid": "a713d0d3-2897-4da2-995f-df3a40f04b29", - "value": "NETEAGLE (S0034) uses Fallback Channels (T1008)" - }, - { - "meta": { - "source-uuid": "17862c7d-9e60-48a0-b48e-da4dc4c3f6b0", - "target-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22" - }, - "uuid": "1df7df54-c4c1-49f0-a0c3-11102db44f2c", - "value": "Patchwork (G0040) uses Credential Dumping (T1003)" - }, - { - "meta": { - "source-uuid": "3cab1b76-2f40-4cd0-8d2c-7ed16eeb909c", - "target-uuid": "f879d51c-5476-431c-aedf-f14d207e4d1e" - }, - "uuid": "b4b71687-5aed-4cde-ba59-c37bb5231878", - "value": "ELMER (S0064) uses Commonly Used Port (T1043)" - }, - { - "meta": { - "source-uuid": "16a8ac85-a06f-460f-ad22-910167bd7332", - "target-uuid": "519630c5-f03f-4882-825c-3af924935817" - }, - "uuid": "1a3de27b-377c-4390-9911-2da8aaa705e3", - "value": "Binary Padding Mitigation (T1009) mitigates Binary Padding (T1009)" - }, - { - "meta": { - "source-uuid": "222fbd21-fc4f-4b7e-9f85-0e6e3a76c33f", - "target-uuid": "b77b563c-34bb-4fb8-86a3-3694338f7b47" - }, - "uuid": "e5f75ae0-45f5-48b8-938f-f0d9e17e53eb", - "value": "menuPass (G0045) uses Ping (S0097)" - }, - { - "meta": { - "source-uuid": "6a0ef5d4-fc7c-4dda-85d7-592e4dbdc5d9", - "target-uuid": "72b74d71-8169-42aa-92e0-e7b04b9f5a08" - }, - "uuid": "2eb985a1-e73e-4554-8638-2e6f27690ec0", - "value": "Sykipot (S0018) uses Account Discovery (T1087)" - }, - { - "meta": { - "source-uuid": "2daa14d6-cbf3-4308-bb8e-213c324a08e4", - "target-uuid": "830c9528-df21-472c-8c14-a036bf17d665" - }, - "uuid": 
"c7420523-7dc0-4118-a075-93f9c0268627", - "value": "HAMMERTOSS (S0037) uses Web Service (T1102)" - }, - { - "meta": { - "source-uuid": "0db09158-6e48-4e7c-8ce7-2b10b9c0c039", - "target-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830" - }, - "uuid": "b4e77f71-970a-4b24-938f-0d50ecea1969", - "value": "Misdat (S0083) uses Command-Line Interface (T1059)" - }, - { - "meta": { - "source-uuid": "64d76fa5-cf8f-469c-b78c-1a4f7c5bad80", - "target-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580" - }, - "uuid": "b82f51f9-74a0-43e1-b3c6-63df3a90c9eb", - "value": "BBSRAT (S0127) uses Process Discovery (T1057)" - }, - { - "meta": { - "source-uuid": "5cbe0d3b-6fb1-471f-b591-4b192915116d", - "target-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22" - }, - "uuid": "a0c55c8d-6192-4faa-a5a2-1742fb5815a0", - "value": "Suckfly (G0039) uses Credential Dumping (T1003)" - }, - { - "meta": { - "source-uuid": "e066bf86-9cfb-407a-9d25-26fd5d91e360", - "target-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc" - }, - "uuid": "259b878f-147e-443b-8360-aabc00cf6d73", - "value": "HTTPBrowser (S0070) uses Registry Run Keys / Start Folder (T1060)" - }, - { - "meta": { - "source-uuid": "4ca1929c-7d64-4aab-b849-badbfc0c760d", - "target-uuid": "4664b683-f578-434f-919b-1c1aad2a1111" - }, - "uuid": "5744b31d-6633-44ca-8170-17489fec124c", - "value": "OilRig (G0049) uses netstat (S0104)" - }, - { - "meta": { - "source-uuid": "691c60e2-273d-4d56-9ce6-b67e0f8719ad", - "target-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0" - }, - "uuid": "84bc4ba8-ab0e-4c60-92ed-26496a831611", - "value": "Truvasys (S0178) uses Masquerading (T1036)" - }, - { - "meta": { - "source-uuid": "17b40f60-729f-4fe8-8aea-cc9ee44a95d5", - "target-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0" - }, - "uuid": "9b8ff36d-ff96-460a-b5cf-d369e7f598d9", - "value": "RedLeaves (S0153) uses System Network Configuration Discovery (T1016)" - }, - { - "meta": { - "source-uuid": "7a19ecb1-3c65-4de3-a230-993516aed6a6", - "target-uuid": 
"a93494bb-4b80-4ea1-8695-3236a49916fd" - }, - "uuid": "5682d524-80f0-4fd8-9960-6f54eeafce96", - "value": "Turla (G0010) uses Brute Force (T1110)" - }, - { - "meta": { - "source-uuid": "93f52415-0fe4-4d3d-896c-fc9b8e88ab90", - "target-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830" - }, - "uuid": "39791d22-fec7-4459-8321-c9aa824d5fc1", - "value": "BRONZE BUTLER (G0060) uses Command-Line Interface (T1059)" - }, - { - "meta": { - "source-uuid": "dcd81c6e-ebf7-4a16-93e0-9a97fa49c88a", - "target-uuid": "62b8c999-dcc0-4755-bd69-09442d9359f5" - }, - "uuid": "896cd1de-ffa7-4f69-a981-2859cc756601", - "value": "CopyKittens (G0052) uses Rundll32 (T1085)" - }, - { - "meta": { - "source-uuid": "2a158b0a-7ef8-43cb-9985-bf34d1e12050", - "target-uuid": "2e45723a-31da-4a7e-aaa6-e01998a6788f" - }, - "uuid": "f2d601c9-8cc7-4425-b76f-fbc9997b55fd", - "value": "Naikon (G0019) uses Tasklist (S0057)" - }, - { - "meta": { - "source-uuid": "00c3bfcb-99bd-4767-8c03-b08f585f5c8a", - "target-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580" - }, - "uuid": "62f9aa2c-b0c1-4028-a2b8-c436e30ace4b", - "value": "PowerDuke (S0139) uses Process Discovery (T1057)" - }, - { - "meta": { - "source-uuid": "59a97b15-8189-4d51-9404-e1ce8ea4a069", - "target-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2" - }, - "uuid": "11ed82c1-88af-4c23-860e-185505389288", - "value": "XAgentOSX (S0161) uses Input Capture (T1056)" - }, - { - "meta": { - "source-uuid": "2fb26586-2b53-4b9a-ad4f-2b3bcb9a2421", - "target-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc" - }, - "uuid": "8904bd95-4844-4fe4-b6b6-47e4a4f8d85d", - "value": "SslMM (S0058) uses Registry Run Keys / Start Folder (T1060)" - }, - { - "meta": { - "source-uuid": "3e9f8875-d2f7-4380-a578-84393bd3b025", - "target-uuid": "c3bce4f4-9795-46c6-976e-8676300bbc39" - }, - "uuid": "d35b9e63-a236-47f4-9fa8-d04719858115", - "value": "Windows Remote Management Mitigation (T1028) mitigates Windows Remote Management (T1028)" - }, - { - "meta": { - "source-uuid": 
"85403903-15e0-4f9f-9be4-a259ecad4022", - "target-uuid": "e358d692-23c0-4a31-9eb6-ecc13a8d7735" - }, - "uuid": "3ef6a3fb-0d59-4ba5-b2d0-dc32d547b74f", - "value": "FIN5 (G0053) uses Remote System Discovery (T1018)" - }, - { - "meta": { - "source-uuid": "25e53928-6f33-49b7-baee-8180578286f6", - "target-uuid": "6856ddd6-2df3-4379-8b87-284603c189c3" - }, - "uuid": "ab524992-5666-466b-8c12-ec79b269901b", - "value": "System Firmware Mitigation (T1019) mitigates System Firmware (T1019)" - }, - { - "meta": { - "source-uuid": "17e919aa-4a49-445c-b103-dbb8df9e7351", - "target-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add" - }, - "uuid": "d04d6101-f6f6-42a2-8679-351956b75228", - "value": "POWERSOURCE (S0145) uses Remote File Copy (T1105)" - }, - { - "meta": { - "source-uuid": "69d6f4a9-fcf0-4f51-bca7-597c51ad0bb8", - "target-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d" - }, - "uuid": "11247a95-272b-4ae2-8dae-2cd049328734", - "value": "Remsec (S0125) uses Process Injection (T1055)" - }, - { - "meta": { - "source-uuid": "9ea525fa-b0a9-4dde-84f2-bcea0137b3c1", - "target-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580" - }, - "uuid": "1035fe41-56b9-4966-bf3b-109ae950c908", - "value": "MoonWind (S0149) uses Process Discovery (T1057)" - }, - { - "meta": { - "source-uuid": "2eb9b131-d333-4a48-9eb4-d8dec46c19ee", - "target-uuid": "a19e86f8-1c0a-4fea-8407-23b73d615776" - }, - "uuid": "3d4dabc2-3bee-409a-a05d-e107677cfdc7", - "value": "CosmicDuke (S0050) uses Exfiltration Over Alternative Protocol (T1048)" - }, - { - "meta": { - "source-uuid": "a60657fa-e2e7-4f8f-8128-a882534ae8c5", - "target-uuid": "128c55d3-aeba-469f-bd3e-c8996ab4112a" - }, - "uuid": "37804b22-63b4-4b24-846e-6541688d9213", - "value": "OwaAuth (S0072) uses Timestomp (T1099)" - }, - { - "meta": { - "source-uuid": "6713ab67-e25b-49cc-808d-2b36d4fbc35c", - "target-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22" - }, - "uuid": "c8db7b65-563d-47ba-9e06-cabdbade47e9", - "value": "Ke3chang (G0004) uses Credential Dumping (T1003)" 
- }, - { - "meta": { - "source-uuid": "e333cf16-5bfa-453e-8e6a-3a4c63d6bfcc", - "target-uuid": "53bfc8bf-8f76-4cd7-8958-49a884ddb3ee" - }, - "uuid": "d9ae86e6-377b-45d5-b32c-89776fd7755c", - "value": "Launchctl Mitigation (T1152) mitigates Launchctl (T1152)" - }, - { - "meta": { - "source-uuid": "68ba94ab-78b8-43e7-83e2-aed3466882c6", - "target-uuid": "cde2d700-9ed1-46cf-9bce-07364fe8b24f" - }, - "uuid": "e603a78c-ecbc-46b2-95cc-08251c1faea9", - "value": "APT34 (G0057) uses Reg (S0075)" - }, - { - "meta": { - "source-uuid": "083bb47b-02c8-4423-81a2-f9ef58572974", - "target-uuid": "1608f3e1-598a-42f4-a01a-2e252e81728f" - }, - "uuid": "98abda72-4760-4e8c-ab6c-5ed080868cfc", - "value": "Backdoor.Oldrea (S0093) uses Email Collection (T1114)" - }, - { - "meta": { - "source-uuid": "2497ac92-e751-4391-82c6-1b86e34d0294", - "target-uuid": "774a3188-6ba9-4dc4-879d-d54ee48a5ce9" - }, - "uuid": "b8306976-370f-403d-9983-fe3327c00709", - "value": "Automated Exfiltration Mitigation (T1020) mitigates Automated Exfiltration (T1020)" - }, - { - "meta": { - "source-uuid": "b8eb28e4-48a6-40ae-951a-328714f75eda", - "target-uuid": "f24faf46-3b26-4dbb-98f2-63460498e433" - }, - "uuid": "3ac3a282-e1be-45f8-8974-0a94e5d43644", - "value": "BISCUIT (S0017) uses Fallback Channels (T1008)" - }, - { - "meta": { - "source-uuid": "166c0eca-02fd-424a-92c0-6b5106994d31", - "target-uuid": "322bad5a-1c49-4d23-ab79-76d641794afa" - }, - "uuid": "b7601a08-a52d-4daa-acb9-2f5e3392b6c3", - "value": "ZLib (S0086) uses System Service Discovery (T1007)" - }, - { - "meta": { - "source-uuid": "7551188b-8f91-4d34-8350-0d0c57b2b913", - "target-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d" - }, - "uuid": "f72d9605-eea6-4ed4-8502-231d4c21431f", - "value": "Elise (S0081) uses Process Injection (T1055)" - }, - { - "meta": { - "source-uuid": "e066bf86-9cfb-407a-9d25-26fd5d91e360", - "target-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6" - }, - "uuid": "b052a076-6d4e-49f5-95ac-16264ef05b1d", - "value": "HTTPBrowser 
(S0070) uses Standard Application Layer Protocol (T1071)" - }, - { - "meta": { - "source-uuid": "37cc7eb6-12e3-467b-82e8-f20f2cc73c69", - "target-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc" - }, - "uuid": "c5fa4766-4468-4afd-9b5f-5ce4f443729d", - "value": "Prikormka (S0113) uses Registry Run Keys / Start Folder (T1060)" - }, - { - "meta": { - "source-uuid": "123bd7b3-675c-4b1a-8482-c55782b20e2b", - "target-uuid": "c21d5a77-d422-4a69-acd7-2c53c1faa34b" - }, - "uuid": "b9b0e376-f249-432f-a0d3-dfa259b4757a", - "value": "BUBBLEWRAP (S0043) uses Standard Non-Application Layer Protocol (T1095)" - }, - { - "meta": { - "source-uuid": "8c553311-0baa-4146-997a-f79acef3d831", - "target-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d" - }, - "uuid": "22a75bbf-5490-40cb-bdb7-a0eda5e95d21", - "value": "RARSTONE (S0055) uses Process Injection (T1055)" - }, - { - "meta": { - "source-uuid": "6a2e693f-24e5-451a-9f88-b36a108e5662", - "target-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22" - }, - "uuid": "28b27852-4125-4639-a07b-0b97dfdb650a", - "value": "APT1 (G0006) uses Credential Dumping (T1003)" - }, - { - "meta": { - "source-uuid": "123bd7b3-675c-4b1a-8482-c55782b20e2b", - "target-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1" - }, - "uuid": "ea4c3651-b2a3-418e-8d3b-3c8075b988ef", - "value": "BUBBLEWRAP (S0043) uses System Information Discovery (T1082)" - }, - { - "meta": { - "source-uuid": "687c23e4-4e25-4ee7-a870-c5e002511f54", - "target-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a" - }, - "uuid": "40772ec1-2f25-425f-aad5-635f64ba8fd2", - "value": "DustySky (S0062) uses Obfuscated Files or Information (T1027)" - }, - { - "meta": { - "source-uuid": "247cb30b-955f-42eb-97a5-a89fef69341e", - "target-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a" - }, - "uuid": "db91e39d-daa4-4f9c-a7a6-be67eba712d2", - "value": "APT32 (G0050) uses Obfuscated Files or Information (T1027)" - }, - { - "meta": { - "source-uuid": "b96680d1-5eb3-4f07-b95c-00ab904ac236", - "target-uuid": 
"e6919abc-99f9-4c6c-95a5-14761e7b2add" - }, - "uuid": "ce4707f0-d5b8-4dd6-b5ab-cf1483dd236f", - "value": "Pisloader (S0124) uses Remote File Copy (T1105)" - }, - { - "meta": { - "source-uuid": "8901ac23-6b50-410c-b0dd-d8174a86f9b3", - "target-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0" - }, - "uuid": "3c630128-27ba-4c71-b09a-c9ac39e7acac", - "value": "Shamoon (S0140) uses Masquerading (T1036)" - }, - { - "meta": { - "source-uuid": "aeff5887-8f9e-48d5-a523-9b395e2ce80a", - "target-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22" - }, - "uuid": "ef79ec2f-fd7f-4f0b-851c-d215693987be", - "value": "Credential Dumping Mitigation (T1003) mitigates Credential Dumping (T1003)" - }, - { - "meta": { - "source-uuid": "495b6cdb-7b5a-4fbc-8d33-e7ef68806d08", - "target-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add" - }, - "uuid": "720cc0d6-9285-425b-bda2-3bdd59b4ea8f", - "value": "Volgmer (S0180) uses Remote File Copy (T1105)" - }, - { - "meta": { - "source-uuid": "00c3bfcb-99bd-4767-8c03-b08f585f5c8a", - "target-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104" - }, - "uuid": "5efe685d-66a6-4f1f-8779-4aae5db859d0", - "value": "PowerDuke (S0139) uses System Owner/User Discovery (T1033)" - }, - { - "meta": { - "source-uuid": "a653431d-6a5e-4600-8ad3-609b5af57064", - "target-uuid": "c16e5409-ee53-4d79-afdc-4099dc9292df" - }, - "uuid": "44f230bb-b59a-4f30-8203-5e5ffd9796f5", - "value": "Deep Panda (G0009) uses Web Shell (T1100)" - }, - { - "meta": { - "source-uuid": "fbb470da-1d44-4f29-bbb3-9efbe20f94a3", - "target-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add" - }, - "uuid": "d7699bcf-5732-40f5-a715-d430b00b043e", - "value": "Mivast (S0080) uses Remote File Copy (T1105)" - }, - { - "meta": { - "source-uuid": "f6d1d2cb-12f5-4221-9636-44606ea1f3f8", - "target-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896" - }, - "uuid": "60198640-1e5a-4b8e-9a69-5f275f7e0e68", - "value": "OSInfo (S0165) uses Query Registry (T1012)" - }, - { - "meta": { - "source-uuid": "bef4c620-0787-42a8-a96d-b7eb6e85917c", 
- "target-uuid": "b21c3b2d-02e6-45b1-980b-e69051040839" - }, - "uuid": "cce31baa-5862-4df5-806f-15aaa7410fa5", - "value": "APT28 (G0007) uses Exploitation of Vulnerability (T1068)" - }, - { - "meta": { - "source-uuid": "5967cc93-57c9-404a-8ffd-097edfa7bdfc", - "target-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6" - }, - "uuid": "27a64a3a-62cb-4c1b-adfc-5070e2f1e744", - "value": "Hi-Zor (S0087) uses Standard Application Layer Protocol (T1071)" - }, - { - "meta": { - "source-uuid": "752db800-ea54-4e7a-b4c1-2a0292350ea7", - "target-uuid": "7d751199-05fa-4a72-920f-85df4506c76c" - }, - "uuid": "4ce0f95f-577c-4a02-a355-328cf376ceba", - "value": "Multi-hop Proxy Mitigation (T1188) mitigates Multi-hop Proxy (T1188)" - }, - { - "meta": { - "source-uuid": "68dca94f-c11d-421e-9287-7c501108e18c", - "target-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9" - }, - "uuid": "bdee01a7-16cb-417e-8d9b-c98afd445bbc", - "value": "Duqu (S0038) uses Scheduled Task (T1053)" - }, - { - "meta": { - "source-uuid": "0bbdf25b-30ff-4894-a1cd-49260d0dd2d9", - "target-uuid": "a93494bb-4b80-4ea1-8695-3236a49916fd" - }, - "uuid": "1334cbe3-8613-4279-9a1f-58781c2656a4", - "value": "APT3 (G0022) uses Brute Force (T1110)" - }, - { - "meta": { - "source-uuid": "2a7914cf-dff3-428d-ab0f-1014d1c28aeb", - "target-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc" - }, - "uuid": "4b45b720-a606-4c52-a28a-2ef298f9b42f", - "value": "FIN6 (G0037) uses Registry Run Keys / Start Folder (T1060)" - }, - { - "meta": { - "source-uuid": "af2ad3b7-ab6a-4807-91fd-51bcaff9acbb", - "target-uuid": "30208d3e-0d6b-43c8-883e-44462a514619" - }, - "uuid": "7a892ca0-f915-4dc1-817a-cdcfb6777f28", - "value": "USBStealer (S0136) uses Automated Collection (T1119)" - }, - { - "meta": { - "source-uuid": "12cba7de-0a22-4a56-b51e-c514c67c3b43", - "target-uuid": "ce73ea43-8e77-47ba-9c11-5e9c9c58b9ff" - }, - "uuid": "0fe893d6-a52f-4828-a792-eeb6a3e4f979", - "value": "Hidden Users Mitigation (T1147) mitigates Hidden Users (T1147)" - }, - { - 
"meta": { - "source-uuid": "fb366179-766c-4a4a-afa1-52bff1fd601c", - "target-uuid": "b9f5dbe2-4c55-4fc5-af2e-d42c1d182ec4" - }, - "uuid": "a73f9ed3-7f51-4709-a63f-f5ef59aa25cf", - "value": "Threat Group-3390 (G0027) uses Data Compressed (T1002)" - }, - { - "meta": { - "source-uuid": "82cb34ba-02b5-432b-b2d2-07f55cbf674d", - "target-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688" - }, - "uuid": "0bd9fd2b-e2f7-48f1-8988-31c041691585", - "value": "Trojan.Karagany (S0094) uses Screen Capture (T1113)" - }, - { - "meta": { - "source-uuid": "80a014ba-3fef-4768-990b-37d8bd10d7f4", - "target-uuid": "6ff403bc-93e3-48be-8687-e102fdba8c88" - }, - "uuid": "229e8b6e-6c16-406a-8def-7588aaae4fcb", - "value": "Uroburos (S0022) uses Software Packing (T1045)" - }, - { - "meta": { - "source-uuid": "65341f30-bec6-4b1d-8abf-1a5620446c29", - "target-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0" - }, - "uuid": "f6cb3957-be7f-41bf-ad44-3dfbd7a5dfe2", - "value": "Reaver (S0172) uses System Network Configuration Discovery (T1016)" - }, - { - "meta": { - "source-uuid": "fbe9387f-34e6-4828-ac28-3080020c597b", - "target-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59" - }, - "uuid": "059f8b03-59f9-45da-9c12-862f50e5fe45", - "value": "FIN10 (G0051) uses File Deletion (T1107)" - }, - { - "meta": { - "source-uuid": "91000a8a-58cc-4aba-9ad0-993ad6302b86", - "target-uuid": "478aa214-2ca7-4ec0-9978-18798e514790" - }, - "uuid": "5576c38e-6b03-4ea9-8936-60eeddb749a7", - "value": "StreamEx (S0142) uses New Service (T1050)" - }, - { - "meta": { - "source-uuid": "64fa0de0-6240-41f4-8638-f4ca7ed528fd", - "target-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670" - }, - "uuid": "deafd60c-af1a-40eb-bc43-287b37553fae", - "value": "PlugX (S0013) uses Execution through API (T1106)" - }, - { - "meta": { - "source-uuid": "f5352566-1a64-49ac-8f7f-97e1d1a03300", - "target-uuid": "ca1a3f50-5ebd-41f8-8320-2c7d6a6e88be" - }, - "uuid": "5cd8b8a9-fd11-4405-8369-b12398b94def", - "value": "AutoIt backdoor (S0129) uses Bypass User 
Account Control (T1088)" - }, - { - "meta": { - "source-uuid": "03342581-f790-4f03-ba41-e82e67392e23", - "target-uuid": "f3c544dc-673c-4ef3-accb-53229f1ae077" - }, - "uuid": "12455fe5-42dd-420e-839e-8a96886488f7", - "value": "Net (S0039) uses System Time Discovery (T1124)" - }, - { - "meta": { - "source-uuid": "910482b1-6749-4934-abcb-3e34d58294fc", - "target-uuid": "772bc7a8-a157-42cc-8728-d648e25c7fe7" - }, - "uuid": "65a4317d-86b2-40c1-9d27-a067bcc2ad80", - "value": "Distributed Component Object Model Mitigation (T1175) mitigates Distributed Component Object Model (T1175)" - }, - { - "meta": { - "source-uuid": "ccd61dfc-b03f-4689-8c18-7c97eab08472", - "target-uuid": "4b74a1d4-b0e9-4ef1-93f1-14ecc6e2f5b5" - }, - "uuid": "f29a3a93-e697-4d6f-8087-eec72856bae5", - "value": "CHOPSTICK (S0023) uses Standard Cryptographic Protocol (T1032)" - }, - { - "meta": { - "source-uuid": "2a7914cf-dff3-428d-ab0f-1014d1c28aeb", - "target-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6" - }, - "uuid": "20c7d1a2-be94-4f58-83a9-7eb9e05c4449", - "value": "FIN6 (G0037) uses Standard Application Layer Protocol (T1071)" - }, - { - "meta": { - "source-uuid": "58adaaa8-f1e8-4606-9a08-422e568461eb", - "target-uuid": "72b74d71-8169-42aa-92e0-e7b04b9f5a08" - }, - "uuid": "33630ee4-24dc-4339-b29f-3d8b39e7daae", - "value": "SHOTPUT (S0063) uses Account Discovery (T1087)" - }, - { - "meta": { - "source-uuid": "3753cc21-2dae-4dfb-8481-d004e74502cc", - "target-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9" - }, - "uuid": "1f7b17e9-9ad3-42dd-ab92-e3afe752247b", - "value": "FIN7 (G0046) uses Scheduled Task (T1053)" - }, - { - "meta": { - "source-uuid": "afc079f3-c0ea-4096-b75d-3f05338b7f60", - "target-uuid": "a10641f4-87b4-45a3-a906-92a149cb2c27" - }, - "uuid": "6e641c36-188b-480e-b177-e412cd000b34", - "value": "Mimikatz (S0002) uses Account Manipulation (T1098)" - }, - { - "meta": { - "source-uuid": "89f63ae4-f229-4a5c-95ad-6f22ed2b5c49", - "target-uuid": "a10641f4-87b4-45a3-a906-92a149cb2c27" - }, - 
"uuid": "f76355cb-9aa5-403c-aae4-8faed799ac31", - "value": "Skeleton Key (S0007) uses Account Manipulation (T1098)" - }, - { - "meta": { - "source-uuid": "b6b3dfc7-9a81-43ff-ac04-698bad48973a", - "target-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a" - }, - "uuid": "92b34cc0-b059-4294-824f-bb92298f3ae6", - "value": "Daserf (S0187) uses Obfuscated Files or Information (T1027)" - }, - { - "meta": { - "source-uuid": "6a2e693f-24e5-451a-9f88-b36a108e5662", - "target-uuid": "b07c2c47-fefb-4d7c-a69e-6a3296171f54" - }, - "uuid": "6e366a30-cf75-4a47-855f-91a006014ada", - "value": "APT1 (G0006) uses gsecdump (S0008)" - }, - { - "meta": { - "source-uuid": "247cb30b-955f-42eb-97a5-a89fef69341e", - "target-uuid": "aafea02e-ece5-4bb2-91a6-3bf8c7f38a39" - }, - "uuid": "ab9b78cc-2b83-4074-beeb-0af4aad906d3", - "value": "APT32 (G0050) uses Cobalt Strike (S0154)" - }, - { - "meta": { - "source-uuid": "59a97b15-8189-4d51-9404-e1ce8ea4a069", - "target-uuid": "348f1eef-964b-4eb6-bb53-69b3dcb0c643" - }, - "uuid": "6c8303dd-6ecc-47ea-abd6-6d5b2e557d96", - "value": "XAgentOSX (S0161) uses Peripheral Device Discovery (T1120)" - }, - { - "meta": { - "source-uuid": "fb575479-14ef-41e9-bfab-0b7cf10bec73", - "target-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2" - }, - "uuid": "0d328be7-85d2-4558-a4e3-cc5ce8bc7e2e", - "value": "ADVSTORESHELL (S0045) uses Input Capture (T1056)" - }, - { - "meta": { - "source-uuid": "a8d3d497-2da9-4797-8e0b-ed176be08654", - "target-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d" - }, - "uuid": "e7baabf7-9300-432d-aa78-000ac099d4d3", - "value": "Wingbird (S0176) uses Process Injection (T1055)" - }, - { - "meta": { - "source-uuid": "0bbdf25b-30ff-4894-a1cd-49260d0dd2d9", - "target-uuid": "b2001907-166b-4d71-bb3c-9d26c871de09" - }, - "uuid": "99c0cda4-91b1-4845-9891-9a4b89c128f9", - "value": "APT3 (G0022) uses DLL Side-Loading (T1073)" - }, - { - "meta": { - "source-uuid": "5967cc93-57c9-404a-8ffd-097edfa7bdfc", - "target-uuid": "f879d51c-5476-431c-aedf-f14d207e4d1e" 
- }, - "uuid": "5b650388-4ab3-4c56-a69e-df7eba7f0756", - "value": "Hi-Zor (S0087) uses Commonly Used Port (T1043)" - }, - { - "meta": { - "source-uuid": "bef4c620-0787-42a8-a96d-b7eb6e85917c", - "target-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59" - }, - "uuid": "5ea36f9f-f5b6-4494-be0a-061058d6b1f1", - "value": "APT28 (G0007) uses File Deletion (T1107)" - }, - { - "meta": { - "source-uuid": "2a6f4c7b-e690-4cc7-ab6b-1f821fb6b80b", - "target-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6" - }, - "uuid": "12cc7738-bb90-4e77-a96d-8e4f312e07d4", - "value": "LOWBALL (S0042) uses Standard Application Layer Protocol (T1071)" - }, - { - "meta": { - "source-uuid": "94379dec-5c87-49db-b36e-66abc0b81344", - "target-uuid": "3b3cbbe0-6ed3-4334-b543-3ddfd8c5642d" - }, - "uuid": "a7cb0193-e854-4361-b1a1-fc4e68354c59", - "value": "Derusbi (S0021) uses Custom Cryptographic Protocol (T1024)" - }, - { - "meta": { - "source-uuid": "166c0eca-02fd-424a-92c0-6b5106994d31", - "target-uuid": "478aa214-2ca7-4ec0-9978-18798e514790" - }, - "uuid": "3f02c07f-663f-4c54-b7e0-c2b2dbe82335", - "value": "ZLib (S0086) uses New Service (T1050)" - }, - { - "meta": { - "source-uuid": "fbe9387f-34e6-4828-ac28-3080020c597b", - "target-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc" - }, - "uuid": "75b383eb-5483-4c44-a721-ee1cffa6edb7", - "value": "FIN10 (G0051) uses Registry Run Keys / Start Folder (T1060)" - }, - { - "meta": { - "source-uuid": "899ce53f-13a0-479b-a0e4-67d46e241542", - "target-uuid": "2eb9b131-d333-4a48-9eb4-d8dec46c19ee" - }, - "uuid": "eeae630c-0c58-4397-90fb-05f5b60b720f", - "value": "APT29 (G0016) uses CosmicDuke (S0050)" - }, - { - "meta": { - "source-uuid": "aafea02e-ece5-4bb2-91a6-3bf8c7f38a39", - "target-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5" - }, - "uuid": "f4865a5c-c17c-408a-94de-2feac0d006fd", - "value": "Cobalt Strike (S0154) uses Data from Local System (T1005)" - }, - { - "meta": { - "source-uuid": "68dca94f-c11d-421e-9287-7c501108e18c", - "target-uuid": 
"43e7dc91-05b2-474c-b9ac-2ed4fe101f4d" - }, - "uuid": "7c3b845e-56ca-4580-b060-a3fa42b86a86", - "value": "Duqu (S0038) uses Process Injection (T1055)" - }, - { - "meta": { - "source-uuid": "0f862b01-99da-47cc-9bdb-db4a86a95bb1", - "target-uuid": "478aa214-2ca7-4ec0-9978-18798e514790" - }, - "uuid": "ea6289bb-c974-4e4c-bdc4-1c3211a6d1d4", - "value": "Emissary (S0082) uses New Service (T1050)" - }, - { - "meta": { - "source-uuid": "4c59cce8-cb48-4141-b9f1-f646edfaadb0", - "target-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6" - }, - "uuid": "2fe9c7cf-44aa-495b-bde6-80cbfc4fbed9", - "value": "Regin (S0019) uses Standard Application Layer Protocol (T1071)" - }, - { - "meta": { - "source-uuid": "98e8a977-3416-43aa-87fa-33e287e9c14c", - "target-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896" - }, - "uuid": "47f611f4-b9f0-42ef-9629-ee4a56e737ed", - "value": "WINDSHIELD (S0155) uses Query Registry (T1012)" - }, - { - "meta": { - "source-uuid": "894aab42-3371-47b1-8859-a4a074c804c8", - "target-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6" - }, - "uuid": "782da600-bc3b-4dae-89d1-4a79522bed02", - "value": "Stealth Falcon (G0038) uses Standard Application Layer Protocol (T1071)" - }, - { - "meta": { - "source-uuid": "37cc7eb6-12e3-467b-82e8-f20f2cc73c69", - "target-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22" - }, - "uuid": "5c84cfe2-a395-47c6-831a-4491f8585a00", - "value": "Prikormka (S0113) uses Credential Dumping (T1003)" - }, - { - "meta": { - "source-uuid": "cf23bf4a-e003-4116-bbae-1ea6c558d565", - "target-uuid": "f879d51c-5476-431c-aedf-f14d207e4d1e" - }, - "uuid": "05352dad-ecbb-477c-a05c-5eb3d67ae9ae", - "value": "FTP (S0095) uses Commonly Used Port (T1043)" - }, - { - "meta": { - "source-uuid": "899ce53f-13a0-479b-a0e4-67d46e241542", - "target-uuid": "c23b740b-a42b-47a1-aec2-9d48ddd547ff" - }, - "uuid": "5de21fc4-c460-4da4-9dc4-2acdd54640a8", - "value": "APT29 (G0016) uses Pass the Hash (T1075)" - }, - { - "meta": { - "source-uuid": 
"69d6f4a9-fcf0-4f51-bca7-597c51ad0bb8", - "target-uuid": "7e150503-88e7-4861-866b-ff1ac82c4475" - }, - "uuid": "24bce281-7858-4a42-bfd6-601800fb63f7", - "value": "Remsec (S0125) uses System Network Connections Discovery (T1049)" - }, - { - "meta": { - "source-uuid": "69d6f4a9-fcf0-4f51-bca7-597c51ad0bb8", - "target-uuid": "b21c3b2d-02e6-45b1-980b-e69051040839" - }, - "uuid": "131fde9c-7a83-4603-9c1e-c41f815fb14c", - "value": "Remsec (S0125) uses Exploitation of Vulnerability (T1068)" - }, - { - "meta": { - "source-uuid": "899ce53f-13a0-479b-a0e4-67d46e241542", - "target-uuid": "5e7ef1dc-7fb6-4913-ac75-e06113b59e0c" - }, - "uuid": "7243a679-467e-4c31-b413-547016b9c3ad", - "value": "APT29 (G0016) uses MiniDuke (S0051)" - }, - { - "meta": { - "source-uuid": "afc079f3-c0ea-4096-b75d-3f05338b7f60", - "target-uuid": "56ff457d-5e39-492b-974c-dfd2b8603ffe" - }, - "uuid": "1c5b8ff2-400a-4e0f-a819-3cc8f1bc76b8", - "value": "Mimikatz (S0002) uses Private Keys (T1145)" - }, - { - "meta": { - "source-uuid": "222fbd21-fc4f-4b7e-9f85-0e6e3a76c33f", - "target-uuid": "9de2308e-7bed-43a3-8e58-f194b3586700" - }, - "uuid": "4aa62b6b-7441-4ece-9cb0-2a5bcb46f966", - "value": "menuPass (G0045) uses pwdump (S0006)" - }, - { - "meta": { - "source-uuid": "5be33fef-39c0-4532-84ee-bea31e1b5324", - "target-uuid": "1c338d0f-a65e-4073-a5c1-c06878849f21" - }, - "uuid": "b1df64c9-782d-4452-8c4a-5ef933503c13", - "value": "ISMInjector (S0189) uses Process Hollowing (T1093)" - }, - { - "meta": { - "source-uuid": "9e729a7e-0dd6-4097-95bf-db8d64911383", - "target-uuid": "3b744087-9945-4a6f-91e8-9dbceda417a4" - }, - "uuid": "5bad7b38-36b5-4208-9895-e4a113c511a3", - "value": "Darkhotel (G0012) uses Replication Through Removable Media (T1091)" - }, - { - "meta": { - "source-uuid": "2dd34b01-6110-4aac-835d-b5e7b936b0be", - "target-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a" - }, - "uuid": "8e82a523-fc73-4f3b-98dc-3b1e7199cd93", - "value": "OLDBAIT (S0138) uses Obfuscated Files or Information (T1027)" - 
}, - { - "meta": { - "source-uuid": "69d6f4a9-fcf0-4f51-bca7-597c51ad0bb8", - "target-uuid": "b8c5c9dd-a662-479d-9428-ae745872537c" - }, - "uuid": "46f301cd-8ae3-431a-931b-df4bb4fee271", - "value": "Remsec (S0125) uses Password Filter DLL (T1174)" - }, - { - "meta": { - "source-uuid": "d69c8146-ab35-4d50-8382-6fc80e641d43", - "target-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59" - }, - "uuid": "9fe01f98-e0b3-4749-b9a6-eb10c216c548", - "value": "BLACKCOFFEE (S0069) uses File Deletion (T1107)" - }, - { - "meta": { - "source-uuid": "6a2e693f-24e5-451a-9f88-b36a108e5662", - "target-uuid": "4fa49fc0-9162-4bdb-a37e-7aa3dcb6d38b" - }, - "uuid": "cf467be5-c162-4763-801b-32cb57a514ef", - "value": "APT1 (G0006) uses xCmd (S0123)" - }, - { - "meta": { - "source-uuid": "91000a8a-58cc-4aba-9ad0-993ad6302b86", - "target-uuid": "62b8c999-dcc0-4755-bd69-09442d9359f5" - }, - "uuid": "1b4ee147-dc39-43d2-b468-fcd308e6cbae", - "value": "StreamEx (S0142) uses Rundll32 (T1085)" - }, - { - "meta": { - "source-uuid": "68dca94f-c11d-421e-9287-7c501108e18c", - "target-uuid": "ad255bfe-a9e6-4b52-a258-8d3462abe842" - }, - "uuid": "c0905059-1f3c-414c-8027-b8ec2e4b3c89", - "value": "Duqu (S0038) uses Data Obfuscation (T1001)" - }, - { - "meta": { - "source-uuid": "23bff3ce-021c-4e7a-9aee-60fd40bc7c6c", - "target-uuid": "9e80ddfb-ce32-4961-a778-ca6a10cfae72" - }, - "uuid": "2e5931ef-cc28-49e8-b0c1-7705227ee5cf", - "value": "Sudo Mitigation (T1169) mitigates Sudo (T1169)" - }, - { - "meta": { - "source-uuid": "7c1796c7-9fc3-4c3e-9416-527295bf5d95", - "target-uuid": "f879d51c-5476-431c-aedf-f14d207e4d1e" - }, - "uuid": "a34d1e30-dcf5-4743-93e5-e4834e980f0f", - "value": "Commonly Used Port Mitigation (T1043) mitigates Commonly Used Port (T1043)" - }, - { - "meta": { - "source-uuid": "5f9f7648-04ba-4a9f-bb4c-2a13e74572bd", - "target-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add" - }, - "uuid": "35ae6625-8563-493c-8950-1230bd0fd122", - "value": "Pteranodon (S0147) uses Remote File Copy (T1105)" - }, - 
{ - "meta": { - "source-uuid": "1cc934e4-b01d-4543-a011-b988dfc1a458", - "target-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2" - }, - "uuid": "1f99a883-e78f-423d-9837-2b5ebb14fe63", - "value": "Matroyshka (S0167) uses Input Capture (T1056)" - }, - { - "meta": { - "source-uuid": "fb366179-766c-4a4a-afa1-52bff1fd601c", - "target-uuid": "7dd95ff6-712e-4056-9626-312ea4ab4c5e" - }, - "uuid": "1b45f3b5-b7a4-4424-a8ff-1b1f1c1a55d9", - "value": "Threat Group-3390 (G0027) uses Data Staged (T1074)" - }, - { - "meta": { - "source-uuid": "7dbb67c7-270a-40ad-836e-c45f8948aa5a", - "target-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830" - }, - "uuid": "f3bbff8f-5f4b-40aa-a55f-e3880a582868", - "value": "KOMPROGO (S0156) uses Command-Line Interface (T1059)" - }, - { - "meta": { - "source-uuid": "09b2cd76-c674-47cc-9f57-d2f2ad150a46", - "target-uuid": "15dbf668-795c-41e6-8219-f0447c0e64ce" - }, - "uuid": "533deac3-2f27-4256-bb11-7d68d8824d47", - "value": "POWRUNER (S0184) uses Permission Groups Discovery (T1069)" - }, - { - "meta": { - "source-uuid": "bef4c620-0787-42a8-a96d-b7eb6e85917c", - "target-uuid": "7343e208-7cab-45f2-a47b-41ba5e2f0fab" - }, - "uuid": "92c68b65-18b8-44e9-a368-692048ba9611", - "value": "APT28 (G0007) uses XTunnel (S0117)" - }, - { - "meta": { - "source-uuid": "f8dfbc54-b070-4224-b560-79aaa5f835bd", - "target-uuid": "6ff403bc-93e3-48be-8687-e102fdba8c88" - }, - "uuid": "98aeed7c-e88b-4c5b-8e8e-21ee3534abe9", - "value": "H1N1 (S0132) uses Software Packing (T1045)" - }, - { - "meta": { - "source-uuid": "16ade1aa-0ea1-4bb7-88cc-9079df2ae756", - "target-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0" - }, - "uuid": "4da943df-a7dc-499f-a8b7-ca8d298d8ff6", - "value": "admin@338 (G0018) uses Masquerading (T1036)" - }, - { - "meta": { - "source-uuid": "fb366179-766c-4a4a-afa1-52bff1fd601c", - "target-uuid": "e066bf86-9cfb-407a-9d25-26fd5d91e360" - }, - "uuid": "75c3b5f6-a0ca-4afc-baad-ef19ed4317b3", - "value": "Threat Group-3390 (G0027) uses HTTPBrowser (S0070)" - }, - { 
- "meta": { - "source-uuid": "aafea02e-ece5-4bb2-91a6-3bf8c7f38a39", - "target-uuid": "99709758-2b96-48f2-a68a-ad7fbd828091" - }, - "uuid": "290c0a54-2702-4d6e-97db-1eafa9a7a1f3", - "value": "Cobalt Strike (S0154) uses Multiband Communication (T1026)" - }, - { - "meta": { - "source-uuid": "0e5bdf42-a7f7-4d16-a074-4915bd262f80", - "target-uuid": "a19e86f8-1c0a-4fea-8407-23b73d615776" - }, - "uuid": "6f991c49-462a-4cb8-8096-15c77f7ccace", - "value": "Exfiltration Over Alternative Protocol Mitigation (T1048) mitigates Exfiltration Over Alternative Protocol (T1048)" - }, - { - "meta": { - "source-uuid": "fb261c56-b80e-43a9-8351-c84081e7213d", - "target-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6" - }, - "uuid": "5697b245-d888-40ab-af72-9236c6daa273", - "value": "BACKSPACE (S0031) uses Standard Application Layer Protocol (T1071)" - }, - { - "meta": { - "source-uuid": "37cc7eb6-12e3-467b-82e8-f20f2cc73c69", - "target-uuid": "7bc57495-ea59-4380-be31-a64af124ef18" - }, - "uuid": "e64a09d0-4205-4aca-8acb-f6926233d107", - "value": "Prikormka (S0113) uses File and Directory Discovery (T1083)" - }, - { - "meta": { - "source-uuid": "a60657fa-e2e7-4f8f-8128-a882534ae8c5", - "target-uuid": "d54416bd-0803-41ca-870a-ce1af7c05638" - }, - "uuid": "a83992e1-5be5-433e-b3f1-d9ccde98c9ca", - "value": "OwaAuth (S0072) uses Data Encrypted (T1022)" - }, - { - "meta": { - "source-uuid": "b2c5d3ca-b43a-4888-ad8d-e2d43497bf85", - "target-uuid": "ad255bfe-a9e6-4b52-a258-8d3462abe842" - }, - "uuid": "04ba0d26-d931-423e-a3de-713892c0af97", - "value": "P2P ZeuS (S0016) uses Data Obfuscation (T1001)" - }, - { - "meta": { - "source-uuid": "a8d3d497-2da9-4797-8e0b-ed176be08654", - "target-uuid": "478aa214-2ca7-4ec0-9978-18798e514790" - }, - "uuid": "a8aac75d-ef58-4dda-97a8-9584a6a6baaf", - "value": "Wingbird (S0176) uses New Service (T1050)" - }, - { - "meta": { - "source-uuid": "67e6d66b-1b82-4699-b47a-e2efb6268d14", - "target-uuid": "a257ed11-ff3b-4216-8c9d-3938ef57064c" - }, - "uuid": 
"02a7ea5c-695c-4932-9160-6e0441789670", - "value": "SeaDuke (S0053) uses Pass the Ticket (T1097)" - }, - { - "meta": { - "source-uuid": "65341f30-bec6-4b1d-8abf-1a5620446c29", - "target-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59" - }, - "uuid": "3bf633d0-5578-4e3a-a599-52f3946f6623", - "value": "Reaver (S0172) uses File Deletion (T1107)" - }, - { - "meta": { - "source-uuid": "894aab42-3371-47b1-8859-a4a074c804c8", - "target-uuid": "92d7da27-2d91-488e-a00c-059dc162766d" - }, - "uuid": "e1592867-e02f-4c1f-a9f2-1c60e25a1301", - "value": "Stealth Falcon (G0038) uses Exfiltration Over Command and Control Channel (T1041)" - }, - { - "meta": { - "source-uuid": "a13e35cc-8c90-4d77-a965-5461042c1612", - "target-uuid": "970cdb5c-02fb-4c38-b17e-d6327cf3c810" - }, - "uuid": "2482623f-65a7-4da5-8cb2-64279319e3dc", - "value": "Shortcut Modification Mitigation (T1023) mitigates Shortcut Modification (T1023)" - }, - { - "meta": { - "source-uuid": "54cc1d4f-5c53-4f0e-9ef5-11b4998e82e4", - "target-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6" - }, - "uuid": "f5a175ba-ed26-44f8-9828-c2aa0e1f7d86", - "value": "BlackEnergy (S0089) uses Standard Application Layer Protocol (T1071)" - }, - { - "meta": { - "source-uuid": "5a63f900-5e7e-4928-a746-dd4558e1df71", - "target-uuid": "241814ae-de3f-4656-b49e-f9a80764d4b7" - }, - "uuid": "f0d218a3-9f7b-4f21-aa4a-34dc25f05b61", - "value": "netsh (S0108) uses Security Software Discovery (T1063)" - }, - { - "meta": { - "source-uuid": "00c3bfcb-99bd-4767-8c03-b08f585f5c8a", - "target-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc" - }, - "uuid": "f0b00a47-9d63-4d05-b771-022a21a4ed06", - "value": "PowerDuke (S0139) uses Registry Run Keys / Start Folder (T1060)" - }, - { - "meta": { - "source-uuid": "37cc7eb6-12e3-467b-82e8-f20f2cc73c69", - "target-uuid": "cc7b8c4e-9be0-47ca-b0bb-83915ec3ee2f" - }, - "uuid": "9cf37d0b-a23d-4514-961d-94d1cc6e2bef", - "value": "Prikormka (S0113) uses Data Encoding (T1132)" - }, - { - "meta": { - "source-uuid": 
"5f9f7648-04ba-4a9f-bb4c-2a13e74572bd", - "target-uuid": "7dd95ff6-712e-4056-9626-312ea4ab4c5e" - }, - "uuid": "c93bb2b9-bd22-4e14-b884-2141168387b2", - "value": "Pteranodon (S0147) uses Data Staged (T1074)" - }, - { - "meta": { - "source-uuid": "c93fccb1-e8e8-42cf-ae33-2ad1d183913a", - "target-uuid": "7dd95ff6-712e-4056-9626-312ea4ab4c5e" - }, - "uuid": "5f055076-79d1-44e8-95cb-43fc515df2f6", - "value": "Lazarus Group (G0032) uses Data Staged (T1074)" - }, - { - "meta": { - "source-uuid": "b07c2c47-fefb-4d7c-a69e-6a3296171f54", - "target-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22" - }, - "uuid": "108a1655-faba-4016-a276-c224665cb5c4", - "value": "gsecdump (S0008) uses Credential Dumping (T1003)" - }, - { - "meta": { - "source-uuid": "2a7914cf-dff3-428d-ab0f-1014d1c28aeb", - "target-uuid": "d54416bd-0803-41ca-870a-ce1af7c05638" - }, - "uuid": "0c78e3a7-45c5-454f-8905-a831fbede841", - "value": "FIN6 (G0037) uses Data Encrypted (T1022)" - }, - { - "meta": { - "source-uuid": "fb261c56-b80e-43a9-8351-c84081e7213d", - "target-uuid": "7bc57495-ea59-4380-be31-a64af124ef18" - }, - "uuid": "991c16bd-c17b-479a-8f45-385467323c0a", - "value": "BACKSPACE (S0031) uses File and Directory Discovery (T1083)" - }, - { - "meta": { - "source-uuid": "4689b9fb-dca4-473e-831b-34717ad50c97", - "target-uuid": "830c9528-df21-472c-8c14-a036bf17d665" - }, - "uuid": "91af9744-413c-4e9c-bfdb-a9ca167e9bb5", - "value": "Web Service Mitigation (T1102) mitigates Web Service (T1102)" - }, - { - "meta": { - "source-uuid": "800bdfba-6d66-480f-9f45-15845c05cb5d", - "target-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59" - }, - "uuid": "7985b09e-9241-489c-a0f2-45a6f5c782f1", - "value": "pngdowner (S0067) uses File Deletion (T1107)" - }, - { - "meta": { - "source-uuid": "899ce53f-13a0-479b-a0e4-67d46e241542", - "target-uuid": "01a5a209-b94c-450b-b7f9-946497d91055" - }, - "uuid": "ab51525b-93c6-4ea8-bd83-b9547f1317bb", - "value": "APT29 (G0016) uses Windows Management Instrumentation (T1047)" - }, - { - 
"meta": { - "source-uuid": "e9595678-d269-469e-ae6b-75e49259de63", - "target-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830" - }, - "uuid": "a2a31eb7-0b22-416c-b12d-e52e5f37f8b8", - "value": "BADNEWS (S0128) uses Command-Line Interface (T1059)" - }, - { - "meta": { - "source-uuid": "0b32ec39-ba61-4864-9ebe-b4b0b73caf9a", - "target-uuid": "478aa214-2ca7-4ec0-9978-18798e514790" - }, - "uuid": "e2b4bcf2-58a6-49ed-bc72-21226ff419bd", - "value": "TDTESS (S0164) uses New Service (T1050)" - }, - { - "meta": { - "source-uuid": "d45f03a8-790a-4f90-b956-cd7e5b8886bf", - "target-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81" - }, - "uuid": "3c3f26b3-d676-4e17-adca-2a8ea4643148", - "value": "Valid Accounts Mitigation (T1078) mitigates Valid Accounts (T1078)" - }, - { - "meta": { - "source-uuid": "7a19ecb1-3c65-4de3-a230-993516aed6a6", - "target-uuid": "03342581-f790-4f03-ba41-e82e67392e23" - }, - "uuid": "cd79beea-20ee-4b4f-aad1-5cc34d27398c", - "value": "Turla (G0010) uses Net (S0039)" - }, - { - "meta": { - "source-uuid": "6a0ef5d4-fc7c-4dda-85d7-592e4dbdc5d9", - "target-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc" - }, - "uuid": "c1421d39-cb5d-4bac-a931-9c641066c0fd", - "value": "Sykipot (S0018) uses Registry Run Keys / Start Folder (T1060)" - }, - { - "meta": { - "source-uuid": "c11ac61d-50f4-444f-85d8-6f006067f0de", - "target-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0" - }, - "uuid": "c954a1f5-c925-4c5c-ad64-62545dfbe383", - "value": "route (S0103) uses System Network Configuration Discovery (T1016)" - }, - { - "meta": { - "source-uuid": "222fbd21-fc4f-4b7e-9f85-0e6e3a76c33f", - "target-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22" - }, - "uuid": "9066dcee-7c80-429c-a5cc-77458e891349", - "value": "menuPass (G0045) uses Credential Dumping (T1003)" - }, - { - "meta": { - "source-uuid": "68ba94ab-78b8-43e7-83e2-aed3466882c6", - "target-uuid": "09b2cd76-c674-47cc-9f57-d2f2ad150a46" - }, - "uuid": "96235e56-e55a-4146-a9a6-956f8f1f7dcf", - "value": "APT34 (G0057) uses POWRUNER 
(S0184)" - }, - { - "meta": { - "source-uuid": "0bbdf25b-30ff-4894-a1cd-49260d0dd2d9", - "target-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59" - }, - "uuid": "9b7bf5d9-23a0-4190-80c0-b27b906bafcc", - "value": "APT3 (G0022) uses File Deletion (T1107)" - }, - { - "meta": { - "source-uuid": "463f68f1-5cde-4dc2-a831-68b73488f8f4", - "target-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add" - }, - "uuid": "56d858ef-2d62-4aa9-b050-699de9b048e9", - "value": "MobileOrder (S0079) uses Remote File Copy (T1105)" - }, - { - "meta": { - "source-uuid": "c93fccb1-e8e8-42cf-ae33-2ad1d183913a", - "target-uuid": "01a5a209-b94c-450b-b7f9-946497d91055" - }, - "uuid": "64a17aba-5182-4666-bd37-dafa9d835fe8", - "value": "Lazarus Group (G0032) uses Windows Management Instrumentation (T1047)" - }, - { - "meta": { - "source-uuid": "aafea02e-ece5-4bb2-91a6-3bf8c7f38a39", - "target-uuid": "7fd87010-3a00-4da3-b905-410525e8ec44" - }, - "uuid": "23dca74f-2b3e-46c0-b7a3-9d9eab932f58", - "value": "Cobalt Strike (S0154) uses Scripting (T1064)" - }, - { - "meta": { - "source-uuid": "0f862b01-99da-47cc-9bdb-db4a86a95bb1", - "target-uuid": "519630c5-f03f-4882-825c-3af924935817" - }, - "uuid": "d200ba08-8179-495e-a854-9b13be5c0f93", - "value": "Emissary (S0082) uses Binary Padding (T1009)" - }, - { - "meta": { - "source-uuid": "d1acfbb3-647b-4723-9154-800ec119006e", - "target-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1" - }, - "uuid": "e20b57e5-c010-4b9e-a04e-660daa8b5c87", - "value": "Sowbug (G0054) uses System Information Discovery (T1082)" - }, - { - "meta": { - "source-uuid": "7551188b-8f91-4d34-8350-0d0c57b2b913", - "target-uuid": "128c55d3-aeba-469f-bd3e-c8996ab4112a" - }, - "uuid": "6deeb486-90c3-4279-8549-17c81ea2466b", - "value": "Elise (S0081) uses Timestomp (T1099)" - }, - { - "meta": { - "source-uuid": "0bbdf25b-30ff-4894-a1cd-49260d0dd2d9", - "target-uuid": "00d0b012-8a03-410e-95de-5826bf542de6" - }, - "uuid": "febbf503-d7e5-4896-90b9-35b6a811b19b", - "value": "APT3 (G0022) uses Indicator 
Removal from Tools (T1066)" - }, - { - "meta": { - "source-uuid": "495b6cdb-7b5a-4fbc-8d33-e7ef68806d08", - "target-uuid": "f879d51c-5476-431c-aedf-f14d207e4d1e" - }, - "uuid": "2902ccff-873a-4ebc-bdf4-caaae629ae9d", - "value": "Volgmer (S0180) uses Commonly Used Port (T1043)" - }, - { - "meta": { - "source-uuid": "23b6a0f5-fa95-46f9-a6f3-4549c5e45ec8", - "target-uuid": "6ff403bc-93e3-48be-8687-e102fdba8c88" - }, - "uuid": "047ee6d3-1b85-4a0f-96a6-6ead4be43548", - "value": "Night Dragon (G0014) uses Software Packing (T1045)" - }, - { - "meta": { - "source-uuid": "2eb9b131-d333-4a48-9eb4-d8dec46c19ee", - "target-uuid": "ae676644-d2d2-41b7-af7e-9bed1b55898c" - }, - "uuid": "3e7c9978-4db1-4ee1-ae27-640acee5a543", - "value": "CosmicDuke (S0050) uses Data from Network Shared Drive (T1039)" - }, - { - "meta": { - "source-uuid": "1cc934e4-b01d-4543-a011-b988dfc1a458", - "target-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688" - }, - "uuid": "a56aafe6-4a54-4ce5-b927-8b56826b3445", - "value": "Matroyshka (S0167) uses Screen Capture (T1113)" - }, - { - "meta": { - "source-uuid": "d1acfbb3-647b-4723-9154-800ec119006e", - "target-uuid": "ae676644-d2d2-41b7-af7e-9bed1b55898c" - }, - "uuid": "5f3eb1ae-782e-4e49-8e1e-650f3e5a1139", - "value": "Sowbug (G0054) uses Data from Network Shared Drive (T1039)" - }, - { - "meta": { - "source-uuid": "4ca1929c-7d64-4aab-b849-badbfc0c760d", - "target-uuid": "03342581-f790-4f03-ba41-e82e67392e23" - }, - "uuid": "3fb836b7-41cf-40d1-bd56-14e45e6bbd02", - "value": "OilRig (G0049) uses Net (S0039)" - }, - { - "meta": { - "source-uuid": "a8d3d497-2da9-4797-8e0b-ed176be08654", - "target-uuid": "6e6845c2-347a-4a6f-a2d1-b74a18ebd352" - }, - "uuid": "019eb3cf-35df-4109-a006-1b91331866c3", - "value": "Wingbird (S0176) uses LSASS Driver (T1177)" - }, - { - "meta": { - "source-uuid": "76abb3ef-dafd-4762-97cb-a35379429db4", - "target-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc" - }, - "uuid": "2fb450c6-e236-4b81-b5ac-a9d4be0cf167", - "value": "Gazer (S0168) 
uses Registry Run Keys / Start Folder (T1060)" - }, - { - "meta": { - "source-uuid": "0f862b01-99da-47cc-9bdb-db4a86a95bb1", - "target-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830" - }, - "uuid": "2c158663-599b-45a8-b946-6d545206428d", - "value": "Emissary (S0082) uses Command-Line Interface (T1059)" - }, - { - "meta": { - "source-uuid": "e1161124-f22e-487f-9d5f-ed8efc8dcd61", - "target-uuid": "cc7b8c4e-9be0-47ca-b0bb-83915ec3ee2f" - }, - "uuid": "7f1c30eb-051f-4d1a-9d81-1ee46f7779c7", - "value": "Mis-Type (S0084) uses Data Encoding (T1132)" - }, - { - "meta": { - "source-uuid": "4ca1929c-7d64-4aab-b849-badbfc0c760d", - "target-uuid": "f24faf46-3b26-4dbb-98f2-63460498e433" - }, - "uuid": "12daddcc-b964-485e-8c2d-10f554d78bcc", - "value": "OilRig (G0049) uses Fallback Channels (T1008)" - }, - { - "meta": { - "source-uuid": "f108215f-3487-489d-be8b-80e346d32518", - "target-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580" - }, - "uuid": "9a62c02a-e373-494e-af73-f8b3274e8c9b", - "value": "Komplex (S0162) uses Process Discovery (T1057)" - }, - { - "meta": { - "source-uuid": "fb366179-766c-4a4a-afa1-52bff1fd601c", - "target-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5" - }, - "uuid": "aec0a948-428f-4327-b466-a0472da12928", - "value": "Threat Group-3390 (G0027) uses Data from Local System (T1005)" - }, - { - "meta": { - "source-uuid": "23061b40-a7b6-454f-8950-95d5ff80331c", - "target-uuid": "d519cfd5-f3a8-43a9-a846-ed0bb40672b1" - }, - "uuid": "85bddba6-3848-4d2d-a4fa-4c4b71274a02", - "value": "Install Root Certificate Mitigation (T1130) mitigates Install Root Certificate (T1130)" - }, - { - "meta": { - "source-uuid": "55033a4d-3ffe-46b2-99b4-2c1541e9ce1c", - "target-uuid": "2e0dd10b-676d-4964-acd0-8a404c92b044" - }, - "uuid": "1ae1ce05-3db2-4a97-8e58-0ed3d65d9d22", - "value": "Carbanak (G0008) uses Disabling Security Tools (T1089)" - }, - { - "meta": { - "source-uuid": "d69c8146-ab35-4d50-8382-6fc80e641d43", - "target-uuid": "830c9528-df21-472c-8c14-a036bf17d665" - }, - 
"uuid": "8b0e9de1-a7b0-479e-aee7-76f2549508c6", - "value": "BLACKCOFFEE (S0069) uses Web Service (T1102)" - }, - { - "meta": { - "source-uuid": "c085476e-1964-4d7f-86e1-d8657a7741e8", - "target-uuid": "9b99b83a-1aac-4e29-b975-b374950551a3" - }, - "uuid": "1da0f3c7-d9e2-4379-a84c-782fc94a75d5", - "value": "Accessibility Features Mitigation (T1015) mitigates Accessibility Features (T1015)" - }, - { - "meta": { - "source-uuid": "2a158b0a-7ef8-43cb-9985-bf34d1e12050", - "target-uuid": "cf23bf4a-e003-4116-bbae-1ea6c558d565" - }, - "uuid": "0ead6cee-20a4-46fb-a9c1-8686a776f455", - "value": "Naikon (G0019) uses FTP (S0095)" - }, - { - "meta": { - "source-uuid": "17862c7d-9e60-48a0-b48e-da4dc4c3f6b0", - "target-uuid": "830c9528-df21-472c-8c14-a036bf17d665" - }, - "uuid": "b3a9c32f-c6d0-46d4-8936-dd4fec61d305", - "value": "Patchwork (G0040) uses Web Service (T1102)" - }, - { - "meta": { - "source-uuid": "dc5d1a33-62aa-4a0c-aa8c-589b87beb11e", - "target-uuid": "2e0dd10b-676d-4964-acd0-8a404c92b044" - }, - "uuid": "2ade8c03-2395-4175-9a22-8541836f27cd", - "value": "ChChes (S0144) uses Disabling Security Tools (T1089)" - }, - { - "meta": { - "source-uuid": "53cf6cc4-65aa-445a-bcf8-c3d296f8a7a2", - "target-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580" - }, - "uuid": "16043223-3846-4138-93d0-671339ba3646", - "value": "NETEAGLE (S0034) uses Process Discovery (T1057)" - }, - { - "meta": { - "source-uuid": "5e595477-2e78-4ce7-ae42-e0b059b17808", - "target-uuid": "f4882e23-8aa7-4b12-b28a-b349c12ee9e0" - }, - "uuid": "8d5d9206-a213-465d-b384-6152eb2796a0", - "value": "POSHSPY (S0150) uses PowerShell (T1086)" - }, - { - "meta": { - "source-uuid": "876f6a77-fbc5-4e13-ab1a-5611986730a3", - "target-uuid": "30208d3e-0d6b-43c8-883e-44462a514619" - }, - "uuid": "11bc3d01-fc44-415c-b5a3-5576f5cb6057", - "value": "T9000 (S0098) uses Automated Collection (T1119)" - }, - { - "meta": { - "source-uuid": "96913243-2b5e-4483-a65c-bb152ddd2f04", - "target-uuid": 
"46944654-fcc1-4f63-9dad-628102376586" - }, - "uuid": "069e82d5-89f2-4477-a1f5-115be8ab040a", - "value": "DLL Search Order Hijacking Mitigation (T1038) mitigates DLL Search Order Hijacking (T1038)" - }, - { - "meta": { - "source-uuid": "899ce53f-13a0-479b-a0e4-67d46e241542", - "target-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9" - }, - "uuid": "4a0887ab-3ec3-436a-b378-6e28847dfb1e", - "value": "APT29 (G0016) uses Scheduled Task (T1053)" - }, - { - "meta": { - "source-uuid": "9ca488bd-9587-48ef-b923-1743523e63b2", - "target-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4" - }, - "uuid": "6592447f-31c8-46d0-8e88-47584fa301f0", - "value": "SOUNDBITE (S0157) uses Modify Registry (T1112)" - }, - { - "meta": { - "source-uuid": "f9b3e5d9-7454-4b7d-bce6-27620e19924e", - "target-uuid": "6aabc5ec-eae6-422c-8311-38d45ee9838a" - }, - "uuid": "9691a6a8-12d0-45a7-8217-11d1793234cb", - "value": "Redundant Access Mitigation (T1108) mitigates Redundant Access (T1108)" - }, - { - "meta": { - "source-uuid": "c620e3a1-fff5-424f-abea-d2b0f3616f67", - "target-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1" - }, - "uuid": "c28d6f10-431f-493c-8abd-918240c5c970", - "value": "System Information Discovery Mitigation (T1082) mitigates System Information Discovery (T1082)" - }, - { - "meta": { - "source-uuid": "7a19ecb1-3c65-4de3-a230-993516aed6a6", - "target-uuid": "7e150503-88e7-4861-866b-ff1ac82c4475" - }, - "uuid": "3325e625-d76b-42df-b952-749dabb57517", - "value": "Turla (G0010) uses System Network Connections Discovery (T1049)" - }, - { - "meta": { - "source-uuid": "17b40f60-729f-4fe8-8aea-cc9ee44a95d5", - "target-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add" - }, - "uuid": "f4902ad9-b1bb-41ce-a448-55e2d9437503", - "value": "RedLeaves (S0153) uses Remote File Copy (T1105)" - }, - { - "meta": { - "source-uuid": "4b62ab58-c23b-4704-9c15-edd568cd59f8", - "target-uuid": "0f20e3cb-245b-4a61-8a91-2d93f7cb0e9b" - }, - "uuid": "89433640-bf49-48b3-9f26-76423cd36f77", - "value": "Hacking Team UEFI 
Rootkit (S0047) uses Rootkit (T1014)" - }, - { - "meta": { - "source-uuid": "e547ed6a-f1ca-40df-8613-2ce27927f145", - "target-uuid": "e6415f09-df0e-48de-9aba-928c902b7549" - }, - "uuid": "2083aef8-4d72-4bef-8cbc-33f2c5f4a176", - "value": "Exfiltration Over Physical Medium Mitigation (T1052) mitigates Exfiltration Over Physical Medium (T1052)" - }, - { - "meta": { - "source-uuid": "aafea02e-ece5-4bb2-91a6-3bf8c7f38a39", - "target-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2" - }, - "uuid": "be20faa9-64bf-4a65-86c2-dc12f5695d22", - "value": "Cobalt Strike (S0154) uses Input Capture (T1056)" - }, - { - "meta": { - "source-uuid": "7a19ecb1-3c65-4de3-a230-993516aed6a6", - "target-uuid": "80a014ba-3fef-4768-990b-37d8bd10d7f4" - }, - "uuid": "6a87ff58-10b1-4fbc-a633-d7d8a34d1b29", - "value": "Turla (G0010) uses Uroburos (S0022)" - }, - { - "meta": { - "source-uuid": "a0cb9370-e39b-44d5-9f50-ef78e412b973", - "target-uuid": "95047f03-4811-4300-922e-1ba937d53a61" - }, - "uuid": "a8122755-90fe-4b68-8fa1-55ed7be90931", - "value": "Axiom (G0001) uses Hikit (S0009)" - }, - { - "meta": { - "source-uuid": "899ce53f-13a0-479b-a0e4-67d46e241542", - "target-uuid": "f4882e23-8aa7-4b12-b28a-b349c12ee9e0" - }, - "uuid": "7f78df2e-e6e9-43f1-815b-58e4a10fc594", - "value": "APT29 (G0016) uses PowerShell (T1086)" - }, - { - "meta": { - "source-uuid": "2fb26586-2b53-4b9a-ad4f-2b3bcb9a2421", - "target-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2" - }, - "uuid": "8d4effdd-6d91-473d-aa81-d121f1c77881", - "value": "SslMM (S0058) uses Input Capture (T1056)" - }, - { - "meta": { - "source-uuid": "03342581-f790-4f03-ba41-e82e67392e23", - "target-uuid": "ffe742ed-9100-4686-9e00-c331da544787" - }, - "uuid": "a2423ac3-94b4-4936-962b-06562115cb70", - "value": "Net (S0039) uses Windows Admin Shares (T1077)" - }, - { - "meta": { - "source-uuid": "c0c45d38-fe57-4cd4-b2b2-9ecd0ddd4ca9", - "target-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc" - }, - "uuid": "aeaa2f37-4014-4313-9fe2-8616b352a90c", - "value": 
"TinyZBot (S0004) uses Registry Run Keys / Start Folder (T1060)" - }, - { - "meta": { - "source-uuid": "53cf6cc4-65aa-445a-bcf8-c3d296f8a7a2", - "target-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc" - }, - "uuid": "617fe29d-ac48-4cd0-ae8c-19cf7cfdbedd", - "value": "NETEAGLE (S0034) uses Registry Run Keys / Start Folder (T1060)" - }, - { - "meta": { - "source-uuid": "4ca1929c-7d64-4aab-b849-badbfc0c760d", - "target-uuid": "eff1a885-6f90-42a1-901f-eef6e7a1905e" - }, - "uuid": "ae1de9c5-6bc0-459a-b4ca-568139a5ee41", - "value": "OilRig (G0049) uses Helminth (S0170)" - }, - { - "meta": { - "source-uuid": "a60657fa-e2e7-4f8f-8128-a882534ae8c5", - "target-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2" - }, - "uuid": "33caa1a2-8465-47b9-89c4-94f4e9a899c7", - "value": "OwaAuth (S0072) uses Input Capture (T1056)" - }, - { - "meta": { - "source-uuid": "60c18d06-7b91-4742-bae3-647845cd9d81", - "target-uuid": "cc7b8c4e-9be0-47ca-b0bb-83915ec3ee2f" - }, - "uuid": "35d35ecf-1326-4690-b105-23280e29c120", - "value": "CORESHELL (S0137) uses Data Encoding (T1132)" - }, - { - "meta": { - "source-uuid": "2a7914cf-dff3-428d-ab0f-1014d1c28aeb", - "target-uuid": "e358d692-23c0-4a31-9eb6-ecc13a8d7735" - }, - "uuid": "ade72dc6-559e-4a84-9024-1a862faec6a0", - "value": "FIN6 (G0037) uses Remote System Discovery (T1018)" - }, - { - "meta": { - "source-uuid": "fb261c56-b80e-43a9-8351-c84081e7213d", - "target-uuid": "731f4f55-b6d0-41d1-a7a9-072a66389aea" - }, - "uuid": "7cbedb9a-666f-47eb-b70e-905bcf80940a", - "value": "BACKSPACE (S0031) uses Connection Proxy (T1090)" - }, - { - "meta": { - "source-uuid": "e8d22ec6-2236-48de-954b-974d17492782", - "target-uuid": "dd43c543-bb85-4a6f-aa6e-160d90d06a49" - }, - "uuid": "196a2d37-4b87-465d-8d92-2e614cda869c", - "value": "Two-Factor Authentication Interception Mitigation (T1111) mitigates Two-Factor Authentication Interception (T1111)" - }, - { - "meta": { - "source-uuid": "92ec0cbd-2c30-44a2-b270-73f4ec949841", - "target-uuid": 
"03d7999c-1f4c-42cc-8373-e7690d318104" - }, - "uuid": "aad1cfa0-0df0-4768-87c2-5e59da2c5e44", - "value": "RTM (S0148) uses System Owner/User Discovery (T1033)" - }, - { - "meta": { - "source-uuid": "dfb5fa9b-3051-4b97-8035-08f80aef945b", - "target-uuid": "128c55d3-aeba-469f-bd3e-c8996ab4112a" - }, - "uuid": "d8a7ec97-b262-489d-bc4b-e2c7007f75bc", - "value": "Psylo (S0078) uses Timestomp (T1099)" - }, - { - "meta": { - "source-uuid": "c93fccb1-e8e8-42cf-ae33-2ad1d183913a", - "target-uuid": "4b74a1d4-b0e9-4ef1-93f1-14ecc6e2f5b5" - }, - "uuid": "4c06e313-2cde-494c-a8dc-449649a1afa6", - "value": "Lazarus Group (G0032) uses Standard Cryptographic Protocol (T1032)" - }, - { - "meta": { - "source-uuid": "fe98767f-9df8-42b9-83c9-004b1dec8647", - "target-uuid": "b07c2c47-fefb-4d7c-a69e-6a3296171f54" - }, - "uuid": "7ed93170-2dba-4e59-b0f0-7c716c73bdc0", - "value": "PittyTiger (G0011) uses gsecdump (S0008)" - }, - { - "meta": { - "source-uuid": "c93fccb1-e8e8-42cf-ae33-2ad1d183913a", - "target-uuid": "d54416bd-0803-41ca-870a-ce1af7c05638" - }, - "uuid": "552ac18c-4fac-4cb0-aefc-811a10e1c320", - "value": "Lazarus Group (G0032) uses Data Encrypted (T1022)" - }, - { - "meta": { - "source-uuid": "6b616fc1-1505-48e3-8b2c-0d19337bff38", - "target-uuid": "30208d3e-0d6b-43c8-883e-44462a514619" - }, - "uuid": "121a09bd-f603-4476-a149-a3cba52f268c", - "value": "Rover (S0090) uses Automated Collection (T1119)" - }, - { - "meta": { - "source-uuid": "6b62e336-176f-417b-856a-8552dd8c44e1", - "target-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6" - }, - "uuid": "062b1f19-2afb-4bdc-908e-99594ff114cf", - "value": "Epic (S0091) uses Standard Application Layer Protocol (T1071)" - }, - { - "meta": { - "source-uuid": "68ba94ab-78b8-43e7-83e2-aed3466882c6", - "target-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688" - }, - "uuid": "11ebf3ff-b184-4010-b238-951e041370db", - "value": "APT34 (G0057) uses Screen Capture (T1113)" - }, - { - "meta": { - "source-uuid": "54cc1d4f-5c53-4f0e-9ef5-11b4998e82e4", 
- "target-uuid": "7bc57495-ea59-4380-be31-a64af124ef18" - }, - "uuid": "37f94533-8fbe-48d2-bf4f-f825ad75ff98", - "value": "BlackEnergy (S0089) uses File and Directory Discovery (T1083)" - }, - { - "meta": { - "source-uuid": "92ec0cbd-2c30-44a2-b270-73f4ec949841", - "target-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4" - }, - "uuid": "94b4de9a-1f83-4923-8d4b-e9bafdb1bef9", - "value": "RTM (S0148) uses Modify Registry (T1112)" - }, - { - "meta": { - "source-uuid": "fb575479-14ef-41e9-bfab-0b7cf10bec73", - "target-uuid": "cc7b8c4e-9be0-47ca-b0bb-83915ec3ee2f" - }, - "uuid": "103f1ad4-feec-4be3-9da7-ee0b2503c318", - "value": "ADVSTORESHELL (S0045) uses Data Encoding (T1132)" - }, - { - "meta": { - "source-uuid": "e9595678-d269-469e-ae6b-75e49259de63", - "target-uuid": "b2001907-166b-4d71-bb3c-9d26c871de09" - }, - "uuid": "283e242a-72d4-4b40-8905-888595c34919", - "value": "BADNEWS (S0128) uses DLL Side-Loading (T1073)" - }, - { - "meta": { - "source-uuid": "979e6485-7a2f-42bd-ae96-4e622c3cd173", - "target-uuid": "54a649ff-439a-41a4-9856-8d144a2551ba" - }, - "uuid": "2c0fe330-edcf-4519-a577-c3c9b086d60a", - "value": "Remote Services Mitigation (T1021) mitigates Remote Services (T1021)" - }, - { - "meta": { - "source-uuid": "2eb9b131-d333-4a48-9eb4-d8dec46c19ee", - "target-uuid": "478aa214-2ca7-4ec0-9978-18798e514790" - }, - "uuid": "17629f20-194c-48cb-aa1c-b3da2b6f06ba", - "value": "CosmicDuke (S0050) uses New Service (T1050)" - }, - { - "meta": { - "source-uuid": "222fbd21-fc4f-4b7e-9f85-0e6e3a76c33f", - "target-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0" - }, - "uuid": "4cc8afb8-86ab-4537-926f-3178975a7886", - "value": "menuPass (G0045) uses System Network Configuration Discovery (T1016)" - }, - { - "meta": { - "source-uuid": "34d6a2ef-370e-4d21-a34b-6208b7c78f31", - "target-uuid": "c1a452f3-6499-4c12-b7e9-a6a0a102af76" - }, - "uuid": "fcf18dc5-8ac0-4ae7-84b9-c47ebd468022", - "value": "Process Doppelgänging Mitigation (T1186) mitigates Process Doppelgänging (T1186)" 
- }, - { - "meta": { - "source-uuid": "7343e208-7cab-45f2-a47b-41ba5e2f0fab", - "target-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830" - }, - "uuid": "3264e1db-0f54-4049-a45c-3a03a24709aa", - "value": "XTunnel (S0117) uses Command-Line Interface (T1059)" - }, - { - "meta": { - "source-uuid": "083bb47b-02c8-4423-81a2-f9ef58572974", - "target-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104" - }, - "uuid": "d2d9a619-4379-4e15-9115-40ca9209f316", - "value": "Backdoor.Oldrea (S0093) uses System Owner/User Discovery (T1033)" - }, - { - "meta": { - "source-uuid": "9ea525fa-b0a9-4dde-84f2-bcea0137b3c1", - "target-uuid": "c21d5a77-d422-4a69-acd7-2c53c1faa34b" - }, - "uuid": "51c5e624-d08e-4750-91f9-fdc98ec56552", - "value": "MoonWind (S0149) uses Standard Non-Application Layer Protocol (T1095)" - }, - { - "meta": { - "source-uuid": "388606d3-f38f-45bf-885d-a9dc9df3c8a8", - "target-uuid": "2e0dd10b-676d-4964-acd0-8a404c92b044" - }, - "uuid": "b35a5218-e64d-49b5-a37d-6390edddece6", - "value": "Disabling Security Tools Mitigation (T1089) mitigates Disabling Security Tools (T1089)" - }, - { - "meta": { - "source-uuid": "2a7914cf-dff3-428d-ab0f-1014d1c28aeb", - "target-uuid": "4b74a1d4-b0e9-4ef1-93f1-14ecc6e2f5b5" - }, - "uuid": "de840f88-b9d0-4f7e-b5c0-b666faa2d92f", - "value": "FIN6 (G0037) uses Standard Cryptographic Protocol (T1032)" - }, - { - "meta": { - "source-uuid": "b6b3dfc7-9a81-43ff-ac04-698bad48973a", - "target-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830" - }, - "uuid": "03c08ef9-80c7-4f20-b197-ad44f702f2e0", - "value": "Daserf (S0187) uses Command-Line Interface (T1059)" - }, - { - "meta": { - "source-uuid": "64d76fa5-cf8f-469c-b78c-1a4f7c5bad80", - "target-uuid": "3b3cbbe0-6ed3-4334-b543-3ddfd8c5642d" - }, - "uuid": "805f7ba3-a904-410c-b9fd-20356c595b19", - "value": "BBSRAT (S0127) uses Custom Cryptographic Protocol (T1024)" - }, - { - "meta": { - "source-uuid": "4ca1929c-7d64-4aab-b849-badbfc0c760d", - "target-uuid": "30208d3e-0d6b-43c8-883e-44462a514619" - }, - 
"uuid": "a24299ed-9735-453c-bd13-66269b2d5d16", - "value": "OilRig (G0049) uses Automated Collection (T1119)" - }, - { - "meta": { - "source-uuid": "899ce53f-13a0-479b-a0e4-67d46e241542", - "target-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc" - }, - "uuid": "343d285a-e910-487b-8e85-dc87cdb63be3", - "value": "APT29 (G0016) uses Registry Run Keys / Start Folder (T1060)" - }, - { - "meta": { - "source-uuid": "68ba94ab-78b8-43e7-83e2-aed3466882c6", - "target-uuid": "2e45723a-31da-4a7e-aaa6-e01998a6788f" - }, - "uuid": "5c38fba7-20c6-4872-ad05-21f0f77e0820", - "value": "APT34 (G0057) uses Tasklist (S0057)" - }, - { - "meta": { - "source-uuid": "dcd81c6e-ebf7-4a16-93e0-9a97fa49c88a", - "target-uuid": "f4882e23-8aa7-4b12-b28a-b349c12ee9e0" - }, - "uuid": "2f68f61d-07e1-4181-a26c-93433f9f0db7", - "value": "CopyKittens (G0052) uses PowerShell (T1086)" - }, - { - "meta": { - "source-uuid": "bef4c620-0787-42a8-a96d-b7eb6e85917c", - "target-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a" - }, - "uuid": "1b143de7-af2d-4991-9e2e-aa85a8d7d330", - "value": "APT28 (G0007) uses Obfuscated Files or Information (T1027)" - }, - { - "meta": { - "source-uuid": "2eb9b131-d333-4a48-9eb4-d8dec46c19ee", - "target-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688" - }, - "uuid": "7331b11d-1d5e-4275-ba7e-a83ec4a59259", - "value": "CosmicDuke (S0050) uses Screen Capture (T1113)" - }, - { - "meta": { - "source-uuid": "93f52415-0fe4-4d3d-896c-fc9b8e88ab90", - "target-uuid": "7fd87010-3a00-4da3-b905-410525e8ec44" - }, - "uuid": "d57dd9d9-d075-48c4-ae54-ed0aeae575de", - "value": "BRONZE BUTLER (G0060) uses Scripting (T1064)" - }, - { - "meta": { - "source-uuid": "0b32ec39-ba61-4864-9ebe-b4b0b73caf9a", - "target-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830" - }, - "uuid": "ce424541-5cfa-4885-ad62-f3f70fa27099", - "value": "TDTESS (S0164) uses Command-Line Interface (T1059)" - }, - { - "meta": { - "source-uuid": "e9595678-d269-469e-ae6b-75e49259de63", - "target-uuid": "7dd95ff6-712e-4056-9626-312ea4ab4c5e" 
- }, - "uuid": "db8f1355-57f0-446d-a261-b168497b20c6", - "value": "BADNEWS (S0128) uses Data Staged (T1074)" - }, - { - "meta": { - "source-uuid": "64fa0de0-6240-41f4-8638-f4ca7ed528fd", - "target-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6" - }, - "uuid": "6bf4098c-7667-44df-bdaa-076b9099f851", - "value": "PlugX (S0013) uses Standard Application Layer Protocol (T1071)" - }, - { - "meta": { - "source-uuid": "9559ecaf-2e75-48a7-aee8-9974020bc772", - "target-uuid": "85b39628-204a-48d2-b377-ec368cbcb7ca" - }, - "uuid": "13aa912e-bb51-4293-a971-9179442d516a", - "value": "MONSOON (G0042) uses TINYTYPHON (S0131)" - }, - { - "meta": { - "source-uuid": "00d7d21b-69d6-4797-88a2-c86f3fc97651", - "target-uuid": "b8c5c9dd-a662-479d-9428-ae745872537c" - }, - "uuid": "af088283-7416-466d-86f3-8b55e6d698d4", - "value": "Password Filter DLL Mitigation (T1174) mitigates Password Filter DLL (T1174)" - }, - { - "meta": { - "source-uuid": "17b40f60-729f-4fe8-8aea-cc9ee44a95d5", - "target-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1" - }, - "uuid": "a8f11c39-df96-451e-a93a-417512f82819", - "value": "RedLeaves (S0153) uses System Information Discovery (T1082)" - }, - { - "meta": { - "source-uuid": "f6ae7a52-f3b6-4525-9daf-640c083f006e", - "target-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830" - }, - "uuid": "ecb5e830-b678-47a6-98a2-d4dbe162f09e", - "value": "PHOREAL (S0158) uses Command-Line Interface (T1059)" - }, - { - "meta": { - "source-uuid": "bcee7b05-89a6-41a5-b7aa-fce4da7ede9e", - "target-uuid": "c23b740b-a42b-47a1-aec2-9d48ddd547ff" - }, - "uuid": "396287ea-36d9-4d84-bf22-af559eb20f58", - "value": "Pass the Hash Mitigation (T1075) mitigates Pass the Hash (T1075)" - }, - { - "meta": { - "source-uuid": "2f1a9fd0-3b7c-4d77-a358-78db13adbe78", - "target-uuid": "f879d51c-5476-431c-aedf-f14d207e4d1e" - }, - "uuid": "9f852541-3fc7-4036-9268-7bc6bfe94900", - "value": "EvilGrab (S0152) uses Commonly Used Port (T1043)" - }, - { - "meta": { - "source-uuid": 
"a766ce73-5583-48f3-b7c0-0bb43c6ef8c7", - "target-uuid": "4b74a1d4-b0e9-4ef1-93f1-14ecc6e2f5b5" - }, - "uuid": "32ba984e-dbe9-4a8a-a1b7-16ba560d31d5", - "value": "Standard Cryptographic Protocol Mitigation (T1032) mitigates Standard Cryptographic Protocol (T1032)" - }, - { - "meta": { - "source-uuid": "d519164e-f5fa-4b8c-a1fb-cf0172ad0983", - "target-uuid": "03342581-f790-4f03-ba41-e82e67392e23" - }, - "uuid": "489e5386-b177-455f-a8b3-d3c6e7afb9b1", - "value": "Threat Group-1314 (G0028) uses Net (S0039)" - }, - { - "meta": { - "source-uuid": "37cc7eb6-12e3-467b-82e8-f20f2cc73c69", - "target-uuid": "348f1eef-964b-4eb6-bb53-69b3dcb0c643" - }, - "uuid": "33e0178f-c9b2-43db-9e63-3e664ae6bef0", - "value": "Prikormka (S0113) uses Peripheral Device Discovery (T1120)" - }, - { - "meta": { - "source-uuid": "4ca1929c-7d64-4aab-b849-badbfc0c760d", - "target-uuid": "294e2560-bd48-44b2-9da2-833b5588ad11" - }, - "uuid": "72d6fe7e-ba33-4117-8153-64226f189ed2", - "value": "OilRig (G0049) uses ipconfig (S0100)" - }, - { - "meta": { - "source-uuid": "37cc7eb6-12e3-467b-82e8-f20f2cc73c69", - "target-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2" - }, - "uuid": "1879905d-a4f6-43a7-aafe-a7e436e5c559", - "value": "Prikormka (S0113) uses Input Capture (T1056)" - }, - { - "meta": { - "source-uuid": "67e6d66b-1b82-4699-b47a-e2efb6268d14", - "target-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830" - }, - "uuid": "0191f3d3-59d3-4fcc-bfff-5fbfa0675cfd", - "value": "SeaDuke (S0053) uses Command-Line Interface (T1059)" - }, - { - "meta": { - "source-uuid": "f28a20fd-d173-4603-807e-2cb3f51bdf04", - "target-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830" - }, - "uuid": "b1ee5cba-d4e0-4af0-aa5c-5faacfdb0dbc", - "value": "Command-Line Interface Mitigation (T1059) mitigates Command-Line Interface (T1059)" - }, - { - "meta": { - "source-uuid": "6a0ef5d4-fc7c-4dda-85d7-592e4dbdc5d9", - "target-uuid": "428ca9f8-0e33-442a-be87-f869cb4cf73e" - }, - "uuid": "10c33088-630e-456d-ad0f-8a63be4d3946", - "value": 
"Sykipot (S0018) uses Multilayer Encryption (T1079)" - }, - { - "meta": { - "source-uuid": "59140a2e-d117-4206-9b2c-2a8662bd9d46", - "target-uuid": "4b74a1d4-b0e9-4ef1-93f1-14ecc6e2f5b5" - }, - "uuid": "bdba5fef-c560-4b8a-9ce5-616395a73841", - "value": "Taidoor (G0015) uses Standard Cryptographic Protocol (T1032)" - }, - { - "meta": { - "source-uuid": "6a2e693f-24e5-451a-9f88-b36a108e5662", - "target-uuid": "9de2308e-7bed-43a3-8e58-f194b3586700" - }, - "uuid": "de979692-5ca5-4874-bfc8-91cea8697ef1", - "value": "APT1 (G0006) uses pwdump (S0006)" - }, - { - "meta": { - "source-uuid": "fb575479-14ef-41e9-bfab-0b7cf10bec73", - "target-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830" - }, - "uuid": "6f448f20-0349-4132-80ec-d46e94d52426", - "value": "ADVSTORESHELL (S0045) uses Command-Line Interface (T1059)" - }, - { - "meta": { - "source-uuid": "899ce53f-13a0-479b-a0e4-67d46e241542", - "target-uuid": "e906ae4d-1d3a-4675-be23-22f7311c0da4" - }, - "uuid": "337dc23f-d825-415d-886b-53c3457fbd56", - "value": "APT29 (G0016) uses Windows Management Instrumentation Event Subscription (T1084)" - }, - { - "meta": { - "source-uuid": "5f9f7648-04ba-4a9f-bb4c-2a13e74572bd", - "target-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6" - }, - "uuid": "50f39180-6e5a-476b-b18f-d4e09e83c9d9", - "value": "Pteranodon (S0147) uses Standard Application Layer Protocol (T1071)" - }, - { - "meta": { - "source-uuid": "54cc1d4f-5c53-4f0e-9ef5-11b4998e82e4", - "target-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0" - }, - "uuid": "de168dd4-3c59-4fa4-901a-911b1ee81a31", - "value": "BlackEnergy (S0089) uses System Network Configuration Discovery (T1016)" - }, - { - "meta": { - "source-uuid": "7009ba4d-83d4-4851-9fbb-e09e28497765", - "target-uuid": "b77cf5f3-6060-475d-bd60-40ccbf28fdc2" - }, - "uuid": "66a16f64-8c0d-4647-8589-83ea8ef4fbd3", - "value": "Forced Authentication Mitigation (T1187) mitigates Forced Authentication (T1187)" - }, - { - "meta": { - "source-uuid": "17e919aa-4a49-445c-b103-dbb8df9e7351", 
- "target-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc" - }, - "uuid": "afa1f53f-abd9-4e57-b4e1-4e161dd34e9b", - "value": "POWERSOURCE (S0145) uses Registry Run Keys / Start Folder (T1060)" - }, - { - "meta": { - "source-uuid": "fb261c56-b80e-43a9-8351-c84081e7213d", - "target-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4" - }, - "uuid": "2dec6ce1-e459-4266-86d5-f336ab056f17", - "value": "BACKSPACE (S0031) uses Modify Registry (T1112)" - }, - { - "meta": { - "source-uuid": "8f5e8dc7-739d-4f5e-a8a1-a66e004d7063", - "target-uuid": "fde50aaa-f5de-4cb8-989a-babb57d6a704" - }, - "uuid": "16fd44bf-405b-49c1-96d7-0cacb5d65e74", - "value": "Cleaver (G0003) uses Net Crawler (S0056)" - }, - { - "meta": { - "source-uuid": "f9d6633a-55e6-4adc-9263-6ae080421a13", - "target-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a" - }, - "uuid": "8087d99b-cc05-4e2a-abce-687eb726a9e7", - "value": "Magic Hound (G0059) uses Obfuscated Files or Information (T1027)" - }, - { - "meta": { - "source-uuid": "8901ac23-6b50-410c-b0dd-d8174a86f9b3", - "target-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add" - }, - "uuid": "3ded5760-4f2e-41f5-a2c5-f2b39eaf5733", - "value": "Shamoon (S0140) uses Remote File Copy (T1105)" - }, - { - "meta": { - "source-uuid": "65341f30-bec6-4b1d-8abf-1a5620446c29", - "target-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896" - }, - "uuid": "f44478f1-fdd7-4e84-8b96-60e6c6a10683", - "value": "Reaver (S0172) uses Query Registry (T1012)" - }, - { - "meta": { - "source-uuid": "09b2cd76-c674-47cc-9f57-d2f2ad150a46", - "target-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add" - }, - "uuid": "c4d77981-d2e4-4a12-8e52-5b7464cdc8fd", - "value": "POWRUNER (S0184) uses Remote File Copy (T1105)" - }, - { - "meta": { - "source-uuid": "9ca488bd-9587-48ef-b923-1743523e63b2", - "target-uuid": "4ae4f953-fe58-4cc8-a327-33257e30a830" - }, - "uuid": "b640dfee-9502-4ffb-92e4-f153f8726383", - "value": "SOUNDBITE (S0157) uses Application Window Discovery (T1010)" - }, - { - "meta": { - "source-uuid": 
"2a6f4c7b-e690-4cc7-ab6b-1f821fb6b80b", - "target-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add" - }, - "uuid": "25cb2c8f-79d2-4157-8329-fb86caaca0c3", - "value": "LOWBALL (S0042) uses Remote File Copy (T1105)" - }, - { - "meta": { - "source-uuid": "687c23e4-4e25-4ee7-a870-c5e002511f54", - "target-uuid": "3b744087-9945-4a6f-91e8-9dbceda417a4" - }, - "uuid": "3eb29574-145d-4d4a-b4c6-e94b8a79781e", - "value": "DustySky (S0062) uses Replication Through Removable Media (T1091)" - }, - { - "meta": { - "source-uuid": "687c23e4-4e25-4ee7-a870-c5e002511f54", - "target-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc" - }, - "uuid": "9a7ff784-436b-40c5-bfb0-25e02e1d9940", - "value": "DustySky (S0062) uses Registry Run Keys / Start Folder (T1060)" - }, - { - "meta": { - "source-uuid": "82d8e990-c901-4aed-8596-cc002e7eb307", - "target-uuid": "f3c544dc-673c-4ef3-accb-53229f1ae077" - }, - "uuid": "c593abb1-54ce-4196-a11f-f1dd65fed9aa", - "value": "System Time Discovery Mitigation (T1124) mitigates System Time Discovery (T1124)" - }, - { - "meta": { - "source-uuid": "cb7bcf6f-085f-41db-81ee-4b68481661b5", - "target-uuid": "92d7da27-2d91-488e-a00c-059dc162766d" - }, - "uuid": "dbb1d0eb-c7ee-4794-80d4-66e6281cbc63", - "value": "CallMe (S0077) uses Exfiltration Over Command and Control Channel (T1041)" - }, - { - "meta": { - "source-uuid": "7343e208-7cab-45f2-a47b-41ba5e2f0fab", - "target-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a" - }, - "uuid": "e8d2c3f1-7c86-438c-bead-6a86f9a36463", - "value": "XTunnel (S0117) uses Obfuscated Files or Information (T1027)" - }, - { - "meta": { - "source-uuid": "09b2cd76-c674-47cc-9f57-d2f2ad150a46", - "target-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6" - }, - "uuid": "14b70990-48b0-482b-bd5a-3a99d9d9a653", - "value": "POWRUNER (S0184) uses Standard Application Layer Protocol (T1071)" - }, - { - "meta": { - "source-uuid": "166c0eca-02fd-424a-92c0-6b5106994d31", - "target-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0" - }, - "uuid": 
"fb9cf04b-ad28-472a-9ee3-a2e744e0e122", - "value": "ZLib (S0086) uses Masquerading (T1036)" - }, - { - "meta": { - "source-uuid": "7bec698a-7e20-4fd3-bb6a-12787770fb1a", - "target-uuid": "128c55d3-aeba-469f-bd3e-c8996ab4112a" - }, - "uuid": "d43315b0-d708-4197-b3ed-0a0b1199e434", - "value": "3PARA RAT (S0066) uses Timestomp (T1099)" - }, - { - "meta": { - "source-uuid": "a19c49aa-36fe-4c05-b817-23e1c7a7d085", - "target-uuid": "92a78814-b191-47ca-909c-1ccfe3777414" - }, - "uuid": "82268341-e0a8-4937-8618-351e147daa0c", - "value": "Wiper (S0041) uses Third-party Software (T1072)" - }, - { - "meta": { - "source-uuid": "64fa0de0-6240-41f4-8638-f4ca7ed528fd", - "target-uuid": "c21d5a77-d422-4a69-acd7-2c53c1faa34b" - }, - "uuid": "2eaea386-ee0f-42c4-bca1-ce2d22062f98", - "value": "PlugX (S0013) uses Standard Non-Application Layer Protocol (T1095)" - }, - { - "meta": { - "source-uuid": "68ba94ab-78b8-43e7-83e2-aed3466882c6", - "target-uuid": "0a68f1f1-da74-4d28-8d9a-696c082706cc" - }, - "uuid": "eb9366d5-2bd1-4d0b-8f55-2305827c20d1", - "value": "APT34 (G0057) uses certutil (S0160)" - }, - { - "meta": { - "source-uuid": "c93fccb1-e8e8-42cf-ae33-2ad1d183913a", - "target-uuid": "b9f5dbe2-4c55-4fc5-af2e-d42c1d182ec4" - }, - "uuid": "8c58cfe5-0b71-434c-939a-329b612d2337", - "value": "Lazarus Group (G0032) uses Data Compressed (T1002)" - }, - { - "meta": { - "source-uuid": "af2ad3b7-ab6a-4807-91fd-51bcaff9acbb", - "target-uuid": "128c55d3-aeba-469f-bd3e-c8996ab4112a" - }, - "uuid": "553dbb57-1174-494c-9cfd-dbc83ecc74f6", - "value": "USBStealer (S0136) uses Timestomp (T1099)" - }, - { - "meta": { - "source-uuid": "5f9f7648-04ba-4a9f-bb4c-2a13e74572bd", - "target-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688" - }, - "uuid": "0471088d-7b45-4fec-8946-ae5bf463286b", - "value": "Pteranodon (S0147) uses Screen Capture (T1113)" - }, - { - "meta": { - "source-uuid": "2a158b0a-7ef8-43cb-9985-bf34d1e12050", - "target-uuid": "5a63f900-5e7e-4928-a746-dd4558e1df71" - }, - "uuid": 
"437dd20a-234f-430b-b9ee-4524e1e12aa9", - "value": "Naikon (G0019) uses netsh (S0108)" - }, - { - "meta": { - "source-uuid": "8901ac23-6b50-410c-b0dd-d8174a86f9b3", - "target-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59" - }, - "uuid": "86c9bd0f-4251-4103-9be5-65079750c495", - "value": "Shamoon (S0140) uses File Deletion (T1107)" - }, - { - "meta": { - "source-uuid": "80c91478-ac87-434f-bee7-11f37aec4d74", - "target-uuid": "edbe24e9-aec4-4994-ac75-6a6bc7f1ddd0" - }, - "uuid": "8467ea5f-cb0d-4eb6-b524-8bfd01e58721", - "value": "Dynamic Data Exchange Mitigation (T1173) mitigates Dynamic Data Exchange (T1173)" - }, - { - "meta": { - "source-uuid": "37cc7eb6-12e3-467b-82e8-f20f2cc73c69", - "target-uuid": "241814ae-de3f-4656-b49e-f9a80764d4b7" - }, - "uuid": "98b7d901-4ede-451f-bab8-3b2b37c56bfd", - "value": "Prikormka (S0113) uses Security Software Discovery (T1063)" - }, - { - "meta": { - "source-uuid": "cbf646f1-7db5-4dc6-808b-0094313949df", - "target-uuid": "830c9528-df21-472c-8c14-a036bf17d665" - }, - "uuid": "5ebd97d4-1979-40b2-b38b-b6ed44a2f32f", - "value": "CloudDuke (S0054) uses Web Service (T1102)" - }, - { - "meta": { - "source-uuid": "fae44eea-caa7-42b7-a2e2-0c815ba81b9a", - "target-uuid": "04ee0cb7-dac3-4c6c-9387-4c6aa096f4cf" - }, - "uuid": "edb697fa-d6b2-400a-acad-ccacc38c87c0", - "value": "Hidden Window Mitigation (T1143) mitigates Hidden Window (T1143)" - }, - { - "meta": { - "source-uuid": "4ca1929c-7d64-4aab-b849-badbfc0c760d", - "target-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6" - }, - "uuid": "166326b3-6864-4667-aee9-4d7b24cc75d8", - "value": "OilRig (G0049) uses Standard Application Layer Protocol (T1071)" - }, - { - "meta": { - "source-uuid": "67e6d66b-1b82-4699-b47a-e2efb6268d14", - "target-uuid": "e906ae4d-1d3a-4675-be23-22f7311c0da4" - }, - "uuid": "f653eb7d-7027-4161-9071-b52336bd4fbc", - "value": "SeaDuke (S0053) uses Windows Management Instrumentation Event Subscription (T1084)" - }, - { - "meta": { - "source-uuid": 
"dc5d1a33-62aa-4a0c-aa8c-589b87beb11e", - "target-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0" - }, - "uuid": "e68684df-28b4-4f06-b553-cacf14866605", - "value": "ChChes (S0144) uses Masquerading (T1036)" - }, - { - "meta": { - "source-uuid": "9ea525fa-b0a9-4dde-84f2-bcea0137b3c1", - "target-uuid": "f3c544dc-673c-4ef3-accb-53229f1ae077" - }, - "uuid": "77c63e89-71fe-47e3-babb-13e7722932ad", - "value": "MoonWind (S0149) uses System Time Discovery (T1124)" - }, - { - "meta": { - "source-uuid": "66b1dcde-17a0-4c7b-95fa-b08d430c2131", - "target-uuid": "72b74d71-8169-42aa-92e0-e7b04b9f5a08" - }, - "uuid": "fb0aef48-57f5-4331-acdd-25fdfdf1babb", - "value": "S-Type (S0085) uses Account Discovery (T1087)" - }, - { - "meta": { - "source-uuid": "96b08451-b27a-4ff6-893f-790e26393a8e", - "target-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a" - }, - "uuid": "266a5edd-1425-4ab1-88bf-a0d7897699eb", - "value": "Sakula (S0074) uses Obfuscated Files or Information (T1027)" - }, - { - "meta": { - "source-uuid": "0bbdf25b-30ff-4894-a1cd-49260d0dd2d9", - "target-uuid": "7dd95ff6-712e-4056-9626-312ea4ab4c5e" - }, - "uuid": "87ddc052-0933-4722-9fb2-4653c4a3663c", - "value": "APT3 (G0022) uses Data Staged (T1074)" - }, - { - "meta": { - "source-uuid": "222fbd21-fc4f-4b7e-9f85-0e6e3a76c33f", - "target-uuid": "731f4f55-b6d0-41d1-a7a9-072a66389aea" - }, - "uuid": "3a2d591a-f918-44b3-9e75-7520906b9aa3", - "value": "menuPass (G0045) uses Connection Proxy (T1090)" - }, - { - "meta": { - "source-uuid": "e1161124-f22e-487f-9d5f-ed8efc8dcd61", - "target-uuid": "e01be9c5-e763-4caf-aeb7-000b416aef67" - }, - "uuid": "7e55e411-230e-4d1a-a780-d07784ed2cd6", - "value": "Mis-Type (S0084) uses Create Account (T1136)" - }, - { - "meta": { - "source-uuid": "94379dec-5c87-49db-b36e-66abc0b81344", - "target-uuid": "68f7e3a1-f09f-4164-9a62-16b648a0dd5a" - }, - "uuid": "4f3473a4-f5f5-43d8-a4ec-589763695942", - "value": "Derusbi (S0021) uses Regsvr32 (T1117)" - }, - { - "meta": { - "source-uuid": 
"68ba94ab-78b8-43e7-83e2-aed3466882c6", - "target-uuid": "51dea151-0898-4a45-967c-3ebee0420484" - }, - "uuid": "02b9b0b1-5e7d-42dd-ae8c-68d126a8c3cd", - "value": "APT34 (G0057) uses Remote Desktop Protocol (T1076)" - }, - { - "meta": { - "source-uuid": "6a0ef5d4-fc7c-4dda-85d7-592e4dbdc5d9", - "target-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0" - }, - "uuid": "9b203f00-34db-475f-a28b-f5088d937f4e", - "value": "Sykipot (S0018) uses System Network Configuration Discovery (T1016)" - }, - { - "meta": { - "source-uuid": "64fa0de0-6240-41f4-8638-f4ca7ed528fd", - "target-uuid": "f879d51c-5476-431c-aedf-f14d207e4d1e" - }, - "uuid": "c35702f8-f13f-4851-9cfc-1eea526bd6e1", - "value": "PlugX (S0013) uses Commonly Used Port (T1043)" - }, - { - "meta": { - "source-uuid": "e9595678-d269-469e-ae6b-75e49259de63", - "target-uuid": "348f1eef-964b-4eb6-bb53-69b3dcb0c643" - }, - "uuid": "f9c7d0e1-135f-4e21-8251-3049bc24c18d", - "value": "BADNEWS (S0128) uses Peripheral Device Discovery (T1120)" - }, - { - "meta": { - "source-uuid": "69d6f4a9-fcf0-4f51-bca7-597c51ad0bb8", - "target-uuid": "1b7ba276-eedc-4951-a762-0ceea2c030ec" - }, - "uuid": "8e7ff07b-7a32-4ced-ac22-b523586dbde3", - "value": "Remsec (S0125) uses Data from Removable Media (T1025)" - }, - { - "meta": { - "source-uuid": "fb261c56-b80e-43a9-8351-c84081e7213d", - "target-uuid": "ad255bfe-a9e6-4b52-a258-8d3462abe842" - }, - "uuid": "6c0aae73-fe06-4aa3-8216-568d78747c6d", - "value": "BACKSPACE (S0031) uses Data Obfuscation (T1001)" - }, - { - "meta": { - "source-uuid": "2daa14d6-cbf3-4308-bb8e-213c324a08e4", - "target-uuid": "ad255bfe-a9e6-4b52-a258-8d3462abe842" - }, - "uuid": "34c4b497-00e3-415c-8e09-3b73667d9bbe", - "value": "HAMMERTOSS (S0037) uses Data Obfuscation (T1001)" - }, - { - "meta": { - "source-uuid": "876f6a77-fbc5-4e13-ab1a-5611986730a3", - "target-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688" - }, - "uuid": "dd89d8a2-257a-47f9-8b55-8011ca53007b", - "value": "T9000 (S0098) uses Screen Capture (T1113)" - }, - 
{ - "meta": { - "source-uuid": "e066bf86-9cfb-407a-9d25-26fd5d91e360", - "target-uuid": "46944654-fcc1-4f63-9dad-628102376586" - }, - "uuid": "1762fe5a-0810-4179-bfb0-16d965ffe055", - "value": "HTTPBrowser (S0070) uses DLL Search Order Hijacking (T1038)" - }, - { - "meta": { - "source-uuid": "7bec698a-7e20-4fd3-bb6a-12787770fb1a", - "target-uuid": "3b3cbbe0-6ed3-4334-b543-3ddfd8c5642d" - }, - "uuid": "4a70e764-5c19-4c8e-97e4-486af893cbfc", - "value": "3PARA RAT (S0066) uses Custom Cryptographic Protocol (T1024)" - }, - { - "meta": { - "source-uuid": "94379dec-5c87-49db-b36e-66abc0b81344", - "target-uuid": "f879d51c-5476-431c-aedf-f14d207e4d1e" - }, - "uuid": "bd315928-0b74-491c-b526-ee5e1841842b", - "value": "Derusbi (S0021) uses Commonly Used Port (T1043)" - }, - { - "meta": { - "source-uuid": "9e9b9415-a7df-406b-b14d-92bfe6809fbe", - "target-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add" - }, - "uuid": "438cae9c-cb03-4db9-ae59-24ed27147725", - "value": "Nidiran (S0118) uses Remote File Copy (T1105)" - }, - { - "meta": { - "source-uuid": "64fa0de0-6240-41f4-8638-f4ca7ed528fd", - "target-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0" - }, - "uuid": "0d989c2e-0207-4412-b52a-5d9bf9f96d18", - "value": "PlugX (S0013) uses Masquerading (T1036)" - }, - { - "meta": { - "source-uuid": "dc5d1a33-62aa-4a0c-aa8c-589b87beb11e", - "target-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22" - }, - "uuid": "9bc7f2ff-7ba1-42f4-9e96-2112e99ab12a", - "value": "ChChes (S0144) uses Credential Dumping (T1003)" - }, - { - "meta": { - "source-uuid": "0ced8926-914e-4c78-bc93-356fb90dbd1f", - "target-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1" - }, - "uuid": "d6154157-fe69-4da3-8cc3-790eecf33f8c", - "value": "HALFBAKED (S0151) uses System Information Discovery (T1082)" - }, - { - "meta": { - "source-uuid": "aafea02e-ece5-4bb2-91a6-3bf8c7f38a39", - "target-uuid": "772bc7a8-a157-42cc-8728-d648e25c7fe7" - }, - "uuid": "2b469307-a635-4392-a18f-ed1f24b3a684", - "value": "Cobalt Strike (S0154) uses 
Distributed Component Object Model (T1175)" - }, - { - "meta": { - "source-uuid": "68dca94f-c11d-421e-9287-7c501108e18c", - "target-uuid": "7dd95ff6-712e-4056-9626-312ea4ab4c5e" - }, - "uuid": "611cb6eb-efdb-4d74-b354-5064ab52bd34", - "value": "Duqu (S0038) uses Data Staged (T1074)" - }, - { - "meta": { - "source-uuid": "03c0c586-50ed-45a7-95f4-f496d7eb5330", - "target-uuid": "086952c4-5b90-4185-b573-02bad8e11953" - }, - "uuid": "94db2b6e-c01c-4aec-9229-4a6dcda3c6ee", - "value": "HISTCONTROL Mitigation (T1148) mitigates HISTCONTROL (T1148)" - }, - { - "meta": { - "source-uuid": "102c3898-85e0-43ee-ae28-62a0a3ed9507", - "target-uuid": "ca1a3f50-5ebd-41f8-8320-2c7d6a6e88be" - }, - "uuid": "ecd83e69-2eb1-4c2d-a01f-e42ea8f807f9", - "value": "UACMe (S0116) uses Bypass User Account Control (T1088)" - }, - { - "meta": { - "source-uuid": "eff1a885-6f90-42a1-901f-eef6e7a1905e", - "target-uuid": "cc7b8c4e-9be0-47ca-b0bb-83915ec3ee2f" - }, - "uuid": "e68ff1c2-ef03-486b-96df-167a1652a97b", - "value": "Helminth (S0170) uses Data Encoding (T1132)" - }, - { - "meta": { - "source-uuid": "dcd81c6e-ebf7-4a16-93e0-9a97fa49c88a", - "target-uuid": "d54416bd-0803-41ca-870a-ce1af7c05638" - }, - "uuid": "292b2a10-ebee-4fbb-b359-2eee16aa46ba", - "value": "CopyKittens (G0052) uses Data Encrypted (T1022)" - }, - { - "meta": { - "source-uuid": "aafea02e-ece5-4bb2-91a6-3bf8c7f38a39", - "target-uuid": "54a649ff-439a-41a4-9856-8d144a2551ba" - }, - "uuid": "66eb9cc1-4eb4-4b84-8140-bd48da33e93d", - "value": "Cobalt Strike (S0154) uses Remote Services (T1021)" - }, - { - "meta": { - "source-uuid": "5cbe0d3b-6fb1-471f-b591-4b192915116d", - "target-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81" - }, - "uuid": "82b679af-7408-4f41-8fc0-5b0cf5993726", - "value": "Suckfly (G0039) uses Valid Accounts (T1078)" - }, - { - "meta": { - "source-uuid": "222fbd21-fc4f-4b7e-9f85-0e6e3a76c33f", - "target-uuid": "7dd95ff6-712e-4056-9626-312ea4ab4c5e" - }, - "uuid": "bbd29878-c16a-45ee-9785-78550f080d83", - "value": 
"menuPass (G0045) uses Data Staged (T1074)" - }, - { - "meta": { - "source-uuid": "af2ad3b7-ab6a-4807-91fd-51bcaff9acbb", - "target-uuid": "3b744087-9945-4a6f-91e8-9dbceda417a4" - }, - "uuid": "e3e841fa-b806-4c22-9f98-a97950b68931", - "value": "USBStealer (S0136) uses Replication Through Removable Media (T1091)" - }, - { - "meta": { - "source-uuid": "68ba94ab-78b8-43e7-83e2-aed3466882c6", - "target-uuid": "4664b683-f578-434f-919b-1c1aad2a1111" - }, - "uuid": "1fe875f1-89b6-447b-9d96-63c0cebecb9b", - "value": "APT34 (G0057) uses netstat (S0104)" - }, - { - "meta": { - "source-uuid": "6a2e693f-24e5-451a-9f88-b36a108e5662", - "target-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5" - }, - "uuid": "38a72b32-dc04-493d-8b92-31174c32f3ed", - "value": "APT1 (G0006) uses Data from Local System (T1005)" - }, - { - "meta": { - "source-uuid": "76abb3ef-dafd-4762-97cb-a35379429db4", - "target-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d" - }, - "uuid": "86ebda8c-df0c-4d76-970b-27bf392606a7", - "value": "Gazer (S0168) uses Process Injection (T1055)" - }, - { - "meta": { - "source-uuid": "d3afa961-a80c-4043-9509-282cdf69ab21", - "target-uuid": "62b8c999-dcc0-4755-bd69-09442d9359f5" - }, - "uuid": "6b11697f-be6c-4cd7-b445-4d277a8d7346", - "value": "Winnti (S0141) uses Rundll32 (T1085)" - }, - { - "meta": { - "source-uuid": "0db09158-6e48-4e7c-8ce7-2b10b9c0c039", - "target-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59" - }, - "uuid": "70a1cab8-dd98-4b82-9f7f-36294e3889c0", - "value": "Misdat (S0083) uses File Deletion (T1107)" - }, - { - "meta": { - "source-uuid": "fb575479-14ef-41e9-bfab-0b7cf10bec73", - "target-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1" - }, - "uuid": "090a553a-b863-4214-aa3b-cf8ea7ba2d68", - "value": "ADVSTORESHELL (S0045) uses System Information Discovery (T1082)" - }, - { - "meta": { - "source-uuid": "1cc934e4-b01d-4543-a011-b988dfc1a458", - "target-uuid": "62b8c999-dcc0-4755-bd69-09442d9359f5" - }, - "uuid": "cd70a632-a961-4adb-aea9-9995ef8e2b54", - "value": 
"Matroyshka (S0167) uses Rundll32 (T1085)" - }, - { - "meta": { - "source-uuid": "8901ac23-6b50-410c-b0dd-d8174a86f9b3", - "target-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1" - }, - "uuid": "272068a3-47e3-42d6-8772-71d39c1976c3", - "value": "Shamoon (S0140) uses System Information Discovery (T1082)" - }, - { - "meta": { - "source-uuid": "bef4c620-0787-42a8-a96d-b7eb6e85917c", - "target-uuid": "f108215f-3487-489d-be8b-80e346d32518" - }, - "uuid": "63841959-afe2-4cb0-a93e-d407eb1b8d66", - "value": "APT28 (G0007) uses Komplex (S0162)" - }, - { - "meta": { - "source-uuid": "93f52415-0fe4-4d3d-896c-fc9b8e88ab90", - "target-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add" - }, - "uuid": "d7c5e4f4-cede-4a81-b46f-035b9e702e61", - "value": "BRONZE BUTLER (G0060) uses Remote File Copy (T1105)" - }, - { - "meta": { - "source-uuid": "7a19ecb1-3c65-4de3-a230-993516aed6a6", - "target-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580" - }, - "uuid": "9dfb7899-20af-4eea-bfca-f608d885cb00", - "value": "Turla (G0010) uses Process Discovery (T1057)" - }, - { - "meta": { - "source-uuid": "0bbdf25b-30ff-4894-a1cd-49260d0dd2d9", - "target-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22" - }, - "uuid": "c948f964-e26c-4226-9577-7b78b5bf271f", - "value": "APT3 (G0022) uses Credential Dumping (T1003)" - }, - { - "meta": { - "source-uuid": "fb366179-766c-4a4a-afa1-52bff1fd601c", - "target-uuid": "e7eab98d-ae11-4491-bd28-a53ba875865a" - }, - "uuid": "dc7cb17d-c3d3-4c3c-b79e-499cede49baa", - "value": "Threat Group-3390 (G0027) uses Network Share Connection Removal (T1126)" - }, - { - "meta": { - "source-uuid": "1c63d4ec-0a75-4daa-b1df-0d11af3d3cc1", - "target-uuid": "c16e5409-ee53-4d79-afdc-4099dc9292df" - }, - "uuid": "2fbcd38e-0ec9-4f2d-823b-3654f108f3a3", - "value": "Dragonfly (G0035) uses Web Shell (T1100)" - }, - { - "meta": { - "source-uuid": "4b998a71-7b8f-4dcc-8f3f-277f2e740271", - "target-uuid": "00d0b012-8a03-410e-95de-5826bf542de6" - }, - "uuid": "5978c8e0-8b60-4ad5-8fc9-9fa1ee4d7387", - 
"value": "Indicator Removal from Tools Mitigation (T1066) mitigates Indicator Removal from Tools (T1066)" - }, - { - "meta": { - "source-uuid": "894aab42-3371-47b1-8859-a4a074c804c8", - "target-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104" - }, - "uuid": "8ebab956-4440-4fd7-96ff-8da29e0f0b46", - "value": "Stealth Falcon (G0038) uses System Owner/User Discovery (T1033)" - }, - { - "meta": { - "source-uuid": "53cf6cc4-65aa-445a-bcf8-c3d296f8a7a2", - "target-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830" - }, - "uuid": "84fcda4b-e58e-4ecd-8366-77d464e043ee", - "value": "NETEAGLE (S0034) uses Command-Line Interface (T1059)" - }, - { - "meta": { - "source-uuid": "ab3580c8-8435-4117-aace-3d9fbe46aa56", - "target-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add" - }, - "uuid": "321544e0-902c-443e-adf9-d7e78f0e4d13", - "value": "Unknown Logger (S0130) uses Remote File Copy (T1105)" - }, - { - "meta": { - "source-uuid": "2a6f4c7b-e690-4cc7-ab6b-1f821fb6b80b", - "target-uuid": "830c9528-df21-472c-8c14-a036bf17d665" - }, - "uuid": "8c9f23e6-2665-45b3-9c28-53a9335b16ce", - "value": "LOWBALL (S0042) uses Web Service (T1102)" - }, - { - "meta": { - "source-uuid": "69d6f4a9-fcf0-4f51-bca7-597c51ad0bb8", - "target-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9" - }, - "uuid": "b2cf6651-3f2c-4522-9360-dbc5c7af43c5", - "value": "Remsec (S0125) uses Scheduled Task (T1053)" - }, - { - "meta": { - "source-uuid": "69d6f4a9-fcf0-4f51-bca7-597c51ad0bb8", - "target-uuid": "a19e86f8-1c0a-4fea-8407-23b73d615776" - }, - "uuid": "1ce50a6a-5f0b-40ca-9a71-41369ae3fdcd", - "value": "Remsec (S0125) uses Exfiltration Over Alternative Protocol (T1048)" - }, - { - "meta": { - "source-uuid": "93f52415-0fe4-4d3d-896c-fc9b8e88ab90", - "target-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688" - }, - "uuid": "2d840d1b-28d7-4387-86fd-6d3df8650171", - "value": "BRONZE BUTLER (G0060) uses Screen Capture (T1113)" - }, - { - "meta": { - "source-uuid": "54cc1d4f-5c53-4f0e-9ef5-11b4998e82e4", - "target-uuid": 
"ca1a3f50-5ebd-41f8-8320-2c7d6a6e88be" - }, - "uuid": "054a22c3-f0ee-476a-b0cb-e3277c755032", - "value": "BlackEnergy (S0089) uses Bypass User Account Control (T1088)" - }, - { - "meta": { - "source-uuid": "64d76fa5-cf8f-469c-b78c-1a4f7c5bad80", - "target-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6" - }, - "uuid": "7fd6c479-00ae-478d-a29b-fc40619eea97", - "value": "BBSRAT (S0127) uses Standard Application Layer Protocol (T1071)" - }, - { - "meta": { - "source-uuid": "cafd0bf8-2b9c-46c7-ae3c-3e0f42c5062e", - "target-uuid": "4ae4f953-fe58-4cc8-a327-33257e30a830" - }, - "uuid": "10c6cc56-a028-4c2a-b24e-38d97fb4ebb7", - "value": "NetTraveler (S0033) uses Application Window Discovery (T1010)" - }, - { - "meta": { - "source-uuid": "8f5e8dc7-739d-4f5e-a8a1-a66e004d7063", - "target-uuid": "ff6caf67-ea1f-4895-b80e-4bb0fc31c6db" - }, - "uuid": "3cd8ef78-9d92-4e28-97ae-5bd6c698bfec", - "value": "Cleaver (G0003) uses PsExec (S0029)" - }, - { - "meta": { - "source-uuid": "60c18d06-7b91-4742-bae3-647845cd9d81", - "target-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a" - }, - "uuid": "e6f5bde4-869f-4c9a-9414-11ea48386204", - "value": "CORESHELL (S0137) uses Obfuscated Files or Information (T1027)" - }, - { - "meta": { - "source-uuid": "fbe9387f-34e6-4828-ac28-3080020c597b", - "target-uuid": "51dea151-0898-4a45-967c-3ebee0420484" - }, - "uuid": "a48e7d01-012a-4336-9676-0f34e8501e22", - "value": "FIN10 (G0051) uses Remote Desktop Protocol (T1076)" - }, - { - "meta": { - "source-uuid": "bb3c1098-d654-4620-bf40-694386d28921", - "target-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2" - }, - "uuid": "bfd49393-75b6-4e67-af74-4bf3c87624b0", - "value": "FakeM (S0076) uses Input Capture (T1056)" - }, - { - "meta": { - "source-uuid": "a1dd2dbd-1550-44bf-abcc-1a4c52e97719", - "target-uuid": "0dbf5f1b-a560-4d51-ac1b-d70caab3e1f0" - }, - "uuid": "aef7fe44-f381-41d5-88af-f04135e3aeab", - "value": "Responder (S0174) uses LLMNR/NBT-NS Poisoning (T1171)" - }, - { - "meta": { - "source-uuid": 
"9559ecaf-2e75-48a7-aee8-9974020bc772", - "target-uuid": "e9595678-d269-469e-ae6b-75e49259de63" - }, - "uuid": "238a7a2c-34db-4f43-a94b-4a6ad225129d", - "value": "MONSOON (G0042) uses BADNEWS (S0128)" - }, - { - "meta": { - "source-uuid": "6a0ef5d4-fc7c-4dda-85d7-592e4dbdc5d9", - "target-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580" - }, - "uuid": "4438ba64-0cd2-46e9-8a67-c685bf9b404c", - "value": "Sykipot (S0018) uses Process Discovery (T1057)" - }, - { - "meta": { - "source-uuid": "0ea72cd5-ca30-46ba-bc04-378f701c658f", - "target-uuid": "54a649ff-439a-41a4-9856-8d144a2551ba" - }, - "uuid": "7db7f665-6e29-4789-8a3d-d6cb8d0af31e", - "value": "GCMAN (G0036) uses Remote Services (T1021)" - }, - { - "meta": { - "source-uuid": "0998045d-f96e-4284-95ce-3c8219707486", - "target-uuid": "128c55d3-aeba-469f-bd3e-c8996ab4112a" - }, - "uuid": "6d562520-86bb-4251-9431-a4958bec097c", - "value": "SEASHARPEE (S0185) uses Timestomp (T1099)" - }, - { - "meta": { - "source-uuid": "1c63d4ec-0a75-4daa-b1df-0d11af3d3cc1", - "target-uuid": "799ace7f-e227-4411-baa0-8868704f2a69" - }, - "uuid": "596c4579-14ea-4c1f-9503-cf47693f18a8", - "value": "Dragonfly (G0035) uses Indicator Removal on Host (T1070)" - }, - { - "meta": { - "source-uuid": "fece06b7-d4b1-42cf-b81a-5323c917546e", - "target-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59" - }, - "uuid": "3b32f3be-5bdd-4de8-9e39-83b0b8c1e70f", - "value": "FALLCHILL (S0181) uses File Deletion (T1107)" - }, - { - "meta": { - "source-uuid": "96b08451-b27a-4ff6-893f-790e26393a8e", - "target-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc" - }, - "uuid": "384c75e4-04e7-4ff8-9da6-0c8a03cb7a61", - "value": "Sakula (S0074) uses Registry Run Keys / Start Folder (T1060)" - }, - { - "meta": { - "source-uuid": "92ec0cbd-2c30-44a2-b270-73f4ec949841", - "target-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688" - }, - "uuid": "f6d23c00-158e-4e39-bf9b-f18344cd0151", - "value": "RTM (S0148) uses Screen Capture (T1113)" - }, - { - "meta": { - "source-uuid": 
"d75a3d1b-b536-4f15-a23c-f4bcc17837b8", - "target-uuid": "731f4f55-b6d0-41d1-a7a9-072a66389aea" - }, - "uuid": "eede138c-9745-453c-a8b5-684b696c2ad0", - "value": "Connection Proxy Mitigation (T1090) mitigates Connection Proxy (T1090)" - }, - { - "meta": { - "source-uuid": "222fbd21-fc4f-4b7e-9f85-0e6e3a76c33f", - "target-uuid": "b42378e0-f147-496f-992a-26a49705395b" - }, - "uuid": "bab6aadc-7a93-43e4-88cb-904fd1f2fddd", - "value": "menuPass (G0045) uses PoisonIvy (S0012)" - }, - { - "meta": { - "source-uuid": "6713ab67-e25b-49cc-808d-2b36d4fbc35c", - "target-uuid": "92d7da27-2d91-488e-a00c-059dc162766d" - }, - "uuid": "49f2c182-bd69-4874-9102-b5fd1acac59c", - "value": "Ke3chang (G0004) uses Exfiltration Over Command and Control Channel (T1041)" - }, - { - "meta": { - "source-uuid": "17862c7d-9e60-48a0-b48e-da4dc4c3f6b0", - "target-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0" - }, - "uuid": "42d4ae64-75da-4dfd-b23f-d270252115ee", - "value": "Patchwork (G0040) uses Masquerading (T1036)" - }, - { - "meta": { - "source-uuid": "277d2f87-2ae5-4730-a3aa-50c1fdff9656", - "target-uuid": "731f4f55-b6d0-41d1-a7a9-072a66389aea" - }, - "uuid": "6476b9fe-dc7f-4578-a39d-beebc8390af2", - "value": "Strider (G0041) uses Connection Proxy (T1090)" - }, - { - "meta": { - "source-uuid": "67e6d66b-1b82-4699-b47a-e2efb6268d14", - "target-uuid": "4b74a1d4-b0e9-4ef1-93f1-14ecc6e2f5b5" - }, - "uuid": "c8d0e862-20af-4f9f-84e8-0419c8080008", - "value": "SeaDuke (S0053) uses Standard Cryptographic Protocol (T1032)" - }, - { - "meta": { - "source-uuid": "222fbd21-fc4f-4b7e-9f85-0e6e3a76c33f", - "target-uuid": "17b40f60-729f-4fe8-8aea-cc9ee44a95d5" - }, - "uuid": "3dd745f5-1c0c-4376-8850-89679fcd4e31", - "value": "menuPass (G0045) uses RedLeaves (S0153)" - }, - { - "meta": { - "source-uuid": "196f1f32-e0c2-4d46-99cd-234d4b6befe1", - "target-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0" - }, - "uuid": "c74cbdc5-e454-4b22-957e-926854dd37f1", - "value": "Felismus (S0171) uses System Network 
Configuration Discovery (T1016)" - }, - { - "meta": { - "source-uuid": "16ade1aa-0ea1-4bb7-88cc-9079df2ae756", - "target-uuid": "7fcbc4e8-1989-441f-9ac5-e7b6ff5806f1" - }, - "uuid": "318afc9f-92f3-4262-af70-b2e045b87737", - "value": "admin@338 (G0018) uses Systeminfo (S0096)" - }, - { - "meta": { - "source-uuid": "4c59cce8-cb48-4141-b9f1-f646edfaadb0", - "target-uuid": "1b84d551-6de8-4b96-9930-d177677c3b1d" - }, - "uuid": "47109a67-e1af-4f5c-8c58-c1580ff5c6ec", - "value": "Regin (S0019) uses Code Signing (T1116)" - }, - { - "meta": { - "source-uuid": "92ec0cbd-2c30-44a2-b270-73f4ec949841", - "target-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1" - }, - "uuid": "c6606ced-4641-451f-ac2a-493b1d15d0aa", - "value": "RTM (S0148) uses System Information Discovery (T1082)" - }, - { - "meta": { - "source-uuid": "5be33fef-39c0-4532-84ee-bea31e1b5324", - "target-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a" - }, - "uuid": "a0500766-a6ba-4672-b7fc-2a712cd0cfca", - "value": "ISMInjector (S0189) uses Obfuscated Files or Information (T1027)" - }, - { - "meta": { - "source-uuid": "a0cb9370-e39b-44d5-9f50-ef78e412b973", - "target-uuid": "51dea151-0898-4a45-967c-3ebee0420484" - }, - "uuid": "70f3eaca-179d-4412-ad32-c4e3cf60c27c", - "value": "Axiom (G0001) uses Remote Desktop Protocol (T1076)" - }, - { - "meta": { - "source-uuid": "2a158b0a-7ef8-43cb-9985-bf34d1e12050", - "target-uuid": "7fcbc4e8-1989-441f-9ac5-e7b6ff5806f1" - }, - "uuid": "4b521c7b-c66b-4bbc-847e-d6a13e9ae62c", - "value": "Naikon (G0019) uses Systeminfo (S0096)" - }, - { - "meta": { - "source-uuid": "06824aa2-94a5-474c-97f6-57c2e983d885", - "target-uuid": "36675cd3-fe00-454c-8516-aebecacbe9d9" - }, - "uuid": "ab6dbf38-dfed-4bfa-9d7d-bbe6864f82d3", - "value": "Login Item Mitigation (T1162) mitigates Login Item (T1162)" - }, - { - "meta": { - "source-uuid": "d8787791-d22e-45bb-a9a8-251d8d0a1ff2", - "target-uuid": "322bad5a-1c49-4d23-ab79-76d641794afa" - }, - "uuid": "338cf92d-43a8-4fdd-948d-1a3bde10d917", - "value": 
"System Service Discovery Mitigation (T1007) mitigates System Service Discovery (T1007)" - }, - { - "meta": { - "source-uuid": "aafea02e-ece5-4bb2-91a6-3bf8c7f38a39", - "target-uuid": "478aa214-2ca7-4ec0-9978-18798e514790" - }, - "uuid": "d4f48744-0564-4ef3-bdae-421076912495", - "value": "Cobalt Strike (S0154) uses New Service (T1050)" - }, - { - "meta": { - "source-uuid": "dc5d1a33-62aa-4a0c-aa8c-589b87beb11e", - "target-uuid": "1b84d551-6de8-4b96-9930-d177677c3b1d" - }, - "uuid": "fe0c8388-46fb-4064-9837-56a23339ffaa", - "value": "ChChes (S0144) uses Code Signing (T1116)" - }, - { - "meta": { - "source-uuid": "82cb34ba-02b5-432b-b2d2-07f55cbf674d", - "target-uuid": "6ff403bc-93e3-48be-8687-e102fdba8c88" - }, - "uuid": "40c202ae-fd92-4506-b72a-5fb0e7bcf99a", - "value": "Trojan.Karagany (S0094) uses Software Packing (T1045)" - }, - { - "meta": { - "source-uuid": "e9595678-d269-469e-ae6b-75e49259de63", - "target-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc" - }, - "uuid": "8c359d18-06fc-4db1-9b58-6e85fa563066", - "value": "BADNEWS (S0128) uses Registry Run Keys / Start Folder (T1060)" - }, - { - "meta": { - "source-uuid": "aafea02e-ece5-4bb2-91a6-3bf8c7f38a39", - "target-uuid": "c3bce4f4-9795-46c6-976e-8676300bbc39" - }, - "uuid": "d328f1e2-c98f-473e-aea5-063e1ee70744", - "value": "Cobalt Strike (S0154) uses Windows Remote Management (T1028)" - }, - { - "meta": { - "source-uuid": "68dca94f-c11d-421e-9287-7c501108e18c", - "target-uuid": "ffe742ed-9100-4686-9e00-c331da544787" - }, - "uuid": "8d7cd505-3b0e-4e90-bf47-6552612958dc", - "value": "Duqu (S0038) uses Windows Admin Shares (T1077)" - }, - { - "meta": { - "source-uuid": "92ec0cbd-2c30-44a2-b270-73f4ec949841", - "target-uuid": "7bc57495-ea59-4380-be31-a64af124ef18" - }, - "uuid": "d412ff4a-d9d0-44a9-b8b3-36a650f18036", - "value": "RTM (S0148) uses File and Directory Discovery (T1083)" - }, - { - "meta": { - "source-uuid": "7ecc3b4f-5cdb-457e-b55a-df376b359446", - "target-uuid": 
"0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22" - }, - "uuid": "35aac341-5371-42e8-ad93-3ab94a11b51a", - "value": "Poseidon Group (G0033) uses Credential Dumping (T1003)" - }, - { - "meta": { - "source-uuid": "6713ab67-e25b-49cc-808d-2b36d4fbc35c", - "target-uuid": "15dbf668-795c-41e6-8219-f0447c0e64ce" - }, - "uuid": "b368c7c2-a593-45cb-b557-aac668a02656", - "value": "Ke3chang (G0004) uses Permission Groups Discovery (T1069)" - }, - { - "meta": { - "source-uuid": "007b44b6-e4c5-480b-b5b9-56f2081b1b7b", - "target-uuid": "2e0dd10b-676d-4964-acd0-8a404c92b044" - }, - "uuid": "7209b3d7-b8c8-4fc0-89fb-a5448f015540", - "value": "HDoor (S0061) uses Disabling Security Tools (T1089)" - }, - { - "meta": { - "source-uuid": "222fbd21-fc4f-4b7e-9f85-0e6e3a76c33f", - "target-uuid": "e358d692-23c0-4a31-9eb6-ecc13a8d7735" - }, - "uuid": "03f32a8b-4cd9-488c-9759-37f3dff9faea", - "value": "menuPass (G0045) uses Remote System Discovery (T1018)" - }, - { - "meta": { - "source-uuid": "6a2e693f-24e5-451a-9f88-b36a108e5662", - "target-uuid": "2fab555f-7664-4623-b4e0-1675ae38190b" - }, - "uuid": "44858dc2-c869-42a0-8f67-3ddd9660b538", - "value": "APT1 (G0006) uses Lslsass (S0121)" - }, - { - "meta": { - "source-uuid": "0bbdf25b-30ff-4894-a1cd-49260d0dd2d9", - "target-uuid": "ba8e391f-14b5-496f-81f2-2d5ecd646c1c" - }, - "uuid": "80dcd852-39c2-4ef9-a401-e54982010a65", - "value": "APT3 (G0022) uses Credentials in Files (T1081)" - }, - { - "meta": { - "source-uuid": "91000a8a-58cc-4aba-9ad0-993ad6302b86", - "target-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830" - }, - "uuid": "fa04b7b3-e9ea-4c35-a2a5-8d0c73f5698b", - "value": "StreamEx (S0142) uses Command-Line Interface (T1059)" - }, - { - "meta": { - "source-uuid": "552462b9-ae79-49dd-855c-5973014e157f", - "target-uuid": "f2d44246-91f1-478a-b6c8-1227e0ca109d" - }, - "uuid": "e584ec5f-af99-4d61-8b02-3dbacae4adf4", - "value": "Zeroaccess (S0027) uses NTFS Extended Attributes (T1096)" - }, - { - "meta": { - "source-uuid": 
"083bb47b-02c8-4423-81a2-f9ef58572974", - "target-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22" - }, - "uuid": "adf7a6a5-91b0-4c37-9fa5-0bfbb382a838", - "value": "Backdoor.Oldrea (S0093) uses Credential Dumping (T1003)" - }, - { - "meta": { - "source-uuid": "1c63d4ec-0a75-4daa-b1df-0d11af3d3cc1", - "target-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9" - }, - "uuid": "ba95a6e7-3235-4dcd-93eb-4eebc4d0aaec", - "value": "Dragonfly (G0035) uses Scheduled Task (T1053)" - }, - { - "meta": { - "source-uuid": "f8dfbc54-b070-4224-b560-79aaa5f835bd", - "target-uuid": "246fd3c7-f5e3-466d-8787-4c13d9e3b61c" - }, - "uuid": "1539eaf6-e4ea-4e9d-af2b-2594d1ca5b38", - "value": "H1N1 (S0132) uses Taint Shared Content (T1080)" - }, - { - "meta": { - "source-uuid": "3cab1b76-2f40-4cd0-8d2c-7ed16eeb909c", - "target-uuid": "7bc57495-ea59-4380-be31-a64af124ef18" - }, - "uuid": "10619fa8-c479-4b61-9aac-ee08f00114d1", - "value": "ELMER (S0064) uses File and Directory Discovery (T1083)" - }, - { - "meta": { - "source-uuid": "93f52415-0fe4-4d3d-896c-fc9b8e88ab90", - "target-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c" - }, - "uuid": "03303147-db81-4cb3-9368-98ee4f963c1a", - "value": "BRONZE BUTLER (G0060) uses Deobfuscate/Decode Files or Information (T1140)" - }, - { - "meta": { - "source-uuid": "9752aef4-a1f3-4328-929f-b64eb0536090", - "target-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0" - }, - "uuid": "37aa4e22-824b-468c-ae46-d9d007cc7cc7", - "value": "RawPOS (S0169) uses Masquerading (T1036)" - }, - { - "meta": { - "source-uuid": "e6ef745b-077f-42e1-a37d-29eecff9c754", - "target-uuid": "241814ae-de3f-4656-b49e-f9a80764d4b7" - }, - "uuid": "330c8e43-575f-4c9a-b6c2-def7306841ad", - "value": "CozyCar (S0046) uses Security Software Discovery (T1063)" - }, - { - "meta": { - "source-uuid": "7bec698a-7e20-4fd3-bb6a-12787770fb1a", - "target-uuid": "4b74a1d4-b0e9-4ef1-93f1-14ecc6e2f5b5" - }, - "uuid": "0e630f6b-8662-4ffe-b666-709e17aad69f", - "value": "3PARA RAT (S0066) uses Standard 
Cryptographic Protocol (T1032)" - }, - { - "meta": { - "source-uuid": "7551188b-8f91-4d34-8350-0d0c57b2b913", - "target-uuid": "7bc57495-ea59-4380-be31-a64af124ef18" - }, - "uuid": "6e39f6fe-3808-41ae-9263-1fd23865bd7b", - "value": "Elise (S0081) uses File and Directory Discovery (T1083)" - }, - { - "meta": { - "source-uuid": "54cc1d4f-5c53-4f0e-9ef5-11b4998e82e4", - "target-uuid": "970cdb5c-02fb-4c38-b17e-d6327cf3c810" - }, - "uuid": "8200c438-ec29-4f0e-81c3-9a058c735748", - "value": "BlackEnergy (S0089) uses Shortcut Modification (T1023)" - }, - { - "meta": { - "source-uuid": "69d6f4a9-fcf0-4f51-bca7-597c51ad0bb8", - "target-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2" - }, - "uuid": "2f5f2d31-739e-4dc5-b137-840401985244", - "value": "Remsec (S0125) uses Input Capture (T1056)" - }, - { - "meta": { - "source-uuid": "fb575479-14ef-41e9-bfab-0b7cf10bec73", - "target-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896" - }, - "uuid": "9f496c45-eac5-464f-858b-ef481f2f37ff", - "value": "ADVSTORESHELL (S0045) uses Query Registry (T1012)" - }, - { - "meta": { - "source-uuid": "0f862b01-99da-47cc-9bdb-db4a86a95bb1", - "target-uuid": "62b8c999-dcc0-4755-bd69-09442d9359f5" - }, - "uuid": "1c6f35f0-1169-4218-9881-7291e1765cd8", - "value": "Emissary (S0082) uses Rundll32 (T1085)" - }, - { - "meta": { - "source-uuid": "222fbd21-fc4f-4b7e-9f85-0e6e3a76c33f", - "target-uuid": "ae676644-d2d2-41b7-af7e-9bed1b55898c" - }, - "uuid": "c2909563-2b7e-48d6-b165-05b8eff63862", - "value": "menuPass (G0045) uses Data from Network Shared Drive (T1039)" - }, - { - "meta": { - "source-uuid": "0bbdf25b-30ff-4894-a1cd-49260d0dd2d9", - "target-uuid": "4e6b9625-bbda-4d96-a652-b3bb45453f26" - }, - "uuid": "f24d37c0-283d-4f37-8278-07fc75cc0e94", - "value": "APT3 (G0022) uses RemoteCMD (S0166)" - }, - { - "meta": { - "source-uuid": "cafd0bf8-2b9c-46c7-ae3c-3e0f42c5062e", - "target-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2" - }, - "uuid": "2be17426-9704-4913-981b-6d8fe4471147", - "value": "NetTraveler 
(S0033) uses Input Capture (T1056)" - }, - { - "meta": { - "source-uuid": "9378f139-10ef-4e4b-b679-2255a0818902", - "target-uuid": "39a130e1-6ab7-434a-8bd2-418e7d9d6427" - }, - "uuid": "52b6181e-881e-4b96-93a3-1292bc2f1352", - "value": "Service Registry Permissions Weakness Mitigation (T1058) mitigates Service Registry Permissions Weakness (T1058)" - }, - { - "meta": { - "source-uuid": "894aab42-3371-47b1-8859-a4a074c804c8", - "target-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5" - }, - "uuid": "cdf73653-b2d7-422f-b433-b6a428ff12d4", - "value": "Stealth Falcon (G0038) uses Data from Local System (T1005)" - }, - { - "meta": { - "source-uuid": "c0c45d38-fe57-4cd4-b2b2-9ecd0ddd4ca9", - "target-uuid": "478aa214-2ca7-4ec0-9978-18798e514790" - }, - "uuid": "90347c97-c0c5-4407-9087-b917d0789b0e", - "value": "TinyZBot (S0004) uses New Service (T1050)" - }, - { - "meta": { - "source-uuid": "ae9d818d-95d0-41da-b045-9cabea1ca164", - "target-uuid": "7bc57495-ea59-4380-be31-a64af124ef18" - }, - "uuid": "1fbde0c8-1b00-40bf-8fef-11892d103d63", - "value": "PinchDuke (S0048) uses File and Directory Discovery (T1083)" - }, - { - "meta": { - "source-uuid": "26fed817-e7bf-41f9-829a-9075ffac45c2", - "target-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc" - }, - "uuid": "828afc32-9874-40aa-b752-315c7623ffee", - "value": "Kasidet (S0088) uses Registry Run Keys / Start Folder (T1060)" - }, - { - "meta": { - "source-uuid": "0ced8926-914e-4c78-bc93-356fb90dbd1f", - "target-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59" - }, - "uuid": "d0013f9d-4243-4ade-8d06-a2cd6158ca58", - "value": "HALFBAKED (S0151) uses File Deletion (T1107)" - }, - { - "meta": { - "source-uuid": "ae41895a-243f-4a65-b99b-d85022326c31", - "target-uuid": "e1161124-f22e-487f-9d5f-ed8efc8dcd61" - }, - "uuid": "2092cbf8-4b5e-40e9-93dd-bfd8a71b4e8c", - "value": "Dust Storm (G0031) uses Mis-Type (S0084)" - }, - { - "meta": { - "source-uuid": "69d6f4a9-fcf0-4f51-bca7-597c51ad0bb8", - "target-uuid": 
"0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22" - }, - "uuid": "852009ed-1b50-4b08-9e77-53f0271d995c", - "value": "Remsec (S0125) uses Credential Dumping (T1003)" - }, - { - "meta": { - "source-uuid": "93f52415-0fe4-4d3d-896c-fc9b8e88ab90", - "target-uuid": "0c8465c0-d0b4-4670-992e-4eee8d7ff952" - }, - "uuid": "80fc5f0c-3dcb-45ab-807a-bfa3d64334c6", - "value": "BRONZE BUTLER (G0060) uses at (S0110)" - }, - { - "meta": { - "source-uuid": "7551188b-8f91-4d34-8350-0d0c57b2b913", - "target-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0" - }, - "uuid": "0fd5d3bc-d736-43c0-b9ec-f1dcd95411a7", - "value": "Elise (S0081) uses Masquerading (T1036)" - }, - { - "meta": { - "source-uuid": "2a7914cf-dff3-428d-ab0f-1014d1c28aeb", - "target-uuid": "30208d3e-0d6b-43c8-883e-44462a514619" - }, - "uuid": "ac7d5b88-7929-4f64-abcd-8219caafac24", - "value": "FIN6 (G0037) uses Automated Collection (T1119)" - }, - { - "meta": { - "source-uuid": "7551188b-8f91-4d34-8350-0d0c57b2b913", - "target-uuid": "cc7b8c4e-9be0-47ca-b0bb-83915ec3ee2f" - }, - "uuid": "c667befa-7242-47f8-bdc1-1056f62bb466", - "value": "Elise (S0081) uses Data Encoding (T1132)" - }, - { - "meta": { - "source-uuid": "38fd6a28-3353-4f2b-bb2b-459fecd5c648", - "target-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59" - }, - "uuid": "6175bbbe-1bc1-4562-8c5f-9e437348636a", - "value": "APT18 (G0026) uses File Deletion (T1107)" - }, - { - "meta": { - "source-uuid": "5967cc93-57c9-404a-8ffd-097edfa7bdfc", - "target-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add" - }, - "uuid": "18572125-3439-4f7c-92c8-d787913dc989", - "value": "Hi-Zor (S0087) uses Remote File Copy (T1105)" - }, - { - "meta": { - "source-uuid": "93f52415-0fe4-4d3d-896c-fc9b8e88ab90", - "target-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9" - }, - "uuid": "9ef58dda-688d-4461-b5fc-25f2ba3a9c54", - "value": "BRONZE BUTLER (G0060) uses Scheduled Task (T1053)" - }, - { - "meta": { - "source-uuid": "e1161124-f22e-487f-9d5f-ed8efc8dcd61", - "target-uuid": 
"72b74d71-8169-42aa-92e0-e7b04b9f5a08" - }, - "uuid": "a33c172b-9910-4f36-8373-32126201144b", - "value": "Mis-Type (S0084) uses Account Discovery (T1087)" - }, - { - "meta": { - "source-uuid": "7a14d974-f3d9-4e4e-9b7d-980385762908", - "target-uuid": "b2001907-166b-4d71-bb3c-9d26c871de09" - }, - "uuid": "4f2dbf3d-70f6-42d9-8894-c98d8bc70abc", - "value": "DLL Side-Loading Mitigation (T1073) mitigates DLL Side-Loading (T1073)" - }, - { - "meta": { - "source-uuid": "8c553311-0baa-4146-997a-f79acef3d831", - "target-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add" - }, - "uuid": "4bf364ad-1e9c-4860-93c0-241da4c81068", - "value": "RARSTONE (S0055) uses Remote File Copy (T1105)" - }, - { - "meta": { - "source-uuid": "0f862b01-99da-47cc-9bdb-db4a86a95bb1", - "target-uuid": "3b3cbbe0-6ed3-4334-b543-3ddfd8c5642d" - }, - "uuid": "4b5540e5-eac1-40f4-93d0-155f60e9395a", - "value": "Emissary (S0082) uses Custom Cryptographic Protocol (T1024)" - }, - { - "meta": { - "source-uuid": "4ca1929c-7d64-4aab-b849-badbfc0c760d", - "target-uuid": "51dea151-0898-4a45-967c-3ebee0420484" - }, - "uuid": "27ead6bc-2bba-49d3-bcfe-667c7654a6fc", - "value": "OilRig (G0049) uses Remote Desktop Protocol (T1076)" - }, - { - "meta": { - "source-uuid": "1a7f5bd3-f6ee-4bd7-b949-2f3632ad6158", - "target-uuid": "6fb6408c-0db3-41d9-a3a1-a32e5f16454e" - }, - "uuid": "47639246-6268-4a7e-9670-965873bdfb42", - "value": "Gatekeeper Bypass Mitigation (T1144) mitigates Gatekeeper Bypass (T1144)" - }, - { - "meta": { - "source-uuid": "b91c2f9e-c1a0-44df-95f0-9e7c9d1d5e55", - "target-uuid": "1df0326d-2fbc-4d08-a16b-48365f1e742d" - }, - "uuid": "e59e9443-740a-4e2b-a775-8ae59ceb3844", - "value": "SID-History Injection Mitigation (T1178) mitigates SID-History Injection (T1178)" - }, - { - "meta": { - "source-uuid": "93f52415-0fe4-4d3d-896c-fc9b8e88ab90", - "target-uuid": "f3c544dc-673c-4ef3-accb-53229f1ae077" - }, - "uuid": "6c053469-7bd4-4b55-90b2-289a09aa53fa", - "value": "BRONZE BUTLER (G0060) uses System Time 
Discovery (T1124)" - }, - { - "meta": { - "source-uuid": "b6b3dfc7-9a81-43ff-ac04-698bad48973a", - "target-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2" - }, - "uuid": "d2bc1c1b-987b-4a1a-b488-8199f8113697", - "value": "Daserf (S0187) uses Input Capture (T1056)" - }, - { - "meta": { - "source-uuid": "92ec0cbd-2c30-44a2-b270-73f4ec949841", - "target-uuid": "30208d3e-0d6b-43c8-883e-44462a514619" - }, - "uuid": "a83182d2-b619-4ca4-984b-21ecfe43da26", - "value": "RTM (S0148) uses Automated Collection (T1119)" - }, - { - "meta": { - "source-uuid": "ab3580c8-8435-4117-aace-3d9fbe46aa56", - "target-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2" - }, - "uuid": "ecde1551-bca2-4f45-8692-cbc583cf3d4f", - "value": "Unknown Logger (S0130) uses Input Capture (T1056)" - }, - { - "meta": { - "source-uuid": "166c0eca-02fd-424a-92c0-6b5106994d31", - "target-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6" - }, - "uuid": "fb11df98-790a-4b1c-9ca0-73224226cff3", - "value": "ZLib (S0086) uses Standard Application Layer Protocol (T1071)" - }, - { - "meta": { - "source-uuid": "e1161124-f22e-487f-9d5f-ed8efc8dcd61", - "target-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0" - }, - "uuid": "39e856a1-4bab-474e-a6b2-3ce69249bc29", - "value": "Mis-Type (S0084) uses System Network Configuration Discovery (T1016)" - }, - { - "meta": { - "source-uuid": "3753cc21-2dae-4dfb-8481-d004e74502cc", - "target-uuid": "17e919aa-4a49-445c-b103-dbb8df9e7351" - }, - "uuid": "b6eb09bc-fef4-4cf3-b337-dfe6bd87ca35", - "value": "FIN7 (G0046) uses POWERSOURCE (S0145)" - }, - { - "meta": { - "source-uuid": "2a158b0a-7ef8-43cb-9985-bf34d1e12050", - "target-uuid": "ff6caf67-ea1f-4895-b80e-4bb0fc31c6db" - }, - "uuid": "f08c1f67-485b-4ebd-81dd-e886f63025e6", - "value": "Naikon (G0019) uses PsExec (S0029)" - }, - { - "meta": { - "source-uuid": "e9595678-d269-469e-ae6b-75e49259de63", - "target-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688" - }, - "uuid": "11010986-1b4d-4158-b47d-bbff34306c98", - "value": "BADNEWS (S0128) uses 
Screen Capture (T1113)" - }, - { - "meta": { - "source-uuid": "43213480-78f7-4fb3-976f-d48f5f6a4c2a", - "target-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5" - }, - "uuid": "18324fed-7770-4768-b652-59860ac4782f", - "value": "FLASHFLOOD (S0036) uses Data from Local System (T1005)" - }, - { - "meta": { - "source-uuid": "fb366179-766c-4a4a-afa1-52bff1fd601c", - "target-uuid": "b2001907-166b-4d71-bb3c-9d26c871de09" - }, - "uuid": "2a93ea80-d0f6-4b81-887d-8911f7573245", - "value": "Threat Group-3390 (G0027) uses DLL Side-Loading (T1073)" - }, - { - "meta": { - "source-uuid": "64fa0de0-6240-41f4-8638-f4ca7ed528fd", - "target-uuid": "478aa214-2ca7-4ec0-9978-18798e514790" - }, - "uuid": "ce42140b-f801-40da-8185-105a9b1a915a", - "value": "PlugX (S0013) uses New Service (T1050)" - }, - { - "meta": { - "source-uuid": "b7b2c89c-09c1-4b71-ae7c-000ec2893aab", - "target-uuid": "478aa214-2ca7-4ec0-9978-18798e514790" - }, - "uuid": "bb1de6e6-23ce-42a8-bcd7-fd75aec24c50", - "value": "New Service Mitigation (T1050) mitigates New Service (T1050)" - }, - { - "meta": { - "source-uuid": "82cb34ba-02b5-432b-b2d2-07f55cbf674d", - "target-uuid": "7dd95ff6-712e-4056-9626-312ea4ab4c5e" - }, - "uuid": "7cf7d162-a34f-4951-a643-5bf959283f6b", - "value": "Trojan.Karagany (S0094) uses Data Staged (T1074)" - }, - { - "meta": { - "source-uuid": "4ca1929c-7d64-4aab-b849-badbfc0c760d", - "target-uuid": "f4882e23-8aa7-4b12-b28a-b349c12ee9e0" - }, - "uuid": "4fde23ab-b8db-4275-ac37-37e608cb00b0", - "value": "OilRig (G0049) uses PowerShell (T1086)" - }, - { - "meta": { - "source-uuid": "b1de6916-7a22-4460-8d26-6b5483ffaa2a", - "target-uuid": "3b744087-9945-4a6f-91e8-9dbceda417a4" - }, - "uuid": "114f98a4-6243-4a0c-a6c4-3e693a4f9b08", - "value": "SHIPSHAPE (S0028) uses Replication Through Removable Media (T1091)" - }, - { - "meta": { - "source-uuid": "e9595678-d269-469e-ae6b-75e49259de63", - "target-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5" - }, - "uuid": "11a7431f-416f-48de-a3c0-8782abdede63", - 
"value": "BADNEWS (S0128) uses Data from Local System (T1005)" - }, - { - "meta": { - "source-uuid": "93f52415-0fe4-4d3d-896c-fc9b8e88ab90", - "target-uuid": "cc7b8c4e-9be0-47ca-b0bb-83915ec3ee2f" - }, - "uuid": "545a618f-9fe4-4573-a0a0-ecfcef0b407c", - "value": "BRONZE BUTLER (G0060) uses Data Encoding (T1132)" - }, - { - "meta": { - "source-uuid": "0bbdf25b-30ff-4894-a1cd-49260d0dd2d9", - "target-uuid": "64fa0de0-6240-41f4-8638-f4ca7ed528fd" - }, - "uuid": "3427863f-d4c4-4272-ad60-1479e42ed4af", - "value": "APT3 (G0022) uses PlugX (S0013)" - }, - { - "meta": { - "source-uuid": "b35068ec-107a-4266-bda8-eb7036267aea", - "target-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0" - }, - "uuid": "92d3b6b0-7c61-452a-a9b9-c2549357bfef", - "value": "nbtstat (S0102) uses System Network Configuration Discovery (T1016)" - }, - { - "meta": { - "source-uuid": "92ec0cbd-2c30-44a2-b270-73f4ec949841", - "target-uuid": "ca1a3f50-5ebd-41f8-8320-2c7d6a6e88be" - }, - "uuid": "0d0b4507-b600-41f1-be98-03909e5d99cf", - "value": "RTM (S0148) uses Bypass User Account Control (T1088)" - }, - { - "meta": { - "source-uuid": "7a19ecb1-3c65-4de3-a230-993516aed6a6", - "target-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1" - }, - "uuid": "e2675622-ec8e-4894-9f5e-3c82944e3019", - "value": "Turla (G0010) uses System Information Discovery (T1082)" - }, - { - "meta": { - "source-uuid": "ab3580c8-8435-4117-aace-3d9fbe46aa56", - "target-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1" - }, - "uuid": "02206f22-80e9-4f87-9e4b-5c1df1eb737e", - "value": "Unknown Logger (S0130) uses System Information Discovery (T1082)" - }, - { - "meta": { - "source-uuid": "08d20cd2-f084-45ee-8558-fa6ef5a18519", - "target-uuid": "4b74a1d4-b0e9-4ef1-93f1-14ecc6e2f5b5" - }, - "uuid": "9253e8b3-9fbb-4149-a2e4-60d36c006ba6", - "value": "Downdelph (S0134) uses Standard Cryptographic Protocol (T1032)" - }, - { - "meta": { - "source-uuid": "2daa14d6-cbf3-4308-bb8e-213c324a08e4", - "target-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6" - 
}, - "uuid": "4556634c-06f7-48f9-bcaa-22d023524068", - "value": "HAMMERTOSS (S0037) uses Standard Application Layer Protocol (T1071)" - }, - { - "meta": { - "source-uuid": "0db09158-6e48-4e7c-8ce7-2b10b9c0c039", - "target-uuid": "7bc57495-ea59-4380-be31-a64af124ef18" - }, - "uuid": "1a4c94a1-6362-42b3-b1d9-41ae3fbf5ea5", - "value": "Misdat (S0083) uses File and Directory Discovery (T1083)" - }, - { - "meta": { - "source-uuid": "007b44b6-e4c5-480b-b5b9-56f2081b1b7b", - "target-uuid": "e3a12395-188d-4051-9a16-ea8e14d07b88" - }, - "uuid": "db283fff-4b13-4c79-85f0-5cdb6b76e964", - "value": "HDoor (S0061) uses Network Service Scanning (T1046)" - }, - { - "meta": { - "source-uuid": "03342581-f790-4f03-ba41-e82e67392e23", - "target-uuid": "f44731de-ea9f-406d-9b83-30ecbb9b4392" - }, - "uuid": "5fc0ca38-bb65-43ab-b8b2-6861442b25a8", - "value": "Net (S0039) uses Service Execution (T1035)" - }, - { - "meta": { - "source-uuid": "6713ab67-e25b-49cc-808d-2b36d4fbc35c", - "target-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1" - }, - "uuid": "f865403f-5b4a-4e5a-bb50-8d416ad36db4", - "value": "Ke3chang (G0004) uses System Information Discovery (T1082)" - }, - { - "meta": { - "source-uuid": "93f52415-0fe4-4d3d-896c-fc9b8e88ab90", - "target-uuid": "ca1a3f50-5ebd-41f8-8320-2c7d6a6e88be" - }, - "uuid": "4c6aea43-27ba-4e6a-8907-e5db364a145b", - "value": "BRONZE BUTLER (G0060) uses Bypass User Account Control (T1088)" - }, - { - "meta": { - "source-uuid": "222fbd21-fc4f-4b7e-9f85-0e6e3a76c33f", - "target-uuid": "ff6caf67-ea1f-4895-b80e-4bb0fc31c6db" - }, - "uuid": "f9600732-9116-4325-8073-28d81721b37a", - "value": "menuPass (G0045) uses PsExec (S0029)" - }, - { - "meta": { - "source-uuid": "247cb30b-955f-42eb-97a5-a89fef69341e", - "target-uuid": "7dbb67c7-270a-40ad-836e-c45f8948aa5a" - }, - "uuid": "5ccd4b15-ef11-4b89-b0e1-4dd714fa2fb5", - "value": "APT32 (G0050) uses KOMPROGO (S0156)" - }, - { - "meta": { - "source-uuid": "85b39628-204a-48d2-b377-ec368cbcb7ca", - "target-uuid": 
"774a3188-6ba9-4dc4-879d-d54ee48a5ce9" - }, - "uuid": "ff922dd7-21b6-4f95-bb8b-080d0dee6655", - "value": "TINYTYPHON (S0131) uses Automated Exfiltration (T1020)" - }, - { - "meta": { - "source-uuid": "e669bb87-f773-4c7b-bfcc-a9ffebfdd8d4", - "target-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d" - }, - "uuid": "b97e696f-6386-4b15-8f24-81d0abe51830", - "value": "HIDEDRV (S0135) uses Process Injection (T1055)" - }, - { - "meta": { - "source-uuid": "6713ab67-e25b-49cc-808d-2b36d4fbc35c", - "target-uuid": "72b74d71-8169-42aa-92e0-e7b04b9f5a08" - }, - "uuid": "20f863a1-f7de-4d66-a564-c4adee24fdbe", - "value": "Ke3chang (G0004) uses Account Discovery (T1087)" - }, - { - "meta": { - "source-uuid": "c93fccb1-e8e8-42cf-ae33-2ad1d183913a", - "target-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896" - }, - "uuid": "39b735d3-c659-4d1a-8e7e-082c0f049c2d", - "value": "Lazarus Group (G0032) uses Query Registry (T1012)" - }, - { - "meta": { - "source-uuid": "ff6840c9-4c87-4d07-bbb6-9f50aa33d498", - "target-uuid": "62b8c999-dcc0-4755-bd69-09442d9359f5" - }, - "uuid": "ced15447-281b-4d92-941e-b5df9747a3d5", - "value": "Flame (S0143) uses Rundll32 (T1085)" - }, - { - "meta": { - "source-uuid": "93f52415-0fe4-4d3d-896c-fc9b8e88ab90", - "target-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5" - }, - "uuid": "05e9e12f-be5e-46f4-9f42-6f7fb7e9fb4a", - "value": "BRONZE BUTLER (G0060) uses Data from Local System (T1005)" - }, - { - "meta": { - "source-uuid": "96b08451-b27a-4ff6-893f-790e26393a8e", - "target-uuid": "478aa214-2ca7-4ec0-9978-18798e514790" - }, - "uuid": "d64ba78c-a332-40be-8e2f-904f15ceffe7", - "value": "Sakula (S0074) uses New Service (T1050)" - }, - { - "meta": { - "source-uuid": "17862c7d-9e60-48a0-b48e-da4dc4c3f6b0", - "target-uuid": "7bc57495-ea59-4380-be31-a64af124ef18" - }, - "uuid": "0e89ca75-b73e-476e-b56d-1cf815fa7868", - "value": "Patchwork (G0040) uses File and Directory Discovery (T1083)" - }, - { - "meta": { - "source-uuid": "313c8b20-4d49-40c1-9ac0-4c573aca28f3", - 
"target-uuid": "514ede4c-78b3-4d78-a38b-daddf6217a79" - }, - "uuid": "cca3a63c-e00e-49d1-bf10-f2c21f3469e6", - "value": "Winlogon Helper DLL Mitigation (T1004) mitigates Winlogon Helper DLL (T1004)" - }, - { - "meta": { - "source-uuid": "e9595678-d269-469e-ae6b-75e49259de63", - "target-uuid": "1c338d0f-a65e-4073-a5c1-c06878849f21" - }, - "uuid": "a5b4d08c-963a-48fe-8f22-ba344835d00e", - "value": "BADNEWS (S0128) uses Process Hollowing (T1093)" - }, - { - "meta": { - "source-uuid": "234e7770-99b0-4f65-b983-d3230f76a60b", - "target-uuid": "c0a384a4-9a25-40e1-97b6-458388474bc8" - }, - "uuid": "3ec34d16-a4e6-4fc7-b819-5a041605aa42", - "value": "Janicab (S0163) uses Local Job Scheduling (T1168)" - }, - { - "meta": { - "source-uuid": "2fb26586-2b53-4b9a-ad4f-2b3bcb9a2421", - "target-uuid": "2e0dd10b-676d-4964-acd0-8a404c92b044" - }, - "uuid": "babaa2be-7c41-490a-bd0b-2cf140858244", - "value": "SslMM (S0058) uses Disabling Security Tools (T1089)" - }, - { - "meta": { - "source-uuid": "d7c49196-b40e-42bc-8eed-b803113692ed", - "target-uuid": "68c96494-1a50-403e-8844-69a6af278c68" - }, - "uuid": "0b0884f1-1a40-436e-9a74-8cbe9c9d6732", - "value": "Change Default File Association Mitigation (T1042) mitigates Change Default File Association (T1042)" - }, - { - "meta": { - "source-uuid": "2a7914cf-dff3-428d-ab0f-1014d1c28aeb", - "target-uuid": "72b74d71-8169-42aa-92e0-e7b04b9f5a08" - }, - "uuid": "16c7058c-8fa5-4477-8332-9e76fcb38924", - "value": "FIN6 (G0037) uses Account Discovery (T1087)" - }, - { - "meta": { - "source-uuid": "16ade1aa-0ea1-4bb7-88cc-9079df2ae756", - "target-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830" - }, - "uuid": "fb6f077c-06a2-46bb-9aef-959ef818d4aa", - "value": "admin@338 (G0018) uses Command-Line Interface (T1059)" - }, - { - "meta": { - "source-uuid": "92ec0cbd-2c30-44a2-b270-73f4ec949841", - "target-uuid": "348f1eef-964b-4eb6-bb53-69b3dcb0c643" - }, - "uuid": "45f9e4b6-a6a0-4f9f-aae9-9e8a69f5681d", - "value": "RTM (S0148) uses Peripheral Device 
Discovery (T1120)" - }, - { - "meta": { - "source-uuid": "0bbdf25b-30ff-4894-a1cd-49260d0dd2d9", - "target-uuid": "f879d51c-5476-431c-aedf-f14d207e4d1e" - }, - "uuid": "afbf5119-6e39-4e4c-8329-57f7249a67b4", - "value": "APT3 (G0022) uses Commonly Used Port (T1043)" - }, - { - "meta": { - "source-uuid": "fb366179-766c-4a4a-afa1-52bff1fd601c", - "target-uuid": "03342581-f790-4f03-ba41-e82e67392e23" - }, - "uuid": "2e45dc12-f493-42ea-829e-011ba786bef1", - "value": "Threat Group-3390 (G0027) uses Net (S0039)" - }, - { - "meta": { - "source-uuid": "2eb9b131-d333-4a48-9eb4-d8dec46c19ee", - "target-uuid": "7bc57495-ea59-4380-be31-a64af124ef18" - }, - "uuid": "62507790-a137-409e-a655-9190ff78cb52", - "value": "CosmicDuke (S0050) uses File and Directory Discovery (T1083)" - }, - { - "meta": { - "source-uuid": "4ca1929c-7d64-4aab-b849-badbfc0c760d", - "target-uuid": "72b74d71-8169-42aa-92e0-e7b04b9f5a08" - }, - "uuid": "5f5af879-c239-416b-99ec-b46e2f9926a2", - "value": "OilRig (G0049) uses Account Discovery (T1087)" - }, - { - "meta": { - "source-uuid": "aafea02e-ece5-4bb2-91a6-3bf8c7f38a39", - "target-uuid": "00d0b012-8a03-410e-95de-5826bf542de6" - }, - "uuid": "cf7cd81f-3684-469f-936b-a6098ff76dbd", - "value": "Cobalt Strike (S0154) uses Indicator Removal from Tools (T1066)" - }, - { - "meta": { - "source-uuid": "aafea02e-ece5-4bb2-91a6-3bf8c7f38a39", - "target-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830" - }, - "uuid": "a6929a8b-e9b4-4122-8dd8-4030173346c9", - "value": "Cobalt Strike (S0154) uses Command-Line Interface (T1059)" - }, - { - "meta": { - "source-uuid": "f6ae7a52-f3b6-4525-9daf-640c083f006e", - "target-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4" - }, - "uuid": "202b96f6-0f7c-4aed-8004-780f1d880059", - "value": "PHOREAL (S0158) uses Modify Registry (T1112)" - }, - { - "meta": { - "source-uuid": "ae9d818d-95d0-41da-b045-9cabea1ca164", - "target-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22" - }, - "uuid": "2e80a049-220e-4d47-98f7-c0dbfe245cdc", - "value": 
"PinchDuke (S0048) uses Credential Dumping (T1003)" - }, - { - "meta": { - "source-uuid": "fb366179-766c-4a4a-afa1-52bff1fd601c", - "target-uuid": "d54416bd-0803-41ca-870a-ce1af7c05638" - }, - "uuid": "c8c5b766-a719-43bd-988a-cb00beedbba3", - "value": "Threat Group-3390 (G0027) uses Data Encrypted (T1022)" - }, - { - "meta": { - "source-uuid": "bef4c620-0787-42a8-a96d-b7eb6e85917c", - "target-uuid": "59a97b15-8189-4d51-9404-e1ce8ea4a069" - }, - "uuid": "cfe2a359-bbab-4520-bdd7-b2d6abf742cc", - "value": "APT28 (G0007) uses XAgentOSX (S0161)" - }, - { - "meta": { - "source-uuid": "5c49bc54-9929-48ca-b581-7018219b5a97", - "target-uuid": "72b74d71-8169-42aa-92e0-e7b04b9f5a08" - }, - "uuid": "3d635b23-78b7-4de4-9417-8077787c7c0b", - "value": "Account Discovery Mitigation (T1087) mitigates Account Discovery (T1087)" - }, - { - "meta": { - "source-uuid": "083bb47b-02c8-4423-81a2-f9ef58572974", - "target-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d" - }, - "uuid": "535e3fbe-e6d9-4608-9689-f8f1f8c1ddc9", - "value": "Backdoor.Oldrea (S0093) uses Process Injection (T1055)" - }, - { - "meta": { - "source-uuid": "dcd81c6e-ebf7-4a16-93e0-9a97fa49c88a", - "target-uuid": "aafea02e-ece5-4bb2-91a6-3bf8c7f38a39" - }, - "uuid": "6dbb3a1e-5fb4-4494-950c-570616302ece", - "value": "CopyKittens (G0052) uses Cobalt Strike (S0154)" - }, - { - "meta": { - "source-uuid": "b1de6916-7a22-4460-8d26-6b5483ffaa2a", - "target-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc" - }, - "uuid": "093215eb-4edb-4c55-bb5f-b8ca2de7962c", - "value": "SHIPSHAPE (S0028) uses Registry Run Keys / Start Folder (T1060)" - }, - { - "meta": { - "source-uuid": "22addc7b-b39f-483d-979a-1b35147da5de", - "target-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6" - }, - "uuid": "9df1a5b0-f1fb-4239-abb5-67ba6e9e05f6", - "value": "WinMM (S0059) uses Standard Application Layer Protocol (T1071)" - }, - { - "meta": { - "source-uuid": "64d76fa5-cf8f-469c-b78c-1a4f7c5bad80", - "target-uuid": "322bad5a-1c49-4d23-ab79-76d641794afa" - }, - 
"uuid": "54e99ba2-143f-43be-8d7f-79de5551d1ac", - "value": "BBSRAT (S0127) uses System Service Discovery (T1007)" - }, - { - "meta": { - "source-uuid": "dcd81c6e-ebf7-4a16-93e0-9a97fa49c88a", - "target-uuid": "b9f5dbe2-4c55-4fc5-af2e-d42c1d182ec4" - }, - "uuid": "2e82ef21-9fb2-421e-bd96-73599089b448", - "value": "CopyKittens (G0052) uses Data Compressed (T1002)" - }, - { - "meta": { - "source-uuid": "57019a80-8523-46b6-be7d-f763a15a2cc6", - "target-uuid": "7fd87010-3a00-4da3-b905-410525e8ec44" - }, - "uuid": "edbef2c6-4005-4fdb-b978-9699a7b2a309", - "value": "Scripting Mitigation (T1064) mitigates Scripting (T1064)" - }, - { - "meta": { - "source-uuid": "196f1f32-e0c2-4d46-99cd-234d4b6befe1", - "target-uuid": "4b74a1d4-b0e9-4ef1-93f1-14ecc6e2f5b5" - }, - "uuid": "5cdbfaba-b4be-4cff-bdc6-c9205c44c844", - "value": "Felismus (S0171) uses Standard Cryptographic Protocol (T1032)" - }, - { - "meta": { - "source-uuid": "76abb3ef-dafd-4762-97cb-a35379429db4", - "target-uuid": "3b3cbbe0-6ed3-4334-b543-3ddfd8c5642d" - }, - "uuid": "ec30b3a9-69b4-4604-9def-db9e904df309", - "value": "Gazer (S0168) uses Custom Cryptographic Protocol (T1024)" - }, - { - "meta": { - "source-uuid": "7a19ecb1-3c65-4de3-a230-993516aed6a6", - "target-uuid": "322bad5a-1c49-4d23-ab79-76d641794afa" - }, - "uuid": "52c18ed1-91a5-4394-a4d0-f700c75bf3d9", - "value": "Turla (G0010) uses System Service Discovery (T1007)" - }, - { - "meta": { - "source-uuid": "b96680d1-5eb3-4f07-b95c-00ab904ac236", - "target-uuid": "cc7b8c4e-9be0-47ca-b0bb-83915ec3ee2f" - }, - "uuid": "4ec9a523-e27f-4984-9bde-4af785e5e75a", - "value": "Pisloader (S0124) uses Data Encoding (T1132)" - }, - { - "meta": { - "source-uuid": "95047f03-4811-4300-922e-1ba937d53a61", - "target-uuid": "3b3cbbe0-6ed3-4334-b543-3ddfd8c5642d" - }, - "uuid": "2c29e6cf-a177-4578-bf1f-fd73ae254edd", - "value": "Hikit (S0009) uses Custom Cryptographic Protocol (T1024)" - }, - { - "meta": { - "source-uuid": "bef4c620-0787-42a8-a96d-b7eb6e85917c", - 
"target-uuid": "799ace7f-e227-4411-baa0-8868704f2a69" - }, - "uuid": "4b8d211d-4969-4c0f-8b01-fd176c8172d1", - "value": "APT28 (G0007) uses Indicator Removal on Host (T1070)" - }, - { - "meta": { - "source-uuid": "6b616fc1-1505-48e3-8b2c-0d19337bff38", - "target-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2" - }, - "uuid": "f4480854-9424-49d5-8b54-f839302e3ee7", - "value": "Rover (S0090) uses Input Capture (T1056)" - }, - { - "meta": { - "source-uuid": "222fbd21-fc4f-4b7e-9f85-0e6e3a76c33f", - "target-uuid": "46944654-fcc1-4f63-9dad-628102376586" - }, - "uuid": "ffee4cd1-f193-4dbc-9f47-6fe47e1523eb", - "value": "menuPass (G0045) uses DLL Search Order Hijacking (T1038)" - }, - { - "meta": { - "source-uuid": "247cb30b-955f-42eb-97a5-a89fef69341e", - "target-uuid": "afc079f3-c0ea-4096-b75d-3f05338b7f60" - }, - "uuid": "032fb34d-3434-4667-9d5e-6bb9fd6b7d00", - "value": "APT32 (G0050) uses Mimikatz (S0002)" - }, - { - "meta": { - "source-uuid": "eff1a885-6f90-42a1-901f-eef6e7a1905e", - "target-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a" - }, - "uuid": "284d622d-8b28-4569-97a7-936edced1b18", - "value": "Helminth (S0170) uses Obfuscated Files or Information (T1027)" - }, - { - "meta": { - "source-uuid": "4ca1929c-7d64-4aab-b849-badbfc0c760d", - "target-uuid": "f72eb8a8-cd4c-461d-a814-3f862befbf00" - }, - "uuid": "07a550a2-27c1-43f5-8b30-c288441ad5b0", - "value": "OilRig (G0049) uses Custom Command and Control Protocol (T1094)" - }, - { - "meta": { - "source-uuid": "9559ecaf-2e75-48a7-aee8-9974020bc772", - "target-uuid": "ab3580c8-8435-4117-aace-3d9fbe46aa56" - }, - "uuid": "34627bc3-c857-46c4-a9e8-060a779b643e", - "value": "MONSOON (G0042) uses Unknown Logger (S0130)" - }, - { - "meta": { - "source-uuid": "247cb30b-955f-42eb-97a5-a89fef69341e", - "target-uuid": "327f3cc5-eea1-42d4-a6cd-ed34b7ce8f61" - }, - "uuid": "1d3654f8-3a5e-4ef8-826f-4242ecf78c0a", - "value": "APT32 (G0050) uses Application Deployment Software (T1017)" - }, - { - "meta": { - "source-uuid": 
"899ce53f-13a0-479b-a0e4-67d46e241542", - "target-uuid": "e6ef745b-077f-42e1-a37d-29eecff9c754" - }, - "uuid": "0585e082-8f8e-4162-b4a8-3c1cef02f7e3", - "value": "APT29 (G0016) uses CozyCar (S0046)" - }, - { - "meta": { - "source-uuid": "823fbfe9-b015-4bf3-9e67-d340c7373ca0", - "target-uuid": "ff25900d-76d5-449b-a351-8824e62fc81b" - }, - "uuid": "e81d69cf-62b8-464b-ad5b-9a9e80236801", - "value": "Trusted Developer Utilities Mitigation (T1127) mitigates Trusted Developer Utilities (T1127)" - }, - { - "meta": { - "source-uuid": "96b08451-b27a-4ff6-893f-790e26393a8e", - "target-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830" - }, - "uuid": "a3fe1f58-b507-42ea-a21e-a6ac46de9ca8", - "value": "Sakula (S0074) uses Command-Line Interface (T1059)" - }, - { - "meta": { - "source-uuid": "8f5e8dc7-739d-4f5e-a8a1-a66e004d7063", - "target-uuid": "afc079f3-c0ea-4096-b75d-3f05338b7f60" - }, - "uuid": "b08e3c96-25a7-412f-bbfb-63e010ef3891", - "value": "Cleaver (G0003) uses Mimikatz (S0002)" - }, - { - "meta": { - "source-uuid": "ff6840c9-4c87-4d07-bbb6-9f50aa33d498", - "target-uuid": "52d40641-c480-4ad5-81a3-c80ccaddf82d" - }, - "uuid": "69d05cb2-ded0-4847-b52e-af7af421f303", - "value": "Flame (S0143) uses Authentication Package (T1131)" - }, - { - "meta": { - "source-uuid": "76abb3ef-dafd-4762-97cb-a35379429db4", - "target-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add" - }, - "uuid": "8db1b5bd-8f0c-4c13-8667-c83713ce799e", - "value": "Gazer (S0168) uses Remote File Copy (T1105)" - }, - { - "meta": { - "source-uuid": "0bbdf25b-30ff-4894-a1cd-49260d0dd2d9", - "target-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580" - }, - "uuid": "daf56e8e-ea82-4ef2-bb03-78dd7e6ef3c0", - "value": "APT3 (G0022) uses Process Discovery (T1057)" - }, - { - "meta": { - "source-uuid": "17862c7d-9e60-48a0-b48e-da4dc4c3f6b0", - "target-uuid": "241814ae-de3f-4656-b49e-f9a80764d4b7" - }, - "uuid": "6a5bc2dd-2132-4af0-9b12-0e781971d96c", - "value": "Patchwork (G0040) uses Security Software Discovery (T1063)" - }, - 
{ - "meta": { - "source-uuid": "26fed817-e7bf-41f9-829a-9075ffac45c2", - "target-uuid": "7bc57495-ea59-4380-be31-a64af124ef18" - }, - "uuid": "ccb67d98-71d6-4a26-86b6-281174ca07b0", - "value": "Kasidet (S0088) uses File and Directory Discovery (T1083)" - }, - { - "meta": { - "source-uuid": "10571bf2-8073-4edf-a71c-23bad225532e", - "target-uuid": "317fefa6-46c7-4062-adb6-2008cf6bcb41" - }, - "uuid": "8b439661-99e2-4410-b043-082155793155", - "value": "AppInit DLLs Mitigation (T1103) mitigates AppInit DLLs (T1103)" - }, - { - "meta": { - "source-uuid": "46b7ef91-4e1d-43c5-a2eb-00fa9444f6f4", - "target-uuid": "3257eb21-f9a7-4430-8de1-d8b6e288f529" - }, - "uuid": "c1600f3f-6c21-4c5b-82fe-a4514785f6bb", - "value": "Network Sniffing Mitigation (T1040) mitigates Network Sniffing (T1040)" - }, - { - "meta": { - "source-uuid": "dc5d1a33-62aa-4a0c-aa8c-589b87beb11e", - "target-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6" - }, - "uuid": "03c9b56e-f006-43b2-ac98-bcbe0c05e979", - "value": "ChChes (S0144) uses Standard Application Layer Protocol (T1071)" - }, - { - "meta": { - "source-uuid": "92ec0cbd-2c30-44a2-b270-73f4ec949841", - "target-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add" - }, - "uuid": "c839344c-a96d-412f-bded-5ac7c8fd446a", - "value": "RTM (S0148) uses Remote File Copy (T1105)" - }, - { - "meta": { - "source-uuid": "7ee0879d-ce4f-4f54-a96b-c532dfb98ffd", - "target-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5" - }, - "uuid": "1b4cd403-8e3a-43da-bc25-a7e8d707794b", - "value": "Data from Local System Mitigation (T1005) mitigates Data from Local System (T1005)" - }, - { - "meta": { - "source-uuid": "e1161124-f22e-487f-9d5f-ed8efc8dcd61", - "target-uuid": "c21d5a77-d422-4a69-acd7-2c53c1faa34b" - }, - "uuid": "cef7d272-ee0c-4379-9d7b-63adf1f40252", - "value": "Mis-Type (S0084) uses Standard Non-Application Layer Protocol (T1095)" - }, - { - "meta": { - "source-uuid": "17e919aa-4a49-445c-b103-dbb8df9e7351", - "target-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6" - }, - 
"uuid": "c560f682-0d21-4c9b-b35d-33aec2287117", - "value": "POWERSOURCE (S0145) uses Standard Application Layer Protocol (T1071)" - }, - { - "meta": { - "source-uuid": "30489451-5886-4c46-90c9-0dff9adc5252", - "target-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0" - }, - "uuid": "d4fd461f-fc58-4060-aed4-cebe64f249b9", - "value": "Arp (S0099) uses System Network Configuration Discovery (T1016)" - }, - { - "meta": { - "source-uuid": "5e7ef1dc-7fb6-4913-ac75-e06113b59e0c", - "target-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6" - }, - "uuid": "d9e8d70a-06f6-4873-baf8-29ebfaf6bf99", - "value": "MiniDuke (S0051) uses Standard Application Layer Protocol (T1071)" - }, - { - "meta": { - "source-uuid": "03342581-f790-4f03-ba41-e82e67392e23", - "target-uuid": "322bad5a-1c49-4d23-ab79-76d641794afa" - }, - "uuid": "1d36c3e8-238f-46c6-9b20-9fb4cb5c75ba", - "value": "Net (S0039) uses System Service Discovery (T1007)" - }, - { - "meta": { - "source-uuid": "0db09158-6e48-4e7c-8ce7-2b10b9c0c039", - "target-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1" - }, - "uuid": "87e080cf-b8c0-4679-bcfb-ff77ab7698f3", - "value": "Misdat (S0083) uses System Information Discovery (T1082)" - }, - { - "meta": { - "source-uuid": "66b1dcde-17a0-4c7b-95fa-b08d430c2131", - "target-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc" - }, - "uuid": "d067b113-4584-419f-860b-d3184f734350", - "value": "S-Type (S0085) uses Registry Run Keys / Start Folder (T1060)" - }, - { - "meta": { - "source-uuid": "94927849-03e3-4a07-8f4c-9ee21b626719", - "target-uuid": "2ba5aa71-9d15-4b22-b726-56af06d9ad2f" - }, - "uuid": "56086ed3-641e-4fd5-b26e-1ca9479c2081", - "value": "Startup Items Mitigation (T1165) mitigates Startup Items (T1165)" - }, - { - "meta": { - "source-uuid": "7a19ecb1-3c65-4de3-a230-993516aed6a6", - "target-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896" - }, - "uuid": "519c4c7f-8495-4b8a-b58e-551a78e469cc", - "value": "Turla (G0010) uses Query Registry (T1012)" - }, - { - "meta": { - "source-uuid": 
"4ca1929c-7d64-4aab-b849-badbfc0c760d", - "target-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0" - }, - "uuid": "e0301b36-c339-49c5-b257-9ece19152922", - "value": "OilRig (G0049) uses System Network Configuration Discovery (T1016)" - }, - { - "meta": { - "source-uuid": "a0cb9370-e39b-44d5-9f50-ef78e412b973", - "target-uuid": "ad255bfe-a9e6-4b52-a258-8d3462abe842" - }, - "uuid": "f837cc68-8715-4301-ae15-bf89c8b1f7ee", - "value": "Axiom (G0001) uses Data Obfuscation (T1001)" - }, - { - "meta": { - "source-uuid": "17b40f60-729f-4fe8-8aea-cc9ee44a95d5", - "target-uuid": "f879d51c-5476-431c-aedf-f14d207e4d1e" - }, - "uuid": "388b4637-f634-42ab-a370-981be7da89bd", - "value": "RedLeaves (S0153) uses Commonly Used Port (T1043)" - }, - { - "meta": { - "source-uuid": "f9d6633a-55e6-4adc-9263-6ae080421a13", - "target-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59" - }, - "uuid": "7f17927d-b371-42c4-bd68-0c5c57e3edab", - "value": "Magic Hound (G0059) uses File Deletion (T1107)" - }, - { - "meta": { - "source-uuid": "7c39ebbf-244e-4d1c-b0ac-b282453ece43", - "target-uuid": "1c338d0f-a65e-4073-a5c1-c06878849f21" - }, - "uuid": "13f5fad8-1b6f-4b65-9803-155f93b5d357", - "value": "Process Hollowing Mitigation (T1093) mitigates Process Hollowing (T1093)" - }, - { - "meta": { - "source-uuid": "1f34230d-b6ae-4dc7-8599-78c18820bd21", - "target-uuid": "3489cfc5-640f-4bb3-a103-9137b97de79f" - }, - "uuid": "fb1a7bbd-9dec-4038-9935-1647378f739f", - "value": "Network Share Discovery Mitigation (T1135) mitigates Network Share Discovery (T1135)" - }, - { - "meta": { - "source-uuid": "2fb26586-2b53-4b9a-ad4f-2b3bcb9a2421", - "target-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0" - }, - "uuid": "c5cf4822-a0bf-442a-9943-1937ac45520b", - "value": "SslMM (S0058) uses Masquerading (T1036)" - }, - { - "meta": { - "source-uuid": "1022138b-497c-40e6-b53a-13351cbd4090", - "target-uuid": "0ca7beef-9bbc-4e35-97cf-437384ddce6a" - }, - "uuid": "c7047518-c63f-41b5-a803-1ed54066a62e", - "value": "File System 
Permissions Weakness Mitigation (T1044) mitigates File System Permissions Weakness (T1044)" - }, - { - "meta": { - "source-uuid": "222fbd21-fc4f-4b7e-9f85-0e6e3a76c33f", - "target-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add" - }, - "uuid": "2cc93cb7-fbe6-4c79-b619-a2eb877de1cf", - "value": "menuPass (G0045) uses Remote File Copy (T1105)" - }, - { - "meta": { - "source-uuid": "fbb470da-1d44-4f29-bbb3-9efbe20f94a3", - "target-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830" - }, - "uuid": "f8a90328-b7ee-474a-9773-f5bf501defd3", - "value": "Mivast (S0080) uses Command-Line Interface (T1059)" - }, - { - "meta": { - "source-uuid": "899ce53f-13a0-479b-a0e4-67d46e241542", - "target-uuid": "7fd87010-3a00-4da3-b905-410525e8ec44" - }, - "uuid": "00ce7309-114c-45a1-b905-f7a973cb3837", - "value": "APT29 (G0016) uses Scripting (T1064)" - }, - { - "meta": { - "source-uuid": "c93fccb1-e8e8-42cf-ae33-2ad1d183913a", - "target-uuid": "a10641f4-87b4-45a3-a906-92a149cb2c27" - }, - "uuid": "2325c0b2-fb89-44e1-9206-e495811f2907", - "value": "Lazarus Group (G0032) uses Account Manipulation (T1098)" - }, - { - "meta": { - "source-uuid": "6a2e693f-24e5-451a-9f88-b36a108e5662", - "target-uuid": "b9f5dbe2-4c55-4fc5-af2e-d42c1d182ec4" - }, - "uuid": "43c34939-8236-4ddd-8def-0eb7b5fe62cf", - "value": "APT1 (G0006) uses Data Compressed (T1002)" - }, - { - "meta": { - "source-uuid": "899ce53f-13a0-479b-a0e4-67d46e241542", - "target-uuid": "9b99b83a-1aac-4e29-b975-b374950551a3" - }, - "uuid": "e65112dc-8a58-486f-9f3b-5a84925a3e53", - "value": "APT29 (G0016) uses Accessibility Features (T1015)" - }, - { - "meta": { - "source-uuid": "0b32ec39-ba61-4864-9ebe-b4b0b73caf9a", - "target-uuid": "128c55d3-aeba-469f-bd3e-c8996ab4112a" - }, - "uuid": "d2fa2382-dcfc-4cff-969b-2b5ec12dc406", - "value": "TDTESS (S0164) uses Timestomp (T1099)" - }, - { - "meta": { - "source-uuid": "c47f937f-1022-4f42-8525-e7a4779a14cb", - "target-uuid": "8beac7c2-48d2-4cd9-9b15-6c452f38ac06" - }, - "uuid": 
"762f85a3-0120-4b09-aafd-3f460764e85f", - "value": "APT12 (G0005) uses Ixeshe (S0015)" - }, - { - "meta": { - "source-uuid": "91000a8a-58cc-4aba-9ad0-993ad6302b86", - "target-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4" - }, - "uuid": "69bff194-c90e-4e30-a369-57da4cff014d", - "value": "StreamEx (S0142) uses Modify Registry (T1112)" - }, - { - "meta": { - "source-uuid": "17b40f60-729f-4fe8-8aea-cc9ee44a95d5", - "target-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc" - }, - "uuid": "ed2f811d-3258-4489-abe1-57dac4bdbbf8", - "value": "RedLeaves (S0153) uses Registry Run Keys / Start Folder (T1060)" - }, - { - "meta": { - "source-uuid": "0f862b01-99da-47cc-9bdb-db4a86a95bb1", - "target-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1" - }, - "uuid": "4a959425-4d43-4969-9a47-768894a3afaa", - "value": "Emissary (S0082) uses System Information Discovery (T1082)" - }, - { - "meta": { - "source-uuid": "65341f30-bec6-4b1d-8abf-1a5620446c29", - "target-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1" - }, - "uuid": "edbd751e-29ad-419f-a3ff-9d210453351d", - "value": "Reaver (S0172) uses System Information Discovery (T1082)" - }, - { - "meta": { - "source-uuid": "7343e208-7cab-45f2-a47b-41ba5e2f0fab", - "target-uuid": "ba8e391f-14b5-496f-81f2-2d5ecd646c1c" - }, - "uuid": "044ad6d3-9389-4764-9b96-ad53dc98840d", - "value": "XTunnel (S0117) uses Credentials in Files (T1081)" - }, - { - "meta": { - "source-uuid": "a5528622-3a8a-4633-86ce-8cdaf8423858", - "target-uuid": "66f73398-8394-4711-85e5-34c8540b22a5" - }, - "uuid": "3b4f48d3-eb5d-4d7e-9f0b-86f68951207d", - "value": "FinFisher (S0182) uses Hooking (T1179)" - }, - { - "meta": { - "source-uuid": "addb3703-5a59-4461-9bcd-7e2b5d4e92a0", - "target-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6" - }, - "uuid": "2a0b74b3-cbc3-45fa-aba4-eabdb0cb89b5", - "value": "Standard Application Layer Protocol Mitigation (T1071) mitigates Standard Application Layer Protocol (T1071)" - }, - { - "meta": { - "source-uuid": 
"463f68f1-5cde-4dc2-a831-68b73488f8f4", - "target-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5" - }, - "uuid": "5d55979e-d4e8-44eb-97d6-e3e78baa60c7", - "value": "MobileOrder (S0079) uses Data from Local System (T1005)" - }, - { - "meta": { - "source-uuid": "247cb30b-955f-42eb-97a5-a89fef69341e", - "target-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6" - }, - "uuid": "79057890-3cd0-4124-8b35-b86db6b4f9d7", - "value": "APT32 (G0050) uses Standard Application Layer Protocol (T1071)" - }, - { - "meta": { - "source-uuid": "17b40f60-729f-4fe8-8aea-cc9ee44a95d5", - "target-uuid": "7e150503-88e7-4861-866b-ff1ac82c4475" - }, - "uuid": "ed45fb1c-048a-4378-8c15-6f6ea0c72d7a", - "value": "RedLeaves (S0153) uses System Network Connections Discovery (T1049)" - }, - { - "meta": { - "source-uuid": "6713ab67-e25b-49cc-808d-2b36d4fbc35c", - "target-uuid": "4664b683-f578-434f-919b-1c1aad2a1111" - }, - "uuid": "325ccde0-2d5a-4306-9c4e-e1a554ee0d87", - "value": "Ke3chang (G0004) uses netstat (S0104)" - }, - { - "meta": { - "source-uuid": "2a6f4c7b-e690-4cc7-ab6b-1f821fb6b80b", - "target-uuid": "f879d51c-5476-431c-aedf-f14d207e4d1e" - }, - "uuid": "f19f6e41-14b2-44a1-940f-6a6f2cfab6be", - "value": "LOWBALL (S0042) uses Commonly Used Port (T1043)" - }, - { - "meta": { - "source-uuid": "8901ac23-6b50-410c-b0dd-d8174a86f9b3", - "target-uuid": "e358d692-23c0-4a31-9eb6-ecc13a8d7735" - }, - "uuid": "e1f4c08f-b5b1-4d62-8f1c-75f4302b0bce", - "value": "Shamoon (S0140) uses Remote System Discovery (T1018)" - }, - { - "meta": { - "source-uuid": "17b40f60-729f-4fe8-8aea-cc9ee44a95d5", - "target-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830" - }, - "uuid": "9194756f-c455-427b-9fb0-4887c7bf3bf3", - "value": "RedLeaves (S0153) uses Command-Line Interface (T1059)" - }, - { - "meta": { - "source-uuid": "03342581-f790-4f03-ba41-e82e67392e23", - "target-uuid": "72b74d71-8169-42aa-92e0-e7b04b9f5a08" - }, - "uuid": "15f74597-d92d-406f-9941-c0dfef3cb609", - "value": "Net (S0039) uses Account Discovery 
(T1087)" - }, - { - "meta": { - "source-uuid": "5f9f7648-04ba-4a9f-bb4c-2a13e74572bd", - "target-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9" - }, - "uuid": "dbacc7d5-5d10-4b41-994d-51e0792cfb19", - "value": "Pteranodon (S0147) uses Scheduled Task (T1053)" - }, - { - "meta": { - "source-uuid": "aafea02e-ece5-4bb2-91a6-3bf8c7f38a39", - "target-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81" - }, - "uuid": "26af1f3f-806e-45bd-860a-2eead8af7d3e", - "value": "Cobalt Strike (S0154) uses Valid Accounts (T1078)" - }, - { - "meta": { - "source-uuid": "69d6f4a9-fcf0-4f51-bca7-597c51ad0bb8", - "target-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0" - }, - "uuid": "bd5b4264-1f10-4cd5-b7b0-a6a8b9dad7c3", - "value": "Remsec (S0125) uses System Network Configuration Discovery (T1016)" - }, - { - "meta": { - "source-uuid": "09b2cd76-c674-47cc-9f57-d2f2ad150a46", - "target-uuid": "241814ae-de3f-4656-b49e-f9a80764d4b7" - }, - "uuid": "52781f1e-4b91-4ff2-8f48-89e15bc40d42", - "value": "POWRUNER (S0184) uses Security Software Discovery (T1063)" - }, - { - "meta": { - "source-uuid": "a0cb9370-e39b-44d5-9f50-ef78e412b973", - "target-uuid": "94379dec-5c87-49db-b36e-66abc0b81344" - }, - "uuid": "e4c7c4b7-fe19-4433-acd9-ec94f436f381", - "value": "Axiom (G0001) uses Derusbi (S0021)" - }, - { - "meta": { - "source-uuid": "6b616fc1-1505-48e3-8b2c-0d19337bff38", - "target-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5" - }, - "uuid": "7c792d18-25a3-4d85-be44-93523228748c", - "value": "Rover (S0090) uses Data from Local System (T1005)" - }, - { - "meta": { - "source-uuid": "247cb30b-955f-42eb-97a5-a89fef69341e", - "target-uuid": "98e8a977-3416-43aa-87fa-33e287e9c14c" - }, - "uuid": "d9c29485-ced4-4ebc-880c-31d35dd54b26", - "value": "APT32 (G0050) uses WINDSHIELD (S0155)" - }, - { - "meta": { - "source-uuid": "222fbd21-fc4f-4b7e-9f85-0e6e3a76c33f", - "target-uuid": "64fa0de0-6240-41f4-8638-f4ca7ed528fd" - }, - "uuid": "68487d82-458b-4f45-b1c8-c6e4affaa226", - "value": "menuPass (G0045) uses PlugX 
(S0013)" - }, - { - "meta": { - "source-uuid": "b6b3dfc7-9a81-43ff-ac04-698bad48973a", - "target-uuid": "ad255bfe-a9e6-4b52-a258-8d3462abe842" - }, - "uuid": "a566127b-1d88-4b38-84dd-4686e2837399", - "value": "Daserf (S0187) uses Data Obfuscation (T1001)" - }, - { - "meta": { - "source-uuid": "95047f03-4811-4300-922e-1ba937d53a61", - "target-uuid": "731f4f55-b6d0-41d1-a7a9-072a66389aea" - }, - "uuid": "d7c40b1d-efe6-4869-9754-6494d45f51f1", - "value": "Hikit (S0009) uses Connection Proxy (T1090)" - }, - { - "meta": { - "source-uuid": "d69c8146-ab35-4d50-8382-6fc80e641d43", - "target-uuid": "7bc57495-ea59-4380-be31-a64af124ef18" - }, - "uuid": "007cc21a-685a-4701-99c1-20f258cedc7c", - "value": "BLACKCOFFEE (S0069) uses File and Directory Discovery (T1083)" - }, - { - "meta": { - "source-uuid": "88c621a7-aef9-4ae0-94e3-1fc87123eb24", - "target-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2" - }, - "uuid": "becf0a5e-4636-4d2f-bd4a-fd60b15ee74a", - "value": "gh0st (S0032) uses Input Capture (T1056)" - }, - { - "meta": { - "source-uuid": "00c3bfcb-99bd-4767-8c03-b08f585f5c8a", - "target-uuid": "f879d51c-5476-431c-aedf-f14d207e4d1e" - }, - "uuid": "a72ad83f-8336-4d01-b22d-5c836f5e5bf9", - "value": "PowerDuke (S0139) uses Commonly Used Port (T1043)" - }, - { - "meta": { - "source-uuid": "69d6f4a9-fcf0-4f51-bca7-597c51ad0bb8", - "target-uuid": "e3a12395-188d-4051-9a16-ea8e14d07b88" - }, - "uuid": "e6b68811-113e-4f86-8096-9f506e34dda1", - "value": "Remsec (S0125) uses Network Service Scanning (T1046)" - }, - { - "meta": { - "source-uuid": "ccd61dfc-b03f-4689-8c18-7c97eab08472", - "target-uuid": "731f4f55-b6d0-41d1-a7a9-072a66389aea" - }, - "uuid": "252c0e02-0da6-4812-b147-81d9cfb3c998", - "value": "CHOPSTICK (S0023) uses Connection Proxy (T1090)" - }, - { - "meta": { - "source-uuid": "66b1dcde-17a0-4c7b-95fa-b08d430c2131", - "target-uuid": "970cdb5c-02fb-4c38-b17e-d6327cf3c810" - }, - "uuid": "907df22e-fdfe-4b93-8b18-ebf66f83868c", - "value": "S-Type (S0085) uses Shortcut 
Modification (T1023)" - }, - { - "meta": { - "source-uuid": "68ba94ab-78b8-43e7-83e2-aed3466882c6", - "target-uuid": "7fd87010-3a00-4da3-b905-410525e8ec44" - }, - "uuid": "a39bc982-3934-4ec7-ba33-0de9331d55f5", - "value": "APT34 (G0057) uses Scripting (T1064)" - }, - { - "meta": { - "source-uuid": "7a19ecb1-3c65-4de3-a230-993516aed6a6", - "target-uuid": "76abb3ef-dafd-4762-97cb-a35379429db4" - }, - "uuid": "773e99eb-0739-42d3-afaa-aff65e86329d", - "value": "Turla (G0010) uses Gazer (S0168)" - }, - { - "meta": { - "source-uuid": "0bbdf25b-30ff-4894-a1cd-49260d0dd2d9", - "target-uuid": "92d7da27-2d91-488e-a00c-059dc162766d" - }, - "uuid": "68edf451-bda3-4159-9715-dbcfda8eb8e2", - "value": "APT3 (G0022) uses Exfiltration Over Command and Control Channel (T1041)" - }, - { - "meta": { - "source-uuid": "95ddb356-7ba0-4bd9-a889-247262b8946f", - "target-uuid": "0f20e3cb-245b-4a61-8a91-2d93f7cb0e9b" - }, - "uuid": "1e91cd45-a725-4965-abe3-700694374432", - "value": "Rootkit Mitigation (T1014) mitigates Rootkit (T1014)" - }, - { - "meta": { - "source-uuid": "26fed817-e7bf-41f9-829a-9075ffac45c2", - "target-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580" - }, - "uuid": "4d90fd9d-9f9b-45f8-986d-3db43b679905", - "value": "Kasidet (S0088) uses Process Discovery (T1057)" - }, - { - "meta": { - "source-uuid": "df71bb3b-813c-45eb-a8bc-f2a419837411", - "target-uuid": "b42378e0-f147-496f-992a-26a49705395b" - }, - "uuid": "fad44d26-02a8-4cdc-b566-5e24f32a93b3", - "value": "Molerats (G0021) uses PoisonIvy (S0012)" - }, - { - "meta": { - "source-uuid": "8901ac23-6b50-410c-b0dd-d8174a86f9b3", - "target-uuid": "f879d51c-5476-431c-aedf-f14d207e4d1e" - }, - "uuid": "5bb39b9d-3651-4cdf-80b1-9d88b2062258", - "value": "Shamoon (S0140) uses Commonly Used Port (T1043)" - }, - { - "meta": { - "source-uuid": "c93fccb1-e8e8-42cf-ae33-2ad1d183913a", - "target-uuid": "dcaa092b-7de9-4a21-977f-7fcb77e89c48" - }, - "uuid": "1a40426a-355c-4d7e-b51c-e95a102b31e2", - "value": "Lazarus Group (G0032) uses 
Access Token Manipulation (T1134)" - }, - { - "meta": { - "source-uuid": "d1acfbb3-647b-4723-9154-800ec119006e", - "target-uuid": "96566860-9f11-4b6f-964d-1c924e4f24a4" - }, - "uuid": "64aab090-e7c2-4114-8c15-49700b611fb8", - "value": "Sowbug (G0054) uses Starloader (S0188)" - }, - { - "meta": { - "source-uuid": "fb575479-14ef-41e9-bfab-0b7cf10bec73", - "target-uuid": "92d7da27-2d91-488e-a00c-059dc162766d" - }, - "uuid": "d8abe157-f6cd-4959-b9d5-e0c87d16bcfe", - "value": "ADVSTORESHELL (S0045) uses Exfiltration Over Command and Control Channel (T1041)" - }, - { - "meta": { - "source-uuid": "c0c45d38-fe57-4cd4-b2b2-9ecd0ddd4ca9", - "target-uuid": "30973a08-aed9-4edf-8604-9084ce1b5c4f" - }, - "uuid": "35ca6c35-f1e9-49b7-a8c9-a67951c57ea0", - "value": "TinyZBot (S0004) uses Clipboard Data (T1115)" - }, - { - "meta": { - "source-uuid": "09b2cd76-c674-47cc-9f57-d2f2ad150a46", - "target-uuid": "ad255bfe-a9e6-4b52-a258-8d3462abe842" - }, - "uuid": "129cacdc-8acb-4209-a77c-a6a7e0820a97", - "value": "POWRUNER (S0184) uses Data Obfuscation (T1001)" - }, - { - "meta": { - "source-uuid": "69d6f4a9-fcf0-4f51-bca7-597c51ad0bb8", - "target-uuid": "4b74a1d4-b0e9-4ef1-93f1-14ecc6e2f5b5" - }, - "uuid": "1fe4be95-b162-4fc7-a3c9-4277547ea722", - "value": "Remsec (S0125) uses Standard Cryptographic Protocol (T1032)" - }, - { - "meta": { - "source-uuid": "6a2e693f-24e5-451a-9f88-b36a108e5662", - "target-uuid": "c9cd7ec9-40b7-49db-80be-1399eddd9c52" - }, - "uuid": "1d5e0da2-7741-4a31-9c54-cbbe584fe27b", - "value": "APT1 (G0006) uses Cachedump (S0119)" - }, - { - "meta": { - "source-uuid": "7551188b-8f91-4d34-8350-0d0c57b2b913", - "target-uuid": "322bad5a-1c49-4d23-ab79-76d641794afa" - }, - "uuid": "2a7d01e9-9c42-4d17-947a-629ca7a9d515", - "value": "Elise (S0081) uses System Service Discovery (T1007)" - }, - { - "meta": { - "source-uuid": "fe98767f-9df8-42b9-83c9-004b1dec8647", - "target-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81" - }, - "uuid": "93b12e1a-7f21-4fa0-9b2a-c96c7c270625", - 
"value": "PittyTiger (G0011) uses Valid Accounts (T1078)" - }, - { - "meta": { - "source-uuid": "7a19ecb1-3c65-4de3-a230-993516aed6a6", - "target-uuid": "6b62e336-176f-417b-856a-8552dd8c44e1" - }, - "uuid": "e02d1cb4-1bb7-49b5-a918-5e0d194974aa", - "value": "Turla (G0010) uses Epic (S0091)" - }, - { - "meta": { - "source-uuid": "cba5667e-e3c6-44a4-811c-266dbc00e440", - "target-uuid": "52f3d5a6-8a0f-4f82-977e-750abf90d0b0" - }, - "uuid": "f6483534-196c-4540-a456-985594171cd8", - "value": "Extra Window Memory Injection Mitigation (T1181) mitigates Extra Window Memory Injection (T1181)" - }, - { - "meta": { - "source-uuid": "5cbe0d3b-6fb1-471f-b591-4b192915116d", - "target-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830" - }, - "uuid": "13a8be40-1190-4553-b026-58c5088c322a", - "value": "Suckfly (G0039) uses Command-Line Interface (T1059)" - }, - { - "meta": { - "source-uuid": "68dca94f-c11d-421e-9287-7c501108e18c", - "target-uuid": "4b74a1d4-b0e9-4ef1-93f1-14ecc6e2f5b5" - }, - "uuid": "7cb48d6d-1171-4e9d-87c7-4779293f6921", - "value": "Duqu (S0038) uses Standard Cryptographic Protocol (T1032)" - }, - { - "meta": { - "source-uuid": "9559ecaf-2e75-48a7-aee8-9974020bc772", - "target-uuid": "f5352566-1a64-49ac-8f7f-97e1d1a03300" - }, - "uuid": "ded85906-e996-45cd-ae64-82adc22397e3", - "value": "MONSOON (G0042) uses AutoIt backdoor (S0129)" - }, - { - "meta": { - "source-uuid": "d69c8146-ab35-4d50-8382-6fc80e641d43", - "target-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580" - }, - "uuid": "5a77e097-3aed-4bd3-b5fc-997746da62ad", - "value": "BLACKCOFFEE (S0069) uses Process Discovery (T1057)" - }, - { - "meta": { - "source-uuid": "56648de3-8947-4559-90c4-eda10acc0f5a", - "target-uuid": "9e09ddb2-1746-4448-9cad-7f8b41777d6d" - }, - "uuid": "dce95526-cb24-4d3e-9b3b-de704e0730e4", - "value": "Keychain Mitigation (T1142) mitigates Keychain (T1142)" - }, - { - "meta": { - "source-uuid": "8901ac23-6b50-410c-b0dd-d8174a86f9b3", - "target-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6" - 
}, - "uuid": "ed94edc7-e687-409e-9143-20a15190bd83", - "value": "Shamoon (S0140) uses Standard Application Layer Protocol (T1071)" - }, - { - "meta": { - "source-uuid": "bef4c620-0787-42a8-a96d-b7eb6e85917c", - "target-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2" - }, - "uuid": "2d450e2f-25c9-49af-b83f-6c91029ed28a", - "value": "APT28 (G0007) uses Input Capture (T1056)" - }, - { - "meta": { - "source-uuid": "4ca1929c-7d64-4aab-b849-badbfc0c760d", - "target-uuid": "2e45723a-31da-4a7e-aaa6-e01998a6788f" - }, - "uuid": "3beb0c09-e584-4fd8-92bb-d7a1ae9192e6", - "value": "OilRig (G0049) uses Tasklist (S0057)" - }, - { - "meta": { - "source-uuid": "d01f473f-3cdc-4867-9e55-1de9cf1986f0", - "target-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c" - }, - "uuid": "8104dfee-8883-4f7c-8f7d-84c9b409efc3", - "value": "Deobfuscate/Decode Files or Information Mitigation (T1140) mitigates Deobfuscate/Decode Files or Information (T1140)" - }, - { - "meta": { - "source-uuid": "a60657fa-e2e7-4f8f-8128-a882534ae8c5", - "target-uuid": "c16e5409-ee53-4d79-afdc-4099dc9292df" - }, - "uuid": "0dee5507-6e61-4244-86a8-c7e8a34469da", - "value": "OwaAuth (S0072) uses Web Shell (T1100)" - }, - { - "meta": { - "source-uuid": "c93fccb1-e8e8-42cf-ae33-2ad1d183913a", - "target-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5" - }, - "uuid": "3fe9b64a-6435-4592-9181-2ad50ee93044", - "value": "Lazarus Group (G0032) uses Data from Local System (T1005)" - }, - { - "meta": { - "source-uuid": "a653431d-6a5e-4600-8ad3-609b5af57064", - "target-uuid": "9b99b83a-1aac-4e29-b975-b374950551a3" - }, - "uuid": "ab069468-3dff-4c77-9293-adb0b2627a4e", - "value": "Deep Panda (G0009) uses Accessibility Features (T1015)" - }, - { - "meta": { - "source-uuid": "4fa49fc0-9162-4bdb-a37e-7aa3dcb6d38b", - "target-uuid": "f44731de-ea9f-406d-9b83-30ecbb9b4392" - }, - "uuid": "3f416bd3-a06f-4ec2-8cf6-4a84e0611c63", - "value": "xCmd (S0123) uses Service Execution (T1035)" - }, - { - "meta": { - "source-uuid": 
"64fa0de0-6240-41f4-8638-f4ca7ed528fd", - "target-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830" - }, - "uuid": "79106ad4-28d3-4f67-a2c3-116d138ec84a", - "value": "PlugX (S0013) uses Command-Line Interface (T1059)" - }, - { - "meta": { - "source-uuid": "17dec760-9c8f-4f1b-9b4b-0ac47a453234", - "target-uuid": "246fd3c7-f5e3-466d-8787-4c13d9e3b61c" - }, - "uuid": "e0d33a40-a0d1-49fe-bea1-d0e4f000f628", - "value": "Miner-C (S0133) uses Taint Shared Content (T1080)" - }, - { - "meta": { - "source-uuid": "083bb47b-02c8-4423-81a2-f9ef58572974", - "target-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59" - }, - "uuid": "1d54c1d7-529f-4e4f-9a38-55b1b8cbff66", - "value": "Backdoor.Oldrea (S0093) uses File Deletion (T1107)" - }, - { - "meta": { - "source-uuid": "6cac62ce-550b-4793-8ee6-6a1b8836edb0", - "target-uuid": "799ace7f-e227-4411-baa0-8868704f2a69" - }, - "uuid": "dd21c8fe-caf8-40df-b049-787ba465eef7", - "value": "Indicator Removal on Host Mitigation (T1070) mitigates Indicator Removal on Host (T1070)" - }, - { - "meta": { - "source-uuid": "c5574ca0-d5a4-490a-b207-e4658e5fd1d7", - "target-uuid": "463f68f1-5cde-4dc2-a831-68b73488f8f4" - }, - "uuid": "9155d072-d94b-4a63-b089-26781aff5275", - "value": "Scarlet Mimic (G0029) uses MobileOrder (S0079)" - }, - { - "meta": { - "source-uuid": "fb366179-766c-4a4a-afa1-52bff1fd601c", - "target-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59" - }, - "uuid": "e8193b28-b28a-4ab7-8390-8a5bd4d851b5", - "value": "Threat Group-3390 (G0027) uses File Deletion (T1107)" - }, - { - "meta": { - "source-uuid": "64d76fa5-cf8f-469c-b78c-1a4f7c5bad80", - "target-uuid": "62dfd1ca-52d5-483c-a84b-d6e80bf94b7b" - }, - "uuid": "96077086-d811-47a1-a805-decbf6f249b7", - "value": "BBSRAT (S0127) uses Modify Existing Service (T1031)" - }, - { - "meta": { - "source-uuid": "3753cc21-2dae-4dfb-8481-d004e74502cc", - "target-uuid": "7c93aa74-4bc0-4a9e-90ea-f25f86301566" - }, - "uuid": "506acc8a-e691-4f4e-b69f-bfab84cf2c73", - "value": "FIN7 (G0046) uses Application 
Shimming (T1138)" - }, - { - "meta": { - "source-uuid": "9ea525fa-b0a9-4dde-84f2-bcea0137b3c1", - "target-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104" - }, - "uuid": "818a401d-dd4d-426a-b89c-d33625380b8b", - "value": "MoonWind (S0149) uses System Owner/User Discovery (T1033)" - }, - { - "meta": { - "source-uuid": "a60657fa-e2e7-4f8f-8128-a882534ae8c5", - "target-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6" - }, - "uuid": "d53d1e84-f4de-4e6a-bc84-5edfce84b055", - "value": "OwaAuth (S0072) uses Standard Application Layer Protocol (T1071)" - }, - { - "meta": { - "source-uuid": "eff1a885-6f90-42a1-901f-eef6e7a1905e", - "target-uuid": "15dbf668-795c-41e6-8219-f0447c0e64ce" - }, - "uuid": "b3981ca6-7ef0-4625-99a8-9cbec731bac9", - "value": "Helminth (S0170) uses Permission Groups Discovery (T1069)" - }, - { - "meta": { - "source-uuid": "93f52415-0fe4-4d3d-896c-fc9b8e88ab90", - "target-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22" - }, - "uuid": "8f897f1c-7bc6-4a85-8d3b-627f976af215", - "value": "BRONZE BUTLER (G0060) uses Credential Dumping (T1003)" - }, - { - "meta": { - "source-uuid": "fb366179-766c-4a4a-afa1-52bff1fd601c", - "target-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0" - }, - "uuid": "69682171-e717-4af7-a24a-06a39f381641", - "value": "Threat Group-3390 (G0027) uses System Network Configuration Discovery (T1016)" - }, - { - "meta": { - "source-uuid": "37cc7eb6-12e3-467b-82e8-f20f2cc73c69", - "target-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104" - }, - "uuid": "fce2d07b-7bc7-497a-b21a-75a23fbccf50", - "value": "Prikormka (S0113) uses System Owner/User Discovery (T1033)" - }, - { - "meta": { - "source-uuid": "67e6d66b-1b82-4699-b47a-e2efb6268d14", - "target-uuid": "cc7b8c4e-9be0-47ca-b0bb-83915ec3ee2f" - }, - "uuid": "13c97dd2-5c0b-4f18-84ab-533949fbeb25", - "value": "SeaDuke (S0053) uses Data Encoding (T1132)" - }, - { - "meta": { - "source-uuid": "c93fccb1-e8e8-42cf-ae33-2ad1d183913a", - "target-uuid": "f72eb8a8-cd4c-461d-a814-3f862befbf00" - }, - "uuid": 
"b51f3b69-d62b-4ccf-9ce8-62ec7f934e4b", - "value": "Lazarus Group (G0032) uses Custom Command and Control Protocol (T1094)" - }, - { - "meta": { - "source-uuid": "fe98767f-9df8-42b9-83c9-004b1dec8647", - "target-uuid": "afc079f3-c0ea-4096-b75d-3f05338b7f60" - }, - "uuid": "cc831c63-94af-4937-b8e6-668591ec7d04", - "value": "PittyTiger (G0011) uses Mimikatz (S0002)" - }, - { - "meta": { - "source-uuid": "fb261c56-b80e-43a9-8351-c84081e7213d", - "target-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580" - }, - "uuid": "64cb753d-eb72-4dce-a417-7df747334347", - "value": "BACKSPACE (S0031) uses Process Discovery (T1057)" - }, - { - "meta": { - "source-uuid": "95c29444-49f9-49f7-8b20-bcd68d8fcaa6", - "target-uuid": "4bf5845d-a814-4490-bc5c-ccdee6043025" - }, - "uuid": "0c2ba74b-a5b0-493c-84f3-41b6131070a0", - "value": "AppCert DLLs Mitigation (T1182) mitigates AppCert DLLs (T1182)" - }, - { - "meta": { - "source-uuid": "92ec0cbd-2c30-44a2-b270-73f4ec949841", - "target-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a" - }, - "uuid": "d5c86dd3-3cfa-4ade-8984-fdf079b9f81b", - "value": "RTM (S0148) uses Obfuscated Files or Information (T1027)" - }, - { - "meta": { - "source-uuid": "9e729a7e-0dd6-4097-95bf-db8d64911383", - "target-uuid": "1b84d551-6de8-4b96-9930-d177677c3b1d" - }, - "uuid": "b69424ec-3af6-44aa-842a-81fba219b9f4", - "value": "Darkhotel (G0012) uses Code Signing (T1116)" - }, - { - "meta": { - "source-uuid": "2dd34b01-6110-4aac-835d-b5e7b936b0be", - "target-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22" - }, - "uuid": "695c2f41-140a-48f9-9e14-0cd58d7712d1", - "value": "OLDBAIT (S0138) uses Credential Dumping (T1003)" - }, - { - "meta": { - "source-uuid": "f8dfbc54-b070-4224-b560-79aaa5f835bd", - "target-uuid": "ca1a3f50-5ebd-41f8-8320-2c7d6a6e88be" - }, - "uuid": "8961d93e-ec51-42dd-8f76-54d46ea21967", - "value": "H1N1 (S0132) uses Bypass User Account Control (T1088)" - }, - { - "meta": { - "source-uuid": "463f68f1-5cde-4dc2-a831-68b73488f8f4", - "target-uuid": 
"7bc57495-ea59-4380-be31-a64af124ef18" - }, - "uuid": "bc72acee-e417-4de8-8084-153e141917b6", - "value": "MobileOrder (S0079) uses File and Directory Discovery (T1083)" - }, - { - "meta": { - "source-uuid": "0ced8926-914e-4c78-bc93-356fb90dbd1f", - "target-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580" - }, - "uuid": "61fa303b-a9ff-419f-b3ac-96e43e37b6e5", - "value": "HALFBAKED (S0151) uses Process Discovery (T1057)" - }, - { - "meta": { - "source-uuid": "6a2e693f-24e5-451a-9f88-b36a108e5662", - "target-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830" - }, - "uuid": "dd4c02ea-b54a-4753-beb5-3248d89a7e04", - "value": "APT1 (G0006) uses Command-Line Interface (T1059)" - }, - { - "meta": { - "source-uuid": "8ae43c46-57ef-47d5-a77a-eebb35628db2", - "target-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d" - }, - "uuid": "da44c85c-914b-41e0-aef7-68cd3c1faea1", - "value": "JHUHUGIT (S0044) uses Process Injection (T1055)" - }, - { - "meta": { - "source-uuid": "93f52415-0fe4-4d3d-896c-fc9b8e88ab90", - "target-uuid": "7bc57495-ea59-4380-be31-a64af124ef18" - }, - "uuid": "fc4dd2b6-63a0-46fe-bfc4-90e58e5d1422", - "value": "BRONZE BUTLER (G0060) uses File and Directory Discovery (T1083)" - }, - { - "meta": { - "source-uuid": "f9d6633a-55e6-4adc-9263-6ae080421a13", - "target-uuid": "7bc57495-ea59-4380-be31-a64af124ef18" - }, - "uuid": "87b8b451-bf9b-4e93-b591-05ef502970f5", - "value": "Magic Hound (G0059) uses File and Directory Discovery (T1083)" - }, - { - "meta": { - "source-uuid": "dfb5fa9b-3051-4b97-8035-08f80aef945b", - "target-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add" - }, - "uuid": "a1e74408-5c7b-4538-afd9-a01b23a92429", - "value": "Psylo (S0078) uses Remote File Copy (T1105)" - }, - { - "meta": { - "source-uuid": "59a97b15-8189-4d51-9404-e1ce8ea4a069", - "target-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580" - }, - "uuid": "bb005145-438c-4fd8-9cac-a636df7465da", - "value": "XAgentOSX (S0161) uses Process Discovery (T1057)" - }, - { - "meta": { - "source-uuid": 
"64d76fa5-cf8f-469c-b78c-1a4f7c5bad80", - "target-uuid": "1c338d0f-a65e-4073-a5c1-c06878849f21" - }, - "uuid": "ec6074e4-4137-42a4-86c8-1ea95ce54df6", - "value": "BBSRAT (S0127) uses Process Hollowing (T1093)" - }, - { - "meta": { - "source-uuid": "09b2cd76-c674-47cc-9f57-d2f2ad150a46", - "target-uuid": "72b74d71-8169-42aa-92e0-e7b04b9f5a08" - }, - "uuid": "61dd6d75-a95b-488d-9a1d-924563592df7", - "value": "POWRUNER (S0184) uses Account Discovery (T1087)" - }, - { - "meta": { - "source-uuid": "2e290bfe-93b5-48ce-97d6-edcd6d32b7cf", - "target-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104" - }, - "uuid": "a5ffea60-7694-48cd-92e9-b755669b2fdb", - "value": "Gamaredon Group (G0047) uses System Owner/User Discovery (T1033)" - }, - { - "meta": { - "source-uuid": "6b616fc1-1505-48e3-8b2c-0d19337bff38", - "target-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc" - }, - "uuid": "0f5d3626-1dc2-4ebe-ba37-3f86ab0df9ec", - "value": "Rover (S0090) uses Registry Run Keys / Start Folder (T1060)" - }, - { - "meta": { - "source-uuid": "bef4c620-0787-42a8-a96d-b7eb6e85917c", - "target-uuid": "3b744087-9945-4a6f-91e8-9dbceda417a4" - }, - "uuid": "edaf0203-4959-4e1e-9240-3d20cf0f3b6a", - "value": "APT28 (G0007) uses Replication Through Removable Media (T1091)" - }, - { - "meta": { - "source-uuid": "17b40f60-729f-4fe8-8aea-cc9ee44a95d5", - "target-uuid": "c848fcf7-6b62-4bde-8216-b6c157d48da0" - }, - "uuid": "44090eb6-1166-4986-8583-60dcc8e69cc7", - "value": "RedLeaves (S0153) uses Uncommonly Used Port (T1065)" - }, - { - "meta": { - "source-uuid": "ed7d0cb1-87a6-43b4-9f46-ef1bc56d6c68", - "target-uuid": "428ca9f8-0e33-442a-be87-f869cb4cf73e" - }, - "uuid": "74486fa3-a5b8-49b2-82b7-0c453b4baf12", - "value": "Tor (S0183) uses Multilayer Encryption (T1079)" - }, - { - "meta": { - "source-uuid": "b52f41b9-ccf6-4da7-a6c0-167eeb71fbd8", - "target-uuid": "389735f1-f21c-4208-b8f0-f8031e7169b8" - }, - "uuid": "d18d4353-e344-4759-b51b-ed39ab2b5f46", - "value": "Browser Extensions Mitigation (T1176) 
mitigates Browser Extensions (T1176)" - }, - { - "meta": { - "source-uuid": "60c18d06-7b91-4742-bae3-647845cd9d81", - "target-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add" - }, - "uuid": "e41ab3e7-2b69-4461-a693-e53a24c9ab59", - "value": "CORESHELL (S0137) uses Remote File Copy (T1105)" - }, - { - "meta": { - "source-uuid": "083bb47b-02c8-4423-81a2-f9ef58572974", - "target-uuid": "7bc57495-ea59-4380-be31-a64af124ef18" - }, - "uuid": "b8f1354c-9cff-40ef-aa47-591952c735c3", - "value": "Backdoor.Oldrea (S0093) uses File and Directory Discovery (T1083)" - }, - { - "meta": { - "source-uuid": "94f6b4f5-b528-4f50-91d5-f66457c2f8f7", - "target-uuid": "544b0346-29ad-41e1-a808-501bb4193f47" - }, - "uuid": "efa2ae6b-8942-4ea2-80ca-b4181dd01427", - "value": "Man in the Browser Mitigation (T1185) mitigates Man in the Browser (T1185)" - }, - { - "meta": { - "source-uuid": "6a2e693f-24e5-451a-9f88-b36a108e5662", - "target-uuid": "a52edc76-328d-4596-85e7-d56ef5a9eb69" - }, - "uuid": "76393f0c-a13c-48a8-ba7d-80502ae938a7", - "value": "APT1 (G0006) uses Pass-The-Hash Toolkit (S0122)" - }, - { - "meta": { - "source-uuid": "43213480-78f7-4fb3-976f-d48f5f6a4c2a", - "target-uuid": "d54416bd-0803-41ca-870a-ce1af7c05638" - }, - "uuid": "f9669551-29f8-4aaf-83b9-50e541bbdced", - "value": "FLASHFLOOD (S0036) uses Data Encrypted (T1022)" - }, - { - "meta": { - "source-uuid": "326af1cd-78e7-45b7-a326-125d2f7ef8f2", - "target-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22" - }, - "uuid": "ed74954d-4717-4d63-9836-4cbd66c37345", - "value": "Crimson (S0115) uses Credential Dumping (T1003)" - }, - { - "meta": { - "source-uuid": "0bbdf25b-30ff-4894-a1cd-49260d0dd2d9", - "target-uuid": "62b8c999-dcc0-4755-bd69-09442d9359f5" - }, - "uuid": "555e47f2-54bb-4c97-8804-536aa354126c", - "value": "APT3 (G0022) uses Rundll32 (T1085)" - }, - { - "meta": { - "source-uuid": "2a158b0a-7ef8-43cb-9985-bf34d1e12050", - "target-uuid": "22addc7b-b39f-483d-979a-1b35147da5de" - }, - "uuid": 
"45966f4c-51d4-4940-854d-79d712f63ed5", - "value": "Naikon (G0019) uses WinMM (S0059)" - }, - { - "meta": { - "source-uuid": "7fcbc4e8-1989-441f-9ac5-e7b6ff5806f1", - "target-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1" - }, - "uuid": "c088f23e-b741-453c-a710-01990dead853", - "value": "Systeminfo (S0096) uses System Information Discovery (T1082)" - }, - { - "meta": { - "source-uuid": "362dc67f-4e85-4562-9dac-1b6b7f3ec4b5", - "target-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0" - }, - "uuid": "01e01c24-ba4c-41d7-8f30-8fca364dc2c6", - "value": "ifconfig (S0101) uses System Network Configuration Discovery (T1016)" - }, - { - "meta": { - "source-uuid": "fece06b7-d4b1-42cf-b81a-5323c917546e", - "target-uuid": "7bc57495-ea59-4380-be31-a64af124ef18" - }, - "uuid": "27834043-1004-4a70-9023-a318bd6db7c6", - "value": "FALLCHILL (S0181) uses File and Directory Discovery (T1083)" - }, - { - "meta": { - "source-uuid": "515f6584-fa98-44fe-a4e8-e428c7188514", - "target-uuid": "f24faf46-3b26-4dbb-98f2-63460498e433" - }, - "uuid": "bb523d35-52f1-4c61-a8de-b4605ce9e596", - "value": "Fallback Channels Mitigation (T1008) mitigates Fallback Channels (T1008)" - }, - { - "meta": { - "source-uuid": "5e595477-2e78-4ce7-ae42-e0b059b17808", - "target-uuid": "c3888c54-775d-4b2f-b759-75a2ececcbfd" - }, - "uuid": "3e497bf1-4fdc-40a2-b8a2-3492c1d605e5", - "value": "POSHSPY (S0150) uses Data Transfer Size Limits (T1030)" - }, - { - "meta": { - "source-uuid": "1c63d4ec-0a75-4daa-b1df-0d11af3d3cc1", - "target-uuid": "f879d51c-5476-431c-aedf-f14d207e4d1e" - }, - "uuid": "25d96e8e-6893-4b90-82cc-253cbd499543", - "value": "Dragonfly (G0035) uses Commonly Used Port (T1043)" - }, - { - "meta": { - "source-uuid": "b96680d1-5eb3-4f07-b95c-00ab904ac236", - "target-uuid": "7bc57495-ea59-4380-be31-a64af124ef18" - }, - "uuid": "ed8b5029-835d-492c-a1f4-10ccbf084a76", - "value": "Pisloader (S0124) uses File and Directory Discovery (T1083)" - }, - { - "meta": { - "source-uuid": 
"19edfa02-1a5f-47e4-ad82-3288f57f64cf", - "target-uuid": "30973a08-aed9-4edf-8604-9084ce1b5c4f" - }, - "uuid": "25a46055-25f5-4f91-9b0f-ba099f9dde4b", - "value": "Clipboard Data Mitigation (T1115) mitigates Clipboard Data (T1115)" - }, - { - "meta": { - "source-uuid": "17b40f60-729f-4fe8-8aea-cc9ee44a95d5", - "target-uuid": "7bc57495-ea59-4380-be31-a64af124ef18" - }, - "uuid": "d4ca926c-6976-4ee8-a5b0-89aa11931bea", - "value": "RedLeaves (S0153) uses File and Directory Discovery (T1083)" - }, - { - "meta": { - "source-uuid": "ccd61dfc-b03f-4689-8c18-7c97eab08472", - "target-uuid": "7bc57495-ea59-4380-be31-a64af124ef18" - }, - "uuid": "838b4a52-1360-4ca7-ab25-1b549508e687", - "value": "CHOPSTICK (S0023) uses File and Directory Discovery (T1083)" - }, - { - "meta": { - "source-uuid": "e9595678-d269-469e-ae6b-75e49259de63", - "target-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add" - }, - "uuid": "b3f53743-4bd9-47a6-bf41-6f7786bbdc87", - "value": "BADNEWS (S0128) uses Remote File Copy (T1105)" - }, - { - "meta": { - "source-uuid": "fb366179-766c-4a4a-afa1-52bff1fd601c", - "target-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9" - }, - "uuid": "17594ffb-af22-4cdc-8849-ca31d2019a9e", - "value": "Threat Group-3390 (G0027) uses Scheduled Task (T1053)" - }, - { - "meta": { - "source-uuid": "74febc44-8955-4e4d-aca0-d4dad2f967d7", - "target-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d" - }, - "uuid": "f004e6c4-0c37-4060-9627-9ec0940aee9c", - "value": "Process Injection Mitigation (T1055) mitigates Process Injection (T1055)" - }, - { - "meta": { - "source-uuid": "7ecc3b4f-5cdb-457e-b55a-df376b359446", - "target-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580" - }, - "uuid": "c6f81350-a410-4ac7-a4b0-58bd4a9c1d9e", - "value": "Poseidon Group (G0033) uses Process Discovery (T1057)" - }, - { - "meta": { - "source-uuid": "17862c7d-9e60-48a0-b48e-da4dc4c3f6b0", - "target-uuid": "f4882e23-8aa7-4b12-b28a-b349c12ee9e0" - }, - "uuid": "d6e43621-ca4a-475f-b81c-037a0878728b", - "value": 
"Patchwork (G0040) uses PowerShell (T1086)" - }, - { - "meta": { - "source-uuid": "59a97b15-8189-4d51-9404-e1ce8ea4a069", - "target-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1" - }, - "uuid": "ec362b37-1a64-4b28-8d34-7819d0aa5b2a", - "value": "XAgentOSX (S0161) uses System Information Discovery (T1082)" - }, - { - "meta": { - "source-uuid": "e9595678-d269-469e-ae6b-75e49259de63", - "target-uuid": "ad255bfe-a9e6-4b52-a258-8d3462abe842" - }, - "uuid": "3884be12-f73f-4f9b-875e-68d40798faf6", - "value": "BADNEWS (S0128) uses Data Obfuscation (T1001)" - }, - { - "meta": { - "source-uuid": "54cc1d4f-5c53-4f0e-9ef5-11b4998e82e4", - "target-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2" - }, - "uuid": "bbd9b8d7-431c-44fa-95ac-61f73271ae92", - "value": "BlackEnergy (S0089) uses Input Capture (T1056)" - }, - { - "meta": { - "source-uuid": "91000a8a-58cc-4aba-9ad0-993ad6302b86", - "target-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a" - }, - "uuid": "ee51d531-5cc4-4836-a55c-6062bde1a4d4", - "value": "StreamEx (S0142) uses Obfuscated Files or Information (T1027)" - }, - { - "meta": { - "source-uuid": "876f6a77-fbc5-4e13-ab1a-5611986730a3", - "target-uuid": "317fefa6-46c7-4062-adb6-2008cf6bcb41" - }, - "uuid": "3d16b34f-f58b-4469-a0ef-7585f88d6001", - "value": "T9000 (S0098) uses AppInit DLLs (T1103)" - }, - { - "meta": { - "source-uuid": "aafea02e-ece5-4bb2-91a6-3bf8c7f38a39", - "target-uuid": "51dea151-0898-4a45-967c-3ebee0420484" - }, - "uuid": "3cb99d8e-8a3d-47ed-b4b7-e217cea48013", - "value": "Cobalt Strike (S0154) uses Remote Desktop Protocol (T1076)" - }, - { - "meta": { - "source-uuid": "fb366179-766c-4a4a-afa1-52bff1fd601c", - "target-uuid": "56f46b17-8cfa-46c0-b501-dd52fef394e2" - }, - "uuid": "4a1bfb6c-f110-4785-9dff-4c8e433bf04d", - "value": "Threat Group-3390 (G0027) uses ASPXSpy (S0073)" - }, - { - "meta": { - "source-uuid": "53cf6cc4-65aa-445a-bcf8-c3d296f8a7a2", - "target-uuid": "7bc57495-ea59-4380-be31-a64af124ef18" - }, - "uuid": 
"5bb94c21-96c6-4c71-ae46-b222a69a493a", - "value": "NETEAGLE (S0034) uses File and Directory Discovery (T1083)" - }, - { - "meta": { - "source-uuid": "82cb34ba-02b5-432b-b2d2-07f55cbf674d", - "target-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add" - }, - "uuid": "7282eabe-73e0-4a10-824b-f18df7f892e2", - "value": "Trojan.Karagany (S0094) uses Remote File Copy (T1105)" - }, - { - "meta": { - "source-uuid": "2eb9b131-d333-4a48-9eb4-d8dec46c19ee", - "target-uuid": "774a3188-6ba9-4dc4-879d-d54ee48a5ce9" - }, - "uuid": "d8ac067b-f246-40bb-98bd-fcff74092139", - "value": "CosmicDuke (S0050) uses Automated Exfiltration (T1020)" - }, - { - "meta": { - "source-uuid": "e1161124-f22e-487f-9d5f-ed8efc8dcd61", - "target-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6" - }, - "uuid": "9b80479d-6f7a-45fd-af5b-1e8adfb1e7fd", - "value": "Mis-Type (S0084) uses Standard Application Layer Protocol (T1071)" - }, - { - "meta": { - "source-uuid": "876f6a77-fbc5-4e13-ab1a-5611986730a3", - "target-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104" - }, - "uuid": "a6150e37-2411-409f-82a0-e259d55d1166", - "value": "T9000 (S0098) uses System Owner/User Discovery (T1033)" - }, - { - "meta": { - "source-uuid": "ccd61dfc-b03f-4689-8c18-7c97eab08472", - "target-uuid": "64196062-5210-42c3-9a02-563a0d1797ef" - }, - "uuid": "167d7b11-01f3-42d5-bb8a-78306dc80243", - "value": "CHOPSTICK (S0023) uses Communication Through Removable Media (T1092)" - }, - { - "meta": { - "source-uuid": "eff1a885-6f90-42a1-901f-eef6e7a1905e", - "target-uuid": "30208d3e-0d6b-43c8-883e-44462a514619" - }, - "uuid": "cd58d271-9ee2-45d6-9ca3-22ae8da639b5", - "value": "Helminth (S0170) uses Automated Collection (T1119)" - }, - { - "meta": { - "source-uuid": "fbe9387f-34e6-4828-ac28-3080020c597b", - "target-uuid": "f4882e23-8aa7-4b12-b28a-b349c12ee9e0" - }, - "uuid": "a5888362-00f3-4c9e-98ee-048aee5169e1", - "value": "FIN10 (G0051) uses PowerShell (T1086)" - }, - { - "meta": { - "source-uuid": "1c63d4ec-0a75-4daa-b1df-0d11af3d3cc1", - 
"target-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0" - }, - "uuid": "89da3f24-b9dc-4c68-9240-228215e51bfc", - "value": "Dragonfly (G0035) uses Masquerading (T1036)" - }, - { - "meta": { - "source-uuid": "0bbdf25b-30ff-4894-a1cd-49260d0dd2d9", - "target-uuid": "f6d1d2cb-12f5-4221-9636-44606ea1f3f8" - }, - "uuid": "16ef3e00-dc40-462c-9b74-5e8a8b24c86e", - "value": "APT3 (G0022) uses OSInfo (S0165)" - }, - { - "meta": { - "source-uuid": "68ba94ab-78b8-43e7-83e2-aed3466882c6", - "target-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22" - }, - "uuid": "5f95e123-9f44-47a0-affc-aaae6929d269", - "value": "APT34 (G0057) uses Credential Dumping (T1003)" - }, - { - "meta": { - "source-uuid": "2e5d3a83-fe00-41a5-9b60-237efc84832f", - "target-uuid": "b42378e0-f147-496f-992a-26a49705395b" - }, - "uuid": "d6e40826-7af0-4e4e-96c3-28493abda6c7", - "value": "Moafee (G0002) uses PoisonIvy (S0012)" - }, - { - "meta": { - "source-uuid": "68ba94ab-78b8-43e7-83e2-aed3466882c6", - "target-uuid": "10d51417-ee35-4589-b1ff-b6df1c334e8d" - }, - "uuid": "e9a2c6b5-c02a-404b-818c-d54915a53952", - "value": "APT34 (G0057) uses External Remote Services (T1133)" - }, - { - "meta": { - "source-uuid": "876f6a77-fbc5-4e13-ab1a-5611986730a3", - "target-uuid": "1035cdf2-3e5f-446f-a7a7-e8f6d7925967" - }, - "uuid": "842f8f4b-9d90-4533-850f-777f33ef8257", - "value": "T9000 (S0098) uses Audio Capture (T1123)" - }, - { - "meta": { - "source-uuid": "45e7f570-6a0b-4095-bf02-4bca05da6bae", - "target-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0" - }, - "uuid": "61528841-379e-4fa3-a233-34c745764c18", - "value": "Masquerading Mitigation (T1036) mitigates Masquerading (T1036)" - }, - { - "meta": { - "source-uuid": "7ecc3b4f-5cdb-457e-b55a-df376b359446", - "target-uuid": "72b74d71-8169-42aa-92e0-e7b04b9f5a08" - }, - "uuid": "a602be33-6ed6-4f73-b7f6-10b47581707a", - "value": "Poseidon Group (G0033) uses Account Discovery (T1087)" - }, - { - "meta": { - "source-uuid": "7ecc3b4f-5cdb-457e-b55a-df376b359446", - 
"target-uuid": "322bad5a-1c49-4d23-ab79-76d641794afa" - }, - "uuid": "720be590-5ea0-43b6-8360-fa75dd4d1a67", - "value": "Poseidon Group (G0033) uses System Service Discovery (T1007)" - }, - { - "meta": { - "source-uuid": "54cc1d4f-5c53-4f0e-9ef5-11b4998e82e4", - "target-uuid": "f24faf46-3b26-4dbb-98f2-63460498e433" - }, - "uuid": "f5936bbd-f8cb-404a-bd43-87f7bc836294", - "value": "BlackEnergy (S0089) uses Fallback Channels (T1008)" - }, - { - "meta": { - "source-uuid": "5e595477-2e78-4ce7-ae42-e0b059b17808", - "target-uuid": "128c55d3-aeba-469f-bd3e-c8996ab4112a" - }, - "uuid": "d57d1a71-6ac7-4028-ba73-86e5df98395f", - "value": "POSHSPY (S0150) uses Timestomp (T1099)" - }, - { - "meta": { - "source-uuid": "94379dec-5c87-49db-b36e-66abc0b81344", - "target-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830" - }, - "uuid": "3268cdc0-7cee-4fe5-92cc-2c3cdc06712b", - "value": "Derusbi (S0021) uses Command-Line Interface (T1059)" - }, - { - "meta": { - "source-uuid": "6a2e693f-24e5-451a-9f88-b36a108e5662", - "target-uuid": "b8eb28e4-48a6-40ae-951a-328714f75eda" - }, - "uuid": "19fce62c-ba70-4c20-bf74-0bca7886190c", - "value": "APT1 (G0006) uses BISCUIT (S0017)" - }, - { - "meta": { - "source-uuid": "67e6d66b-1b82-4699-b47a-e2efb6268d14", - "target-uuid": "b9f5dbe2-4c55-4fc5-af2e-d42c1d182ec4" - }, - "uuid": "45522d60-160a-4c07-bd98-9a487175910e", - "value": "SeaDuke (S0053) uses Data Compressed (T1002)" - }, - { - "meta": { - "source-uuid": "a653431d-6a5e-4600-8ad3-609b5af57064", - "target-uuid": "2e45723a-31da-4a7e-aaa6-e01998a6788f" - }, - "uuid": "9d081347-3446-47a4-b5a9-d7a9d2d499e7", - "value": "Deep Panda (G0009) uses Tasklist (S0057)" - }, - { - "meta": { - "source-uuid": "68dca94f-c11d-421e-9287-7c501108e18c", - "target-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81" - }, - "uuid": "448a35fc-fecf-4373-9888-30c37dd1d56a", - "value": "Duqu (S0038) uses Valid Accounts (T1078)" - }, - { - "meta": { - "source-uuid": "38952eac-cb1b-4a71-bad2-ee8223a1c8fe", - "target-uuid": 
"72b74d71-8169-42aa-92e0-e7b04b9f5a08" - }, - "uuid": "44259d7d-e156-4e09-a401-ff62f0706cdd", - "value": "dsquery (S0105) uses Account Discovery (T1087)" - }, - { - "meta": { - "source-uuid": "c47a9b55-8f61-4b82-b833-1db6242c754e", - "target-uuid": "c0a384a4-9a25-40e1-97b6-458388474bc8" - }, - "uuid": "cfe1e092-57a9-4f7e-ba4a-794bfa797de8", - "value": "Local Job Scheduling Mitigation (T1168) mitigates Local Job Scheduling (T1168)" - }, - { - "meta": { - "source-uuid": "5e595477-2e78-4ce7-ae42-e0b059b17808", - "target-uuid": "4b74a1d4-b0e9-4ef1-93f1-14ecc6e2f5b5" - }, - "uuid": "b380ad90-2f3b-4f98-ae23-3dfdba448e0a", - "value": "POSHSPY (S0150) uses Standard Cryptographic Protocol (T1032)" - }, - { - "meta": { - "source-uuid": "80a014ba-3fef-4768-990b-37d8bd10d7f4", - "target-uuid": "0f20e3cb-245b-4a61-8a91-2d93f7cb0e9b" - }, - "uuid": "eb74fa31-121d-4e43-9794-048a901f509a", - "value": "Uroburos (S0022) uses Rootkit (T1014)" - }, - { - "meta": { - "source-uuid": "68dca94f-c11d-421e-9287-7c501108e18c", - "target-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2" - }, - "uuid": "0b823cda-4775-4690-9ea6-02bbaa3522a1", - "value": "Duqu (S0038) uses Input Capture (T1056)" - }, - { - "meta": { - "source-uuid": "6b62e336-176f-417b-856a-8552dd8c44e1", - "target-uuid": "1b84d551-6de8-4b96-9930-d177677c3b1d" - }, - "uuid": "88ad4d2e-745e-4712-8901-e772dfaf3298", - "value": "Epic (S0091) uses Code Signing (T1116)" - }, - { - "meta": { - "source-uuid": "c0c45d38-fe57-4cd4-b2b2-9ecd0ddd4ca9", - "target-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688" - }, - "uuid": "6f01abdc-bd94-4645-afed-8d3bd365bba4", - "value": "TinyZBot (S0004) uses Screen Capture (T1113)" - }, - { - "meta": { - "source-uuid": "a653431d-6a5e-4600-8ad3-609b5af57064", - "target-uuid": "94379dec-5c87-49db-b36e-66abc0b81344" - }, - "uuid": "ba4e03d1-f9b6-442d-974b-2fb7feddb551", - "value": "Deep Panda (G0009) uses Derusbi (S0021)" - }, - { - "meta": { - "source-uuid": "68ba94ab-78b8-43e7-83e2-aed3466882c6", - 
"target-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2" - }, - "uuid": "1eac1b9e-28f1-4315-8070-6946e7e11444", - "value": "APT34 (G0057) uses Input Capture (T1056)" - }, - { - "meta": { - "source-uuid": "df71bb3b-813c-45eb-a8bc-f2a419837411", - "target-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580" - }, - "uuid": "6e757efa-8231-4674-a1ea-e234e2dfb838", - "value": "Molerats (G0021) uses Process Discovery (T1057)" - }, - { - "meta": { - "source-uuid": "083bb47b-02c8-4423-81a2-f9ef58572974", - "target-uuid": "ad255bfe-a9e6-4b52-a258-8d3462abe842" - }, - "uuid": "7123a6ee-2026-4db8-a983-cbc2932c2a09", - "value": "Backdoor.Oldrea (S0093) uses Data Obfuscation (T1001)" - }, - { - "meta": { - "source-uuid": "dc5d1a33-62aa-4a0c-aa8c-589b87beb11e", - "target-uuid": "4b74a1d4-b0e9-4ef1-93f1-14ecc6e2f5b5" - }, - "uuid": "e376d1ed-a35a-47c1-98c6-4d37f52b1b84", - "value": "ChChes (S0144) uses Standard Cryptographic Protocol (T1032)" - }, - { - "meta": { - "source-uuid": "0bc3ce00-83bc-4a92-a042-79ffbc6af259", - "target-uuid": "e906ae4d-1d3a-4675-be23-22f7311c0da4" - }, - "uuid": "4b5bd2c6-b460-401d-8457-005add9037d9", - "value": "Windows Management Instrumentation Event Subscription Mitigation (T1084) mitigates Windows Management Instrumentation Event Subscription (T1084)" - }, - { - "meta": { - "source-uuid": "17862c7d-9e60-48a0-b48e-da4dc4c3f6b0", - "target-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104" - }, - "uuid": "8bb44b86-379d-49ba-9b28-2451e69db30d", - "value": "Patchwork (G0040) uses System Owner/User Discovery (T1033)" - }, - { - "meta": { - "source-uuid": "687c23e4-4e25-4ee7-a870-c5e002511f54", - "target-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add" - }, - "uuid": "ad5f49b0-8b92-43d1-99f3-c691ccb7a8ac", - "value": "DustySky (S0062) uses Remote File Copy (T1105)" - }, - { - "meta": { - "source-uuid": "4320b080-9ae9-4541-9b8b-bcd0961dbbbd", - "target-uuid": "7dd95ff6-712e-4056-9626-312ea4ab4c5e" - }, - "uuid": "47316750-4ca7-4ea3-b72c-9d7c7d895e3a", - "value": "Data 
Staged Mitigation (T1074) mitigates Data Staged (T1074)" - }, - { - "meta": { - "source-uuid": "92ec0cbd-2c30-44a2-b270-73f4ec949841", - "target-uuid": "241814ae-de3f-4656-b49e-f9a80764d4b7" - }, - "uuid": "d7903e1f-f31c-48bc-b7c3-3616cb1a792f", - "value": "RTM (S0148) uses Security Software Discovery (T1063)" - }, - { - "meta": { - "source-uuid": "222fbd21-fc4f-4b7e-9f85-0e6e3a76c33f", - "target-uuid": "3240cbe4-c550-443b-aa76-cc2a7058b870" - }, - "uuid": "15aa00d1-11c0-4be1-a900-ede5e1376110", - "value": "menuPass (G0045) uses SNUGRIDE (S0159)" - }, - { - "meta": { - "source-uuid": "40d3e230-ed32-469f-ba89-be70cc08ab39", - "target-uuid": "3b744087-9945-4a6f-91e8-9dbceda417a4" - }, - "uuid": "7f3c015e-d95d-4d35-a583-236134464554", - "value": "Agent.btz (S0092) uses Replication Through Removable Media (T1091)" - }, - { - "meta": { - "source-uuid": "8e461ca3-0996-4e6e-a0df-e2a5bbc51ebc", - "target-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1" - }, - "uuid": "27375058-3002-4fc2-a964-a1e336a10a2a", - "value": "4H RAT (S0065) uses System Information Discovery (T1082)" - }, - { - "meta": { - "source-uuid": "37cc7eb6-12e3-467b-82e8-f20f2cc73c69", - "target-uuid": "799ace7f-e227-4411-baa0-8868704f2a69" - }, - "uuid": "be5dadd8-71ce-40ac-8858-5d5c5fbe0e96", - "value": "Prikormka (S0113) uses Indicator Removal on Host (T1070)" - }, - { - "meta": { - "source-uuid": "da2ef4a9-7cbe-400a-a379-e2f230f28db3", - "target-uuid": "02fefddc-fb1b-423f-a76b-7552dd211d4d" - }, - "uuid": "63d53308-7d7d-4777-a1cc-c7100735609c", - "value": "BOOTRASH (S0114) uses Bootkit (T1067)" - }, - { - "meta": { - "source-uuid": "294e2560-bd48-44b2-9da2-833b5588ad11", - "target-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0" - }, - "uuid": "b91e06c1-9546-4184-9552-ba501bf9182e", - "value": "ipconfig (S0100) uses System Network Configuration Discovery (T1016)" - }, - { - "meta": { - "source-uuid": "2e45723a-31da-4a7e-aaa6-e01998a6788f", - "target-uuid": "241814ae-de3f-4656-b49e-f9a80764d4b7" - }, - "uuid": 
"80ca0faf-6958-4158-a36d-b3e7936c5f5a", - "value": "Tasklist (S0057) uses Security Software Discovery (T1063)" - }, - { - "meta": { - "source-uuid": "fece06b7-d4b1-42cf-b81a-5323c917546e", - "target-uuid": "128c55d3-aeba-469f-bd3e-c8996ab4112a" - }, - "uuid": "3017cf15-f6a8-4281-8c74-9dd8f7c2666f", - "value": "FALLCHILL (S0181) uses Timestomp (T1099)" - }, - { - "meta": { - "source-uuid": "b96680d1-5eb3-4f07-b95c-00ab904ac236", - "target-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1" - }, - "uuid": "ed2e17b5-171b-4878-a3ab-2b70e8ca132a", - "value": "Pisloader (S0124) uses System Information Discovery (T1082)" - }, - { - "meta": { - "source-uuid": "e066bf86-9cfb-407a-9d25-26fd5d91e360", - "target-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add" - }, - "uuid": "0e12d7d1-5c46-4314-97fb-263853eed6af", - "value": "HTTPBrowser (S0070) uses Remote File Copy (T1105)" - }, - { - "meta": { - "source-uuid": "66b1dcde-17a0-4c7b-95fa-b08d430c2131", - "target-uuid": "e01be9c5-e763-4caf-aeb7-000b416aef67" - }, - "uuid": "6d819560-bdfb-4e0a-bf56-fddcba60cdb5", - "value": "S-Type (S0085) uses Create Account (T1136)" - }, - { - "meta": { - "source-uuid": "09b2cd76-c674-47cc-9f57-d2f2ad150a46", - "target-uuid": "7bc57495-ea59-4380-be31-a64af124ef18" - }, - "uuid": "9670979e-9785-45f0-a470-f591c97f6f8a", - "value": "POWRUNER (S0184) uses File and Directory Discovery (T1083)" - }, - { - "meta": { - "source-uuid": "85403903-15e0-4f9f-9be4-a259ecad4022", - "target-uuid": "10d51417-ee35-4589-b1ff-b6df1c334e8d" - }, - "uuid": "9abd0448-a3b7-4262-8753-fe81dc91c434", - "value": "FIN5 (G0053) uses External Remote Services (T1133)" - }, - { - "meta": { - "source-uuid": "6a0ef5d4-fc7c-4dda-85d7-592e4dbdc5d9", - "target-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2" - }, - "uuid": "7a30e6e7-ed64-47b1-b368-c1cec96d5fbf", - "value": "Sykipot (S0018) uses Input Capture (T1056)" - }, - { - "meta": { - "source-uuid": "199463de-d9be-46d6-bb41-07234c1dd5a6", - "target-uuid": 
"8f4a33ec-8b1f-4b80-a2f6-642b2e479580" - }, - "uuid": "3363ae54-1fe3-4c9f-b074-79dc0d7fbba5", - "value": "GeminiDuke (S0049) uses Process Discovery (T1057)" - }, - { - "meta": { - "source-uuid": "76abb3ef-dafd-4762-97cb-a35379429db4", - "target-uuid": "128c55d3-aeba-469f-bd3e-c8996ab4112a" - }, - "uuid": "1dfbe8fe-0e7a-42a7-85f0-a94b086b470b", - "value": "Gazer (S0168) uses Timestomp (T1099)" - }, - { - "meta": { - "source-uuid": "38fd6a28-3353-4f2b-bb2b-459fecd5c648", - "target-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9" - }, - "uuid": "67f19627-27a5-4898-bab5-7b235aa4ad77", - "value": "APT18 (G0026) uses Scheduled Task (T1053)" - }, - { - "meta": { - "source-uuid": "25d5e1d8-c6fb-4735-bc57-115a21222f4b", - "target-uuid": "4ae4f953-fe58-4cc8-a327-33257e30a830" - }, - "uuid": "3e89d94b-5e6f-48b3-ba80-d366940fa968", - "value": "Application Window Discovery Mitigation (T1010) mitigates Application Window Discovery (T1010)" - }, - { - "meta": { - "source-uuid": "2a7914cf-dff3-428d-ab0f-1014d1c28aeb", - "target-uuid": "7dd95ff6-712e-4056-9626-312ea4ab4c5e" - }, - "uuid": "eaaf6671-ead6-441b-b8d0-037a1e47572e", - "value": "FIN6 (G0037) uses Data Staged (T1074)" - }, - { - "meta": { - "source-uuid": "2ace01f8-67c8-43eb-b7b1-a7b9f1fe67e1", - "target-uuid": "7bc57495-ea59-4380-be31-a64af124ef18" - }, - "uuid": "e432b3bc-5539-40e5-bce2-3ba6f463b571", - "value": "File and Directory Discovery Mitigation (T1083) mitigates File and Directory Discovery (T1083)" - }, - { - "meta": { - "source-uuid": "65341f30-bec6-4b1d-8abf-1a5620446c29", - "target-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104" - }, - "uuid": "e0a0966c-7a2f-41b3-962f-3a6b22a5a8a9", - "value": "Reaver (S0172) uses System Owner/User Discovery (T1033)" - }, - { - "meta": { - "source-uuid": "196f1f32-e0c2-4d46-99cd-234d4b6befe1", - "target-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104" - }, - "uuid": "427a9eb9-659d-433c-9e2c-9a66d115a9a3", - "value": "Felismus (S0171) uses System Owner/User Discovery (T1033)" - }, - 
{ - "meta": { - "source-uuid": "0db09158-6e48-4e7c-8ce7-2b10b9c0c039", - "target-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add" - }, - "uuid": "ae3be82b-3d54-4be8-939b-e074a2cea170", - "value": "Misdat (S0083) uses Remote File Copy (T1105)" - }, - { - "meta": { - "source-uuid": "66b1dcde-17a0-4c7b-95fa-b08d430c2131", - "target-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6" - }, - "uuid": "4d4c8221-17a9-4e5b-86f9-6a0cffc42424", - "value": "S-Type (S0085) uses Standard Application Layer Protocol (T1071)" - }, - { - "meta": { - "source-uuid": "0a68f1f1-da74-4d28-8d9a-696c082706cc", - "target-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c" - }, - "uuid": "5918cee6-c2f1-41be-ab96-36f3d17e5293", - "value": "certutil (S0160) uses Deobfuscate/Decode Files or Information (T1140)" - }, - { - "meta": { - "source-uuid": "7a19ecb1-3c65-4de3-a230-993516aed6a6", - "target-uuid": "e358d692-23c0-4a31-9eb6-ecc13a8d7735" - }, - "uuid": "b8a1739d-240b-46c1-a25a-b82d1c4e4765", - "value": "Turla (G0010) uses Remote System Discovery (T1018)" - }, - { - "meta": { - "source-uuid": "1c63d4ec-0a75-4daa-b1df-0d11af3d3cc1", - "target-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688" - }, - "uuid": "926d0b0c-9421-4b8e-a740-8823e35c642f", - "value": "Dragonfly (G0035) uses Screen Capture (T1113)" - }, - { - "meta": { - "source-uuid": "9ea525fa-b0a9-4dde-84f2-bcea0137b3c1", - "target-uuid": "7dd95ff6-712e-4056-9626-312ea4ab4c5e" - }, - "uuid": "9c4a8336-5f5f-4e58-b00d-b6bf1c59ec03", - "value": "MoonWind (S0149) uses Data Staged (T1074)" - }, - { - "meta": { - "source-uuid": "e1161124-f22e-487f-9d5f-ed8efc8dcd61", - "target-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830" - }, - "uuid": "41023c59-b41e-454a-ace2-cd98d4fedb8e", - "value": "Mis-Type (S0084) uses Command-Line Interface (T1059)" - }, - { - "meta": { - "source-uuid": "ae41895a-243f-4a65-b99b-d85022326c31", - "target-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5" - }, - "uuid": "72cd5bab-20d9-4895-a6be-7d33f28d4b65", - "value": "Dust Storm (G0031) 
uses Data from Local System (T1005)" - }, - { - "meta": { - "source-uuid": "96b08451-b27a-4ff6-893f-790e26393a8e", - "target-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add" - }, - "uuid": "33162cc2-a800-4d42-89bb-13ac1e75dfce", - "value": "Sakula (S0074) uses Remote File Copy (T1105)" - }, - { - "meta": { - "source-uuid": "4ca1929c-7d64-4aab-b849-badbfc0c760d", - "target-uuid": "afc079f3-c0ea-4096-b75d-3f05338b7f60" - }, - "uuid": "e94576ee-284c-4782-a6ef-b7dd8a780254", - "value": "OilRig (G0049) uses Mimikatz (S0002)" - }, - { - "meta": { - "source-uuid": "1881da33-fdf2-4eea-afd0-e04caf9c000f", - "target-uuid": "348f1eef-964b-4eb6-bb53-69b3dcb0c643" - }, - "uuid": "9d0c7e94-b7d6-4ede-8223-a19e615e0a0b", - "value": "Peripheral Device Discovery Mitigation (T1120) mitigates Peripheral Device Discovery (T1120)" - }, - { - "meta": { - "source-uuid": "68ba94ab-78b8-43e7-83e2-aed3466882c6", - "target-uuid": "c16e5409-ee53-4d79-afdc-4099dc9292df" - }, - "uuid": "2ccda6d1-5196-4e22-b94a-01c3676fecc9", - "value": "APT34 (G0057) uses Web Shell (T1100)" - }, - { - "meta": { - "source-uuid": "9e2bba94-950b-4fcf-8070-cb3f816c5f4e", - "target-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830" - }, - "uuid": "3ada7220-b5a6-45b9-a7ca-4a26423da831", - "value": "hcdLoader (S0071) uses Command-Line Interface (T1059)" - }, - { - "meta": { - "source-uuid": "902286b2-96cc-4dd7-931f-e7340c9961da", - "target-uuid": "0c8ab3eb-df48-4b9c-ace7-beacaac81cc5" - }, - "uuid": "77fad92a-72ba-44d2-b4cb-a3079fbdb256", - "value": "File System Logical Offsets Mitigation (T1006) mitigates File System Logical Offsets (T1006)" - }, - { - "meta": { - "source-uuid": "d9727aee-48b8-4fdb-89e2-4c49746ba4dd", - "target-uuid": "ae676644-d2d2-41b7-af7e-9bed1b55898c" - }, - "uuid": "592d0c31-e61f-495e-a60e-70d7be59a719", - "value": "Data from Network Shared Drive Mitigation (T1039) mitigates Data from Network Shared Drive (T1039)" - }, - { - "meta": { - "source-uuid": "fb366179-766c-4a4a-afa1-52bff1fd601c", - 
"target-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830" - }, - "uuid": "26eafe5d-0ffc-48cf-ba1d-3681bdcbfaa3", - "value": "Threat Group-3390 (G0027) uses Command-Line Interface (T1059)" - }, - { - "meta": { - "source-uuid": "68dca94f-c11d-421e-9287-7c501108e18c", - "target-uuid": "f72eb8a8-cd4c-461d-a814-3f862befbf00" - }, - "uuid": "47e827f6-ec1d-4f16-80ab-0c54254ff42c", - "value": "Duqu (S0038) uses Custom Command and Control Protocol (T1094)" - }, - { - "meta": { - "source-uuid": "67e6d66b-1b82-4699-b47a-e2efb6268d14", - "target-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add" - }, - "uuid": "5abaaa8f-19c7-448f-9e5a-66f1cbf412f9", - "value": "SeaDuke (S0053) uses Remote File Copy (T1105)" - }, - { - "meta": { - "source-uuid": "1d808f62-cf63-4063-9727-ff6132514c22", - "target-uuid": "46944654-fcc1-4f63-9dad-628102376586" - }, - "uuid": "191885b6-1282-4173-a2bd-174c30c8a1dc", - "value": "WEBC2 (S0109) uses DLL Search Order Hijacking (T1038)" - }, - { - "meta": { - "source-uuid": "ccd61dfc-b03f-4689-8c18-7c97eab08472", - "target-uuid": "3b744087-9945-4a6f-91e8-9dbceda417a4" - }, - "uuid": "9aeda7e2-e452-4cd3-837f-e258cba1fc96", - "value": "CHOPSTICK (S0023) uses Replication Through Removable Media (T1091)" - }, - { - "meta": { - "source-uuid": "ae41895a-243f-4a65-b99b-d85022326c31", - "target-uuid": "166c0eca-02fd-424a-92c0-6b5106994d31" - }, - "uuid": "4cb1c7b1-6efd-488c-857d-605ff8ca9ab5", - "value": "Dust Storm (G0031) uses ZLib (S0086)" - }, - { - "meta": { - "source-uuid": "65341f30-bec6-4b1d-8abf-1a5620446c29", - "target-uuid": "c21d5a77-d422-4a69-acd7-2c53c1faa34b" - }, - "uuid": "67f82f6c-18f1-4f1e-8352-b7ecf8839ea2", - "value": "Reaver (S0172) uses Standard Non-Application Layer Protocol (T1095)" - }, - { - "meta": { - "source-uuid": "9a902722-cecd-4fbe-a6c9-49333aa0f8c2", - "target-uuid": "e358d692-23c0-4a31-9eb6-ecc13a8d7735" - }, - "uuid": "863d6b6f-9e13-4925-a736-5e719a10a0b8", - "value": "Remote System Discovery Mitigation (T1018) mitigates Remote System 
Discovery (T1018)" - }, - { - "meta": { - "source-uuid": "fb261c56-b80e-43a9-8351-c84081e7213d", - "target-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896" - }, - "uuid": "564de5da-7ecc-45c7-bbd5-619a8f316f70", - "value": "BACKSPACE (S0031) uses Query Registry (T1012)" - }, - { - "meta": { - "source-uuid": "53cf6cc4-65aa-445a-bcf8-c3d296f8a7a2", - "target-uuid": "92d7da27-2d91-488e-a00c-059dc162766d" - }, - "uuid": "3565539f-7ebf-4288-8422-5212c774821b", - "value": "NETEAGLE (S0034) uses Exfiltration Over Command and Control Channel (T1041)" - }, - { - "meta": { - "source-uuid": "fb366179-766c-4a4a-afa1-52bff1fd601c", - "target-uuid": "b21c3b2d-02e6-45b1-980b-e69051040839" - }, - "uuid": "0942dc11-0fcd-480a-ae4d-d571ba96331b", - "value": "Threat Group-3390 (G0027) uses Exploitation of Vulnerability (T1068)" - }, - { - "meta": { - "source-uuid": "0db09158-6e48-4e7c-8ce7-2b10b9c0c039", - "target-uuid": "799ace7f-e227-4411-baa0-8868704f2a69" - }, - "uuid": "dc68cc0c-154a-4c69-a35a-b7fd843d8e98", - "value": "Misdat (S0083) uses Indicator Removal on Host (T1070)" - }, - { - "meta": { - "source-uuid": "552462b9-ae79-49dd-855c-5973014e157f", - "target-uuid": "0f20e3cb-245b-4a61-8a91-2d93f7cb0e9b" - }, - "uuid": "da6aa745-9eb5-44d9-80f8-e9f542d106d2", - "value": "Zeroaccess (S0027) uses Rootkit (T1014)" - }, - { - "meta": { - "source-uuid": "b96680d1-5eb3-4f07-b95c-00ab904ac236", - "target-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc" - }, - "uuid": "02a629d3-b970-43e8-a11b-79f35107a4c0", - "value": "Pisloader (S0124) uses Registry Run Keys / Start Folder (T1060)" - }, - { - "meta": { - "source-uuid": "5ce5392a-3a6c-4e07-9df3-9b6a9159ac45", - "target-uuid": "2e0dd10b-676d-4964-acd0-8a404c92b044" - }, - "uuid": "94211067-148f-4196-a216-c1bb1e5cfc70", - "value": "Putter Panda (G0024) uses Disabling Security Tools (T1089)" - }, - { - "meta": { - "source-uuid": "68ba94ab-78b8-43e7-83e2-aed3466882c6", - "target-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59" - }, - "uuid": 
"d6e48ec5-1634-4ddd-865e-0bcb32a1fd1a", - "value": "APT34 (G0057) uses File Deletion (T1107)" - }, - { - "meta": { - "source-uuid": "c5947e1c-1cbc-434c-94b8-27c7e3be0fff", - "target-uuid": "d3afa961-a80c-4043-9509-282cdf69ab21" - }, - "uuid": "a70d06e8-63dd-4cb3-83a5-f7bd8f2a8132", - "value": "Winnti Group (G0044) uses Winnti (S0141)" - }, - { - "meta": { - "source-uuid": "f108215f-3487-489d-be8b-80e346d32518", - "target-uuid": "3b3cbbe0-6ed3-4334-b543-3ddfd8c5642d" - }, - "uuid": "c08ef8e9-9e12-4bb2-9e6a-061934f33ea0", - "value": "Komplex (S0162) uses Custom Cryptographic Protocol (T1024)" - }, - { - "meta": { - "source-uuid": "247cb30b-955f-42eb-97a5-a89fef69341e", - "target-uuid": "128c55d3-aeba-469f-bd3e-c8996ab4112a" - }, - "uuid": "71a8ae5e-3a78-49b5-9857-e202d636cedf", - "value": "APT32 (G0050) uses Timestomp (T1099)" - }, - { - "meta": { - "source-uuid": "16ade1aa-0ea1-4bb7-88cc-9079df2ae756", - "target-uuid": "322bad5a-1c49-4d23-ab79-76d641794afa" - }, - "uuid": "e6e324d1-b775-48bb-ac9f-02fcc2428752", - "value": "admin@338 (G0018) uses System Service Discovery (T1007)" - }, - { - "meta": { - "source-uuid": "a60657fa-e2e7-4f8f-8128-a882534ae8c5", - "target-uuid": "7bc57495-ea59-4380-be31-a64af124ef18" - }, - "uuid": "358047bf-1dd3-4fc4-bc1a-b7004bd54b8d", - "value": "OwaAuth (S0072) uses File and Directory Discovery (T1083)" - }, - { - "meta": { - "source-uuid": "8b880b41-5139-4807-baa9-309690218719", - "target-uuid": "7bc57495-ea59-4380-be31-a64af124ef18" - }, - "uuid": "d0332cfa-d932-4bc3-b661-9cd72c00b390", - "value": "SPACESHIP (S0035) uses File and Directory Discovery (T1083)" - }, - { - "meta": { - "source-uuid": "41cff8e9-fd05-408e-b3d5-d98c54c20bcf", - "target-uuid": "c1b11bf7-c68e-4fbf-a95b-28efbe7953bb" - }, - "uuid": "b02c9017-5ec9-4be0-9aa9-b183d252c516", - "value": "SSH Hijacking Mitigation (T1184) mitigates SSH Hijacking (T1184)" - }, - { - "meta": { - "source-uuid": "5967cc93-57c9-404a-8ffd-097edfa7bdfc", - "target-uuid": 
"428ca9f8-0e33-442a-be87-f869cb4cf73e" - }, - "uuid": "a5d7526f-2b1f-4a69-abc7-926b22bc402b", - "value": "Hi-Zor (S0087) uses Multilayer Encryption (T1079)" - }, - { - "meta": { - "source-uuid": "dfb5fa9b-3051-4b97-8035-08f80aef945b", - "target-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6" - }, - "uuid": "58f6b7ce-c0d0-4a54-b60d-1c39d6204796", - "value": "Psylo (S0078) uses Standard Application Layer Protocol (T1071)" - }, - { - "meta": { - "source-uuid": "60c18d06-7b91-4742-bae3-647845cd9d81", - "target-uuid": "62b8c999-dcc0-4755-bd69-09442d9359f5" - }, - "uuid": "ccc38b61-c517-4186-909a-760f12ef65e8", - "value": "CORESHELL (S0137) uses Rundll32 (T1085)" - }, - { - "meta": { - "source-uuid": "f9d6633a-55e6-4adc-9263-6ae080421a13", - "target-uuid": "830c9528-df21-472c-8c14-a036bf17d665" - }, - "uuid": "79f89b33-046c-4bfa-a12d-c50fa0d84ea6", - "value": "Magic Hound (G0059) uses Web Service (T1102)" - }, - { - "meta": { - "source-uuid": "0bbdf25b-30ff-4894-a1cd-49260d0dd2d9", - "target-uuid": "f4882e23-8aa7-4b12-b28a-b349c12ee9e0" - }, - "uuid": "ba1b953d-08ce-4b4b-924e-92556cdf1d90", - "value": "APT3 (G0022) uses PowerShell (T1086)" - }, - { - "meta": { - "source-uuid": "ccd61dfc-b03f-4689-8c18-7c97eab08472", - "target-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896" - }, - "uuid": "f55d54fe-27ed-41f9-81db-11ccbe2d2125", - "value": "CHOPSTICK (S0023) uses Query Registry (T1012)" - }, - { - "meta": { - "source-uuid": "6a0ef5d4-fc7c-4dda-85d7-592e4dbdc5d9", - "target-uuid": "322bad5a-1c49-4d23-ab79-76d641794afa" - }, - "uuid": "09c10778-19ad-441a-8a75-a3cf1288f960", - "value": "Sykipot (S0018) uses System Service Discovery (T1007)" - }, - { - "meta": { - "source-uuid": "37cc7eb6-12e3-467b-82e8-f20f2cc73c69", - "target-uuid": "46944654-fcc1-4f63-9dad-628102376586" - }, - "uuid": "6ce3735c-bfae-4eec-ab6b-bbf08cb7d60f", - "value": "Prikormka (S0113) uses DLL Search Order Hijacking (T1038)" - }, - { - "meta": { - "source-uuid": "38fd6a28-3353-4f2b-bb2b-459fecd5c648", - 
"target-uuid": "bba595da-b73a-4354-aa6c-224d4de7cb4e" - }, - "uuid": "89c6bcd7-e330-4902-8296-0918923d6573", - "value": "APT18 (G0026) uses cmd (S0106)" - }, - { - "meta": { - "source-uuid": "aafea02e-ece5-4bb2-91a6-3bf8c7f38a39", - "target-uuid": "ca1a3f50-5ebd-41f8-8320-2c7d6a6e88be" - }, - "uuid": "6c030461-42c5-44db-908a-85ac9a5a9822", - "value": "Cobalt Strike (S0154) uses Bypass User Account Control (T1088)" - }, - { - "meta": { - "source-uuid": "f9d6633a-55e6-4adc-9263-6ae080421a13", - "target-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0" - }, - "uuid": "88c50625-6d02-42fb-aa82-4315a532b754", - "value": "Magic Hound (G0059) uses System Network Configuration Discovery (T1016)" - }, - { - "meta": { - "source-uuid": "4ca1929c-7d64-4aab-b849-badbfc0c760d", - "target-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104" - }, - "uuid": "b22cebe6-129a-41a2-8a9e-70c222c88af6", - "value": "OilRig (G0049) uses System Owner/User Discovery (T1033)" - }, - { - "meta": { - "source-uuid": "16ade1aa-0ea1-4bb7-88cc-9079df2ae756", - "target-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1" - }, - "uuid": "eb85fa2e-3c50-4130-9717-8688237fecbc", - "value": "admin@338 (G0018) uses System Information Discovery (T1082)" - }, - { - "meta": { - "source-uuid": "f5352566-1a64-49ac-8f7f-97e1d1a03300", - "target-uuid": "f4882e23-8aa7-4b12-b28a-b349c12ee9e0" - }, - "uuid": "e47397b7-b3c7-4919-ac5e-1f3266ef97e3", - "value": "AutoIt backdoor (S0129) uses PowerShell (T1086)" - }, - { - "meta": { - "source-uuid": "7331c66a-5601-4d3f-acf6-ad9e3035eb40", - "target-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a" - }, - "uuid": "c3a1969b-1edb-4a78-80ab-b122cc2822e4", - "value": "Group5 (G0043) uses Obfuscated Files or Information (T1027)" - }, - { - "meta": { - "source-uuid": "60c18d06-7b91-4742-bae3-647845cd9d81", - "target-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6" - }, - "uuid": "167e1e15-1fe1-4073-aac1-062557fdd79f", - "value": "CORESHELL (S0137) uses Standard Application Layer Protocol (T1071)" - }, - 
{ - "meta": { - "source-uuid": "60c18d06-7b91-4742-bae3-647845cd9d81", - "target-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc" - }, - "uuid": "dcc2c503-25dc-47bb-b9cb-35ce27e73cd2", - "value": "CORESHELL (S0137) uses Registry Run Keys / Start Folder (T1060)" - }, - { - "meta": { - "source-uuid": "92ec0cbd-2c30-44a2-b270-73f4ec949841", - "target-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc" - }, - "uuid": "37dd9a3c-dd52-4541-be7c-b490d026305c", - "value": "RTM (S0148) uses Registry Run Keys / Start Folder (T1060)" - }, - { - "meta": { - "source-uuid": "0bbdf25b-30ff-4894-a1cd-49260d0dd2d9", - "target-uuid": "84e02621-8fdf-470f-bd58-993bb6a89d91" - }, - "uuid": "1258536b-6cf4-4cfe-98c7-e9c1d30c5a34", - "value": "APT3 (G0022) uses Multi-Stage Channels (T1104)" - }, - { - "meta": { - "source-uuid": "5967cc93-57c9-404a-8ffd-097edfa7bdfc", - "target-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a" - }, - "uuid": "d0d74930-6b1d-4d1d-ba7f-60b93c114fd9", - "value": "Hi-Zor (S0087) uses Obfuscated Files or Information (T1027)" - }, - { - "meta": { - "source-uuid": "b96680d1-5eb3-4f07-b95c-00ab904ac236", - "target-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830" - }, - "uuid": "0c56b369-b665-4001-87ff-d27ae135cc64", - "value": "Pisloader (S0124) uses Command-Line Interface (T1059)" - }, - { - "meta": { - "source-uuid": "fb261c56-b80e-43a9-8351-c84081e7213d", - "target-uuid": "2e0dd10b-676d-4964-acd0-8a404c92b044" - }, - "uuid": "eb7a6a3f-cc88-4ed7-8421-4642c1eb1978", - "value": "BACKSPACE (S0031) uses Disabling Security Tools (T1089)" - }, - { - "meta": { - "source-uuid": "2a7914cf-dff3-428d-ab0f-1014d1c28aeb", - "target-uuid": "b9f5dbe2-4c55-4fc5-af2e-d42c1d182ec4" - }, - "uuid": "98229d5a-fce3-442e-91cf-7ec7b7994248", - "value": "FIN6 (G0037) uses Data Compressed (T1002)" - }, - { - "meta": { - "source-uuid": "1c63d4ec-0a75-4daa-b1df-0d11af3d3cc1", - "target-uuid": "10d51417-ee35-4589-b1ff-b6df1c334e8d" - }, - "uuid": "5e4ec089-c86d-4684-9783-af348d4aaa14", - "value": "Dragonfly 
(G0035) uses External Remote Services (T1133)" - }, - { - "meta": { - "source-uuid": "38fd6a28-3353-4f2b-bb2b-459fecd5c648", - "target-uuid": "10d51417-ee35-4589-b1ff-b6df1c334e8d" - }, - "uuid": "3b521f87-a77d-4c8d-8ab8-ffc6dbc3d62e", - "value": "APT18 (G0026) uses External Remote Services (T1133)" - }, - { - "meta": { - "source-uuid": "b6b3dfc7-9a81-43ff-ac04-698bad48973a", - "target-uuid": "cc7b8c4e-9be0-47ca-b0bb-83915ec3ee2f" - }, - "uuid": "4abcf209-1dab-435b-a347-b8ff318ac5d8", - "value": "Daserf (S0187) uses Data Encoding (T1132)" - }, - { - "meta": { - "source-uuid": "fb366179-766c-4a4a-afa1-52bff1fd601c", - "target-uuid": "242f3da3-4425-4d11-8f5c-b842886da966" - }, - "uuid": "fb6a8268-5a73-4ac0-8f61-439f472063d6", - "value": "Threat Group-3390 (G0027) uses Windows Credential Editor (S0005)" - }, - { - "meta": { - "source-uuid": "df71bb3b-813c-45eb-a8bc-f2a419837411", - "target-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22" - }, - "uuid": "a06bd922-b887-4134-81cb-1e4180cf5a5a", - "value": "Molerats (G0021) uses Credential Dumping (T1003)" - }, - { - "meta": { - "source-uuid": "2eb9b131-d333-4a48-9eb4-d8dec46c19ee", - "target-uuid": "30973a08-aed9-4edf-8604-9084ce1b5c4f" - }, - "uuid": "66625422-17cd-4b04-beb5-fa2eabe350ad", - "value": "CosmicDuke (S0050) uses Clipboard Data (T1115)" - }, - { - "meta": { - "source-uuid": "b35068ec-107a-4266-bda8-eb7036267aea", - "target-uuid": "7e150503-88e7-4861-866b-ff1ac82c4475" - }, - "uuid": "980e4dca-4d6b-4206-9c51-bff32c72a961", - "value": "nbtstat (S0102) uses System Network Connections Discovery (T1049)" - }, - { - "meta": { - "source-uuid": "1c63d4ec-0a75-4daa-b1df-0d11af3d3cc1", - "target-uuid": "083bb47b-02c8-4423-81a2-f9ef58572974" - }, - "uuid": "d4968f45-d06b-4843-8f72-6e08beb94cab", - "value": "Dragonfly (G0035) uses Backdoor.Oldrea (S0093)" - }, - { - "meta": { - "source-uuid": "894aab42-3371-47b1-8859-a4a074c804c8", - "target-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9" - }, - "uuid": 
"e362d1ad-5d36-4f6d-b2b0-63af2f5f08ff", - "value": "Stealth Falcon (G0038) uses Scheduled Task (T1053)" - }, - { - "meta": { - "source-uuid": "68dca94f-c11d-421e-9287-7c501108e18c", - "target-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6" - }, - "uuid": "8d0d938e-2e4c-49e8-9290-6bfb86161260", - "value": "Duqu (S0038) uses Standard Application Layer Protocol (T1071)" - }, - { - "meta": { - "source-uuid": "fb366179-766c-4a4a-afa1-52bff1fd601c", - "target-uuid": "b07c2c47-fefb-4d7c-a69e-6a3296171f54" - }, - "uuid": "3b6fc69c-9759-465a-b09c-a6161e4e2f56", - "value": "Threat Group-3390 (G0027) uses gsecdump (S0008)" - }, - { - "meta": { - "source-uuid": "fbb470da-1d44-4f29-bbb3-9efbe20f94a3", - "target-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc" - }, - "uuid": "5ab3897a-4f37-4b59-99ca-f39605cb1a35", - "value": "Mivast (S0080) uses Registry Run Keys / Start Folder (T1060)" - }, - { - "meta": { - "source-uuid": "7ecc3b4f-5cdb-457e-b55a-df376b359446", - "target-uuid": "7e150503-88e7-4861-866b-ff1ac82c4475" - }, - "uuid": "21ff06b5-022f-40bf-821b-3e08dc9f08a3", - "value": "Poseidon Group (G0033) uses System Network Connections Discovery (T1049)" - }, - { - "meta": { - "source-uuid": "196f1f32-e0c2-4d46-99cd-234d4b6befe1", - "target-uuid": "241814ae-de3f-4656-b49e-f9a80764d4b7" - }, - "uuid": "863c1d57-db93-49a9-a953-eb7c2d6b2e5b", - "value": "Felismus (S0171) uses Security Software Discovery (T1063)" - }, - { - "meta": { - "source-uuid": "f047ee18-7985-4946-8bfb-4ed754d3a0dd", - "target-uuid": "53cf6cc4-65aa-445a-bcf8-c3d296f8a7a2" - }, - "uuid": "a5015a35-a6a2-4289-8d79-79b583c23e63", - "value": "APT30 (G0013) uses NETEAGLE (S0034)" - }, - { - "meta": { - "source-uuid": "96b08451-b27a-4ff6-893f-790e26393a8e", - "target-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59" - }, - "uuid": "e2e91dcc-87b0-4ff8-a6cd-0dfd6a813483", - "value": "Sakula (S0074) uses File Deletion (T1107)" - }, - { - "meta": { - "source-uuid": "3753cc21-2dae-4dfb-8481-d004e74502cc", - "target-uuid": 
"a127c32c-cbb0-4f9d-be07-881a792408ec" - }, - "uuid": "9e77b81d-6298-4233-8baa-f419031a9d64", - "value": "FIN7 (G0046) uses Mshta (T1170)" - }, - { - "meta": { - "source-uuid": "2e290bfe-93b5-48ce-97d6-edcd6d32b7cf", - "target-uuid": "5f9f7648-04ba-4a9f-bb4c-2a13e74572bd" - }, - "uuid": "4f33536d-eb06-4eba-8765-4379e399f3b8", - "value": "Gamaredon Group (G0047) uses Pteranodon (S0147)" - }, - { - "meta": { - "source-uuid": "c93fccb1-e8e8-42cf-ae33-2ad1d183913a", - "target-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59" - }, - "uuid": "979812c4-939e-4a7e-96b3-348028db10ce", - "value": "Lazarus Group (G0032) uses File Deletion (T1107)" - }, - { - "meta": { - "source-uuid": "8e461ca3-0996-4e6e-a0df-e2a5bbc51ebc", - "target-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580" - }, - "uuid": "71ee5336-929a-41c7-bfbd-42a7208ca29d", - "value": "4H RAT (S0065) uses Process Discovery (T1057)" - }, - { - "meta": { - "source-uuid": "17862c7d-9e60-48a0-b48e-da4dc4c3f6b0", - "target-uuid": "6ff403bc-93e3-48be-8687-e102fdba8c88" - }, - "uuid": "891a97f1-d3e2-45ff-a079-43dcad21a175", - "value": "Patchwork (G0040) uses Software Packing (T1045)" - }, - { - "meta": { - "source-uuid": "f5352566-1a64-49ac-8f7f-97e1d1a03300", - "target-uuid": "7bc57495-ea59-4380-be31-a64af124ef18" - }, - "uuid": "3de749e5-353a-4bdc-8951-9e0fa387bc70", - "value": "AutoIt backdoor (S0129) uses File and Directory Discovery (T1083)" - }, - { - "meta": { - "source-uuid": "03342581-f790-4f03-ba41-e82e67392e23", - "target-uuid": "e7eab98d-ae11-4491-bd28-a53ba875865a" - }, - "uuid": "4e167937-d152-4c57-a7b7-e3b407470720", - "value": "Net (S0039) uses Network Share Connection Removal (T1126)" - }, - { - "meta": { - "source-uuid": "54cc1d4f-5c53-4f0e-9ef5-11b4998e82e4", - "target-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d" - }, - "uuid": "1a7d1db3-9383-4171-8938-382e9b0375c6", - "value": "BlackEnergy (S0089) uses Process Injection (T1055)" - }, - { - "meta": { - "source-uuid": "e8268361-a599-4e45-bd3f-71c8c7e700c0", - 
"target-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6" - }, - "uuid": "a45f37c0-da3f-4766-bdb2-4cc1f4bda04d", - "value": "httpclient (S0068) uses Standard Application Layer Protocol (T1071)" - }, - { - "meta": { - "source-uuid": "43b366a4-b5ff-4d4e-8a3b-f09a9d2faff5", - "target-uuid": "804c042c-cfe6-449e-bc1a-ba0a998a70db" - }, - "uuid": "143c0761-981a-4668-ab8a-9ba74cb58869", - "value": "Shared Webroot Mitigation (T1051) mitigates Shared Webroot (T1051)" - }, - { - "meta": { - "source-uuid": "98e8a977-3416-43aa-87fa-33e287e9c14c", - "target-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1" - }, - "uuid": "73fe447a-8d70-433f-be9a-5af74934a662", - "value": "WINDSHIELD (S0155) uses System Information Discovery (T1082)" - }, - { - "meta": { - "source-uuid": "bd2554b8-634f-4434-a986-9b49c29da2ae", - "target-uuid": "241814ae-de3f-4656-b49e-f9a80764d4b7" - }, - "uuid": "c0b07b4a-d421-4faa-8564-4cc89668afac", - "value": "Security Software Discovery Mitigation (T1063) mitigates Security Software Discovery (T1063)" - }, - { - "meta": { - "source-uuid": "00c3bfcb-99bd-4767-8c03-b08f585f5c8a", - "target-uuid": "62b8c999-dcc0-4755-bd69-09442d9359f5" - }, - "uuid": "1cbf5583-626a-4a24-bc59-f3b973752cee", - "value": "PowerDuke (S0139) uses Rundll32 (T1085)" - }, - { - "meta": { - "source-uuid": "68ba94ab-78b8-43e7-83e2-aed3466882c6", - "target-uuid": "01a5a209-b94c-450b-b7f9-946497d91055" - }, - "uuid": "ec6002c7-a2ca-4792-8dc4-0f0746768762", - "value": "APT34 (G0057) uses Windows Management Instrumentation (T1047)" - }, - { - "meta": { - "source-uuid": "c93fccb1-e8e8-42cf-ae33-2ad1d183913a", - "target-uuid": "fece06b7-d4b1-42cf-b81a-5323c917546e" - }, - "uuid": "216c15b0-3091-49f2-ba85-356d56265671", - "value": "Lazarus Group (G0032) uses FALLCHILL (S0181)" - }, - { - "meta": { - "source-uuid": "64fa0de0-6240-41f4-8638-f4ca7ed528fd", - "target-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896" - }, - "uuid": "4cb1a0d0-6276-4c2c-b299-c26c982e9e1e", - "value": "PlugX (S0013) uses Query 
Registry (T1012)" - }, - { - "meta": { - "source-uuid": "326af1cd-78e7-45b7-a326-125d2f7ef8f2", - "target-uuid": "c21d5a77-d422-4a69-acd7-2c53c1faa34b" - }, - "uuid": "d6c628b9-789a-416b-8abe-cd457e566346", - "value": "Crimson (S0115) uses Standard Non-Application Layer Protocol (T1095)" - }, - { - "meta": { - "source-uuid": "fde50aaa-f5de-4cb8-989a-babb57d6a704", - "target-uuid": "ffe742ed-9100-4686-9e00-c331da544787" - }, - "uuid": "e89d06bc-31f3-49c0-a555-360eeff7f7c6", - "value": "Net Crawler (S0056) uses Windows Admin Shares (T1077)" - }, - { - "meta": { - "source-uuid": "f108215f-3487-489d-be8b-80e346d32518", - "target-uuid": "dc27c2ec-c5f9-4228-ba57-d67b590bda93" - }, - "uuid": "f5acb12e-6d83-4628-9b1d-61f277a699b2", - "value": "Komplex (S0162) uses Hidden Files and Directories (T1158)" - }, - { - "meta": { - "source-uuid": "894aab42-3371-47b1-8859-a4a074c804c8", - "target-uuid": "f4882e23-8aa7-4b12-b28a-b349c12ee9e0" - }, - "uuid": "e2e33068-b08e-45fd-89e0-0cf79868f902", - "value": "Stealth Falcon (G0038) uses PowerShell (T1086)" - }, - { - "meta": { - "source-uuid": "da5880b4-f7da-4869-85f2-e0aba84b8565", - "target-uuid": "9b52fca7-1a36-4da0-b62d-da5bd83b4d69" - }, - "uuid": "64309b21-2dc2-4369-9c70-66f47f5c4b56", - "value": "ComRAT (S0126) uses Component Object Model Hijacking (T1122)" - }, - { - "meta": { - "source-uuid": "4a99fecc-680b-448e-8fe7-8144c60d272c", - "target-uuid": "a93494bb-4b80-4ea1-8695-3236a49916fd" - }, - "uuid": "cade3e14-aab4-4297-b77d-019d3ee0ccef", - "value": "Brute Force Mitigation (T1110) mitigates Brute Force (T1110)" - }, - { - "meta": { - "source-uuid": "876f6a77-fbc5-4e13-ab1a-5611986730a3", - "target-uuid": "b2001907-166b-4d71-bb3c-9d26c871de09" - }, - "uuid": "677f32ad-2aa1-4fe3-8dab-73494891aa4a", - "value": "T9000 (S0098) uses DLL Side-Loading (T1073)" - }, - { - "meta": { - "source-uuid": "876f6a77-fbc5-4e13-ab1a-5611986730a3", - "target-uuid": "d54416bd-0803-41ca-870a-ce1af7c05638" - }, - "uuid": 
"bb11119c-c409-4615-8c3f-8491749f2d3b", - "value": "T9000 (S0098) uses Data Encrypted (T1022)" - }, - { - "meta": { - "source-uuid": "bef4c620-0787-42a8-a96d-b7eb6e85917c", - "target-uuid": "2c4d4e92-0ccf-4a97-b54c-86d662988a53" - }, - "uuid": "d0560e25-020d-4cd6-b61c-5fc82a757edc", - "value": "APT28 (G0007) uses Office Application Startup (T1137)" - }, - { - "meta": { - "source-uuid": "69d6f4a9-fcf0-4f51-bca7-597c51ad0bb8", - "target-uuid": "c848fcf7-6b62-4bde-8216-b6c157d48da0" - }, - "uuid": "7ed59789-3b2d-4acf-9127-7af35234a373", - "value": "Remsec (S0125) uses Uncommonly Used Port (T1065)" - }, - { - "meta": { - "source-uuid": "4ca1929c-7d64-4aab-b849-badbfc0c760d", - "target-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c" - }, - "uuid": "67469b79-67e2-4932-9776-b09a82871723", - "value": "OilRig (G0049) uses Deobfuscate/Decode Files or Information (T1140)" - }, - { - "meta": { - "source-uuid": "16ade1aa-0ea1-4bb7-88cc-9079df2ae756", - "target-uuid": "4664b683-f578-434f-919b-1c1aad2a1111" - }, - "uuid": "d75ee2bd-801c-4521-8d70-f5e2d64c87f9", - "value": "admin@338 (G0018) uses netstat (S0104)" - }, - { - "meta": { - "source-uuid": "ab3580c8-8435-4117-aace-3d9fbe46aa56", - "target-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22" - }, - "uuid": "a76e4748-2cef-4ee6-96a3-53ee227f0333", - "value": "Unknown Logger (S0130) uses Credential Dumping (T1003)" - }, - { - "meta": { - "source-uuid": "c9cd7ec9-40b7-49db-80be-1399eddd9c52", - "target-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22" - }, - "uuid": "5c6b3fda-2eec-4c7a-af09-5f880f260085", - "value": "Cachedump (S0119) uses Credential Dumping (T1003)" - }, - { - "meta": { - "source-uuid": "2dd34b01-6110-4aac-835d-b5e7b936b0be", - "target-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6" - }, - "uuid": "cc065036-1b46-4f5c-935e-fb80bd3de7c7", - "value": "OLDBAIT (S0138) uses Standard Application Layer Protocol (T1071)" - }, - { - "meta": { - "source-uuid": "121b2863-5b97-4538-acb3-f8aae070ec13", - "target-uuid": 
"dd901512-6e37-4155-943b-453e3777b125" - }, - "uuid": "48b9ca0c-925b-4f6a-8f25-459b2489be7c", - "value": "Launch Agent Mitigation (T1159) mitigates Launch Agent (T1159)" - }, - { - "meta": { - "source-uuid": "59a97b15-8189-4d51-9404-e1ce8ea4a069", - "target-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6" - }, - "uuid": "785abba4-fdb4-4aad-9049-5a0c748cc965", - "value": "XAgentOSX (S0161) uses Standard Application Layer Protocol (T1071)" - }, - { - "meta": { - "source-uuid": "91000a8a-58cc-4aba-9ad0-993ad6302b86", - "target-uuid": "241814ae-de3f-4656-b49e-f9a80764d4b7" - }, - "uuid": "df7fb8f2-e7a6-4342-8d67-09655ceefead", - "value": "StreamEx (S0142) uses Security Software Discovery (T1063)" - }, - { - "meta": { - "source-uuid": "ae9d818d-95d0-41da-b045-9cabea1ca164", - "target-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1" - }, - "uuid": "7b29c94f-1834-42ac-933c-ae6cd125e87a", - "value": "PinchDuke (S0048) uses System Information Discovery (T1082)" - }, - { - "meta": { - "source-uuid": "afc079f3-c0ea-4096-b75d-3f05338b7f60", - "target-uuid": "a257ed11-ff3b-4216-8c9d-3938ef57064c" - }, - "uuid": "76037b22-a3e4-40d3-bd56-699d1ea4e97e", - "value": "Mimikatz (S0002) uses Pass the Ticket (T1097)" - }, - { - "meta": { - "source-uuid": "222fbd21-fc4f-4b7e-9f85-0e6e3a76c33f", - "target-uuid": "b9f5dbe2-4c55-4fc5-af2e-d42c1d182ec4" - }, - "uuid": "17262c58-2f41-41d2-a86a-5bc86642ddb4", - "value": "menuPass (G0045) uses Data Compressed (T1002)" - }, - { - "meta": { - "source-uuid": "4c59cce8-cb48-4141-b9f1-f646edfaadb0", - "target-uuid": "c21d5a77-d422-4a69-acd7-2c53c1faa34b" - }, - "uuid": "e7ac3ee3-a014-4b07-9bad-b93d3d1d0f4b", - "value": "Regin (S0019) uses Standard Non-Application Layer Protocol (T1095)" - }, - { - "meta": { - "source-uuid": "40d3e230-ed32-469f-ba89-be70cc08ab39", - "target-uuid": "d54416bd-0803-41ca-870a-ce1af7c05638" - }, - "uuid": "f4c6cb3f-b24c-4a1e-9bba-7b129b89a17a", - "value": "Agent.btz (S0092) uses Data Encrypted (T1022)" - }, - { - "meta": { - 
"source-uuid": "463f68f1-5cde-4dc2-a831-68b73488f8f4", - "target-uuid": "92d7da27-2d91-488e-a00c-059dc162766d" - }, - "uuid": "4ffcf69a-c7ef-46dc-add7-9093e454a67e", - "value": "MobileOrder (S0079) uses Exfiltration Over Command and Control Channel (T1041)" - }, - { - "meta": { - "source-uuid": "9ea525fa-b0a9-4dde-84f2-bcea0137b3c1", - "target-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59" - }, - "uuid": "761edf58-baad-4626-acca-a137c251b0e6", - "value": "MoonWind (S0149) uses File Deletion (T1107)" - }, - { - "meta": { - "source-uuid": "8ca6a5e0-aae5-49bc-8d07-f888c7dba9ea", - "target-uuid": "2c4d4e92-0ccf-4a97-b54c-86d662988a53" - }, - "uuid": "140b4bbc-68c6-474a-adae-9b2275471f13", - "value": "Office Application Startup Mitigation (T1137) mitigates Office Application Startup (T1137)" - }, - { - "meta": { - "source-uuid": "e48df773-7c95-4a4c-ba70-ea3d15900148", - "target-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1" - }, - "uuid": "396edbf6-41b5-4377-90b6-4967c24de7fb", - "value": "DownPaper (S0186) uses System Information Discovery (T1082)" - }, - { - "meta": { - "source-uuid": "a653431d-6a5e-4600-8ad3-609b5af57064", - "target-uuid": "03342581-f790-4f03-ba41-e82e67392e23" - }, - "uuid": "2df910df-37cc-4349-96c3-f938fa5a9054", - "value": "Deep Panda (G0009) uses Net (S0039)" - }, - { - "meta": { - "source-uuid": "0e18b800-906c-4e44-a143-b11c72b3448b", - "target-uuid": "731f4f55-b6d0-41d1-a7a9-072a66389aea" - }, - "uuid": "7cfafeb7-2662-4b65-8dfc-93db752f5e71", - "value": "FLIPSIDE (S0173) uses Connection Proxy (T1090)" - }, - { - "meta": { - "source-uuid": "3a476d83-43eb-4fad-9b75-b1febd834e3d", - "target-uuid": "a257ed11-ff3b-4216-8c9d-3938ef57064c" - }, - "uuid": "cb35f782-6fb4-4a0c-b549-8af99dbc57fd", - "value": "Pass the Ticket Mitigation (T1097) mitigates Pass the Ticket (T1097)" - }, - { - "meta": { - "source-uuid": "da987565-27b6-4b31-bbcd-74b909847116", - "target-uuid": "99709758-2b96-48f2-a68a-ad7fbd828091" - }, - "uuid": 
"c57efd0b-817e-45c2-9f11-e8e7ac11b44c", - "value": "Multiband Communication Mitigation (T1026) mitigates Multiband Communication (T1026)" - }, - { - "meta": { - "source-uuid": "7f8730af-f683-423f-9ee1-5f6875a80481", - "target-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1" - }, - "uuid": "550bf43e-53da-467e-affd-9f44ad668508", - "value": "Sys10 (S0060) uses System Information Discovery (T1082)" - }, - { - "meta": { - "source-uuid": "e48df773-7c95-4a4c-ba70-ea3d15900148", - "target-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830" - }, - "uuid": "ef318b23-1b8c-4c24-ad20-09c0977a73b3", - "value": "DownPaper (S0186) uses Command-Line Interface (T1059)" - }, - { - "meta": { - "source-uuid": "247cb30b-955f-42eb-97a5-a89fef69341e", - "target-uuid": "68f7e3a1-f09f-4164-9a62-16b648a0dd5a" - }, - "uuid": "dfcc52d8-4664-48c4-9e35-2be2cd649d93", - "value": "APT32 (G0050) uses Regsvr32 (T1117)" - }, - { - "meta": { - "source-uuid": "326af1cd-78e7-45b7-a326-125d2f7ef8f2", - "target-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580" - }, - "uuid": "84f40044-00a2-4015-be0d-1bb0107ef42b", - "value": "Crimson (S0115) uses Process Discovery (T1057)" - }, - { - "meta": { - "source-uuid": "326af1cd-78e7-45b7-a326-125d2f7ef8f2", - "target-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688" - }, - "uuid": "717d87d5-df97-48a9-8766-c9a947541e1d", - "value": "Crimson (S0115) uses Screen Capture (T1113)" - }, - { - "meta": { - "source-uuid": "d1acfbb3-647b-4723-9154-800ec119006e", - "target-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2" - }, - "uuid": "ae1600d0-8271-4709-a1a6-6fb62494fa23", - "value": "Sowbug (G0054) uses Input Capture (T1056)" - }, - { - "meta": { - "source-uuid": "166c0eca-02fd-424a-92c0-6b5106994d31", - "target-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688" - }, - "uuid": "7296e1e2-514d-4a6c-a1fe-18558a5e3b0f", - "value": "ZLib (S0086) uses Screen Capture (T1113)" - }, - { - "meta": { - "source-uuid": "f8dfbc54-b070-4224-b560-79aaa5f835bd", - "target-uuid": 
"4b74a1d4-b0e9-4ef1-93f1-14ecc6e2f5b5" - }, - "uuid": "ca8ed9e2-f7a6-4d54-b450-94c187b1f9b6", - "value": "H1N1 (S0132) uses Standard Cryptographic Protocol (T1032)" - }, - { - "meta": { - "source-uuid": "c416b28c-103b-4df1-909e-78089a7e0e5f", - "target-uuid": "92ec0cbd-2c30-44a2-b270-73f4ec949841" - }, - "uuid": "9755e169-0dd5-4bf5-a884-d50d31f33ad9", - "value": "RTM (G0048) uses RTM (S0148)" - }, - { - "meta": { - "source-uuid": "f6469191-1814-4dbe-a081-2a6daf83a10b", - "target-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580" - }, - "uuid": "03f30a17-095b-4656-a7db-87d98628dfd8", - "value": "Process Discovery Mitigation (T1057) mitigates Process Discovery (T1057)" - }, - { - "meta": { - "source-uuid": "166c0eca-02fd-424a-92c0-6b5106994d31", - "target-uuid": "b9f5dbe2-4c55-4fc5-af2e-d42c1d182ec4" - }, - "uuid": "32568a57-ff9c-42f5-9b60-0b78d7b0a7c0", - "value": "ZLib (S0086) uses Data Compressed (T1002)" - }, - { - "meta": { - "source-uuid": "f8dfbc54-b070-4224-b560-79aaa5f835bd", - "target-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830" - }, - "uuid": "4a419b18-5fb2-43a0-8c0a-6521b8d9de63", - "value": "H1N1 (S0132) uses Command-Line Interface (T1059)" - }, - { - "meta": { - "source-uuid": "f9d6633a-55e6-4adc-9263-6ae080421a13", - "target-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688" - }, - "uuid": "65f7704a-358a-464d-b09b-fee5dd96adf3", - "value": "Magic Hound (G0059) uses Screen Capture (T1113)" - }, - { - "meta": { - "source-uuid": "53cf6cc4-65aa-445a-bcf8-c3d296f8a7a2", - "target-uuid": "4b74a1d4-b0e9-4ef1-93f1-14ecc6e2f5b5" - }, - "uuid": "122e6f20-ab3b-4bf0-bef1-0372399bee7c", - "value": "NETEAGLE (S0034) uses Standard Cryptographic Protocol (T1032)" - }, - { - "meta": { - "source-uuid": "2a7914cf-dff3-428d-ab0f-1014d1c28aeb", - "target-uuid": "e3a12395-188d-4051-9a16-ea8e14d07b88" - }, - "uuid": "b1c49faa-0b6f-4a0e-85da-5ab8ddeab2ce", - "value": "FIN6 (G0037) uses Network Service Scanning (T1046)" - }, - { - "meta": { - "source-uuid": 
"92ec0cbd-2c30-44a2-b270-73f4ec949841", - "target-uuid": "30973a08-aed9-4edf-8604-9084ce1b5c4f" - }, - "uuid": "1e03e95c-1c9a-4fa8-9d6d-b5d244b06509", - "value": "RTM (S0148) uses Clipboard Data (T1115)" - }, - { - "meta": { - "source-uuid": "fb575479-14ef-41e9-bfab-0b7cf10bec73", - "target-uuid": "9b52fca7-1a36-4da0-b62d-da5bd83b4d69" - }, - "uuid": "075e7d33-8d5c-4016-9a24-dc6e61f56fcd", - "value": "ADVSTORESHELL (S0045) uses Component Object Model Hijacking (T1122)" - }, - { - "meta": { - "source-uuid": "17e919aa-4a49-445c-b103-dbb8df9e7351", - "target-uuid": "f4882e23-8aa7-4b12-b28a-b349c12ee9e0" - }, - "uuid": "89424d69-a426-4f76-9e7f-7b2dabe459be", - "value": "POWERSOURCE (S0145) uses PowerShell (T1086)" - }, - { - "meta": { - "source-uuid": "7343e208-7cab-45f2-a47b-41ba5e2f0fab", - "target-uuid": "f24faf46-3b26-4dbb-98f2-63460498e433" - }, - "uuid": "e97b39d6-7be1-4f59-8959-7f1f01402152", - "value": "XTunnel (S0117) uses Fallback Channels (T1008)" - }, - { - "meta": { - "source-uuid": "199463de-d9be-46d6-bb41-07234c1dd5a6", - "target-uuid": "72b74d71-8169-42aa-92e0-e7b04b9f5a08" - }, - "uuid": "2e69a835-6443-455e-8ff0-775bb8c823f1", - "value": "GeminiDuke (S0049) uses Account Discovery (T1087)" - }, - { - "meta": { - "source-uuid": "54cc1d4f-5c53-4f0e-9ef5-11b4998e82e4", - "target-uuid": "7e150503-88e7-4861-866b-ff1ac82c4475" - }, - "uuid": "5b2c87e3-8eac-48b3-832b-2290b367403d", - "value": "BlackEnergy (S0089) uses System Network Connections Discovery (T1049)" - }, - { - "meta": { - "source-uuid": "68ba94ab-78b8-43e7-83e2-aed3466882c6", - "target-uuid": "e3a12395-188d-4051-9a16-ea8e14d07b88" - }, - "uuid": "6a5bd9f5-f8ff-4eab-a4bc-edb2e098c47d", - "value": "APT34 (G0057) uses Network Service Scanning (T1046)" - }, - { - "meta": { - "source-uuid": "bcc91b8c-f104-4710-964e-1d5409666736", - "target-uuid": "c16e5409-ee53-4d79-afdc-4099dc9292df" - }, - "uuid": "38d4c148-6fe8-4703-94e5-1b79b1cf5b8c", - "value": "Web Shell Mitigation (T1100) mitigates Web Shell 
(T1100)" - }, - { - "meta": { - "source-uuid": "6b616fc1-1505-48e3-8b2c-0d19337bff38", - "target-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688" - }, - "uuid": "6184b127-47cf-43fc-880b-890554d9cc9a", - "value": "Rover (S0090) uses Screen Capture (T1113)" - }, - { - "meta": { - "source-uuid": "b96680d1-5eb3-4f07-b95c-00ab904ac236", - "target-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0" - }, - "uuid": "548e7315-5055-4434-96c1-1429779b0e2b", - "value": "Pisloader (S0124) uses System Network Configuration Discovery (T1016)" - }, - { - "meta": { - "source-uuid": "93f52415-0fe4-4d3d-896c-fc9b8e88ab90", - "target-uuid": "519630c5-f03f-4882-825c-3af924935817" - }, - "uuid": "cc13f316-0f88-4ed1-8790-b13bc35be119", - "value": "BRONZE BUTLER (G0060) uses Binary Padding (T1009)" - }, - { - "meta": { - "source-uuid": "2a158b0a-7ef8-43cb-9985-bf34d1e12050", - "target-uuid": "03342581-f790-4f03-ba41-e82e67392e23" - }, - "uuid": "0ef9bb79-c221-40a8-94b0-58bfc816565f", - "value": "Naikon (G0019) uses Net (S0039)" - }, - { - "meta": { - "source-uuid": "ad4f146f-e3ec-444a-ba71-24bffd7f0f8e", - "target-uuid": "4b74a1d4-b0e9-4ef1-93f1-14ecc6e2f5b5" - }, - "uuid": "c945e5f2-5622-46ce-8b35-468d41d2af46", - "value": "RIPTIDE (S0003) uses Standard Cryptographic Protocol (T1032)" - }, - { - "meta": { - "source-uuid": "68dca94f-c11d-421e-9287-7c501108e18c", - "target-uuid": "dcaa092b-7de9-4a21-977f-7fcb77e89c48" - }, - "uuid": "968610c5-7fa5-4840-b9bb-2f70eecd87fa", - "value": "Duqu (S0038) uses Access Token Manipulation (T1134)" - }, - { - "meta": { - "source-uuid": "4ca1929c-7d64-4aab-b849-badbfc0c760d", - "target-uuid": "7e150503-88e7-4861-866b-ff1ac82c4475" - }, - "uuid": "8edb0383-cae8-43ee-9241-b25e5068cc95", - "value": "OilRig (G0049) uses System Network Connections Discovery (T1049)" - }, - { - "meta": { - "source-uuid": "43213480-78f7-4fb3-976f-d48f5f6a4c2a", - "target-uuid": "7dd95ff6-712e-4056-9626-312ea4ab4c5e" - }, - "uuid": "e5728c4d-d404-44e8-9e28-3411942c5234", - "value": 
"FLASHFLOOD (S0036) uses Data Staged (T1074)" - }, - { - "meta": { - "source-uuid": "94379dec-5c87-49db-b36e-66abc0b81344", - "target-uuid": "f24faf46-3b26-4dbb-98f2-63460498e433" - }, - "uuid": "bd74b90d-ff9f-4ce3-96af-9b809fffc3da", - "value": "Derusbi (S0021) uses Fallback Channels (T1008)" - }, - { - "meta": { - "source-uuid": "68dca94f-c11d-421e-9287-7c501108e18c", - "target-uuid": "478aa214-2ca7-4ec0-9978-18798e514790" - }, - "uuid": "46660a8a-7724-4577-b09e-551a1ce61bfc", - "value": "Duqu (S0038) uses New Service (T1050)" - }, - { - "meta": { - "source-uuid": "aafea02e-ece5-4bb2-91a6-3bf8c7f38a39", - "target-uuid": "1c338d0f-a65e-4073-a5c1-c06878849f21" - }, - "uuid": "6c303446-f8d1-424c-b1ac-8c10f82d33d7", - "value": "Cobalt Strike (S0154) uses Process Hollowing (T1093)" - }, - { - "meta": { - "source-uuid": "ad4f146f-e3ec-444a-ba71-24bffd7f0f8e", - "target-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6" - }, - "uuid": "c4ce39f8-371c-45dd-a8d2-a411a6f0678d", - "value": "RIPTIDE (S0003) uses Standard Application Layer Protocol (T1071)" - }, - { - "meta": { - "source-uuid": "1cc934e4-b01d-4543-a011-b988dfc1a458", - "target-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9" - }, - "uuid": "d2560c35-b2f6-47d2-b573-236ef99894d5", - "value": "Matroyshka (S0167) uses Scheduled Task (T1053)" - }, - { - "meta": { - "source-uuid": "c93fccb1-e8e8-42cf-ae33-2ad1d183913a", - "target-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a" - }, - "uuid": "3afd226c-934f-44fd-8194-9a6dee5cba59", - "value": "Lazarus Group (G0032) uses Obfuscated Files or Information (T1027)" - }, - { - "meta": { - "source-uuid": "6713ab67-e25b-49cc-808d-2b36d4fbc35c", - "target-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5" - }, - "uuid": "8c763d80-4c50-4ebd-b2c6-3cad22c55bfa", - "value": "Ke3chang (G0004) uses Data from Local System (T1005)" - }, - { - "meta": { - "source-uuid": "199463de-d9be-46d6-bb41-07234c1dd5a6", - "target-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6" - }, - "uuid": 
"b5a1cf65-c128-4d2e-bd28-54514d1a3aae", - "value": "GeminiDuke (S0049) uses Standard Application Layer Protocol (T1071)" - }, - { - "meta": { - "source-uuid": "943d370b-2054-44df-8be2-ab4139bde1c5", - "target-uuid": "52d40641-c480-4ad5-81a3-c80ccaddf82d" - }, - "uuid": "758b6582-b988-4ab9-911e-e40c9bbebc2d", - "value": "Authentication Package Mitigation (T1131) mitigates Authentication Package (T1131)" - }, - { - "meta": { - "source-uuid": "16ade1aa-0ea1-4bb7-88cc-9079df2ae756", - "target-uuid": "72b74d71-8169-42aa-92e0-e7b04b9f5a08" - }, - "uuid": "c4962ae6-91e2-407d-9f42-aa0381574476", - "value": "admin@338 (G0018) uses Account Discovery (T1087)" - }, - { - "meta": { - "source-uuid": "1c63d4ec-0a75-4daa-b1df-0d11af3d3cc1", - "target-uuid": "3489cfc5-640f-4bb3-a103-9137b97de79f" - }, - "uuid": "1e1b566b-152a-4778-a03f-0ce94b72c5f2", - "value": "Dragonfly (G0035) uses Network Share Discovery (T1135)" - }, - { - "meta": { - "source-uuid": "e066bf86-9cfb-407a-9d25-26fd5d91e360", - "target-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59" - }, - "uuid": "b13fd1c9-a42c-45fc-9db8-1cd691740e0a", - "value": "HTTPBrowser (S0070) uses File Deletion (T1107)" - }, - { - "meta": { - "source-uuid": "9ca488bd-9587-48ef-b923-1743523e63b2", - "target-uuid": "7bc57495-ea59-4380-be31-a64af124ef18" - }, - "uuid": "c3ee174d-fd40-4636-97b2-afe80854f987", - "value": "SOUNDBITE (S0157) uses File and Directory Discovery (T1083)" - }, - { - "meta": { - "source-uuid": "ae41895a-243f-4a65-b99b-d85022326c31", - "target-uuid": "0db09158-6e48-4e7c-8ce7-2b10b9c0c039" - }, - "uuid": "c8253944-3a69-42e6-b36a-1c3defbb088e", - "value": "Dust Storm (G0031) uses Misdat (S0083)" - }, - { - "meta": { - "source-uuid": "bef4c620-0787-42a8-a96d-b7eb6e85917c", - "target-uuid": "60c18d06-7b91-4742-bae3-647845cd9d81" - }, - "uuid": "ba64e6d1-4deb-440a-a4eb-1c3476b6fb47", - "value": "APT28 (G0007) uses CORESHELL (S0137)" - }, - { - "meta": { - "source-uuid": "9ea525fa-b0a9-4dde-84f2-bcea0137b3c1", - "target-uuid": 
"f879d51c-5476-431c-aedf-f14d207e4d1e" - }, - "uuid": "2864eb81-71a5-4325-b42a-7a725f0c6887", - "value": "MoonWind (S0149) uses Commonly Used Port (T1043)" - }, - { - "meta": { - "source-uuid": "0db09158-6e48-4e7c-8ce7-2b10b9c0c039", - "target-uuid": "cc7b8c4e-9be0-47ca-b0bb-83915ec3ee2f" - }, - "uuid": "a12a471b-39b2-4abf-80d0-af88d5a4f038", - "value": "Misdat (S0083) uses Data Encoding (T1132)" - }, - { - "meta": { - "source-uuid": "cbf646f1-7db5-4dc6-808b-0094313949df", - "target-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add" - }, - "uuid": "800825f5-6e74-43ad-a732-476fdf471225", - "value": "CloudDuke (S0054) uses Remote File Copy (T1105)" - }, - { - "meta": { - "source-uuid": "72f54d66-675d-4587-9bd3-4ed09f9522e4", - "target-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6" - }, - "uuid": "210f5206-8763-48ac-a4c3-a08440892b5d", - "value": "Carbanak (S0030) uses Standard Application Layer Protocol (T1071)" - }, - { - "meta": { - "source-uuid": "0bbdf25b-30ff-4894-a1cd-49260d0dd2d9", - "target-uuid": "72b74d71-8169-42aa-92e0-e7b04b9f5a08" - }, - "uuid": "9a615c7f-986d-4769-bea6-af9ffe0d575e", - "value": "APT3 (G0022) uses Account Discovery (T1087)" - }, - { - "meta": { - "source-uuid": "f6d1d2cb-12f5-4221-9636-44606ea1f3f8", - "target-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1" - }, - "uuid": "7507eb37-407e-4428-b29f-da0bda3f7970", - "value": "OSInfo (S0165) uses System Information Discovery (T1082)" - }, - { - "meta": { - "source-uuid": "f047ee18-7985-4946-8bfb-4ed754d3a0dd", - "target-uuid": "8b880b41-5139-4807-baa9-309690218719" - }, - "uuid": "fca5a601-68fd-4b20-ad1e-0592cadecb73", - "value": "APT30 (G0013) uses SPACESHIP (S0035)" - }, - { - "meta": { - "source-uuid": "85403903-15e0-4f9f-9be4-a259ecad4022", - "target-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59" - }, - "uuid": "1ace08c6-0f1a-487d-92b2-6c61c2299270", - "value": "FIN5 (G0053) uses File Deletion (T1107)" - }, - { - "meta": { - "source-uuid": "fb575479-14ef-41e9-bfab-0b7cf10bec73", - "target-uuid": 
"7bc57495-ea59-4380-be31-a64af124ef18" - }, - "uuid": "7105ecea-8da8-4723-b717-ae9c3152cfdd", - "value": "ADVSTORESHELL (S0045) uses File and Directory Discovery (T1083)" - }, - { - "meta": { - "source-uuid": "fb575479-14ef-41e9-bfab-0b7cf10bec73", - "target-uuid": "348f1eef-964b-4eb6-bb53-69b3dcb0c643" - }, - "uuid": "a0f1273a-e422-4801-a911-e7cb223ebea2", - "value": "ADVSTORESHELL (S0045) uses Peripheral Device Discovery (T1120)" - }, - { - "meta": { - "source-uuid": "8901ac23-6b50-410c-b0dd-d8174a86f9b3", - "target-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0" - }, - "uuid": "5206976b-ac4d-4286-a954-4b1ef5c20adc", - "value": "Shamoon (S0140) uses System Network Configuration Discovery (T1016)" - }, - { - "meta": { - "source-uuid": "6a2e693f-24e5-451a-9f88-b36a108e5662", - "target-uuid": "2e45723a-31da-4a7e-aaa6-e01998a6788f" - }, - "uuid": "79cd2ec8-068c-4a7a-8133-1855381d3bd3", - "value": "APT1 (G0006) uses Tasklist (S0057)" - }, - { - "meta": { - "source-uuid": "f27ef4f2-71fe-48b6-b7f4-02dcac14320e", - "target-uuid": "56ff457d-5e39-492b-974c-dfd2b8603ffe" - }, - "uuid": "5718d7a3-c402-4816-92fb-4322094b84f8", - "value": "Private Keys Mitigation (T1145) mitigates Private Keys (T1145)" - }, - { - "meta": { - "source-uuid": "e1161124-f22e-487f-9d5f-ed8efc8dcd61", - "target-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0" - }, - "uuid": "4ffe2425-c971-45e5-9256-0b1a2bf63bbf", - "value": "Mis-Type (S0084) uses Masquerading (T1036)" - }, - { - "meta": { - "source-uuid": "93f52415-0fe4-4d3d-896c-fc9b8e88ab90", - "target-uuid": "afc079f3-c0ea-4096-b75d-3f05338b7f60" - }, - "uuid": "28471736-5b62-4132-b4ed-c22ae449b455", - "value": "BRONZE BUTLER (G0060) uses Mimikatz (S0002)" - }, - { - "meta": { - "source-uuid": "a60657fa-e2e7-4f8f-8128-a882534ae8c5", - "target-uuid": "b2001907-166b-4d71-bb3c-9d26c871de09" - }, - "uuid": "c1884e62-7b2e-45a1-89fd-c76b1b717f50", - "value": "OwaAuth (S0072) uses DLL Side-Loading (T1073)" - }, - { - "meta": { - "source-uuid": 
"e6ef745b-077f-42e1-a37d-29eecff9c754", - "target-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1" - }, - "uuid": "166c430d-0272-4dca-8d30-318cda0a0a63", - "value": "CozyCar (S0046) uses System Information Discovery (T1082)" - }, - { - "meta": { - "source-uuid": "54cc1d4f-5c53-4f0e-9ef5-11b4998e82e4", - "target-uuid": "e3a12395-188d-4051-9a16-ea8e14d07b88" - }, - "uuid": "47e4d006-2685-4628-a46b-f6d9066f3585", - "value": "BlackEnergy (S0089) uses Network Service Scanning (T1046)" - }, - { - "meta": { - "source-uuid": "bb3c1098-d654-4620-bf40-694386d28921", - "target-uuid": "3b3cbbe0-6ed3-4334-b543-3ddfd8c5642d" - }, - "uuid": "a00d3582-7c2d-45dc-8580-1de25356ae70", - "value": "FakeM (S0076) uses Custom Cryptographic Protocol (T1024)" - }, - { - "meta": { - "source-uuid": "b42378e0-f147-496f-992a-26a49705395b", - "target-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d" - }, - "uuid": "7d020981-51b3-4ff6-825f-7cd192c934e1", - "value": "PoisonIvy (S0012) uses Process Injection (T1055)" - }, - { - "meta": { - "source-uuid": "c93fccb1-e8e8-42cf-ae33-2ad1d183913a", - "target-uuid": "a93494bb-4b80-4ea1-8695-3236a49916fd" - }, - "uuid": "83ba5b2c-b3fd-4558-a3f8-cef4c31e02bd", - "value": "Lazarus Group (G0032) uses Brute Force (T1110)" - }, - { - "meta": { - "source-uuid": "17862c7d-9e60-48a0-b48e-da4dc4c3f6b0", - "target-uuid": "1c338d0f-a65e-4073-a5c1-c06878849f21" - }, - "uuid": "28139c5b-be96-44d2-8e54-425311d108d6", - "value": "Patchwork (G0040) uses Process Hollowing (T1093)" - }, - { - "meta": { - "source-uuid": "0bbdf25b-30ff-4894-a1cd-49260d0dd2d9", - "target-uuid": "b9f5dbe2-4c55-4fc5-af2e-d42c1d182ec4" - }, - "uuid": "b028b9a6-4031-4b56-8dd5-0bdd3c59dbec", - "value": "APT3 (G0022) uses Data Compressed (T1002)" - }, - { - "meta": { - "source-uuid": "92ec0cbd-2c30-44a2-b270-73f4ec949841", - "target-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580" - }, - "uuid": "f0cf3ea2-5345-48d7-9685-be0180eb0e4a", - "value": "RTM (S0148) uses Process Discovery (T1057)" - }, - { - "meta": 
{ - "source-uuid": "6a2e693f-24e5-451a-9f88-b36a108e5662", - "target-uuid": "b42378e0-f147-496f-992a-26a49705395b" - }, - "uuid": "47545d87-b0ae-45ae-aeea-dc849eac2f6f", - "value": "APT1 (G0006) uses PoisonIvy (S0012)" - }, - { - "meta": { - "source-uuid": "7a19ecb1-3c65-4de3-a230-993516aed6a6", - "target-uuid": "cde2d700-9ed1-46cf-9bce-07364fe8b24f" - }, - "uuid": "d0ed3128-67f0-43dd-b1d9-01843eb71b77", - "value": "Turla (G0010) uses Reg (S0075)" - }, - { - "meta": { - "source-uuid": "38fd6a28-3353-4f2b-bb2b-459fecd5c648", - "target-uuid": "9e2bba94-950b-4fcf-8070-cb3f816c5f4e" - }, - "uuid": "7dc4c8b9-a380-4dc0-9973-a8a2f8d0175c", - "value": "APT18 (G0026) uses hcdLoader (S0071)" - }, - { - "meta": { - "source-uuid": "eff1a885-6f90-42a1-901f-eef6e7a1905e", - "target-uuid": "7dd95ff6-712e-4056-9626-312ea4ab4c5e" - }, - "uuid": "9c7ecbf4-88fe-4144-8dc4-f5bca2c3156d", - "value": "Helminth (S0170) uses Data Staged (T1074)" - }, - { - "meta": { - "source-uuid": "5f9f7648-04ba-4a9f-bb4c-2a13e74572bd", - "target-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830" - }, - "uuid": "16632790-94dc-40ce-9c0a-2f6af0f691b1", - "value": "Pteranodon (S0147) uses Command-Line Interface (T1059)" - }, - { - "meta": { - "source-uuid": "fb366179-766c-4a4a-afa1-52bff1fd601c", - "target-uuid": "c3bce4f4-9795-46c6-976e-8676300bbc39" - }, - "uuid": "df8350d6-a7a7-421d-a9e8-64d7e0cc0653", - "value": "Threat Group-3390 (G0027) uses Windows Remote Management (T1028)" - }, - { - "meta": { - "source-uuid": "0bbdf25b-30ff-4894-a1cd-49260d0dd2d9", - "target-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1" - }, - "uuid": "b0791504-fc65-402b-bc47-bd96ed4abea1", - "value": "APT3 (G0022) uses System Information Discovery (T1082)" - }, - { - "meta": { - "source-uuid": "68ba94ab-78b8-43e7-83e2-aed3466882c6", - "target-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830" - }, - "uuid": "7e216050-e850-4591-a870-7148d4544642", - "value": "APT34 (G0057) uses Command-Line Interface (T1059)" - }, - { - "meta": { - 
"source-uuid": "58adaaa8-f1e8-4606-9a08-422e568461eb", - "target-uuid": "e358d692-23c0-4a31-9eb6-ecc13a8d7735" - }, - "uuid": "9ea25bfb-3e3a-42cb-8d2a-939169057806", - "value": "SHOTPUT (S0063) uses Remote System Discovery (T1018)" - }, - { - "meta": { - "source-uuid": "8901ac23-6b50-410c-b0dd-d8174a86f9b3", - "target-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a" - }, - "uuid": "59df5f14-e570-417e-8184-e8e7c6c1ea75", - "value": "Shamoon (S0140) uses Obfuscated Files or Information (T1027)" - }, - { - "meta": { - "source-uuid": "4f45dfeb-fe51-4df0-8db3-edf7dd0513fe", - "target-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22" - }, - "uuid": "f1d5a985-406e-4b03-9f55-2706a2adba92", - "value": "Fgdump (S0120) uses Credential Dumping (T1003)" - }, - { - "meta": { - "source-uuid": "ab3580c8-8435-4117-aace-3d9fbe46aa56", - "target-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104" - }, - "uuid": "1d3296a5-9a15-4bd9-a294-ee014348136c", - "value": "Unknown Logger (S0130) uses System Owner/User Discovery (T1033)" - }, - { - "meta": { - "source-uuid": "ed202147-4026-4330-b5bd-1e8dfa8cf7cc", - "target-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4" - }, - "uuid": "ff93eedd-e788-4541-9a9b-ccead3df0d13", - "value": "Modify Registry Mitigation (T1112) mitigates Modify Registry (T1112)" - }, - { - "meta": { - "source-uuid": "1c6bc7f3-d517-4971-aed4-8f939090846b", - "target-uuid": "1f47e2fd-fa77-4f2f-88ee-e85df308f125" - }, - "uuid": "05d3fd1d-6041-4395-906a-e3104a192e1c", - "value": "Port Monitors Mitigation (T1013) mitigates Port Monitors (T1013)" - }, - { - "meta": { - "source-uuid": "a653431d-6a5e-4600-8ad3-609b5af57064", - "target-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580" - }, - "uuid": "1fbf92c8-747b-4c0f-ab33-ce63cbff8197", - "value": "Deep Panda (G0009) uses Process Discovery (T1057)" - }, - { - "meta": { - "source-uuid": "f047ee18-7985-4946-8bfb-4ed754d3a0dd", - "target-uuid": "fb261c56-b80e-43a9-8351-c84081e7213d" - }, - "uuid": "9820c1e9-a414-4af1-a78c-aaf2cb164361", - "value": 
"APT30 (G0013) uses BACKSPACE (S0031)" - }, - { - "meta": { - "source-uuid": "1e4ef2c7-ee96-4484-9baa-3b5777561301", - "target-uuid": "5ad95aaa-49c1-4784-821d-2e83f47b079b" - }, - "uuid": "620ab17a-3e46-4083-82b0-aeff74d104cd", - "value": "AppleScript Mitigation (T1155) mitigates AppleScript (T1155)" - }, - { - "meta": { - "source-uuid": "ab3580c8-8435-4117-aace-3d9fbe46aa56", - "target-uuid": "3b744087-9945-4a6f-91e8-9dbceda417a4" - }, - "uuid": "291df761-474b-4c5f-a9bd-2aaef0f80d70", - "value": "Unknown Logger (S0130) uses Replication Through Removable Media (T1091)" - }, - { - "meta": { - "source-uuid": "d0415180-51e9-40ce-b57c-c332b0b441f2", - "target-uuid": "f4882e23-8aa7-4b12-b28a-b349c12ee9e0" - }, - "uuid": "1f8f6283-6004-4204-a54f-759e9c0519b1", - "value": "PowerShell Mitigation (T1086) mitigates PowerShell (T1086)" - }, - { - "meta": { - "source-uuid": "c47f937f-1022-4f42-8525-e7a4779a14cb", - "target-uuid": "ad4f146f-e3ec-444a-ba71-24bffd7f0f8e" - }, - "uuid": "d242dc5a-3969-498c-b7eb-5d850e7d384d", - "value": "APT12 (G0005) uses RIPTIDE (S0003)" - }, - { - "meta": { - "source-uuid": "4e6b9625-bbda-4d96-a652-b3bb45453f26", - "target-uuid": "54a649ff-439a-41a4-9856-8d144a2551ba" - }, - "uuid": "d6fd820e-09ea-494d-a5f7-9de4431a309d", - "value": "RemoteCMD (S0166) uses Remote Services (T1021)" - }, - { - "meta": { - "source-uuid": "bef4c620-0787-42a8-a96d-b7eb6e85917c", - "target-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81" - }, - "uuid": "7606ad11-1322-4b97-83b9-aaafaee02c07", - "value": "APT28 (G0007) uses Valid Accounts (T1078)" - }, - { - "meta": { - "source-uuid": "5f9f7648-04ba-4a9f-bb4c-2a13e74572bd", - "target-uuid": "62b8c999-dcc0-4755-bd69-09442d9359f5" - }, - "uuid": "a20b8e4c-330f-4e91-b4f6-e58e5800d690", - "value": "Pteranodon (S0147) uses Rundll32 (T1085)" - }, - { - "meta": { - "source-uuid": "d256cb63-b021-4b4a-bb6d-1b42eea179a3", - "target-uuid": "e3a12395-188d-4051-9a16-ea8e14d07b88" - }, - "uuid": "371d43af-ef68-4471-9db9-f2d40d2baefc", 
- "value": "Network Service Scanning Mitigation (T1046) mitigates Network Service Scanning (T1046)" - }, - { - "meta": { - "source-uuid": "1c63d4ec-0a75-4daa-b1df-0d11af3d3cc1", - "target-uuid": "ff6caf67-ea1f-4895-b80e-4bb0fc31c6db" - }, - "uuid": "397e4a59-23b1-47ef-9a57-9f401375b2cb", - "value": "Dragonfly (G0035) uses PsExec (S0029)" - }, - { - "meta": { - "source-uuid": "55033a4d-3ffe-46b2-99b4-2c1541e9ce1c", - "target-uuid": "5a63f900-5e7e-4928-a746-dd4558e1df71" - }, - "uuid": "e2e2d332-f27b-46fb-b48f-4ee1872b321f", - "value": "Carbanak (G0008) uses netsh (S0108)" - }, - { - "meta": { - "source-uuid": "5ce5392a-3a6c-4e07-9df3-9b6a9159ac45", - "target-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc" - }, - "uuid": "55120727-0b7f-4d6a-a881-d17bdc9c85ba", - "value": "Putter Panda (G0024) uses Registry Run Keys / Start Folder (T1060)" - }, - { - "meta": { - "source-uuid": "37cc7eb6-12e3-467b-82e8-f20f2cc73c69", - "target-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0" - }, - "uuid": "3caec960-fa9c-4b2f-80e4-6dd4471e26ba", - "value": "Prikormka (S0113) uses System Network Configuration Discovery (T1016)" - }, - { - "meta": { - "source-uuid": "e066bf86-9cfb-407a-9d25-26fd5d91e360", - "target-uuid": "b2001907-166b-4d71-bb3c-9d26c871de09" - }, - "uuid": "71ede2de-7e5f-49fa-ac07-9322ef4857ae", - "value": "HTTPBrowser (S0070) uses DLL Side-Loading (T1073)" - }, - { - "meta": { - "source-uuid": "f3bdec95-3d62-42d9-a840-29630f6cdc1a", - "target-uuid": "64fa0de0-6240-41f4-8638-f4ca7ed528fd" - }, - "uuid": "ee2739de-6829-4c73-b72b-91ba4b9fac5c", - "value": "DragonOK (G0017) uses PlugX (S0013)" - }, - { - "meta": { - "source-uuid": "6a0ef5d4-fc7c-4dda-85d7-592e4dbdc5d9", - "target-uuid": "7e150503-88e7-4861-866b-ff1ac82c4475" - }, - "uuid": "83ad6071-8874-49c9-98cd-0d493a8eeb07", - "value": "Sykipot (S0018) uses System Network Connections Discovery (T1049)" - }, - { - "meta": { - "source-uuid": "09b2cd76-c674-47cc-9f57-d2f2ad150a46", - "target-uuid": 
"707399d6-ab3e-4963-9315-d9d3818cd6a0" - }, - "uuid": "0bd2ee1a-6202-4ff5-9a42-4869a276a92c", - "value": "POWRUNER (S0184) uses System Network Configuration Discovery (T1016)" - }, - { - "meta": { - "source-uuid": "bb3c1098-d654-4620-bf40-694386d28921", - "target-uuid": "ad255bfe-a9e6-4b52-a258-8d3462abe842" - }, - "uuid": "d8c5b193-b49d-4c0e-a9da-072302ff47a0", - "value": "FakeM (S0076) uses Data Obfuscation (T1001)" - }, - { - "meta": { - "source-uuid": "cb7bcf6f-085f-41db-81ee-4b68481661b5", - "target-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add" - }, - "uuid": "bdd64378-e348-4156-8490-528392c6ea82", - "value": "CallMe (S0077) uses Remote File Copy (T1105)" - }, - { - "meta": { - "source-uuid": "dfb5fa9b-3051-4b97-8035-08f80aef945b", - "target-uuid": "7bc57495-ea59-4380-be31-a64af124ef18" - }, - "uuid": "922c214d-ad32-4490-bb3f-a4db73b718d5", - "value": "Psylo (S0078) uses File and Directory Discovery (T1083)" - }, - { - "meta": { - "source-uuid": "fb575479-14ef-41e9-bfab-0b7cf10bec73", - "target-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580" - }, - "uuid": "66819f02-7a22-4f21-8e4f-df24969e5567", - "value": "ADVSTORESHELL (S0045) uses Process Discovery (T1057)" - }, - { - "meta": { - "source-uuid": "5cbe0d3b-6fb1-471f-b591-4b192915116d", - "target-uuid": "e3a12395-188d-4051-9a16-ea8e14d07b88" - }, - "uuid": "9b360cf4-4600-4ea8-a28c-99d91e0d1734", - "value": "Suckfly (G0039) uses Network Service Scanning (T1046)" - }, - { - "meta": { - "source-uuid": "e6ef745b-077f-42e1-a37d-29eecff9c754", - "target-uuid": "830c9528-df21-472c-8c14-a036bf17d665" - }, - "uuid": "233d1a32-f826-4705-a535-806edee8a5aa", - "value": "CozyCar (S0046) uses Web Service (T1102)" - }, - { - "meta": { - "source-uuid": "d1acfbb3-647b-4723-9154-800ec119006e", - "target-uuid": "196f1f32-e0c2-4d46-99cd-234d4b6befe1" - }, - "uuid": "b2496438-9431-40e5-8ca0-2ec713f342c3", - "value": "Sowbug (G0054) uses Felismus (S0171)" - }, - { - "meta": { - "source-uuid": "2fb26586-2b53-4b9a-ad4f-2b3bcb9a2421", - 
"target-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104" - }, - "uuid": "0df8e968-716a-4de9-9669-862af62d6eb6", - "value": "SslMM (S0058) uses System Owner/User Discovery (T1033)" - }, - { - "meta": { - "source-uuid": "bef4c620-0787-42a8-a96d-b7eb6e85917c", - "target-uuid": "1b7ba276-eedc-4951-a762-0ceea2c030ec" - }, - "uuid": "78e8d9e6-48b7-473f-af94-43f626de7931", - "value": "APT28 (G0007) uses Data from Removable Media (T1025)" - }, - { - "meta": { - "source-uuid": "3e7018e9-7389-48e7-9208-0bdbcbba9483", - "target-uuid": "d3046a90-580c-4004-8208-66915bc29830" - }, - "uuid": "02f28dfb-4e72-47e2-a390-2ec3fa67d26d", - "value": "Clear Command History Mitigation (T1146) mitigates Clear Command History (T1146)" - }, - { - "meta": { - "source-uuid": "f108215f-3487-489d-be8b-80e346d32518", - "target-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6" - }, - "uuid": "cdca2bdf-a29b-45d5-90ff-17ab56b094a4", - "value": "Komplex (S0162) uses Standard Application Layer Protocol (T1071)" - }, - { - "meta": { - "source-uuid": "09b2cd76-c674-47cc-9f57-d2f2ad150a46", - "target-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580" - }, - "uuid": "408db284-4c7a-4ad4-8399-90a8102b4bfa", - "value": "POWRUNER (S0184) uses Process Discovery (T1057)" - }, - { - "meta": { - "source-uuid": "f108215f-3487-489d-be8b-80e346d32518", - "target-uuid": "dd901512-6e37-4155-943b-453e3777b125" - }, - "uuid": "6c879d75-7f07-44ff-9801-815a549cdc44", - "value": "Komplex (S0162) uses Launch Agent (T1159)" - }, - { - "meta": { - "source-uuid": "6a2e693f-24e5-451a-9f88-b36a108e5662", - "target-uuid": "f2e8c7a1-cae1-45c4-baf0-6f21bdcbb2c2" - }, - "uuid": "324a5331-cce7-4154-a803-ad68d5de1f94", - "value": "APT1 (G0006) uses GLOOXMAIL (S0026)" - }, - { - "meta": { - "source-uuid": "a569295c-a093-4db4-9fb4-7105edef85ad", - "target-uuid": "3b3cbbe0-6ed3-4334-b543-3ddfd8c5642d" - }, - "uuid": "442aa7b4-00a0-4d73-ae61-5a09c319ac1c", - "value": "Custom Cryptographic Protocol Mitigation (T1024) mitigates Custom Cryptographic 
Protocol (T1024)" - }, - { - "meta": { - "source-uuid": "326af1cd-78e7-45b7-a326-125d2f7ef8f2", - "target-uuid": "1608f3e1-598a-42f4-a01a-2e252e81728f" - }, - "uuid": "892ff1d1-3da9-489e-89c3-374ab07a417b", - "value": "Crimson (S0115) uses Email Collection (T1114)" - }, - { - "meta": { - "source-uuid": "326af1cd-78e7-45b7-a326-125d2f7ef8f2", - "target-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add" - }, - "uuid": "a0186caf-482a-4f2a-bf2f-cac9fc51244a", - "value": "Crimson (S0115) uses Remote File Copy (T1105)" - }, - { - "meta": { - "source-uuid": "eff1a885-6f90-42a1-901f-eef6e7a1905e", - "target-uuid": "30973a08-aed9-4edf-8604-9084ce1b5c4f" - }, - "uuid": "a58983e1-45d7-4b45-a578-307659a619dc", - "value": "Helminth (S0170) uses Clipboard Data (T1115)" - }, - { - "meta": { - "source-uuid": "0db09158-6e48-4e7c-8ce7-2b10b9c0c039", - "target-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0" - }, - "uuid": "01ab8fee-5204-40c1-ac7a-b11a5683a87d", - "value": "Misdat (S0083) uses Masquerading (T1036)" - }, - { - "meta": { - "source-uuid": "66b1dcde-17a0-4c7b-95fa-b08d430c2131", - "target-uuid": "cc7b8c4e-9be0-47ca-b0bb-83915ec3ee2f" - }, - "uuid": "813e4416-bee6-4192-a712-6b5f80a7fff3", - "value": "S-Type (S0085) uses Data Encoding (T1132)" - }, - { - "meta": { - "source-uuid": "ff6840c9-4c87-4d07-bbb6-9f50aa33d498", - "target-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688" - }, - "uuid": "7ba62129-a4ba-42b4-9971-4a650682cb52", - "value": "Flame (S0143) uses Screen Capture (T1113)" - }, - { - "meta": { - "source-uuid": "0bbdf25b-30ff-4894-a1cd-49260d0dd2d9", - "target-uuid": "c21d5a77-d422-4a69-acd7-2c53c1faa34b" - }, - "uuid": "df4b49f1-71ca-4744-8554-47bf36174d89", - "value": "APT3 (G0022) uses Standard Non-Application Layer Protocol (T1095)" - }, - { - "meta": { - "source-uuid": "399d9038-b100-43ef-b28d-a5065106b935", - "target-uuid": "c21d5a77-d422-4a69-acd7-2c53c1faa34b" - }, - "uuid": "aa80b239-dc67-4883-adfd-6a10e96c18c6", - "value": "Standard Non-Application Layer 
Protocol Mitigation (T1095) mitigates Standard Non-Application Layer Protocol (T1095)" - }, - { - "meta": { - "source-uuid": "bef4c620-0787-42a8-a96d-b7eb6e85917c", - "target-uuid": "dcaa092b-7de9-4a21-977f-7fcb77e89c48" - }, - "uuid": "b719d37b-8f0e-4704-b21d-8977a5c7cceb", - "value": "APT28 (G0007) uses Access Token Manipulation (T1134)" - }, - { - "meta": { - "source-uuid": "af2ad3b7-ab6a-4807-91fd-51bcaff9acbb", - "target-uuid": "774a3188-6ba9-4dc4-879d-d54ee48a5ce9" - }, - "uuid": "ae8a95fa-c0ad-40b4-a573-a9441ed94fab", - "value": "USBStealer (S0136) uses Automated Exfiltration (T1020)" - }, - { - "meta": { - "source-uuid": "fde50aaa-f5de-4cb8-989a-babb57d6a704", - "target-uuid": "a93494bb-4b80-4ea1-8695-3236a49916fd" - }, - "uuid": "2355c588-ff82-4eaf-82db-54af59ede582", - "value": "Net Crawler (S0056) uses Brute Force (T1110)" - }, - { - "meta": { - "source-uuid": "94379dec-5c87-49db-b36e-66abc0b81344", - "target-uuid": "c21d5a77-d422-4a69-acd7-2c53c1faa34b" - }, - "uuid": "c52eb151-c8c5-45f1-984b-d99a12ca05cf", - "value": "Derusbi (S0021) uses Standard Non-Application Layer Protocol (T1095)" - }, - { - "meta": { - "source-uuid": "899ce53f-13a0-479b-a0e4-67d46e241542", - "target-uuid": "65370d0b-3bd4-4653-8cf9-daf56f6be830" - }, - "uuid": "0e0197fe-eca5-4d70-bf72-2d9092bc777b", - "value": "APT29 (G0016) uses meek (S0175)" - }, - { - "meta": { - "source-uuid": "c0c45d38-fe57-4cd4-b2b2-9ecd0ddd4ca9", - "target-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2" - }, - "uuid": "d8f5283b-fe44-4206-8a7d-393d216beb7e", - "value": "TinyZBot (S0004) uses Input Capture (T1056)" - }, - { - "meta": { - "source-uuid": "92ec0cbd-2c30-44a2-b270-73f4ec949841", - "target-uuid": "62b8c999-dcc0-4755-bd69-09442d9359f5" - }, - "uuid": "b258b8da-ddd2-4f0e-b5da-83a89f018d54", - "value": "RTM (S0148) uses Rundll32 (T1085)" - }, - { - "meta": { - "source-uuid": "03342581-f790-4f03-ba41-e82e67392e23", - "target-uuid": "15dbf668-795c-41e6-8219-f0447c0e64ce" - }, - "uuid": 
"75f7d0e0-b1e9-4289-8895-d8a262930523", - "value": "Net (S0039) uses Permission Groups Discovery (T1069)" - }, - { - "meta": { - "source-uuid": "09b2cd76-c674-47cc-9f57-d2f2ad150a46", - "target-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104" - }, - "uuid": "5183147b-4563-4a01-a360-a419691e35f8", - "value": "POWRUNER (S0184) uses System Owner/User Discovery (T1033)" - }, - { - "meta": { - "source-uuid": "8901ac23-6b50-410c-b0dd-d8174a86f9b3", - "target-uuid": "f3c544dc-673c-4ef3-accb-53229f1ae077" - }, - "uuid": "0024d82d-97ea-4dc5-81a1-8738862e1f3b", - "value": "Shamoon (S0140) uses System Time Discovery (T1124)" - }, - { - "meta": { - "source-uuid": "68dca94f-c11d-421e-9287-7c501108e18c", - "target-uuid": "4ae4f953-fe58-4cc8-a327-33257e30a830" - }, - "uuid": "bbc31a33-f55f-43d4-a3fd-23426c5fc638", - "value": "Duqu (S0038) uses Application Window Discovery (T1010)" - }, - { - "meta": { - "source-uuid": "92ec0cbd-2c30-44a2-b270-73f4ec949841", - "target-uuid": "3b3cbbe0-6ed3-4334-b543-3ddfd8c5642d" - }, - "uuid": "87fb2671-e71a-4630-bde2-67e546fdeaa6", - "value": "RTM (S0148) uses Custom Cryptographic Protocol (T1024)" - }, - { - "meta": { - "source-uuid": "0ced8926-914e-4c78-bc93-356fb90dbd1f", - "target-uuid": "01a5a209-b94c-450b-b7f9-946497d91055" - }, - "uuid": "77ea5d03-715b-4247-8484-6c1cf2bc7984", - "value": "HALFBAKED (S0151) uses Windows Management Instrumentation (T1047)" - }, - { - "meta": { - "source-uuid": "c1676218-c16a-41c9-8f7a-023779916e39", - "target-uuid": "7e150503-88e7-4861-866b-ff1ac82c4475" - }, - "uuid": "b6f00052-49e3-48c5-8f5e-492be4e67acf", - "value": "System Network Connections Discovery Mitigation (T1049) mitigates System Network Connections Discovery (T1049)" - }, - { - "meta": { - "source-uuid": "4ca1929c-7d64-4aab-b849-badbfc0c760d", - "target-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22" - }, - "uuid": "0fa0f5d6-be0b-4a48-938c-6d9bb8b1a170", - "value": "OilRig (G0049) uses Credential Dumping (T1003)" - }, - { - "meta": { - 
"source-uuid": "85403903-15e0-4f9f-9be4-a259ecad4022", - "target-uuid": "6aabc5ec-eae6-422c-8311-38d45ee9838a" - }, - "uuid": "11f6ad22-0293-47bd-95d1-34bf4ee1de9e", - "value": "FIN5 (G0053) uses Redundant Access (T1108)" - }, - { - "meta": { - "source-uuid": "624d063d-cda8-4616-b4e4-54c04e427aec", - "target-uuid": "bb0e0cb5-f3e4-4118-a4cb-6bf13bfbc9f2" - }, - "uuid": "e8c25f99-67f0-4aae-aeee-55e5bcea2d8e", - "value": "Netsh Helper DLL Mitigation (T1128) mitigates Netsh Helper DLL (T1128)" - }, - { - "meta": { - "source-uuid": "53cf6cc4-65aa-445a-bcf8-c3d296f8a7a2", - "target-uuid": "c21d5a77-d422-4a69-acd7-2c53c1faa34b" - }, - "uuid": "b41abaa3-a21f-4d2c-9c60-c90c4f360b00", - "value": "NETEAGLE (S0034) uses Standard Non-Application Layer Protocol (T1095)" - }, - { - "meta": { - "source-uuid": "69d6f4a9-fcf0-4f51-bca7-597c51ad0bb8", - "target-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0" - }, - "uuid": "48b75b8b-5bef-4f99-baa8-5fa978d371d2", - "value": "Remsec (S0125) uses Masquerading (T1036)" - }, - { - "meta": { - "source-uuid": "03342581-f790-4f03-ba41-e82e67392e23", - "target-uuid": "3489cfc5-640f-4bb3-a103-9137b97de79f" - }, - "uuid": "3b5d1788-c59b-4e84-97b0-b109df608619", - "value": "Net (S0039) uses Network Share Discovery (T1135)" - }, - { - "meta": { - "source-uuid": "17b40f60-729f-4fe8-8aea-cc9ee44a95d5", - "target-uuid": "4b74a1d4-b0e9-4ef1-93f1-14ecc6e2f5b5" - }, - "uuid": "b94e707d-b2f8-4b68-acac-44d3777dd93f", - "value": "RedLeaves (S0153) uses Standard Cryptographic Protocol (T1032)" - }, - { - "meta": { - "source-uuid": "6713ab67-e25b-49cc-808d-2b36d4fbc35c", - "target-uuid": "ffe742ed-9100-4686-9e00-c331da544787" - }, - "uuid": "42d2f816-9db2-47bf-9481-3065d038725d", - "value": "Ke3chang (G0004) uses Windows Admin Shares (T1077)" - }, - { - "meta": { - "source-uuid": "aafea02e-ece5-4bb2-91a6-3bf8c7f38a39", - "target-uuid": "f879d51c-5476-431c-aedf-f14d207e4d1e" - }, - "uuid": "8924eb12-0841-48ca-9d36-69de932b1f21", - "value": "Cobalt Strike 
(S0154) uses Commonly Used Port (T1043)" - }, - { - "meta": { - "source-uuid": "2a158b0a-7ef8-43cb-9985-bf34d1e12050", - "target-uuid": "7f8730af-f683-423f-9ee1-5f6875a80481" - }, - "uuid": "956303a4-558c-433d-bc2f-28a7e69192ae", - "value": "Naikon (G0019) uses Sys10 (S0060)" - }, - { - "meta": { - "source-uuid": "a60657fa-e2e7-4f8f-8128-a882534ae8c5", - "target-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0" - }, - "uuid": "1088fc27-2de5-4b73-83fd-6741ab3ff4d6", - "value": "OwaAuth (S0072) uses Masquerading (T1036)" - }, - { - "meta": { - "source-uuid": "3cab1b76-2f40-4cd0-8d2c-7ed16eeb909c", - "target-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580" - }, - "uuid": "771c349e-1b23-41ea-bcab-59bdbd6c935f", - "value": "ELMER (S0064) uses Process Discovery (T1057)" - }, - { - "meta": { - "source-uuid": "09b2cd76-c674-47cc-9f57-d2f2ad150a46", - "target-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9" - }, - "uuid": "ea5f9e1f-68fb-46dd-9e09-f66066808d0c", - "value": "POWRUNER (S0184) uses Scheduled Task (T1053)" - }, - { - "meta": { - "source-uuid": "bef4c620-0787-42a8-a96d-b7eb6e85917c", - "target-uuid": "64196062-5210-42c3-9a02-563a0d1797ef" - }, - "uuid": "c569059f-8a7d-4777-a111-d3ab62d178ca", - "value": "APT28 (G0007) uses Communication Through Removable Media (T1092)" - }, - { - "meta": { - "source-uuid": "98e8a977-3416-43aa-87fa-33e287e9c14c", - "target-uuid": "c21d5a77-d422-4a69-acd7-2c53c1faa34b" - }, - "uuid": "1984ba26-2309-49db-8c42-75951d0ef678", - "value": "WINDSHIELD (S0155) uses Standard Non-Application Layer Protocol (T1095)" - }, - { - "meta": { - "source-uuid": "da5880b4-f7da-4869-85f2-e0aba84b8565", - "target-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6" - }, - "uuid": "1782abeb-8d28-42a1-8abe-c137f23b282c", - "value": "ComRAT (S0126) uses Standard Application Layer Protocol (T1071)" - }, - { - "meta": { - "source-uuid": "63c2a130-8a5b-452f-ad96-07cf0af12ffe", - "target-uuid": "241814ae-de3f-4656-b49e-f9a80764d4b7" - }, - "uuid": 
"17f9d6c8-f938-4532-b834-3834655911b8", - "value": "Dyre (S0024) uses Security Software Discovery (T1063)" - }, - { - "meta": { - "source-uuid": "c9703cd3-141c-43a0-a926-380082be5d04", - "target-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9" - }, - "uuid": "eeeac3c6-78d1-4506-a9a9-2518d0c6e500", - "value": "schtasks (S0111) uses Scheduled Task (T1053)" - }, - { - "meta": { - "source-uuid": "e6ef745b-077f-42e1-a37d-29eecff9c754", - "target-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9" - }, - "uuid": "ae38c68d-cc08-4460-9d98-ddf957f837e2", - "value": "CozyCar (S0046) uses Scheduled Task (T1053)" - }, - { - "meta": { - "source-uuid": "7a19ecb1-3c65-4de3-a230-993516aed6a6", - "target-uuid": "b35068ec-107a-4266-bda8-eb7036267aea" - }, - "uuid": "1ab3f63b-bd80-4e4c-8f62-79f26b9724ab", - "value": "Turla (G0010) uses nbtstat (S0102)" - }, - { - "meta": { - "source-uuid": "8bd1ae32-a686-48f4-a6f8-470287f76152", - "target-uuid": "30208d3e-0d6b-43c8-883e-44462a514619" - }, - "uuid": "fa04ac7f-206f-42ad-b0c7-499e57bc99ce", - "value": "Automated Collection Mitigation (T1119) mitigates Automated Collection (T1119)" - }, - { - "meta": { - "source-uuid": "c93fccb1-e8e8-42cf-ae33-2ad1d183913a", - "target-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830" - }, - "uuid": "de376ec3-0fad-4c41-944d-2d74cee6968c", - "value": "Lazarus Group (G0032) uses Command-Line Interface (T1059)" - }, - { - "meta": { - "source-uuid": "8a61f6b9-6b7a-4cf2-8e08-f1e26434f6df", - "target-uuid": "91ce1ede-107f-4d8b-bf4c-735e8789c94b" - }, - "uuid": "67bde2b2-49d1-4a61-8fe7-1a48c58089e6", - "value": "Input Prompt Mitigation (T1141) mitigates Input Prompt (T1141)" - }, - { - "meta": { - "source-uuid": "a8d3d497-2da9-4797-8e0b-ed176be08654", - "target-uuid": "241814ae-de3f-4656-b49e-f9a80764d4b7" - }, - "uuid": "b1371fd9-1bfd-40b2-90a2-4876d89029bf", - "value": "Wingbird (S0176) uses Security Software Discovery (T1063)" - }, - { - "meta": { - "source-uuid": "ab3580c8-8435-4117-aace-3d9fbe46aa56", - "target-uuid": 
"2e0dd10b-676d-4964-acd0-8a404c92b044" - }, - "uuid": "fb1ff794-8060-42c8-8969-b6660b07068f", - "value": "Unknown Logger (S0130) uses Disabling Security Tools (T1089)" - }, - { - "meta": { - "source-uuid": "68ba94ab-78b8-43e7-83e2-aed3466882c6", - "target-uuid": "eff1a885-6f90-42a1-901f-eef6e7a1905e" - }, - "uuid": "ce288414-89f3-40d4-9a85-004d8a064eb4", - "value": "APT34 (G0057) uses Helminth (S0170)" - }, - { - "meta": { - "source-uuid": "4b62ab58-c23b-4704-9c15-edd568cd59f8", - "target-uuid": "6856ddd6-2df3-4379-8b87-284603c189c3" - }, - "uuid": "6ab0ff01-1695-4301-ac9a-1cd0719be532", - "value": "Hacking Team UEFI Rootkit (S0047) uses System Firmware (T1019)" - }, - { - "meta": { - "source-uuid": "68dca94f-c11d-421e-9287-7c501108e18c", - "target-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580" - }, - "uuid": "3b0a7f6a-173f-41e6-8dec-2d1b4a0851d9", - "value": "Duqu (S0038) uses Process Discovery (T1057)" - }, - { - "meta": { - "source-uuid": "91000a8a-58cc-4aba-9ad0-993ad6302b86", - "target-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1" - }, - "uuid": "788ca56e-1194-4c5f-a12b-72678390f1ef", - "value": "StreamEx (S0142) uses System Information Discovery (T1082)" - }, - { - "meta": { - "source-uuid": "39706d54-0d06-4a25-816a-78cc43455100", - "target-uuid": "1b7ba276-eedc-4951-a762-0ceea2c030ec" - }, - "uuid": "bb283a5e-7d61-4b33-aa30-e7c2f0bacbe6", - "value": "Data from Removable Media Mitigation (T1025) mitigates Data from Removable Media (T1025)" - }, - { - "meta": { - "source-uuid": "d519164e-f5fa-4b8c-a1fb-cf0172ad0983", - "target-uuid": "ffe742ed-9100-4686-9e00-c331da544787" - }, - "uuid": "0512a63b-58c8-4b0c-b2b4-e4da562cee5f", - "value": "Threat Group-1314 (G0028) uses Windows Admin Shares (T1077)" - }, - { - "meta": { - "source-uuid": "8901ac23-6b50-410c-b0dd-d8174a86f9b3", - "target-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9" - }, - "uuid": "8dd9d97d-0eb1-4e17-94ac-5589db51f878", - "value": "Shamoon (S0140) uses Scheduled Task (T1053)" - }, - { - "meta": { - 
"source-uuid": "76abb3ef-dafd-4762-97cb-a35379429db4", - "target-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59" - }, - "uuid": "85c95ce3-8685-4d2a-9d6f-7e4be4cd9623", - "value": "Gazer (S0168) uses File Deletion (T1107)" - }, - { - "meta": { - "source-uuid": "2c3ce852-06a2-40ee-8fe6-086f6402a739", - "target-uuid": "4be89c7c-ace6-4876-9377-c8d54cef3d63" - }, - "uuid": "4aecd118-a823-4859-9245-90155a0bbe11", - "value": "Hypervisor Mitigation (T1062) mitigates Hypervisor (T1062)" - }, - { - "meta": { - "source-uuid": "5967cc93-57c9-404a-8ffd-097edfa7bdfc", - "target-uuid": "68f7e3a1-f09f-4164-9a62-16b648a0dd5a" - }, - "uuid": "ecb0d858-dd15-4181-b15b-76459db1d294", - "value": "Hi-Zor (S0087) uses Regsvr32 (T1117)" - }, - { - "meta": { - "source-uuid": "7ecc3b4f-5cdb-457e-b55a-df376b359446", - "target-uuid": "f4882e23-8aa7-4b12-b28a-b349c12ee9e0" - }, - "uuid": "e2ce90d2-7470-4f2d-a86c-f429b934ab35", - "value": "Poseidon Group (G0033) uses PowerShell (T1086)" - }, - { - "meta": { - "source-uuid": "58adaaa8-f1e8-4606-9a08-422e568461eb", - "target-uuid": "7e150503-88e7-4861-866b-ff1ac82c4475" - }, - "uuid": "a5efdeb3-10db-4e40-b8cd-61dee7d72cc0", - "value": "SHOTPUT (S0063) uses System Network Connections Discovery (T1049)" - }, - { - "meta": { - "source-uuid": "76abb3ef-dafd-4762-97cb-a35379429db4", - "target-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9" - }, - "uuid": "eb0307d6-901d-4140-84f9-a08c6a8ea14c", - "value": "Gazer (S0168) uses Scheduled Task (T1053)" - }, - { - "meta": { - "source-uuid": "1c63d4ec-0a75-4daa-b1df-0d11af3d3cc1", - "target-uuid": "b77cf5f3-6060-475d-bd60-40ccbf28fdc2" - }, - "uuid": "8c8cc494-628c-4540-b5ba-862cd937f94e", - "value": "Dragonfly (G0035) uses Forced Authentication (T1187)" - }, - { - "meta": { - "source-uuid": "93f52415-0fe4-4d3d-896c-fc9b8e88ab90", - "target-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc" - }, - "uuid": "d20b659b-3595-4171-9beb-668ab26bf398", - "value": "BRONZE BUTLER (G0060) uses Registry Run Keys / Start Folder 
(T1060)" - }, - { - "meta": { - "source-uuid": "bef4c620-0787-42a8-a96d-b7eb6e85917c", - "target-uuid": "edbe24e9-aec4-4994-ac75-6a6bc7f1ddd0" - }, - "uuid": "69f57458-bfb2-44a2-a8cf-0fce0e2b0a22", - "value": "APT28 (G0007) uses Dynamic Data Exchange (T1173)" - }, - { - "meta": { - "source-uuid": "6e7db820-9735-4545-bc64-039bc4ce354b", - "target-uuid": "a0a189c8-d3bd-4991-bf6f-153d185ee373" - }, - "uuid": "0a4e270a-5641-424d-a343-437ae9548125", - "value": "LC_MAIN Hijacking Mitigation (T1149) mitigates LC_MAIN Hijacking (T1149)" - }, - { - "meta": { - "source-uuid": "2a7914cf-dff3-428d-ab0f-1014d1c28aeb", - "target-uuid": "b21c3b2d-02e6-45b1-980b-e69051040839" - }, - "uuid": "74e737cf-67fb-4f80-ac4e-0ddff90b6f8e", - "value": "FIN6 (G0037) uses Exploitation of Vulnerability (T1068)" - }, - { - "meta": { - "source-uuid": "c93fccb1-e8e8-42cf-ae33-2ad1d183913a", - "target-uuid": "128c55d3-aeba-469f-bd3e-c8996ab4112a" - }, - "uuid": "d35f6c6f-c1ed-4b0d-b95f-9fd762eb3ac7", - "value": "Lazarus Group (G0032) uses Timestomp (T1099)" - }, - { - "meta": { - "source-uuid": "e9595678-d269-469e-ae6b-75e49259de63", - "target-uuid": "ae676644-d2d2-41b7-af7e-9bed1b55898c" - }, - "uuid": "6c9649b7-00c6-4503-a911-9e8b9086eac4", - "value": "BADNEWS (S0128) uses Data from Network Shared Drive (T1039)" - }, - { - "meta": { - "source-uuid": "64fa0de0-6240-41f4-8638-f4ca7ed528fd", - "target-uuid": "b2001907-166b-4d71-bb3c-9d26c871de09" - }, - "uuid": "464ce0ed-31a5-4a99-9791-9ce5bb987f58", - "value": "PlugX (S0013) uses DLL Side-Loading (T1073)" - }, - { - "meta": { - "source-uuid": "247cb30b-955f-42eb-97a5-a89fef69341e", - "target-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add" - }, - "uuid": "93f1726f-f172-4705-a13a-d5adaeb4e91b", - "value": "APT32 (G0050) uses Remote File Copy (T1105)" - }, - { - "meta": { - "source-uuid": "3753cc21-2dae-4dfb-8481-d004e74502cc", - "target-uuid": "f4882e23-8aa7-4b12-b28a-b349c12ee9e0" - }, - "uuid": "4856de0a-2635-4081-97a8-3f15593c2aa5", - "value": "FIN7 
(G0046) uses PowerShell (T1086)" - }, - { - "meta": { - "source-uuid": "7331c66a-5601-4d3f-acf6-ad9e3035eb40", - "target-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59" - }, - "uuid": "a9bc7666-f637-4093-a5bb-4edb61710e45", - "value": "Group5 (G0043) uses File Deletion (T1107)" - }, - { - "meta": { - "source-uuid": "68ba94ab-78b8-43e7-83e2-aed3466882c6", - "target-uuid": "0998045d-f96e-4284-95ce-3c8219707486" - }, - "uuid": "47214641-972c-4924-828a-3db470553dcb", - "value": "APT34 (G0057) uses SEASHARPEE (S0185)" - }, - { - "meta": { - "source-uuid": "8ae43c46-57ef-47d5-a77a-eebb35628db2", - "target-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1" - }, - "uuid": "e11d4f32-842a-4684-8974-f368e52b8632", - "value": "JHUHUGIT (S0044) uses System Information Discovery (T1082)" - }, - { - "meta": { - "source-uuid": "67e6d66b-1b82-4699-b47a-e2efb6268d14", - "target-uuid": "6ff403bc-93e3-48be-8687-e102fdba8c88" - }, - "uuid": "8a48e56d-f837-4a5a-99b6-db0f60b541a0", - "value": "SeaDuke (S0053) uses Software Packing (T1045)" - }, - { - "meta": { - "source-uuid": "69d6f4a9-fcf0-4f51-bca7-597c51ad0bb8", - "target-uuid": "e358d692-23c0-4a31-9eb6-ecc13a8d7735" - }, - "uuid": "51742efe-5f0c-4fbf-9eb7-5e765a0a408f", - "value": "Remsec (S0125) uses Remote System Discovery (T1018)" - }, - { - "meta": { - "source-uuid": "2a8de25c-f743-4348-b101-3ee33ab5871b", - "target-uuid": "d54416bd-0803-41ca-870a-ce1af7c05638" - }, - "uuid": "bd5699e8-8765-4f24-8307-c81a296b87e0", - "value": "Data Encrypted Mitigation (T1022) mitigates Data Encrypted (T1022)" - }, - { - "meta": { - "source-uuid": "38fd6a28-3353-4f2b-bb2b-459fecd5c648", - "target-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81" - }, - "uuid": "1ac5bace-cdc2-4a1b-abad-d30ca0ed7f45", - "value": "APT18 (G0026) uses Valid Accounts (T1078)" - }, - { - "meta": { - "source-uuid": "17862c7d-9e60-48a0-b48e-da4dc4c3f6b0", - "target-uuid": "51dea151-0898-4a45-967c-3ebee0420484" - }, - "uuid": "2816f512-1a04-4cf8-94e9-36720b949c76", - "value": 
"Patchwork (G0040) uses Remote Desktop Protocol (T1076)" - }, - { - "meta": { - "source-uuid": "16ade1aa-0ea1-4bb7-88cc-9079df2ae756", - "target-uuid": "123bd7b3-675c-4b1a-8482-c55782b20e2b" - }, - "uuid": "013ab34f-54bf-4813-bd37-42a4eebb8d52", - "value": "admin@338 (G0018) uses BUBBLEWRAP (S0043)" - }, - { - "meta": { - "source-uuid": "94379dec-5c87-49db-b36e-66abc0b81344", - "target-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580" - }, - "uuid": "f017f6c0-96f4-46f1-905f-44e9950effbc", - "value": "Derusbi (S0021) uses Process Discovery (T1057)" - }, - { - "meta": { - "source-uuid": "93f52415-0fe4-4d3d-896c-fc9b8e88ab90", - "target-uuid": "b9f5dbe2-4c55-4fc5-af2e-d42c1d182ec4" - }, - "uuid": "99e9583f-433d-437d-bf37-7ea2b3f1b613", - "value": "BRONZE BUTLER (G0060) uses Data Compressed (T1002)" - }, - { - "meta": { - "source-uuid": "cba78a1c-186f-4112-9e6a-be1839f030f7", - "target-uuid": "02fefddc-fb1b-423f-a76b-7552dd211d4d" - }, - "uuid": "44b56e08-7cd1-442c-8806-c69bb65fd231", - "value": "ROCKBOOT (S0112) uses Bootkit (T1067)" - }, - { - "meta": { - "source-uuid": "7343e208-7cab-45f2-a47b-41ba5e2f0fab", - "target-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add" - }, - "uuid": "59aabb7b-9211-4577-9c6b-ba2cf6e3704c", - "value": "XTunnel (S0117) uses Remote File Copy (T1105)" - }, - { - "meta": { - "source-uuid": "34efb2fd-4dc2-40d4-a564-0c147c85034d", - "target-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59" - }, - "uuid": "8ff745b7-9985-4781-a8bc-dae6d71233d3", - "value": "File Deletion Mitigation (T1107) mitigates File Deletion (T1107)" - }, - { - "meta": { - "source-uuid": "85403903-15e0-4f9f-9be4-a259ecad4022", - "target-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22" - }, - "uuid": "6b429676-7b77-4453-a6ce-2d6a6cb0dfe7", - "value": "FIN5 (G0053) uses Credential Dumping (T1003)" - }, - { - "meta": { - "source-uuid": "1cc934e4-b01d-4543-a011-b988dfc1a458", - "target-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a" - }, - "uuid": "573916d8-804d-4453-be37-e6b1865e87db", - 
"value": "Matroyshka (S0167) uses Obfuscated Files or Information (T1027)" - }, - { - "meta": { - "source-uuid": "92ec0cbd-2c30-44a2-b270-73f4ec949841", - "target-uuid": "799ace7f-e227-4411-baa0-8868704f2a69" - }, - "uuid": "81cfd1fd-999b-4730-b5dc-363d367dd92e", - "value": "RTM (S0148) uses Indicator Removal on Host (T1070)" - }, - { - "meta": { - "source-uuid": "eff1a885-6f90-42a1-901f-eef6e7a1905e", - "target-uuid": "c3888c54-775d-4b2f-b759-75a2ececcbfd" - }, - "uuid": "f81274dc-2f5b-47f7-b91f-70a4ebdfde95", - "value": "Helminth (S0170) uses Data Transfer Size Limits (T1030)" - }, - { - "meta": { - "source-uuid": "f0a42cad-9b1f-44da-a672-718f18381018", - "target-uuid": "246fd3c7-f5e3-466d-8787-4c13d9e3b61c" - }, - "uuid": "37781434-3f1e-4f45-af34-b2378647c13a", - "value": "Taint Shared Content Mitigation (T1080) mitigates Taint Shared Content (T1080)" - }, - { - "meta": { - "source-uuid": "899ce53f-13a0-479b-a0e4-67d46e241542", - "target-uuid": "67e6d66b-1b82-4699-b47a-e2efb6268d14" - }, - "uuid": "8d6cf235-4a33-4866-9b73-a7119293e5db", - "value": "APT29 (G0016) uses SeaDuke (S0053)" - }, - { - "meta": { - "source-uuid": "85403903-15e0-4f9f-9be4-a259ecad4022", - "target-uuid": "799ace7f-e227-4411-baa0-8868704f2a69" - }, - "uuid": "9b43f780-6a8b-477f-826f-c45e867749c9", - "value": "FIN5 (G0053) uses Indicator Removal on Host (T1070)" - }, - { - "meta": { - "source-uuid": "ff6caf67-ea1f-4895-b80e-4bb0fc31c6db", - "target-uuid": "f44731de-ea9f-406d-9b83-30ecbb9b4392" - }, - "uuid": "a66aff09-0635-44a3-b591-a530a25c9012", - "value": "PsExec (S0029) uses Service Execution (T1035)" - }, - { - "meta": { - "source-uuid": "894aab42-3371-47b1-8859-a4a074c804c8", - "target-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1" - }, - "uuid": "efbe5efa-6863-4334-90e5-d7caab9806a6", - "value": "Stealth Falcon (G0038) uses System Information Discovery (T1082)" - }, - { - "meta": { - "source-uuid": "fe98767f-9df8-42b9-83c9-004b1dec8647", - "target-uuid": 
"251fbae2-78f6-4de7-84f6-194c727a64ad" - }, - "uuid": "71416f0d-b037-48b2-a14d-acb1a5f3a4a4", - "value": "PittyTiger (G0011) uses Lurid (S0010)" - }, - { - "meta": { - "source-uuid": "4f6aa78c-c3d4-4883-9840-96ca2f5d6d47", - "target-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830" - }, - "uuid": "b8e6bb17-9652-464d-8e5d-bd21e1f69a2e", - "value": "TEXTMATE (S0146) uses Command-Line Interface (T1059)" - }, - { - "meta": { - "source-uuid": "eff1a885-6f90-42a1-901f-eef6e7a1905e", - "target-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc" - }, - "uuid": "2a7cd52f-46e5-4a18-bdf6-4c38edfcb97c", - "value": "Helminth (S0170) uses Registry Run Keys / Start Folder (T1060)" - }, - { - "meta": { - "source-uuid": "c93fccb1-e8e8-42cf-ae33-2ad1d183913a", - "target-uuid": "495b6cdb-7b5a-4fbc-8d33-e7ef68806d08" - }, - "uuid": "e46836e5-8ffe-45e5-9398-bb9fbb3a4aeb", - "value": "Lazarus Group (G0032) uses Volgmer (S0180)" - }, - { - "meta": { - "source-uuid": "bef4c620-0787-42a8-a96d-b7eb6e85917c", - "target-uuid": "128c55d3-aeba-469f-bd3e-c8996ab4112a" - }, - "uuid": "1036833a-1d4c-4d9e-b716-1e52606ab684", - "value": "APT28 (G0007) uses Timestomp (T1099)" - }, - { - "meta": { - "source-uuid": "a653431d-6a5e-4600-8ad3-609b5af57064", - "target-uuid": "7fd87010-3a00-4da3-b905-410525e8ec44" - }, - "uuid": "8cbcb17a-01f4-4899-bc83-9b02fd44f861", - "value": "Deep Panda (G0009) uses Scripting (T1064)" - }, - { - "meta": { - "source-uuid": "d4fd04e0-d1a4-4b5a-a5bb-16683cdbcce2", - "target-uuid": "10d51417-ee35-4589-b1ff-b6df1c334e8d" - }, - "uuid": "a93e5f9f-5c8c-4832-93db-a6c180840a43", - "value": "External Remote Services Mitigation (T1133) mitigates External Remote Services (T1133)" - }, - { - "meta": { - "source-uuid": "0998045d-f96e-4284-95ce-3c8219707486", - "target-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830" - }, - "uuid": "7276fbbe-3237-4e95-b2ad-8518327432ba", - "value": "SEASHARPEE (S0185) uses Command-Line Interface (T1059)" - }, - { - "meta": { - "source-uuid": 
"22addc7b-b39f-483d-979a-1b35147da5de", - "target-uuid": "7bc57495-ea59-4380-be31-a64af124ef18" - }, - "uuid": "1684e405-53bd-4951-a26d-e7c39887b06a", - "value": "WinMM (S0059) uses File and Directory Discovery (T1083)" - }, - { - "meta": { - "source-uuid": "199463de-d9be-46d6-bb41-07234c1dd5a6", - "target-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0" - }, - "uuid": "847752f4-59a2-46e9-ae28-befe0142b223", - "value": "GeminiDuke (S0049) uses System Network Configuration Discovery (T1016)" - }, - { - "meta": { - "source-uuid": "2e290bfe-93b5-48ce-97d6-edcd6d32b7cf", - "target-uuid": "92d7da27-2d91-488e-a00c-059dc162766d" - }, - "uuid": "d361058d-a11b-470d-bed8-44bfd8e50393", - "value": "Gamaredon Group (G0047) uses Exfiltration Over Command and Control Channel (T1041)" - }, - { - "meta": { - "source-uuid": "54cc1d4f-5c53-4f0e-9ef5-11b4998e82e4", - "target-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc" - }, - "uuid": "cd2a7854-1339-4f40-8ba1-be032dc5249e", - "value": "BlackEnergy (S0089) uses Registry Run Keys / Start Folder (T1060)" - }, - { - "meta": { - "source-uuid": "17e919aa-4a49-445c-b103-dbb8df9e7351", - "target-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896" - }, - "uuid": "9c79076c-341f-4eb3-bed7-300723747b18", - "value": "POWERSOURCE (S0145) uses Query Registry (T1012)" - }, - { - "meta": { - "source-uuid": "e1161124-f22e-487f-9d5f-ed8efc8dcd61", - "target-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104" - }, - "uuid": "a1e9769e-5172-4959-84d3-5a28796f86e1", - "value": "Mis-Type (S0084) uses System Owner/User Discovery (T1033)" - }, - { - "meta": { - "source-uuid": "60c18d06-7b91-4742-bae3-647845cd9d81", - "target-uuid": "3b3cbbe0-6ed3-4334-b543-3ddfd8c5642d" - }, - "uuid": "f4e53b40-abcf-4157-9e53-4ab9632619f1", - "value": "CORESHELL (S0137) uses Custom Cryptographic Protocol (T1024)" - }, - { - "meta": { - "source-uuid": "e9595678-d269-469e-ae6b-75e49259de63", - "target-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670" - }, - "uuid": 
"d15cda3e-7ed6-4914-a0a8-ff1f4fe668ec", - "value": "BADNEWS (S0128) uses Execution through API (T1106)" - }, - { - "meta": { - "source-uuid": "96566860-9f11-4b6f-964d-1c924e4f24a4", - "target-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c" - }, - "uuid": "283bdd5f-f356-43a2-864c-6f8211073d45", - "value": "Starloader (S0188) uses Deobfuscate/Decode Files or Information (T1140)" - }, - { - "meta": { - "source-uuid": "c93fccb1-e8e8-42cf-ae33-2ad1d183913a", - "target-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2" - }, - "uuid": "7f695d14-17e1-46c6-92eb-7c2f57fc6553", - "value": "Lazarus Group (G0032) uses Input Capture (T1056)" - } - ], - "version": 3 -}
diff --git a/clusters/mitre-mobile-attack-relationship.json b/clusters/mitre-mobile-attack-relationship.json
deleted file mode 100644
index db9449a..0000000
--- a/clusters/mitre-mobile-attack-relationship.json
+++ /dev/null
@@ -1,1973 +0,0 @@ -{ - "authors": [ - "MITRE" - ], - "description": "MITRE Relationship", - "name": "Mobile Attack - Relationship", - "source": "https://github.com/mitre/cti", - "type": "mitre-mobile-attack-relationship", - "uuid": "02f1fc42-1708-11e8-a4f2-eb70472c5901", - "values": [ - { - "meta": { - "source-uuid": "bcecd036-f40e-4916-9f8e-fd0ccf0ece8d", - "target-uuid": "dfe29258-ce59-421c-9dee-e85cb9fa90cd" - }, - "uuid": "6eca2456-fdcf-42e9-bcbb-a4c51ce54139", - "value": "Security Updates (MOB-M1001) mitigates Lockscreen Bypass (MOB-T1064)" - }, - { - "meta": { - "source-uuid": "d1c600f8-0fb6-4367-921b-85b71947d950", - "target-uuid": "9d7c32f4-ab39-49dc-8055-8106bc2294a1" - }, - "uuid": "69bb264a-3f44-4132-9248-dd80a9f5efa2", - "value": "Charger (MOB-S0039) uses Lock User Out of Device (MOB-T1049)" - }, - { - "meta": { - "source-uuid": "0beabf44-e8d8-4ae4-9122-ef56369a2564", - "target-uuid": "c91c304a-975d-4501-9789-0db1c57afd3f" - }, - "uuid": "ca7c3278-1d12-4e55-b320-39efa5a285db", - "value": "Use Recent OS Version (MOB-M1006) mitigates Exploit Baseband Vulnerability (MOB-T1058)" - }, - { - "meta": { - "source-uuid": "20dbaf05-59b8-4dc6-8777-0b17f4553a23", - "target-uuid": "bd4d32f5-eed4-4018-a649-40b229dd1d69" - }, - "uuid": "0008005f-ca51-47c3-8369-55ee5de1c65a", - "value": "SpyNote RAT (MOB-S0021) uses App Auto-Start at Device Boot (MOB-T1005)" - }, - { - "meta": { - "source-uuid": "f6ac21b6-2592-400c-8472-10d0e2f1bfaf", - "target-uuid": "e8b4e1ec-8e3b-484c-9038-4459b1ed8060" - }, - "uuid": "18d3f4c7-2888-4d27-9ac7-b7ade1a1c04c", - "value": "Adups (MOB-S0025) uses Capture SMS Messages (MOB-T1015)" - }, - { - "meta": { - "source-uuid": "363bc05d-13cb-4e98-a5b7-e250f2bbdc2b", - "target-uuid": "702055ac-4e54-4ae9-9527-e23a38e0b160" - }, - "uuid": "4088b31b-d542-4935-84b4-82b592159591", - "value": "RCSAndroid (MOB-S0011) uses Access Sensitive Data or Credentials in Files (MOB-T1012)" - }, - { - "meta": { - "source-uuid": 
"363bc05d-13cb-4e98-a5b7-e250f2bbdc2b", - "target-uuid": "99e6295e-741b-4857-b6e5-64989eb039b4" - }, - "uuid": "da4296d7-5fdb-45b6-9791-b023d634c08d", - "value": "RCSAndroid (MOB-S0011) uses Location Tracking (MOB-T1033)" - }, - { - "meta": { - "source-uuid": "8220b57e-c400-4525-bf69-f8edc6b389a8", - "target-uuid": "f58cd69a-e548-478b-9248-8a9af881dc34" - }, - "uuid": "690111d3-c281-4d55-a7ed-73b8dab72a85", - "value": "Encrypt Network Traffic (MOB-M1009) mitigates Downgrade to Insecure Protocols (MOB-T1069)" - }, - { - "meta": { - "source-uuid": "1553b156-6767-47f7-9eb4-2a692505666d", - "target-uuid": "e30cc912-7ea1-4683-9219-543b86cbdec9" - }, - "uuid": "a834341f-d909-41e3-adaf-5f3450e4090e", - "value": "Application Vetting (MOB-M1005) mitigates Fake Developer Accounts (MOB-T1045)" - }, - { - "meta": { - "source-uuid": "05c4f87c-be8f-46ea-8d9a-2a0aad8f52c1", - "target-uuid": "79eec66a-9bd0-4a3f-ac82-19159e94bd44" - }, - "uuid": "c65661a6-6047-4901-ac2c-3ca4b1bbbb28", - "value": "DroidJack RAT (MOB-S0036) uses Access Call Log (MOB-T1036)" - }, - { - "meta": { - "source-uuid": "1553b156-6767-47f7-9eb4-2a692505666d", - "target-uuid": "29e07491-8947-43a3-8d4e-9a787c45f3d3" - }, - "uuid": "9e83607e-2936-4f25-b6d2-c357846840f3", - "value": "Application Vetting (MOB-M1005) mitigates Access Sensitive Data in Device Logs (MOB-T1016)" - }, - { - "meta": { - "source-uuid": "0beabf44-e8d8-4ae4-9122-ef56369a2564", - "target-uuid": "88932a8c-3a17-406f-9431-1da3ff19f6d6" - }, - "uuid": "ebdb9385-6311-4532-b021-2da48734aab7", - "value": "Use Recent OS Version (MOB-M1006) mitigates Modify cached executable code (MOB-T1006)" - }, - { - "meta": { - "source-uuid": "c8770c81-c29f-40d2-a140-38544206b2b4", - "target-uuid": "76c12fc8-a4eb-45d6-a3b7-e371a7248f69" - }, - "uuid": "f947d845-4d70-41f3-ae3c-18ea8b44e667", - "value": "HummingBad (MOB-S0038) uses Manipulate App Store Rankings or Ratings (MOB-T1055)" - }, - { - "meta": { - "source-uuid": "1553b156-6767-47f7-9eb4-2a692505666d", - 
"target-uuid": "dd818ea5-adf5-41c7-93b5-f3b839a219fb" - }, - "uuid": "de1b1f92-c060-4d8c-81bf-465b7fb21be4", - "value": "Application Vetting (MOB-M1005) mitigates Local Network Connections Discovery (MOB-T1024)" - }, - { - "meta": { - "source-uuid": "d2a199d2-dfea-4d0c-987d-6195ed17be9c", - "target-uuid": "702055ac-4e54-4ae9-9527-e23a38e0b160" - }, - "uuid": "be2895e2-7e1d-4467-8b6a-ac06b17ce0bb", - "value": "Use Device-Provided Credential Storage (MOB-M1008) mitigates Access Sensitive Data or Credentials in Files (MOB-T1012)" - }, - { - "meta": { - "source-uuid": "e829ee51-1caf-4665-ba15-7f8979634124", - "target-uuid": "52651225-0b3a-482d-aa7e-10618fd063b5" - }, - "uuid": "6f8b3839-ea91-44d5-ba68-b9d1e6076c19", - "value": "Interconnection Filtering (MOB-M1014) mitigates Exploit SS7 to Track Device Location (MOB-T1053)" - }, - { - "meta": { - "source-uuid": "1553b156-6767-47f7-9eb4-2a692505666d", - "target-uuid": "79eec66a-9bd0-4a3f-ac82-19159e94bd44" - }, - "uuid": "69d6f3fc-17ea-4a32-b4dd-a006c75362d6", - "value": "Application Vetting (MOB-M1005) mitigates Access Call Log (MOB-T1036)" - }, - { - "meta": { - "source-uuid": "653492e3-27be-4a0e-b08c-938dd2b7e0e1", - "target-uuid": "6b846ad0-cc20-4db6-aa34-91561397c5e2" - }, - "uuid": "b104c62f-771c-46c5-afc4-a964a94cea50", - "value": "User Guidance (MOB-M1011) mitigates App Delivered via Web Download (MOB-T1034)" - }, - { - "meta": { - "source-uuid": "1553b156-6767-47f7-9eb4-2a692505666d", - "target-uuid": "6683aa0c-d98a-4f5b-ac57-ca7e9934a760" - }, - "uuid": "50986206-ad56-4dea-baed-846545fb2f5a", - "value": "Application Vetting (MOB-M1005) mitigates Microphone or Camera Recordings (MOB-T1032)" - }, - { - "meta": { - "source-uuid": "c8770c81-c29f-40d2-a140-38544206b2b4", - "target-uuid": "f981d199-2720-467e-9dc9-eea04dbe05cf" - }, - "uuid": "ac523dfb-36be-4402-acf2-abe98e183eef", - "value": "HummingBad (MOB-S0038) uses Generate Fraudulent Advertising Revenue (MOB-T1075)" - }, - { - "meta": { - "source-uuid": 
"25dc1ce8-eb55-4333-ae30-a7cb4f5894a1", - "target-uuid": "29e07491-8947-43a3-8d4e-9a787c45f3d3" - }, - "uuid": "fab8c40d-b934-4ee0-8e83-f017af2e347a", - "value": "Application Developer Guidance (MOB-M1013) mitigates Access Sensitive Data in Device Logs (MOB-T1016)" - }, - { - "meta": { - "source-uuid": "3c3b55a6-c3e9-4043-8aae-283fe96220c0", - "target-uuid": "6c49d50f-494d-4150-b774-a655022d20a6" - }, - "uuid": "d54bdaff-8eb8-4a02-9f64-bc33c892e9d1", - "value": "ZergHelper (MOB-S0003) uses Download New Code at Runtime (MOB-T1010)" - }, - { - "meta": { - "source-uuid": "d9e07aea-baad-4b68-bdca-90c77647d7f9", - "target-uuid": "b928b94a-4966-4e2a-9e61-36505b896ebc" - }, - "uuid": "8e4b2305-1280-4456-8ec7-93c66da5c674", - "value": "XcodeGhost (MOB-S0013) uses Malicious Software Development Tools (MOB-T1065)" - }, - { - "meta": { - "source-uuid": "a3dad2be-ce62-4440-953b-00fbce7aba93", - "target-uuid": "79eec66a-9bd0-4a3f-ac82-19159e94bd44" - }, - "uuid": "290a627d-172d-494d-a0cc-685f480a1034", - "value": "AndroRAT (MOB-S0008) uses Access Call Log (MOB-T1036)" - }, - { - "meta": { - "source-uuid": "936be60d-90eb-4c36-9247-4b31128432c4", - "target-uuid": "e2ea7f6b-8d4f-49c3-819d-660530d12b77" - }, - "uuid": "bb3be217-08e2-4bb0-9f1a-d8e538010451", - "value": "RuMMS (MOB-S0029) uses System Information Discovery (MOB-T1029)" - }, - { - "meta": { - "source-uuid": "8220b57e-c400-4525-bf69-f8edc6b389a8", - "target-uuid": "d731c21e-f27d-4756-b418-0e2aaabd6d63" - }, - "uuid": "74155759-4c76-42d3-b64f-a898f7b582f9", - "value": "Encrypt Network Traffic (MOB-M1009) mitigates Manipulate Device Communication (MOB-T1066)" - }, - { - "meta": { - "source-uuid": "1553b156-6767-47f7-9eb4-2a692505666d", - "target-uuid": "bd4d32f5-eed4-4018-a649-40b229dd1d69" - }, - "uuid": "8e94da58-86b7-4a45-886e-6da58828eacd", - "value": "Application Vetting (MOB-M1005) mitigates App Auto-Start at Device Boot (MOB-T1005)" - }, - { - "meta": { - "source-uuid": "bcecd036-f40e-4916-9f8e-fd0ccf0ece8d", - 
"target-uuid": "46d818a5-67fa-4585-a7fc-ecf15376c8d5" - }, - "uuid": "4cf9511e-da0e-4055-bc8c-56121ae120d2", - "value": "Security Updates (MOB-M1001) mitigates Modify OS Kernel or Boot Partition (MOB-T1001)" - }, - { - "meta": { - "source-uuid": "bcecd036-f40e-4916-9f8e-fd0ccf0ece8d", - "target-uuid": "f1c3d071-0c24-483d-aca0-e8b8496ce468" - }, - "uuid": "62480750-2218-4ea0-b168-b9035b9ee998", - "value": "Security Updates (MOB-M1001) mitigates Modify Trusted Execution Environment (MOB-T1002)" - }, - { - "meta": { - "source-uuid": "c80a6bef-b3ce-44d0-b113-946e93124898", - "target-uuid": "a93ccb8f-3996-42e2-b7c7-bb599d4e205f" - }, - "uuid": "ebc0aa93-93ac-4b7e-ad87-9d5743a09c8e", - "value": "Shedun (MOB-S0010) uses Repackaged Application (MOB-T1047)" - }, - { - "meta": { - "source-uuid": "56660521-6db4-4e5a-a927-464f22954b7c", - "target-uuid": "99e6295e-741b-4857-b6e5-64989eb039b4" - }, - "uuid": "9e66ec3b-cdd6-461c-bd84-e75316818e15", - "value": "X-Agent (MOB-S0030) uses Location Tracking (MOB-T1033)" - }, - { - "meta": { - "source-uuid": "649f7268-4c12-483b-ac84-4b7bca9fe2ee", - "target-uuid": "633baf01-6de4-4963-bb54-ff6c6357bed3" - }, - "uuid": "cda9f3cf-01e4-41b3-8e45-4dda9fe5eb30", - "value": "Enterprise Policy (MOB-M1012) mitigates Rogue Wi-Fi Access Points (MOB-T1068)" - }, - { - "meta": { - "source-uuid": "a3dad2be-ce62-4440-953b-00fbce7aba93", - "target-uuid": "6683aa0c-d98a-4f5b-ac57-ca7e9934a760" - }, - "uuid": "b4180067-52b6-4109-91df-52fd9a7ed2e8", - "value": "AndroRAT (MOB-S0008) uses Microphone or Camera Recordings (MOB-T1032)" - }, - { - "meta": { - "source-uuid": "936be60d-90eb-4c36-9247-4b31128432c4", - "target-uuid": "6a3f6490-9c44-40de-b059-e5940f246673" - }, - "uuid": "4d7e937d-7ea1-49cb-939c-5244815e51d7", - "value": "RuMMS (MOB-S0029) uses Standard Application Layer Protocol (MOB-T1040)" - }, - { - "meta": { - "source-uuid": "f6ac21b6-2592-400c-8472-10d0e2f1bfaf", - "target-uuid": "f9e4f526-ac9d-4df5-8949-833a82a1d2df" - }, - "uuid": 
"d792bffd-6745-4da6-a70f-2d5843ef05ca", - "value": "Adups (MOB-S0025) uses Malicious or Vulnerable Built-in Device Functionality (MOB-T1076)" - }, - { - "meta": { - "source-uuid": "1553b156-6767-47f7-9eb4-2a692505666d", - "target-uuid": "c4b96c0b-cb58-497a-a1c2-bb447d79d692" - }, - "uuid": "ba556d98-4ff2-43a4-bb93-52f99265ff99", - "value": "Application Vetting (MOB-M1005) mitigates Capture Clipboard Data (MOB-T1017)" - }, - { - "meta": { - "source-uuid": "d9e07aea-baad-4b68-bdca-90c77647d7f9", - "target-uuid": "c4b96c0b-cb58-497a-a1c2-bb447d79d692" - }, - "uuid": "2de76a24-ec87-4808-b0d3-b84d318ac22c", - "value": "XcodeGhost (MOB-S0013) uses Capture Clipboard Data (MOB-T1017)" - }, - { - "meta": { - "source-uuid": "d05f7357-4cbe-47ea-bf83-b8604226d533", - "target-uuid": "99e6295e-741b-4857-b6e5-64989eb039b4" - }, - "uuid": "9c7c302a-d5ba-4fc9-a4e5-e865fd7fb708", - "value": "Android/Chuli.A (MOB-S0020) uses Location Tracking (MOB-T1033)" - }, - { - "meta": { - "source-uuid": "d1c600f8-0fb6-4367-921b-85b71947d950", - "target-uuid": "99e6295e-741b-4857-b6e5-64989eb039b4" - }, - "uuid": "85c7e956-3ce5-4495-b52e-385ae2ee4f9b", - "value": "Charger (MOB-S0039) uses Location Tracking (MOB-T1033)" - }, - { - "meta": { - "source-uuid": "363bc05d-13cb-4e98-a5b7-e250f2bbdc2b", - "target-uuid": "b3c2e5de-0941-4b57-ba61-af029eb5517a" - }, - "uuid": "8cb42e3d-69f4-4b0d-98c9-0bb7560947c1", - "value": "RCSAndroid (MOB-S0011) uses Alternate Network Mediums (MOB-T1041)" - }, - { - "meta": { - "source-uuid": "33d9d91d-aad9-49d5-a516-220ce101ac8a", - "target-uuid": "e2ea7f6b-8d4f-49c3-819d-660530d12b77" - }, - "uuid": "7af7d094-3a49-4e5e-99d0-385c79f95f06", - "value": "Pegasus (MOB-S0005) uses System Information Discovery (MOB-T1029)" - }, - { - "meta": { - "source-uuid": "363bc05d-13cb-4e98-a5b7-e250f2bbdc2b", - "target-uuid": "e8b4e1ec-8e3b-484c-9038-4459b1ed8060" - }, - "uuid": "2065382f-45ae-4b9a-a77c-027ecd6c1735", - "value": "RCSAndroid (MOB-S0011) uses Capture SMS Messages 
(MOB-T1015)" - }, - { - "meta": { - "source-uuid": "653492e3-27be-4a0e-b08c-938dd2b7e0e1", - "target-uuid": "537ea573-8a1c-468c-956b-d16d2ed9d067" - }, - "uuid": "69efe716-affe-419e-ac06-924d2e416695", - "value": "User Guidance (MOB-M1011) mitigates Remotely Wipe Data Without Authorization (MOB-T1072)" - }, - { - "meta": { - "source-uuid": "1553b156-6767-47f7-9eb4-2a692505666d", - "target-uuid": "e8b4e1ec-8e3b-484c-9038-4459b1ed8060" - }, - "uuid": "16f55053-285d-411d-881c-6f8c1bdef8d7", - "value": "Application Vetting (MOB-M1005) mitigates Capture SMS Messages (MOB-T1015)" - }, - { - "meta": { - "source-uuid": "649f7268-4c12-483b-ac84-4b7bca9fe2ee", - "target-uuid": "667e5707-3843-4da8-bd34-88b922526f0d" - }, - "uuid": "eb6dbe2a-6f76-4bce-ab37-66ec67148041", - "value": "Enterprise Policy (MOB-M1012) mitigates Exploit via Charging Station or PC (MOB-T1061)" - }, - { - "meta": { - "source-uuid": "bcecd036-f40e-4916-9f8e-fd0ccf0ece8d", - "target-uuid": "ef771e03-e080-43b4-a619-ac6f84899884" - }, - "uuid": "6d8ea31a-da35-442a-8e0d-1d0c0dcdf14b", - "value": "Security Updates (MOB-M1001) mitigates Exploit TEE Vulnerability (MOB-T1008)" - }, - { - "meta": { - "source-uuid": "d05f7357-4cbe-47ea-bf83-b8604226d533", - "target-uuid": "89fcd02f-62dc-40b9-a54b-9ac4b1baef05" - }, - "uuid": "83991b5c-59b9-4fe5-9ef2-39c6ddc8b835", - "value": "Android/Chuli.A (MOB-S0020) uses Device Type Discovery (MOB-T1022)" - }, - { - "meta": { - "source-uuid": "653492e3-27be-4a0e-b08c-938dd2b7e0e1", - "target-uuid": "6f86d346-f092-4abc-80df-8558a90c426a" - }, - "uuid": "0818895a-0d6d-47cc-ad34-a09bdb76a81b", - "value": "User Guidance (MOB-M1011) mitigates Remotely Track Device Without Authorization (MOB-T1071)" - }, - { - "meta": { - "source-uuid": "0beabf44-e8d8-4ae4-9122-ef56369a2564", - "target-uuid": "9d7c32f4-ab39-49dc-8055-8106bc2294a1" - }, - "uuid": "4d2d892c-9d3a-445c-b9bf-1eab45703dcc", - "value": "Use Recent OS Version (MOB-M1006) mitigates Lock User Out of Device (MOB-T1049)" - }, 
- { - "meta": { - "source-uuid": "c709da93-20c3-4d17-ab68-48cba76b2137", - "target-uuid": "d4536441-1bcc-49fa-80ae-a596ed3f7ffd" - }, - "uuid": "789cb76e-27b0-4762-a2f7-3ff32ce0762d", - "value": "PJApps (MOB-S0007) uses Local Network Configuration Discovery (MOB-T1025)" - }, - { - "meta": { - "source-uuid": "c8770c81-c29f-40d2-a140-38544206b2b4", - "target-uuid": "351c0927-2fc1-4a2c-ad84-cbbee7eb8172" - }, - "uuid": "d87b468e-f610-4e95-8dfb-8cf029f0e891", - "value": "HummingBad (MOB-S0038) uses Exploit OS Vulnerability (MOB-T1007)" - }, - { - "meta": { - "source-uuid": "2074b2ad-612e-4758-adce-7901c1b49bbc", - "target-uuid": "46d818a5-67fa-4585-a7fc-ecf15376c8d5" - }, - "uuid": "373f33be-9b40-44f5-bfd3-db2a9f5fa72c", - "value": "OldBoot (MOB-S0001) uses Modify OS Kernel or Boot Partition (MOB-T1001)" - }, - { - "meta": { - "source-uuid": "bcecd036-f40e-4916-9f8e-fd0ccf0ece8d", - "target-uuid": "a0464539-e1b7-4455-a355-12495987c300" - }, - "uuid": "2388ba94-8e49-40d0-a697-eea948e6cfb6", - "value": "Security Updates (MOB-M1001) mitigates Attack PC via USB Connection (MOB-T1030)" - }, - { - "meta": { - "source-uuid": "0beabf44-e8d8-4ae4-9122-ef56369a2564", - "target-uuid": "702055ac-4e54-4ae9-9527-e23a38e0b160" - }, - "uuid": "3ebcd3d8-dd8e-4cc9-8087-ce9e93df6f56", - "value": "Use Recent OS Version (MOB-M1006) mitigates Access Sensitive Data or Credentials in Files (MOB-T1012)" - }, - { - "meta": { - "source-uuid": "653492e3-27be-4a0e-b08c-938dd2b7e0e1", - "target-uuid": "0c71033e-401e-4b97-9309-7a7c95e43a5d" - }, - "uuid": "2bd272ca-8a14-42cd-9664-6cc6f7451e42", - "value": "User Guidance (MOB-M1011) mitigates Obtain Device Cloud Backups (MOB-T1073)" - }, - { - "meta": { - "source-uuid": "33d9d91d-aad9-49d5-a516-220ce101ac8a", - "target-uuid": "b3c2e5de-0941-4b57-ba61-af029eb5517a" - }, - "uuid": "4f2ae057-ef0b-4995-b24d-348a76a74a4f", - "value": "Pegasus (MOB-S0005) uses Alternate Network Mediums (MOB-T1041)" - }, - { - "meta": { - "source-uuid": 
"93799a9d-3537-43d8-b6f4-17215de1657c", - "target-uuid": "d4536441-1bcc-49fa-80ae-a596ed3f7ffd" - }, - "uuid": "db3fc82d-d353-438d-aa5e-9b5e7e60f0ac", - "value": "Pegasus for Android (MOB-S0032) uses Local Network Configuration Discovery (MOB-T1025)" - }, - { - "meta": { - "source-uuid": "0beabf44-e8d8-4ae4-9122-ef56369a2564", - "target-uuid": "667e5707-3843-4da8-bd34-88b922526f0d" - }, - "uuid": "abd2e863-4bd3-4686-b2aa-f8a097a41c99", - "value": "Use Recent OS Version (MOB-M1006) mitigates Exploit via Charging Station or PC (MOB-T1061)" - }, - { - "meta": { - "source-uuid": "1553b156-6767-47f7-9eb4-2a692505666d", - "target-uuid": "a8c31121-852b-46bd-9ba4-674ae5afe7ad" - }, - "uuid": "903660e1-3996-4ed2-9e7a-4f8c397a71eb", - "value": "Application Vetting (MOB-M1005) mitigates Malicious Third Party Keyboard App (MOB-T1020)" - }, - { - "meta": { - "source-uuid": "0beabf44-e8d8-4ae4-9122-ef56369a2564", - "target-uuid": "82f04b1e-5371-4a6f-be06-411f0f43b483" - }, - "uuid": "b2c289bf-e981-4bcd-87dd-b6c0680557e9", - "value": "Use Recent OS Version (MOB-M1006) mitigates Abuse Device Administrator Access to Prevent Removal (MOB-T1004)" - }, - { - "meta": { - "source-uuid": "93799a9d-3537-43d8-b6f4-17215de1657c", - "target-uuid": "198ce408-1470-45ee-b47f-7056050d4fc2" - }, - "uuid": "f5fab17b-43e7-46ff-bdea-eb8c52a0c6c3", - "value": "Pegasus for Android (MOB-S0032) uses Application Discovery (MOB-T1021)" - }, - { - "meta": { - "source-uuid": "e944670c-d03a-4e93-a21c-b3d4c53ec4c9", - "target-uuid": "8e27551a-5080-4148-a584-c64348212e4f" - }, - "uuid": "465ff71b-2b1b-43b6-ab78-afb273d956d2", - "value": "Caution with Device Administrator Access (MOB-M1007) mitigates Wipe Device Data (MOB-T1050)" - }, - { - "meta": { - "source-uuid": "e13d084c-382f-40fd-aa9a-98d69e20301e", - "target-uuid": "6c49d50f-494d-4150-b774-a655022d20a6" - }, - "uuid": "706c698c-aa8d-4fac-a6c1-2e047c3f965c", - "value": "BrainTest (MOB-S0009) uses Download New Code at Runtime (MOB-T1010)" - }, - { - 
"meta": { - "source-uuid": "05c4f87c-be8f-46ea-8d9a-2a0aad8f52c1", - "target-uuid": "6683aa0c-d98a-4f5b-ac57-ca7e9934a760" - }, - "uuid": "69de3f7e-faa7-4342-b755-4777a68fd89b", - "value": "DroidJack RAT (MOB-S0036) uses Microphone or Camera Recordings (MOB-T1032)" - }, - { - "meta": { - "source-uuid": "1553b156-6767-47f7-9eb4-2a692505666d", - "target-uuid": "8f142a25-f6c3-4520-bd50-2ae3ab50ed3e" - }, - "uuid": "3a446bee-007b-4b1f-849e-60e9d39c2e92", - "value": "Application Vetting (MOB-M1005) mitigates URL Scheme Hijacking (MOB-T1018)" - }, - { - "meta": { - "source-uuid": "363bc05d-13cb-4e98-a5b7-e250f2bbdc2b", - "target-uuid": "6c49d50f-494d-4150-b774-a655022d20a6" - }, - "uuid": "8d027310-93a0-4046-b7ad-d1f461f30838", - "value": "RCSAndroid (MOB-S0011) uses Download New Code at Runtime (MOB-T1010)" - }, - { - "meta": { - "source-uuid": "0beabf44-e8d8-4ae4-9122-ef56369a2564", - "target-uuid": "a0464539-e1b7-4455-a355-12495987c300" - }, - "uuid": "09fa9342-34cb-4f0d-8cdf-df4d51d0ae12", - "value": "Use Recent OS Version (MOB-M1006) mitigates Attack PC via USB Connection (MOB-T1030)" - }, - { - "meta": { - "source-uuid": "1553b156-6767-47f7-9eb4-2a692505666d", - "target-uuid": "ef771e03-e080-43b4-a619-ac6f84899884" - }, - "uuid": "a01af4da-0910-4a20-805f-86b3ae1dc046", - "value": "Application Vetting (MOB-M1005) mitigates Exploit TEE Vulnerability (MOB-T1008)" - }, - { - "meta": { - "source-uuid": "3c3b55a6-c3e9-4043-8aae-283fe96220c0", - "target-uuid": "51aedbd6-2837-4d15-aeb0-cb09f2bf22ac" - }, - "uuid": "40581c90-e948-4e91-8530-a9bc59cce9d7", - "value": "ZergHelper (MOB-S0003) uses Abuse of iOS Enterprise App Signing Key (MOB-T1048)" - }, - { - "meta": { - "source-uuid": "ca4f63b9-a358-4214-bb26-8c912318cfde", - "target-uuid": "82f04b1e-5371-4a6f-be06-411f0f43b483" - }, - "uuid": "51757971-17ac-40c3-bae7-78365579db49", - "value": "OBAD (MOB-S0002) uses Abuse Device Administrator Access to Prevent Removal (MOB-T1004)" - }, - { - "meta": { - "source-uuid": 
"da21929e-40c0-443d-bdf4-6b60d15448b4", - "target-uuid": "9d7c32f4-ab39-49dc-8055-8106bc2294a1" - }, - "uuid": "1218ed50-bd44-4f37-baba-1aae998b5a1f", - "value": "Xbot (MOB-S0014) uses Lock User Out of Device (MOB-T1049)" - }, - { - "meta": { - "source-uuid": "93799a9d-3537-43d8-b6f4-17215de1657c", - "target-uuid": "702055ac-4e54-4ae9-9527-e23a38e0b160" - }, - "uuid": "3f973c3c-45f8-432a-9859-e8749f2e7418", - "value": "Pegasus for Android (MOB-S0032) uses Access Sensitive Data or Credentials in Files (MOB-T1012)" - }, - { - "meta": { - "source-uuid": "d1c600f8-0fb6-4367-921b-85b71947d950", - "target-uuid": "d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a" - }, - "uuid": "bee6407a-1f05-4f91-b6e7-a8f8b58fa421", - "value": "Charger (MOB-S0039) uses Obfuscated or Encrypted Payload (MOB-T1009)" - }, - { - "meta": { - "source-uuid": "33d9d91d-aad9-49d5-a516-220ce101ac8a", - "target-uuid": "702055ac-4e54-4ae9-9527-e23a38e0b160" - }, - "uuid": "a290a8ca-e650-456c-b33e-03343fe5ea4e", - "value": "Pegasus (MOB-S0005) uses Access Sensitive Data or Credentials in Files (MOB-T1012)" - }, - { - "meta": { - "source-uuid": "cf2cccb1-cab8-431a-8ecf-f7874d05f433", - "target-uuid": "9d7c32f4-ab39-49dc-8055-8106bc2294a1" - }, - "uuid": "1ed76ca9-0ed6-40f9-89c6-64662fdd447d", - "value": "Deploy Compromised Device Detection Method (MOB-M1010) mitigates Lock User Out of Device (MOB-T1049)" - }, - { - "meta": { - "source-uuid": "e829ee51-1caf-4665-ba15-7f8979634124", - "target-uuid": "fb3fa94a-3aee-4ab0-b7e7-abdf0a51286d" - }, - "uuid": "26a9db86-5ecf-400a-bdd9-419448c2f776", - "value": "Interconnection Filtering (MOB-M1014) mitigates Exploit SS7 to Redirect Phone Calls/SMS (MOB-T1052)" - }, - { - "meta": { - "source-uuid": "f6ac21b6-2592-400c-8472-10d0e2f1bfaf", - "target-uuid": "79eec66a-9bd0-4a3f-ac82-19159e94bd44" - }, - "uuid": "e87aa0d6-241f-4f72-bdb6-54e8d5584ae2", - "value": "Adups (MOB-S0025) uses Access Call Log (MOB-T1036)" - }, - { - "meta": { - "source-uuid": 
"8ccd428d-39da-4e8f-a55b-d48ea1d56e58", - "target-uuid": "46d818a5-67fa-4585-a7fc-ecf15376c8d5" - }, - "uuid": "ce6c7f21-91a5-4d63-bd03-a6b57e025afe", - "value": "Lock Bootloader (MOB-M1003) mitigates Modify OS Kernel or Boot Partition (MOB-T1001)" - }, - { - "meta": { - "source-uuid": "bcecd036-f40e-4916-9f8e-fd0ccf0ece8d", - "target-uuid": "f296fc9c-2ff5-43ee-941e-6b49c438270a" - }, - "uuid": "2f5da3a1-19da-421f-be48-cfdcd3c79be1", - "value": "Security Updates (MOB-M1001) mitigates Device Unlock Code Guessing or Brute Force (MOB-T1062)" - }, - { - "meta": { - "source-uuid": "4bf6ba32-4165-42c1-b911-9c36165891c8", - "target-uuid": "6a3f6490-9c44-40de-b059-e5940f246673" - }, - "uuid": "f2e23cb7-7bac-4938-91ea-7dd42b41ba29", - "value": "ANDROIDOS_ANSERVER.A (MOB-S0026) uses Standard Application Layer Protocol (MOB-T1040)" - }, - { - "meta": { - "source-uuid": "1553b156-6767-47f7-9eb4-2a692505666d", - "target-uuid": "62adb627-f647-498e-b4cc-41499361bacb" - }, - "uuid": "85328449-c231-444d-905a-2988c14d3e82", - "value": "Application Vetting (MOB-M1005) mitigates Access Calendar Entries (MOB-T1038)" - }, - { - "meta": { - "source-uuid": "1553b156-6767-47f7-9eb4-2a692505666d", - "target-uuid": "82f04b1e-5371-4a6f-be06-411f0f43b483" - }, - "uuid": "4a697724-4457-436b-97ad-9d6f445fb6b0", - "value": "Application Vetting (MOB-M1005) mitigates Abuse Device Administrator Access to Prevent Removal (MOB-T1004)" - }, - { - "meta": { - "source-uuid": "326eaf7b-5784-4f08-8fc2-61fd5d5bc5fb", - "target-uuid": "d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a" - }, - "uuid": "b3bb33bf-9034-4d5c-8ea0-31d3bbd12b6b", - "value": "WireLurker (MOB-S0028) uses Obfuscated or Encrypted Payload (MOB-T1009)" - }, - { - "meta": { - "source-uuid": "6447e3a1-ef4d-44b1-99d5-6b1c4888674f", - "target-uuid": "f981d199-2720-467e-9dc9-eea04dbe05cf" - }, - "uuid": "b263e4e9-972d-4ba7-8be8-e55eb6a483c0", - "value": "HummingWhale (MOB-S0037) uses Generate Fraudulent Advertising Revenue (MOB-T1075)" - }, - { - "meta": 
{ - "source-uuid": "649f7268-4c12-483b-ac84-4b7bca9fe2ee", - "target-uuid": "f296fc9c-2ff5-43ee-941e-6b49c438270a" - }, - "uuid": "718949aa-6841-48d2-9343-f01be0aa32c1", - "value": "Enterprise Policy (MOB-M1012) mitigates Device Unlock Code Guessing or Brute Force (MOB-T1062)" - }, - { - "meta": { - "source-uuid": "20dbaf05-59b8-4dc6-8777-0b17f4553a23", - "target-uuid": "702055ac-4e54-4ae9-9527-e23a38e0b160" - }, - "uuid": "bc4e848a-adb7-40a2-94a1-d5ab9854ff0f", - "value": "SpyNote RAT (MOB-S0021) uses Access Sensitive Data or Credentials in Files (MOB-T1012)" - }, - { - "meta": { - "source-uuid": "0beabf44-e8d8-4ae4-9122-ef56369a2564", - "target-uuid": "1b51f5bc-b97a-498a-8dbd-bc6b1901bf19" - }, - "uuid": "024f9ee4-cb7d-49f4-b180-ad1e5e168a4c", - "value": "Use Recent OS Version (MOB-M1006) mitigates Process Discovery (MOB-T1027)" - }, - { - "meta": { - "source-uuid": "1553b156-6767-47f7-9eb4-2a692505666d", - "target-uuid": "d731c21e-f27d-4756-b418-0e2aaabd6d63" - }, - "uuid": "6f1cadef-283b-466b-bfa2-0cb51edf88f7", - "value": "Application Vetting (MOB-M1005) mitigates Manipulate Device Communication (MOB-T1066)" - }, - { - "meta": { - "source-uuid": "0beabf44-e8d8-4ae4-9122-ef56369a2564", - "target-uuid": "a9cab8f6-4c94-4c9b-9e7d-9d863ff53431" - }, - "uuid": "176ba064-0657-4850-baa3-626bc845efd3", - "value": "Use Recent OS Version (MOB-M1006) mitigates Malicious Media Content (MOB-T1060)" - }, - { - "meta": { - "source-uuid": "d05f7357-4cbe-47ea-bf83-b8604226d533", - "target-uuid": "e8b4e1ec-8e3b-484c-9038-4459b1ed8060" - }, - "uuid": "68e5789c-9f60-421e-9c79-fae207a29e83", - "value": "Android/Chuli.A (MOB-S0020) uses Capture SMS Messages (MOB-T1015)" - }, - { - "meta": { - "source-uuid": "33d9d91d-aad9-49d5-a516-220ce101ac8a", - "target-uuid": "fd339382-bfec-4bf0-8d47-1caedc9e7e57" - }, - "uuid": "638f3d4b-f1d4-4c61-91a0-7c125ef8437a", - "value": "Pegasus (MOB-S0005) uses Malicious Web Content (MOB-T1059)" - }, - { - "meta": { - "source-uuid": 
"bcecd036-f40e-4916-9f8e-fd0ccf0ece8d", - "target-uuid": "3b0b604f-10db-41a0-b54c-493124d455b9" - }, - "uuid": "8aa790cc-0d42-4114-8cbe-783abc595b8b", - "value": "Security Updates (MOB-M1001) mitigates Network Traffic Capture or Redirection (MOB-T1013)" - }, - { - "meta": { - "source-uuid": "1553b156-6767-47f7-9eb4-2a692505666d", - "target-uuid": "198ce408-1470-45ee-b47f-7056050d4fc2" - }, - "uuid": "5b14149e-09f1-4d38-82bc-0ff3cff8b650", - "value": "Application Vetting (MOB-M1005) mitigates Application Discovery (MOB-T1021)" - }, - { - "meta": { - "source-uuid": "e944670c-d03a-4e93-a21c-b3d4c53ec4c9", - "target-uuid": "9d7c32f4-ab39-49dc-8055-8106bc2294a1" - }, - "uuid": "6bb99599-aa51-4492-9c79-296a772233b4", - "value": "Caution with Device Administrator Access (MOB-M1007) mitigates Lock User Out of Device (MOB-T1049)" - }, - { - "meta": { - "source-uuid": "b6d3657a-2d6a-400f-8b7e-4d60391aa1f7", - "target-uuid": "6b846ad0-cc20-4db6-aa34-91561397c5e2" - }, - "uuid": "f14af74f-fb6b-480f-91de-d755c89960ce", - "value": "AndroidOverlayMalware (MOB-S0012) uses App Delivered via Web Download (MOB-T1034)" - }, - { - "meta": { - "source-uuid": "649f7268-4c12-483b-ac84-4b7bca9fe2ee", - "target-uuid": "51aedbd6-2837-4d15-aeb0-cb09f2bf22ac" - }, - "uuid": "8e49feb1-e401-4e63-acfa-7f8b9a8ca026", - "value": "Enterprise Policy (MOB-M1012) mitigates Abuse of iOS Enterprise App Signing Key (MOB-T1048)" - }, - { - "meta": { - "source-uuid": "5ddf81ea-2c06-497b-8c30-5f1ab89a40f9", - "target-uuid": "6b846ad0-cc20-4db6-aa34-91561397c5e2" - }, - "uuid": "6fce6a21-ab9b-44a5-be20-9b631109487b", - "value": "MazarBOT (MOB-S0019) uses App Delivered via Web Download (MOB-T1034)" - }, - { - "meta": { - "source-uuid": "e13d084c-382f-40fd-aa9a-98d69e20301e", - "target-uuid": "d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a" - }, - "uuid": "78cc0d6d-6347-45a4-a18c-ca76150aa7a9", - "value": "BrainTest (MOB-S0009) uses Obfuscated or Encrypted Payload (MOB-T1009)" - }, - { - "meta": { - "source-uuid": 
"33d9d91d-aad9-49d5-a516-220ce101ac8a", - "target-uuid": "6683aa0c-d98a-4f5b-ac57-ca7e9934a760" - }, - "uuid": "b7652f27-1cf6-4310-bf6b-5fb99c4fd725", - "value": "Pegasus (MOB-S0005) uses Microphone or Camera Recordings (MOB-T1032)" - }, - { - "meta": { - "source-uuid": "1553b156-6767-47f7-9eb4-2a692505666d", - "target-uuid": "8e27551a-5080-4148-a584-c64348212e4f" - }, - "uuid": "b1f2770e-11f0-429c-9bac-9fa5bc5859b0", - "value": "Application Vetting (MOB-M1005) mitigates Wipe Device Data (MOB-T1050)" - }, - { - "meta": { - "source-uuid": "bcecd036-f40e-4916-9f8e-fd0ccf0ece8d", - "target-uuid": "0bcc4ec1-a897-49a9-a9ff-c00df1d1209d" - }, - "uuid": "69bdeed3-d6a8-4d10-8bf5-44c6cb4392e5", - "value": "Security Updates (MOB-M1001) mitigates Malicious SMS Message (MOB-T1057)" - }, - { - "meta": { - "source-uuid": "93799a9d-3537-43d8-b6f4-17215de1657c", - "target-uuid": "6683aa0c-d98a-4f5b-ac57-ca7e9934a760" - }, - "uuid": "0cae6859-d7d1-483b-b473-4f32084938a9", - "value": "Pegasus for Android (MOB-S0032) uses Microphone or Camera Recordings (MOB-T1032)" - }, - { - "meta": { - "source-uuid": "0beabf44-e8d8-4ae4-9122-ef56369a2564", - "target-uuid": "fd339382-bfec-4bf0-8d47-1caedc9e7e57" - }, - "uuid": "3f3d63f0-1f03-4931-9624-10eaf4b207b4", - "value": "Use Recent OS Version (MOB-M1006) mitigates Malicious Web Content (MOB-T1059)" - }, - { - "meta": { - "source-uuid": "33d9d91d-aad9-49d5-a516-220ce101ac8a", - "target-uuid": "99e6295e-741b-4857-b6e5-64989eb039b4" - }, - "uuid": "94040d2e-3f60-423c-8a93-a83b61cafe7d", - "value": "Pegasus (MOB-S0005) uses Location Tracking (MOB-T1033)" - }, - { - "meta": { - "source-uuid": "f6ac21b6-2592-400c-8472-10d0e2f1bfaf", - "target-uuid": "99e6295e-741b-4857-b6e5-64989eb039b4" - }, - "uuid": "8ed14c81-0b30-4bfc-8552-439aa0e920c3", - "value": "Adups (MOB-S0025) uses Location Tracking (MOB-T1033)" - }, - { - "meta": { - "source-uuid": "c80a6bef-b3ce-44d0-b113-946e93124898", - "target-uuid": "351c0927-2fc1-4a2c-ad84-cbbee7eb8172" - }, - 
"uuid": "f0851531-e554-4658-920c-f2342632c19a", - "value": "Shedun (MOB-S0010) uses Exploit OS Vulnerability (MOB-T1007)" - }, - { - "meta": { - "source-uuid": "d9e07aea-baad-4b68-bdca-90c77647d7f9", - "target-uuid": "3dd58c80-4c2e-458c-9503-1b2cd273c4d2" - }, - "uuid": "13efc415-5e17-4a16-81c2-64e74815907f", - "value": "XcodeGhost (MOB-S0013) uses User Interface Spoofing (MOB-T1014)" - }, - { - "meta": { - "source-uuid": "0beabf44-e8d8-4ae4-9122-ef56369a2564", - "target-uuid": "0bcc4ec1-a897-49a9-a9ff-c00df1d1209d" - }, - "uuid": "a912f528-5218-4e0b-a350-7e9012cccdf3", - "value": "Use Recent OS Version (MOB-M1006) mitigates Malicious SMS Message (MOB-T1057)" - }, - { - "meta": { - "source-uuid": "653492e3-27be-4a0e-b08c-938dd2b7e0e1", - "target-uuid": "f296fc9c-2ff5-43ee-941e-6b49c438270a" - }, - "uuid": "64a6fb42-65ce-4160-a5c8-ac176f60a2ae", - "value": "User Guidance (MOB-M1011) mitigates Device Unlock Code Guessing or Brute Force (MOB-T1062)" - }, - { - "meta": { - "source-uuid": "3bc1f0ad-ef11-4afc-83c0-fcffe08d4e50", - "target-uuid": "9d7c32f4-ab39-49dc-8055-8106bc2294a1" - }, - "uuid": "9f737872-3503-4ef4-b575-ab6037b33a98", - "value": "KeyRaider (MOB-S0004) uses Lock User Out of Device (MOB-T1049)" - }, - { - "meta": { - "source-uuid": "56660521-6db4-4e5a-a927-464f22954b7c", - "target-uuid": "a93ccb8f-3996-42e2-b7c7-bb599d4e205f" - }, - "uuid": "efcfe1a3-3351-4b4f-ae36-101f103b4798", - "value": "X-Agent (MOB-S0030) uses Repackaged Application (MOB-T1047)" - }, - { - "meta": { - "source-uuid": "ff742eeb-1f90-4f5a-8b92-9d40fffd99ca", - "target-uuid": "22379609-a99f-4a01-bd7e-70f3e105859d" - }, - "uuid": "81db3270-4cb8-4982-8ff8-c28a874e8421", - "value": "DressCode (MOB-S0016) uses Exploit Enterprise Resources (MOB-T1031)" - }, - { - "meta": { - "source-uuid": "1553b156-6767-47f7-9eb4-2a692505666d", - "target-uuid": "f981d199-2720-467e-9dc9-eea04dbe05cf" - }, - "uuid": "31942635-81b1-4657-8882-50fb97fae64b", - "value": "Application Vetting (MOB-M1005) 
mitigates Generate Fraudulent Advertising Revenue (MOB-T1075)" - }, - { - "meta": { - "source-uuid": "ff4821f6-5afb-481b-8c0f-26c28c0d666c", - "target-uuid": "46d818a5-67fa-4585-a7fc-ecf15376c8d5" - }, - "uuid": "49f0f7b8-7208-4650-89c2-5d6b1f166113", - "value": "Attestation (MOB-M1002) mitigates Modify OS Kernel or Boot Partition (MOB-T1001)" - }, - { - "meta": { - "source-uuid": "8220b57e-c400-4525-bf69-f8edc6b389a8", - "target-uuid": "a5de0540-73e7-4c67-96da-4143afedc7ed" - }, - "uuid": "b2b31911-5b7e-4df3-89c6-00b5b372fb4f", - "value": "Encrypt Network Traffic (MOB-M1009) mitigates Rogue Cellular Base Station (MOB-T1070)" - }, - { - "meta": { - "source-uuid": "0beabf44-e8d8-4ae4-9122-ef56369a2564", - "target-uuid": "ef771e03-e080-43b4-a619-ac6f84899884" - }, - "uuid": "51186ad6-e721-49cf-9cf7-89466d5f29f4", - "value": "Use Recent OS Version (MOB-M1006) mitigates Exploit TEE Vulnerability (MOB-T1008)" - }, - { - "meta": { - "source-uuid": "bcecd036-f40e-4916-9f8e-fd0ccf0ece8d", - "target-uuid": "e8b4e1ec-8e3b-484c-9038-4459b1ed8060" - }, - "uuid": "f6fa0801-418e-43e5-bfae-332e909624fc", - "value": "Security Updates (MOB-M1001) mitigates Capture SMS Messages (MOB-T1015)" - }, - { - "meta": { - "source-uuid": "bcecd036-f40e-4916-9f8e-fd0ccf0ece8d", - "target-uuid": "fd339382-bfec-4bf0-8d47-1caedc9e7e57" - }, - "uuid": "d98a030f-c551-4fd0-9948-32e1ea01f79c", - "value": "Security Updates (MOB-M1001) mitigates Malicious Web Content (MOB-T1059)" - }, - { - "meta": { - "source-uuid": "41e3fd01-7b83-471f-835d-d2b1dc9a770c", - "target-uuid": "6a3f6490-9c44-40de-b059-e5940f246673" - }, - "uuid": "9d7ac1b2-3fa9-4236-b72d-5565f0c66eab", - "value": "Twitoor (MOB-S0018) uses Standard Application Layer Protocol (MOB-T1040)" - }, - { - "meta": { - "source-uuid": "d89c132d-7752-4c7f-9372-954a71522985", - "target-uuid": "6a3f6490-9c44-40de-b059-e5940f246673" - }, - "uuid": "2cdd5474-620c-499e-8b9c-835505febc2c", - "value": "Trojan-SMS.AndroidOS.OpFake.a (MOB-S0024) uses Standard 
Application Layer Protocol (MOB-T1040)" - }, - { - "meta": { - "source-uuid": "7b1cf46f-784b-405a-a8dd-4624c19d8321", - "target-uuid": "c5089859-b21f-40a3-8be4-63e381b8b1c0" - }, - "uuid": "0977107c-9dd3-4cc5-b769-7e29da9f4bb6", - "value": "System Partition Integrity (MOB-M1004) mitigates Modify System Partition (MOB-T1003)" - }, - { - "meta": { - "source-uuid": "20d56cd6-8dff-4871-9889-d32d254816de", - "target-uuid": "351c0927-2fc1-4a2c-ad84-cbbee7eb8172" - }, - "uuid": "aa8e45c2-4276-451b-b1eb-59c396bf720a", - "value": "Gooligan (MOB-S0006) uses Exploit OS Vulnerability (MOB-T1007)" - }, - { - "meta": { - "source-uuid": "1553b156-6767-47f7-9eb4-2a692505666d", - "target-uuid": "351c0927-2fc1-4a2c-ad84-cbbee7eb8172" - }, - "uuid": "5f6f5913-cade-4b14-aa96-5a921b0927a7", - "value": "Application Vetting (MOB-M1005) mitigates Exploit OS Vulnerability (MOB-T1007)" - }, - { - "meta": { - "source-uuid": "a3dad2be-ce62-4440-953b-00fbce7aba93", - "target-uuid": "99e6295e-741b-4857-b6e5-64989eb039b4" - }, - "uuid": "fa1da6db-da32-45d2-98a8-6bbe153166da", - "value": "AndroRAT (MOB-S0008) uses Location Tracking (MOB-T1033)" - }, - { - "meta": { - "source-uuid": "8ccd428d-39da-4e8f-a55b-d48ea1d56e58", - "target-uuid": "c5089859-b21f-40a3-8be4-63e381b8b1c0" - }, - "uuid": "ef7f8f51-6aea-4f5c-9c96-f353a14cf062", - "value": "Lock Bootloader (MOB-M1003) mitigates Modify System Partition (MOB-T1003)" - }, - { - "meta": { - "source-uuid": "0beabf44-e8d8-4ae4-9122-ef56369a2564", - "target-uuid": "8f0e39c6-82c9-41ec-9f93-5696c0f2e274" - }, - "uuid": "d6930d98-f8a2-4556-baa4-95275d3fa23d", - "value": "Use Recent OS Version (MOB-M1006) mitigates Premium SMS Toll Fraud (MOB-T1051)" - }, - { - "meta": { - "source-uuid": "0beabf44-e8d8-4ae4-9122-ef56369a2564", - "target-uuid": "3dd58c80-4c2e-458c-9503-1b2cd273c4d2" - }, - "uuid": "dfc1f490-f8b9-4287-8c79-652d42f0a64a", - "value": "Use Recent OS Version (MOB-M1006) mitigates User Interface Spoofing (MOB-T1014)" - }, - { - "meta": { - 
"source-uuid": "93799a9d-3537-43d8-b6f4-17215de1657c", - "target-uuid": "351c0927-2fc1-4a2c-ad84-cbbee7eb8172" - }, - "uuid": "3d24d88e-a0ab-42c6-8e8f-11f721082bba", - "value": "Pegasus for Android (MOB-S0032) uses Exploit OS Vulnerability (MOB-T1007)" - }, - { - "meta": { - "source-uuid": "f6ac21b6-2592-400c-8472-10d0e2f1bfaf", - "target-uuid": "4e6620ac-c30c-4f6d-918e-fa20cae7c1ce" - }, - "uuid": "a8079e6a-ef87-4e3b-9f71-cf1ea2360892", - "value": "Adups (MOB-S0025) uses Access Contact List (MOB-T1035)" - }, - { - "meta": { - "source-uuid": "05c4f87c-be8f-46ea-8d9a-2a0aad8f52c1", - "target-uuid": "a93ccb8f-3996-42e2-b7c7-bb599d4e205f" - }, - "uuid": "5f82db63-d7c2-43c7-a056-3cf718201ced", - "value": "DroidJack RAT (MOB-S0036) uses Repackaged Application (MOB-T1047)" - }, - { - "meta": { - "source-uuid": "33d9d91d-aad9-49d5-a516-220ce101ac8a", - "target-uuid": "351c0927-2fc1-4a2c-ad84-cbbee7eb8172" - }, - "uuid": "63e67cba-4eae-4495-8897-2610103a0c41", - "value": "Pegasus (MOB-S0005) uses Exploit OS Vulnerability (MOB-T1007)" - }, - { - "meta": { - "source-uuid": "936be60d-90eb-4c36-9247-4b31128432c4", - "target-uuid": "d4536441-1bcc-49fa-80ae-a596ed3f7ffd" - }, - "uuid": "3c291ee5-1782-4e5b-8131-5188c7388f45", - "value": "RuMMS (MOB-S0029) uses Local Network Configuration Discovery (MOB-T1025)" - }, - { - "meta": { - "source-uuid": "0beabf44-e8d8-4ae4-9122-ef56369a2564", - "target-uuid": "79eec66a-9bd0-4a3f-ac82-19159e94bd44" - }, - "uuid": "b28c1e81-4f78-4e40-9899-2872cdbcceba", - "value": "Use Recent OS Version (MOB-M1006) mitigates Access Call Log (MOB-T1036)" - }, - { - "meta": { - "source-uuid": "1553b156-6767-47f7-9eb4-2a692505666d", - "target-uuid": "d9e88203-2b5d-405f-a406-2933b1e3d7e4" - }, - "uuid": "c5b80ca7-eceb-43ea-991e-10af5d9ca4bc", - "value": "Application Vetting (MOB-M1005) mitigates Encrypt Files for Ransom (MOB-T1074)" - }, - { - "meta": { - "source-uuid": "3bc1f0ad-ef11-4afc-83c0-fcffe08d4e50", - "target-uuid": 
"3b0b604f-10db-41a0-b54c-493124d455b9" - }, - "uuid": "b596251a-73db-4e53-a04d-51be783b0241", - "value": "KeyRaider (MOB-S0004) uses Network Traffic Capture or Redirection (MOB-T1013)" - }, - { - "meta": { - "source-uuid": "363bc05d-13cb-4e98-a5b7-e250f2bbdc2b", - "target-uuid": "6683aa0c-d98a-4f5b-ac57-ca7e9934a760" - }, - "uuid": "14143e21-51bf-4fa7-a949-d22a8271f590", - "value": "RCSAndroid (MOB-S0011) uses Microphone or Camera Recordings (MOB-T1032)" - }, - { - "meta": { - "source-uuid": "8220b57e-c400-4525-bf69-f8edc6b389a8", - "target-uuid": "3b0b604f-10db-41a0-b54c-493124d455b9" - }, - "uuid": "ee0afd88-a0fc-4b1d-b047-9b9bf04d36fe", - "value": "Encrypt Network Traffic (MOB-M1009) mitigates Network Traffic Capture or Redirection (MOB-T1013)" - }, - { - "meta": { - "source-uuid": "93799a9d-3537-43d8-b6f4-17215de1657c", - "target-uuid": "bd4d32f5-eed4-4018-a649-40b229dd1d69" - }, - "uuid": "19df76ee-fa85-43cf-96ce-422d46f29a13", - "value": "Pegasus for Android (MOB-S0032) uses App Auto-Start at Device Boot (MOB-T1005)" - }, - { - "meta": { - "source-uuid": "649f7268-4c12-483b-ac84-4b7bca9fe2ee", - "target-uuid": "1f96d624-8409-4472-ad8a-30618ee6b2e2" - }, - "uuid": "0673ca70-d403-4e49-8e18-de4bf8ab700c", - "value": "Enterprise Policy (MOB-M1012) mitigates App Delivered via Email Attachment (MOB-T1037)" - }, - { - "meta": { - "source-uuid": "20dbaf05-59b8-4dc6-8777-0b17f4553a23", - "target-uuid": "99e6295e-741b-4857-b6e5-64989eb039b4" - }, - "uuid": "0f7e7c29-43f0-4aff-ae83-dfff331915ef", - "value": "SpyNote RAT (MOB-S0021) uses Location Tracking (MOB-T1033)" - }, - { - "meta": { - "source-uuid": "653492e3-27be-4a0e-b08c-938dd2b7e0e1", - "target-uuid": "1f96d624-8409-4472-ad8a-30618ee6b2e2" - }, - "uuid": "bf859944-d097-45ba-ae01-2f85a00cad1f", - "value": "User Guidance (MOB-M1011) mitigates App Delivered via Email Attachment (MOB-T1037)" - }, - { - "meta": { - "source-uuid": "e13d084c-382f-40fd-aa9a-98d69e20301e", - "target-uuid": 
"76c12fc8-a4eb-45d6-a3b7-e371a7248f69" - }, - "uuid": "6086e1e2-1b39-4ff2-910e-4a4eb86d57b7", - "value": "BrainTest (MOB-S0009) uses Manipulate App Store Rankings or Ratings (MOB-T1055)" - }, - { - "meta": { - "source-uuid": "8ccd428d-39da-4e8f-a55b-d48ea1d56e58", - "target-uuid": "667e5707-3843-4da8-bd34-88b922526f0d" - }, - "uuid": "3230c032-17e0-49f7-b948-c157049aafe2", - "value": "Lock Bootloader (MOB-M1003) mitigates Exploit via Charging Station or PC (MOB-T1061)" - }, - { - "meta": { - "source-uuid": "33d9d91d-aad9-49d5-a516-220ce101ac8a", - "target-uuid": "0bcc4ec1-a897-49a9-a9ff-c00df1d1209d" - }, - "uuid": "9e77b80d-4981-4908-9203-c4e7cea5b5d8", - "value": "Pegasus (MOB-S0005) uses Malicious SMS Message (MOB-T1057)" - }, - { - "meta": { - "source-uuid": "0beabf44-e8d8-4ae4-9122-ef56369a2564", - "target-uuid": "2204c371-6100-4ae0-82f3-25c07c29772a" - }, - "uuid": "55f12292-dc9d-4bfd-9de9-2d07cd67b044", - "value": "Use Recent OS Version (MOB-M1006) mitigates Abuse Accessibility Features (MOB-T1056)" - }, - { - "meta": { - "source-uuid": "33d9d91d-aad9-49d5-a516-220ce101ac8a", - "target-uuid": "4e6620ac-c30c-4f6d-918e-fa20cae7c1ce" - }, - "uuid": "7baa3cab-c4f8-4b91-a6c3-189ad7a6416c", - "value": "Pegasus (MOB-S0005) uses Access Contact List (MOB-T1035)" - }, - { - "meta": { - "source-uuid": "d1c600f8-0fb6-4367-921b-85b71947d950", - "target-uuid": "4e6620ac-c30c-4f6d-918e-fa20cae7c1ce" - }, - "uuid": "e2ee6825-43c2-441f-ba96-404a330a9059", - "value": "Charger (MOB-S0039) uses Access Contact List (MOB-T1035)" - }, - { - "meta": { - "source-uuid": "e944670c-d03a-4e93-a21c-b3d4c53ec4c9", - "target-uuid": "82f04b1e-5371-4a6f-be06-411f0f43b483" - }, - "uuid": "3c2d7ccc-5980-4012-8aab-64979bcd0ea6", - "value": "Caution with Device Administrator Access (MOB-M1007) mitigates Abuse Device Administrator Access to Prevent Removal (MOB-T1004)" - }, - { - "meta": { - "source-uuid": "1553b156-6767-47f7-9eb4-2a692505666d", - "target-uuid": 
"d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a" - }, - "uuid": "b4e055cf-f77e-4888-9610-6cd328e035c8", - "value": "Application Vetting (MOB-M1005) mitigates Obfuscated or Encrypted Payload (MOB-T1009)" - }, - { - "meta": { - "source-uuid": "0beabf44-e8d8-4ae4-9122-ef56369a2564", - "target-uuid": "d4536441-1bcc-49fa-80ae-a596ed3f7ffd" - }, - "uuid": "554ec347-c8b2-43da-876b-36608dcc543d", - "value": "Use Recent OS Version (MOB-M1006) mitigates Local Network Configuration Discovery (MOB-T1025)" - }, - { - "meta": { - "source-uuid": "20d56cd6-8dff-4871-9889-d32d254816de", - "target-uuid": "702055ac-4e54-4ae9-9527-e23a38e0b160" - }, - "uuid": "a25d58af-dbb3-4025-b91d-898c6adffcb3", - "value": "Gooligan (MOB-S0006) uses Access Sensitive Data or Credentials in Files (MOB-T1012)" - }, - { - "meta": { - "source-uuid": "1553b156-6767-47f7-9eb4-2a692505666d", - "target-uuid": "1b51f5bc-b97a-498a-8dbd-bc6b1901bf19" - }, - "uuid": "6c0491ee-53e0-44ae-bcd0-253fc47de61e", - "value": "Application Vetting (MOB-M1005) mitigates Process Discovery (MOB-T1027)" - }, - { - "meta": { - "source-uuid": "8220b57e-c400-4525-bf69-f8edc6b389a8", - "target-uuid": "393e8c12-a416-4575-ba90-19cc85656796" - }, - "uuid": "b5097495-f417-46ed-88e2-02cba2371936", - "value": "Encrypt Network Traffic (MOB-M1009) mitigates Eavesdrop on Insecure Network Communication (MOB-T1042)" - }, - { - "meta": { - "source-uuid": "653492e3-27be-4a0e-b08c-938dd2b7e0e1", - "target-uuid": "f9e4f526-ac9d-4df5-8949-833a82a1d2df" - }, - "uuid": "aa23a2c6-ed8a-4453-95d1-f9a47e14b0f9", - "value": "User Guidance (MOB-M1011) mitigates Malicious or Vulnerable Built-in Device Functionality (MOB-T1076)" - }, - { - "meta": { - "source-uuid": "317a2c10-d489-431e-b6b2-f0251fddc88e", - "target-uuid": "6683aa0c-d98a-4f5b-ac57-ca7e9934a760" - }, - "uuid": "ed06f5dc-9d02-4896-a0a3-2f457c64f125", - "value": "Dendroid (MOB-S0017) uses Microphone or Camera Recordings (MOB-T1032)" - }, - { - "meta": { - "source-uuid": 
"0beabf44-e8d8-4ae4-9122-ef56369a2564", - "target-uuid": "e8b4e1ec-8e3b-484c-9038-4459b1ed8060" - }, - "uuid": "a4b53160-fdb8-4cab-90cc-ad12ab13a8a0", - "value": "Use Recent OS Version (MOB-M1006) mitigates Capture SMS Messages (MOB-T1015)" - }, - { - "meta": { - "source-uuid": "a15c9357-2be0-4836-beec-594f28b9b4a9", - "target-uuid": "51aedbd6-2837-4d15-aeb0-cb09f2bf22ac" - }, - "uuid": "c5d6fb25-1782-44c4-b3ae-0cd72e8a6d37", - "value": "YiSpecter (MOB-S0027) uses Abuse of iOS Enterprise App Signing Key (MOB-T1048)" - }, - { - "meta": { - "source-uuid": "05c4f87c-be8f-46ea-8d9a-2a0aad8f52c1", - "target-uuid": "e8b4e1ec-8e3b-484c-9038-4459b1ed8060" - }, - "uuid": "910009da-65c0-4e6a-aeb2-386c643d1c0e", - "value": "DroidJack RAT (MOB-S0036) uses Capture SMS Messages (MOB-T1015)" - }, - { - "meta": { - "source-uuid": "d05f7357-4cbe-47ea-bf83-b8604226d533", - "target-uuid": "1f96d624-8409-4472-ad8a-30618ee6b2e2" - }, - "uuid": "fb371daf-2771-488f-90ca-5e08b9a36c5c", - "value": "Android/Chuli.A (MOB-S0020) uses App Delivered via Email Attachment (MOB-T1037)" - }, - { - "meta": { - "source-uuid": "0beabf44-e8d8-4ae4-9122-ef56369a2564", - "target-uuid": "dfe29258-ce59-421c-9dee-e85cb9fa90cd" - }, - "uuid": "37c4a0cf-0552-46fd-b067-419b15833044", - "value": "Use Recent OS Version (MOB-M1006) mitigates Lockscreen Bypass (MOB-T1064)" - }, - { - "meta": { - "source-uuid": "936be60d-90eb-4c36-9247-4b31128432c4", - "target-uuid": "e8b4e1ec-8e3b-484c-9038-4459b1ed8060" - }, - "uuid": "29dc105c-0b1b-4645-85ef-436c096bd3e2", - "value": "RuMMS (MOB-S0029) uses Capture SMS Messages (MOB-T1015)" - }, - { - "meta": { - "source-uuid": "1553b156-6767-47f7-9eb4-2a692505666d", - "target-uuid": "77e30eee-fd48-40b4-99ec-73e97c158b58" - }, - "uuid": "5b9a54cd-4925-4a2b-ad61-27d70e673093", - "value": "Application Vetting (MOB-M1005) mitigates Android Intent Hijacking (MOB-T1019)" - }, - { - "meta": { - "source-uuid": "0beabf44-e8d8-4ae4-9122-ef56369a2564", - "target-uuid": 
"3b0b604f-10db-41a0-b54c-493124d455b9" - }, - "uuid": "8ccfab20-58cf-4af6-9fb0-6bbf59258ac9", - "value": "Use Recent OS Version (MOB-M1006) mitigates Network Traffic Capture or Redirection (MOB-T1013)" - }, - { - "meta": { - "source-uuid": "23040c15-e7d8-47b5-8c16-8fd3e0e297fe", - "target-uuid": "22379609-a99f-4a01-bd7e-70f3e105859d" - }, - "uuid": "ffc24804-42db-4be1-a418-7f5ab9de453c", - "value": "NotCompatible (MOB-S0015) uses Exploit Enterprise Resources (MOB-T1031)" - }, - { - "meta": { - "source-uuid": "bcecd036-f40e-4916-9f8e-fd0ccf0ece8d", - "target-uuid": "667e5707-3843-4da8-bd34-88b922526f0d" - }, - "uuid": "00b20e5c-5f52-4a07-bfec-e30872e793e3", - "value": "Security Updates (MOB-M1001) mitigates Exploit via Charging Station or PC (MOB-T1061)" - }, - { - "meta": { - "source-uuid": "20dbaf05-59b8-4dc6-8777-0b17f4553a23", - "target-uuid": "4e6620ac-c30c-4f6d-918e-fa20cae7c1ce" - }, - "uuid": "5012c647-9b58-4a4f-b64f-468c9b76a60c", - "value": "SpyNote RAT (MOB-S0021) uses Access Contact List (MOB-T1035)" - }, - { - "meta": { - "source-uuid": "936be60d-90eb-4c36-9247-4b31128432c4", - "target-uuid": "6b846ad0-cc20-4db6-aa34-91561397c5e2" - }, - "uuid": "e3a03a80-0e31-43ef-b802-d6f65c44896d", - "value": "RuMMS (MOB-S0029) uses App Delivered via Web Download (MOB-T1034)" - }, - { - "meta": { - "source-uuid": "33d9d91d-aad9-49d5-a516-220ce101ac8a", - "target-uuid": "d4536441-1bcc-49fa-80ae-a596ed3f7ffd" - }, - "uuid": "450a1b75-efa5-4d7a-bcd5-d3e63723b408", - "value": "Pegasus (MOB-S0005) uses Local Network Configuration Discovery (MOB-T1025)" - }, - { - "meta": { - "source-uuid": "1553b156-6767-47f7-9eb4-2a692505666d", - "target-uuid": "89fcd02f-62dc-40b9-a54b-9ac4b1baef05" - }, - "uuid": "05c87985-4f8a-4a38-b1cd-ab01f0a628ed", - "value": "Application Vetting (MOB-M1005) mitigates Device Type Discovery (MOB-T1022)" - }, - { - "meta": { - "source-uuid": "653492e3-27be-4a0e-b08c-938dd2b7e0e1", - "target-uuid": "a93ccb8f-3996-42e2-b7c7-bb599d4e205f" - }, - "uuid": 
"634e2691-341f-4e5b-83e7-e28369d88c64", - "value": "User Guidance (MOB-M1011) mitigates Repackaged Application (MOB-T1047)" - }, - { - "meta": { - "source-uuid": "0beabf44-e8d8-4ae4-9122-ef56369a2564", - "target-uuid": "cf28ca46-1fd3-46b4-b1f6-ec0b72361848" - }, - "uuid": "7260c8fe-6b3b-48a2-889f-f329fb5b4ef0", - "value": "Use Recent OS Version (MOB-M1006) mitigates File and Directory Discovery (MOB-T1023)" - }, - { - "meta": { - "source-uuid": "a3dad2be-ce62-4440-953b-00fbce7aba93", - "target-uuid": "e8b4e1ec-8e3b-484c-9038-4459b1ed8060" - }, - "uuid": "980c49f8-d991-4e1f-8feb-6173e3dfca1f", - "value": "AndroRAT (MOB-S0008) uses Capture SMS Messages (MOB-T1015)" - }, - { - "meta": { - "source-uuid": "653492e3-27be-4a0e-b08c-938dd2b7e0e1", - "target-uuid": "51aedbd6-2837-4d15-aeb0-cb09f2bf22ac" - }, - "uuid": "49fe6eac-73a7-4147-9121-85fb71fca4ed", - "value": "User Guidance (MOB-M1011) mitigates Abuse of iOS Enterprise App Signing Key (MOB-T1048)" - }, - { - "meta": { - "source-uuid": "d05f7357-4cbe-47ea-bf83-b8604226d533", - "target-uuid": "4e6620ac-c30c-4f6d-918e-fa20cae7c1ce" - }, - "uuid": "cfa1d194-7401-46ba-bfed-5f311aeb22d3", - "value": "Android/Chuli.A (MOB-S0020) uses Access Contact List (MOB-T1035)" - }, - { - "meta": { - "source-uuid": "bcecd036-f40e-4916-9f8e-fd0ccf0ece8d", - "target-uuid": "c91c304a-975d-4501-9789-0db1c57afd3f" - }, - "uuid": "047ab474-c4ec-4675-a817-1e0a9f8dd92f", - "value": "Security Updates (MOB-M1001) mitigates Exploit Baseband Vulnerability (MOB-T1058)" - }, - { - "meta": { - "source-uuid": "e13d084c-382f-40fd-aa9a-98d69e20301e", - "target-uuid": "c5089859-b21f-40a3-8be4-63e381b8b1c0" - }, - "uuid": "0e9edc13-7af7-43c4-8ec2-636b1f8cb7f1", - "value": "BrainTest (MOB-S0009) uses Modify System Partition (MOB-T1003)" - }, - { - "meta": { - "source-uuid": "649f7268-4c12-483b-ac84-4b7bca9fe2ee", - "target-uuid": "6b846ad0-cc20-4db6-aa34-91561397c5e2" - }, - "uuid": "cdb1ed75-d8a5-4088-b282-0b85588bbc8c", - "value": "Enterprise Policy 
(MOB-M1012) mitigates App Delivered via Web Download (MOB-T1034)" - }, - { - "meta": { - "source-uuid": "ca4f63b9-a358-4214-bb26-8c912318cfde", - "target-uuid": "d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a" - }, - "uuid": "b67f04d9-1cbd-49b4-9ec3-a33a41ac42ab", - "value": "OBAD (MOB-S0002) uses Obfuscated or Encrypted Payload (MOB-T1009)" - }, - { - "meta": { - "source-uuid": "0beabf44-e8d8-4ae4-9122-ef56369a2564", - "target-uuid": "f9e4f526-ac9d-4df5-8949-833a82a1d2df" - }, - "uuid": "3baf01c5-591b-43a0-8963-506531313e68", - "value": "Use Recent OS Version (MOB-M1006) mitigates Malicious or Vulnerable Built-in Device Functionality (MOB-T1076)" - }, - { - "meta": { - "source-uuid": "a1867c56-8c86-455a-96ad-b0d5f7e2bc17", - "target-uuid": "6a3f6490-9c44-40de-b059-e5940f246673" - }, - "uuid": "319d46b5-de41-4f23-9001-2fa75f954720", - "value": "Trojan-SMS.AndroidOS.Agent.ao (MOB-S0023) uses Standard Application Layer Protocol (MOB-T1040)" - }, - { - "meta": { - "source-uuid": "649f7268-4c12-483b-ac84-4b7bca9fe2ee", - "target-uuid": "45dcbc83-4abc-4de1-b643-e528d1e9df09" - }, - "uuid": "1a62c9c7-2d3b-4ee7-87d1-d8774050c566", - "value": "Enterprise Policy (MOB-M1012) mitigates Biometric Spoofing (MOB-T1063)" - }, - { - "meta": { - "source-uuid": "33d9d91d-aad9-49d5-a516-220ce101ac8a", - "target-uuid": "79eec66a-9bd0-4a3f-ac82-19159e94bd44" - }, - "uuid": "34351abd-1f58-420a-a893-ad822839815d", - "value": "Pegasus (MOB-S0005) uses Access Call Log (MOB-T1036)" - }, - { - "meta": { - "source-uuid": "0beabf44-e8d8-4ae4-9122-ef56369a2564", - "target-uuid": "f296fc9c-2ff5-43ee-941e-6b49c438270a" - }, - "uuid": "fa7b38df-eedc-469b-bcec-facdd8365231", - "value": "Use Recent OS Version (MOB-M1006) mitigates Device Unlock Code Guessing or Brute Force (MOB-T1062)" - }, - { - "meta": { - "source-uuid": "326eaf7b-5784-4f08-8fc2-61fd5d5bc5fb", - "target-uuid": "667e5707-3843-4da8-bd34-88b922526f0d" - }, - "uuid": "0791f28b-d06f-4fee-9cdb-85a6fd2eed61", - "value": "WireLurker (MOB-S0028) 
uses Exploit via Charging Station or PC (MOB-T1061)" - }, - { - "meta": { - "source-uuid": "1553b156-6767-47f7-9eb4-2a692505666d", - "target-uuid": "8f0e39c6-82c9-41ec-9f93-5696c0f2e274" - }, - "uuid": "4caf3ad1-6ef8-42de-851d-bdc3a22977b3", - "value": "Application Vetting (MOB-M1005) mitigates Premium SMS Toll Fraud (MOB-T1051)" - }, - { - "meta": { - "source-uuid": "d05f7357-4cbe-47ea-bf83-b8604226d533", - "target-uuid": "b3c2e5de-0941-4b57-ba61-af029eb5517a" - }, - "uuid": "c83c84e8-a556-4efe-ae24-75970ee8ad4b", - "value": "Android/Chuli.A (MOB-S0020) uses Alternate Network Mediums (MOB-T1041)" - }, - { - "meta": { - "source-uuid": "bcecd036-f40e-4916-9f8e-fd0ccf0ece8d", - "target-uuid": "a9cab8f6-4c94-4c9b-9e7d-9d863ff53431" - }, - "uuid": "3a9467d4-09df-4266-ba5a-d40309949e70", - "value": "Security Updates (MOB-M1001) mitigates Malicious Media Content (MOB-T1060)" - }, - { - "meta": { - "source-uuid": "1553b156-6767-47f7-9eb4-2a692505666d", - "target-uuid": "3b0b604f-10db-41a0-b54c-493124d455b9" - }, - "uuid": "6407562a-d297-43cd-95df-aec9cf501ce2", - "value": "Application Vetting (MOB-M1005) mitigates Network Traffic Capture or Redirection (MOB-T1013)" - }, - { - "meta": { - "source-uuid": "93799a9d-3537-43d8-b6f4-17215de1657c", - "target-uuid": "b765efd1-02e6-4e67-aebf-0fef5c37e54b" - }, - "uuid": "0e81eb1d-cd1e-43e1-8c09-03927681ce76", - "value": "Pegasus for Android (MOB-S0032) uses Detect App Analysis Environment (MOB-T1043)" - }, - { - "meta": { - "source-uuid": "1553b156-6767-47f7-9eb4-2a692505666d", - "target-uuid": "4e6620ac-c30c-4f6d-918e-fa20cae7c1ce" - }, - "uuid": "e183af70-44d5-4d56-9aad-753eb4c1c964", - "value": "Application Vetting (MOB-M1005) mitigates Access Contact List (MOB-T1035)" - }, - { - "meta": { - "source-uuid": "5ddf81ea-2c06-497b-8c30-5f1ab89a40f9", - "target-uuid": "8f0e39c6-82c9-41ec-9f93-5696c0f2e274" - }, - "uuid": "5a6df1dd-9aa4-4f67-9195-8c3a9f5c0f7a", - "value": "MazarBOT (MOB-S0019) uses Premium SMS Toll Fraud (MOB-T1051)" 
- }, - { - "meta": { - "source-uuid": "653492e3-27be-4a0e-b08c-938dd2b7e0e1", - "target-uuid": "a0464539-e1b7-4455-a355-12495987c300" - }, - "uuid": "86696d32-0af7-4308-b1fe-52306b9f839a", - "value": "User Guidance (MOB-M1011) mitigates Attack PC via USB Connection (MOB-T1030)" - }, - { - "meta": { - "source-uuid": "bcecd036-f40e-4916-9f8e-fd0ccf0ece8d", - "target-uuid": "702055ac-4e54-4ae9-9527-e23a38e0b160" - }, - "uuid": "92333055-88ce-4db2-a589-e0e1e617d8e0", - "value": "Security Updates (MOB-M1001) mitigates Access Sensitive Data or Credentials in Files (MOB-T1012)" - }, - { - "meta": { - "source-uuid": "93799a9d-3537-43d8-b6f4-17215de1657c", - "target-uuid": "62adb627-f647-498e-b4cc-41499361bacb" - }, - "uuid": "a7b276ac-6f07-4d1f-8d24-dc5682acf62d", - "value": "Pegasus for Android (MOB-S0032) uses Access Calendar Entries (MOB-T1038)" - }, - { - "meta": { - "source-uuid": "3c3b55a6-c3e9-4043-8aae-283fe96220c0", - "target-uuid": "b765efd1-02e6-4e67-aebf-0fef5c37e54b" - }, - "uuid": "eb686f55-85de-42d8-a5a1-69a78af0f1f3", - "value": "ZergHelper (MOB-S0003) uses Detect App Analysis Environment (MOB-T1043)" - }, - { - "meta": { - "source-uuid": "653492e3-27be-4a0e-b08c-938dd2b7e0e1", - "target-uuid": "a8c31121-852b-46bd-9ba4-674ae5afe7ad" - }, - "uuid": "7b899be0-4a9c-4e52-aeab-d8acedfe26d0", - "value": "User Guidance (MOB-M1011) mitigates Malicious Third Party Keyboard App (MOB-T1020)" - }, - { - "meta": { - "source-uuid": "bcecd036-f40e-4916-9f8e-fd0ccf0ece8d", - "target-uuid": "351c0927-2fc1-4a2c-ad84-cbbee7eb8172" - }, - "uuid": "96027d55-0bdb-4f5f-a559-66c93eab3a17", - "value": "Security Updates (MOB-M1001) mitigates Exploit OS Vulnerability (MOB-T1007)" - }, - { - "meta": { - "source-uuid": "c709da93-20c3-4d17-ab68-48cba76b2137", - "target-uuid": "99e6295e-741b-4857-b6e5-64989eb039b4" - }, - "uuid": "27247071-356b-4b5f-bc8f-6436a3fec095", - "value": "PJApps (MOB-S0007) uses Location Tracking (MOB-T1033)" - }, - { - "meta": { - "source-uuid": 
"1553b156-6767-47f7-9eb4-2a692505666d", - "target-uuid": "99e6295e-741b-4857-b6e5-64989eb039b4" - }, - "uuid": "d22dc053-24a7-4a5b-ae51-8a626569ec9b", - "value": "Application Vetting (MOB-M1005) mitigates Location Tracking (MOB-T1033)" - }, - { - "meta": { - "source-uuid": "33d9d91d-aad9-49d5-a516-220ce101ac8a", - "target-uuid": "e8b4e1ec-8e3b-484c-9038-4459b1ed8060" - }, - "uuid": "7d481598-ece7-469c-b231-619a804c25e5", - "value": "Pegasus (MOB-S0005) uses Capture SMS Messages (MOB-T1015)" - }, - { - "meta": { - "source-uuid": "363bc05d-13cb-4e98-a5b7-e250f2bbdc2b", - "target-uuid": "c4b96c0b-cb58-497a-a1c2-bb447d79d692" - }, - "uuid": "9e3921a8-a9e1-48c4-9b61-ff190c104f63", - "value": "RCSAndroid (MOB-S0011) uses Capture Clipboard Data (MOB-T1017)" - }, - { - "meta": { - "source-uuid": "d05f7357-4cbe-47ea-bf83-b8604226d533", - "target-uuid": "3911658a-6506-4deb-9ab4-595a51ae71ad" - }, - "uuid": "7c966cde-22fd-4eb2-b518-3e37a8fad88b", - "value": "Android/Chuli.A (MOB-S0020) uses Commonly Used Port (MOB-T1039)" - }, - { - "meta": { - "source-uuid": "8220b57e-c400-4525-bf69-f8edc6b389a8", - "target-uuid": "fb3fa94a-3aee-4ab0-b7e7-abdf0a51286d" - }, - "uuid": "dc6eb5d7-acef-4eb4-bece-4e8c90c914dc", - "value": "Encrypt Network Traffic (MOB-M1009) mitigates Exploit SS7 to Redirect Phone Calls/SMS (MOB-T1052)" - }, - { - "meta": { - "source-uuid": "da21929e-40c0-443d-bdf4-6b60d15448b4", - "target-uuid": "e8b4e1ec-8e3b-484c-9038-4459b1ed8060" - }, - "uuid": "833b4c44-7370-4b27-b9b2-a058c27dcf8c", - "value": "Xbot (MOB-S0014) uses Capture SMS Messages (MOB-T1015)" - }, - { - "meta": { - "source-uuid": "8220b57e-c400-4525-bf69-f8edc6b389a8", - "target-uuid": "633baf01-6de4-4963-bb54-ff6c6357bed3" - }, - "uuid": "4df969b3-f5a0-4802-b87e-a458e3e439ed", - "value": "Encrypt Network Traffic (MOB-M1009) mitigates Rogue Wi-Fi Access Points (MOB-T1068)" - }, - { - "meta": { - "source-uuid": "20d56cd6-8dff-4871-9889-d32d254816de", - "target-uuid": 
"f981d199-2720-467e-9dc9-eea04dbe05cf" - }, - "uuid": "42ae42eb-ea75-457a-bf39-4ea04304dd0b", - "value": "Gooligan (MOB-S0006) uses Generate Fraudulent Advertising Revenue (MOB-T1075)" - }, - { - "meta": { - "source-uuid": "93799a9d-3537-43d8-b6f4-17215de1657c", - "target-uuid": "c5089859-b21f-40a3-8be4-63e381b8b1c0" - }, - "uuid": "d7ae7fb1-c363-4969-a4af-e2dd44a3c064", - "value": "Pegasus for Android (MOB-S0032) uses Modify System Partition (MOB-T1003)" - }, - { - "meta": { - "source-uuid": "33d9d91d-aad9-49d5-a516-220ce101ac8a", - "target-uuid": "c5089859-b21f-40a3-8be4-63e381b8b1c0" - }, - "uuid": "69718f1d-7761-41ae-b9d0-12c45f6b4ac4", - "value": "Pegasus (MOB-S0005) uses Modify System Partition (MOB-T1003)" - }, - { - "meta": { - "source-uuid": "bcecd036-f40e-4916-9f8e-fd0ccf0ece8d", - "target-uuid": "b332a960-3c04-495a-827f-f17a5daed3a6" - }, - "uuid": "15a2702e-4e49-4255-909d-bbf94abfd1d7", - "value": "Security Updates (MOB-M1001) mitigates Disguise Root/Jailbreak Indicators (MOB-T1011)" - }, - { - "meta": { - "source-uuid": "1553b156-6767-47f7-9eb4-2a692505666d", - "target-uuid": "2204c371-6100-4ae0-82f3-25c07c29772a" - }, - "uuid": "077da2d7-0913-4040-b25e-2f6913ed4ea0", - "value": "Application Vetting (MOB-M1005) mitigates Abuse Accessibility Features (MOB-T1056)" - }, - { - "meta": { - "source-uuid": "0beabf44-e8d8-4ae4-9122-ef56369a2564", - "target-uuid": "29e07491-8947-43a3-8d4e-9a787c45f3d3" - }, - "uuid": "c761ed82-24cc-4c40-94ef-c4d0f4d1cd7a", - "value": "Use Recent OS Version (MOB-M1006) mitigates Access Sensitive Data in Device Logs (MOB-T1016)" - }, - { - "meta": { - "source-uuid": "bcecd036-f40e-4916-9f8e-fd0ccf0ece8d", - "target-uuid": "f9e4f526-ac9d-4df5-8949-833a82a1d2df" - }, - "uuid": "1a493cb6-452f-46ce-a7b4-267eacd5d2ff", - "value": "Security Updates (MOB-M1001) mitigates Malicious or Vulnerable Built-in Device Functionality (MOB-T1076)" - }, - { - "meta": { - "source-uuid": "d05f7357-4cbe-47ea-bf83-b8604226d533", - "target-uuid": 
"79eec66a-9bd0-4a3f-ac82-19159e94bd44" - }, - "uuid": "2bedbf86-2ef0-45bf-950d-b9d072c03bdc", - "value": "Android/Chuli.A (MOB-S0020) uses Access Call Log (MOB-T1036)" - }, - { - "meta": { - "source-uuid": "e13d084c-382f-40fd-aa9a-98d69e20301e", - "target-uuid": "351c0927-2fc1-4a2c-ad84-cbbee7eb8172" - }, - "uuid": "02b3c8fe-1539-4c77-b67e-07fa8a22c91e", - "value": "BrainTest (MOB-S0009) uses Exploit OS Vulnerability (MOB-T1007)" - }, - { - "meta": { - "source-uuid": "bcecd036-f40e-4916-9f8e-fd0ccf0ece8d", - "target-uuid": "79eec66a-9bd0-4a3f-ac82-19159e94bd44" - }, - "uuid": "93a524e2-cb17-4b40-8640-a03949e89775", - "value": "Security Updates (MOB-M1001) mitigates Access Call Log (MOB-T1036)" - }, - { - "meta": { - "source-uuid": "93799a9d-3537-43d8-b6f4-17215de1657c", - "target-uuid": "79eec66a-9bd0-4a3f-ac82-19159e94bd44" - }, - "uuid": "4f366c8c-9c70-44ed-baa8-d433d5dbfe49", - "value": "Pegasus for Android (MOB-S0032) uses Access Call Log (MOB-T1036)" - }, - { - "meta": { - "source-uuid": "bcecd036-f40e-4916-9f8e-fd0ccf0ece8d", - "target-uuid": "29e07491-8947-43a3-8d4e-9a787c45f3d3" - }, - "uuid": "b23ec81b-8610-4bb0-a837-2c316c67fa79", - "value": "Security Updates (MOB-M1001) mitigates Access Sensitive Data in Device Logs (MOB-T1016)" - }, - { - "meta": { - "source-uuid": "bcecd036-f40e-4916-9f8e-fd0ccf0ece8d", - "target-uuid": "88932a8c-3a17-406f-9431-1da3ff19f6d6" - }, - "uuid": "72d7fa07-e559-4e35-b791-64b7bf8a0aef", - "value": "Security Updates (MOB-M1001) mitigates Modify cached executable code (MOB-T1006)" - }, - { - "meta": { - "source-uuid": "da21929e-40c0-443d-bdf4-6b60d15448b4", - "target-uuid": "d9e88203-2b5d-405f-a406-2933b1e3d7e4" - }, - "uuid": "70f8cbed-b20d-4ff2-ad02-8d78e7d49159", - "value": "Xbot (MOB-S0014) uses Encrypt Files for Ransom (MOB-T1074)" - }, - { - "meta": { - "source-uuid": "1553b156-6767-47f7-9eb4-2a692505666d", - "target-uuid": "3dd58c80-4c2e-458c-9503-1b2cd273c4d2" - }, - "uuid": "095f71ad-9a93-45ce-9b77-a101f6c894de", - 
"value": "Application Vetting (MOB-M1005) mitigates User Interface Spoofing (MOB-T1014)" - }, - { - "meta": { - "source-uuid": "653492e3-27be-4a0e-b08c-938dd2b7e0e1", - "target-uuid": "a21a6a79-f9a1-4c87-aed9-ba2d79536881" - }, - "uuid": "aaf0ae2f-07ea-479e-8419-e524e23dbaef", - "value": "User Guidance (MOB-M1011) mitigates Stolen Developer Credentials or Signing Keys (MOB-T1044)" - }, - { - "meta": { - "source-uuid": "653492e3-27be-4a0e-b08c-938dd2b7e0e1", - "target-uuid": "831e3269-da49-48ac-94dc-948008e8fd16" - }, - "uuid": "8f7c14bf-4c0f-4e54-99c2-41b511220b33", - "value": "User Guidance (MOB-M1011) mitigates Remotely Install Application (MOB-T1046)" - }, - { - "meta": { - "source-uuid": "28e39395-91e7-4f02-b694-5e079c964da9", - "target-uuid": "6a3f6490-9c44-40de-b059-e5940f246673" - }, - "uuid": "54151897-cc7e-4f92-af50-bed41ea78d92", - "value": "Trojan-SMS.AndroidOS.FakeInst.a (MOB-S0022) uses Standard Application Layer Protocol (MOB-T1040)" - }, - { - "meta": { - "source-uuid": "c80a6bef-b3ce-44d0-b113-946e93124898", - "target-uuid": "c5089859-b21f-40a3-8be4-63e381b8b1c0" - }, - "uuid": "18afa4ad-4fd7-47ad-acdb-3b298b640d3c", - "value": "Shedun (MOB-S0010) uses Modify System Partition (MOB-T1003)" - }, - { - "meta": { - "source-uuid": "1553b156-6767-47f7-9eb4-2a692505666d", - "target-uuid": "702055ac-4e54-4ae9-9527-e23a38e0b160" - }, - "uuid": "7ec08d5c-73a1-4444-bd27-892090d6b2e3", - "value": "Application Vetting (MOB-M1005) mitigates Access Sensitive Data or Credentials in Files (MOB-T1012)" - }, - { - "meta": { - "source-uuid": "bef4c620-0787-42a8-a96d-b7eb6e85917c", - "target-uuid": "56660521-6db4-4e5a-a927-464f22954b7c" - }, - "uuid": "3e3cad6c-dd73-43c9-bf99-d4796ba97fb1", - "value": "APT28 (G0007) uses X-Agent (MOB-S0030)" - }, - { - "meta": { - "source-uuid": "1553b156-6767-47f7-9eb4-2a692505666d", - "target-uuid": "11bd699b-f2c2-4e48-bf46-fb3f8acd9799" - }, - "uuid": "c2437c8b-709f-47e8-ae65-21ae48410a9e", - "value": "Application Vetting (MOB-M1005) 
mitigates Insecure Third-Party Libraries (MOB-T1028)" - }, - { - "meta": { - "source-uuid": "d1c600f8-0fb6-4367-921b-85b71947d950", - "target-uuid": "b765efd1-02e6-4e67-aebf-0fef5c37e54b" - }, - "uuid": "7e4be913-d916-4a79-ac00-262a49afe070", - "value": "Charger (MOB-S0039) uses Detect App Analysis Environment (MOB-T1043)" - }, - { - "meta": { - "source-uuid": "b6d3657a-2d6a-400f-8b7e-4d60391aa1f7", - "target-uuid": "3dd58c80-4c2e-458c-9503-1b2cd273c4d2" - }, - "uuid": "3faed885-6a3d-444f-8e57-fd8818abb1cc", - "value": "AndroidOverlayMalware (MOB-S0012) uses User Interface Spoofing (MOB-T1014)" - }, - { - "meta": { - "source-uuid": "1553b156-6767-47f7-9eb4-2a692505666d", - "target-uuid": "d4536441-1bcc-49fa-80ae-a596ed3f7ffd" - }, - "uuid": "513c05e2-afc6-4d1b-8a8e-6d6935a8626f", - "value": "Application Vetting (MOB-M1005) mitigates Local Network Configuration Discovery (MOB-T1025)" - }, - { - "meta": { - "source-uuid": "0beabf44-e8d8-4ae4-9122-ef56369a2564", - "target-uuid": "351c0927-2fc1-4a2c-ad84-cbbee7eb8172" - }, - "uuid": "08e7c0ad-f2d7-472c-97de-3627ca5d2991", - "value": "Use Recent OS Version (MOB-M1006) mitigates Exploit OS Vulnerability (MOB-T1007)" - }, - { - "meta": { - "source-uuid": "20dbaf05-59b8-4dc6-8777-0b17f4553a23", - "target-uuid": "e8b4e1ec-8e3b-484c-9038-4459b1ed8060" - }, - "uuid": "e0ebf0cd-9244-4cef-9171-128a12b87b58", - "value": "SpyNote RAT (MOB-S0021) uses Capture SMS Messages (MOB-T1015)" - }, - { - "meta": { - "source-uuid": "93799a9d-3537-43d8-b6f4-17215de1657c", - "target-uuid": "4e6620ac-c30c-4f6d-918e-fa20cae7c1ce" - }, - "uuid": "e84ad4b0-9f7a-48a5-89ae-33804b11eb56", - "value": "Pegasus for Android (MOB-S0032) uses Access Contact List (MOB-T1035)" - }, - { - "meta": { - "source-uuid": "a3dad2be-ce62-4440-953b-00fbce7aba93", - "target-uuid": "4e6620ac-c30c-4f6d-918e-fa20cae7c1ce" - }, - "uuid": "aaf55dd1-33df-4f02-8025-eaae01f30b33", - "value": "AndroRAT (MOB-S0008) uses Access Contact List (MOB-T1035)" - }, - { - "meta": { - 
"source-uuid": "649f7268-4c12-483b-ac84-4b7bca9fe2ee", - "target-uuid": "b928b94a-4966-4e2a-9e61-36505b896ebc" - }, - "uuid": "9adde9d7-4ba0-4e35-93ba-1e85e9eb16bc", - "value": "Enterprise Policy (MOB-M1012) mitigates Malicious Software Development Tools (MOB-T1065)" - }, - { - "meta": { - "source-uuid": "5ddf81ea-2c06-497b-8c30-5f1ab89a40f9", - "target-uuid": "e8b4e1ec-8e3b-484c-9038-4459b1ed8060" - }, - "uuid": "721cc30c-74cf-4eed-89a8-7a8e63e6c0e1", - "value": "MazarBOT (MOB-S0019) uses Capture SMS Messages (MOB-T1015)" - }, - { - "meta": { - "source-uuid": "653492e3-27be-4a0e-b08c-938dd2b7e0e1", - "target-uuid": "667e5707-3843-4da8-bd34-88b922526f0d" - }, - "uuid": "95f4db59-e0b4-4c1b-b888-1fc76b21e8c0", - "value": "User Guidance (MOB-M1011) mitigates Exploit via Charging Station or PC (MOB-T1061)" - }, - { - "meta": { - "source-uuid": "c709da93-20c3-4d17-ab68-48cba76b2137", - "target-uuid": "8f0e39c6-82c9-41ec-9f93-5696c0f2e274" - }, - "uuid": "4454a696-7619-40ee-971b-cbf646e4ee61", - "value": "PJApps (MOB-S0007) uses Premium SMS Toll Fraud (MOB-T1051)" - }, - { - "meta": { - "source-uuid": "1553b156-6767-47f7-9eb4-2a692505666d", - "target-uuid": "9d7c32f4-ab39-49dc-8055-8106bc2294a1" - }, - "uuid": "bebf345c-21d5-410f-9015-90c144161e5d", - "value": "Application Vetting (MOB-M1005) mitigates Lock User Out of Device (MOB-T1049)" - }, - { - "meta": { - "source-uuid": "da21929e-40c0-443d-bdf4-6b60d15448b4", - "target-uuid": "3dd58c80-4c2e-458c-9503-1b2cd273c4d2" - }, - "uuid": "1cca5e17-80ae-4b6e-8919-2768153aa966", - "value": "Xbot (MOB-S0014) uses User Interface Spoofing (MOB-T1014)" - }, - { - "meta": { - "source-uuid": "507fe748-5e4a-4b45-9e9f-8b1115f4e878", - "target-uuid": "667e5707-3843-4da8-bd34-88b922526f0d" - }, - "uuid": "b7282bf9-63f8-49ad-8ee0-f2ad523a367e", - "value": "DualToy (MOB-S0031) uses Exploit via Charging Station or PC (MOB-T1061)" - }, - { - "meta": { - "source-uuid": "bcecd036-f40e-4916-9f8e-fd0ccf0ece8d", - "target-uuid": 
"c5089859-b21f-40a3-8be4-63e381b8b1c0" - }, - "uuid": "aa39b402-7ecc-4057-a989-663887e540e7", - "value": "Security Updates (MOB-M1001) mitigates Modify System Partition (MOB-T1003)" - }, - { - "meta": { - "source-uuid": "93799a9d-3537-43d8-b6f4-17215de1657c", - "target-uuid": "b3c2e5de-0941-4b57-ba61-af029eb5517a" - }, - "uuid": "f6098dca-3a9e-4991-8d51-1310b12161b6", - "value": "Pegasus for Android (MOB-S0032) uses Alternate Network Mediums (MOB-T1041)" - }, - { - "meta": { - "source-uuid": "20dbaf05-59b8-4dc6-8777-0b17f4553a23", - "target-uuid": "6683aa0c-d98a-4f5b-ac57-ca7e9934a760" - }, - "uuid": "bf2ea132-c8f3-4ea0-8c4c-bdc95923c3b1", - "value": "SpyNote RAT (MOB-S0021) uses Microphone or Camera Recordings (MOB-T1032)" - }, - { - "meta": { - "source-uuid": "1553b156-6767-47f7-9eb4-2a692505666d", - "target-uuid": "6c49d50f-494d-4150-b774-a655022d20a6" - }, - "uuid": "94a737af-9a72-48f6-a85e-d9d7fa93bfdd", - "value": "Application Vetting (MOB-M1005) mitigates Download New Code at Runtime (MOB-T1010)" - } - ], - "version": 2 -} diff --git a/clusters/mitre-pre-attack-relationship.json b/clusters/mitre-pre-attack-relationship.json deleted file mode 100644 index da91fd6..0000000 --- a/clusters/mitre-pre-attack-relationship.json +++ /dev/null 
@@ -1,925 +0,0 @@ -{ - "authors": [ - "MITRE" - ], - "description": "MITRE Relationship", - "name": "Pre Attack - Relationship", - "source": "https://github.com/mitre/cti", - "type": "mitre-pre-attack-relationship", - "uuid": "1ffd3108-1708-11e8-9f98-67b378d9094c", - "values": [ - { - "meta": { - "source-uuid": "bef4c620-0787-42a8-a96d-b7eb6e85917c", - "target-uuid": "58d0b955-ae3d-424a-a537-2804dab38793" - }, - "uuid": "1eed277b-a2a7-43f9-bf12-6e30abf0841a", - "value": "APT28 (G0007) uses Unconditional client-side exploitation/Injected Website/Driveby (PRE-T1149)" - }, - { - "meta": { - "source-uuid": "eacd1efe-ee30-4b03-b58f-5b3b1adfe45d", - "target-uuid": "103d72e6-7e0d-4b3a-9373-c38567305c33" - }, - "uuid": "4a69750c-47d5-40f5-b753-c6bb2a27a359", - "value": "Friend/Follow/Connect to targets of interest (PRE-T1141) related-to Friend/Follow/Connect to targets of interest (PRE-T1121)" - }, - { - "meta": { - "source-uuid": "6a2e693f-24e5-451a-9f88-b36a108e5662", - "target-uuid": "15ef4da5-3b93-4bb1-a39a-5396661956d3" - }, - "uuid": "2b6a71e4-e5d5-41d2-a193-9a95c94dc924", - "value": "APT1 (G0006) uses Build and configure delivery systems (PRE-T1124)" - }, - { - "meta": { - "source-uuid": "23b6a0f5-fa95-46f9-a6f3-4549c5e45ec8", - "target-uuid": "e24a9f99-cb76-42a3-a50b-464668773e97" - }, - "uuid": "57723021-1eb3-4bf2-86eb-fdbf8a1b8125", - "value": "Night Dragon (G0014) uses Spear phishing messages with malicious attachments (PRE-T1144)" - }, - { - "meta": { - "source-uuid": "23b6a0f5-fa95-46f9-a6f3-4549c5e45ec8", - "target-uuid": "9755ecdc-deb0-40e6-af49-713cb0f8ed92" - }, - "uuid": "a34c16e9-bc7e-45f5-a9a2-8b05d868e6a0", - "value": "Night Dragon (G0014) uses Remote access tool development (PRE-T1128)" - }, - { - "meta": { - "source-uuid": "d6e88e18-81e8-4709-82d8-973095da1e70", - "target-uuid": "d69c3e06-8311-4093-8e3e-0a8e06b15d92" - }, - "uuid": "307e24f8-4d7c-49a8-88f6-fb0a99fe8ff4", - "value": "APT16 (G0023) uses Assess targeting options (PRE-T1073)" - }, - { - 
"meta": { - "source-uuid": "7baccb84-356c-4e89-8c5d-58e701f033fc", - "target-uuid": "092f05e3-f7c0-4cd2-91be-3a8d6ed3cadc" - }, - "uuid": "2dbdcf5e-af75-4f92-b4ad-942a06aab259", - "value": "Analyze organizational skillsets and deficiencies (PRE-T1077) related-to Analyze organizational skillsets and deficiencies (PRE-T1066)" - }, - { - "meta": { - "source-uuid": "6a2e693f-24e5-451a-9f88-b36a108e5662", - "target-uuid": "f4c5d1d9-8f0e-46f1-a9fa-f9a440926046" - }, - "uuid": "9af7194c-1eea-4aef-bab1-49bd29be069c", - "value": "APT1 (G0006) uses Confirmation of launched compromise achieved (PRE-T1160)" - }, - { - "meta": { - "source-uuid": "23b6a0f5-fa95-46f9-a6f3-4549c5e45ec8", - "target-uuid": "89a79d91-53e0-4ef5-ba28-558cb8b01f76" - }, - "uuid": "f6dd74d9-ed02-4fe4-aff6-9ef25906592f", - "value": "Night Dragon (G0014) uses Identify groups/roles (PRE-T1047)" - }, - { - "meta": { - "source-uuid": "090242d7-73fc-4738-af68-20162f7a5aae", - "target-uuid": "271e6d40-e191-421a-8f87-a8102452c201" - }, - "uuid": "614f64d8-c221-4789-b1e1-787e9326a37b", - "value": "APT17 (G0025) uses Develop social network persona digital footprint (PRE-T1119)" - }, - { - "meta": { - "source-uuid": "6a2e693f-24e5-451a-9f88-b36a108e5662", - "target-uuid": "e24a9f99-cb76-42a3-a50b-464668773e97" - }, - "uuid": "84943231-1b44-4029-ae09-0dbf05440bef", - "value": "APT1 (G0006) uses Spear phishing messages with malicious attachments (PRE-T1144)" - }, - { - "meta": { - "source-uuid": "6a2e693f-24e5-451a-9f88-b36a108e5662", - "target-uuid": "d3999268-740f-467e-a075-c82e2d04be62" - }, - "uuid": "51d03816-347c-4716-9524-da99a58f5ea6", - "value": "APT1 (G0006) uses Assess leadership areas of interest (PRE-T1001)" - }, - { - "meta": { - "source-uuid": "af358cad-eb71-4e91-a752-236edc237dae", - "target-uuid": "74a3288e-eee9-4f8e-973a-fbc128e033f1" - }, - "uuid": "ad510f42-e745-42d0-8b54-4bf7a2f3cf34", - "value": "Conduct social engineering (PRE-T1045) related-to Conduct social engineering (PRE-T1026)" - }, - { - 
"meta": { - "source-uuid": "8f5e8dc7-739d-4f5e-a8a1-a66e004d7063", - "target-uuid": "9108e212-1c94-4f8d-be76-1aad9b4c86a4" - }, - "uuid": "ab356c7a-6922-4143-90eb-5be632e2f6cd", - "value": "Cleaver (G0003) uses Build social network persona (PRE-T1118)" - }, - { - "meta": { - "source-uuid": "c721b235-679a-4d76-9ae9-e08921fccf84", - "target-uuid": "7718e92f-b011-4f88-b822-ae245a1de407" - }, - "uuid": "ab313887-ff00-4aa9-8edb-ab107c517c19", - "value": "Identify job postings and needs/gaps (PRE-T1025) related-to Identify job postings and needs/gaps (PRE-T1055)" - }, - { - "meta": { - "source-uuid": "d6e88e18-81e8-4709-82d8-973095da1e70", - "target-uuid": "784ff1bc-1483-41fe-a172-4cd9ae25c06b" - }, - "uuid": "edb31962-2310-4618-bd4f-d34f8e7d58e8", - "value": "APT16 (G0023) uses Acquire OSINT data sets and information (PRE-T1024)" - }, - { - "meta": { - "source-uuid": "23b6a0f5-fa95-46f9-a6f3-4549c5e45ec8", - "target-uuid": "286cc500-4291-45c2-99a1-e760db176402" - }, - "uuid": "0adf353d-688b-46ce-88bb-62a008675fe0", - "value": "Night Dragon (G0014) uses Acquire and/or use 3rd party infrastructure services (PRE-T1084)" - }, - { - "meta": { - "source-uuid": "23b6a0f5-fa95-46f9-a6f3-4549c5e45ec8", - "target-uuid": "d778cb83-2292-4995-b006-d38f52bc1e64" - }, - "uuid": "e95ea206-3962-43af-aac1-042ac9928679", - "value": "Night Dragon (G0014) uses Identify gap areas (PRE-T1002)" - }, - { - "meta": { - "source-uuid": "8f5e8dc7-739d-4f5e-a8a1-a66e004d7063", - "target-uuid": "fddd81e9-dd3d-477e-9773-4fb8ae227234" - }, - "uuid": "b09b41c4-670f-4f00-b8d5-a8c6a2dcfcfb", - "value": "Cleaver (G0003) uses Create custom payloads (PRE-T1122)" - }, - { - "meta": { - "source-uuid": "bef4c620-0787-42a8-a96d-b7eb6e85917c", - "target-uuid": "c860af4a-376e-46d7-afbf-262c41012227" - }, - "uuid": "26bf68a4-af3c-4d39-bad3-5f0ce824f4a3", - "value": "APT28 (G0007) uses Determine operational element (PRE-T1019)" - }, - { - "meta": { - "source-uuid": "bef4c620-0787-42a8-a96d-b7eb6e85917c", - 
"target-uuid": "45242287-2964-4a3e-9373-159fad4d8195" - }, - "uuid": "3d65fc7e-87a5-4113-bd9c-09453fba4d1e", - "value": "APT28 (G0007) uses Buy domain name (PRE-T1105)" - }, - { - "meta": { - "source-uuid": "7718e92f-b011-4f88-b822-ae245a1de407", - "target-uuid": "c721b235-679a-4d76-9ae9-e08921fccf84" - }, - "uuid": "22d4f32c-63c1-400f-8e2c-10e4a200d133", - "value": "Identify job postings and needs/gaps (PRE-T1055) related-to Identify job postings and needs/gaps (PRE-T1025)" - }, - { - "meta": { - "source-uuid": "73e7d7d5-1782-4cd0-a4d7-00c7ec051c2a", - "target-uuid": "5b6ce031-bb86-407a-9984-2b9700ac4549" - }, - "uuid": "ac1dfc58-d5a2-4b6f-9bf4-c6c0d2d3ae80", - "value": "Identify business relationships (PRE-T1060) related-to Identify business relationships (PRE-T1049)" - }, - { - "meta": { - "source-uuid": "5b6ce031-bb86-407a-9984-2b9700ac4549", - "target-uuid": "73e7d7d5-1782-4cd0-a4d7-00c7ec051c2a" - }, - "uuid": "9524754d-7743-47b3-8395-3cbfb633c020", - "value": "Identify business relationships (PRE-T1049) related-to Identify business relationships (PRE-T1060)" - }, - { - "meta": { - "source-uuid": "8f5e8dc7-739d-4f5e-a8a1-a66e004d7063", - "target-uuid": "271e6d40-e191-421a-8f87-a8102452c201" - }, - "uuid": "d26a1746-b577-4a89-be5e-c49611e8c65a", - "value": "Cleaver (G0003) uses Develop social network persona digital footprint (PRE-T1119)" - }, - { - "meta": { - "source-uuid": "8f5e8dc7-739d-4f5e-a8a1-a66e004d7063", - "target-uuid": "c2ffd229-11bb-4fd8-9208-edbe97b14c93" - }, - "uuid": "f43faad4-a016-4da0-8de6-53103d429268", - "value": "Cleaver (G0003) uses Obfuscation or cryptography (PRE-T1090)" - }, - { - "meta": { - "source-uuid": "6a2e693f-24e5-451a-9f88-b36a108e5662", - "target-uuid": "20a66013-8dab-4ca3-a67d-766c842c561c" - }, - "uuid": "0e7905fd-77c8-43cb-b499-7d6e37fefbeb", - "value": "APT1 (G0006) uses Dynamic DNS (PRE-T1088)" - }, - { - "meta": { - "source-uuid": "8f5e8dc7-739d-4f5e-a8a1-a66e004d7063", - "target-uuid": 
"b79a1960-d0be-4b51-bb62-b27e91e1dea0" - }, - "uuid": "3f8694fa-8e16-465b-8357-ec0a85316e9c", - "value": "Cleaver (G0003) uses Conduct social engineering or HUMINT operation (PRE-T1153)" - }, - { - "meta": { - "source-uuid": "090242d7-73fc-4738-af68-20162f7a5aae", - "target-uuid": "72c8d526-1247-42d4-919c-6d7a31ca8f39" - }, - "uuid": "9c87b627-de61-42da-a658-7bdb33358754", - "value": "APT17 (G0025) uses Obfuscate infrastructure (PRE-T1108)" - }, - { - "meta": { - "source-uuid": "bef4c620-0787-42a8-a96d-b7eb6e85917c", - "target-uuid": "fddd81e9-dd3d-477e-9773-4fb8ae227234" - }, - "uuid": "6d809b32-a5db-4e1e-bea6-ef29a2c680e5", - "value": "APT28 (G0007) uses Create custom payloads (PRE-T1122)" - }, - { - "meta": { - "source-uuid": "20a66013-8dab-4ca3-a67d-766c842c561c", - "target-uuid": "54eb2bab-125f-4d1c-b999-0c692860bafe" - }, - "uuid": "f24a6bf4-c60f-4fa6-8f6a-f2806ae92cdd", - "value": "Dynamic DNS (PRE-T1088) related-to Dynamic DNS (PRE-T1110)" - }, - { - "meta": { - "source-uuid": "54eb2bab-125f-4d1c-b999-0c692860bafe", - "target-uuid": "20a66013-8dab-4ca3-a67d-766c842c561c" - }, - "uuid": "94daf955-fb3e-4f13-af60-0e3ffa185be0", - "value": "Dynamic DNS (PRE-T1110) related-to Dynamic DNS (PRE-T1088)" - }, - { - "meta": { - "source-uuid": "090242d7-73fc-4738-af68-20162f7a5aae", - "target-uuid": "9108e212-1c94-4f8d-be76-1aad9b4c86a4" - }, - "uuid": "545cd36e-572e-413d-82b9-db65788791f9", - "value": "APT17 (G0025) uses Build social network persona (PRE-T1118)" - }, - { - "meta": { - "source-uuid": "6a2e693f-24e5-451a-9f88-b36a108e5662", - "target-uuid": "e51398e6-53dc-4e9f-a323-e54683d8672b" - }, - "uuid": "8a2c46d3-92f2-4ff7-a912-8d47189a7d79", - "value": "APT1 (G0006) uses Compromise 3rd party infrastructure to support delivery (PRE-T1111)" - }, - { - "meta": { - "source-uuid": "784ff1bc-1483-41fe-a172-4cd9ae25c06b", - "target-uuid": "028ad431-84c5-4eb7-a364-2b797c234f88" - }, - "uuid": "60b6c9a6-7705-4c72-93bb-67de0caf11f4", - "value": "Acquire OSINT data sets 
and information (PRE-T1024) related-to Acquire OSINT data sets and information (PRE-T1054)" - }, - { - "meta": { - "source-uuid": "7860e21e-7514-4a3f-8a9d-56405ccfdb0c", - "target-uuid": "78e41091-d10d-4001-b202-89612892b6ff" - }, - "uuid": "9c44b2ec-70b0-4f5c-800e-426477330658", - "value": "Identify supply chains (PRE-T1053) related-to Identify supply chains (PRE-T1023)" - }, - { - "meta": { - "source-uuid": "e51398e6-53dc-4e9f-a323-e54683d8672b", - "target-uuid": "4900fabf-1142-4c1f-92f5-0b590e049077" - }, - "uuid": "bc165934-7ef6-4aed-a0d7-81d3372589f4", - "value": "Compromise 3rd party infrastructure to support delivery (PRE-T1111) related-to Compromise 3rd party infrastructure to support delivery (PRE-T1089)" - }, - { - "meta": { - "source-uuid": "bef4c620-0787-42a8-a96d-b7eb6e85917c", - "target-uuid": "288b3cc3-f4da-4250-ab8c-d8b5dbed94ca" - }, - "uuid": "643d984b-0c82-4e14-8ba9-1b8dec0c91e2", - "value": "APT28 (G0007) uses Identify web defensive services (PRE-T1033)" - }, - { - "meta": { - "source-uuid": "7baccb84-356c-4e89-8c5d-58e701f033fc", - "target-uuid": "96eb59d1-6c46-44bb-bfcd-56be02a00d41" - }, - "uuid": "715a66b4-7925-40b4-868a-e47aba879f8b", - "value": "Analyze organizational skillsets and deficiencies (PRE-T1077) related-to Analyze organizational skillsets and deficiencies (PRE-T1074)" - }, - { - "meta": { - "source-uuid": "2b9a666e-bd59-4f67-9031-ed41b428e04a", - "target-uuid": "028ad431-84c5-4eb7-a364-2b797c234f88" - }, - "uuid": "28bf7e8b-9948-40a8-945b-6b5f2c78ec53", - "value": "Acquire OSINT data sets and information (PRE-T1043) related-to Acquire OSINT data sets and information (PRE-T1054)" - }, - { - "meta": { - "source-uuid": "6a2e693f-24e5-451a-9f88-b36a108e5662", - "target-uuid": "27f3ddf8-1b77-4cc2-a4c0-e6da3d31a768" - }, - "uuid": "2b0ec032-eaca-4f0c-be55-39471f0f2bf5", - "value": "APT1 (G0006) uses Obtain/re-use payloads (PRE-T1123)" - }, - { - "meta": { - "source-uuid": "784ff1bc-1483-41fe-a172-4cd9ae25c06b", - "target-uuid": 
"2b9a666e-bd59-4f67-9031-ed41b428e04a" - }, - "uuid": "1143e6a6-deef-4dbd-8c91-7bf537d8f5ce", - "value": "Acquire OSINT data sets and information (PRE-T1024) related-to Acquire OSINT data sets and information (PRE-T1043)" - }, - { - "meta": { - "source-uuid": "78e41091-d10d-4001-b202-89612892b6ff", - "target-uuid": "59369f72-3005-4e54-9095-3d00efcece73" - }, - "uuid": "a29f2adc-c328-4cf3-9984-2c0c72ec7061", - "value": "Identify supply chains (PRE-T1023) related-to Identify supply chains (PRE-T1042)" - }, - { - "meta": { - "source-uuid": "bef4c620-0787-42a8-a96d-b7eb6e85917c", - "target-uuid": "abd5bed1-4c12-45de-a623-ab8dc4ff862a" - }, - "uuid": "eab3be4e-4130-4898-a7b6-d9e9eb34f2bd", - "value": "APT28 (G0007) uses Research relevant vulnerabilities/CVEs (PRE-T1068)" - }, - { - "meta": { - "source-uuid": "6a2e693f-24e5-451a-9f88-b36a108e5662", - "target-uuid": "1a295f87-af63-4d94-b130-039d6221fb11" - }, - "uuid": "39db1df8-f786-480c-9faf-5b870de2250b", - "value": "APT1 (G0006) uses Acquire and/or use 3rd party software services (PRE-T1085)" - }, - { - "meta": { - "source-uuid": "028ad431-84c5-4eb7-a364-2b797c234f88", - "target-uuid": "2b9a666e-bd59-4f67-9031-ed41b428e04a" - }, - "uuid": "6ba71250-1dc7-4b8d-88e7-698440ea18a0", - "value": "Acquire OSINT data sets and information (PRE-T1054) related-to Acquire OSINT data sets and information (PRE-T1043)" - }, - { - "meta": { - "source-uuid": "bef4c620-0787-42a8-a96d-b7eb6e85917c", - "target-uuid": "e24a9f99-cb76-42a3-a50b-464668773e97" - }, - "uuid": "6238613d-8683-420d-baf7-6050aa27eb9d", - "value": "APT28 (G0007) uses Spear phishing messages with malicious attachments (PRE-T1144)" - }, - { - "meta": { - "source-uuid": "286cc500-4291-45c2-99a1-e760db176402", - "target-uuid": "795c1a92-3a26-453e-b99a-6a566aa94dc6" - }, - "uuid": "5dc0b076-5f25-4bda-83c7-1d8bd214b81a", - "value": "Acquire and/or use 3rd party infrastructure services (PRE-T1084) related-to Acquire and/or use 3rd party infrastructure services (PRE-T1106)" 
- }, - { - "meta": { - "source-uuid": "7860e21e-7514-4a3f-8a9d-56405ccfdb0c", - "target-uuid": "59369f72-3005-4e54-9095-3d00efcece73" - }, - "uuid": "7aaa32b6-73f3-4b6e-98ae-da16976e6003", - "value": "Identify supply chains (PRE-T1053) related-to Identify supply chains (PRE-T1042)" - }, - { - "meta": { - "source-uuid": "6a2e693f-24e5-451a-9f88-b36a108e5662", - "target-uuid": "4900fabf-1142-4c1f-92f5-0b590e049077" - }, - "uuid": "cc22ab71-f2fc-4885-832b-e75dadeefa2d", - "value": "APT1 (G0006) uses Compromise 3rd party infrastructure to support delivery (PRE-T1089)" - }, - { - "meta": { - "source-uuid": "bef4c620-0787-42a8-a96d-b7eb6e85917c", - "target-uuid": "784ff1bc-1483-41fe-a172-4cd9ae25c06b" - }, - "uuid": "60e79ac2-3dc1-4005-a1f8-260d58117dab", - "value": "APT28 (G0007) uses Acquire OSINT data sets and information (PRE-T1024)" - }, - { - "meta": { - "source-uuid": "c47f937f-1022-4f42-8525-e7a4779a14cb", - "target-uuid": "9a8c47f6-ae69-4044-917d-4b1602af64d9" - }, - "uuid": "7da16587-3861-4404-9043-0076e4766ac4", - "value": "APT12 (G0005) uses Choose pre-compromised persona and affiliated accounts (PRE-T1120)" - }, - { - "meta": { - "source-uuid": "bef4c620-0787-42a8-a96d-b7eb6e85917c", - "target-uuid": "91a3735f-817a-4450-8ed4-f05a0f5c3877" - }, - "uuid": "6cfc9229-9928-414e-bfaf-f63e815b4c84", - "value": "APT28 (G0007) uses Determine strategic target (PRE-T1018)" - }, - { - "meta": { - "source-uuid": "dfa4eaf4-50d9-49de-89e9-d33f579f3e05", - "target-uuid": "856a9371-4f0f-4ea9-946e-f3144204240f" - }, - "uuid": "a7f177e4-7e7f-4883-af3d-c95db9ea7a53", - "value": "Determine 3rd party infrastructure services (PRE-T1061) related-to Determine 3rd party infrastructure services (PRE-T1037)" - }, - { - "meta": { - "source-uuid": "8f5e8dc7-739d-4f5e-a8a1-a66e004d7063", - "target-uuid": "27f3ddf8-1b77-4cc2-a4c0-e6da3d31a768" - }, - "uuid": "515e7665-040c-44ac-a379-44d4399d6e2b", - "value": "Cleaver (G0003) uses Obtain/re-use payloads (PRE-T1123)" - }, - { - "meta": { - 
"source-uuid": "96eb59d1-6c46-44bb-bfcd-56be02a00d41", - "target-uuid": "7baccb84-356c-4e89-8c5d-58e701f033fc" - }, - "uuid": "b180dee5-0d48-448f-94b9-4997f0c584d5", - "value": "Analyze organizational skillsets and deficiencies (PRE-T1074) related-to Analyze organizational skillsets and deficiencies (PRE-T1077)" - }, - { - "meta": { - "source-uuid": "4900fabf-1142-4c1f-92f5-0b590e049077", - "target-uuid": "e51398e6-53dc-4e9f-a323-e54683d8672b" - }, - "uuid": "28815a00-1cf4-4fbc-9039-306a9542c7fd", - "value": "Compromise 3rd party infrastructure to support delivery (PRE-T1089) related-to Compromise 3rd party infrastructure to support delivery (PRE-T1111)" - }, - { - "meta": { - "source-uuid": "c721b235-679a-4d76-9ae9-e08921fccf84", - "target-uuid": "0722cd65-0c83-4c89-9502-539198467ab1" - }, - "uuid": "8bcaccd1-403b-40f1-82d3-ac4d873263f8", - "value": "Identify job postings and needs/gaps (PRE-T1025) related-to Identify job postings and needs/gaps (PRE-T1044)" - }, - { - "meta": { - "source-uuid": "bef4c620-0787-42a8-a96d-b7eb6e85917c", - "target-uuid": "ef0f816a-d561-4953-84c6-2a2936c96957" - }, - "uuid": "5aab758c-79d2-4219-9053-f50791d98531", - "value": "APT28 (G0007) uses Discover target logon/email address format (PRE-T1032)" - }, - { - "meta": { - "source-uuid": "c47f937f-1022-4f42-8525-e7a4779a14cb", - "target-uuid": "e6ca2820-a564-4b74-b42a-b6bdf052e5b6" - }, - "uuid": "b55534ba-37ce-47f2-a961-edeaeedcb399", - "value": "APT12 (G0005) uses Obfuscate infrastructure (PRE-T1086)" - }, - { - "meta": { - "source-uuid": "bef4c620-0787-42a8-a96d-b7eb6e85917c", - "target-uuid": "27f3ddf8-1b77-4cc2-a4c0-e6da3d31a768" - }, - "uuid": "709bb5af-c484-48f2-bb19-bd7630e42e2d", - "value": "APT28 (G0007) uses Obtain/re-use payloads (PRE-T1123)" - }, - { - "meta": { - "source-uuid": "c47f937f-1022-4f42-8525-e7a4779a14cb", - "target-uuid": "91a3735f-817a-4450-8ed4-f05a0f5c3877" - }, - "uuid": "4e06cf53-00b1-46a6-a6b6-8e33e761b83f", - "value": "APT12 (G0005) uses Determine 
strategic target (PRE-T1018)" - }, - { - "meta": { - "source-uuid": "090242d7-73fc-4738-af68-20162f7a5aae", - "target-uuid": "91a3735f-817a-4450-8ed4-f05a0f5c3877" - }, - "uuid": "89754a0d-03b1-44e3-94c5-7a892d171a28", - "value": "APT17 (G0025) uses Determine strategic target (PRE-T1018)" - }, - { - "meta": { - "source-uuid": "af358cad-eb71-4e91-a752-236edc237dae", - "target-uuid": "a757670d-d600-48d9-8ae9-601d42c184a5" - }, - "uuid": "984d13eb-ba9c-4e7c-8675-85dde9877a81", - "value": "Conduct social engineering (PRE-T1045) related-to Conduct social engineering (PRE-T1056)" - }, - { - "meta": { - "source-uuid": "bef4c620-0787-42a8-a96d-b7eb6e85917c", - "target-uuid": "d3999268-740f-467e-a075-c82e2d04be62" - }, - "uuid": "2daad934-bf08-4a2f-b656-4f7d197eb8fa", - "value": "APT28 (G0007) uses Assess leadership areas of interest (PRE-T1001)" - }, - { - "meta": { - "source-uuid": "c47f937f-1022-4f42-8525-e7a4779a14cb", - "target-uuid": "e24a9f99-cb76-42a3-a50b-464668773e97" - }, - "uuid": "1895866a-4689-4527-8460-95e9cd7dd037", - "value": "APT12 (G0005) uses Spear phishing messages with malicious attachments (PRE-T1144)" - }, - { - "meta": { - "source-uuid": "a757670d-d600-48d9-8ae9-601d42c184a5", - "target-uuid": "74a3288e-eee9-4f8e-973a-fbc128e033f1" - }, - "uuid": "51c20b46-16cc-4b58-80d7-89d48b14b064", - "value": "Conduct social engineering (PRE-T1056) related-to Conduct social engineering (PRE-T1026)" - }, - { - "meta": { - "source-uuid": "03f4a766-7a21-4b5e-9ccf-e0cf422ab983", - "target-uuid": "e5164428-03ca-4336-a9a7-4d9ea1417e59" - }, - "uuid": "fe31fa7c-be01-47ca-90bb-0fb49b49eb03", - "value": "Acquire or compromise 3rd party signing certificates (PRE-T1109) related-to Acquire or compromise 3rd party signing certificates (PRE-T1087)" - }, - { - "meta": { - "source-uuid": "59369f72-3005-4e54-9095-3d00efcece73", - "target-uuid": "78e41091-d10d-4001-b202-89612892b6ff" - }, - "uuid": "432c700b-4bf3-4824-a530-a6e86882c4b7", - "value": "Identify supply chains 
(PRE-T1042) related-to Identify supply chains (PRE-T1023)" - }, - { - "meta": { - "source-uuid": "7718e92f-b011-4f88-b822-ae245a1de407", - "target-uuid": "0722cd65-0c83-4c89-9502-539198467ab1" - }, - "uuid": "ef32147c-d309-4867-aaba-998088290e32", - "value": "Identify job postings and needs/gaps (PRE-T1055) related-to Identify job postings and needs/gaps (PRE-T1044)" - }, - { - "meta": { - "source-uuid": "d6e88e18-81e8-4709-82d8-973095da1e70", - "target-uuid": "e51398e6-53dc-4e9f-a323-e54683d8672b" - }, - "uuid": "f8559304-7ef6-4c48-8d76-a56ebf37c0be", - "value": "APT16 (G0023) uses Compromise 3rd party infrastructure to support delivery (PRE-T1111)" - }, - { - "meta": { - "source-uuid": "6a2e693f-24e5-451a-9f88-b36a108e5662", - "target-uuid": "2141aea0-cf38-49aa-9e51-ac34092bc30a" - }, - "uuid": "3d3eb711-5054-4b32-8006-15ba67d3bb25", - "value": "APT1 (G0006) uses Procure required equipment and software (PRE-T1112)" - }, - { - "meta": { - "source-uuid": "0722cd65-0c83-4c89-9502-539198467ab1", - "target-uuid": "7718e92f-b011-4f88-b822-ae245a1de407" - }, - "uuid": "689ebb39-52f4-4b2f-8678-72cfed67cb9f", - "value": "Identify job postings and needs/gaps (PRE-T1044) related-to Identify job postings and needs/gaps (PRE-T1055)" - }, - { - "meta": { - "source-uuid": "96eb59d1-6c46-44bb-bfcd-56be02a00d41", - "target-uuid": "092f05e3-f7c0-4cd2-91be-3a8d6ed3cadc" - }, - "uuid": "36990d75-9fbd-43f0-9966-ae58f0388e1d", - "value": "Analyze organizational skillsets and deficiencies (PRE-T1074) related-to Analyze organizational skillsets and deficiencies (PRE-T1066)" - }, - { - "meta": { - "source-uuid": "795c1a92-3a26-453e-b99a-6a566aa94dc6", - "target-uuid": "286cc500-4291-45c2-99a1-e760db176402" - }, - "uuid": "9a1f729c-72a9-4735-9d48-ecb54ea018a9", - "value": "Acquire and/or use 3rd party infrastructure services (PRE-T1106) related-to Acquire and/or use 3rd party infrastructure services (PRE-T1084)" - }, - { - "meta": { - "source-uuid": "6a2e693f-24e5-451a-9f88-b36a108e5662", 
- "target-uuid": "eb517589-eefc-480e-b8e3-7a8b1066f6f1" - }, - "uuid": "7c68bb22-457e-4942-9e07-36f6cd5ac5ba", - "value": "APT1 (G0006) uses Targeted social media phishing (PRE-T1143)" - }, - { - "meta": { - "source-uuid": "8f5e8dc7-739d-4f5e-a8a1-a66e004d7063", - "target-uuid": "0440f60f-9056-4791-a740-8eae96eb61fa" - }, - "uuid": "75c781d7-f9ef-42c8-b610-0dc1ecb3b350", - "value": "Cleaver (G0003) uses Authorized user performs requested cyber action (PRE-T1163)" - }, - { - "meta": { - "source-uuid": "092f05e3-f7c0-4cd2-91be-3a8d6ed3cadc", - "target-uuid": "7baccb84-356c-4e89-8c5d-58e701f033fc" - }, - "uuid": "d5bd7a33-a249-46e5-bb19-a498eba42bdb", - "value": "Analyze organizational skillsets and deficiencies (PRE-T1066) related-to Analyze organizational skillsets and deficiencies (PRE-T1077)" - }, - { - "meta": { - "source-uuid": "6a2e693f-24e5-451a-9f88-b36a108e5662", - "target-uuid": "15d5eaa4-597a-47fd-a692-f2bed434d904" - }, - "uuid": "8a2549fa-9e7c-4d47-9678-8ed0bb8fa3aa", - "value": "APT1 (G0006) uses Derive intelligence requirements (PRE-T1007)" - }, - { - "meta": { - "source-uuid": "6a2e693f-24e5-451a-9f88-b36a108e5662", - "target-uuid": "0440f60f-9056-4791-a740-8eae96eb61fa" - }, - "uuid": "0f97c2ae-2b89-4dd5-a270-42b1dcb5d403", - "value": "APT1 (G0006) uses Authorized user performs requested cyber action (PRE-T1163)" - }, - { - "meta": { - "source-uuid": "d6e88e18-81e8-4709-82d8-973095da1e70", - "target-uuid": "e24a9f99-cb76-42a3-a50b-464668773e97" - }, - "uuid": "c90a4d6a-af21-4103-ba57-3ddeb6e973e7", - "value": "APT16 (G0023) uses Spear phishing messages with malicious attachments (PRE-T1144)" - }, - { - "meta": { - "source-uuid": "8f5e8dc7-739d-4f5e-a8a1-a66e004d7063", - "target-uuid": "c860af4a-376e-46d7-afbf-262c41012227" - }, - "uuid": "eca0f05c-5025-4149-9826-3715cc243180", - "value": "Cleaver (G0003) uses Determine operational element (PRE-T1019)" - }, - { - "meta": { - "source-uuid": "c47f937f-1022-4f42-8525-e7a4779a14cb", - "target-uuid": 
"d778cb83-2292-4995-b006-d38f52bc1e64" - }, - "uuid": "683d4e44-f763-492c-b510-fa469a923798", - "value": "APT12 (G0005) uses Identify gap areas (PRE-T1002)" - }, - { - "meta": { - "source-uuid": "72c8d526-1247-42d4-919c-6d7a31ca8f39", - "target-uuid": "e6ca2820-a564-4b74-b42a-b6bdf052e5b6" - }, - "uuid": "db4dfa09-7f19-437a-9d79-15f2dc8ba0da", - "value": "Obfuscate infrastructure (PRE-T1108) related-to Obfuscate infrastructure (PRE-T1086)" - }, - { - "meta": { - "source-uuid": "0722cd65-0c83-4c89-9502-539198467ab1", - "target-uuid": "c721b235-679a-4d76-9ae9-e08921fccf84" - }, - "uuid": "bbb1c074-a93a-4e40-b11e-2151403f7f1d", - "value": "Identify job postings and needs/gaps (PRE-T1044) related-to Identify job postings and needs/gaps (PRE-T1025)" - }, - { - "meta": { - "source-uuid": "028ad431-84c5-4eb7-a364-2b797c234f88", - "target-uuid": "784ff1bc-1483-41fe-a172-4cd9ae25c06b" - }, - "uuid": "0e52753e-0a02-4bec-88f9-f8ee21b46bae", - "value": "Acquire OSINT data sets and information (PRE-T1054) related-to Acquire OSINT data sets and information (PRE-T1024)" - }, - { - "meta": { - "source-uuid": "8f5e8dc7-739d-4f5e-a8a1-a66e004d7063", - "target-uuid": "91a3735f-817a-4450-8ed4-f05a0f5c3877" - }, - "uuid": "3c7c0851-1cf8-458f-862d-4e4827f8f474", - "value": "Cleaver (G0003) uses Determine strategic target (PRE-T1018)" - }, - { - "meta": { - "source-uuid": "e5164428-03ca-4336-a9a7-4d9ea1417e59", - "target-uuid": "03f4a766-7a21-4b5e-9ccf-e0cf422ab983" - }, - "uuid": "c388ed7c-3820-41a3-98af-a48dd7e4d88b", - "value": "Acquire or compromise 3rd party signing certificates (PRE-T1087) related-to Acquire or compromise 3rd party signing certificates (PRE-T1109)" - }, - { - "meta": { - "source-uuid": "6a2e693f-24e5-451a-9f88-b36a108e5662", - "target-uuid": "9108e212-1c94-4f8d-be76-1aad9b4c86a4" - }, - "uuid": "34ba5998-4e43-4669-9701-1877aa267354", - "value": "APT1 (G0006) uses Build social network persona (PRE-T1118)" - }, - { - "meta": { - "source-uuid": 
"74a3288e-eee9-4f8e-973a-fbc128e033f1", - "target-uuid": "af358cad-eb71-4e91-a752-236edc237dae" - }, - "uuid": "f8504a07-758c-4c51-ac94-c2e7ba652e29", - "value": "Conduct social engineering (PRE-T1026) related-to Conduct social engineering (PRE-T1045)" - }, - { - "meta": { - "source-uuid": "78e41091-d10d-4001-b202-89612892b6ff", - "target-uuid": "7860e21e-7514-4a3f-8a9d-56405ccfdb0c" - }, - "uuid": "9ad9966d-4a8d-4b15-b503-c5d27104fcdd", - "value": "Identify supply chains (PRE-T1023) related-to Identify supply chains (PRE-T1053)" - }, - { - "meta": { - "source-uuid": "856a9371-4f0f-4ea9-946e-f3144204240f", - "target-uuid": "dfa4eaf4-50d9-49de-89e9-d33f579f3e05" - }, - "uuid": "e4501560-7850-4467-8422-2cf336429e8a", - "value": "Determine 3rd party infrastructure services (PRE-T1037) related-to Determine 3rd party infrastructure services (PRE-T1061)" - }, - { - "meta": { - "source-uuid": "74a3288e-eee9-4f8e-973a-fbc128e033f1", - "target-uuid": "a757670d-d600-48d9-8ae9-601d42c184a5" - }, - "uuid": "66e4da4a-6eb6-46e0-9baf-74059f341b4a", - "value": "Conduct social engineering (PRE-T1026) related-to Conduct social engineering (PRE-T1056)" - }, - { - "meta": { - "source-uuid": "e6ca2820-a564-4b74-b42a-b6bdf052e5b6", - "target-uuid": "72c8d526-1247-42d4-919c-6d7a31ca8f39" - }, - "uuid": "41be9f31-9d2b-44b8-a7dc-31f8c4519751", - "value": "Obfuscate infrastructure (PRE-T1086) related-to Obfuscate infrastructure (PRE-T1108)" - }, - { - "meta": { - "source-uuid": "2b9a666e-bd59-4f67-9031-ed41b428e04a", - "target-uuid": "784ff1bc-1483-41fe-a172-4cd9ae25c06b" - }, - "uuid": "be031f72-737b-4afd-b2c1-c565f5ab7369", - "value": "Acquire OSINT data sets and information (PRE-T1043) related-to Acquire OSINT data sets and information (PRE-T1024)" - }, - { - "meta": { - "source-uuid": "6a2e693f-24e5-451a-9f88-b36a108e5662", - "target-uuid": "df42286d-dfbd-4455-bc9d-aef52ac29aa7" - }, - "uuid": "90d7f0f0-6e41-431a-a024-9375cbc18d2b", - "value": "APT1 (G0006) uses Post compromise tool 
development (PRE-T1130)" - }, - { - "meta": { - "source-uuid": "d6e88e18-81e8-4709-82d8-973095da1e70", - "target-uuid": "91a3735f-817a-4450-8ed4-f05a0f5c3877" - }, - "uuid": "e60a165e-cfad-43e5-ba83-ea2430a377c5", - "value": "APT16 (G0023) uses Determine strategic target (PRE-T1018)" - }, - { - "meta": { - "source-uuid": "23b6a0f5-fa95-46f9-a6f3-4549c5e45ec8", - "target-uuid": "91a3735f-817a-4450-8ed4-f05a0f5c3877" - }, - "uuid": "a071fc8f-6323-420b-9812-b51f12fc7956", - "value": "Night Dragon (G0014) uses Determine strategic target (PRE-T1018)" - }, - { - "meta": { - "source-uuid": "6a2e693f-24e5-451a-9f88-b36a108e5662", - "target-uuid": "ec739e26-d097-4804-b04a-54dd81ff11e0" - }, - "uuid": "970531a2-4927-41a3-b2cd-09d445322f51", - "value": "APT1 (G0006) uses Create strategic plan (PRE-T1008)" - }, - { - "meta": { - "source-uuid": "23b6a0f5-fa95-46f9-a6f3-4549c5e45ec8", - "target-uuid": "4aeafdb3-eb0b-4e8e-b93f-95cd499088b4" - }, - "uuid": "c2571ca8-98c4-490d-b8f8-f3678b0ce74d", - "value": "Night Dragon (G0014) uses Compromise of externally facing system (PRE-T1165)" - }, - { - "meta": { - "source-uuid": "6a2e693f-24e5-451a-9f88-b36a108e5662", - "target-uuid": "489a7797-01c3-4706-8cd1-ec56a9db3adc" - }, - "uuid": "e78023e7-98de-4973-9331-843bfa28c9f7", - "value": "APT1 (G0006) uses Spear phishing messages with malicious links (PRE-T1146)" - }, - { - "meta": { - "source-uuid": "6a2e693f-24e5-451a-9f88-b36a108e5662", - "target-uuid": "357e137c-7589-4af1-895c-3fbad35ea4d2" - }, - "uuid": "f76d74b6-c797-487c-8388-536367d1b922", - "value": "APT1 (G0006) uses Obfuscate or encrypt code (PRE-T1096)" - }, - { - "meta": { - "source-uuid": "103d72e6-7e0d-4b3a-9373-c38567305c33", - "target-uuid": "eacd1efe-ee30-4b03-b58f-5b3b1adfe45d" - }, - "uuid": "87239038-7693-49b3-b595-b828cc2be1ba", - "value": "Friend/Follow/Connect to targets of interest (PRE-T1121) related-to Friend/Follow/Connect to targets of interest (PRE-T1141)" - }, - { - "meta": { - "source-uuid": 
"23b6a0f5-fa95-46f9-a6f3-4549c5e45ec8", - "target-uuid": "1a295f87-af63-4d94-b130-039d6221fb11" - }, - "uuid": "c6e43693-2a6d-4ba8-8fa7-ec1ab5239528", - "value": "Night Dragon (G0014) uses Acquire and/or use 3rd party software services (PRE-T1085)" - }, - { - "meta": { - "source-uuid": "6a2e693f-24e5-451a-9f88-b36a108e5662", - "target-uuid": "91a3735f-817a-4450-8ed4-f05a0f5c3877" - }, - "uuid": "5ed44a06-bcb4-4293-8bf4-aaebefddc09c", - "value": "APT1 (G0006) uses Determine strategic target (PRE-T1018)" - }, - { - "meta": { - "source-uuid": "6a2e693f-24e5-451a-9f88-b36a108e5662", - "target-uuid": "aadaee0d-794c-4642-8293-7ec22a99fb1a" - }, - "uuid": "db10491f-a854-4404-9271-600349484bc3", - "value": "APT1 (G0006) uses Domain registration hijacking (PRE-T1103)" - }, - { - "meta": { - "source-uuid": "d6e88e18-81e8-4709-82d8-973095da1e70", - "target-uuid": "5b6ce031-bb86-407a-9984-2b9700ac4549" - }, - "uuid": "4eb0e01c-85ae-466a-a8ff-0cf7891c5ab2", - "value": "APT16 (G0023) uses Identify business relationships (PRE-T1049)" - }, - { - "meta": { - "source-uuid": "092f05e3-f7c0-4cd2-91be-3a8d6ed3cadc", - "target-uuid": "96eb59d1-6c46-44bb-bfcd-56be02a00d41" - }, - "uuid": "7bd3d2ba-f114-4835-97b6-1c3e2208d3f3", - "value": "Analyze organizational skillsets and deficiencies (PRE-T1066) related-to Analyze organizational skillsets and deficiencies (PRE-T1074)" - }, - { - "meta": { - "source-uuid": "488da8ed-2887-4ef6-a39a-5b69bc6682c6", - "target-uuid": "1a295f87-af63-4d94-b130-039d6221fb11" - }, - "uuid": "2bf984b5-1a48-4d9a-a4f2-e97801254b84", - "value": "Acquire and/or use 3rd party software services (PRE-T1107) related-to Acquire and/or use 3rd party software services (PRE-T1085)" - }, - { - "meta": { - "source-uuid": "59369f72-3005-4e54-9095-3d00efcece73", - "target-uuid": "7860e21e-7514-4a3f-8a9d-56405ccfdb0c" - }, - "uuid": "c124f0ba-f4bc-430a-b40c-eebe0577f812", - "value": "Identify supply chains (PRE-T1042) related-to Identify supply chains (PRE-T1053)" - }, - { - 
"meta": { - "source-uuid": "1a295f87-af63-4d94-b130-039d6221fb11", - "target-uuid": "488da8ed-2887-4ef6-a39a-5b69bc6682c6" - }, - "uuid": "3d781e9a-d3f8-4e9f-bb23-ba6c2ff22267", - "value": "Acquire and/or use 3rd party software services (PRE-T1085) related-to Acquire and/or use 3rd party software services (PRE-T1107)" - }, - { - "meta": { - "source-uuid": "d6e88e18-81e8-4709-82d8-973095da1e70", - "target-uuid": "ef0f816a-d561-4953-84c6-2a2936c96957" - }, - "uuid": "597be8e7-58a4-4aff-a803-48a7a08164a2", - "value": "APT16 (G0023) uses Discover target logon/email address format (PRE-T1032)" - }, - { - "meta": { - "source-uuid": "c47f937f-1022-4f42-8525-e7a4779a14cb", - "target-uuid": "df42286d-dfbd-4455-bc9d-aef52ac29aa7" - }, - "uuid": "7a254f4d-c7cf-4b98-94e9-3937785b7d68", - "value": "APT12 (G0005) uses Post compromise tool development (PRE-T1130)" - }, - { - "meta": { - "source-uuid": "a757670d-d600-48d9-8ae9-601d42c184a5", - "target-uuid": "af358cad-eb71-4e91-a752-236edc237dae" - }, - "uuid": "46f1e7d4-4d73-4e33-b88b-b3bcde5d81fb", - "value": "Conduct social engineering (PRE-T1056) related-to Conduct social engineering (PRE-T1045)" - } - ], - "version": 2 -} diff --git a/galaxies/mitre-enterprise-attack-relationship.json b/galaxies/mitre-enterprise-attack-relationship.json deleted file mode 100644 index 9353050..0000000 --- a/galaxies/mitre-enterprise-attack-relationship.json +++ /dev/null @@ -1,9 +0,0 @@ -{ - "description": "Mitre Relationship", - "icon": "link", - "name": "Enterprise Attack - Relationship", - "namespace": "mitre-attack", - "type": "mitre-enterprise-attack-relationship", - "uuid": "fc404638-1707-11e8-a5cf-b78b9b562766", - "version": 4 -} diff --git a/galaxies/mitre-mobile-attack-relationship.json b/galaxies/mitre-mobile-attack-relationship.json deleted file mode 100644 index e99d84d..0000000 --- a/galaxies/mitre-mobile-attack-relationship.json +++ /dev/null 
@@ -1,9 +0,0 @@ -{ - "description": "Mitre Relationship", - "icon": "link", - "name": "Mobile Attack - Relationship", - "namespace": "mitre-attack", - "type": "mitre-mobile-attack-relationship", - "uuid": "fc8471aa-1707-11e8-b306-33cbe96a1ede", - "version": 4 -} diff --git a/galaxies/mitre-pre-attack-relationship.json b/galaxies/mitre-pre-attack-relationship.json deleted file mode 100644 index 1385b72..0000000 --- a/galaxies/mitre-pre-attack-relationship.json +++ /dev/null @@ -1,9 +0,0 @@ -{ - "description": "Mitre Relationship", - "icon": "link", - "name": "Pre Attack - Relationship", - "namespace": "mitre-attack", - "type": "mitre-pre-attack-relationship", - "uuid": "1f8e3bae-1708-11e8-8e97-4bd2150e5aae", - "version": 5 -} From ca6c1caa8f17cabaef47b892a741e735452038d4 Mon Sep 17 00:00:00 2001 From: Christophe Vandeplas Date: Wed, 17 Oct 2018 08:26:45 +0200 Subject: [PATCH 04/17] fix: jq all the things --- clusters/mitre-enterprise-attack-course-of-action.json | 2 +- clusters/mitre-enterprise-attack-intrusion-set.json | 2 +- clusters/mitre-enterprise-attack-malware.json | 2 +- clusters/mitre-enterprise-attack-tool.json | 2 +- clusters/mitre-mobile-attack-course-of-action.json | 2 +- clusters/mitre-mobile-attack-malware.json | 2 +- clusters/mitre-mobile-attack-tool.json | 2 +- clusters/mitre-pre-attack-attack-pattern.json | 2 +- clusters/mitre-pre-attack-intrusion-set.json | 2 +- 9 files changed, 9 insertions(+), 9 deletions(-) diff --git a/clusters/mitre-enterprise-attack-course-of-action.json b/clusters/mitre-enterprise-attack-course-of-action.json index 4c29ae1..584f5d0 100644 --- a/clusters/mitre-enterprise-attack-course-of-action.json +++ b/clusters/mitre-enterprise-attack-course-of-action.json @@ -3665,4 +3665,4 @@ } ], "version": 5 -} \ No newline at end of file +} diff --git a/clusters/mitre-enterprise-attack-intrusion-set.json b/clusters/mitre-enterprise-attack-intrusion-set.json index b47a847..bfacbdb 100644 
--- a/clusters/mitre-enterprise-attack-intrusion-set.json +++ b/clusters/mitre-enterprise-attack-intrusion-set.json @@ -2461,4 +2461,4 @@ } ], "version": 6 -} \ No newline at end of file +} diff --git a/clusters/mitre-enterprise-attack-malware.json b/clusters/mitre-enterprise-attack-malware.json index 89fe9ae..4130409 100644 --- a/clusters/mitre-enterprise-attack-malware.json +++ b/clusters/mitre-enterprise-attack-malware.json @@ -5914,4 +5914,4 @@ } ], "version": 7 -} \ No newline at end of file +} diff --git a/clusters/mitre-enterprise-attack-tool.json b/clusters/mitre-enterprise-attack-tool.json index 7ca5e71..e14a2d3 100644 --- a/clusters/mitre-enterprise-attack-tool.json +++ b/clusters/mitre-enterprise-attack-tool.json @@ -1194,4 +1194,4 @@ } ], "version": 7 -} \ No newline at end of file +} diff --git a/clusters/mitre-mobile-attack-course-of-action.json b/clusters/mitre-mobile-attack-course-of-action.json index ad091ce..c0b32e7 100644 --- a/clusters/mitre-mobile-attack-course-of-action.json +++ b/clusters/mitre-mobile-attack-course-of-action.json @@ -248,4 +248,4 @@ } ], "version": 4 -} \ No newline at end of file +} diff --git a/clusters/mitre-mobile-attack-malware.json b/clusters/mitre-mobile-attack-malware.json index 58ad3eb..11befb3 100644 --- a/clusters/mitre-mobile-attack-malware.json +++ b/clusters/mitre-mobile-attack-malware.json @@ -963,4 +963,4 @@ } ], "version": 6 -} \ No newline at end of file +} diff --git a/clusters/mitre-mobile-attack-tool.json b/clusters/mitre-mobile-attack-tool.json index e895d9a..848eaa4 100644 --- a/clusters/mitre-mobile-attack-tool.json +++ b/clusters/mitre-mobile-attack-tool.json @@ -55,4 +55,4 @@ } ], "version": 6 -} \ No newline at end of file +} diff --git a/clusters/mitre-pre-attack-attack-pattern.json b/clusters/mitre-pre-attack-attack-pattern.json index 6e2f84c..db225d9 100644 --- a/clusters/mitre-pre-attack-attack-pattern.json +++ b/clusters/mitre-pre-attack-attack-pattern.json 
@@ -2743,4 +2743,4 @@ } ], "version": 4 -} \ No newline at end of file +} diff --git a/clusters/mitre-pre-attack-intrusion-set.json b/clusters/mitre-pre-attack-intrusion-set.json index 4212740..e75f561 100644 --- a/clusters/mitre-pre-attack-intrusion-set.json +++ b/clusters/mitre-pre-attack-intrusion-set.json @@ -327,4 +327,4 @@ } ], "version": 5 -} \ No newline at end of file +} From 1e90cac7175f0c06a2afdba230f25e80662fccd1 Mon Sep 17 00:00:00 2001 From: Christophe Vandeplas Date: Wed, 17 Oct 2018 16:59:01 +0200 Subject: [PATCH 05/17] fix: intrusion is an actor and not a tool --- clusters/android.json | 55 +---- clusters/banker.json | 72 +------ clusters/botnet.json | 74 +------ clusters/exploit-kit.json | 25 +-- clusters/malpedia.json | 132 ++---------- ...mitre-enterprise-attack-intrusion-set.json | 93 ++++++++- clusters/mitre-enterprise-attack-malware.json | 114 ++++------- clusters/mitre-intrusion-set.json | 149 +++++++++++++- clusters/mitre-malware.json | 107 ++++------ .../mitre-mobile-attack-intrusion-set.json | 48 +---- clusters/mitre-pre-attack-intrusion-set.json | 9 +- clusters/ransomware.json | 54 +---- clusters/rat.json | 23 ++- clusters/threat-actor.json | 144 ++++++------- clusters/tool.json | 190 +++++++++++++----- tools/gen_mapping.py | 2 +- 16 files changed, 591 insertions(+), 700 deletions(-) diff --git a/clusters/android.json b/clusters/android.json index 4dadc9f..c84eeae 100644 --- a/clusters/android.json +++ b/clusters/android.json @@ -138,13 +138,6 @@ ] }, "related": [ - { - "dest-uuid": "a6f481fe-b6db-4507-bb3c-28f10d800e2f", - "tags": [ - "estimative-language:likelihood-probability=\"likely\"" - ], - "type": "similar" - }, { "dest-uuid": "b8fa5036-813f-4887-b4d4-bb17b4a7eba0", "tags": [ @@ -3802,7 +3795,7 @@ }, "related": [ { - "dest-uuid": "60c18d06-7b91-4742-bae3-647845cd9d81", + "dest-uuid": "43cd8a09-9c80-48c8-9568-1992433af60a", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], 
@@ -3821,41 +3814,6 @@ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" - }, - { - "dest-uuid": "8ae43c46-57ef-47d5-a77a-eebb35628db2", - "tags": [ - "estimative-language:likelihood-probability=\"likely\"" - ], - "type": "similar" - }, - { - "dest-uuid": "bef4c620-0787-42a8-a96d-b7eb6e85917c", - "tags": [ - "estimative-language:likelihood-probability=\"likely\"" - ], - "type": "similar" - }, - { - "dest-uuid": "43cd8a09-9c80-48c8-9568-1992433af60a", - "tags": [ - "estimative-language:likelihood-probability=\"likely\"" - ], - "type": "similar" - }, - { - "dest-uuid": "d26b5518-8d7f-41a6-b539-231e4962853e", - "tags": [ - "estimative-language:likelihood-probability=\"likely\"" - ], - "type": "similar" - }, - { - "dest-uuid": "6bd20349-1231-4aaa-ba2a-f4b09d3b344c", - "tags": [ - "estimative-language:likelihood-probability=\"likely\"" - ], - "type": "similar" } ], "uuid": "df36267b-7267-4c23-a7a1-cf94ef1b3729", @@ -4605,15 +4563,6 @@ "https://researchcenter.paloaltonetworks.com/2018/04/unit42-henbox-inside-coop/" ] }, - "related": [ - { - "dest-uuid": "36ee04f4-a9df-11e8-b92b-d7ddfd3a8896", - "tags": [ - "estimative-language:likelihood-probability=\"likely\"" - ], - "type": "similar" - } - ], "uuid": "72c37e24-4ead-11e8-8f08-db3ec8f8db86§", "value": "HenBox" }, @@ -4676,5 +4625,5 @@ "value": "Triout" } ], - "version": 15 + "version": 16 } diff --git a/clusters/banker.json b/clusters/banker.json index 8820196..0937e4f 100644 --- a/clusters/banker.json +++ b/clusters/banker.json 
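Review bot: The HenBox entry in the `@@ -4605,15 +4563,6 @@` hunk of clusters/android.json keeps `"uuid": "72c37e24-4ead-11e8-8f08-db3ec8f8db86§"` on its context line, and the trailing `§` makes it an invalid UUID. The commit removes this entry's `related` block but leaves the identifier untouched, so any tool that keys on the uuid or resolves a `dest-uuid` against it can only match the malformed string. The line should read `"uuid": "72c37e24-4ead-11e8-8f08-db3ec8f8db86",`. A UUID format check on every `uuid` and `dest-uuid` in the cluster validation step would catch this class of error. Whether other clusters reference the value with the `§` is not visible here.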
@@ -99,26 +99,12 @@ ], "type": "similar" }, - { - "dest-uuid": "7ca93488-c357-44c3-b246-3f88391aca5a", - "tags": [ - "estimative-language:likelihood-probability=\"likely\"" - ], - "type": "similar" - }, { "dest-uuid": "b4216929-1626-4444-bdd7-bfd4b68a766e", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" - }, - { - "dest-uuid": "66781866-f064-467d-925d-5e5f290352f0", - "tags": [ - "estimative-language:likelihood-probability=\"likely\"" - ], - "type": "similar" } ], "uuid": "44754726-e1d5-4e5f-a113-234c4a8ca65e", @@ -200,13 +186,6 @@ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" - }, - { - "dest-uuid": "0f96a666-bf26-44e0-8ad6-f2136208c924", - "tags": [ - "estimative-language:likelihood-probability=\"likely\"" - ], - "type": "similar" } ], "uuid": "ffbbbc14-1cdb-4be9-a631-ed53c5407369", @@ -241,13 +220,6 @@ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" - }, - { - "dest-uuid": "ffbbbc14-1cdb-4be9-a631-ed53c5407369", - "tags": [ - "estimative-language:likelihood-probability=\"likely\"" - ], - "type": "similar" } ], "uuid": "0f96a666-bf26-44e0-8ad6-f2136208c924", @@ -480,13 +452,6 @@ ] }, "related": [ - { - "dest-uuid": "96b2b31e-b191-43c4-9929-48ba1cbee62c", - "tags": [ - "estimative-language:likelihood-probability=\"likely\"" - ], - "type": "similar" - }, { "dest-uuid": "75f53ead-1aee-4f91-8cb9-b4170d747cfc", "tags": [ @@ -559,20 +524,6 @@ ], "type": "similar" }, - { - "dest-uuid": "44754726-e1d5-4e5f-a113-234c4a8ca65e", - "tags": [ - "estimative-language:likelihood-probability=\"likely\"" - ], - "type": "similar" - }, - { - "dest-uuid": "b4216929-1626-4444-bdd7-bfd4b68a766e", - "tags": [ - "estimative-language:likelihood-probability=\"likely\"" - ], - "type": "similar" - }, { "dest-uuid": "66781866-f064-467d-925d-5e5f290352f0", "tags": [ 
@@ -643,13 +594,6 @@ ], "type": "similar" }, - { - "dest-uuid": "6e1168e6-7768-4fa2-951f-6d6934531633", - "tags": [ - "estimative-language:likelihood-probability=\"likely\"" - ], - "type": "similar" - }, { "dest-uuid": "2ccaccd0-8362-4224-8497-2012e7cc7549", "tags": [ @@ -757,13 +701,6 @@ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" - }, - { - "dest-uuid": "e159c4f8-3c22-49f9-a60a-16588a9c22b0", - "tags": [ - "estimative-language:likelihood-probability=\"likely\"" - ], - "type": "similar" } ], "uuid": "87b69cb4-8b65-47ee-91b0-9b1decdd5c5c", @@ -1000,13 +937,6 @@ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" - }, - { - "dest-uuid": "87b69cb4-8b65-47ee-91b0-9b1decdd5c5c", - "tags": [ - "estimative-language:likelihood-probability=\"likely\"" - ], - "type": "similar" } ], "uuid": "e159c4f8-3c22-49f9-a60a-16588a9c22b0", @@ -1244,5 +1174,5 @@ "value": "CamuBot" } ], - "version": 14 + "version": 15 } diff --git a/clusters/botnet.json b/clusters/botnet.json index dee8b15..47a56be 100644 --- a/clusters/botnet.json +++ b/clusters/botnet.json @@ -195,20 +195,6 @@ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" - }, - { - "dest-uuid": "b2ec1f16-2a76-4910-adc5-ecb3570e7c1a", - "tags": [ - "estimative-language:likelihood-probability=\"likely\"" - ], - "type": "similar" - }, - { - "dest-uuid": "2ccaccd0-8362-4224-8497-2012e7cc7549", - "tags": [ - "estimative-language:likelihood-probability=\"likely\"" - ], - "type": "similar" } ], "uuid": "6e1168e6-7768-4fa2-951f-6d6934531633", 
@@ -721,20 +707,6 @@ ], "type": "similar" }, - { - "dest-uuid": "f24ad5ca-04c5-4cd0-bd72-209ebce4fdbc", - "tags": [ - "estimative-language:likelihood-probability=\"likely\"" - ], - "type": "variant-of" - }, - { - "dest-uuid": "025ab0ce-bffc-11e8-be19-d70ec22c5d56", - "tags": [ - "estimative-language:likelihood-probability=\"likely\"" - ], - "type": "variant-of" - }, { "dest-uuid": "17e12216-a303-4a00-8283-d3fe92d0934c", "tags": [ @@ -877,27 +849,6 @@ ] }, "related": [ - { - "dest-uuid": "fcdfd4af-da35-49a8-9610-19be8a487185", - "tags": [ - "estimative-language:likelihood-probability=\"likely\"" - ], - "type": "variant-of" - }, - { - "dest-uuid": "dcbf1aaa-1fdd-4bfc-a35e-145ffdfb5ac5", - "tags": [ - "estimative-language:likelihood-probability=\"likely\"" - ], - "type": "variant-of" - }, - { - "dest-uuid": "025ab0ce-bffc-11e8-be19-d70ec22c5d56", - "tags": [ - "estimative-language:likelihood-probability=\"likely\"" - ], - "type": "variant-of" - }, { "dest-uuid": "ec67f206-6464-48cf-a012-3cdfc1278488", "tags": [ @@ -1085,29 +1036,6 @@ "Mirai Sora" ] }, - "related": [ - { - "dest-uuid": "fcdfd4af-da35-49a8-9610-19be8a487185", - "tags": [ - "estimative-language:likelihood-probability=\"likely\"" - ], - "type": "variant-of" - }, - { - "dest-uuid": "dcbf1aaa-1fdd-4bfc-a35e-145ffdfb5ac5", - "tags": [ - "estimative-language:likelihood-probability=\"likely\"" - ], - "type": "variant-of" - }, - { - "dest-uuid": "f24ad5ca-04c5-4cd0-bd72-209ebce4fdbc", - "tags": [ - "estimative-language:likelihood-probability=\"likely\"" - ], - "type": "variant-of" - } - ], "uuid": "025ab0ce-bffc-11e8-be19-d70ec22c5d56", "value": "Sora" }, @@ -1151,5 +1079,5 @@ "value": "Persirai" } ], - "version": 16 + "version": 17 } diff --git a/clusters/exploit-kit.json b/clusters/exploit-kit.json index fb1d618..43bb6ce 100644 --- a/clusters/exploit-kit.json +++ b/clusters/exploit-kit.json 
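Review bot: The clusters/botnet.json hunks at `@@ -721,20 +707,6 @@`, `@@ -877,27 +849,6 @@` and `@@ -1085,29 +1036,6 @@` delete `"type": "variant-of"` relations, and the clusters/exploit-kit.json hunk at `@@ -53,15 +53,6 @@` deletes a `"type": "dropped"` relation tagged `almost-certain`. None of these is a `similar` link and none is re-added in the visible hunks. The commit subject is about intrusion sets being actors rather than tools, so the loss looks like a side effect of regenerating the files, presumably by the mapping script, which is not shown here. After this change the Sora entry (`025ab0ce-bffc-11e8-be19-d70ec22c5d56`) and the Fallout entry (`1f05f646-5af6-4a95-825b-164f49616aa4`) have no `related` block at all, so analysts pivoting on them lose the links to the other variants and to the dropped payload. I would either restore these blocks or make the generator preserve every relation whose type is not `similar`, and state it in the commit message if the removal is deliberate.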
@@ -53,15 +53,6 @@ "Fallout" ] }, - "related": [ - { - "dest-uuid": "5920464b-e093-4fa0-a275-438dffef228f", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "dropped" - } - ], "uuid": "1f05f646-5af6-4a95-825b-164f49616aa4", "value": "Fallout" }, @@ -280,20 +271,6 @@ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" - }, - { - "dest-uuid": "5594b171-32ec-4145-b712-e7701effffdd", - "tags": [ - "estimative-language:likelihood-probability=\"likely\"" - ], - "type": "similar" - }, - { - "dest-uuid": "5eee35b6-bd21-4b67-b198-e9320fcf2c88", - "tags": [ - "estimative-language:likelihood-probability=\"likely\"" - ], - "type": "similar" } ], "uuid": "96b2b31e-b191-43c4-9929-48ba1cbee62c", @@ -761,5 +738,5 @@ "value": "Unknown" } ], - "version": 11 + "version": 12 } diff --git a/clusters/malpedia.json b/clusters/malpedia.json index 95aadce..721cca0 100644 --- a/clusters/malpedia.json +++ b/clusters/malpedia.json @@ -495,13 +495,6 @@ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" - }, - { - "dest-uuid": "fbda9705-677b-4c5b-9b0b-13b52eff587c", - "tags": [ - "estimative-language:likelihood-probability=\"likely\"" - ], - "type": "similar" } ], "uuid": "a6f481fe-b6db-4507-bb3c-28f10d800e2f", @@ -2812,13 +2805,6 @@ ], "type": "similar" }, - { - "dest-uuid": "bef4c620-0787-42a8-a96d-b7eb6e85917c", - "tags": [ - "estimative-language:likelihood-probability=\"likely\"" - ], - "type": "similar" - }, { "dest-uuid": "43cd8a09-9c80-48c8-9568-1992433af60a", "tags": [ 
@@ -2840,26 +2826,12 @@ ], "type": "similar" }, - { - "dest-uuid": "60c18d06-7b91-4742-bae3-647845cd9d81", - "tags": [ - "estimative-language:likelihood-probability=\"likely\"" - ], - "type": "similar" - }, { "dest-uuid": "6bd20349-1231-4aaa-ba2a-f4b09d3b344c", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" - }, - { - "dest-uuid": "df36267b-7267-4c23-a7a1-cf94ef1b3729", - "tags": [ - "estimative-language:likelihood-probability=\"likely\"" - ], - "type": "similar" } ], "uuid": "d26b5518-8d7f-41a6-b539-231e4962853e", @@ -5280,6 +5252,13 @@ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" + }, + { + "dest-uuid": "276c2c2e-09da-44cf-a3f7-806b3feb41da", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" } ], "uuid": "16794655-c0e2-4510-9169-f862df104045", @@ -7481,20 +7460,6 @@ "type": [] }, "related": [ - { - "dest-uuid": "276c2c2e-09da-44cf-a3f7-806b3feb41da", - "tags": [ - "estimative-language:likelihood-probability=\"likely\"" - ], - "type": "similar" - }, - { - "dest-uuid": "66781866-f064-467d-925d-5e5f290352f0", - "tags": [ - "estimative-language:likelihood-probability=\"likely\"" - ], - "type": "similar" - }, { "dest-uuid": "44754726-e1d5-4e5f-a113-234c4a8ca65e", "tags": [ @@ -7503,7 +7468,7 @@ "type": "similar" }, { - "dest-uuid": "7ca93488-c357-44c3-b246-3f88391aca5a", + "dest-uuid": "276c2c2e-09da-44cf-a3f7-806b3feb41da", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], @@ -8294,20 +8259,6 @@ ], "type": "similar" }, - { - "dest-uuid": "b4216929-1626-4444-bdd7-bfd4b68a766e", - "tags": [ - "estimative-language:likelihood-probability=\"likely\"" - ], - "type": "similar" - }, - { - "dest-uuid": "44754726-e1d5-4e5f-a113-234c4a8ca65e", - "tags": [ - "estimative-language:likelihood-probability=\"likely\"" - ], - "type": "similar" - }, { "dest-uuid": "7ca93488-c357-44c3-b246-3f88391aca5a", "tags": [ 
@@ -9558,13 +9509,6 @@ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" - }, - { - "dest-uuid": "cd201689-4bf1-4c5b-ac4d-21c4dcc39e7d", - "tags": [ - "estimative-language:likelihood-probability=\"likely\"" - ], - "type": "similar" } ], "uuid": "4166ab63-24b0-4448-92ea-21c8deef978d", @@ -9609,13 +9553,6 @@ "type": [] }, "related": [ - { - "dest-uuid": "083bb47b-02c8-4423-81a2-f9ef58572974", - "tags": [ - "estimative-language:likelihood-probability=\"likely\"" - ], - "type": "similar" - }, { "dest-uuid": "d7183f66-59ec-4803-be20-237b442259fc", "tags": [ @@ -10716,6 +10653,13 @@ "type": [] }, "related": [ + { + "dest-uuid": "2a16a1d4-a098-4f17-80f3-3cfc6c60b539", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" + }, { "dest-uuid": "74167065-90b3-4c29-807a-79b6f098e45b", "tags": [ @@ -14000,13 +13944,6 @@ ], "type": "similar" }, - { - "dest-uuid": "4166ab63-24b0-4448-92ea-21c8deef978d", - "tags": [ - "estimative-language:likelihood-probability=\"likely\"" - ], - "type": "similar" - }, { "dest-uuid": "652b5242-b790-4695-ad0e-b79bbf78f351", "tags": [ @@ -14475,13 +14412,6 @@ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" - }, - { - "dest-uuid": "6e1168e6-7768-4fa2-951f-6d6934531633", - "tags": [ - "estimative-language:likelihood-probability=\"likely\"" - ], - "type": "similar" } ], "uuid": "2ccaccd0-8362-4224-8497-2012e7cc7549", @@ -16075,7 +16005,7 @@ "type": "similar" }, { - "dest-uuid": "bef4c620-0787-42a8-a96d-b7eb6e85917c", + "dest-uuid": "d26b5518-8d7f-41a6-b539-231e4962853e", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], 
@@ -16101,27 +16031,6 @@ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" - }, - { - "dest-uuid": "60c18d06-7b91-4742-bae3-647845cd9d81", - "tags": [ - "estimative-language:likelihood-probability=\"likely\"" - ], - "type": "similar" - }, - { - "dest-uuid": "d26b5518-8d7f-41a6-b539-231e4962853e", - "tags": [ - "estimative-language:likelihood-probability=\"likely\"" - ], - "type": "similar" - }, - { - "dest-uuid": "df36267b-7267-4c23-a7a1-cf94ef1b3729", - "tags": [ - "estimative-language:likelihood-probability=\"likely\"" - ], - "type": "similar" } ], "uuid": "6bd20349-1231-4aaa-ba2a-f4b09d3b344c", @@ -17669,13 +17578,6 @@ "type": [] }, "related": [ - { - "dest-uuid": "96b2b31e-b191-43c4-9929-48ba1cbee62c", - "tags": [ - "estimative-language:likelihood-probability=\"likely\"" - ], - "type": "similar" - }, { "dest-uuid": "75f53ead-1aee-4f91-8cb9-b4170d747cfc", "tags": [ @@ -19976,5 +19878,5 @@ "value": "Zyklon" } ], - "version": 1650 + "version": 1651 } diff --git a/clusters/mitre-enterprise-attack-intrusion-set.json b/clusters/mitre-enterprise-attack-intrusion-set.json index bfacbdb..b256c4b 100644 --- a/clusters/mitre-enterprise-attack-intrusion-set.json +++ b/clusters/mitre-enterprise-attack-intrusion-set.json @@ -290,6 +290,13 @@ ] }, "related": [ + { + "dest-uuid": "99e30d89-9361-4b73-a999-9e5ff9320bcb", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" + }, { "dest-uuid": "24110866-cb22-4c85-a7d2-0413e126694b", "tags": [ @@ -297,6 +304,13 @@ ], "type": "similar" }, + { + "dest-uuid": "a0cb9370-e39b-44d5-9f50-ef78e412b973", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" + }, { "dest-uuid": "090242d7-73fc-4738-af68-20162f7a5aae", "tags": [ 
@@ -350,6 +364,13 @@ ], "type": "similar" }, + { + "dest-uuid": "103ebfd8-4280-4027-b61a-69bd9967ad6c", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" + }, { "dest-uuid": "f4882e23-8aa7-4b12-b28a-b349c12ee9e0", "tags": [ @@ -659,6 +680,13 @@ ], "type": "similar" }, + { + "dest-uuid": "b96e02f1-4037-463f-b158-5a964352f8d9", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" + }, { "dest-uuid": "f9d6633a-55e6-4adc-9263-6ae080421a13", "tags": [ @@ -810,6 +838,13 @@ ], "type": "similar" }, + { + "dest-uuid": "f3bdec95-3d62-42d9-a840-29630f6cdc1a", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" + }, { "dest-uuid": "519630c5-f03f-4882-825c-3af924935817", "tags": [ @@ -884,6 +919,13 @@ ] }, "related": [ + { + "dest-uuid": "2e5d3a83-fe00-41a5-9b60-237efc84832f", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" + }, { "dest-uuid": "a9b44750-992c-4743-8922-129880d277ea", "tags": [ @@ -1179,6 +1221,13 @@ ], "type": "similar" }, + { + "dest-uuid": "f047ee18-7985-4946-8bfb-4ed754d3a0dd", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" + }, { "dest-uuid": "5a63f900-5e7e-4928-a746-dd4558e1df71", "tags": [ @@ -1343,6 +1392,13 @@ ] }, "related": [ + { + "dest-uuid": "2a158b0a-7ef8-43cb-9985-bf34d1e12050", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" + }, { "dest-uuid": "2f1fd017-9df6-4759-91fb-e7039609b5ff", "tags": [ @@ -1468,6 +1524,13 @@ ], "type": "similar" }, + { + "dest-uuid": "55033a4d-3ffe-46b2-99b4-2c1541e9ce1c", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" + }, { "dest-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9", "tags": [ 
@@ -2059,6 +2122,20 @@ ] }, "related": [ + { + "dest-uuid": "c5947e1c-1cbc-434c-94b8-27c7e3be0fff", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" + }, + { + "dest-uuid": "99e30d89-9361-4b73-a999-9e5ff9320bcb", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" + }, { "dest-uuid": "24110866-cb22-4c85-a7d2-0413e126694b", "tags": [ @@ -2159,6 +2236,13 @@ ], "type": "similar" }, + { + "dest-uuid": "b96e02f1-4037-463f-b158-5a964352f8d9", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" + }, { "dest-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104", "tags": [ @@ -2257,6 +2341,13 @@ ] }, "related": [ + { + "dest-uuid": "3753cc21-2dae-4dfb-8481-d004e74502cc", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" + }, { "dest-uuid": "00220228-a5a4-4032-a30d-826bb55aa3fb", "tags": [ @@ -2460,5 +2551,5 @@ "value": "Gamaredon Group - G0047" } ], - "version": 6 + "version": 7 } diff --git a/clusters/mitre-enterprise-attack-malware.json b/clusters/mitre-enterprise-attack-malware.json index 4130409..1306a7d 100644 --- a/clusters/mitre-enterprise-attack-malware.json +++ b/clusters/mitre-enterprise-attack-malware.json @@ -370,13 +370,6 @@ ], "type": "similar" }, - { - "dest-uuid": "c04fc02e-f35a-44b6-a9b0-732bf2fc551a", - "tags": [ - "estimative-language:likelihood-probability=\"likely\"" - ], - "type": "similar" - }, { "dest-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580", "tags": [ 
@@ -1560,6 +1553,27 @@ ], "type": "similar" }, + { + "dest-uuid": "43cd8a09-9c80-48c8-9568-1992433af60a", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" + }, + { + "dest-uuid": "1de47f51-1f20-403b-a2e1-5eaabe275faa", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" + }, + { + "dest-uuid": "3948ce95-468e-4ce1-82b1-57439c6d6afd", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" + }, { "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", "tags": [ @@ -1869,6 +1883,13 @@ ], "type": "similar" }, + { + "dest-uuid": "e336aeba-b61a-44e0-a0df-cd52a5839db5", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" + }, { "dest-uuid": "7789fc1b-3cbc-4a1c-8ef0-8b06760f93e7", "tags": [ @@ -3620,6 +3641,13 @@ ], "type": "similar" }, + { + "dest-uuid": "0a52e73b-d7e9-45ae-9bda-46568f753931", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" + }, { "dest-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0", "tags": [ 
@@ -4007,48 +4035,6 @@ ], "type": "similar" }, - { - "dest-uuid": "df36267b-7267-4c23-a7a1-cf94ef1b3729", - "tags": [ - "estimative-language:likelihood-probability=\"likely\"" - ], - "type": "similar" - }, - { - "dest-uuid": "8ae43c46-57ef-47d5-a77a-eebb35628db2", - "tags": [ - "estimative-language:likelihood-probability=\"likely\"" - ], - "type": "similar" - }, - { - "dest-uuid": "bef4c620-0787-42a8-a96d-b7eb6e85917c", - "tags": [ - "estimative-language:likelihood-probability=\"likely\"" - ], - "type": "similar" - }, - { - "dest-uuid": "43cd8a09-9c80-48c8-9568-1992433af60a", - "tags": [ - "estimative-language:likelihood-probability=\"likely\"" - ], - "type": "similar" - }, - { - "dest-uuid": "d26b5518-8d7f-41a6-b539-231e4962853e", - "tags": [ - "estimative-language:likelihood-probability=\"likely\"" - ], - "type": "similar" - }, - { - "dest-uuid": "6bd20349-1231-4aaa-ba2a-f4b09d3b344c", - "tags": [ - "estimative-language:likelihood-probability=\"likely\"" - ], - "type": "similar" - }, { "dest-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a", "tags": [ @@ -4630,6 +4616,13 @@ ], "type": "similar" }, + { + "dest-uuid": "da079741-05e6-458c-b434-011263dc691c", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" + }, { "dest-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6", "tags": [ @@ -5821,13 +5814,6 @@ ] }, "related": [ - { - "dest-uuid": "bef4c620-0787-42a8-a96d-b7eb6e85917c", - "tags": [ - "estimative-language:likelihood-probability=\"likely\"" - ], - "type": "similar" - }, { "dest-uuid": "43cd8a09-9c80-48c8-9568-1992433af60a", "tags": [ 
@@ -5849,20 +5835,6 @@ ], "type": "similar" }, - { - "dest-uuid": "60c18d06-7b91-4742-bae3-647845cd9d81", - "tags": [ - "estimative-language:likelihood-probability=\"likely\"" - ], - "type": "similar" - }, - { - "dest-uuid": "df36267b-7267-4c23-a7a1-cf94ef1b3729", - "tags": [ - "estimative-language:likelihood-probability=\"likely\"" - ], - "type": "similar" - }, { "dest-uuid": "d26b5518-8d7f-41a6-b539-231e4962853e", "tags": [ @@ -5913,5 +5885,5 @@ "value": "ELMER - S0064" } ], - "version": 7 + "version": 8 } diff --git a/clusters/mitre-intrusion-set.json b/clusters/mitre-intrusion-set.json index 88298f5..c71799d 100644 --- a/clusters/mitre-intrusion-set.json +++ b/clusters/mitre-intrusion-set.json @@ -177,6 +177,13 @@ "uuid": "c5947e1c-1cbc-434c-94b8-27c7e3be0fff" }, "related": [ + { + "dest-uuid": "99e30d89-9361-4b73-a999-9e5ff9320bcb", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" + }, { "dest-uuid": "24110866-cb22-4c85-a7d2-0413e126694b", "tags": [ @@ -184,6 +191,13 @@ ], "type": "similar" }, + { + "dest-uuid": "a0cb9370-e39b-44d5-9f50-ef78e412b973", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" + }, { "dest-uuid": "090242d7-73fc-4738-af68-20162f7a5aae", "tags": [ @@ -228,6 +242,13 @@ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" + }, + { + "dest-uuid": "103ebfd8-4280-4027-b61a-69bd9967ad6c", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" } ], "value": "Deep Panda" @@ -418,6 +439,13 @@ ], "type": "similar" }, + { + "dest-uuid": "b96e02f1-4037-463f-b158-5a964352f8d9", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" + }, { "dest-uuid": "f9d6633a-55e6-4adc-9263-6ae080421a13", "tags": [ 
@@ -495,6 +523,13 @@ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" + }, + { + "dest-uuid": "f3bdec95-3d62-42d9-a840-29630f6cdc1a", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" } ], "value": "Moafee" @@ -555,6 +590,13 @@ "uuid": "f3bdec95-3d62-42d9-a840-29630f6cdc1a" }, "related": [ + { + "dest-uuid": "2e5d3a83-fe00-41a5-9b60-237efc84832f", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" + }, { "dest-uuid": "a9b44750-992c-4743-8922-129880d277ea", "tags": [ @@ -663,6 +705,13 @@ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" + }, + { + "dest-uuid": "f047ee18-7985-4946-8bfb-4ed754d3a0dd", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" } ], "value": "Naikon" @@ -728,6 +777,13 @@ "uuid": "f047ee18-7985-4946-8bfb-4ed754d3a0dd" }, "related": [ + { + "dest-uuid": "2a158b0a-7ef8-43cb-9985-bf34d1e12050", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" + }, { "dest-uuid": "2f1fd017-9df6-4759-91fb-e7039609b5ff", "tags": [ @@ -849,6 +905,13 @@ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" + }, + { + "dest-uuid": "55033a4d-3ffe-46b2-99b4-2c1541e9ce1c", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" } ], "value": "FIN7" 
@@ -1017,6 +1080,27 @@ ], "type": "similar" }, + { + "dest-uuid": "8f5e8dc7-739d-4f5e-a8a1-a66e004d7063", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" + }, + { + "dest-uuid": "11e17436-6ede-4733-8547-4ce0254ea19e", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" + }, + { + "dest-uuid": "86724806-7ec9-4a48-a0a7-ecbde3bf4810", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" + }, { "dest-uuid": "42be2a84-5a5c-4c6d-9864-3f09d75bb0ba", "tags": [ @@ -1024,12 +1108,54 @@ ], "type": "similar" }, + { + "dest-uuid": "d56c99fa-4710-472c-81a6-41b7a84ea4be", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" + }, { "dest-uuid": "a0082cfa-32e2-42b8-92d8-5c7a7409dcf1", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" + }, + { + "dest-uuid": "f9d6633a-55e6-4adc-9263-6ae080421a13", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" + }, + { + "dest-uuid": "ba724df5-9aa0-45ca-8e0e-7101c208ae48", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" + }, + { + "dest-uuid": "f98bac6b-12fd-4cad-be84-c84666932232", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" + }, + { + "dest-uuid": "f873db71-3d53-41d5-b141-530675ade27a", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" + }, + { + "dest-uuid": "47204403-34c9-4d25-a006-296a0939d1a2", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" } ], "value": "OilRig" 
@@ -1295,6 +1421,13 @@ "uuid": "a0cb9370-e39b-44d5-9f50-ef78e412b973" }, "related": [ + { + "dest-uuid": "99e30d89-9361-4b73-a999-9e5ff9320bcb", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" + }, { "dest-uuid": "24110866-cb22-4c85-a7d2-0413e126694b", "tags": [ @@ -1302,6 +1435,13 @@ ], "type": "similar" }, + { + "dest-uuid": "c5947e1c-1cbc-434c-94b8-27c7e3be0fff", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" + }, { "dest-uuid": "090242d7-73fc-4738-af68-20162f7a5aae", "tags": [ @@ -1326,6 +1466,13 @@ "uuid": "55033a4d-3ffe-46b2-99b4-2c1541e9ce1c" }, "related": [ + { + "dest-uuid": "3753cc21-2dae-4dfb-8481-d004e74502cc", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" + }, { "dest-uuid": "00220228-a5a4-4032-a30d-826bb55aa3fb", "tags": [ @@ -1431,5 +1578,5 @@ "value": "Gamaredon Group" } ], - "version": 7 + "version": 8 } diff --git a/clusters/mitre-malware.json b/clusters/mitre-malware.json index 65d5f46..3a5e96e 100644 --- a/clusters/mitre-malware.json +++ b/clusters/mitre-malware.json @@ -263,13 +263,6 @@ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" - }, - { - "dest-uuid": "c04fc02e-f35a-44b6-a9b0-732bf2fc551a", - "tags": [ - "estimative-language:likelihood-probability=\"likely\"" - ], - "type": "similar" } ], "value": "Backdoor.Oldrea" 
@@ -458,6 +451,27 @@ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" + }, + { + "dest-uuid": "43cd8a09-9c80-48c8-9568-1992433af60a", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" + }, + { + "dest-uuid": "1de47f51-1f20-403b-a2e1-5eaabe275faa", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" + }, + { + "dest-uuid": "3948ce95-468e-4ce1-82b1-57439c6d6afd", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" } ], "value": "Komplex" @@ -1025,6 +1039,13 @@ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" + }, + { + "dest-uuid": "e336aeba-b61a-44e0-a0df-cd52a5839db5", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" } ], "value": "PoisonIvy" @@ -1887,48 +1908,6 @@ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" - }, - { - "dest-uuid": "df36267b-7267-4c23-a7a1-cf94ef1b3729", - "tags": [ - "estimative-language:likelihood-probability=\"likely\"" - ], - "type": "similar" - }, - { - "dest-uuid": "8ae43c46-57ef-47d5-a77a-eebb35628db2", - "tags": [ - "estimative-language:likelihood-probability=\"likely\"" - ], - "type": "similar" - }, - { - "dest-uuid": "bef4c620-0787-42a8-a96d-b7eb6e85917c", - "tags": [ - "estimative-language:likelihood-probability=\"likely\"" - ], - "type": "similar" - }, - { - "dest-uuid": "43cd8a09-9c80-48c8-9568-1992433af60a", - "tags": [ - "estimative-language:likelihood-probability=\"likely\"" - ], - "type": "similar" - }, - { - "dest-uuid": "d26b5518-8d7f-41a6-b539-231e4962853e", - "tags": [ - "estimative-language:likelihood-probability=\"likely\"" - ], - "type": "similar" - }, - { - "dest-uuid": "6bd20349-1231-4aaa-ba2a-f4b09d3b344c", - "tags": [ - "estimative-language:likelihood-probability=\"likely\"" - ], - "type": "similar" } ], "value": "CORESHELL" 
@@ -2172,6 +2151,13 @@ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" + }, + { + "dest-uuid": "da079741-05e6-458c-b434-011263dc691c", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" } ], "value": "ComRAT" @@ -2781,13 +2767,6 @@ "uuid": "8ae43c46-57ef-47d5-a77a-eebb35628db2" }, "related": [ - { - "dest-uuid": "bef4c620-0787-42a8-a96d-b7eb6e85917c", - "tags": [ - "estimative-language:likelihood-probability=\"likely\"" - ], - "type": "similar" - }, { "dest-uuid": "43cd8a09-9c80-48c8-9568-1992433af60a", "tags": [ @@ -2809,20 +2788,6 @@ ], "type": "similar" }, - { - "dest-uuid": "60c18d06-7b91-4742-bae3-647845cd9d81", - "tags": [ - "estimative-language:likelihood-probability=\"likely\"" - ], - "type": "similar" - }, - { - "dest-uuid": "df36267b-7267-4c23-a7a1-cf94ef1b3729", - "tags": [ - "estimative-language:likelihood-probability=\"likely\"" - ], - "type": "similar" - }, { "dest-uuid": "d26b5518-8d7f-41a6-b539-231e4962853e", "tags": [ @@ -2852,5 +2817,5 @@ "value": "ELMER" } ], - "version": 6 + "version": 7 } diff --git a/clusters/mitre-mobile-attack-intrusion-set.json b/clusters/mitre-mobile-attack-intrusion-set.json index 5ab4d71..2d563f4 100644 --- a/clusters/mitre-mobile-attack-intrusion-set.json +++ b/clusters/mitre-mobile-attack-intrusion-set.json 
@@ -32,56 +32,14 @@ }, "related": [ { - "dest-uuid": "8ae43c46-57ef-47d5-a77a-eebb35628db2", + "dest-uuid": "5b4ee3ea-eee3-4c8e-8323-85ae32658754", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { - "dest-uuid": "43cd8a09-9c80-48c8-9568-1992433af60a", - "tags": [ - "estimative-language:likelihood-probability=\"likely\"" - ], - "type": "similar" - }, - { - "dest-uuid": "1de47f51-1f20-403b-a2e1-5eaabe275faa", - "tags": [ - "estimative-language:likelihood-probability=\"likely\"" - ], - "type": "similar" - }, - { - "dest-uuid": "3948ce95-468e-4ce1-82b1-57439c6d6afd", - "tags": [ - "estimative-language:likelihood-probability=\"likely\"" - ], - "type": "similar" - }, - { - "dest-uuid": "60c18d06-7b91-4742-bae3-647845cd9d81", - "tags": [ - "estimative-language:likelihood-probability=\"likely\"" - ], - "type": "similar" - }, - { - "dest-uuid": "df36267b-7267-4c23-a7a1-cf94ef1b3729", - "tags": [ - "estimative-language:likelihood-probability=\"likely\"" - ], - "type": "similar" - }, - { - "dest-uuid": "d26b5518-8d7f-41a6-b539-231e4962853e", - "tags": [ - "estimative-language:likelihood-probability=\"likely\"" - ], - "type": "similar" - }, - { - "dest-uuid": "6bd20349-1231-4aaa-ba2a-f4b09d3b344c", + "dest-uuid": "213cdde9-c11a-4ea9-8ce0-c868e9826fec", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], @@ -92,5 +50,5 @@ "value": "APT28 - G0007" } ], - "version": 5 + "version": 6 } diff --git a/clusters/mitre-pre-attack-intrusion-set.json b/clusters/mitre-pre-attack-intrusion-set.json index e75f561..da45a89 100644 --- a/clusters/mitre-pre-attack-intrusion-set.json +++ b/clusters/mitre-pre-attack-intrusion-set.json @@ -131,6 +131,13 @@ ], "type": "similar" }, + { + "dest-uuid": "b96e02f1-4037-463f-b158-5a964352f8d9", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" + }, { "dest-uuid": "f9d6633a-55e6-4adc-9263-6ae080421a13", "tags": [ 
@@ -326,5 +333,5 @@ "value": "APT17 - G0025" } ], - "version": 5 + "version": 6 } diff --git a/clusters/ransomware.json b/clusters/ransomware.json index 361537d..d93512c 100644 --- a/clusters/ransomware.json +++ b/clusters/ransomware.json @@ -3290,15 +3290,6 @@ "https://www.bleepingcomputer.com/news/security/new-bip-dharma-ransomware-variant-released/" ] }, - "related": [ - { - "dest-uuid": "15a30d84-4f5f-4b75-a162-e36107d30215", - "tags": [ - "estimative-language:likelihood-probability=\"likely\"" - ], - "type": "similar" - } - ], "uuid": "2b365b2c-4a9a-4b66-804d-3b2d2814fe7b", "value": "Dharma Ransomware" }, @@ -5543,15 +5534,6 @@ "crjoker.html" ] }, - "related": [ - { - "dest-uuid": "10f92054-b028-11e8-a51f-2f82236ac72d", - "tags": [ - "estimative-language:likelihood-probability=\"likely\"" - ], - "type": "similar" - } - ], "uuid": "2fb307a2-8752-4521-8973-75b68703030d", "value": "CryptoJoker" }, @@ -9483,15 +9465,6 @@ "CrySiS" ] }, - "related": [ - { - "dest-uuid": "2b365b2c-4a9a-4b66-804d-3b2d2814fe7b", - "tags": [ - "estimative-language:likelihood-probability=\"likely\"" - ], - "type": "similar" - } - ], "uuid": "15a30d84-4f5f-4b75-a162-e36107d30215", "value": "Virus-Encoder" }, @@ -9891,6 +9864,13 @@ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" + }, + { + "dest-uuid": "00c31914-bc0e-11e8-8241-3ff3b5e4671d", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" } ], "uuid": "e8af6388-6575-4812-94a8-9df1567294c5", @@ -10094,15 +10074,6 @@ "https://www.bleepingcomputer.com/news/security/gandcrab-v5-ransomware-utilizing-the-alpc-task-scheduler-exploit/" ] }, - "related": [ - { - "dest-uuid": "1f05f646-5af6-4a95-825b-164f49616aa4", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "dropped-by" - } - ], "uuid": "5920464b-e093-4fa0-a275-438dffef228f", "value": "GandCrab" }, 
@@ -10947,15 +10918,6 @@ "https://twitter.com/malwrhunterteam/status/1034492151541977088" ] }, - "related": [ - { - "dest-uuid": "2fb307a2-8752-4521-8973-75b68703030d", - "tags": [ - "estimative-language:likelihood-probability=\"likely\"" - ], - "type": "similar" - } - ], "uuid": "10f92054-b028-11e8-a51f-2f82236ac72d", "value": "CryptoNar" }, @@ -11119,5 +11081,5 @@ "value": "SAVEfiles" } ], - "version": 38 + "version": 39 } diff --git a/clusters/rat.json b/clusters/rat.json index 8645936..469c940 100644 --- a/clusters/rat.json +++ b/clusters/rat.json @@ -105,6 +105,13 @@ ], "type": "similar" }, + { + "dest-uuid": "e336aeba-b61a-44e0-a0df-cd52a5839db5", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" + }, { "dest-uuid": "7789fc1b-3cbc-4a1c-8ef0-8b06760f93e7", "tags": [ @@ -1827,6 +1834,13 @@ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" + }, + { + "dest-uuid": "da079741-05e6-458c-b434-011263dc691c", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" } ], "uuid": "9223bf17-7e32-4833-9574-9ffd8c929765", @@ -3034,6 +3048,13 @@ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" + }, + { + "dest-uuid": "0a52e73b-d7e9-45ae-9bda-46568f753931", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" } ], "uuid": "e0bea149-2def-484f-b658-f782a4f94815", @@ -3255,5 +3276,5 @@ "value": "NukeSped" } ], - "version": 19 + "version": 20 } diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json index b14dbfb..08db97f 100644 --- a/clusters/threat-actor.json +++ b/clusters/threat-actor.json 
@@ -127,6 +127,13 @@ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" + }, + { + "dest-uuid": "a653431d-6a5e-4600-8ad3-609b5af57064", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" } ], "uuid": "103ebfd8-4280-4027-b61a-69bd9967ad6c", @@ -476,7 +483,14 @@ "type": "similar" }, { - "dest-uuid": "9cebfaa8-a797-11e8-99e0-3ffa312b9a10", + "dest-uuid": "c5947e1c-1cbc-434c-94b8-27c7e3be0fff", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" + }, + { + "dest-uuid": "a0cb9370-e39b-44d5-9f50-ef78e412b973", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], @@ -628,13 +642,6 @@ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" - }, - { - "dest-uuid": "9cebfaa8-a797-11e8-99e0-3ffa312b9a10", - "tags": [ - "estimative-language:likelihood-probability=\"likely\"" - ], - "type": "similar" } ], "uuid": "24110866-cb22-4c85-a7d2-0413e126694b", @@ -1111,15 +1118,6 @@ "Royal APT" ] }, - "related": [ - { - "dest-uuid": "9cebfaa8-a797-11e8-99e0-3ffa312b9a10", - "tags": [ - "estimative-language:likelihood-probability=\"likely\"" - ], - "type": "similar" - } - ], "uuid": "3501fbf2-098f-47e7-be6a-6b0ff5742ce8", "value": "Mirage" }, @@ -1542,6 +1540,13 @@ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" + }, + { + "dest-uuid": "b96e02f1-4037-463f-b158-5a964352f8d9", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" } ], "uuid": "ba724df5-9aa0-45ca-8e0e-7101c208ae48", @@ -1613,6 +1618,13 @@ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" + }, + { + "dest-uuid": "b96e02f1-4037-463f-b158-5a964352f8d9", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" } ], "uuid": "11e17436-6ede-4733-8547-4ce0254ea19e", 
@@ -1718,6 +1730,13 @@ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" + }, + { + "dest-uuid": "b96e02f1-4037-463f-b158-5a964352f8d9", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" } ], "uuid": "f98bac6b-12fd-4cad-be84-c84666932232", @@ -1815,7 +1834,7 @@ { "dest-uuid": "ba724df5-9aa0-45ca-8e0e-7101c208ae48", "tags": [ - "estimative-language:likelihood-probability=\"very-likely\"" + "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, @@ -1867,6 +1886,13 @@ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" + }, + { + "dest-uuid": "b96e02f1-4037-463f-b158-5a964352f8d9", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" } ], "uuid": "f873db71-3d53-41d5-b141-530675ade27a", @@ -1955,6 +1981,13 @@ ], "type": "similar" }, + { + "dest-uuid": "b96e02f1-4037-463f-b158-5a964352f8d9", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" + }, { "dest-uuid": "f9d6633a-55e6-4adc-9263-6ae080421a13", "tags": [ @@ -3634,6 +3667,13 @@ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" + }, + { + "dest-uuid": "b96e02f1-4037-463f-b158-5a964352f8d9", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" } ], "uuid": "47204403-34c9-4d25-a006-296a0939d1a2", @@ -4580,6 +4620,13 @@ ], "type": "similar" }, + { + "dest-uuid": "b96e02f1-4037-463f-b158-5a964352f8d9", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" + }, { "dest-uuid": "f9d6633a-55e6-4adc-9263-6ae080421a13", "tags": [ 
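Review bot: In clusters/threat-actor.json, the `-1815,7 +1834,7` hunk lowers the estimate on the relation to `ba724df5-9aa0-45ca-8e0e-7101c208ae48` from `very-likely` to `likely`. It is the only confidence change among the threat-actor.json hunks shown here, which otherwise only add or remove relations. That pattern suggests the value was overwritten by a bulk regeneration of `related` entries rather than re-assessed by an analyst, though the page does not show how the change was produced. Consumers that weigh or filter relations on the estimative-language tag would then treat this link as weaker without any recorded reason. Unless the downgrade is intended, keep `"estimative-language:likelihood-probability=\"very-likely\""` here, and make sure any generating step preserves tags already present on an existing relation. The `related` list containing this entry starts and ends outside the hunk, so the owning cluster is not visible.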
@@ -5603,29 +5650,6 @@ "https://www.cfr.org/interactive/cyber-operations/winnti-umbrella" ] }, - "related": [ - { - "dest-uuid": "24110866-cb22-4c85-a7d2-0413e126694b", - "tags": [ - "estimative-language:likelihood-probability=\"likely\"" - ], - "type": "similar" - }, - { - "dest-uuid": "99e30d89-9361-4b73-a999-9e5ff9320bcb", - "tags": [ - "estimative-language:likelihood-probability=\"likely\"" - ], - "type": "similar" - }, - { - "dest-uuid": "3501fbf2-098f-47e7-be6a-6b0ff5742ce8", - "tags": [ - "estimative-language:likelihood-probability=\"likely\"" - ], - "type": "similar" - } - ], "uuid": "9cebfaa8-a797-11e8-99e0-3ffa312b9a10", "value": "Winnti Umbrella" }, @@ -5645,15 +5669,6 @@ "https://www.cfr.org/interactive/cyber-operations/henbox" ] }, - "related": [ - { - "dest-uuid": "72c37e24-4ead-11e8-8f08-db3ec8f8db86§", - "tags": [ - "estimative-language:likelihood-probability=\"likely\"" - ], - "type": "similar" - } - ], "uuid": "36ee04f4-a9df-11e8-b92b-d7ddfd3a8896", "value": "HenBox" }, @@ -5812,15 +5827,6 @@ "the Rocra" ] }, - "related": [ - { - "dest-uuid": "1572f618-bcb3-11e8-841b-1fd7f9cfe126", - "tags": [ - "estimative-language:likelihood-probability=\"likely\"" - ], - "type": "same-as" - } - ], "uuid": "358b8982-bcaa-11e8-8a5b-4b618197c5b0", "value": "Red October" }, @@ -5844,15 +5850,6 @@ "https://www.cfr.org/interactive/cyber-operations/cloud-atlas" ] }, - "related": [ - { - "dest-uuid": "358b8982-bcaa-11e8-8a5b-4b618197c5b0", - "tags": [ - "estimative-language:likelihood-probability=\"likely\"" - ], - "type": "same-as" - } - ], "uuid": "1572f618-bcb3-11e8-841b-1fd7f9cfe126", "value": "Cloud Atlas" }, 
@@ -5916,18 +5913,9 @@ }, { "description": "Treasury has identified a sophisticated cyber-enabled ATM cash out campaign we are calling FASTCash. FASTCash has been active since late 2016 targeting banks in Africa and Asia to remotely compromise payment switch application servers within banks to facilitate fraudulent transactions, primarily involving ATMs, to steal cash equivalent to tens of millions of dollars. FBI has attributed malware used in this campaign to the North Korean government. We expect FASTCash to continue targeting retail payment systems vulnerable to remote exploitation.", - "related": [ - { - "dest-uuid": "e306fe62-c708-11e8-89f2-073e396e5403", - "tags": [ - "estimative-language:likelihood-probability=\"likely\"" - ], - "type": "similar" - } - ], "uuid": "e38d32a2-c708-11e8-8785-472c4cfccd85", "value": "FASTCash" } ], - "version": 70 + "version": 71 } diff --git a/clusters/tool.json b/clusters/tool.json index e3b5b0e..e094d14 100644 --- a/clusters/tool.json +++ b/clusters/tool.json @@ -160,6 +160,13 @@ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" + }, + { + "dest-uuid": "e336aeba-b61a-44e0-a0df-cd52a5839db5", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" } ], "uuid": "2abe89de-46dd-4dae-ae22-b49a593aff54", @@ -833,6 +840,20 @@ ] }, "related": [ + { + "dest-uuid": "9223bf17-7e32-4833-9574-9ffd8c929765", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" + }, + { + "dest-uuid": "da5880b4-f7da-4869-85f2-e0aba84b8565", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" + }, { "dest-uuid": "d9cc15f7-0880-4ae4-8df4-87c58338d6b8", "tags": [ @@ -1167,7 +1188,7 @@ "type": "similar" }, { - "dest-uuid": "bef4c620-0787-42a8-a96d-b7eb6e85917c", + "dest-uuid": "df36267b-7267-4c23-a7a1-cf94ef1b3729", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], 
@@ -1188,14 +1209,14 @@ "type": "similar" }, { - "dest-uuid": "60c18d06-7b91-4742-bae3-647845cd9d81", + "dest-uuid": "75c79f95-4c84-4650-9158-510f0ce4831d", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { - "dest-uuid": "df36267b-7267-4c23-a7a1-cf94ef1b3729", + "dest-uuid": "f108215f-3487-489d-be8b-80e346d32518", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], @@ -1259,14 +1280,21 @@ "type": "similar" }, { - "dest-uuid": "bef4c620-0787-42a8-a96d-b7eb6e85917c", + "dest-uuid": "43cd8a09-9c80-48c8-9568-1992433af60a", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { - "dest-uuid": "43cd8a09-9c80-48c8-9568-1992433af60a", + "dest-uuid": "75c79f95-4c84-4650-9158-510f0ce4831d", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" + }, + { + "dest-uuid": "f108215f-3487-489d-be8b-80e346d32518", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], @@ -1358,14 +1386,21 @@ "type": "similar" }, { - "dest-uuid": "bef4c620-0787-42a8-a96d-b7eb6e85917c", + "dest-uuid": "43cd8a09-9c80-48c8-9568-1992433af60a", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" }, { - "dest-uuid": "43cd8a09-9c80-48c8-9568-1992433af60a", + "dest-uuid": "75c79f95-4c84-4650-9158-510f0ce4831d", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" + }, + { + "dest-uuid": "f108215f-3487-489d-be8b-80e346d32518", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], @@ -2231,6 +2266,13 @@ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" + }, + { + "dest-uuid": "652b5242-b790-4695-ad0e-b79bbf78f351", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" } ], "uuid": "ff0404a1-465f-4dd5-8b66-ee773628ca64", 
@@ -2659,6 +2701,13 @@ ], "type": "similar" }, + { + "dest-uuid": "b4216929-1626-4444-bdd7-bfd4b68a766e", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" + }, { "dest-uuid": "7ca93488-c357-44c3-b246-3f88391aca5a", "tags": [ @@ -2667,7 +2716,7 @@ "type": "similar" }, { - "dest-uuid": "b4216929-1626-4444-bdd7-bfd4b68a766e", + "dest-uuid": "16794655-c0e2-4510-9169-f862df104045", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], @@ -2692,6 +2741,13 @@ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" + }, + { + "dest-uuid": "ff0404a1-465f-4dd5-8b66-ee773628ca64", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" } ], "uuid": "652b5242-b790-4695-ad0e-b79bbf78f351", @@ -2890,6 +2946,13 @@ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" + }, + { + "dest-uuid": "2a16a1d4-a098-4f17-80f3-3cfc6c60b539", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" } ], "uuid": "74167065-90b3-4c29-807a-79b6f098e45b", @@ -2906,12 +2969,26 @@ ] }, "related": [ + { + "dest-uuid": "28c13455-7f95-40a5-9568-1e8732503507", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" + }, { "dest-uuid": "a673b4fb-a864-4a5b-94ab-3fc4f5606cc8", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" + }, + { + "dest-uuid": "74167065-90b3-4c29-807a-79b6f098e45b", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" } ], "uuid": "2a16a1d4-a098-4f17-80f3-3cfc6c60b539", 
@@ -2940,20 +3017,6 @@ ], "type": "similar" }, - { - "dest-uuid": "f24ad5ca-04c5-4cd0-bd72-209ebce4fdbc", - "tags": [ - "estimative-language:likelihood-probability=\"likely\"" - ], - "type": "variant-of" - }, - { - "dest-uuid": "025ab0ce-bffc-11e8-be19-d70ec22c5d56", - "tags": [ - "estimative-language:likelihood-probability=\"likely\"" - ], - "type": "variant-of" - }, { "dest-uuid": "17e12216-a303-4a00-8283-d3fe92d0934c", "tags": [ @@ -3107,13 +3170,6 @@ ] }, "related": [ - { - "dest-uuid": "e6085ce0-af6d-41f7-8bcb-7f2eed246941", - "tags": [ - "estimative-language:likelihood-probability=\"likely\"" - ], - "type": "similar" - }, { "dest-uuid": "6e668c0c-7085-4951-87d4-0334b6a5cdb3", "tags": [ @@ -3132,15 +3188,6 @@ "https://securityintelligence.com/tag/shiz-trojan-malware/" ] }, - "related": [ - { - "dest-uuid": "67d712c8-d254-4820-83fa-9a892b87923b", - "tags": [ - "estimative-language:likelihood-probability=\"likely\"" - ], - "type": "similar" - } - ], "uuid": "e6085ce0-af6d-41f7-8bcb-7f2eed246941", "value": "Shiz" }, @@ -3530,12 +3577,33 @@ ] }, "related": [ + { + "dest-uuid": "4e104fef-8a2c-4679-b497-6e86d7d47db0", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" + }, + { + "dest-uuid": "b42378e0-f147-496f-992a-26a49705395b", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" + }, { "dest-uuid": "7789fc1b-3cbc-4a1c-8ef0-8b06760f93e7", "tags": [ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" + }, + { + "dest-uuid": "2abe89de-46dd-4dae-ae22-b49a593aff54", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" } ], "uuid": "e336aeba-b61a-44e0-a0df-cd52a5839db5", 
@@ -5163,6 +5231,20 @@ ], "type": "similar" }, + { + "dest-uuid": "e0bea149-2def-484f-b658-f782a4f94815", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" + }, + { + "dest-uuid": "fece06b7-d4b1-42cf-b81a-5323c917546e", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" + }, { "dest-uuid": "bbfd4fb4-3e5a-43bf-b4bb-eaf5ef4fb25f", "tags": [ @@ -5693,6 +5775,13 @@ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" + }, + { + "dest-uuid": "d1482c9e-6af3-11e8-aa8e-279274bd10c7", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" } ], "uuid": "a71ed71f-b8f4-416d-9c57-910a42e59430", @@ -6434,6 +6523,13 @@ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" + }, + { + "dest-uuid": "a71ed71f-b8f4-416d-9c57-910a42e59430", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" } ], "uuid": "d1482c9e-6af3-11e8-aa8e-279274bd10c7", @@ -6910,6 +7006,13 @@ ] }, "related": [ + { + "dest-uuid": "e8af6388-6575-4812-94a8-9df1567294c5", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" + }, { "dest-uuid": "6f736038-4f74-435b-8904-6870ee0e23ba", "tags": [ 
@@ -6963,15 +7066,6 @@ }, { "description": "Treasury has identified a sophisticated cyber-enabled ATM cash out campaign we are calling FASTCash. FASTCash has been active since late 2016 targeting banks in Africa and Asia to remotely compromise payment switch application servers within banks to facilitate fraudulent transactions, primarily involving ATMs, to steal cash equivalent to tens of millions of dollars. FBI has attributed malware used in this campaign to the North Korean government. We expect FASTCash to continue targeting retail payment systems vulnerable to remote exploitation.", - "related": [ - { - "dest-uuid": "e38d32a2-c708-11e8-8785-472c4cfccd85", - "tags": [ - "estimative-language:likelihood-probability=\"likely\"" - ], - "type": "similar" - } - ], "uuid": "e306fe62-c708-11e8-89f2-073e396e5403", "value": "FASTCash" }, @@ -6995,5 +7089,5 @@ "value": "CoalaBot" } ], - "version": 94 + "version": 95 } diff --git a/tools/gen_mapping.py b/tools/gen_mapping.py index 6a50eb7..ce2beac 100755 --- a/tools/gen_mapping.py +++ b/tools/gen_mapping.py @@ -36,7 +36,7 @@ type_mapping = { 'mitre-mobile-attack-tool': 'tool', 'backdoor': 'tool', # 'mitre-pre-attack-attack-pattern': '', - 'mitre-mobile-attack-intrusion-set': 'tool', + 'mitre-mobile-attack-intrusion-set': 'actor', 'mitre-tool': 'tool', # 'mitre-mobile-attack-attack-pattern': '', 'mitre-mobile-attack-malware': 'tool', From 84af053761e4cc5ee73080b36fb6da0f59af2331 Mon Sep 17 00:00:00 2001 From: Christophe Vandeplas Date: Wed, 17 Oct 2018 19:07:01 +0200 Subject: [PATCH 06/17] fix: add missing relations from commit 29beb01dc3ed0067db6ccc33f41456147d38d2d7 --- clusters/botnet.json | 58 ++++++++++++++++++++++++++++++++++++++++++++ clusters/tool.json | 14 +++++++++++ 2 files changed, 72 insertions(+) diff --git a/clusters/botnet.json b/clusters/botnet.json index 47a56be..e7d9206 100644 --- a/clusters/botnet.json +++ b/clusters/botnet.json 
@@ -713,6 +713,20 @@ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" + }, + { + "dest-uuid": "f24ad5ca-04c5-4cd0-bd72-209ebce4fdbc", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "variant-of" + }, + { + "dest-uuid": "025ab0ce-bffc-11e8-be19-d70ec22c5d56", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "variant-of" } ], "uuid": "fcdfd4af-da35-49a8-9610-19be8a487185", @@ -855,6 +869,27 @@ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" + }, + { + "dest-uuid": "fcdfd4af-da35-49a8-9610-19be8a487185", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "variant-of" + }, + { + "dest-uuid": "dcbf1aaa-1fdd-4bfc-a35e-145ffdfb5ac5", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "variant-of" + }, + { + "dest-uuid": "025ab0ce-bffc-11e8-be19-d70ec22c5d56", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "variant-of" } ], "uuid": "f24ad5ca-04c5-4cd0-bd72-209ebce4fdbc", @@ -1036,6 +1071,29 @@ "Mirai Sora" ] }, + "related": [ + { + "dest-uuid": "fcdfd4af-da35-49a8-9610-19be8a487185", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "variant-of" + }, + { + "dest-uuid": "dcbf1aaa-1fdd-4bfc-a35e-145ffdfb5ac5", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "variant-of" + }, + { + "dest-uuid": "f24ad5ca-04c5-4cd0-bd72-209ebce4fdbc", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "variant-of" + } + ], "uuid": "025ab0ce-bffc-11e8-be19-d70ec22c5d56", "value": "Sora" }, diff --git a/clusters/tool.json b/clusters/tool.json index 7aaf7a0..9ff6433 100644 --- a/clusters/tool.json +++ b/clusters/tool.json 
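Review bot: The `variant-of` relations added here form cycles. Entry `fcdfd4af-da35-49a8-9610-19be8a487185` becomes `variant-of` `f24ad5ca-04c5-4cd0-bd72-209ebce4fdbc` and `025ab0ce-bffc-11e8-be19-d70ec22c5d56`, while the `@@ -855,6 +869,27 @@` and `@@ -1036,6 +1071,29 @@` hunks make both of those `variant-of` `fcdfd4af-…` and of each other. `variant-of` reads as a directional lineage link, so a consumer walking it to find the parent family would loop or get an arbitrary answer. Keep `variant-of` only from the derived entry to its parent and express peer links as `"type": "similar"`; which entry is the parent cannot be told from the hunks alone.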
@@ -3023,6 +3023,20 @@ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" + }, + { + "dest-uuid": "f24ad5ca-04c5-4cd0-bd72-209ebce4fdbc", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "variant-of" + }, + { + "dest-uuid": "025ab0ce-bffc-11e8-be19-d70ec22c5d56", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "variant-of" } ], "uuid": "dcbf1aaa-1fdd-4bfc-a35e-145ffdfb5ac5", From 76b1429f10ca30c1a4992d13e64dee4e4c8d30f9 Mon Sep 17 00:00:00 2001 From: Christophe Vandeplas Date: Wed, 17 Oct 2018 19:13:35 +0200 Subject: [PATCH 07/17] fix: add missing relations from commit a81bbe288f91298fad0028e0f3c940c41c8d27fa --- clusters/ransomware.json | 18 ++++++++++++++++++ clusters/tool.json | 16 ++++++++++++++++ 2 files changed, 34 insertions(+) diff --git a/clusters/ransomware.json b/clusters/ransomware.json index d93512c..f9fe3b6 100644 --- a/clusters/ransomware.json +++ b/clusters/ransomware.json @@ -5534,6 +5534,15 @@ "crjoker.html" ] }, + "related": [ + { + "dest-uuid": "10f92054-b028-11e8-a51f-2f82236ac72d", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" + } + ], "uuid": "2fb307a2-8752-4521-8973-75b68703030d", "value": "CryptoJoker" }, @@ -10918,6 +10927,15 @@ "https://twitter.com/malwrhunterteam/status/1034492151541977088" ] }, + "related": [ + { + "dest-uuid": "2fb307a2-8752-4521-8973-75b68703030d", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" + } + ], "uuid": "10f92054-b028-11e8-a51f-2f82236ac72d", "value": "CryptoNar" }, diff --git a/clusters/tool.json b/clusters/tool.json index 9ff6433..1465e42 100644 --- a/clusters/tool.json +++ b/clusters/tool.json 
@@ -3190,6 +3190,13 @@ "estimative-language:likelihood-probability=\"likely\"" ], "type": "similar" + }, + { + "dest-uuid": "e6085ce0-af6d-41f7-8bcb-7f2eed246941", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" } ], "uuid": "67d712c8-d254-4820-83fa-9a892b87923b", @@ -3202,6 +3209,15 @@ "https://securityintelligence.com/tag/shiz-trojan-malware/" ] }, + "related": [ + { + "dest-uuid": "67d712c8-d254-4820-83fa-9a892b87923b", + "tags": [ + "estimative-language:likelihood-probability=\"likely\"" + ], + "type": "similar" + } + ], "uuid": "e6085ce0-af6d-41f7-8bcb-7f2eed246941", "value": "Shiz" }, From 2b24efb14a9aa16cf5fb40e9326f3c243add579f Mon Sep 17 00:00:00 2001 From: Christophe Vandeplas Date: Wed, 17 Oct 2018 19:15:57 +0200 Subject: [PATCH 08/17] fix: add missing relations from commit b857be9cabb02fb24aa5ef7db8e0c209a630189b --- clusters/threat-actor.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json index b811814..db1a795 100644 --- a/clusters/threat-actor.json +++ b/clusters/threat-actor.json @@ -1834,7 +1834,7 @@ { "dest-uuid": "ba724df5-9aa0-45ca-8e0e-7101c208ae48", "tags": [ - "estimative-language:likelihood-probability=\"likely\"" + "estimative-language:likelihood-probability=\"very-likely\"" ], "type": "similar" }, From ccebd86eed70d4a891dc2632d0775367fcaf84b8 Mon Sep 17 00:00:00 2001 From: Christophe Vandeplas Date: Wed, 17 Oct 2018 19:18:16 +0200 Subject: [PATCH 09/17] fix: add missing relations from commit 78c1f073590c4ae1822c8508f62934ffb215fab2 --- clusters/exploit-kit.json | 9 +++++++++ clusters/ransomware.json | 9 +++++++++ 2 files changed, 18 insertions(+) diff --git a/clusters/exploit-kit.json b/clusters/exploit-kit.json index 43bb6ce..dc5cd8c 100644 --- a/clusters/exploit-kit.json +++ b/clusters/exploit-kit.json 
@@ -53,6 +53,15 @@ "Fallout" ] }, + "related": [ + { + "dest-uuid": "5920464b-e093-4fa0-a275-438dffef228f", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "dropped" + } + ], "uuid": "1f05f646-5af6-4a95-825b-164f49616aa4", "value": "Fallout" }, diff --git a/clusters/ransomware.json b/clusters/ransomware.json index f9fe3b6..e30837d 100644 --- a/clusters/ransomware.json +++ b/clusters/ransomware.json @@ -10083,6 +10083,15 @@ "https://www.bleepingcomputer.com/news/security/gandcrab-v5-ransomware-utilizing-the-alpc-task-scheduler-exploit/" ] }, + "related": [ + { + "dest-uuid": "1f05f646-5af6-4a95-825b-164f49616aa4", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "dropped-by" + } + ], "uuid": "5920464b-e093-4fa0-a275-438dffef228f", "value": "GandCrab" }, From 66ded6d935cf7aeafc4134498cf5b88ed1a5afa8 Mon Sep 17 00:00:00 2001 From: Andras Iklody Date: Wed, 17 Oct 2018 20:59:08 +0200 Subject: [PATCH 10/17] Some minor fixes --- clusters/malpedia.json | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/clusters/malpedia.json b/clusters/malpedia.json index 95aadce..96995cd 100644 --- a/clusters/malpedia.json +++ b/clusters/malpedia.json @@ -10,6 +10,7 @@ "source": "Malpedia", "type": "malpedia", "uuid": "5fc98d08-90a4-498a-ad2e-0edf50ef374e", + "version": 2, "values": [ { "description": "", @@ -106,7 +107,8 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.catelites", - "https://blog.avast.com/new-version-of-mobile-malware-catelites-possibly-linked-to-cron-cyber-gang", + "https://blog.avast.com/new- + -of-mobile-malware-catelites-possibly-linked-to-cron-cyber-gang", "https://www.youtube.com/watch?v=1LOy0ZyjEOk" ], "synonyms": [], @@ -16936,7 +16938,7 @@ } ], "uuid": "39f609e3-e6fe-4c2c-af0e-b28bc81b2ecf", - "value": "" + "value": "Spy-Net" }, { "description": "", 
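Review bot: The `refs` entry changed in the `@@ -106,7 +107,8 @@` hunk of `clusters/malpedia.json` is now a string literal split across two lines (`"https://blog.avast.com/new-` then `-of-mobile-malware-…`) with the word `version` missing. A raw line break inside a JSON string is not valid, so the file will fail to parse and the reference is lost. Restore the original line, `"https://blog.avast.com/new-version-of-mobile-malware-catelites-possibly-linked-to-cron-cyber-gang",`. The `"version": 2,` added in the first hunk may come from the same edit: the other cluster files in this series keep `version` as the last top-level key, so check that it does not duplicate a key at the end of this file, which is outside the hunk.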
@@ -18154,7 +18156,7 @@ } ], "uuid": "4db80a62-d318-48e7-b70b-759924ff515e", - "value": "" + "value": "unidentified_005" }, { "description": "", From 83c6e6bef1e6df60567d09a07fe257eb37332392 Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Thu, 18 Oct 2018 11:17:19 +0200 Subject: [PATCH 11/17] fix: [malpedia] broken reference has been fixed --- clusters/malpedia.json | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/clusters/malpedia.json b/clusters/malpedia.json index 000dd6b..68b7684 100644 --- a/clusters/malpedia.json +++ b/clusters/malpedia.json @@ -107,8 +107,7 @@ "meta": { "refs": [ "https://malpedia.caad.fkie.fraunhofer.de/details/apk.catelites", - "https://blog.avast.com/new- - -of-mobile-malware-catelites-possibly-linked-to-cron-cyber-gang", + "https://blog.avast.com/new-of-mobile-malware-catelites-possibly-linked-to-cron-cyber-gang", "https://www.youtube.com/watch?v=1LOy0ZyjEOk" ], "synonyms": [], From 0ecf34f06e4c9562b85f7a42384da35b7c6032e4 Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Thu, 18 Oct 2018 11:23:48 +0200 Subject: [PATCH 12/17] fix: [malpedia] version --- clusters/malpedia.json | 1 - 1 file changed, 1 deletion(-) diff --git a/clusters/malpedia.json b/clusters/malpedia.json index 68b7684..7f4d3cd 100644 --- a/clusters/malpedia.json +++ b/clusters/malpedia.json @@ -10,7 +10,6 @@ "source": "Malpedia", "type": "malpedia", "uuid": "5fc98d08-90a4-498a-ad2e-0edf50ef374e", - "version": 2, "values": [ { "description": "", From ddccac58c82a4f4e57958a146ee50beec45555df Mon Sep 17 00:00:00 2001 
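Review bot: The joined URL in the `@@ -107,8 +107,7 @@` hunk still lacks the word `version`, so `https://blog.avast.com/new-of-mobile-malware-catelites-…` most likely does not resolve and the source for this entry stays broken. The value this series started from was `new-version-of-mobile-malware-catelites-…`; change the added line to `"https://blog.avast.com/new-version-of-mobile-malware-catelites-possibly-linked-to-cron-cyber-gang",`. The JSON is valid again after this change, so a parse check would not catch the wrong reference.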
From: Christophe Vandeplas Date: Fri, 19 Oct 2018 10:18:14 +0200 Subject: [PATCH 13/17] chg: categorization of galaxies This allows relationships to be created. --- clusters/android.json | 1 + clusters/backdoor.json | 1 + clusters/banker.json | 1 + clusters/botnet.json | 1 + clusters/exploit-kit.json | 1 + clusters/malpedia.json | 1 + clusters/microsoft-activity-group.json | 1 + clusters/mitre-enterprise-attack-intrusion-set.json | 1 + clusters/mitre-enterprise-attack-malware.json | 1 + clusters/mitre-enterprise-attack-tool.json | 1 + clusters/mitre-intrusion-set.json | 1 + clusters/mitre-malware.json | 1 + clusters/mitre-mobile-attack-intrusion-set.json | 1 + clusters/mitre-mobile-attack-malware.json | 1 + clusters/mitre-mobile-attack-tool.json | 1 + clusters/mitre-pre-attack-intrusion-set.json | 1 + clusters/mitre-tool.json | 1 + clusters/ransomware.json | 1 + clusters/rat.json | 1 + clusters/stealer.json | 1 + clusters/tds.json | 1 + clusters/threat-actor.json | 1 + clusters/tool.json | 1 + schema_clusters.json | 3 +++ 24 files changed, 26 insertions(+) diff --git a/clusters/android.json b/clusters/android.json index c84eeae..cf3d24c 100644 --- a/clusters/android.json +++ b/clusters/android.json @@ -6,6 +6,7 @@ "name": "Android", "source": "Open Sources", "type": "android", + "category": "tool", "uuid": "84310ba3-fa6a-44aa-b378-b9e3271c58fa", "values": [ { diff --git a/clusters/backdoor.json b/clusters/backdoor.json index a50acdd..9ec8af7 100644 --- a/clusters/backdoor.json +++ b/clusters/backdoor.json @@ -6,6 +6,7 @@ "name": "Backdoor", "source": "Open Sources", "type": "backdoor", + "category": "tool", "uuid": "75436e27-cb57-4f32-bf1d-9636dd78a2bf", "values": [ { diff --git a/clusters/banker.json b/clusters/banker.json index 0937e4f..d179bfe 100644 --- a/clusters/banker.json +++ b/clusters/banker.json @@ -7,6 +7,7 @@ "name": "Banker", "source": "Open Sources", "type": "banker", + "category": "tool", "uuid": "59f20cce-5420-4084-afd5-0884c0a83832", "values": [ { 
diff --git a/clusters/botnet.json b/clusters/botnet.json index e7d9206..bef45cf 100644 --- a/clusters/botnet.json +++ b/clusters/botnet.json @@ -6,6 +6,7 @@ "name": "Botnet", "source": "MISP Project", "type": "botnet", + "category": "tool", "uuid": "a91732f4-164a-11e8-924a-ffd4097eb03f", "values": [ { diff --git a/clusters/exploit-kit.json b/clusters/exploit-kit.json index dc5cd8c..948e801 100644 --- a/clusters/exploit-kit.json +++ b/clusters/exploit-kit.json @@ -8,6 +8,7 @@ "name": "Exploit-Kit", "source": "MISP Project", "type": "exploit-kit", + "category": "tool", "uuid": "454f4e78-bd7c-11e6-a4a6-cec0c932ce01", "values": [ { diff --git a/clusters/malpedia.json b/clusters/malpedia.json index 721cca0..d06dd07 100644 --- a/clusters/malpedia.json +++ b/clusters/malpedia.json @@ -9,6 +9,7 @@ "name": "Malpedia", "source": "Malpedia", "type": "malpedia", + "category": "tool", "uuid": "5fc98d08-90a4-498a-ad2e-0edf50ef374e", "values": [ { diff --git a/clusters/microsoft-activity-group.json b/clusters/microsoft-activity-group.json index e8f7c7f..d4f1d1f 100644 --- a/clusters/microsoft-activity-group.json +++ b/clusters/microsoft-activity-group.json @@ -6,6 +6,7 @@ "name": "Microsoft Activity Group actor", "source": "MISP Project", "type": "microsoft-activity-group", + "category": "actor", "uuid": "28b5e55d-acba-4748-a79d-0afa3512689a", "values": [ { diff --git a/clusters/mitre-enterprise-attack-intrusion-set.json b/clusters/mitre-enterprise-attack-intrusion-set.json index b256c4b..a5b24f0 100644 --- a/clusters/mitre-enterprise-attack-intrusion-set.json +++ b/clusters/mitre-enterprise-attack-intrusion-set.json @@ -6,6 +6,7 @@ "name": "Enterprise Attack -intrusion Set", "source": "https://github.com/mitre/cti", "type": "mitre-enterprise-attack-intrusion-set", + "category": "actor", "uuid": "01f18402-1708-11e8-ac1c-1ffb3c4a7775", "values": [ { 
diff --git a/clusters/mitre-enterprise-attack-malware.json b/clusters/mitre-enterprise-attack-malware.json index 1306a7d..f79c6b0 100644 --- a/clusters/mitre-enterprise-attack-malware.json +++ b/clusters/mitre-enterprise-attack-malware.json @@ -6,6 +6,7 @@ "name": "Enterprise Attack - Malware", "source": "https://github.com/mitre/cti", "type": "mitre-enterprise-attack-malware", + "category": "tool", "uuid": "fbd79f02-1707-11e8-b1c7-87406102276a", "values": [ { diff --git a/clusters/mitre-enterprise-attack-tool.json b/clusters/mitre-enterprise-attack-tool.json index e14a2d3..3cc3e2c 100644 --- a/clusters/mitre-enterprise-attack-tool.json +++ b/clusters/mitre-enterprise-attack-tool.json @@ -6,6 +6,7 @@ "name": "Enterprise Attack - Tool", "source": "https://github.com/mitre/cti", "type": "mitre-enterprise-attack-tool", + "category": "tool", "uuid": "fc1ea6e0-1707-11e8-ac05-2b70d00c354e", "values": [ { diff --git a/clusters/mitre-intrusion-set.json b/clusters/mitre-intrusion-set.json index c71799d..a768440 100644 --- a/clusters/mitre-intrusion-set.json +++ b/clusters/mitre-intrusion-set.json @@ -6,6 +6,7 @@ "name": "intrusion Set", "source": "https://github.com/mitre/cti", "type": "mitre-intrusion-set", + "category": "actor", "uuid": "10df003c-7831-11e7-bdb9-971cdd1218df", "values": [ { diff --git a/clusters/mitre-malware.json b/clusters/mitre-malware.json index 3a5e96e..10f1bac 100644 --- a/clusters/mitre-malware.json +++ b/clusters/mitre-malware.json @@ -6,6 +6,7 @@ "name": "Malware", "source": "https://github.com/mitre/cti", "type": "mitre-malware", + "category": "tool", "uuid": "d752161c-78f6-11e7-a0ea-bfa79b407ce4", "values": [ { diff --git a/clusters/mitre-mobile-attack-intrusion-set.json b/clusters/mitre-mobile-attack-intrusion-set.json index 2d563f4..5a2dee4 100644 --- a/clusters/mitre-mobile-attack-intrusion-set.json +++ b/clusters/mitre-mobile-attack-intrusion-set.json 
@@ -6,6 +6,7 @@ "name": "Mobile Attack - intrusion Set", "source": "https://github.com/mitre/cti", "type": "mitre-mobile-attack-intrusion-set", + "category": "actor", "uuid": "02ab4018-1708-11e8-8f9d-e735aabdfa53", "values": [ { diff --git a/clusters/mitre-mobile-attack-malware.json b/clusters/mitre-mobile-attack-malware.json index 11befb3..5b3637d 100644 --- a/clusters/mitre-mobile-attack-malware.json +++ b/clusters/mitre-mobile-attack-malware.json @@ -6,6 +6,7 @@ "name": "Mobile Attack - Malware", "source": "https://github.com/mitre/cti", "type": "mitre-mobile-attack-malware", + "category": "tool", "uuid": "04a165aa-1708-11e8-b2da-c7d7625f4a4f", "values": [ { diff --git a/clusters/mitre-mobile-attack-tool.json b/clusters/mitre-mobile-attack-tool.json index 848eaa4..6ba33c6 100644 --- a/clusters/mitre-mobile-attack-tool.json +++ b/clusters/mitre-mobile-attack-tool.json @@ -6,6 +6,7 @@ "name": "Mobile Attack - Tool", "source": "https://github.com/mitre/cti", "type": "mitre-mobile-attack-tool", + "category": "tool", "uuid": "02cee87e-1708-11e8-8f15-8b33e4d6194b", "values": [ { diff --git a/clusters/mitre-pre-attack-intrusion-set.json b/clusters/mitre-pre-attack-intrusion-set.json index da45a89..897c4bf 100644 --- a/clusters/mitre-pre-attack-intrusion-set.json +++ b/clusters/mitre-pre-attack-intrusion-set.json @@ -6,6 +6,7 @@ "name": "Pre Attack - intrusion Set", "source": "https://github.com/mitre/cti", "type": "mitre-pre-attack-intrusion-set", + "category": "actor", "uuid": "1fdc8fa2-1708-11e8-99a3-67b4efc13c4f", "values": [ { diff --git a/clusters/mitre-tool.json b/clusters/mitre-tool.json index aed7bb1..4213cbf 100644 --- a/clusters/mitre-tool.json +++ b/clusters/mitre-tool.json @@ -6,6 +6,7 @@ "name": "Tool", "source": "https://github.com/mitre/cti", "type": "mitre-tool", + "category": "tool", "uuid": "d700dc5c-78f6-11e7-a476-5f748c8e4fe0", "values": [ { diff --git a/clusters/ransomware.json b/clusters/ransomware.json index e30837d..1ffab00 100644 
--- a/clusters/ransomware.json +++ b/clusters/ransomware.json @@ -7,6 +7,7 @@ "name": "Ransomware", "source": "Various", "type": "ransomware", + "category": "tool", "uuid": "10cf658b-5d32-4c4b-bb32-61760a640372", "values": [ { diff --git a/clusters/rat.json b/clusters/rat.json index fa74895..8848fe1 100644 --- a/clusters/rat.json +++ b/clusters/rat.json @@ -7,6 +7,7 @@ "name": "RAT", "source": "MISP Project", "type": "rat", + "category": "tool", "uuid": "312f8714-45cb-11e7-b898-135207cdceb9", "values": [ { diff --git a/clusters/stealer.json b/clusters/stealer.json index 7af58a1..95f7394 100644 --- a/clusters/stealer.json +++ b/clusters/stealer.json @@ -6,6 +6,7 @@ "name": "Stealer", "source": "Open Sources", "type": "stealer", + "category": "tool", "uuid": "f2ef4033-9001-4427-a418-df8c48e6d054", "values": [ { diff --git a/clusters/tds.json b/clusters/tds.json index ec09cf0..57f60b8 100644 --- a/clusters/tds.json +++ b/clusters/tds.json @@ -6,6 +6,7 @@ "name": "TDS", "source": "MISP Project", "type": "tds", + "category": "tool", "uuid": "ab5fffaa-c5f6-11e6-9d9d-cec0c932ce01", "values": [ { diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json index db1a795..56f3069 100644 --- a/clusters/threat-actor.json +++ b/clusters/threat-actor.json @@ -10,6 +10,7 @@ "name": "Threat actor", "source": "MISP Project", "type": "threat-actor", + "category": "actor", "uuid": "7cdff317-a673-4474-84ec-4f1754947823", "values": [ { diff --git a/clusters/tool.json b/clusters/tool.json index 1465e42..15f20f6 100644 --- a/clusters/tool.json +++ b/clusters/tool.json @@ -11,6 +11,7 @@ "name": "Tool", "source": "MISP Project", "type": "tool", + "category": "tool", "uuid": "0d821b68-9d82-4c6d-86a6-1071a9e0f79f", "values": [ { diff --git a/schema_clusters.json b/schema_clusters.json index 1968d6b..36f22c3 100644 --- a/schema_clusters.json +++ b/schema_clusters.json 
@@ -23,6 +23,9 @@ "source": { "type": "string" }, + "category": { + "type": "string" + }, "values": { "type": "array", "uniqueItems": true, From 9dddc4427cd7e9489a55e9b9e4fa6894b200a26e Mon Sep 17 00:00:00 2001 From: Christophe Vandeplas Date: Fri, 19 Oct 2018 10:23:09 +0200 Subject: [PATCH 14/17] jq --- clusters/android.json | 2 +- clusters/backdoor.json | 2 +- clusters/banker.json | 2 +- clusters/botnet.json | 2 +- clusters/exploit-kit.json | 2 +- clusters/malpedia.json | 2 +- clusters/microsoft-activity-group.json | 2 +- clusters/mitre-enterprise-attack-intrusion-set.json | 2 +- clusters/mitre-enterprise-attack-malware.json | 2 +- clusters/mitre-enterprise-attack-tool.json | 2 +- clusters/mitre-intrusion-set.json | 2 +- clusters/mitre-malware.json | 2 +- clusters/mitre-mobile-attack-intrusion-set.json | 2 +- clusters/mitre-mobile-attack-malware.json | 2 +- clusters/mitre-mobile-attack-tool.json | 2 +- clusters/mitre-pre-attack-intrusion-set.json | 2 +- clusters/mitre-tool.json | 2 +- clusters/ransomware.json | 2 +- clusters/rat.json | 2 +- clusters/stealer.json | 2 +- clusters/tds.json | 2 +- clusters/threat-actor.json | 2 +- clusters/tool.json | 2 +- schema_clusters.json | 2 +- 24 files changed, 24 insertions(+), 24 deletions(-) diff --git a/clusters/android.json b/clusters/android.json index cf3d24c..22d4903 100644 --- a/clusters/android.json +++ b/clusters/android.json @@ -2,11 +2,11 @@ "authors": [ "Unknown" ], + "category": "tool", "description": "Android malware galaxy based on multiple open sources.", "name": "Android", "source": "Open Sources", "type": "android", - "category": "tool", "uuid": "84310ba3-fa6a-44aa-b378-b9e3271c58fa", "values": [ { diff --git a/clusters/backdoor.json b/clusters/backdoor.json index 9ec8af7..8518a70 100644 --- a/clusters/backdoor.json +++ b/clusters/backdoor.json 
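Review bot: The schema addition in `schema_clusters.json` accepts any string for `category`, while every cluster file in this commit sets it to either `"tool"` or `"actor"`. Since the commit message says the field is what allows relationships to be created, a typo or a missing key would pass validation and leave that cluster out of the mapping without any error. If the set is meant to be closed, constrain it with `"category": { "type": "string", "enum": ["actor", "tool"] }`, and consider listing `category` under `required`; the `required` list is outside the hunk, so whether it is already there cannot be seen from here.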
@@ -2,11 +2,11 @@ "authors": [ "raw-data" ], + "category": "tool", "description": "A list of backdoor malware.", "name": "Backdoor", "source": "Open Sources", "type": "backdoor", - "category": "tool", "uuid": "75436e27-cb57-4f32-bf1d-9636dd78a2bf", "values": [ { diff --git a/clusters/banker.json b/clusters/banker.json index d179bfe..06dc418 100644 --- a/clusters/banker.json +++ b/clusters/banker.json @@ -3,11 +3,11 @@ "Unknown", "raw-data" ], + "category": "tool", "description": "A list of banker malware.", "name": "Banker", "source": "Open Sources", "type": "banker", - "category": "tool", "uuid": "59f20cce-5420-4084-afd5-0884c0a83832", "values": [ { diff --git a/clusters/botnet.json b/clusters/botnet.json index bef45cf..c3ad3ad 100644 --- a/clusters/botnet.json +++ b/clusters/botnet.json @@ -2,11 +2,11 @@ "authors": [ "Various" ], + "category": "tool", "description": "botnet galaxy", "name": "Botnet", "source": "MISP Project", "type": "botnet", - "category": "tool", "uuid": "a91732f4-164a-11e8-924a-ffd4097eb03f", "values": [ { diff --git a/clusters/exploit-kit.json b/clusters/exploit-kit.json index 948e801..3061344 100644 --- a/clusters/exploit-kit.json +++ b/clusters/exploit-kit.json @@ -4,11 +4,11 @@ "Will Metcalf", "KahuSecurity" ], + "category": "tool", "description": "Exploit-Kit is an enumeration of some exploitation kits used by adversaries. The list includes document, browser and router exploit kits.It's not meant to be totally exhaustive but aim at covering the most seen in the past 5 years", "name": "Exploit-Kit", "source": "MISP Project", "type": "exploit-kit", - "category": "tool", "uuid": "454f4e78-bd7c-11e6-a4a6-cec0c932ce01", "values": [ { diff --git a/clusters/malpedia.json b/clusters/malpedia.json index 118944b..d5fda06 100644 --- a/clusters/malpedia.json +++ b/clusters/malpedia.json 
@@ -5,11 +5,11 @@ "Andrea Garavaglia", "Davide Arcuri" ], + "category": "tool", "description": "Malware galaxy cluster based on Malpedia.", "name": "Malpedia", "source": "Malpedia", "type": "malpedia", - "category": "tool", "uuid": "5fc98d08-90a4-498a-ad2e-0edf50ef374e", "values": [ { diff --git a/clusters/microsoft-activity-group.json b/clusters/microsoft-activity-group.json index d4f1d1f..8538392 100644 --- a/clusters/microsoft-activity-group.json +++ b/clusters/microsoft-activity-group.json @@ -2,11 +2,11 @@ "authors": [ "Various" ], + "category": "actor", "description": "Activity groups as described by Microsoft", "name": "Microsoft Activity Group actor", "source": "MISP Project", "type": "microsoft-activity-group", - "category": "actor", "uuid": "28b5e55d-acba-4748-a79d-0afa3512689a", "values": [ { diff --git a/clusters/mitre-enterprise-attack-intrusion-set.json b/clusters/mitre-enterprise-attack-intrusion-set.json index a5b24f0..5c206c3 100644 --- a/clusters/mitre-enterprise-attack-intrusion-set.json +++ b/clusters/mitre-enterprise-attack-intrusion-set.json @@ -2,11 +2,11 @@ "authors": [ "MITRE" ], + "category": "actor", "description": "Name of ATT&CK Group", "name": "Enterprise Attack -intrusion Set", "source": "https://github.com/mitre/cti", "type": "mitre-enterprise-attack-intrusion-set", - "category": "actor", "uuid": "01f18402-1708-11e8-ac1c-1ffb3c4a7775", "values": [ { diff --git a/clusters/mitre-enterprise-attack-malware.json b/clusters/mitre-enterprise-attack-malware.json index f79c6b0..1158410 100644 --- a/clusters/mitre-enterprise-attack-malware.json +++ b/clusters/mitre-enterprise-attack-malware.json @@ -2,11 +2,11 @@ "authors": [ "MITRE" ], + "category": "tool", "description": "Name of ATT&CK software", "name": "Enterprise Attack - Malware", "source": "https://github.com/mitre/cti", "type": "mitre-enterprise-attack-malware", - "category": "tool", "uuid": "fbd79f02-1707-11e8-b1c7-87406102276a", "values": [ { 
diff --git a/clusters/mitre-enterprise-attack-tool.json b/clusters/mitre-enterprise-attack-tool.json index 3cc3e2c..7ae49b3 100644 --- a/clusters/mitre-enterprise-attack-tool.json +++ b/clusters/mitre-enterprise-attack-tool.json @@ -2,11 +2,11 @@ "authors": [ "MITRE" ], + "category": "tool", "description": "Name of ATT&CK software", "name": "Enterprise Attack - Tool", "source": "https://github.com/mitre/cti", "type": "mitre-enterprise-attack-tool", - "category": "tool", "uuid": "fc1ea6e0-1707-11e8-ac05-2b70d00c354e", "values": [ { diff --git a/clusters/mitre-intrusion-set.json b/clusters/mitre-intrusion-set.json index a768440..90c558a 100644 --- a/clusters/mitre-intrusion-set.json +++ b/clusters/mitre-intrusion-set.json @@ -2,11 +2,11 @@ "authors": [ "MITRE" ], + "category": "actor", "description": "Name of ATT&CK Group", "name": "intrusion Set", "source": "https://github.com/mitre/cti", "type": "mitre-intrusion-set", - "category": "actor", "uuid": "10df003c-7831-11e7-bdb9-971cdd1218df", "values": [ { diff --git a/clusters/mitre-malware.json b/clusters/mitre-malware.json index 10f1bac..71863f4 100644 --- a/clusters/mitre-malware.json +++ b/clusters/mitre-malware.json @@ -2,11 +2,11 @@ "authors": [ "MITRE" ], + "category": "tool", "description": "Name of ATT&CK software", "name": "Malware", "source": "https://github.com/mitre/cti", "type": "mitre-malware", - "category": "tool", "uuid": "d752161c-78f6-11e7-a0ea-bfa79b407ce4", "values": [ { diff --git a/clusters/mitre-mobile-attack-intrusion-set.json b/clusters/mitre-mobile-attack-intrusion-set.json index 5a2dee4..4f52b18 100644 --- a/clusters/mitre-mobile-attack-intrusion-set.json +++ b/clusters/mitre-mobile-attack-intrusion-set.json 
@@ -2,11 +2,11 @@ "authors": [ "MITRE" ], + "category": "actor", "description": "Name of ATT&CK Group", "name": "Mobile Attack - intrusion Set", "source": "https://github.com/mitre/cti", "type": "mitre-mobile-attack-intrusion-set", - "category": "actor", "uuid": "02ab4018-1708-11e8-8f9d-e735aabdfa53", "values": [ { diff --git a/clusters/mitre-mobile-attack-malware.json b/clusters/mitre-mobile-attack-malware.json index 5b3637d..d78f394 100644 --- a/clusters/mitre-mobile-attack-malware.json +++ b/clusters/mitre-mobile-attack-malware.json @@ -2,11 +2,11 @@ "authors": [ "MITRE" ], + "category": "tool", "description": "Name of ATT&CK software", "name": "Mobile Attack - Malware", "source": "https://github.com/mitre/cti", "type": "mitre-mobile-attack-malware", - "category": "tool", "uuid": "04a165aa-1708-11e8-b2da-c7d7625f4a4f", "values": [ { diff --git a/clusters/mitre-mobile-attack-tool.json b/clusters/mitre-mobile-attack-tool.json index 6ba33c6..6805907 100644 --- a/clusters/mitre-mobile-attack-tool.json +++ b/clusters/mitre-mobile-attack-tool.json @@ -2,11 +2,11 @@ "authors": [ "MITRE" ], + "category": "tool", "description": "Name of ATT&CK software", "name": "Mobile Attack - Tool", "source": "https://github.com/mitre/cti", "type": "mitre-mobile-attack-tool", - "category": "tool", "uuid": "02cee87e-1708-11e8-8f15-8b33e4d6194b", "values": [ { diff --git a/clusters/mitre-pre-attack-intrusion-set.json b/clusters/mitre-pre-attack-intrusion-set.json index 897c4bf..94ed408 100644 --- a/clusters/mitre-pre-attack-intrusion-set.json +++ b/clusters/mitre-pre-attack-intrusion-set.json @@ -2,11 +2,11 @@ "authors": [ "MITRE" ], + "category": "actor", "description": "Name of ATT&CK Group", "name": "Pre Attack - intrusion Set", "source": "https://github.com/mitre/cti", "type": "mitre-pre-attack-intrusion-set", - "category": "actor", "uuid": "1fdc8fa2-1708-11e8-99a3-67b4efc13c4f", "values": [ { 
diff --git a/clusters/mitre-tool.json b/clusters/mitre-tool.json index 4213cbf..f428d0d 100644 --- a/clusters/mitre-tool.json +++ b/clusters/mitre-tool.json @@ -2,11 +2,11 @@ "authors": [ "MITRE" ], + "category": "tool", "description": "Name of ATT&CK software", "name": "Tool", "source": "https://github.com/mitre/cti", "type": "mitre-tool", - "category": "tool", "uuid": "d700dc5c-78f6-11e7-a476-5f748c8e4fe0", "values": [ { diff --git a/clusters/ransomware.json b/clusters/ransomware.json index 1ffab00..a44901d 100644 --- a/clusters/ransomware.json +++ b/clusters/ransomware.json @@ -3,11 +3,11 @@ "https://docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g/pubhtml", "http://pastebin.com/raw/GHgpWjar" ], + "category": "tool", "description": "Ransomware galaxy based on https://docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g/pubhtml and http://pastebin.com/raw/GHgpWjar", "name": "Ransomware", "source": "Various", "type": "ransomware", - "category": "tool", "uuid": "10cf658b-5d32-4c4b-bb32-61760a640372", "values": [ { diff --git a/clusters/rat.json b/clusters/rat.json index 8848fe1..1612b6e 100644 --- a/clusters/rat.json +++ b/clusters/rat.json @@ -3,11 +3,11 @@ "Various", "raw-data" ], + "category": "tool", "description": "remote administration tool or remote access tool (RAT), also called sometimes remote access trojan, is a piece of software or programming that allows a remote \"operator\" to control a system as if they have physical access to that system.", "name": "RAT", "source": "MISP Project", "type": "rat", - "category": "tool", "uuid": "312f8714-45cb-11e7-b898-135207cdceb9", "values": [ { diff --git a/clusters/stealer.json b/clusters/stealer.json index 95f7394..c54d6c9 100644 --- a/clusters/stealer.json +++ b/clusters/stealer.json 
@@ -2,11 +2,11 @@ "authors": [ "raw-data" ], + "category": "tool", "description": "A list of malware stealer.", "name": "Stealer", "source": "Open Sources", "type": "stealer", - "category": "tool", "uuid": "f2ef4033-9001-4427-a418-df8c48e6d054", "values": [ { diff --git a/clusters/tds.json b/clusters/tds.json index 57f60b8..5865325 100644 --- a/clusters/tds.json +++ b/clusters/tds.json @@ -2,11 +2,11 @@ "authors": [ "Kafeine" ], + "category": "tool", "description": "TDS is a list of Traffic Direction System used by adversaries", "name": "TDS", "source": "MISP Project", "type": "tds", - "category": "tool", "uuid": "ab5fffaa-c5f6-11e6-9d9d-cec0c932ce01", "values": [ { diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json index 56f3069..d53e757 100644 --- a/clusters/threat-actor.json +++ b/clusters/threat-actor.json @@ -6,11 +6,11 @@ "Timo Steffens", "Various" ], + "category": "actor", "description": "Known or estimated adversary groups targeting organizations and employees. Adversary groups are regularly confused with their initial operation or campaign.", "name": "Threat actor", "source": "MISP Project", "type": "threat-actor", - "category": "actor", "uuid": "7cdff317-a673-4474-84ec-4f1754947823", "values": [ { diff --git a/clusters/tool.json b/clusters/tool.json index 15f20f6..3527545 100644 --- a/clusters/tool.json +++ b/clusters/tool.json @@ -7,11 +7,11 @@ "Dennis Rand", "raw-data" ], + "category": "tool", "description": "threat-actor-tools is an enumeration of tools used by adversaries. The list includes malware but also common software regularly used by the adversaries.", "name": "Tool", "source": "MISP Project", "type": "tool", - "category": "tool", "uuid": "0d821b68-9d82-4c6d-86a6-1071a9e0f79f", "values": [ { diff --git a/schema_clusters.json b/schema_clusters.json index 36f22c3..4cf095b 100644 --- a/schema_clusters.json +++ b/schema_clusters.json 
@@ -25,7 +25,7 @@ }, "category": { "type": "string" - }, + }, "values": { "type": "array", "uniqueItems": true, From 4232f0b7371e43501256743f29c9a3a87f317057 Mon Sep 17 00:00:00 2001 From: Christophe Vandeplas Date: Fri, 19 Oct 2018 14:08:50 +0200 Subject: [PATCH 15/17] chg: further categorization of galaxies --- clusters/branded_vulnerability.json | 1 + clusters/cert-eu-govsector.json | 1 + clusters/mitre-attack-pattern.json | 1 + clusters/mitre-course-of-action.json | 1 + clusters/mitre-enterprise-attack-attack-pattern.json | 1 + clusters/mitre-enterprise-attack-course-of-action.json | 1 + clusters/mitre-mobile-attack-attack-pattern.json | 1 + clusters/mitre-mobile-attack-course-of-action.json | 1 + clusters/mitre-pre-attack-attack-pattern.json | 1 + clusters/preventive-measure.json | 1 + clusters/sector.json | 1 + schema_clusters.json | 3 ++- 12 files changed, 13 insertions(+), 1 deletion(-) diff --git a/clusters/branded_vulnerability.json b/clusters/branded_vulnerability.json index 72786cb..ab15a1f 100644 --- a/clusters/branded_vulnerability.json +++ b/clusters/branded_vulnerability.json @@ -2,6 +2,7 @@ "authors": [ "Unknown" ], + "category": "vulnerability", "description": "List of known vulnerabilities and attacks with a branding", "name": "Branded Vulnerability", "source": "Open Sources", diff --git a/clusters/cert-eu-govsector.json b/clusters/cert-eu-govsector.json index 9673709..1405c13 100644 --- a/clusters/cert-eu-govsector.json +++ b/clusters/cert-eu-govsector.json @@ -2,6 +2,7 @@ "authors": [ "Various" ], + "category": "sector", "description": "Cert EU GovSector", "name": "Cert EU GovSector", "source": "CERT-EU", diff --git a/clusters/mitre-attack-pattern.json b/clusters/mitre-attack-pattern.json index 00209ab..4b6dddf 100644 --- a/clusters/mitre-attack-pattern.json +++ b/clusters/mitre-attack-pattern.json 
@@ -2,6 +2,7 @@ "authors": [ "MITRE" ], + "category": "attack-pattern", "description": "ATT&CK tactic", "name": "Attack Pattern", "source": "https://github.com/mitre/cti", diff --git a/clusters/mitre-course-of-action.json b/clusters/mitre-course-of-action.json index c8f9767..b3bcaf0 100644 --- a/clusters/mitre-course-of-action.json +++ b/clusters/mitre-course-of-action.json @@ -2,6 +2,7 @@ "authors": [ "MITRE" ], + "category": "course-of-action", "description": "ATT&CK Mitigation", "name": "Course of Action", "source": "https://github.com/mitre/cti", diff --git a/clusters/mitre-enterprise-attack-attack-pattern.json b/clusters/mitre-enterprise-attack-attack-pattern.json index 8e79664..06907aa 100644 --- a/clusters/mitre-enterprise-attack-attack-pattern.json +++ b/clusters/mitre-enterprise-attack-attack-pattern.json @@ -2,6 +2,7 @@ "authors": [ "MITRE" ], + "category": "attack-pattern", "description": "ATT&CK tactic", "name": "Enterprise Attack - Attack Pattern", "source": "https://github.com/mitre/cti", diff --git a/clusters/mitre-enterprise-attack-course-of-action.json b/clusters/mitre-enterprise-attack-course-of-action.json index 584f5d0..1057876 100644 --- a/clusters/mitre-enterprise-attack-course-of-action.json +++ b/clusters/mitre-enterprise-attack-course-of-action.json @@ -2,6 +2,7 @@ "authors": [ "MITRE" ], + "category": "course-of-action", "description": "ATT&CK Mitigation", "name": "Enterprise Attack - Course of Action", "source": "https://github.com/mitre/cti", diff --git a/clusters/mitre-mobile-attack-attack-pattern.json b/clusters/mitre-mobile-attack-attack-pattern.json index 9f2b465..a7fbc97 100644 --- a/clusters/mitre-mobile-attack-attack-pattern.json +++ b/clusters/mitre-mobile-attack-attack-pattern.json @@ -2,6 +2,7 @@ "authors": [ "MITRE" ], + "category": "attack-pattern", "description": "ATT&CK tactic", "name": "Mobile Attack - Attack Pattern", "source": "https://github.com/mitre/cti", 
diff --git a/clusters/mitre-mobile-attack-course-of-action.json b/clusters/mitre-mobile-attack-course-of-action.json index c0b32e7..acccfb5 100644 --- a/clusters/mitre-mobile-attack-course-of-action.json +++ b/clusters/mitre-mobile-attack-course-of-action.json @@ -2,6 +2,7 @@ "authors": [ "MITRE" ], + "category": "course-of-action", "description": "ATT&CK Mitigation", "name": "Mobile Attack - Course of Action", "source": "https://github.com/mitre/cti", diff --git a/clusters/mitre-pre-attack-attack-pattern.json b/clusters/mitre-pre-attack-attack-pattern.json index db225d9..f293b24 100644 --- a/clusters/mitre-pre-attack-attack-pattern.json +++ b/clusters/mitre-pre-attack-attack-pattern.json @@ -2,6 +2,7 @@ "authors": [ "MITRE" ], + "category": "attack-pattern", "description": "ATT&CK tactic", "name": "Pre Attack - Attack Pattern", "source": "https://github.com/mitre/cti", diff --git a/clusters/preventive-measure.json b/clusters/preventive-measure.json index 4dd6ba1..4e6592b 100644 --- a/clusters/preventive-measure.json +++ b/clusters/preventive-measure.json @@ -2,6 +2,7 @@ "authors": [ "Various" ], + "category": "measure", "description": "Preventive measures based on the ransomware document overview as published in https://docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g/pubhtml# . The preventive measures are quite generic and can fit any standard Windows infrastructure and their security measures.", "name": "Preventive Measure", "source": "MISP Project", diff --git a/clusters/sector.json b/clusters/sector.json index daf48a3..fb1ae99 100644 --- a/clusters/sector.json +++ b/clusters/sector.json @@ -2,6 +2,7 @@ "authors": [ "Various" ], + "category": "sector", "description": "Activity sectors", "name": "Sector", "source": "CERT-EU", diff --git a/schema_clusters.json b/schema_clusters.json index 4cf095b..7f78501 100644 --- a/schema_clusters.json +++ b/schema_clusters.json 
@@ -157,6 +157,7 @@ "uuid", "values", "authors", - "source" + "source", + "category" ] } From bceee0f03d932245ac3caaff33aca327d6be2722 Mon Sep 17 00:00:00 2001 From: Christophe Vandeplas Date: Fri, 19 Oct 2018 14:30:05 +0200 Subject: [PATCH 16/17] tool: experimental graphing tool --- tools/graph.py | 195 +++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 195 insertions(+) create mode 100755 tools/graph.py diff --git a/tools/graph.py b/tools/graph.py new file mode 100755 index 0000000..079a764 --- /dev/null +++ b/tools/graph.py 
@@ -0,0 +1,195 @@ +#!/usr/bin/env python3 +# TODO +# - define strength between relations based on 'type' - similar should be closer than the others +# - use different colors / shapes + +import json +import os +import argparse +from graphviz import Digraph + + +parser = argparse.ArgumentParser(description='Generate a DOT file to graph a Galaxy cluster and its relations.') +parser.add_argument("-u", "--uuid", help="Start UUID of a cluster.") +parser.add_argument("-a", "--all", action='store_true', help='generate all graphs as PNGs') +args = parser.parse_args() + + +def gen_galaxy_tag(galaxy_name, cluster_name): + # return 'misp-galaxy:{}="{}"'.format(galaxy_name, cluster_name) + return '{}={}'.format(galaxy_name, cluster_name) + +files_to_ignore = ['mitre-attack-pattern.json', 'mitre-course-of-action.json', 'mitre-intrusion-set.json', + 'mitre-malware.json', 'mitre-tool.json'] + +galaxies_fnames = [] +pathClusters = '../clusters' +for f in os.listdir(pathClusters): + if '.json' in f and f not in files_to_ignore: + galaxies_fnames.append(f) +galaxies_fnames.sort() + +cluster_uuids = {} +galaxies = [] +for galaxy_fname in galaxies_fnames: + fullPathClusters = os.path.join(pathClusters, galaxy_fname) + with open(fullPathClusters) as fp: + json_data = json.load(fp) + galaxies.append(json_data) + for cluster in json_data['values']: + if 'uuid' not in cluster: + continue + cluster_uuids[cluster['uuid']] = { + 'tag': gen_galaxy_tag(json_data['type'], cluster['value']), + 'galaxy': json_data['type'], + 'value': cluster['value'], + 'synonyms': cluster.get('synonyms') + } + + + +# for k, v in cluster_uuids.items(): +# print("{}\t{}".format(k, v)) + + +type_mapping = { + 'ransomware': 'tool', + # 'mitre-pre-attack-relationship': '', + # 'mitre-enterprise-attack-course-of-action': '', + 'mitre-enterprise-attack-intrusion-set': 'actor', + 'mitre-intrusion-set': 'actor', + 'rat': 'tool', + 'stealer': 'tool', + 'mitre-enterprise-attack-malware': 'tool', + # 'mitre-attack-pattern': 
'', + # 'mitre-mobile-attack-relationship': '', + # 'mitre-enterprise-attack-attack-pattern': '', + 'microsoft-activity-group': 'actor', + # 'mitre-course-of-action': '', + 'exploit-kit': 'tool', + 'mitre-mobile-attack-tool': 'tool', + 'backdoor': 'tool', + # 'mitre-pre-attack-attack-pattern': '', + 'mitre-mobile-attack-intrusion-set': 'actor', + 'mitre-tool': 'tool', + # 'mitre-mobile-attack-attack-pattern': '', + 'mitre-mobile-attack-malware': 'tool', + 'tool': 'tool', + # 'preventive-measure': '', + # 'sector': '', + 'mitre-malware': 'tool', + 'banker': 'tool', + # 'branded-vulnerability': '', + 'botnet': 'tool', + # 'cert-eu-govsector': '', + 'threat-actor': 'actor', + 'mitre-enterprise-attack-tool': 'tool', + 'android': 'tool', + # 'mitre-mobile-attack-course-of-action': '', + 'mitre-pre-attack-intrusion-set': 'actor', + # 'mitre-enterprise-attack-relationship': '', + 'tds': 'tool', + 'malpedia': 'tool' +} + + +def gen_dot(uuid): + things_to_keep = [uuid] # '5b4ee3ea-eee3-4c8e-8323-85ae32658754' = threat-actor=Sofacy + # ' 5e0a7cf2-6107-4d5f-9dd0-9df38b1fcba8' = APT30 + things_seen = things_to_keep.copy() + + dot = [] + while len(things_to_keep) > 0: + new_things_to_keep = [] + for galaxy in galaxies: + for cluster in galaxy['values']: + if 'related' not in cluster: + continue + src_tag = gen_galaxy_tag(galaxy['type'], cluster['value']) + if cluster['uuid'] not in things_to_keep: + continue + node_params = [] + node_params.append('label="{}\n{}"'.format(galaxy['type'], cluster['value'])) + if type_mapping.get(galaxy['type']) == 'actor': + node_params.append('shape=octagon') + node_params.append('style=filled,color=indianred1') + elif type_mapping.get(galaxy['type']) == 'tool': + node_params.append('shape=box') + node_params.append('style=filled,color=deepskyblue') + else: + node_params.append('shape=ellipse') + dot.append('"{src}" [{params}];'.format( + src=src_tag, + params=','.join(node_params) + )) + for relation in cluster['related']: + try: + dest_tag = 
cluster_uuids[relation['dest-uuid']]['tag'] + extra = [] + if relation['type'] == 'similar': + # make arrow bidirectional + extra.append('dir="both"') + # prevent double links for 'similar' types + if relation['dest-uuid'] in things_seen: + continue + dot.append('"{src}" -> "{dst}" [label="{lbl}",{extra}];'.format( + # dot.append('"{src}" -> "{dst}" [{extra}];'.format( + src=src_tag, + dst=dest_tag, + lbl=relation['type'], + extra=','.join(extra) + )) + # FIXME - add a separate node with the color, type, format of the source-node + + # prevent something to be processed twice + if relation['dest-uuid'] not in things_seen: + new_things_to_keep.append(relation['dest-uuid']) + things_seen.append(relation['dest-uuid']) + except KeyError: + # skip uuids not found + pass + # print(new_things_to_keep) + things_to_keep = new_things_to_keep.copy() + + + return dot + +if args.uuid: + uuid = args.uuid + dot = [] + # dot.append('digraph G {') + dot.append('concentrate=true;') + dot.append('overlap=scale;') + generated_dot = gen_dot(uuid) + if len(generated_dot) == 0: + print("Empty graph for uuid: {}".format(uuid)) + exit() + print("Generating graph for uuid: {}".format(uuid)) + dot += generated_dot + # dot.append('}') + # dg.source = '\n'.join(dot) + dg = Digraph(engine='neato', format='png', body=dot) + # print(dg.source) + dg.render(filename='graphs/{}'.format(uuid), cleanup=False) + +elif args.all: + for uuid in cluster_uuids.keys(): + dot = [] + # dot.append('digraph G {') + dot.append('concentrate=true;') + dot.append('overlap=scale;') + generated_dot = gen_dot(uuid) + if len(generated_dot) == 0: + print("Empty graph for uuid: {}".format(uuid)) + continue + + print("Generating graph for uuid: {}".format(uuid)) + dot += generated_dot + # dot.append('}') + # dg.source = '\n'.join(dot) + + dg = Digraph(format='png', body=dot) + # print(dg.source) + dg.render(engine='dot', filename='graphs/{}'.format(uuid), cleanup=False) +else: + exit("No parameters given, use --help for 
more info.") From ca1bc24f653e25c36ce858d379d7133f8fe913d9 Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Fri, 19 Oct 2018 14:59:09 +0200 Subject: [PATCH 17/17] fix: [graph.py] small fix to make it work --- tools/graph.py | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/tools/graph.py b/tools/graph.py index 079a764..dc41201 100755 --- a/tools/graph.py +++ b/tools/graph.py @@ -117,7 +117,7 @@ def gen_dot(uuid): node_params.append('shape=box') node_params.append('style=filled,color=deepskyblue') else: - node_params.append('shape=ellipse') + node_params.append('shape=ellipse') dot.append('"{src}" [{params}];'.format( src=src_tag, params=','.join(node_params) @@ -151,7 +151,7 @@ def gen_dot(uuid): # print(new_things_to_keep) things_to_keep = new_things_to_keep.copy() - + return dot if args.uuid: @@ -162,8 +162,8 @@ if args.uuid: dot.append('overlap=scale;') generated_dot = gen_dot(uuid) if len(generated_dot) == 0: - print("Empty graph for uuid: {}".format(uuid)) - exit() + print("Empty graph for uuid: {}".format(uuid)) + exit() print("Generating graph for uuid: {}".format(uuid)) dot += generated_dot # dot.append('}') @@ -182,14 +182,14 @@ elif args.all: if len(generated_dot) == 0: print("Empty graph for uuid: {}".format(uuid)) continue - + print("Generating graph for uuid: {}".format(uuid)) dot += generated_dot # dot.append('}') # dg.source = '\n'.join(dot) dg = Digraph(format='png', body=dot) - # print(dg.source) - dg.render(engine='dot', filename='graphs/{}'.format(uuid), cleanup=False) + #print(dg.source) + dg.render(filename='graphs/{}'.format(uuid)) else: exit("No parameters given, use --help for more info.")
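Review bot: Strings read from the cluster JSON files (`galaxy['type']`, `cluster['value']`, `relation['type']`) are placed between double quotes in the DOT statements built in `gen_dot()` without escaping, so a value containing `"` or ending in a backslash yields malformed DOT or stray attributes in the rendered graph. A small quoting helper applied to every node id and label closes that. The same function reads `cluster['uuid']` without the `'uuid' not in cluster` guard used when `cluster_uuids` is built, so a cluster that has `related` but no `uuid` raises KeyError outside the `try`. The uuid also becomes the output path in `'graphs/{}'.format(uuid)`, so checking that it is a plain UUID with no path separators before rendering keeps the output inside `graphs/`.

```python
def dot_quote(text):
    # Backslash first, then double quote, so a value from a cluster file cannot end the DOT string early.
    return '"{}"'.format(str(text).replace('\\', '\\\\').replace('"', '\\"'))

# … unchanged: argument parsing, cluster loading, type_mapping …

# inside gen_dot(), per cluster:
                if cluster.get('uuid') not in things_to_keep:
                    continue
                node_params = ['label={}'.format(dot_quote(galaxy['type'] + '\n' + cluster['value']))]
                # … unchanged: shape and colour selection …
                dot.append('{src} [{params}];'.format(src=dot_quote(src_tag), params=','.join(node_params)))
                # … unchanged: relation loop, with dot_quote() applied to src, dst and the label the same way …
```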
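Review bot: After this change the `--all` branch renders with graphviz's default engine, while the `--uuid` branch still builds `Digraph(engine='neato', ...)` and passes `cleanup=False`. Both write to `graphs/<uuid>`, so the same cluster gets a different layout depending on which mode ran last. The two branches otherwise repeat the same steps, so I would move them into one helper, for example `def render_graph(uuid, engine='dot'):`, and choose the engine in one place. The `elif args.all:` loop starts outside this hunk.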