{ "name": "Entreprise Attack - Relationship", "type": "mitre-entreprise-attack-relationship", "description": "MITRE Relationship", "version": 1, "source": "https://github.com/mitre/cti", "uuid": "fc605f90-1707-11e8-9d6a-9f165ac2ab5c", "authors": [ "MITRE" ], "values": [ { "meta": { "source-uuid": "222fbd21-fc4f-4b7e-9f85-0e6e3a76c33f", "target-uuid": "2f1a9fd0-3b7c-4d77-a358-78db13adbe78" }, "uuid": "cfc7da70-d7c5-4508-8f50-1c3107269633", "value": "menuPass uses EvilGrab" }, { "meta": { "source-uuid": "69d6f4a9-fcf0-4f51-bca7-597c51ad0bb8", "target-uuid": "241814ae-de3f-4656-b49e-f9a80764d4b7" }, "uuid": "ea61c268-d0d1-4cbe-8b26-16f70f515a04", "value": "Remsec uses Security Software Discovery" }, { "meta": { "source-uuid": "0998045d-f96e-4284-95ce-3c8219707486", "target-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add" }, "uuid": "04ecc705-0027-4dda-85fe-d6ce028ef05e", "value": "SEASHARPEE uses Remote File Copy" }, { "meta": { "source-uuid": "0bbdf25b-30ff-4894-a1cd-49260d0dd2d9", "target-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830" }, "uuid": "41d61146-4a42-4897-b4a1-a706130a322d", "value": "APT3 uses Command-Line Interface" }, { "meta": { "source-uuid": "b2203c59-4089-4ee4-bfe1-28fa25f0dbfe", "target-uuid": "a19e86f8-1c0a-4fea-8407-23b73d615776" }, "uuid": "ed2c177c-18fc-4bfd-9169-48af1557a542", "value": "Cherry Picker uses Exfiltration Over Alternative Protocol" }, { "meta": { "source-uuid": "8901ac23-6b50-410c-b0dd-d8174a86f9b3", "target-uuid": "7bc57495-ea59-4380-be31-a64af124ef18" }, "uuid": "ab3ac76f-5ddc-44dc-bb2f-670d6bf08e0b", "value": "Shamoon uses File and Directory Discovery" }, { "meta": { "source-uuid": "93f52415-0fe4-4d3d-896c-fc9b8e88ab90", "target-uuid": "a257ed11-ff3b-4216-8c9d-3938ef57064c" }, "uuid": "eb91c7d8-2cfb-4d8b-905a-d146bc8178e2", "value": "BRONZE BUTLER uses Pass the Ticket" }, { "meta": { "source-uuid": "4ca1929c-7d64-4aab-b849-badbfc0c760d", "target-uuid": "54a649ff-439a-41a4-9856-8d144a2551ba" }, "uuid": 
"bd83109f-198a-43b0-a4c9-c13dd671c2da", "value": "OilRig uses Remote Services" }, { "meta": { "source-uuid": "bef4c620-0787-42a8-a96d-b7eb6e85917c", "target-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add" }, "uuid": "644b6c21-90f0-43b7-8da4-7f6f24ddabb6", "value": "APT28 uses Remote File Copy" }, { "meta": { "source-uuid": "69d6f4a9-fcf0-4f51-bca7-597c51ad0bb8", "target-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6" }, "uuid": "d7e57ff2-f14b-44fa-97e3-8bc976cb9bd5", "value": "Remsec uses Standard Application Layer Protocol" }, { "meta": { "source-uuid": "5be33fef-39c0-4532-84ee-bea31e1b5324", "target-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9" }, "uuid": "ee5e40d0-f72e-4e0b-8b10-cd5c2057cdc0", "value": "ISMInjector uses Scheduled Task" }, { "meta": { "source-uuid": "2f1a9fd0-3b7c-4d77-a358-78db13adbe78", "target-uuid": "1035cdf2-3e5f-446f-a7a7-e8f6d7925967" }, "uuid": "5599906d-5be3-420c-9f84-e762d85c2511", "value": "EvilGrab uses Audio Capture" }, { "meta": { "source-uuid": "f9d6633a-55e6-4adc-9263-6ae080421a13", "target-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add" }, "uuid": "47f521b8-37e4-489d-b6eb-25f35de80aae", "value": "Magic Hound uses Remote File Copy" }, { "meta": { "source-uuid": "2a7914cf-dff3-428d-ab0f-1014d1c28aeb", "target-uuid": "51dea151-0898-4a45-967c-3ebee0420484" }, "uuid": "a317b097-b819-441b-b344-9f129ba6cb40", "value": "FIN6 uses Remote Desktop Protocol" }, { "meta": { "source-uuid": "68ba94ab-78b8-43e7-83e2-aed3466882c6", "target-uuid": "03342581-f790-4f03-ba41-e82e67392e23" }, "uuid": "e76b1b21-17c1-4e3b-ac3a-92fb8afc4130", "value": "APT34 uses Net" }, { "meta": { "source-uuid": "5e7ef1dc-7fb6-4913-ac75-e06113b59e0c", "target-uuid": "f24faf46-3b26-4dbb-98f2-63460498e433" }, "uuid": "62c8913c-c193-4feb-ab58-88343838336d", "value": "MiniDuke uses Fallback Channels" }, { "meta": { "source-uuid": "6713ab67-e25b-49cc-808d-2b36d4fbc35c", "target-uuid": "294e2560-bd48-44b2-9da2-833b5588ad11" }, "uuid": "f879eea1-2a05-484d-adbb-c3504813fc5d", 
"value": "Ke3chang uses ipconfig" }, { "meta": { "source-uuid": "7331c66a-5601-4d3f-acf6-ad9e3035eb40", "target-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2" }, "uuid": "8447c89e-a743-430e-8ef5-41abfcde1a01", "value": "Group5 uses Input Capture" }, { "meta": { "source-uuid": "381fcf73-60f6-4ab2-9991-6af3cbc35192", "target-uuid": "54cc1d4f-5c53-4f0e-9ef5-11b4998e82e4" }, "uuid": "b349ef5f-4a05-4eef-afe4-1543b8c832fa", "value": "Sandworm Team uses BlackEnergy" }, { "meta": { "source-uuid": "fb575479-14ef-41e9-bfab-0b7cf10bec73", "target-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a" }, "uuid": "b6fc7740-4e5f-4f4c-8b1e-d0e3368eee03", "value": "ADVSTORESHELL uses Obfuscated Files or Information" }, { "meta": { "source-uuid": "247cb30b-955f-42eb-97a5-a89fef69341e", "target-uuid": "9ca488bd-9587-48ef-b923-1743523e63b2" }, "uuid": "55f58d30-b633-4094-97bb-6ab872c0f480", "value": "APT32 uses SOUNDBITE" }, { "meta": { "source-uuid": "22addc7b-b39f-483d-979a-1b35147da5de", "target-uuid": "f24faf46-3b26-4dbb-98f2-63460498e433" }, "uuid": "70a93fc8-83c0-4407-8224-ae447af1235a", "value": "WinMM uses Fallback Channels" }, { "meta": { "source-uuid": "e48df773-7c95-4a4c-ba70-ea3d15900148", "target-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896" }, "uuid": "521146dd-185d-4a8c-a3b4-b3caedbc7a14", "value": "DownPaper uses Query Registry" }, { "meta": { "source-uuid": "160af6af-e733-4b6a-a04a-71c620ac0930", "target-uuid": "92a78814-b191-47ca-909c-1ccfe3777414" }, "uuid": "b0d10c67-94bf-4bb3-8122-6f4d9e8106c1", "value": "Third-party Software Mitigation mitigates Third-party Software" }, { "meta": { "source-uuid": "4f6aa78c-c3d4-4883-9840-96ca2f5d6d47", "target-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6" }, "uuid": "0d9114a6-6452-4668-95eb-f91bcb300d2d", "value": "TEXTMATE uses Standard Application Layer Protocol" }, { "meta": { "source-uuid": "a653431d-6a5e-4600-8ad3-609b5af57064", "target-uuid": "00d0b012-8a03-410e-95de-5826bf542de6" }, "uuid": "4d68b3eb-9689-4a6d-b6ab-367fbc5ddade", 
"value": "Deep Panda uses Indicator Removal from Tools" }, { "meta": { "source-uuid": "f9d6633a-55e6-4adc-9263-6ae080421a13", "target-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc" }, "uuid": "0a507d28-ef6b-417b-a968-e82608e8b6a8", "value": "Magic Hound uses Registry Run Keys / Start Folder" }, { "meta": { "source-uuid": "cfd2cd3b-93e7-4b3e-ab46-f8bcafdbdfcf", "target-uuid": "0a5231ec-41af-4a35-83d0-6bdf11f28c65" }, "uuid": "ef2b823b-2fb1-442a-9d91-cf088242f6a6", "value": "Execution through Module Load Mitigation mitigates Execution through Module Load" }, { "meta": { "source-uuid": "fb261c56-b80e-43a9-8351-c84081e7213d", "target-uuid": "970cdb5c-02fb-4c38-b17e-d6327cf3c810" }, "uuid": "c327c333-46c4-4e23-81e0-2f0e07c24c11", "value": "BACKSPACE uses Shortcut Modification" }, { "meta": { "source-uuid": "ad4f146f-e3ec-444a-ba71-24bffd7f0f8e", "target-uuid": "f879d51c-5476-431c-aedf-f14d207e4d1e" }, "uuid": "fb6a804a-1929-4c13-a78d-1cf724c09e77", "value": "RIPTIDE uses Commonly Used Port" }, { "meta": { "source-uuid": "c5574ca0-d5a4-490a-b207-e4658e5fd1d7", "target-uuid": "cb7bcf6f-085f-41db-81ee-4b68481661b5" }, "uuid": "a4106a52-b3e7-4aa9-b2ca-125f206dbf91", "value": "Scarlet Mimic uses CallMe" }, { "meta": { "source-uuid": "2a7914cf-dff3-428d-ab0f-1014d1c28aeb", "target-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81" }, "uuid": "da395019-238a-4c4e-b4cd-43947e8aa019", "value": "FIN6 uses Valid Accounts" }, { "meta": { "source-uuid": "88c621a7-aef9-4ae0-94e3-1fc87123eb24", "target-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59" }, "uuid": "af883d09-3f26-4267-9081-4783447e3283", "value": "gh0st uses File Deletion" }, { "meta": { "source-uuid": "9752aef4-a1f3-4328-929f-b64eb0536090", "target-uuid": "478aa214-2ca7-4ec0-9978-18798e514790" }, "uuid": "d0b2e189-e764-44ec-9373-2f23212f6a45", "value": "RawPOS uses New Service" }, { "meta": { "source-uuid": "c93fccb1-e8e8-42cf-ae33-2ad1d183913a", "target-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add" }, "uuid": 
"115562b8-9d7c-435e-af6e-0be6249742d0", "value": "Lazarus Group uses Remote File Copy" }, { "meta": { "source-uuid": "bef4c620-0787-42a8-a96d-b7eb6e85917c", "target-uuid": "c23b740b-a42b-47a1-aec2-9d48ddd547ff" }, "uuid": "22ccfcb8-cb4a-4b9e-bc2d-c0bd2701e2e9", "value": "APT28 uses Pass the Hash" }, { "meta": { "source-uuid": "ff6840c9-4c87-4d07-bbb6-9f50aa33d498", "target-uuid": "b21c3b2d-02e6-45b1-980b-e69051040839" }, "uuid": "78b504a4-2bdd-44dd-b954-a7fa120f1efd", "value": "Flame uses Exploitation of Vulnerability" }, { "meta": { "source-uuid": "894aab42-3371-47b1-8859-a4a074c804c8", "target-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0" }, "uuid": "510c2f8c-4570-4c19-8c36-7004f8bbf561", "value": "Stealth Falcon uses System Network Configuration Discovery" }, { "meta": { "source-uuid": "9e729a7e-0dd6-4097-95bf-db8d64911383", "target-uuid": "246fd3c7-f5e3-466d-8787-4c13d9e3b61c" }, "uuid": "27b05a62-5310-40d9-9e49-b4dce3afad55", "value": "Darkhotel uses Taint Shared Content" }, { "meta": { "source-uuid": "0bbdf25b-30ff-4894-a1cd-49260d0dd2d9", "target-uuid": "7bc57495-ea59-4380-be31-a64af124ef18" }, "uuid": "a8b248fe-a27c-40fd-83d5-f4382035d656", "value": "APT3 uses File and Directory Discovery" }, { "meta": { "source-uuid": "91000a8a-58cc-4aba-9ad0-993ad6302b86", "target-uuid": "7bc57495-ea59-4380-be31-a64af124ef18" }, "uuid": "c8b0afbb-12eb-4b45-a1e1-b11755de2976", "value": "StreamEx uses File and Directory Discovery" }, { "meta": { "source-uuid": "68ba94ab-78b8-43e7-83e2-aed3466882c6", "target-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81" }, "uuid": "78364654-f94c-4b7b-b5ec-19bedb58ec4f", "value": "APT34 uses Valid Accounts" }, { "meta": { "source-uuid": "28adf6fd-ab6c-4553-9aa7-cef18a191f33", "target-uuid": "b9f5dbe2-4c55-4fc5-af2e-d42c1d182ec4" }, "uuid": "ea46cbd0-7134-4ede-a117-47380ddd9b5c", "value": "Data Compressed Mitigation mitigates Data Compressed" }, { "meta": { "source-uuid": "247cb30b-955f-42eb-97a5-a89fef69341e", "target-uuid": 
"b17a1a56-e99c-403c-8948-561df0cffe81" }, "uuid": "70bc1a16-3c57-4198-b2f9-c7f27bec271c", "value": "APT32 uses Valid Accounts" }, { "meta": { "source-uuid": "c93fccb1-e8e8-42cf-ae33-2ad1d183913a", "target-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc" }, "uuid": "6ab291a5-8061-4ad4-a6a7-07a6142e4c27", "value": "Lazarus Group uses Registry Run Keys / Start Folder" }, { "meta": { "source-uuid": "ccd61dfc-b03f-4689-8c18-7c97eab08472", "target-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6" }, "uuid": "3a9abcd5-52ba-44f1-96a5-1593f816b9f0", "value": "CHOPSTICK uses Standard Application Layer Protocol" }, { "meta": { "source-uuid": "251fbae2-78f6-4de7-84f6-194c727a64ad", "target-uuid": "3b3cbbe0-6ed3-4334-b543-3ddfd8c5642d" }, "uuid": "21717b6b-1fc6-4619-9877-bb36237a8efd", "value": "Lurid uses Custom Cryptographic Protocol" }, { "meta": { "source-uuid": "eff1a885-6f90-42a1-901f-eef6e7a1905e", "target-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580" }, "uuid": "5bb90849-cdfe-4cc0-9ca3-128f17b2a1d1", "value": "Helminth uses Process Discovery" }, { "meta": { "source-uuid": "166c0eca-02fd-424a-92c0-6b5106994d31", "target-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add" }, "uuid": "2025480a-6d91-4ef5-a6ea-cc025c8aecfb", "value": "ZLib uses Remote File Copy" }, { "meta": { "source-uuid": "ff6840c9-4c87-4d07-bbb6-9f50aa33d498", "target-uuid": "e01be9c5-e763-4caf-aeb7-000b416aef67" }, "uuid": "57e6eba5-cb21-4a0d-b524-4981f49037b1", "value": "Flame uses Create Account" }, { "meta": { "source-uuid": "64fa0de0-6240-41f4-8638-f4ca7ed528fd", "target-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc" }, "uuid": "a29d9514-3284-4ac2-a93a-e17750519534", "value": "PlugX uses Registry Run Keys / Start Folder" }, { "meta": { "source-uuid": "2daa14d6-cbf3-4308-bb8e-213c324a08e4", "target-uuid": "a19e86f8-1c0a-4fea-8407-23b73d615776" }, "uuid": "1e2baacb-9033-49a9-890a-f48c87ab1531", "value": "HAMMERTOSS uses Exfiltration Over Alternative Protocol" }, { "meta": { "source-uuid": 
"495b6cdb-7b5a-4fbc-8d33-e7ef68806d08", "target-uuid": "c848fcf7-6b62-4bde-8216-b6c157d48da0" }, "uuid": "11de35bf-195d-4097-a27a-d2e2b7c433b3", "value": "Volgmer uses Uncommonly Used Port" }, { "meta": { "source-uuid": "c0c45d38-fe57-4cd4-b2b2-9ecd0ddd4ca9", "target-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830" }, "uuid": "fdc4c379-e6e6-4454-933d-2a9a4a78cf98", "value": "TinyZBot uses Command-Line Interface" }, { "meta": { "source-uuid": "a653431d-6a5e-4600-8ad3-609b5af57064", "target-uuid": "96b08451-b27a-4ff6-893f-790e26393a8e" }, "uuid": "70dc6b5c-c524-429e-a6ab-0dd40f0482c1", "value": "Deep Panda uses Sakula" }, { "meta": { "source-uuid": "64d76fa5-cf8f-469c-b78c-1a4f7c5bad80", "target-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59" }, "uuid": "93812c9c-39f1-4bf6-adda-601d0ffd88bf", "value": "BBSRAT uses File Deletion" }, { "meta": { "source-uuid": "f6d1d2cb-12f5-4221-9636-44606ea1f3f8", "target-uuid": "3489cfc5-640f-4bb3-a103-9137b97de79f" }, "uuid": "d07f2da6-6497-414f-96c1-9dd60155b169", "value": "OSInfo uses Network Share Discovery" }, { "meta": { "source-uuid": "8ae43c46-57ef-47d5-a77a-eebb35628db2", "target-uuid": "62b8c999-dcc0-4755-bd69-09442d9359f5" }, "uuid": "dd9c1644-259d-4980-8058-fdc3c72fac7b", "value": "JHUHUGIT uses Rundll32" }, { "meta": { "source-uuid": "92ec0cbd-2c30-44a2-b270-73f4ec949841", "target-uuid": "1b84d551-6de8-4b96-9930-d177677c3b1d" }, "uuid": "6b0b404e-7e1b-4f8f-8b78-85016f36f8e9", "value": "RTM uses Code Signing" }, { "meta": { "source-uuid": "fb575479-14ef-41e9-bfab-0b7cf10bec73", "target-uuid": "b9f5dbe2-4c55-4fc5-af2e-d42c1d182ec4" }, "uuid": "c0e78590-0266-43e0-8fb5-efd95556c20c", "value": "ADVSTORESHELL uses Data Compressed" }, { "meta": { "source-uuid": "54cc1d4f-5c53-4f0e-9ef5-11b4998e82e4", "target-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59" }, "uuid": "d5166d3e-246b-473c-9ff0-c5cc97dd91de", "value": "BlackEnergy uses File Deletion" }, { "meta": { "source-uuid": "2a7914cf-dff3-428d-ab0f-1014d1c28aeb", "target-uuid": 
"0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22" }, "uuid": "e0bc7e9b-aec8-4e78-baed-f635ee7bd196", "value": "FIN6 uses Credential Dumping" }, { "meta": { "source-uuid": "687c23e4-4e25-4ee7-a870-c5e002511f54", "target-uuid": "01a5a209-b94c-450b-b7f9-946497d91055" }, "uuid": "6a58662b-4eb1-4172-b387-13e9b574368a", "value": "DustySky uses Windows Management Instrumentation" }, { "meta": { "source-uuid": "26fed817-e7bf-41f9-829a-9075ffac45c2", "target-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add" }, "uuid": "c39e878e-a496-4271-9998-2d5c9511e0a4", "value": "Kasidet uses Remote File Copy" }, { "meta": { "source-uuid": "aafea02e-ece5-4bb2-91a6-3bf8c7f38a39", "target-uuid": "c23b740b-a42b-47a1-aec2-9d48ddd547ff" }, "uuid": "9a286577-ccfc-4793-96ce-02c17dc0f4ae", "value": "Cobalt Strike uses Pass the Hash" }, { "meta": { "source-uuid": "7a6e5ca3-562f-4185-a323-f3b62b5b2e6b", "target-uuid": "6e6845c2-347a-4a6f-a2d1-b74a18ebd352" }, "uuid": "bdd223c2-8d3a-4c99-b261-402b7daaace5", "value": "LSASS Driver Mitigation mitigates LSASS Driver" }, { "meta": { "source-uuid": "96150c35-466f-4f0a-97a9-ae87ee27f751", "target-uuid": "02fefddc-fb1b-423f-a76b-7552dd211d4d" }, "uuid": "49dd2ac1-cd3a-46db-89d7-307c65971a3d", "value": "Bootkit Mitigation mitigates Bootkit" }, { "meta": { "source-uuid": "8901ac23-6b50-410c-b0dd-d8174a86f9b3", "target-uuid": "ffe742ed-9100-4686-9e00-c331da544787" }, "uuid": "38ea7367-26e7-4a6a-b735-e98e3a35450a", "value": "Shamoon uses Windows Admin Shares" }, { "meta": { "source-uuid": "69d6f4a9-fcf0-4f51-bca7-597c51ad0bb8", "target-uuid": "7bc57495-ea59-4380-be31-a64af124ef18" }, "uuid": "147e009d-48db-40bc-999c-70aa1e770a0c", "value": "Remsec uses File and Directory Discovery" }, { "meta": { "source-uuid": "f047ee18-7985-4946-8bfb-4ed754d3a0dd", "target-uuid": "b1de6916-7a22-4460-8d26-6b5483ffaa2a" }, "uuid": "08d91d3c-b7c7-4cbc-a4eb-29edd3be3e3a", "value": "APT30 uses SHIPSHAPE" }, { "meta": { "source-uuid": "495b6cdb-7b5a-4fbc-8d33-e7ef68806d08", "target-uuid": 
"4b74a1d4-b0e9-4ef1-93f1-14ecc6e2f5b5" }, "uuid": "a49ed7b1-8160-48ae-a65f-feeb4747c522", "value": "Volgmer uses Standard Cryptographic Protocol" }, { "meta": { "source-uuid": "1c63d4ec-0a75-4daa-b1df-0d11af3d3cc1", "target-uuid": "e01be9c5-e763-4caf-aeb7-000b416aef67" }, "uuid": "570c8981-9a08-4c4f-8927-a22148bb880e", "value": "Dragonfly uses Create Account" }, { "meta": { "source-uuid": "69d6f4a9-fcf0-4f51-bca7-597c51ad0bb8", "target-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a" }, "uuid": "43edea0b-efb8-41ab-bdda-f5aa62de439f", "value": "Remsec uses Obfuscated Files or Information" }, { "meta": { "source-uuid": "f108215f-3487-489d-be8b-80e346d32518", "target-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104" }, "uuid": "707d131d-39ff-4ea0-a8ef-63dd7ca2a854", "value": "Komplex uses System Owner/User Discovery" }, { "meta": { "source-uuid": "fbe9387f-34e6-4828-ac28-3080020c597b", "target-uuid": "7fd87010-3a00-4da3-b905-410525e8ec44" }, "uuid": "4de4a09b-5727-4462-b288-23278e74634e", "value": "FIN10 uses Scripting" }, { "meta": { "source-uuid": "326af1cd-78e7-45b7-a326-125d2f7ef8f2", "target-uuid": "7bc57495-ea59-4380-be31-a64af124ef18" }, "uuid": "0d8aa058-426a-45c9-af5b-898746ae5862", "value": "Crimson uses File and Directory Discovery" }, { "meta": { "source-uuid": "37cc7eb6-12e3-467b-82e8-f20f2cc73c69", "target-uuid": "4b74a1d4-b0e9-4ef1-93f1-14ecc6e2f5b5" }, "uuid": "0d3e115b-ff08-4bff-8802-be3d21cec68f", "value": "Prikormka uses Standard Cryptographic Protocol" }, { "meta": { "source-uuid": "196f1f32-e0c2-4d46-99cd-234d4b6befe1", "target-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0" }, "uuid": "2843ccc2-4869-48a0-8967-b9856a778a2c", "value": "Felismus uses Masquerading" }, { "meta": { "source-uuid": "5c167af7-c2cb-42c8-ae67-3fb275bf8488", "target-uuid": "128c55d3-aeba-469f-bd3e-c8996ab4112a" }, "uuid": "4fa2cbf0-9721-4bbe-86b4-334848cd3dd6", "value": "Timestomp Mitigation mitigates Timestomp" }, { "meta": { "source-uuid": "54cc1d4f-5c53-4f0e-9ef5-11b4998e82e4", 
"target-uuid": "799ace7f-e227-4411-baa0-8868704f2a69" }, "uuid": "c9dca829-6417-4121-9462-650ac852b8c2", "value": "BlackEnergy uses Indicator Removal on Host" }, { "meta": { "source-uuid": "4ca1929c-7d64-4aab-b849-badbfc0c760d", "target-uuid": "322bad5a-1c49-4d23-ab79-76d641794afa" }, "uuid": "4923be5e-dd24-4289-adca-e9dbf545b9c2", "value": "OilRig uses System Service Discovery" }, { "meta": { "source-uuid": "7bec698a-7e20-4fd3-bb6a-12787770fb1a", "target-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6" }, "uuid": "2d659138-90e5-4b67-8956-02120d99506f", "value": "3PARA RAT uses Standard Application Layer Protocol" }, { "meta": { "source-uuid": "76abb3ef-dafd-4762-97cb-a35379429db4", "target-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6" }, "uuid": "61047751-c353-4190-bc37-19ad959bc35e", "value": "Gazer uses Standard Application Layer Protocol" }, { "meta": { "source-uuid": "09b2cd76-c674-47cc-9f57-d2f2ad150a46", "target-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1" }, "uuid": "a88332d2-d03f-4139-b11c-19e82459189b", "value": "POWRUNER uses System Information Discovery" }, { "meta": { "source-uuid": "199463de-d9be-46d6-bb41-07234c1dd5a6", "target-uuid": "322bad5a-1c49-4d23-ab79-76d641794afa" }, "uuid": "ae9befd5-d8b7-4492-9b47-422a40d610cc", "value": "GeminiDuke uses System Service Discovery" }, { "meta": { "source-uuid": "6a2e693f-24e5-451a-9f88-b36a108e5662", "target-uuid": "294e2560-bd48-44b2-9da2-833b5588ad11" }, "uuid": "13984eec-6c33-4bab-a22c-5c061ddd6e44", "value": "APT1 uses ipconfig" }, { "meta": { "source-uuid": "dc5d1a33-62aa-4a0c-aa8c-589b87beb11e", "target-uuid": "3b3cbbe0-6ed3-4334-b543-3ddfd8c5642d" }, "uuid": "6586cae6-bf7a-4b1d-ab5c-53106d1db5c4", "value": "ChChes uses Custom Cryptographic Protocol" }, { "meta": { "source-uuid": "2eb9b131-d333-4a48-9eb4-d8dec46c19ee", "target-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6" }, "uuid": "a9727d1b-777a-4c3e-8bcc-e0cbff7431d8", "value": "CosmicDuke uses Standard Application Layer Protocol" }, { "meta": { 
"source-uuid": "c416b28c-103b-4df1-909e-78089a7e0e5f", "target-uuid": "830c9528-df21-472c-8c14-a036bf17d665" }, "uuid": "a58ad2d1-7200-4ba8-9c24-fc640306ea2f", "value": "RTM uses Web Service" }, { "meta": { "source-uuid": "899ce53f-13a0-479b-a0e4-67d46e241542", "target-uuid": "1ce03c65-5946-4ac9-9d4d-66db87e024bd" }, "uuid": "27e7f34e-9750-4cf0-8260-33f2996ee38c", "value": "APT29 uses Domain Fronting" }, { "meta": { "source-uuid": "68ba94ab-78b8-43e7-83e2-aed3466882c6", "target-uuid": "ff6caf67-ea1f-4895-b80e-4bb0fc31c6db" }, "uuid": "45a89f5b-a7de-46c9-93d6-15f2170128e4", "value": "APT34 uses PsExec" }, { "meta": { "source-uuid": "d2dce10b-3562-4d61-b2f5-7c6384b038e2", "target-uuid": "a127c32c-cbb0-4f9d-be07-881a792408ec" }, "uuid": "2e3b8b06-5148-4313-8b1b-d75789838c84", "value": "Mshta Mitigation mitigates Mshta" }, { "meta": { "source-uuid": "aafea02e-ece5-4bb2-91a6-3bf8c7f38a39", "target-uuid": "f4882e23-8aa7-4b12-b28a-b349c12ee9e0" }, "uuid": "1b51b49a-1f3a-4b5d-aea3-989e9ccb72ad", "value": "Cobalt Strike uses PowerShell" }, { "meta": { "source-uuid": "17b40f60-729f-4fe8-8aea-cc9ee44a95d5", "target-uuid": "46944654-fcc1-4f63-9dad-628102376586" }, "uuid": "3f8a74a9-55fe-4f9c-bddb-00b715ca3668", "value": "RedLeaves uses DLL Search Order Hijacking" }, { "meta": { "source-uuid": "3240cbe4-c550-443b-aa76-cc2a7058b870", "target-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6" }, "uuid": "2121683c-ab01-4212-b2d2-af290dd8ed17", "value": "SNUGRIDE uses Standard Application Layer Protocol" }, { "meta": { "source-uuid": "5ce5392a-3a6c-4e07-9df3-9b6a9159ac45", "target-uuid": "7bec698a-7e20-4fd3-bb6a-12787770fb1a" }, "uuid": "3b3435a2-6a24-4527-be6f-03d09ef2b917", "value": "Putter Panda uses 3PARA RAT" }, { "meta": { "source-uuid": "96566860-9f11-4b6f-964d-1c924e4f24a4", "target-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0" }, "uuid": "90e64a7a-42e6-4b95-ae85-5ac324d7f6e2", "value": "Starloader uses Masquerading" }, { "meta": { "source-uuid": 
"251fbae2-78f6-4de7-84f6-194c727a64ad", "target-uuid": "b9f5dbe2-4c55-4fc5-af2e-d42c1d182ec4" }, "uuid": "982d9af7-45bb-4cc0-9819-aaadb3304783", "value": "Lurid uses Data Compressed" }, { "meta": { "source-uuid": "bba595da-b73a-4354-aa6c-224d4de7cb4e", "target-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add" }, "uuid": "fb866766-d3a5-46f6-9d0e-afc6bd1c7962", "value": "cmd uses Remote File Copy" }, { "meta": { "source-uuid": "083bb47b-02c8-4423-81a2-f9ef58572974", "target-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1" }, "uuid": "f19234f6-5b59-4229-aae1-70df380a076a", "value": "Backdoor.Oldrea uses System Information Discovery" }, { "meta": { "source-uuid": "17862c7d-9e60-48a0-b48e-da4dc4c3f6b0", "target-uuid": "cc7b8c4e-9be0-47ca-b0bb-83915ec3ee2f" }, "uuid": "21caad94-1568-4e40-8e38-c0f7e854aede", "value": "Patchwork uses Data Encoding" }, { "meta": { "source-uuid": "b8d57b16-d8e2-428c-a645-1083795b3445", "target-uuid": "64196062-5210-42c3-9a02-563a0d1797ef" }, "uuid": "cf699238-7091-4d79-9741-d792152f37c1", "value": "Communication Through Removable Media Mitigation mitigates Communication Through Removable Media" }, { "meta": { "source-uuid": "55033a4d-3ffe-46b2-99b4-2c1541e9ce1c", "target-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0" }, "uuid": "bbf116bf-6f8a-44f4-9d98-db6ccbbff333", "value": "Carbanak uses Masquerading" }, { "meta": { "source-uuid": "fb575479-14ef-41e9-bfab-0b7cf10bec73", "target-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc" }, "uuid": "284ffb1b-ad42-468e-9897-94c25024f0d4", "value": "ADVSTORESHELL uses Registry Run Keys / Start Folder" }, { "meta": { "source-uuid": "7331c66a-5601-4d3f-acf6-ad9e3035eb40", "target-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688" }, "uuid": "8e69c855-db70-4b5e-866b-f9ce0b786156", "value": "Group5 uses Screen Capture" }, { "meta": { "source-uuid": "e8268361-a599-4e45-bd3f-71c8c7e700c0", "target-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830" }, "uuid": "ae370b88-fd93-4803-a154-aa3debf2327b", "value": "httpclient uses 
Command-Line Interface" }, { "meta": { "source-uuid": "09b2cd76-c674-47cc-9f57-d2f2ad150a46", "target-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688" }, "uuid": "ed522c9c-038b-43c0-af66-e81b954104f2", "value": "POWRUNER uses Screen Capture" }, { "meta": { "source-uuid": "0c8465c0-d0b4-4670-992e-4eee8d7ff952", "target-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9" }, "uuid": "d4d35e55-6a09-47ef-8de5-160468276025", "value": "at uses Scheduled Task" }, { "meta": { "source-uuid": "bef4c620-0787-42a8-a96d-b7eb6e85917c", "target-uuid": "7bc57495-ea59-4380-be31-a64af124ef18" }, "uuid": "3094a14f-ccd2-4ba4-a3f6-c6d2721f02db", "value": "APT28 uses File and Directory Discovery" }, { "meta": { "source-uuid": "5e595477-2e78-4ce7-ae42-e0b059b17808", "target-uuid": "e906ae4d-1d3a-4675-be23-22f7311c0da4" }, "uuid": "f758836e-91b2-4651-ba72-d827553b668c", "value": "POSHSPY uses Windows Management Instrumentation Event Subscription" }, { "meta": { "source-uuid": "7a19ecb1-3c65-4de3-a230-993516aed6a6", "target-uuid": "00d0b012-8a03-410e-95de-5826bf542de6" }, "uuid": "fe9c9381-99d7-4798-ab41-3e5cdbda5e21", "value": "Turla uses Indicator Removal from Tools" }, { "meta": { "source-uuid": "2eb9b131-d333-4a48-9eb4-d8dec46c19ee", "target-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2" }, "uuid": "6d2d4146-bf9e-4b75-9a23-052c09e99eeb", "value": "CosmicDuke uses Input Capture" }, { "meta": { "source-uuid": "222fbd21-fc4f-4b7e-9f85-0e6e3a76c33f", "target-uuid": "bba595da-b73a-4354-aa6c-224d4de7cb4e" }, "uuid": "99800503-d535-4fae-a318-dfa034dca663", "value": "menuPass uses cmd" }, { "meta": { "source-uuid": "0bbdf25b-30ff-4894-a1cd-49260d0dd2d9", "target-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add" }, "uuid": "f661bda3-d524-44b3-aeb0-d8dd8879a569", "value": "APT3 uses Remote File Copy" }, { "meta": { "source-uuid": "efed95ba-d7e8-47ff-8c53-99c42426ee7c", "target-uuid": "691c60e2-273d-4d56-9ce6-b67e0f8719ad" }, "uuid": "34ebfdf4-ef2c-4a6c-8bfa-69704d8f7694", "value": "PROMETHIUM uses Truvasys" }, 
{ "meta": { "source-uuid": "0f862b01-99da-47cc-9bdb-db4a86a95bb1", "target-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0" }, "uuid": "1ec53623-4050-498b-ba9e-f149d203036c", "value": "Emissary uses System Network Configuration Discovery" }, { "meta": { "source-uuid": "afc079f3-c0ea-4096-b75d-3f05338b7f60", "target-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22" }, "uuid": "b7930db8-2cb9-4ecf-b3d3-7425f99140d8", "value": "Mimikatz uses Credential Dumping" }, { "meta": { "source-uuid": "7343e208-7cab-45f2-a47b-41ba5e2f0fab", "target-uuid": "e3a12395-188d-4051-9a16-ea8e14d07b88" }, "uuid": "a423dc5c-c506-4cc5-b65c-0c9269d18fb6", "value": "XTunnel uses Network Service Scanning" }, { "meta": { "source-uuid": "82cb34ba-02b5-432b-b2d2-07f55cbf674d", "target-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc" }, "uuid": "57e1f6b0-7fbd-49b4-8f5d-876b759437ac", "value": "Trojan.Karagany uses Registry Run Keys / Start Folder" }, { "meta": { "source-uuid": "9e9b9415-a7df-406b-b14d-92bfe6809fbe", "target-uuid": "4b74a1d4-b0e9-4ef1-93f1-14ecc6e2f5b5" }, "uuid": "7b5919ce-efab-45d1-855b-f827d7489b2b", "value": "Nidiran uses Standard Cryptographic Protocol" }, { "meta": { "source-uuid": "f3bdec95-3d62-42d9-a840-29630f6cdc1a", "target-uuid": "b42378e0-f147-496f-992a-26a49705395b" }, "uuid": "8797579b-e3be-4209-a71b-255a4d08243d", "value": "DragonOK uses PoisonIvy" }, { "meta": { "source-uuid": "166c0eca-02fd-424a-92c0-6b5106994d31", "target-uuid": "7bc57495-ea59-4380-be31-a64af124ef18" }, "uuid": "50271beb-48b1-411e-86b5-990b4cbb1fb5", "value": "ZLib uses File and Directory Discovery" }, { "meta": { "source-uuid": "08d20cd2-f084-45ee-8558-fa6ef5a18519", "target-uuid": "ca1a3f50-5ebd-41f8-8320-2c7d6a6e88be" }, "uuid": "6a0f3ebb-c805-402f-bb2e-aac2f8d174fa", "value": "Downdelph uses Bypass User Account Control" }, { "meta": { "source-uuid": "fb575479-14ef-41e9-bfab-0b7cf10bec73", "target-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59" }, "uuid": "53cc6b0b-66ec-4f7d-a725-f65b076b5428", "value": 
"ADVSTORESHELL uses File Deletion" }, { "meta": { "source-uuid": "67e6d66b-1b82-4699-b47a-e2efb6268d14", "target-uuid": "7fd87010-3a00-4da3-b905-410525e8ec44" }, "uuid": "837af41c-0553-4d1d-a38e-e43e2aad5c35", "value": "SeaDuke uses Scripting" }, { "meta": { "source-uuid": "69d6f4a9-fcf0-4f51-bca7-597c51ad0bb8", "target-uuid": "2e0dd10b-676d-4964-acd0-8a404c92b044" }, "uuid": "8baf3f0d-0ab4-4691-8ef7-8b9af8a8069c", "value": "Remsec uses Disabling Security Tools" }, { "meta": { "source-uuid": "cb7bcf6f-085f-41db-81ee-4b68481661b5", "target-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830" }, "uuid": "c3d3bb7d-65cc-4915-bc28-492d341e6dbd", "value": "CallMe uses Command-Line Interface" }, { "meta": { "source-uuid": "4ca1929c-7d64-4aab-b849-badbfc0c760d", "target-uuid": "cf23bf4a-e003-4116-bbae-1ea6c558d565" }, "uuid": "fd518b7a-b35d-4689-89f6-525efbeee18f", "value": "OilRig uses FTP" }, { "meta": { "source-uuid": "7a19ecb1-3c65-4de3-a230-993516aed6a6", "target-uuid": "f3c544dc-673c-4ef3-accb-53229f1ae077" }, "uuid": "87b74ba7-99c4-464c-86d2-1dd8c8b578b1", "value": "Turla uses System Time Discovery" }, { "meta": { "source-uuid": "b6b3dfc7-9a81-43ff-ac04-698bad48973a", "target-uuid": "00d0b012-8a03-410e-95de-5826bf542de6" }, "uuid": "e79c65f4-f9d2-4568-96a4-b6e00d3bad71", "value": "Daserf uses Indicator Removal from Tools" }, { "meta": { "source-uuid": "a653431d-6a5e-4600-8ad3-609b5af57064", "target-uuid": "f4882e23-8aa7-4b12-b28a-b349c12ee9e0" }, "uuid": "6fdc3210-9754-4157-b386-8fcd680e732c", "value": "Deep Panda uses PowerShell" }, { "meta": { "source-uuid": "88c621a7-aef9-4ae0-94e3-1fc87123eb24", "target-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580" }, "uuid": "a564f3da-349a-4e65-826c-8ca60bc920bf", "value": "gh0st uses Process Discovery" }, { "meta": { "source-uuid": "fb366179-766c-4a4a-afa1-52bff1fd601c", "target-uuid": "afc079f3-c0ea-4096-b75d-3f05338b7f60" }, "uuid": "4ce5e752-97d6-4803-a49c-0f905729a133", "value": "Threat Group-3390 uses Mimikatz" }, { "meta": { 
"source-uuid": "e1161124-f22e-487f-9d5f-ed8efc8dcd61", "target-uuid": "f879d51c-5476-431c-aedf-f14d207e4d1e" }, "uuid": "a23ab6bc-e5cc-46a9-b77f-747ae6fc6a9b", "value": "Mis-Type uses Commonly Used Port" }, { "meta": { "source-uuid": "222fbd21-fc4f-4b7e-9f85-0e6e3a76c33f", "target-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830" }, "uuid": "dea36846-b8ad-4926-a242-9fa2d12069c8", "value": "menuPass uses Command-Line Interface" }, { "meta": { "source-uuid": "69d6f4a9-fcf0-4f51-bca7-597c51ad0bb8", "target-uuid": "e6415f09-df0e-48de-9aba-928c902b7549" }, "uuid": "137e1ddc-403b-49b5-a214-20b82bab446e", "value": "Remsec uses Exfiltration Over Physical Medium" }, { "meta": { "source-uuid": "bef4c620-0787-42a8-a96d-b7eb6e85917c", "target-uuid": "ba8e391f-14b5-496f-81f2-2d5ecd646c1c" }, "uuid": "46f853ea-3f45-4570-a155-826bec98456d", "value": "APT28 uses Credentials in Files" }, { "meta": { "source-uuid": "66b1dcde-17a0-4c7b-95fa-b08d430c2131", "target-uuid": "322bad5a-1c49-4d23-ab79-76d641794afa" }, "uuid": "abee00d3-8417-468b-84a4-40c7d0ac4f7d", "value": "S-Type uses System Service Discovery" }, { "meta": { "source-uuid": "899ce53f-13a0-479b-a0e4-67d46e241542", "target-uuid": "afc079f3-c0ea-4096-b75d-3f05338b7f60" }, "uuid": "067814b5-aa57-45e0-9bdf-5536b077c224", "value": "APT29 uses Mimikatz" }, { "meta": { "source-uuid": "7f8730af-f683-423f-9ee1-5f6875a80481", "target-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6" }, "uuid": "c80250a5-79c0-4a46-a0e3-49d6bcd574c6", "value": "Sys10 uses Standard Application Layer Protocol" }, { "meta": { "source-uuid": "68ba94ab-78b8-43e7-83e2-aed3466882c6", "target-uuid": "afc079f3-c0ea-4096-b75d-3f05338b7f60" }, "uuid": "7a783e7e-a735-42d7-874d-633b37e21033", "value": "APT34 uses Mimikatz" }, { "meta": { "source-uuid": "26fed817-e7bf-41f9-829a-9075ffac45c2", "target-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1" }, "uuid": "49af09c8-1460-485d-9f09-dacea47fa016", "value": "Kasidet uses System Information Discovery" }, { "meta": { 
"source-uuid": "bef4c620-0787-42a8-a96d-b7eb6e85917c", "target-uuid": "2dd34b01-6110-4aac-835d-b5e7b936b0be" }, "uuid": "bceada36-e6ba-49b9-b9f8-99e37e6cbf9e", "value": "APT28 uses OLDBAIT" }, { "meta": { "source-uuid": "66b1dcde-17a0-4c7b-95fa-b08d430c2131", "target-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1" }, "uuid": "7fbb56bf-cadd-4663-8067-f233d4c9c751", "value": "S-Type uses System Information Discovery" }, { "meta": { "source-uuid": "6a2e693f-24e5-451a-9f88-b36a108e5662", "target-uuid": "1608f3e1-598a-42f4-a01a-2e252e81728f" }, "uuid": "757bed64-558b-4ea7-84b9-b82d8b23f9b2", "value": "APT1 uses Email Collection" }, { "meta": { "source-uuid": "dd9a85ad-6a92-4986-a215-b01d0ce7b987", "target-uuid": "15dbf668-795c-41e6-8219-f0447c0e64ce" }, "uuid": "4d6def4b-69cf-4dca-848b-53de73536ad6", "value": "Permission Groups Discovery Mitigation mitigates Permission Groups Discovery" }, { "meta": { "source-uuid": "9ea525fa-b0a9-4dde-84f2-bcea0137b3c1", "target-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830" }, "uuid": "b8e50d79-c024-4dc1-aad2-d7181fbbf1bb", "value": "MoonWind uses Command-Line Interface" }, { "meta": { "source-uuid": "6713ab67-e25b-49cc-808d-2b36d4fbc35c", "target-uuid": "322bad5a-1c49-4d23-ab79-76d641794afa" }, "uuid": "7b529102-f95c-4ca1-a5c4-5a3497ab3674", "value": "Ke3chang uses System Service Discovery" }, { "meta": { "source-uuid": "8901ac23-6b50-410c-b0dd-d8174a86f9b3", "target-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81" }, "uuid": "5e6e745f-d756-4b6e-90e1-3adcf848570b", "value": "Shamoon uses Valid Accounts" }, { "meta": { "source-uuid": "7a19ecb1-3c65-4de3-a230-993516aed6a6", "target-uuid": "ffe742ed-9100-4686-9e00-c331da544787" }, "uuid": "4a6248d4-4fa1-404a-abed-84e9b7c32dbe", "value": "Turla uses Windows Admin Shares" }, { "meta": { "source-uuid": "c5574ca0-d5a4-490a-b207-e4658e5fd1d7", "target-uuid": "dfb5fa9b-3051-4b97-8035-08f80aef945b" }, "uuid": "79934567-99e6-4184-8b04-717a1b401006", "value": "Scarlet Mimic uses Psylo" }, { "meta": { 
"source-uuid": "c93fccb1-e8e8-42cf-ae33-2ad1d183913a", "target-uuid": "f24faf46-3b26-4dbb-98f2-63460498e433" }, "uuid": "ab687dca-2741-4920-a71e-e0e0444809c5", "value": "Lazarus Group uses Fallback Channels" }, { "meta": { "source-uuid": "69d6f4a9-fcf0-4f51-bca7-597c51ad0bb8", "target-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1" }, "uuid": "9b36e877-e637-46b8-bdf1-def74c977472", "value": "Remsec uses System Information Discovery" }, { "meta": { "source-uuid": "f9d6633a-55e6-4adc-9263-6ae080421a13", "target-uuid": "f4882e23-8aa7-4b12-b28a-b349c12ee9e0" }, "uuid": "110690db-fd9b-425a-9269-ec082f0af3f9", "value": "Magic Hound uses PowerShell" }, { "meta": { "source-uuid": "65341f30-bec6-4b1d-8abf-1a5620446c29", "target-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a" }, "uuid": "5077f774-95a4-459e-b88c-cb3a4dd5c8c6", "value": "Reaver uses Obfuscated Files or Information" }, { "meta": { "source-uuid": "62ae52c9-7197-4f5b-be1d-10d2e1df2c96", "target-uuid": "1ce03c65-5946-4ac9-9d4d-66db87e024bd" }, "uuid": "b41c70df-0955-408c-90ee-7acad8b080e1", "value": "Domain Fronting Mitigation mitigates Domain Fronting" }, { "meta": { "source-uuid": "bef4c620-0787-42a8-a96d-b7eb6e85917c", "target-uuid": "fb575479-14ef-41e9-bfab-0b7cf10bec73" }, "uuid": "5e9bee3d-ea86-4715-9fdc-199e10ef2161", "value": "APT28 uses ADVSTORESHELL" }, { "meta": { "source-uuid": "fb366179-766c-4a4a-afa1-52bff1fd601c", "target-uuid": "294e2560-bd48-44b2-9da2-833b5588ad11" }, "uuid": "c354d751-4688-49c5-9f9a-0d2bc705f645", "value": "Threat Group-3390 uses ipconfig" }, { "meta": { "source-uuid": "67e6d66b-1b82-4699-b47a-e2efb6268d14", "target-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6" }, "uuid": "9ef645ab-afd1-41d6-ad60-d207fd134748", "value": "SeaDuke uses Standard Application Layer Protocol" }, { "meta": { "source-uuid": "bba595da-b73a-4354-aa6c-224d4de7cb4e", "target-uuid": "7bc57495-ea59-4380-be31-a64af124ef18" }, "uuid": "2c09a27c-2eea-4287-9908-964533234e71", "value": "cmd uses File and Directory 
Discovery" }, { "meta": { "source-uuid": "7a19ecb1-3c65-4de3-a230-993516aed6a6", "target-uuid": "4664b683-f578-434f-919b-1c1aad2a1111" }, "uuid": "3643f451-322d-4f38-91a4-00a55a42c7f5", "value": "Turla uses netstat" }, { "meta": { "source-uuid": "b42378e0-f147-496f-992a-26a49705395b", "target-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2" }, "uuid": "3ef89472-470c-42c9-be01-155efe607b78", "value": "PoisonIvy uses Input Capture" }, { "meta": { "source-uuid": "65341f30-bec6-4b1d-8abf-1a5620446c29", "target-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6" }, "uuid": "797131cf-fef9-4ece-823f-e931393e72f8", "value": "Reaver uses Standard Application Layer Protocol" }, { "meta": { "source-uuid": "58adaaa8-f1e8-4606-9a08-422e568461eb", "target-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580" }, "uuid": "c8ce3bcd-b74f-497d-8f76-cc8c7333ab49", "value": "SHOTPUT uses Process Discovery" }, { "meta": { "source-uuid": "fbb470da-1d44-4f29-bbb3-9efbe20f94a3", "target-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22" }, "uuid": "ac72c3da-6b58-4f66-8476-8d3cc9ccf6bd", "value": "Mivast uses Credential Dumping" }, { "meta": { "source-uuid": "4ca1929c-7d64-4aab-b849-badbfc0c760d", "target-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a" }, "uuid": "cdbfa147-52be-411d-bcbd-f6dcbf91d7b5", "value": "OilRig uses Obfuscated Files or Information" }, { "meta": { "source-uuid": "2e290bfe-93b5-48ce-97d6-edcd6d32b7cf", "target-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add" }, "uuid": "253b56a5-232f-44bc-af4d-85ccc12a0577", "value": "Gamaredon Group uses Remote File Copy" }, { "meta": { "source-uuid": "67fc172a-36fa-4a35-88eb-4ba730ed52a6", "target-uuid": "cc7b8c4e-9be0-47ca-b0bb-83915ec3ee2f" }, "uuid": "a805a8d5-632c-48df-909d-c3d745652475", "value": "BS2005 uses Data Encoding" }, { "meta": { "source-uuid": "ba06d68a-4891-4eb5-b634-152e05ec60ee", "target-uuid": "c3888c54-775d-4b2f-b759-75a2ececcbfd" }, "uuid": "cff2088f-c003-4d03-aa8a-cca36753b930", "value": "Data Transfer Size Limits Mitigation mitigates 
Data Transfer Size Limits" }, { "meta": { "source-uuid": "c93fccb1-e8e8-42cf-ae33-2ad1d183913a", "target-uuid": "92d7da27-2d91-488e-a00c-059dc162766d" }, "uuid": "520f5440-740f-4efe-850e-ea4db340aef1", "value": "Lazarus Group uses Exfiltration Over Command and Control Channel" }, { "meta": { "source-uuid": "7a19ecb1-3c65-4de3-a230-993516aed6a6", "target-uuid": "7bc57495-ea59-4380-be31-a64af124ef18" }, "uuid": "fa6292a2-c184-4bc9-a37f-0c1ac61e1135", "value": "Turla uses File and Directory Discovery" }, { "meta": { "source-uuid": "67e6d66b-1b82-4699-b47a-e2efb6268d14", "target-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81" }, "uuid": "32864e94-8581-4f77-bf7d-53aaf3710f60", "value": "SeaDuke uses Valid Accounts" }, { "meta": { "source-uuid": "1cc934e4-b01d-4543-a011-b988dfc1a458", "target-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830" }, "uuid": "3ba2b8bc-1c5b-4cb3-8234-a7dc7b7552d0", "value": "Matroyshka uses Command-Line Interface" }, { "meta": { "source-uuid": "e9595678-d269-469e-ae6b-75e49259de63", "target-uuid": "830c9528-df21-472c-8c14-a036bf17d665" }, "uuid": "0c870326-6b8a-4279-bbd3-2c1ae23ba54a", "value": "BADNEWS uses Web Service" }, { "meta": { "source-uuid": "98e8a977-3416-43aa-87fa-33e287e9c14c", "target-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59" }, "uuid": "b6970925-a435-4942-b244-60e4f57acf86", "value": "WINDSHIELD uses File Deletion" }, { "meta": { "source-uuid": "899ce53f-13a0-479b-a0e4-67d46e241542", "target-uuid": "2daa14d6-cbf3-4308-bb8e-213c324a08e4" }, "uuid": "df9beafa-be6b-4e61-9a27-dfb9ec7d6aa3", "value": "APT29 uses HAMMERTOSS" }, { "meta": { "source-uuid": "f9d6633a-55e6-4adc-9263-6ae080421a13", "target-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2" }, "uuid": "023ff141-8ed7-4132-85a0-494fe075236b", "value": "Magic Hound uses Input Capture" }, { "meta": { "source-uuid": "4ca1929c-7d64-4aab-b849-badbfc0c760d", "target-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59" }, "uuid": "51f1d23c-1ccd-4cc4-918c-39e9a66e510b", "value": "OilRig uses File 
Deletion" }, { "meta": { "source-uuid": "9ea525fa-b0a9-4dde-84f2-bcea0137b3c1", "target-uuid": "348f1eef-964b-4eb6-bb53-69b3dcb0c643" }, "uuid": "5cceffd9-5818-4481-bce6-4e326548d6b4", "value": "MoonWind uses Peripheral Device Discovery" }, { "meta": { "source-uuid": "b6b3dfc7-9a81-43ff-ac04-698bad48973a", "target-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688" }, "uuid": "6db82410-1fcf-483a-be5b-cf09c361b4eb", "value": "Daserf uses Screen Capture" }, { "meta": { "source-uuid": "090242d7-73fc-4738-af68-20162f7a5aae", "target-uuid": "d69c8146-ab35-4d50-8382-6fc80e641d43" }, "uuid": "a33388b7-3803-442f-8e31-511eef055470", "value": "APT17 uses BLACKCOFFEE" }, { "meta": { "source-uuid": "d6e88e18-81e8-4709-82d8-973095da1e70", "target-uuid": "3cab1b76-2f40-4cd0-8d2c-7ed16eeb909c" }, "uuid": "bcd1d261-0228-468f-b02b-52e6784e2491", "value": "APT16 uses ELMER" }, { "meta": { "source-uuid": "4c59cce8-cb48-4141-b9f1-f646edfaadb0", "target-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4" }, "uuid": "fe3c4134-ddef-45f8-b83a-6865a01b9764", "value": "Regin uses Modify Registry" }, { "meta": { "source-uuid": "0f862b01-99da-47cc-9bdb-db4a86a95bb1", "target-uuid": "322bad5a-1c49-4d23-ab79-76d641794afa" }, "uuid": "bae7f2fb-99d8-4acf-b61e-f37a215aa82e", "value": "Emissary uses System Service Discovery" }, { "meta": { "source-uuid": "8ae43c46-57ef-47d5-a77a-eebb35628db2", "target-uuid": "478aa214-2ca7-4ec0-9978-18798e514790" }, "uuid": "b0099b28-bcb8-4214-8166-d9caed1b6491", "value": "JHUHUGIT uses New Service" }, { "meta": { "source-uuid": "93f52415-0fe4-4d3d-896c-fc9b8e88ab90", "target-uuid": "b6b3dfc7-9a81-43ff-ac04-698bad48973a" }, "uuid": "f52f1b34-a96a-45a0-8cc0-2f138a3f1257", "value": "BRONZE BUTLER uses Daserf" }, { "meta": { "source-uuid": "7ecc3b4f-5cdb-457e-b55a-df376b359446", "target-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0" }, "uuid": "df69c29c-01c4-4541-988e-8a5765439d56", "value": "Poseidon Group uses Masquerading" }, { "meta": { "source-uuid": 
"fb575479-14ef-41e9-bfab-0b7cf10bec73", "target-uuid": "d54416bd-0803-41ca-870a-ce1af7c05638" }, "uuid": "2a8f0313-4059-42b9-b487-6c8f860588c0", "value": "ADVSTORESHELL uses Data Encrypted" }, { "meta": { "source-uuid": "4ca1929c-7d64-4aab-b849-badbfc0c760d", "target-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830" }, "uuid": "2c79282f-5e60-48b9-962a-d61c3d73b334", "value": "OilRig uses Command-Line Interface" }, { "meta": { "source-uuid": "7551188b-8f91-4d34-8350-0d0c57b2b913", "target-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0" }, "uuid": "340d4ef7-816b-4758-994f-b913df78afd7", "value": "Elise uses System Network Configuration Discovery" }, { "meta": { "source-uuid": "7331c66a-5601-4d3f-acf6-ad9e3035eb40", "target-uuid": "6ff403bc-93e3-48be-8687-e102fdba8c88" }, "uuid": "b9083516-7dd3-4ef2-808a-1df48894122b", "value": "Group5 uses Software Packing" }, { "meta": { "source-uuid": "fbe9387f-34e6-4828-ac28-3080020c597b", "target-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81" }, "uuid": "d3b787ec-795c-481b-94e5-ff42dc56d79d", "value": "FIN10 uses Valid Accounts" }, { "meta": { "source-uuid": "6b616fc1-1505-48e3-8b2c-0d19337bff38", "target-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4" }, "uuid": "bad90106-a150-4d76-b39f-f35aab4ac766", "value": "Rover uses Modify Registry" }, { "meta": { "source-uuid": "af2ad3b7-ab6a-4807-91fd-51bcaff9acbb", "target-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc" }, "uuid": "5b686a7c-4fcd-44c2-9f57-1d88d6633ef4", "value": "USBStealer uses Registry Run Keys / Start Folder" }, { "meta": { "source-uuid": "ff6840c9-4c87-4d07-bbb6-9f50aa33d498", "target-uuid": "1035cdf2-3e5f-446f-a7a7-e8f6d7925967" }, "uuid": "07d16181-ba82-42c8-a67b-8d7d5adef52d", "value": "Flame uses Audio Capture" }, { "meta": { "source-uuid": "64d76fa5-cf8f-469c-b78c-1a4f7c5bad80", "target-uuid": "f44731de-ea9f-406d-9b83-30ecbb9b4392" }, "uuid": "59b39f06-a71c-42f7-92f2-244a183113d6", "value": "BBSRAT uses Service Execution" }, { "meta": { "source-uuid": 
"17862c7d-9e60-48a0-b48e-da4dc4c3f6b0", "target-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1" }, "uuid": "e8068ad2-97b3-4693-a6ad-a8ee9a272890", "value": "Patchwork uses System Information Discovery" }, { "meta": { "source-uuid": "aafea02e-ece5-4bb2-91a6-3bf8c7f38a39", "target-uuid": "3489cfc5-640f-4bb3-a103-9137b97de79f" }, "uuid": "e8048bf8-3931-4d6b-b4a6-475ff717cbae", "value": "Cobalt Strike uses Network Share Discovery" }, { "meta": { "source-uuid": "8ae43c46-57ef-47d5-a77a-eebb35628db2", "target-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add" }, "uuid": "f39d9e4d-b4f9-4c12-aa8e-a44f8550b57f", "value": "JHUHUGIT uses Remote File Copy" }, { "meta": { "source-uuid": "687c23e4-4e25-4ee7-a870-c5e002511f54", "target-uuid": "f24faf46-3b26-4dbb-98f2-63460498e433" }, "uuid": "b2ab26e2-eb90-4f19-b35a-b8a0a5438961", "value": "DustySky uses Fallback Channels" }, { "meta": { "source-uuid": "2f1a9fd0-3b7c-4d77-a358-78db13adbe78", "target-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2" }, "uuid": "0fec9b91-cd45-493b-b23e-abb3ed2513a0", "value": "EvilGrab uses Input Capture" }, { "meta": { "source-uuid": "0a68f1f1-da74-4d28-8d9a-696c082706cc", "target-uuid": "d519cfd5-f3a8-43a9-a846-ed0bb40672b1" }, "uuid": "542bb806-3e73-42f5-8a3e-86b498093f4b", "value": "certutil uses Install Root Certificate" }, { "meta": { "source-uuid": "0db09158-6e48-4e7c-8ce7-2b10b9c0c039", "target-uuid": "c21d5a77-d422-4a69-acd7-2c53c1faa34b" }, "uuid": "5e53b45b-ca14-4e8b-8c76-0cf9cb572a92", "value": "Misdat uses Standard Non-Application Layer Protocol" }, { "meta": { "source-uuid": "c93fccb1-e8e8-42cf-ae33-2ad1d183913a", "target-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580" }, "uuid": "699ddfef-6e95-42cf-b212-dc661f790adc", "value": "Lazarus Group uses Process Discovery" }, { "meta": { "source-uuid": "326af1cd-78e7-45b7-a326-125d2f7ef8f2", "target-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0" }, "uuid": "92711ee1-041b-4e35-a322-3e16790fcce2", "value": "Crimson uses System Network Configuration 
Discovery" }, { "meta": { "source-uuid": "bef4c620-0787-42a8-a96d-b7eb6e85917c", "target-uuid": "afc079f3-c0ea-4096-b75d-3f05338b7f60" }, "uuid": "5cfcbf60-454a-4673-aa93-9020d04efab7", "value": "APT28 uses Mimikatz" }, { "meta": { "source-uuid": "26fed817-e7bf-41f9-829a-9075ffac45c2", "target-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688" }, "uuid": "ade60661-8dfb-473a-8d12-014ba0273934", "value": "Kasidet uses Screen Capture" }, { "meta": { "source-uuid": "2f1a9fd0-3b7c-4d77-a358-78db13adbe78", "target-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc" }, "uuid": "cd1e409b-e981-4c83-a9ea-86705a45f92c", "value": "EvilGrab uses Registry Run Keys / Start Folder" }, { "meta": { "source-uuid": "93f52415-0fe4-4d3d-896c-fc9b8e88ab90", "target-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6" }, "uuid": "58fdc63b-05b4-4db9-90fe-c80f7956292f", "value": "BRONZE BUTLER uses Standard Application Layer Protocol" }, { "meta": { "source-uuid": "aafea02e-ece5-4bb2-91a6-3bf8c7f38a39", "target-uuid": "dcaa092b-7de9-4a21-977f-7fcb77e89c48" }, "uuid": "6863078f-fe93-4b84-ad7f-dffe494d9265", "value": "Cobalt Strike uses Access Token Manipulation" }, { "meta": { "source-uuid": "0f862b01-99da-47cc-9bdb-db4a86a95bb1", "target-uuid": "15dbf668-795c-41e6-8219-f0447c0e64ce" }, "uuid": "8ca14a24-b8b3-4669-ae56-e7102b543dc6", "value": "Emissary uses Permission Groups Discovery" }, { "meta": { "source-uuid": "aafea02e-ece5-4bb2-91a6-3bf8c7f38a39", "target-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670" }, "uuid": "5b9fbec2-0e72-44ef-94a5-a9f702469c93", "value": "Cobalt Strike uses Execution through API" }, { "meta": { "source-uuid": "08d20cd2-f084-45ee-8558-fa6ef5a18519", "target-uuid": "ad255bfe-a9e6-4b52-a258-8d3462abe842" }, "uuid": "0e27ebb3-2d48-48f6-ab99-968c0a992c61", "value": "Downdelph uses Data Obfuscation" }, { "meta": { "source-uuid": "17862c7d-9e60-48a0-b48e-da4dc4c3f6b0", "target-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5" }, "uuid": "8e28cc53-3fd4-42ed-8516-71fd9ee57641", "value": 
"Patchwork uses Data from Local System" }, { "meta": { "source-uuid": "65341f30-bec6-4b1d-8abf-1a5620446c29", "target-uuid": "970cdb5c-02fb-4c38-b17e-d6327cf3c810" }, "uuid": "0fee8bfd-aec2-44a7-8182-530a648006f3", "value": "Reaver uses Shortcut Modification" }, { "meta": { "source-uuid": "d69c8146-ab35-4d50-8382-6fc80e641d43", "target-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830" }, "uuid": "41747c46-1dd1-418b-84e9-75710f17a10c", "value": "BLACKCOFFEE uses Command-Line Interface" }, { "meta": { "source-uuid": "7bec698a-7e20-4fd3-bb6a-12787770fb1a", "target-uuid": "7bc57495-ea59-4380-be31-a64af124ef18" }, "uuid": "7c0995ef-ab5d-48f9-8884-7d953c4c3247", "value": "3PARA RAT uses File and Directory Discovery" }, { "meta": { "source-uuid": "5ce5392a-3a6c-4e07-9df3-9b6a9159ac45", "target-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d" }, "uuid": "a442fcac-55d7-49ff-8ecf-ca61885c27e2", "value": "Putter Panda uses Process Injection" }, { "meta": { "source-uuid": "60c18d06-7b91-4742-bae3-647845cd9d81", "target-uuid": "519630c5-f03f-4882-825c-3af924935817" }, "uuid": "9b88372d-4f3f-4442-906d-9ab07e22e781", "value": "CORESHELL uses Binary Padding" }, { "meta": { "source-uuid": "64fa0de0-6240-41f4-8638-f4ca7ed528fd", "target-uuid": "99709758-2b96-48f2-a68a-ad7fbd828091" }, "uuid": "2c48f039-61f7-4af4-974b-f0e0fcf95f58", "value": "PlugX uses Multiband Communication" }, { "meta": { "source-uuid": "9da16278-c6c5-4410-8a6b-9c16ce8005b3", "target-uuid": "2892b9ee-ca9f-4723-b332-0dc6e843a8ae" }, "uuid": "701a2767-70f3-44f1-a397-9c04517ece67", "value": "Screensaver Mitigation mitigates Screensaver" }, { "meta": { "source-uuid": "691c60e2-273d-4d56-9ce6-b67e0f8719ad", "target-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc" }, "uuid": "55df3b40-b130-4313-9064-6b0fc56564d0", "value": "Truvasys uses Registry Run Keys / Start Folder" }, { "meta": { "source-uuid": "92ec0cbd-2c30-44a2-b270-73f4ec949841", "target-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2" }, "uuid": 
"23e2dc58-4b8d-48d8-82fd-d051892a7d58", "value": "RTM uses Input Capture" }, { "meta": { "source-uuid": "66b1dcde-17a0-4c7b-95fa-b08d430c2131", "target-uuid": "f24faf46-3b26-4dbb-98f2-63460498e433" }, "uuid": "4b23ac99-3761-46f0-ad5d-2cf63a95036a", "value": "S-Type uses Fallback Channels" }, { "meta": { "source-uuid": "c93fccb1-e8e8-42cf-ae33-2ad1d183913a", "target-uuid": "731f4f55-b6d0-41d1-a7a9-072a66389aea" }, "uuid": "39fdd17c-5f59-4daf-bf14-95841b5ec248", "value": "Lazarus Group uses Connection Proxy" }, { "meta": { "source-uuid": "d519164e-f5fa-4b8c-a1fb-cf0172ad0983", "target-uuid": "ff6caf67-ea1f-4895-b80e-4bb0fc31c6db" }, "uuid": "f1af286d-9367-45de-aced-a762838e58bd", "value": "Threat Group-1314 uses PsExec" }, { "meta": { "source-uuid": "7551188b-8f91-4d34-8350-0d0c57b2b913", "target-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6" }, "uuid": "bc60180b-2db6-4e0d-8b98-d349db637777", "value": "Elise uses Standard Application Layer Protocol" }, { "meta": { "source-uuid": "bef4c620-0787-42a8-a96d-b7eb6e85917c", "target-uuid": "02fefddc-fb1b-423f-a76b-7552dd211d4d" }, "uuid": "9e90e4a5-844c-4516-9044-6f35bbf27806", "value": "APT28 uses Bootkit" }, { "meta": { "source-uuid": "85403903-15e0-4f9f-9be4-a259ecad4022", "target-uuid": "30208d3e-0d6b-43c8-883e-44462a514619" }, "uuid": "55ffbd77-ec97-4dca-9399-b9e4b62fbbf8", "value": "FIN5 uses Automated Collection" }, { "meta": { "source-uuid": "9ea525fa-b0a9-4dde-84f2-bcea0137b3c1", "target-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0" }, "uuid": "c585ae70-1bda-4751-ad34-536a78b7daad", "value": "MoonWind uses System Network Configuration Discovery" }, { "meta": { "source-uuid": "40d3e230-ed32-469f-ba89-be70cc08ab39", "target-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104" }, "uuid": "6c71a59f-05e6-44cc-ace5-33200e1f0846", "value": "Agent.btz uses System Owner/User Discovery" }, { "meta": { "source-uuid": "025bdaa9-897d-4bad-afa6-013ba5734653", "target-uuid": "a8d3d497-2da9-4797-8e0b-ed176be08654" }, "uuid": 
"877a67b0-5dea-467c-9da1-8eee3bcc19a6", "value": "NEODYMIUM uses Wingbird" }, { "meta": { "source-uuid": "93f52415-0fe4-4d3d-896c-fc9b8e88ab90", "target-uuid": "242f3da3-4425-4d11-8f5c-b842886da966" }, "uuid": "fc79f30d-94c8-400e-ab10-21d2a2527788", "value": "BRONZE BUTLER uses Windows Credential Editor" }, { "meta": { "source-uuid": "68ba94ab-78b8-43e7-83e2-aed3466882c6", "target-uuid": "f4882e23-8aa7-4b12-b28a-b349c12ee9e0" }, "uuid": "7df747e6-81a1-4bb0-b47f-96136694f2d0", "value": "APT34 uses PowerShell" }, { "meta": { "source-uuid": "68dca94f-c11d-421e-9287-7c501108e18c", "target-uuid": "72b74d71-8169-42aa-92e0-e7b04b9f5a08" }, "uuid": "2db406cf-667d-4ad6-b768-7645f6663ac9", "value": "Duqu uses Account Discovery" }, { "meta": { "source-uuid": "00c3bfcb-99bd-4767-8c03-b08f585f5c8a", "target-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1" }, "uuid": "1fda6ff7-a344-4bc3-b545-4083cc15290d", "value": "PowerDuke uses System Information Discovery" }, { "meta": { "source-uuid": "0f862b01-99da-47cc-9bdb-db4a86a95bb1", "target-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a" }, "uuid": "021c3289-43bb-4787-9d7e-6ad17b3ce84f", "value": "Emissary uses Obfuscated Files or Information" }, { "meta": { "source-uuid": "4c59cce8-cb48-4141-b9f1-f646edfaadb0", "target-uuid": "731f4f55-b6d0-41d1-a7a9-072a66389aea" }, "uuid": "52cf8793-2f13-45c2-8274-1a9bf5d6224a", "value": "Regin uses Connection Proxy" }, { "meta": { "source-uuid": "e066bf86-9cfb-407a-9d25-26fd5d91e360", "target-uuid": "f879d51c-5476-431c-aedf-f14d207e4d1e" }, "uuid": "030fb5ef-3900-4f60-a1d2-0f1d67940aed", "value": "HTTPBrowser uses Commonly Used Port" }, { "meta": { "source-uuid": "ff5d862a-ae6b-4833-8c15-e235d654d28e", "target-uuid": "9b52fca7-1a36-4da0-b62d-da5bd83b4d69" }, "uuid": "a65de154-e0dd-445f-9f26-8459a287c790", "value": "Component Object Model Hijacking Mitigation mitigates Component Object Model Hijacking" }, { "meta": { "source-uuid": "7a19ecb1-3c65-4de3-a230-993516aed6a6", "target-uuid": 
"7fcbc4e8-1989-441f-9ac5-e7b6ff5806f1" }, "uuid": "8cdfc8e4-b657-4ae9-b9ee-9b6107fae796", "value": "Turla uses Systeminfo" }, { "meta": { "source-uuid": "17b40f60-729f-4fe8-8aea-cc9ee44a95d5", "target-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688" }, "uuid": "48fb8267-5d68-467b-a2c0-8302cc15ebed", "value": "RedLeaves uses Screen Capture" }, { "meta": { "source-uuid": "4c59cce8-cb48-4141-b9f1-f646edfaadb0", "target-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2" }, "uuid": "385f57f4-87b6-4126-ab67-531e482ec9bc", "value": "Regin uses Input Capture" }, { "meta": { "source-uuid": "02f0f92a-0a51-4c94-9bda-6437b9a93f22", "target-uuid": "e2907cea-4b43-4ed7-a570-0fdf0fbeea00" }, "uuid": "c5747927-2d3d-4d3b-a4d7-56a2b37b039e", "value": "Space after Filename Mitigation mitigates Space after Filename" }, { "meta": { "source-uuid": "65341f30-bec6-4b1d-8abf-1a5620446c29", "target-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc" }, "uuid": "3dcf441c-b987-4c6a-93e7-e24ae1e16475", "value": "Reaver uses Registry Run Keys / Start Folder" }, { "meta": { "source-uuid": "43213480-78f7-4fb3-976f-d48f5f6a4c2a", "target-uuid": "7bc57495-ea59-4380-be31-a64af124ef18" }, "uuid": "512e16e9-634c-45d3-b569-c25a3072bbdc", "value": "FLASHFLOOD uses File and Directory Discovery" }, { "meta": { "source-uuid": "6a2e693f-24e5-451a-9f88-b36a108e5662", "target-uuid": "afc079f3-c0ea-4096-b75d-3f05338b7f60" }, "uuid": "630dedba-136b-4ea3-956e-f8f38e96653d", "value": "APT1 uses Mimikatz" }, { "meta": { "source-uuid": "59a97b15-8189-4d51-9404-e1ce8ea4a069", "target-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670" }, "uuid": "fc4811c4-103b-48b7-9e52-20d574cfc4bf", "value": "XAgentOSX uses Execution through API" }, { "meta": { "source-uuid": "37cc7eb6-12e3-467b-82e8-f20f2cc73c69", "target-uuid": "1b7ba276-eedc-4951-a762-0ceea2c030ec" }, "uuid": "96e928af-dbfc-4743-a1dc-353904e21fd3", "value": "Prikormka uses Data from Removable Media" }, { "meta": { "source-uuid": "8ae43c46-57ef-47d5-a77a-eebb35628db2", 
"target-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9" }, "uuid": "1aa10371-6473-416a-8b8b-17c36f700233", "value": "JHUHUGIT uses Scheduled Task" }, { "meta": { "source-uuid": "fb366179-766c-4a4a-afa1-52bff1fd601c", "target-uuid": "6aabc5ec-eae6-422c-8311-38d45ee9838a" }, "uuid": "59a6700b-3ae5-4039-a07c-cbbf6eb7a78e", "value": "Threat Group-3390 uses Redundant Access" }, { "meta": { "source-uuid": "9e57c770-5a39-49a2-bb91-253ba629e3ac", "target-uuid": "6c174520-beea-43d9-aac6-28fb77f3e446" }, "uuid": "142800a5-62e9-48e9-97ef-186cfb68ffa1", "value": "Security Support Provider Mitigation mitigates Security Support Provider" }, { "meta": { "source-uuid": "f9d6633a-55e6-4adc-9263-6ae080421a13", "target-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6" }, "uuid": "2dd15583-34cd-4b49-a6ba-4bd647b7ff27", "value": "Magic Hound uses Standard Application Layer Protocol" }, { "meta": { "source-uuid": "fb575479-14ef-41e9-bfab-0b7cf10bec73", "target-uuid": "4b74a1d4-b0e9-4ef1-93f1-14ecc6e2f5b5" }, "uuid": "85a92b0f-f8c3-41a9-a1b3-cfbf8b442b39", "value": "ADVSTORESHELL uses Standard Cryptographic Protocol" }, { "meta": { "source-uuid": "f8dfbc54-b070-4224-b560-79aaa5f835bd", "target-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add" }, "uuid": "a7e5ffbc-d123-4f62-88eb-36b32656cd35", "value": "H1N1 uses Remote File Copy" }, { "meta": { "source-uuid": "1cc934e4-b01d-4543-a011-b988dfc1a458", "target-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc" }, "uuid": "4696a49d-caa1-4746-b106-45faf327270b", "value": "Matroyshka uses Registry Run Keys / Start Folder" }, { "meta": { "source-uuid": "55033a4d-3ffe-46b2-99b4-2c1541e9ce1c", "target-uuid": "478aa214-2ca7-4ec0-9978-18798e514790" }, "uuid": "aad8c4dc-db11-48b4-b294-f63ccde5e798", "value": "Carbanak uses New Service" }, { "meta": { "source-uuid": "5e7ef1dc-7fb6-4913-ac75-e06113b59e0c", "target-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add" }, "uuid": "67b49860-e1e4-4b56-bf83-108c4ac25e5c", "value": "MiniDuke uses Remote File Copy" }, { "meta": { 
"source-uuid": "0bbdf25b-30ff-4894-a1cd-49260d0dd2d9", "target-uuid": "e358d692-23c0-4a31-9eb6-ecc13a8d7735" }, "uuid": "e7714693-e792-44f0-a224-9899df75fced", "value": "APT3 uses Remote System Discovery" }, { "meta": { "source-uuid": "aafea02e-ece5-4bb2-91a6-3bf8c7f38a39", "target-uuid": "ffe742ed-9100-4686-9e00-c331da544787" }, "uuid": "dac7355a-9d13-4155-a053-d0c18fe92f53", "value": "Cobalt Strike uses Windows Admin Shares" }, { "meta": { "source-uuid": "d3afa961-a80c-4043-9509-282cdf69ab21", "target-uuid": "478aa214-2ca7-4ec0-9978-18798e514790" }, "uuid": "0a65c303-52a6-4624-a8fb-fc7448429139", "value": "Winnti uses New Service" }, { "meta": { "source-uuid": "5a3a31fe-5a8f-48e1-bff0-a753e5b1be70", "target-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830" }, "uuid": "19be6ce1-8eea-47ff-b87c-3358d390454d", "value": "China Chopper uses Command-Line Interface" }, { "meta": { "source-uuid": "55033a4d-3ffe-46b2-99b4-2c1541e9ce1c", "target-uuid": "afc079f3-c0ea-4096-b75d-3f05338b7f60" }, "uuid": "c4bea2b7-e8a2-45d0-bac2-4d82576c1521", "value": "Carbanak uses Mimikatz" }, { "meta": { "source-uuid": "8c918d8a-11c5-4ffd-af10-e74bc06bdfae", "target-uuid": "62b8c999-dcc0-4755-bd69-09442d9359f5" }, "uuid": "98c18956-03d7-49e5-93b2-44351682331d", "value": "Rundll32 Mitigation mitigates Rundll32" }, { "meta": { "source-uuid": "92ec0cbd-2c30-44a2-b270-73f4ec949841", "target-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9" }, "uuid": "84e0c62b-b1a6-4ecd-8607-f0b516cb48f6", "value": "RTM uses Scheduled Task" }, { "meta": { "source-uuid": "8901ac23-6b50-410c-b0dd-d8174a86f9b3", "target-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4" }, "uuid": "af9347a3-00a9-4ece-b075-8c55bd4f4b9b", "value": "Shamoon uses Modify Registry" }, { "meta": { "source-uuid": "59a97b15-8189-4d51-9404-e1ce8ea4a069", "target-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104" }, "uuid": "31cd4eb1-f7b3-4030-b087-388d55faba03", "value": "XAgentOSX uses System Owner/User Discovery" }, { "meta": { "source-uuid": 
"4c59cce8-cb48-4141-b9f1-f646edfaadb0", "target-uuid": "f2d44246-91f1-478a-b6c8-1227e0ca109d" }, "uuid": "1ee44004-6aaa-4b22-934d-4f4ef82cbbd4", "value": "Regin uses NTFS Extended Attributes" }, { "meta": { "source-uuid": "22addc7b-b39f-483d-979a-1b35147da5de", "target-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104" }, "uuid": "af6e3f9e-7c71-484d-ab8e-5adaaaedea36", "value": "WinMM uses System Owner/User Discovery" }, { "meta": { "source-uuid": "e9595678-d269-469e-ae6b-75e49259de63", "target-uuid": "3b3cbbe0-6ed3-4334-b543-3ddfd8c5642d" }, "uuid": "1ba38510-0489-4305-944f-451e6869b30f", "value": "BADNEWS uses Custom Cryptographic Protocol" }, { "meta": { "source-uuid": "5f9f7648-04ba-4a9f-bb4c-2a13e74572bd", "target-uuid": "7bc57495-ea59-4380-be31-a64af124ef18" }, "uuid": "5d46a519-1ef9-4cdb-b737-8c7b3ffb4f0e", "value": "Pteranodon uses File and Directory Discovery" }, { "meta": { "source-uuid": "aafea02e-ece5-4bb2-91a6-3bf8c7f38a39", "target-uuid": "01a5a209-b94c-450b-b7f9-946497d91055" }, "uuid": "b9e624b0-47d1-4463-970b-fbb6ddcd7171", "value": "Cobalt Strike uses Windows Management Instrumentation" }, { "meta": { "source-uuid": "8ae43c46-57ef-47d5-a77a-eebb35628db2", "target-uuid": "03259939-0b57-482f-8eb5-87c0e0d54334" }, "uuid": "70d5a73c-cc14-410a-a430-5948cd21532f", "value": "JHUHUGIT uses Logon Scripts" }, { "meta": { "source-uuid": "277d2f87-2ae5-4730-a3aa-50c1fdff9656", "target-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22" }, "uuid": "8cbb1567-70c5-4daf-b163-cbc6cc40a794", "value": "Strider uses Credential Dumping" }, { "meta": { "source-uuid": "2e290bfe-93b5-48ce-97d6-edcd6d32b7cf", "target-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1" }, "uuid": "36112f24-7814-4c75-b5b7-a1205bb28b68", "value": "Gamaredon Group uses System Information Discovery" }, { "meta": { "source-uuid": "68ba94ab-78b8-43e7-83e2-aed3466882c6", "target-uuid": "a93494bb-4b80-4ea1-8695-3236a49916fd" }, "uuid": "04b44241-3ff4-4d46-9847-7cb2feaba84e", "value": "APT34 uses Brute Force" }, { 
"meta": { "source-uuid": "0bbdf25b-30ff-4894-a1cd-49260d0dd2d9", "target-uuid": "c9703cd3-141c-43a0-a926-380082be5d04" }, "uuid": "1c812537-dfaf-40da-a71b-a49c18870b77", "value": "APT3 uses schtasks" }, { "meta": { "source-uuid": "2a158b0a-7ef8-43cb-9985-bf34d1e12050", "target-uuid": "241814ae-de3f-4656-b49e-f9a80764d4b7" }, "uuid": "2e77d363-e38f-40ad-a6ef-9222dc12793d", "value": "Naikon uses Security Software Discovery" }, { "meta": { "source-uuid": "17b40f60-729f-4fe8-8aea-cc9ee44a95d5", "target-uuid": "f72eb8a8-cd4c-461d-a814-3f862befbf00" }, "uuid": "4176d195-5740-47c2-874d-51704e7d293e", "value": "RedLeaves uses Custom Command and Control Protocol" }, { "meta": { "source-uuid": "e669bb87-f773-4c7b-bfcc-a9ffebfdd8d4", "target-uuid": "0f20e3cb-245b-4a61-8a91-2d93f7cb0e9b" }, "uuid": "69b9edd8-c1a8-4cbd-bd94-9af0fdefe013", "value": "HIDEDRV uses Rootkit" }, { "meta": { "source-uuid": "247cb30b-955f-42eb-97a5-a89fef69341e", "target-uuid": "c16e5409-ee53-4d79-afdc-4099dc9292df" }, "uuid": "c7017855-dc52-4e9d-977f-3af701e094c8", "value": "APT32 uses Web Shell" }, { "meta": { "source-uuid": "7551188b-8f91-4d34-8350-0d0c57b2b913", "target-uuid": "62b8c999-dcc0-4755-bd69-09442d9359f5" }, "uuid": "37ab6b56-033c-4cb6-8d1b-e7ff5dcf668d", "value": "Elise uses Rundll32" }, { "meta": { "source-uuid": "5a33468d-844d-4b1f-98c9-0e786c556b27", "target-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22" }, "uuid": "d3b810ed-0be4-448b-b1ac-aa3a7dd16c91", "value": "MimiPenguin uses Credential Dumping" }, { "meta": { "source-uuid": "94e95eeb-7cdb-4bd7-afba-f32fda303dbb", "target-uuid": "e7eab98d-ae11-4491-bd28-a53ba875865a" }, "uuid": "4c2b4c0f-0ded-4f0f-ad5a-a95241ba927e", "value": "Network Share Connection Removal Mitigation mitigates Network Share Connection Removal" }, { "meta": { "source-uuid": "8b880b41-5139-4807-baa9-309690218719", "target-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc" }, "uuid": "689c51b8-7e41-474e-abf6-ffdde0acc40b", "value": "SPACESHIP uses Registry Run Keys / 
Start Folder" }, { "meta": { "source-uuid": "d1acfbb3-647b-4723-9154-800ec119006e", "target-uuid": "b9f5dbe2-4c55-4fc5-af2e-d42c1d182ec4" }, "uuid": "953134ab-5816-43b8-b2b1-8f4c9305f57a", "value": "Sowbug uses Data Compressed" }, { "meta": { "source-uuid": "38fd6a28-3353-4f2b-bb2b-459fecd5c648", "target-uuid": "88c621a7-aef9-4ae0-94e3-1fc87123eb24" }, "uuid": "80c071f7-123e-468f-800d-726a1d3e4144", "value": "APT18 uses gh0st" }, { "meta": { "source-uuid": "fb366179-766c-4a4a-afa1-52bff1fd601c", "target-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22" }, "uuid": "36b9f594-9a27-4281-a18e-9a5e7df70ad9", "value": "Threat Group-3390 uses Credential Dumping" }, { "meta": { "source-uuid": "4ca1929c-7d64-4aab-b849-badbfc0c760d", "target-uuid": "c16e5409-ee53-4d79-afdc-4099dc9292df" }, "uuid": "2dbed740-1b50-4d59-a729-a1d9e6a839df", "value": "OilRig uses Web Shell" }, { "meta": { "source-uuid": "3753cc21-2dae-4dfb-8481-d004e74502cc", "target-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0" }, "uuid": "37ba7858-8765-4445-a65e-d2765b673b34", "value": "FIN7 uses Masquerading" }, { "meta": { "source-uuid": "1c63d4ec-0a75-4daa-b1df-0d11af3d3cc1", "target-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59" }, "uuid": "b0db4b00-8716-430f-a9d8-29a878a12eac", "value": "Dragonfly uses File Deletion" }, { "meta": { "source-uuid": "196f1f32-e0c2-4d46-99cd-234d4b6befe1", "target-uuid": "3b3cbbe0-6ed3-4334-b543-3ddfd8c5642d" }, "uuid": "fa035513-59b6-4f54-8b85-13ec08849453", "value": "Felismus uses Custom Cryptographic Protocol" }, { "meta": { "source-uuid": "e6ef745b-077f-42e1-a37d-29eecff9c754", "target-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc" }, "uuid": "327a64df-b405-453b-83d2-528d17e8df51", "value": "CozyCar uses Registry Run Keys / Start Folder" }, { "meta": { "source-uuid": "68ba94ab-78b8-43e7-83e2-aed3466882c6", "target-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a" }, "uuid": "3fe559f9-9bee-48ea-8a7c-7d65b63419ee", "value": "APT34 uses Obfuscated Files or Information" }, { "meta": { 
"source-uuid": "6a2e693f-24e5-451a-9f88-b36a108e5662", "target-uuid": "51dea151-0898-4a45-967c-3ebee0420484" }, "uuid": "fc2ffb01-2c4e-429d-b4fd-e0d20678504a", "value": "APT1 uses Remote Desktop Protocol" }, { "meta": { "source-uuid": "24478001-2eb3-4b06-a02e-96b3d61d27ec", "target-uuid": "428ca9f8-0e33-442a-be87-f869cb4cf73e" }, "uuid": "a1f198ef-af69-4c0f-b3ed-0b47ad6167fe", "value": "Multilayer Encryption Mitigation mitigates Multilayer Encryption" }, { "meta": { "source-uuid": "e9595678-d269-469e-ae6b-75e49259de63", "target-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2" }, "uuid": "3e09a5ce-a6a0-4f03-8c23-a7ebb4dfd74c", "value": "BADNEWS uses Input Capture" }, { "meta": { "source-uuid": "2a7914cf-dff3-428d-ab0f-1014d1c28aeb", "target-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9" }, "uuid": "aea8401e-774e-47b1-86ac-220cacd11a3c", "value": "FIN6 uses Scheduled Task" }, { "meta": { "source-uuid": "92ec0cbd-2c30-44a2-b270-73f4ec949841", "target-uuid": "f72eb8a8-cd4c-461d-a814-3f862befbf00" }, "uuid": "865a5b25-6908-4ad9-a81d-33f3cf48e357", "value": "RTM uses Custom Command and Control Protocol" }, { "meta": { "source-uuid": "0998045d-f96e-4284-95ce-3c8219707486", "target-uuid": "c16e5409-ee53-4d79-afdc-4099dc9292df" }, "uuid": "bbe37d7e-ad35-4c74-a57c-9a398ef6b1be", "value": "SEASHARPEE uses Web Shell" }, { "meta": { "source-uuid": "fb366179-766c-4a4a-afa1-52bff1fd601c", "target-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2" }, "uuid": "6b5c6fc2-615a-46fc-80a4-9ab332159722", "value": "Threat Group-3390 uses Input Capture" }, { "meta": { "source-uuid": "8901ac23-6b50-410c-b0dd-d8174a86f9b3", "target-uuid": "478aa214-2ca7-4ec0-9978-18798e514790" }, "uuid": "4e9c5234-65e9-4b4a-bc13-891e7aed84b2", "value": "Shamoon uses New Service" }, { "meta": { "source-uuid": "68ba94ab-78b8-43e7-83e2-aed3466882c6", "target-uuid": "4b74a1d4-b0e9-4ef1-93f1-14ecc6e2f5b5" }, "uuid": "98852860-145c-40f0-86af-b32dd61fa008", "value": "APT34 uses Standard Cryptographic Protocol" }, { "meta": 
{ "source-uuid": "2fab555f-7664-4623-b4e0-1675ae38190b", "target-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22" }, "uuid": "56e40368-38a7-4415-9ebc-8c84694bc7d6", "value": "Lslsass uses Credential Dumping" }, { "meta": { "source-uuid": "c95c8b5c-b431-43c9-9557-f494805e2502", "target-uuid": "6ff403bc-93e3-48be-8687-e102fdba8c88" }, "uuid": "35572bdc-c7a2-442b-8d9a-7691317b6982", "value": "Software Packing Mitigation mitigates Software Packing" }, { "meta": { "source-uuid": "1c63d4ec-0a75-4daa-b1df-0d11af3d3cc1", "target-uuid": "51dea151-0898-4a45-967c-3ebee0420484" }, "uuid": "496e66ff-2c9f-454c-af36-49c7dc098493", "value": "Dragonfly uses Remote Desktop Protocol" }, { "meta": { "source-uuid": "56f46b17-8cfa-46c0-b501-dd52fef394e2", "target-uuid": "c16e5409-ee53-4d79-afdc-4099dc9292df" }, "uuid": "660d09ce-8722-42b3-8503-911dff37bf22", "value": "ASPXSpy uses Web Shell" }, { "meta": { "source-uuid": "6a0ef5d4-fc7c-4dda-85d7-592e4dbdc5d9", "target-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d" }, "uuid": "df5bee66-b840-405e-b9d5-2e0ced2e6808", "value": "Sykipot uses Process Injection" }, { "meta": { "source-uuid": "64d76fa5-cf8f-469c-b78c-1a4f7c5bad80", "target-uuid": "9b52fca7-1a36-4da0-b62d-da5bd83b4d69" }, "uuid": "8793b289-4b74-4119-8561-a9ad27dacdff", "value": "BBSRAT uses Component Object Model Hijacking" }, { "meta": { "source-uuid": "d1acfbb3-647b-4723-9154-800ec119006e", "target-uuid": "7bc57495-ea59-4380-be31-a64af124ef18" }, "uuid": "0efa0a7a-545d-49e2-b0c4-0e251226404a", "value": "Sowbug uses File and Directory Discovery" }, { "meta": { "source-uuid": "93f52415-0fe4-4d3d-896c-fc9b8e88ab90", "target-uuid": "c9703cd3-141c-43a0-a926-380082be5d04" }, "uuid": "d691e305-8ce5-40cd-a648-b0dcab329e69", "value": "BRONZE BUTLER uses schtasks" }, { "meta": { "source-uuid": "17862c7d-9e60-48a0-b48e-da4dc4c3f6b0", "target-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add" }, "uuid": "da734f6c-de0d-44f1-9521-6607b800ad43", "value": "Patchwork uses Remote File Copy" }, { "meta": 
{ "source-uuid": "0ced8926-914e-4c78-bc93-356fb90dbd1f", "target-uuid": "f4882e23-8aa7-4b12-b28a-b349c12ee9e0" }, "uuid": "bfdffca9-6418-486d-833f-84f3920fcb71", "value": "HALFBAKED uses PowerShell" }, { "meta": { "source-uuid": "94379dec-5c87-49db-b36e-66abc0b81344", "target-uuid": "7bc57495-ea59-4380-be31-a64af124ef18" }, "uuid": "b9fe8dd4-a3c9-4e58-9a74-937e4de677a8", "value": "Derusbi uses File and Directory Discovery" }, { "meta": { "source-uuid": "fe98767f-9df8-42b9-83c9-004b1dec8647", "target-uuid": "88c621a7-aef9-4ae0-94e3-1fc87123eb24" }, "uuid": "3f780c76-b5d5-43f9-b4f2-048106f00894", "value": "PittyTiger uses gh0st" }, { "meta": { "source-uuid": "eff1a885-6f90-42a1-901f-eef6e7a1905e", "target-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2" }, "uuid": "699ac754-3f3e-46de-9b2a-5ea450ef47fd", "value": "Helminth uses Input Capture" }, { "meta": { "source-uuid": "1c63d4ec-0a75-4daa-b1df-0d11af3d3cc1", "target-uuid": "1608f3e1-598a-42f4-a01a-2e252e81728f" }, "uuid": "59b95288-b954-4118-9a88-8e2ad85a1265", "value": "Dragonfly uses Email Collection" }, { "meta": { "source-uuid": "5e595477-2e78-4ce7-ae42-e0b059b17808", "target-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add" }, "uuid": "be31bf6d-ce4f-4620-8940-445f35ff90a7", "value": "POSHSPY uses Remote File Copy" }, { "meta": { "source-uuid": "7a19ecb1-3c65-4de3-a230-993516aed6a6", "target-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0" }, "uuid": "9eefeafd-aca1-4e4c-8d29-ea6f9154808a", "value": "Turla uses System Network Configuration Discovery" }, { "meta": { "source-uuid": "2eb9b131-d333-4a48-9eb4-d8dec46c19ee", "target-uuid": "1608f3e1-598a-42f4-a01a-2e252e81728f" }, "uuid": "bcb8ac03-4f58-4cd8-af58-c3df991c8af5", "value": "CosmicDuke uses Email Collection" }, { "meta": { "source-uuid": "ff6caf67-ea1f-4895-b80e-4bb0fc31c6db", "target-uuid": "ffe742ed-9100-4686-9e00-c331da544787" }, "uuid": "27102940-8ec1-42ad-98e5-57dc24b572eb", "value": "PsExec uses Windows Admin Shares" }, { "meta": { "source-uuid": 
"e48df773-7c95-4a4c-ba70-ea3d15900148", "target-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc" }, "uuid": "82826722-4278-438e-a8d0-5bd9fd117b2b", "value": "DownPaper uses Registry Run Keys / Start Folder" }, { "meta": { "source-uuid": "93f52415-0fe4-4d3d-896c-fc9b8e88ab90", "target-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0" }, "uuid": "2174c465-8855-4c92-a683-97eb0eba9f7c", "value": "BRONZE BUTLER uses Masquerading" }, { "meta": { "source-uuid": "37cc7eb6-12e3-467b-82e8-f20f2cc73c69", "target-uuid": "62b8c999-dcc0-4755-bd69-09442d9359f5" }, "uuid": "216ab163-818b-4303-beb6-a743b90c98bf", "value": "Prikormka uses Rundll32" }, { "meta": { "source-uuid": "55033a4d-3ffe-46b2-99b4-2c1541e9ce1c", "target-uuid": "830c9528-df21-472c-8c14-a036bf17d665" }, "uuid": "a732c265-07f0-4e9b-a42c-0df6277e5b27", "value": "Carbanak uses Web Service" }, { "meta": { "source-uuid": "7551188b-8f91-4d34-8350-0d0c57b2b913", "target-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc" }, "uuid": "f696324d-7fb4-44ca-82dd-3385b55fbb80", "value": "Elise uses Registry Run Keys / Start Folder" }, { "meta": { "source-uuid": "2daa14d6-cbf3-4308-bb8e-213c324a08e4", "target-uuid": "f4882e23-8aa7-4b12-b28a-b349c12ee9e0" }, "uuid": "a3eca9d0-bc4b-48a8-801d-9aaa757bfe72", "value": "HAMMERTOSS uses PowerShell" }, { "meta": { "source-uuid": "16ade1aa-0ea1-4bb7-88cc-9079df2ae756", "target-uuid": "2a6f4c7b-e690-4cc7-ab6b-1f821fb6b80b" }, "uuid": "0a6ec458-f9f7-4e51-b0eb-4fd915a48a6b", "value": "admin@338 uses LOWBALL" }, { "meta": { "source-uuid": "65370d0b-3bd4-4653-8cf9-daf56f6be830", "target-uuid": "1ce03c65-5946-4ac9-9d4d-66db87e024bd" }, "uuid": "b1334535-019a-4d6a-88c1-8bb6741f152b", "value": "meek uses Domain Fronting" }, { "meta": { "source-uuid": "f108215f-3487-489d-be8b-80e346d32518", "target-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59" }, "uuid": "3b31b258-d3e0-4acc-9c20-de870baa64a0", "value": "Komplex uses File Deletion" }, { "meta": { "source-uuid": "a653431d-6a5e-4600-8ad3-609b5af57064", 
"target-uuid": "fbb470da-1d44-4f29-bbb3-9efbe20f94a3" }, "uuid": "235fe6f1-66d1-4cf4-adb9-3bc7f081144a", "value": "Deep Panda uses Mivast" }, { "meta": { "source-uuid": "cde2d700-9ed1-46cf-9bce-07364fe8b24f", "target-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4" }, "uuid": "baabf444-1748-472f-b991-7a5b25e4e1bb", "value": "Reg uses Modify Registry" }, { "meta": { "source-uuid": "495b6cdb-7b5a-4fbc-8d33-e7ef68806d08", "target-uuid": "f72eb8a8-cd4c-461d-a814-3f862befbf00" }, "uuid": "3a6c13d3-6589-4d33-9848-88e3409be0cc", "value": "Volgmer uses Custom Command and Control Protocol" }, { "meta": { "source-uuid": "effb83a0-ead1-4b36-b7f6-b7bdf9c4616e", "target-uuid": "3b744087-9945-4a6f-91e8-9dbceda417a4" }, "uuid": "0aac9510-f48a-4b28-ae0e-c6facc1635ae", "value": "Replication Through Removable Media Mitigation mitigates Replication Through Removable Media" }, { "meta": { "source-uuid": "e48df773-7c95-4a4c-ba70-ea3d15900148", "target-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6" }, "uuid": "d7bb00a0-fbe6-4622-84ed-be32ff5d8561", "value": "DownPaper uses Standard Application Layer Protocol" }, { "meta": { "source-uuid": "bef4c620-0787-42a8-a96d-b7eb6e85917c", "target-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1" }, "uuid": "6b1c1b38-0448-4114-99eb-23aae85ada52", "value": "APT28 uses System Information Discovery" }, { "meta": { "source-uuid": "aafea02e-ece5-4bb2-91a6-3bf8c7f38a39", "target-uuid": "4eeaf8a9-c86b-4954-a663-9555fb406466" }, "uuid": "033d168d-8348-47ad-af48-d297dc0d1dbb", "value": "Cobalt Strike uses Scheduled Transfer" }, { "meta": { "source-uuid": "166c0eca-02fd-424a-92c0-6b5106994d31", "target-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1" }, "uuid": "3126c7fa-02eb-475f-a474-26d4d6af7a67", "value": "ZLib uses System Information Discovery" }, { "meta": { "source-uuid": "f8dfbc54-b070-4224-b560-79aaa5f835bd", "target-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a" }, "uuid": "4527c528-8377-4349-ae5c-95c04cabd3d4", "value": "H1N1 uses Obfuscated Files or 
Information" }, { "meta": { "source-uuid": "2d704e56-e689-4011-b989-bf4e025a8727", "target-uuid": "06780952-177c-4247-b978-79c357fb311f" }, "uuid": "352d3d80-3a5f-454b-8190-fbac20979fc7", "value": "Plist Modification Mitigation mitigates Plist Modification" }, { "meta": { "source-uuid": "85403903-15e0-4f9f-9be4-a259ecad4022", "target-uuid": "ff6caf67-ea1f-4895-b80e-4bb0fc31c6db" }, "uuid": "7e46e7c8-e48a-4860-bbcd-224a2d12284a", "value": "FIN5 uses PsExec" }, { "meta": { "source-uuid": "6a2e693f-24e5-451a-9f88-b36a108e5662", "target-uuid": "1d808f62-cf63-4063-9727-ff6132514c22" }, "uuid": "4a687e50-e6b7-41df-93b1-6fed7db10f60", "value": "APT1 uses WEBC2" }, { "meta": { "source-uuid": "dc5d1a33-62aa-4a0c-aa8c-589b87beb11e", "target-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1" }, "uuid": "a08dadbf-6f68-415f-9daa-f84571af83a2", "value": "ChChes uses System Information Discovery" }, { "meta": { "source-uuid": "68dca94f-c11d-421e-9287-7c501108e18c", "target-uuid": "7e150503-88e7-4861-866b-ff1ac82c4475" }, "uuid": "938a71e3-a9dc-4ad9-b1c4-b15d75967b8d", "value": "Duqu uses System Network Connections Discovery" }, { "meta": { "source-uuid": "eff1a885-6f90-42a1-901f-eef6e7a1905e", "target-uuid": "7fd87010-3a00-4da3-b905-410525e8ec44" }, "uuid": "95b21e05-610e-47bf-a4b1-9d4b398e6c13", "value": "Helminth uses Scripting" }, { "meta": { "source-uuid": "514e7371-a344-4de7-8ec3-3aa42b801d52", "target-uuid": "84e02621-8fdf-470f-bd58-993bb6a89d91" }, "uuid": "389854e8-32d1-406c-ab58-2ee2918bf7ed", "value": "Multi-Stage Channels Mitigation mitigates Multi-Stage Channels" }, { "meta": { "source-uuid": "8beac7c2-48d2-4cd9-9b15-6c452f38ac06", "target-uuid": "ad255bfe-a9e6-4b52-a258-8d3462abe842" }, "uuid": "96076f66-3ad6-4e54-b816-c9c3f90fa43a", "value": "Ixeshe uses Data Obfuscation" }, { "meta": { "source-uuid": "ac008435-af58-4f77-988a-c9b96c5920f5", "target-uuid": "f2d44246-91f1-478a-b6c8-1227e0ca109d" }, "uuid": "06a8b931-7881-4e8b-a970-c430379279ca", "value": "NTFS Extended 
Attributes Mitigation mitigates NTFS Extended Attributes" }, { "meta": { "source-uuid": "af2ad3b7-ab6a-4807-91fd-51bcaff9acbb", "target-uuid": "1b7ba276-eedc-4951-a762-0ceea2c030ec" }, "uuid": "00ae99d1-db02-4007-8669-04d7fc4c1390", "value": "USBStealer uses Data from Removable Media" }, { "meta": { "source-uuid": "0bbdf25b-30ff-4894-a1cd-49260d0dd2d9", "target-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a" }, "uuid": "56c927c5-f64e-4b31-9a14-7ce78fd1c8a1", "value": "APT3 uses Obfuscated Files or Information" }, { "meta": { "source-uuid": "00c3bfcb-99bd-4767-8c03-b08f585f5c8a", "target-uuid": "4ae4f953-fe58-4cc8-a327-33257e30a830" }, "uuid": "43d85ed6-223e-4402-bd29-be10a872359d", "value": "PowerDuke uses Application Window Discovery" }, { "meta": { "source-uuid": "58adaaa8-f1e8-4606-9a08-422e568461eb", "target-uuid": "7bc57495-ea59-4380-be31-a64af124ef18" }, "uuid": "32ee78b3-58de-4de5-bc3d-34ea8dc90ca3", "value": "SHOTPUT uses File and Directory Discovery" }, { "meta": { "source-uuid": "88c621a7-aef9-4ae0-94e3-1fc87123eb24", "target-uuid": "799ace7f-e227-4411-baa0-8868704f2a69" }, "uuid": "ad696f42-0631-43fb-893b-a5616f14f93f", "value": "gh0st uses Indicator Removal on Host" }, { "meta": { "source-uuid": "7551188b-8f91-4d34-8350-0d0c57b2b913", "target-uuid": "478aa214-2ca7-4ec0-9978-18798e514790" }, "uuid": "2d4d634d-ed13-462a-916b-94798546ec6c", "value": "Elise uses New Service" }, { "meta": { "source-uuid": "9e9b9415-a7df-406b-b14d-92bfe6809fbe", "target-uuid": "478aa214-2ca7-4ec0-9978-18798e514790" }, "uuid": "fa2c0697-0d47-4ee9-b5bf-845ac3453c3a", "value": "Nidiran uses New Service" }, { "meta": { "source-uuid": "da8a87d2-946d-4c34-9a30-709058b98996", "target-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2" }, "uuid": "403863dd-5b73-4987-9397-e8c5b25041cc", "value": "Input Capture Mitigation mitigates Input Capture" }, { "meta": { "source-uuid": "03342581-f790-4f03-ba41-e82e67392e23", "target-uuid": "7e150503-88e7-4861-866b-ff1ac82c4475" }, "uuid": 
"4c94f67d-6662-44ea-be75-ded8b2dbfa00", "value": "Net uses System Network Connections Discovery" }, { "meta": { "source-uuid": "f5352566-1a64-49ac-8f7f-97e1d1a03300", "target-uuid": "cc7b8c4e-9be0-47ca-b0bb-83915ec3ee2f" }, "uuid": "801f139f-1361-4d79-965e-078787f8ec36", "value": "AutoIt backdoor uses Data Encoding" }, { "meta": { "source-uuid": "9ea525fa-b0a9-4dde-84f2-bcea0137b3c1", "target-uuid": "478aa214-2ca7-4ec0-9978-18798e514790" }, "uuid": "162a051d-a551-4b8c-875a-75264768e541", "value": "MoonWind uses New Service" }, { "meta": { "source-uuid": "899ce53f-13a0-479b-a0e4-67d46e241542", "target-uuid": "ff6caf67-ea1f-4895-b80e-4bb0fc31c6db" }, "uuid": "ba1a4084-a74f-44d6-bafe-7a09ee959270", "value": "APT29 uses PsExec" }, { "meta": { "source-uuid": "8901ac23-6b50-410c-b0dd-d8174a86f9b3", "target-uuid": "ca1a3f50-5ebd-41f8-8320-2c7d6a6e88be" }, "uuid": "c5a7cf46-a3ab-4d33-a43f-012c0c5fdf63", "value": "Shamoon uses Bypass User Account Control" }, { "meta": { "source-uuid": "68dca94f-c11d-421e-9287-7c501108e18c", "target-uuid": "731f4f55-b6d0-41d1-a7a9-072a66389aea" }, "uuid": "1451c4a3-5dc6-4744-8120-197f3a3134c1", "value": "Duqu uses Connection Proxy" }, { "meta": { "source-uuid": "247cb30b-955f-42eb-97a5-a89fef69341e", "target-uuid": "b21c3b2d-02e6-45b1-980b-e69051040839" }, "uuid": "e0033e57-8839-42b9-8515-46e9c7dca966", "value": "APT32 uses Exploitation of Vulnerability" }, { "meta": { "source-uuid": "b1de6916-7a22-4460-8d26-6b5483ffaa2a", "target-uuid": "970cdb5c-02fb-4c38-b17e-d6327cf3c810" }, "uuid": "97ff5931-f27f-4774-b595-312f5771f91a", "value": "SHIPSHAPE uses Shortcut Modification" }, { "meta": { "source-uuid": "dc43c2fe-355e-4a79-9570-3267b0992784", "target-uuid": "aa8bfbc9-78dc-41a4-a03b-7453e0fdccda" }, "uuid": "c24f1b29-ee7b-4fe6-89be-6b733888a4e6", "value": "Dylib Hijacking Mitigation mitigates Dylib Hijacking" }, { "meta": { "source-uuid": "0f862b01-99da-47cc-9bdb-db4a86a95bb1", "target-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add" }, "uuid": 
"85ca1e00-24c4-403e-8aff-9890f91e9b78", "value": "Emissary uses Remote File Copy" }, { "meta": { "source-uuid": "0db09158-6e48-4e7c-8ce7-2b10b9c0c039", "target-uuid": "128c55d3-aeba-469f-bd3e-c8996ab4112a" }, "uuid": "ea964313-8f60-4cff-800c-2ea49e2c19d7", "value": "Misdat uses Timestomp" }, { "meta": { "source-uuid": "e1161124-f22e-487f-9d5f-ed8efc8dcd61", "target-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1" }, "uuid": "aeda6707-50e2-47e2-833a-18e4a5d73e88", "value": "Mis-Type uses System Information Discovery" }, { "meta": { "source-uuid": "e6ef745b-077f-42e1-a37d-29eecff9c754", "target-uuid": "62b8c999-dcc0-4755-bd69-09442d9359f5" }, "uuid": "6e24d8d1-7376-493f-a85c-75448c80efed", "value": "CozyCar uses Rundll32" }, { "meta": { "source-uuid": "af2ad3b7-ab6a-4807-91fd-51bcaff9acbb", "target-uuid": "7dd95ff6-712e-4056-9626-312ea4ab4c5e" }, "uuid": "fe229513-0cd9-4e9a-a333-2748ef03dfbc", "value": "USBStealer uses Data Staged" }, { "meta": { "source-uuid": "d3afa961-a80c-4043-9509-282cdf69ab21", "target-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0" }, "uuid": "e7b5511a-3528-48d1-9224-6c5ff88b3825", "value": "Winnti uses Masquerading" }, { "meta": { "source-uuid": "16f144e4-c780-4ed2-98b4-55d14e2dfa44", "target-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104" }, "uuid": "f1000a93-e87d-4acf-b71d-73c3bb05fd75", "value": "System Owner/User Discovery Mitigation mitigates System Owner/User Discovery" }, { "meta": { "source-uuid": "5ce5392a-3a6c-4e07-9df3-9b6a9159ac45", "target-uuid": "e8268361-a599-4e45-bd3f-71c8c7e700c0" }, "uuid": "c6ceeb68-5d8e-4105-a20a-cce2b3ef48f0", "value": "Putter Panda uses httpclient" }, { "meta": { "source-uuid": "247cb30b-955f-42eb-97a5-a89fef69341e", "target-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0" }, "uuid": "7e7d5aa9-6860-44fe-88b9-22a6b36162e2", "value": "APT32 uses Masquerading" }, { "meta": { "source-uuid": "899ce53f-13a0-479b-a0e4-67d46e241542", "target-uuid": "6ff403bc-93e3-48be-8687-e102fdba8c88" }, "uuid": 
"ff4e1b0e-eea2-4329-aecc-e5353be8c1f4", "value": "APT29 uses Software Packing" }, { "meta": { "source-uuid": "b143dfa4-e944-43ff-8429-bfffc308c517", "target-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d" }, "uuid": "5e840479-61c1-44f5-8cb8-0e61ffe12b89", "value": "Taidoor uses Process Injection" }, { "meta": { "source-uuid": "c3cf2312-3aab-4aaf-86e6-ab3505430482", "target-uuid": "18d4ab39-12ed-4a16-9fdb-ae311bba4a0f" }, "uuid": "f388c949-b692-4863-8e3b-7c1fc21a5fbd", "value": "Rc.common Mitigation mitigates Rc.common" }, { "meta": { "source-uuid": "59a97b15-8189-4d51-9404-e1ce8ea4a069", "target-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688" }, "uuid": "c0223316-4b0b-461e-8947-01c0f5baeef2", "value": "XAgentOSX uses Screen Capture" }, { "meta": { "source-uuid": "fece06b7-d4b1-42cf-b81a-5323c917546e", "target-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0" }, "uuid": "760be456-6b72-4b86-b5aa-3297aa89bc4d", "value": "FALLCHILL uses System Network Configuration Discovery" }, { "meta": { "source-uuid": "6713ab67-e25b-49cc-808d-2b36d4fbc35c", "target-uuid": "03342581-f790-4f03-ba41-e82e67392e23" }, "uuid": "77f9936d-1ba7-42a8-879d-1a6e90156366", "value": "Ke3chang uses Net" }, { "meta": { "source-uuid": "c61fee9f-16fb-4f8c-bbf0-869093fcd4a6", "target-uuid": "dcaa092b-7de9-4a21-977f-7fcb77e89c48" }, "uuid": "dd315296-ffee-4f1b-aef7-2d914c458fd2", "value": "Access Token Manipulation Mitigation mitigates Access Token Manipulation" }, { "meta": { "source-uuid": "58adaaa8-f1e8-4606-9a08-422e568461eb", "target-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a" }, "uuid": "315aab88-9b01-4a70-8f8c-173a3f29e79c", "value": "SHOTPUT uses Obfuscated Files or Information" }, { "meta": { "source-uuid": "2eb9b131-d333-4a48-9eb4-d8dec46c19ee", "target-uuid": "b21c3b2d-02e6-45b1-980b-e69051040839" }, "uuid": "63f0007e-833e-4d6a-b79e-873525979f40", "value": "CosmicDuke uses Exploitation of Vulnerability" }, { "meta": { "source-uuid": "5e595477-2e78-4ce7-ae42-e0b059b17808", "target-uuid": 
"b3d682b6-98f2-4fb0-aa3b-b4df007ca70a" }, "uuid": "70edcba2-e777-4ced-a52d-5dfc3965211c", "value": "POSHSPY uses Obfuscated Files or Information" }, { "meta": { "source-uuid": "0f862b01-99da-47cc-9bdb-db4a86a95bb1", "target-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc" }, "uuid": "0040fdbd-ec7e-49b3-b715-c8c91e08666b", "value": "Emissary uses Registry Run Keys / Start Folder" }, { "meta": { "source-uuid": "463f68f1-5cde-4dc2-a831-68b73488f8f4", "target-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580" }, "uuid": "6fdaef62-c4da-488a-a07d-c8fca2c98d85", "value": "MobileOrder uses Process Discovery" }, { "meta": { "source-uuid": "55033a4d-3ffe-46b2-99b4-2c1541e9ce1c", "target-uuid": "72f54d66-675d-4587-9bd3-4ed09f9522e4" }, "uuid": "8ab176f0-009f-49e9-ba4b-f476c33697f4", "value": "Carbanak uses Carbanak" }, { "meta": { "source-uuid": "e066bf86-9cfb-407a-9d25-26fd5d91e360", "target-uuid": "7bc57495-ea59-4380-be31-a64af124ef18" }, "uuid": "a3251b26-7012-4f26-9c5d-1fb9d69b8569", "value": "HTTPBrowser uses File and Directory Discovery" }, { "meta": { "source-uuid": "9ca488bd-9587-48ef-b923-1743523e63b2", "target-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1" }, "uuid": "5c4e0ddb-57a1-440f-82ab-146847c99be8", "value": "SOUNDBITE uses System Information Discovery" }, { "meta": { "source-uuid": "b136d088-a829-432c-ac26-5529c26d4c7e", "target-uuid": "830c9528-df21-472c-8c14-a036bf17d665" }, "uuid": "6b39985b-2e2f-4d54-9211-aef4d94b318f", "value": "OnionDuke uses Web Service" }, { "meta": { "source-uuid": "aafea02e-ece5-4bb2-91a6-3bf8c7f38a39", "target-uuid": "544b0346-29ad-41e1-a808-501bb4193f47" }, "uuid": "c1fd6ce6-26e7-49a7-abff-a64fd0fc8a35", "value": "Cobalt Strike uses Man in the Browser" }, { "meta": { "source-uuid": "c5947e1c-1cbc-434c-94b8-27c7e3be0fff", "target-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580" }, "uuid": "e8cb4430-db05-4029-b011-926a2ba17a4c", "value": "Winnti Group uses Process Discovery" }, { "meta": { "source-uuid": "fcbe8424-eb3e-4794-b76d-e743f5a49b8b", 
"target-uuid": "cc7b8c4e-9be0-47ca-b0bb-83915ec3ee2f" }, "uuid": "b274a57d-9d27-4e33-b6dc-15e007805838", "value": "Data Encoding Mitigation mitigates Data Encoding" }, { "meta": { "source-uuid": "bb3c1098-d654-4620-bf40-694386d28921", "target-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6" }, "uuid": "090813dc-b370-42e1-a211-4d9e3247968a", "value": "FakeM uses Standard Application Layer Protocol" }, { "meta": { "source-uuid": "93f52415-0fe4-4d3d-896c-fc9b8e88ab90", "target-uuid": "03342581-f790-4f03-ba41-e82e67392e23" }, "uuid": "f6d23c6b-01c8-4bea-9bc6-2c66fbbbd3ae", "value": "BRONZE BUTLER uses Net" }, { "meta": { "source-uuid": "800bdfba-6d66-480f-9f45-15845c05cb5d", "target-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6" }, "uuid": "27afb647-85a1-4e89-8762-c6c7d04bc1c5", "value": "pngdowner uses Standard Application Layer Protocol" }, { "meta": { "source-uuid": "fb575479-14ef-41e9-bfab-0b7cf10bec73", "target-uuid": "62b8c999-dcc0-4755-bd69-09442d9359f5" }, "uuid": "12904c83-67ad-430f-96ae-20e9081c2b5d", "value": "ADVSTORESHELL uses Rundll32" }, { "meta": { "source-uuid": "aafea02e-ece5-4bb2-91a6-3bf8c7f38a39", "target-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580" }, "uuid": "2c417522-9fa6-4f95-b9d6-062c9c2401b5", "value": "Cobalt Strike uses Process Discovery" }, { "meta": { "source-uuid": "4ca1929c-7d64-4aab-b849-badbfc0c760d", "target-uuid": "5be33fef-39c0-4532-84ee-bea31e1b5324" }, "uuid": "00c88cab-5cb9-492a-8dce-8eab92213bc3", "value": "OilRig uses ISMInjector" }, { "meta": { "source-uuid": "463f68f1-5cde-4dc2-a831-68b73488f8f4", "target-uuid": "4b74a1d4-b0e9-4ef1-93f1-14ecc6e2f5b5" }, "uuid": "28f655e0-ac0b-41bc-baaf-9a9987469fe9", "value": "MobileOrder uses Standard Cryptographic Protocol" }, { "meta": { "source-uuid": "68ba94ab-78b8-43e7-83e2-aed3466882c6", "target-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c" }, "uuid": "ec99ea0b-1020-4ccc-bdc8-d545a4d3ccf6", "value": "APT34 uses Deobfuscate/Decode Files or Information" }, { "meta": { "source-uuid": 
"54cc1d4f-5c53-4f0e-9ef5-11b4998e82e4", "target-uuid": "0ca7beef-9bbc-4e35-97cf-437384ddce6a" }, "uuid": "da1a5240-bbd7-4e91-9dee-9b14df6cffe2", "value": "BlackEnergy uses File System Permissions Weakness" }, { "meta": { "source-uuid": "b136d088-a829-432c-ac26-5529c26d4c7e", "target-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22" }, "uuid": "37ad61e7-6520-47d0-81ae-f3d129b49ac1", "value": "OnionDuke uses Credential Dumping" }, { "meta": { "source-uuid": "ed7d0cb1-87a6-43b4-9f46-ef1bc56d6c68", "target-uuid": "7d751199-05fa-4a72-920f-85df4506c76c" }, "uuid": "92e4cc06-5708-4486-92cc-0d25d9a755d4", "value": "Tor uses Multi-hop Proxy" }, { "meta": { "source-uuid": "326af1cd-78e7-45b7-a326-125d2f7ef8f2", "target-uuid": "1b7ba276-eedc-4951-a762-0ceea2c030ec" }, "uuid": "9ab576ed-2ba0-4fc5-87fc-2011a7cd183d", "value": "Crimson uses Data from Removable Media" }, { "meta": { "source-uuid": "7f8730af-f683-423f-9ee1-5f6875a80481", "target-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0" }, "uuid": "bb2ba4b6-d96a-4d66-ac13-aa657108b363", "value": "Sys10 uses System Network Configuration Discovery" }, { "meta": { "source-uuid": "f6d1d2cb-12f5-4221-9636-44606ea1f3f8", "target-uuid": "72b74d71-8169-42aa-92e0-e7b04b9f5a08" }, "uuid": "ab109b93-76a9-46da-8934-58751125fd1e", "value": "OSInfo uses Account Discovery" }, { "meta": { "source-uuid": "f6d1d2cb-12f5-4221-9636-44606ea1f3f8", "target-uuid": "7e150503-88e7-4861-866b-ff1ac82c4475" }, "uuid": "8336111f-565e-4294-8b18-182c26da2421", "value": "OSInfo uses System Network Connections Discovery" }, { "meta": { "source-uuid": "8ae43c46-57ef-47d5-a77a-eebb35628db2", "target-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc" }, "uuid": "5d0263d9-ddd3-4195-96ae-e340caef9e0e", "value": "JHUHUGIT uses Registry Run Keys / Start Folder" }, { "meta": { "source-uuid": "16ade1aa-0ea1-4bb7-88cc-9079df2ae756", "target-uuid": "7e150503-88e7-4861-866b-ff1ac82c4475" }, "uuid": "9fef204f-163a-4c9d-b9b1-8a168074063a", "value": "admin@338 uses System Network 
Connections Discovery" }, { "meta": { "source-uuid": "98e8a977-3416-43aa-87fa-33e287e9c14c", "target-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104" }, "uuid": "32218bd0-d598-4560-9a70-ab7d5c92f986", "value": "WINDSHIELD uses System Owner/User Discovery" }, { "meta": { "source-uuid": "67e6d66b-1b82-4699-b47a-e2efb6268d14", "target-uuid": "f4882e23-8aa7-4b12-b28a-b349c12ee9e0" }, "uuid": "e7a0b7a4-b49b-46b9-9bfa-5db0a87dd09e", "value": "SeaDuke uses PowerShell" }, { "meta": { "source-uuid": "ba2ec548-fb75-4b8c-88d6-d91a77a943cf", "target-uuid": "01a5a209-b94c-450b-b7f9-946497d91055" }, "uuid": "a2ee3987-f7c9-41ce-8aca-fae8e8c2ef9a", "value": "Windows Management Instrumentation Mitigation mitigates Windows Management Instrumentation" }, { "meta": { "source-uuid": "aafea02e-ece5-4bb2-91a6-3bf8c7f38a39", "target-uuid": "e3a12395-188d-4051-9a16-ea8e14d07b88" }, "uuid": "df6bc111-0e49-4e61-b38a-ee79cf682d09", "value": "Cobalt Strike uses Network Service Scanning" }, { "meta": { "source-uuid": "4ca1929c-7d64-4aab-b849-badbfc0c760d", "target-uuid": "6aabc5ec-eae6-422c-8311-38d45ee9838a" }, "uuid": "d329d311-422b-4144-9212-aa7da4dc273a", "value": "OilRig uses Redundant Access" }, { "meta": { "source-uuid": "4ca1929c-7d64-4aab-b849-badbfc0c760d", "target-uuid": "7fd87010-3a00-4da3-b905-410525e8ec44" }, "uuid": "e8ce10b4-3b00-40c1-983a-1d87ff9a68ee", "value": "OilRig uses Scripting" }, { "meta": { "source-uuid": "a8d3d497-2da9-4797-8e0b-ed176be08654", "target-uuid": "b21c3b2d-02e6-45b1-980b-e69051040839" }, "uuid": "dbccbeab-26c9-476e-b529-c193f9796cbc", "value": "Wingbird uses Exploitation of Vulnerability" }, { "meta": { "source-uuid": "94379dec-5c87-49db-b36e-66abc0b81344", "target-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59" }, "uuid": "a2faf818-d21d-40a5-ad02-a3b1b2ee5d58", "value": "Derusbi uses File Deletion" }, { "meta": { "source-uuid": "bef4c620-0787-42a8-a96d-b7eb6e85917c", "target-uuid": "7dd95ff6-712e-4056-9626-312ea4ab4c5e" }, "uuid": 
"ec6a8fde-702a-4e38-a37b-428a8ca10b18", "value": "APT28 uses Data Staged" }, { "meta": { "source-uuid": "85403903-15e0-4f9f-9be4-a259ecad4022", "target-uuid": "0e18b800-906c-4e44-a143-b11c72b3448b" }, "uuid": "a2c9bae6-15aa-4ce0-8f4d-01b8fc32a36d", "value": "FIN5 uses FLIPSIDE" }, { "meta": { "source-uuid": "67e6d66b-1b82-4699-b47a-e2efb6268d14", "target-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59" }, "uuid": "6f8cef32-d057-40f8-be52-62d86b1049e6", "value": "SeaDuke uses File Deletion" }, { "meta": { "source-uuid": "68ba94ab-78b8-43e7-83e2-aed3466882c6", "target-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6" }, "uuid": "70f713e8-f4f6-483c-9ec1-524a3aee2d8e", "value": "APT34 uses Standard Application Layer Protocol" }, { "meta": { "source-uuid": "0ced8926-914e-4c78-bc93-356fb90dbd1f", "target-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688" }, "uuid": "b4795040-fe94-429a-9853-f30c09ba05aa", "value": "HALFBAKED uses Screen Capture" }, { "meta": { "source-uuid": "083bb47b-02c8-4423-81a2-f9ef58572974", "target-uuid": "d54416bd-0803-41ca-870a-ce1af7c05638" }, "uuid": "a1dc7c15-bd44-43b3-a32b-8e4ea9856758", "value": "Backdoor.Oldrea uses Data Encrypted" }, { "meta": { "source-uuid": "fb366179-766c-4a4a-afa1-52bff1fd601c", "target-uuid": "f4882e23-8aa7-4b12-b28a-b349c12ee9e0" }, "uuid": "6e6828ca-7567-4302-8ed7-fa5821dc5bbc", "value": "Threat Group-3390 uses PowerShell" }, { "meta": { "source-uuid": "326af1cd-78e7-45b7-a326-125d2f7ef8f2", "target-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1" }, "uuid": "4caf9f0d-dfe9-48ce-9b6e-812577e09711", "value": "Crimson uses System Information Discovery" }, { "meta": { "source-uuid": "463f68f1-5cde-4dc2-a831-68b73488f8f4", "target-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1" }, "uuid": "a02da835-676d-47df-86c6-547a7d29dbae", "value": "MobileOrder uses System Information Discovery" }, { "meta": { "source-uuid": "1c63d4ec-0a75-4daa-b1df-0d11af3d3cc1", "target-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22" }, "uuid": 
"930175b1-0f2f-4f0b-99ad-13a4b304cc29", "value": "Dragonfly uses Credential Dumping" }, { "meta": { "source-uuid": "c93fccb1-e8e8-42cf-ae33-2ad1d183913a", "target-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0" }, "uuid": "4189f5b4-4c57-452a-a3fb-da5988804feb", "value": "Lazarus Group uses System Network Configuration Discovery" }, { "meta": { "source-uuid": "bef4c620-0787-42a8-a96d-b7eb6e85917c", "target-uuid": "3257eb21-f9a7-4430-8de1-d8b6e288f529" }, "uuid": "cb69217e-f063-4093-bcf0-f051ecd42e25", "value": "APT28 uses Network Sniffing" }, { "meta": { "source-uuid": "f9d6633a-55e6-4adc-9263-6ae080421a13", "target-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104" }, "uuid": "7ac10827-9bf6-4d60-aa16-9f2d2930b373", "value": "Magic Hound uses System Owner/User Discovery" }, { "meta": { "source-uuid": "ccd61dfc-b03f-4689-8c18-7c97eab08472", "target-uuid": "241814ae-de3f-4656-b49e-f9a80764d4b7" }, "uuid": "765e3b13-60f4-4b34-b03f-0d8e738b0add", "value": "CHOPSTICK uses Security Software Discovery" }, { "meta": { "source-uuid": "00c3bfcb-99bd-4767-8c03-b08f585f5c8a", "target-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add" }, "uuid": "8ef27cd6-3909-4174-b57c-3dbe3061a6dd", "value": "PowerDuke uses Remote File Copy" }, { "meta": { "source-uuid": "aafea02e-ece5-4bb2-91a6-3bf8c7f38a39", "target-uuid": "f72eb8a8-cd4c-461d-a814-3f862befbf00" }, "uuid": "e873321b-0d76-4cd6-bc46-8231cfcdeba0", "value": "Cobalt Strike uses Custom Command and Control Protocol" }, { "meta": { "source-uuid": "54cc1d4f-5c53-4f0e-9ef5-11b4998e82e4", "target-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580" }, "uuid": "2c586158-d02b-468a-bee8-04e1bde320e1", "value": "BlackEnergy uses Process Discovery" }, { "meta": { "source-uuid": "85403903-15e0-4f9f-9be4-a259ecad4022", "target-uuid": "9752aef4-a1f3-4328-929f-b64eb0536090" }, "uuid": "dff84383-c4c5-4974-a33d-9e43526abf49", "value": "FIN5 uses RawPOS" }, { "meta": { "source-uuid": "0bbdf25b-30ff-4894-a1cd-49260d0dd2d9", "target-uuid": 
"35dd844a-b219-4e2b-a6bb-efa9a75995a9" }, "uuid": "0ca1948b-476c-4ff5-a792-f3790250bdc1", "value": "APT3 uses Scheduled Task" }, { "meta": { "source-uuid": "93f52415-0fe4-4d3d-896c-fc9b8e88ab90", "target-uuid": "b07c2c47-fefb-4d7c-a69e-6a3296171f54" }, "uuid": "fda1acb3-8e87-4fff-ae19-7e6a2ff9d6c3", "value": "BRONZE BUTLER uses gsecdump" }, { "meta": { "source-uuid": "69d6f4a9-fcf0-4f51-bca7-597c51ad0bb8", "target-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104" }, "uuid": "d1222ff7-b93c-40a7-99bd-217d795d8d58", "value": "Remsec uses System Owner/User Discovery" }, { "meta": { "source-uuid": "6a2e693f-24e5-451a-9f88-b36a108e5662", "target-uuid": "03342581-f790-4f03-ba41-e82e67392e23" }, "uuid": "b6f70ba6-bff1-4b40-a418-356e7b6efa27", "value": "APT1 uses Net" }, { "meta": { "source-uuid": "c93fccb1-e8e8-42cf-ae33-2ad1d183913a", "target-uuid": "3b3cbbe0-6ed3-4334-b543-3ddfd8c5642d" }, "uuid": "f146a331-3595-46be-abef-518708e34def", "value": "Lazarus Group uses Custom Cryptographic Protocol" }, { "meta": { "source-uuid": "68ba94ab-78b8-43e7-83e2-aed3466882c6", "target-uuid": "7fcbc4e8-1989-441f-9ac5-e7b6ff5806f1" }, "uuid": "35ac37f9-7484-4fe4-8b5e-9381600ee01b", "value": "APT34 uses Systeminfo" }, { "meta": { "source-uuid": "22addc7b-b39f-483d-979a-1b35147da5de", "target-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1" }, "uuid": "2e367a09-1d94-4ea4-984c-a592b769fffa", "value": "WinMM uses System Information Discovery" }, { "meta": { "source-uuid": "53b3b027-bed3-480c-9101-1247047d0fe6", "target-uuid": "51dea151-0898-4a45-967c-3ebee0420484" }, "uuid": "1d0bbeb7-5477-4321-81cd-ef66607d7972", "value": "Remote Desktop Protocol Mitigation mitigates Remote Desktop Protocol" }, { "meta": { "source-uuid": "37cc7eb6-12e3-467b-82e8-f20f2cc73c69", "target-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1" }, "uuid": "7adaf2f3-52f2-40aa-b1ae-2fd2f05d9d56", "value": "Prikormka uses System Information Discovery" }, { "meta": { "source-uuid": "92ec0cbd-2c30-44a2-b270-73f4ec949841", 
"target-uuid": "d519cfd5-f3a8-43a9-a846-ed0bb40672b1" }, "uuid": "af74c0ec-0bbe-4538-a3a3-1e967afd3d51", "value": "RTM uses Install Root Certificate" }, { "meta": { "source-uuid": "69d6f4a9-fcf0-4f51-bca7-597c51ad0bb8", "target-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add" }, "uuid": "820c50f3-65e8-4a3a-a71a-e079ae8badad", "value": "Remsec uses Remote File Copy" }, { "meta": { "source-uuid": "0bbdf25b-30ff-4894-a1cd-49260d0dd2d9", "target-uuid": "58adaaa8-f1e8-4606-9a08-422e568461eb" }, "uuid": "d924c061-9ee2-45c2-9ea4-491a2d3f50a5", "value": "APT3 uses SHOTPUT" }, { "meta": { "source-uuid": "f8dfbc54-b070-4224-b560-79aaa5f835bd", "target-uuid": "3b744087-9945-4a6f-91e8-9dbceda417a4" }, "uuid": "5b2682dc-f64d-482b-8fc4-132dad2727d9", "value": "H1N1 uses Replication Through Removable Media" }, { "meta": { "source-uuid": "93f52415-0fe4-4d3d-896c-fc9b8e88ab90", "target-uuid": "4b74a1d4-b0e9-4ef1-93f1-14ecc6e2f5b5" }, "uuid": "a1684fef-eca9-418a-ab48-b9aad4101c6c", "value": "BRONZE BUTLER uses Standard Cryptographic Protocol" }, { "meta": { "source-uuid": "67e6d66b-1b82-4699-b47a-e2efb6268d14", "target-uuid": "970cdb5c-02fb-4c38-b17e-d6327cf3c810" }, "uuid": "cfc64939-1c2c-4bc0-bfac-3492667b1bcd", "value": "SeaDuke uses Shortcut Modification" }, { "meta": { "source-uuid": "92ec0cbd-2c30-44a2-b270-73f4ec949841", "target-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830" }, "uuid": "1ca68d88-a287-4c48-a4f8-68611eceb445", "value": "RTM uses Command-Line Interface" }, { "meta": { "source-uuid": "fb575479-14ef-41e9-bfab-0b7cf10bec73", "target-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4" }, "uuid": "a71256aa-a2e3-447c-ba4e-004ba4f062b2", "value": "ADVSTORESHELL uses Modify Registry" }, { "meta": { "source-uuid": "3753cc21-2dae-4dfb-8481-d004e74502cc", "target-uuid": "4f6aa78c-c3d4-4883-9840-96ca2f5d6d47" }, "uuid": "e232f720-ab39-43f4-b419-ae8de115c5e6", "value": "FIN7 uses TEXTMATE" }, { "meta": { "source-uuid": "5a63f900-5e7e-4928-a746-dd4558e1df71", "target-uuid": 
"2e0dd10b-676d-4964-acd0-8a404c92b044" }, "uuid": "512879fe-8433-4c78-9345-009ed5168078", "value": "netsh uses Disabling Security Tools" }, { "meta": { "source-uuid": "55033a4d-3ffe-46b2-99b4-2c1541e9ce1c", "target-uuid": "ff6caf67-ea1f-4895-b80e-4bb0fc31c6db" }, "uuid": "d0f797ce-9176-4b74-8d64-fad4e1bdef4f", "value": "Carbanak uses PsExec" }, { "meta": { "source-uuid": "3753cc21-2dae-4dfb-8481-d004e74502cc", "target-uuid": "edbe24e9-aec4-4994-ac75-6a6bc7f1ddd0" }, "uuid": "51afbe4e-c5cd-4acd-b4e1-ff7877b78b9e", "value": "FIN7 uses Dynamic Data Exchange" }, { "meta": { "source-uuid": "e1161124-f22e-487f-9d5f-ed8efc8dcd61", "target-uuid": "f24faf46-3b26-4dbb-98f2-63460498e433" }, "uuid": "a61cf8cf-87f1-4061-ae9d-31e8162bdfef", "value": "Mis-Type uses Fallback Channels" }, { "meta": { "source-uuid": "d519164e-f5fa-4b8c-a1fb-cf0172ad0983", "target-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830" }, "uuid": "289e01df-60e6-4eee-830e-9d742ac10c86", "value": "Threat Group-1314 uses Command-Line Interface" }, { "meta": { "source-uuid": "2a7914cf-dff3-428d-ab0f-1014d1c28aeb", "target-uuid": "f4882e23-8aa7-4b12-b28a-b349c12ee9e0" }, "uuid": "97ea3b82-58ba-4a3e-8e6d-367755f83fa6", "value": "FIN6 uses PowerShell" }, { "meta": { "source-uuid": "eff1a885-6f90-42a1-901f-eef6e7a1905e", "target-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add" }, "uuid": "86b2980a-dd9f-4553-8f65-69f75f0f4332", "value": "Helminth uses Remote File Copy" }, { "meta": { "source-uuid": "222fbd21-fc4f-4b7e-9f85-0e6e3a76c33f", "target-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9" }, "uuid": "a901eaf4-7cbe-43c2-9c03-7d716357edc9", "value": "menuPass uses Scheduled Task" }, { "meta": { "source-uuid": "7f8730af-f683-423f-9ee1-5f6875a80481", "target-uuid": "15dbf668-795c-41e6-8219-f0447c0e64ce" }, "uuid": "2cfa6113-1995-494a-b767-61d3f371e0ea", "value": "Sys10 uses Permission Groups Discovery" }, { "meta": { "source-uuid": "54cc1d4f-5c53-4f0e-9ef5-11b4998e82e4", "target-uuid": "01a5a209-b94c-450b-b7f9-946497d91055" 
}, "uuid": "0c0b4142-96e7-440b-a01f-f2bda05649b1", "value": "BlackEnergy uses Windows Management Instrumentation" }, { "meta": { "source-uuid": "6a0ef5d4-fc7c-4dda-85d7-592e4dbdc5d9", "target-uuid": "e358d692-23c0-4a31-9eb6-ecc13a8d7735" }, "uuid": "7fe49f05-8f96-4fc2-bc5b-b2eea59efca3", "value": "Sykipot uses Remote System Discovery" }, { "meta": { "source-uuid": "8e461ca3-0996-4e6e-a0df-e2a5bbc51ebc", "target-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6" }, "uuid": "453914ae-8d76-4796-b507-dafc33adf005", "value": "4H RAT uses Standard Application Layer Protocol" }, { "meta": { "source-uuid": "196f1f32-e0c2-4d46-99cd-234d4b6befe1", "target-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add" }, "uuid": "e9011839-ca57-434d-a0cc-007594247110", "value": "Felismus uses Remote File Copy" }, { "meta": { "source-uuid": "0bbdf25b-30ff-4894-a1cd-49260d0dd2d9", "target-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5" }, "uuid": "8f6701a2-91cc-449e-98e1-e83bd2f7317c", "value": "APT3 uses Data from Local System" }, { "meta": { "source-uuid": "f8dfbc54-b070-4224-b560-79aaa5f835bd", "target-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22" }, "uuid": "0d4e8cb8-c265-449a-b010-f4614135572f", "value": "H1N1 uses Credential Dumping" }, { "meta": { "source-uuid": "a8d3d497-2da9-4797-8e0b-ed176be08654", "target-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1" }, "uuid": "fe786b29-e621-48e2-84b5-aed35e6930fe", "value": "Wingbird uses System Information Discovery" }, { "meta": { "source-uuid": "ccd61dfc-b03f-4689-8c18-7c97eab08472", "target-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4" }, "uuid": "40a8f80d-5497-4218-849c-3c0b63796641", "value": "CHOPSTICK uses Modify Registry" }, { "meta": { "source-uuid": "82cb34ba-02b5-432b-b2d2-07f55cbf674d", "target-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22" }, "uuid": "b149adfe-547f-4cd4-af4a-ea7018a203c1", "value": "Trojan.Karagany uses Credential Dumping" }, { "meta": { "source-uuid": "876f6a77-fbc5-4e13-ab1a-5611986730a3", "target-uuid": 
"354a7f88-63fb-41b5-a801-ce3b377b36f1" }, "uuid": "487d67d7-b697-4de4-abde-decee8b17c44", "value": "T9000 uses System Information Discovery" }, { "meta": { "source-uuid": "ab3580c8-8435-4117-aace-3d9fbe46aa56", "target-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0" }, "uuid": "7a1e7afa-7052-4e47-8725-66e485efda43", "value": "Unknown Logger uses System Network Configuration Discovery" }, { "meta": { "source-uuid": "37cc7eb6-12e3-467b-82e8-f20f2cc73c69", "target-uuid": "ba8e391f-14b5-496f-81f2-2d5ecd646c1c" }, "uuid": "5033a0a2-ef95-4ec6-b5ac-d7cfbd7be9f0", "value": "Prikormka uses Credentials in Files" }, { "meta": { "source-uuid": "1c63d4ec-0a75-4daa-b1df-0d11af3d3cc1", "target-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add" }, "uuid": "e39b5b63-b29a-4322-9dca-8bca7dedf474", "value": "Dragonfly uses Remote File Copy" }, { "meta": { "source-uuid": "aafea02e-ece5-4bb2-91a6-3bf8c7f38a39", "target-uuid": "128c55d3-aeba-469f-bd3e-c8996ab4112a" }, "uuid": "e025dccd-ead3-44d8-af26-f2c3b27667f5", "value": "Cobalt Strike uses Timestomp" }, { "meta": { "source-uuid": "93f52415-0fe4-4d3d-896c-fc9b8e88ab90", "target-uuid": "d54416bd-0803-41ca-870a-ce1af7c05638" }, "uuid": "f4188b9b-c2fe-41b7-96e0-e28d99671b9d", "value": "BRONZE BUTLER uses Data Encrypted" }, { "meta": { "source-uuid": "aafea02e-ece5-4bb2-91a6-3bf8c7f38a39", "target-uuid": "f44731de-ea9f-406d-9b83-30ecbb9b4392" }, "uuid": "d26a9de1-0ec7-41dd-94fe-21a51bedf37f", "value": "Cobalt Strike uses Service Execution" }, { "meta": { "source-uuid": "1c63d4ec-0a75-4daa-b1df-0d11af3d3cc1", "target-uuid": "7fd87010-3a00-4da3-b905-410525e8ec44" }, "uuid": "39076217-a5bf-4b1b-b085-8dbf7ba92265", "value": "Dragonfly uses Scripting" }, { "meta": { "source-uuid": "fb261c56-b80e-43a9-8351-c84081e7213d", "target-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc" }, "uuid": "80aab758-d3fc-4380-b114-e552bdace832", "value": "BACKSPACE uses Registry Run Keys / Start Folder" }, { "meta": { "source-uuid": "3753cc21-2dae-4dfb-8481-d004e74502cc", 
"target-uuid": "72f54d66-675d-4587-9bd3-4ed09f9522e4" }, "uuid": "7577e14c-ceba-4646-98ce-41e7fa9ae851", "value": "FIN7 uses Carbanak" }, { "meta": { "source-uuid": "7551188b-8f91-4d34-8350-0d0c57b2b913", "target-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1" }, "uuid": "14135aaa-6080-48c1-8a08-d6ee9bb15c3d", "value": "Elise uses System Information Discovery" }, { "meta": { "source-uuid": "bef4c620-0787-42a8-a96d-b7eb6e85917c", "target-uuid": "731f4f55-b6d0-41d1-a7a9-072a66389aea" }, "uuid": "10cc3288-d06c-456c-bc0e-b10a8c5abeaa", "value": "APT28 uses Connection Proxy" }, { "meta": { "source-uuid": "93f52415-0fe4-4d3d-896c-fc9b8e88ab90", "target-uuid": "bba595da-b73a-4354-aa6c-224d4de7cb4e" }, "uuid": "42897880-fe55-4f54-a42c-f85ba19fb39a", "value": "BRONZE BUTLER uses cmd" }, { "meta": { "source-uuid": "c93fccb1-e8e8-42cf-ae33-2ad1d183913a", "target-uuid": "02fefddc-fb1b-423f-a76b-7552dd211d4d" }, "uuid": "7ca1b40d-d1de-48ab-b8ad-023ad9877def", "value": "Lazarus Group uses Bootkit" }, { "meta": { "source-uuid": "6713ab67-e25b-49cc-808d-2b36d4fbc35c", "target-uuid": "7bc57495-ea59-4380-be31-a64af124ef18" }, "uuid": "5c8fba10-9d8a-4257-a458-8f58efc8d912", "value": "Ke3chang uses File and Directory Discovery" }, { "meta": { "source-uuid": "196f1f32-e0c2-4d46-99cd-234d4b6befe1", "target-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830" }, "uuid": "fdf9f632-03ce-4e8c-88bf-3798bb7f5ef4", "value": "Felismus uses Command-Line Interface" }, { "meta": { "source-uuid": "e9595678-d269-469e-ae6b-75e49259de63", "target-uuid": "cc7b8c4e-9be0-47ca-b0bb-83915ec3ee2f" }, "uuid": "79f0712b-2cb1-47df-8ea1-26fb1502a831", "value": "BADNEWS uses Data Encoding" }, { "meta": { "source-uuid": "5ce5392a-3a6c-4e07-9df3-9b6a9159ac45", "target-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a" }, "uuid": "c952f284-e529-481f-97fb-7a6e14c25ccf", "value": "Putter Panda uses Obfuscated Files or Information" }, { "meta": { "source-uuid": "899ce53f-13a0-479b-a0e4-67d46e241542", "target-uuid": 
"b136d088-a829-432c-ac26-5529c26d4c7e" }, "uuid": "1593ae11-0bb5-4e16-804a-1383eb0cced5", "value": "APT29 uses OnionDuke" }, { "meta": { "source-uuid": "fb366179-766c-4a4a-afa1-52bff1fd601c", "target-uuid": "30208d3e-0d6b-43c8-883e-44462a514619" }, "uuid": "b990e235-dcf4-48c7-800d-b8a10a62eda4", "value": "Threat Group-3390 uses Automated Collection" }, { "meta": { "source-uuid": "247cb30b-955f-42eb-97a5-a89fef69341e", "target-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9" }, "uuid": "98908617-068d-4b6e-bcba-ad213c137b1e", "value": "APT32 uses Scheduled Task" }, { "meta": { "source-uuid": "df71bb3b-813c-45eb-a8bc-f2a419837411", "target-uuid": "687c23e4-4e25-4ee7-a870-c5e002511f54" }, "uuid": "3cdc74fc-a291-4253-98b4-ca33e021914a", "value": "Molerats uses DustySky" }, { "meta": { "source-uuid": "76abb3ef-dafd-4762-97cb-a35379429db4", "target-uuid": "731f4f55-b6d0-41d1-a7a9-072a66389aea" }, "uuid": "59543467-938a-4528-961d-a539f0a5618b", "value": "Gazer uses Connection Proxy" }, { "meta": { "source-uuid": "222fbd21-fc4f-4b7e-9f85-0e6e3a76c33f", "target-uuid": "03342581-f790-4f03-ba41-e82e67392e23" }, "uuid": "7193ed4c-7169-46fa-9294-d74d912510d0", "value": "menuPass uses Net" }, { "meta": { "source-uuid": "0bbdf25b-30ff-4894-a1cd-49260d0dd2d9", "target-uuid": "e01be9c5-e763-4caf-aeb7-000b416aef67" }, "uuid": "f0b3c919-bf39-4bc9-9488-5f30d5407c54", "value": "APT3 uses Create Account" }, { "meta": { "source-uuid": "9e9b9415-a7df-406b-b14d-92bfe6809fbe", "target-uuid": "f879d51c-5476-431c-aedf-f14d207e4d1e" }, "uuid": "d72da887-5684-47ac-958a-84b3e8b59c0b", "value": "Nidiran uses Commonly Used Port" }, { "meta": { "source-uuid": "0a68f1f1-da74-4d28-8d9a-696c082706cc", "target-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add" }, "uuid": "73f5c564-53b1-48bc-8cab-32fa4a608672", "value": "certutil uses Remote File Copy" }, { "meta": { "source-uuid": "0bbdf25b-30ff-4894-a1cd-49260d0dd2d9", "target-uuid": "478aa214-2ca7-4ec0-9978-18798e514790" }, "uuid": 
"bc9cfe76-2d64-4901-8e9e-c69d046cdfaa", "value": "APT3 uses New Service" }, { "meta": { "source-uuid": "fb575479-14ef-41e9-bfab-0b7cf10bec73", "target-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6" }, "uuid": "9a05a8cc-8d3c-46a5-947e-bebed2ab1c5a", "value": "ADVSTORESHELL uses Standard Application Layer Protocol" }, { "meta": { "source-uuid": "a0d8db1d-a731-4428-8209-c07175f4b1fe", "target-uuid": "c848fcf7-6b62-4bde-8216-b6c157d48da0" }, "uuid": "bde4d54d-16d7-4a07-a35a-9f0cc6956be2", "value": "Uncommonly Used Port Mitigation mitigates Uncommonly Used Port" }, { "meta": { "source-uuid": "93f52415-0fe4-4d3d-896c-fc9b8e88ab90", "target-uuid": "3b3cbbe0-6ed3-4334-b543-3ddfd8c5642d" }, "uuid": "ec4d07a2-8c8b-4df8-bb9e-b8c3e23d8dc5", "value": "BRONZE BUTLER uses Custom Cryptographic Protocol" }, { "meta": { "source-uuid": "03342581-f790-4f03-ba41-e82e67392e23", "target-uuid": "e01be9c5-e763-4caf-aeb7-000b416aef67" }, "uuid": "7185fe1c-1565-4175-bc7e-539ff704f4cb", "value": "Net uses Create Account" }, { "meta": { "source-uuid": "0bbdf25b-30ff-4894-a1cd-49260d0dd2d9", "target-uuid": "7fd87010-3a00-4da3-b905-410525e8ec44" }, "uuid": "897dec92-49a8-4edd-8ed2-8082f134e42b", "value": "APT3 uses Scripting" }, { "meta": { "source-uuid": "8ae43c46-57ef-47d5-a77a-eebb35628db2", "target-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a" }, "uuid": "ae1ee1dc-6017-4177-b34c-70db166a939e", "value": "JHUHUGIT uses Obfuscated Files or Information" }, { "meta": { "source-uuid": "93f52415-0fe4-4d3d-896c-fc9b8e88ab90", "target-uuid": "ae676644-d2d2-41b7-af7e-9bed1b55898c" }, "uuid": "595be2e7-9f2a-4d5a-b23d-8e4822ae6199", "value": "BRONZE BUTLER uses Data from Network Shared Drive" }, { "meta": { "source-uuid": "eff1a885-6f90-42a1-901f-eef6e7a1905e", "target-uuid": "4b74a1d4-b0e9-4ef1-93f1-14ecc6e2f5b5" }, "uuid": "2d8cdbf3-1be2-4e64-ba18-f8b65fcbae8f", "value": "Helminth uses Standard Cryptographic Protocol" }, { "meta": { "source-uuid": "afc079f3-c0ea-4096-b75d-3f05338b7f60", "target-uuid": 
"1df0326d-2fbc-4d08-a16b-48365f1e742d" }, "uuid": "3e5cf341-4707-4de3-bb06-43530ee3e90f", "value": "Mimikatz uses SID-History Injection" }, { "meta": { "source-uuid": "00c3bfcb-99bd-4767-8c03-b08f585f5c8a", "target-uuid": "f3c544dc-673c-4ef3-accb-53229f1ae077" }, "uuid": "6b38f460-e309-4ab1-bbc9-bd0bb30f4af9", "value": "PowerDuke uses System Time Discovery" }, { "meta": { "source-uuid": "ccd61dfc-b03f-4689-8c18-7c97eab08472", "target-uuid": "f24faf46-3b26-4dbb-98f2-63460498e433" }, "uuid": "101867a2-149c-4088-a90f-7af4b86e5013", "value": "CHOPSTICK uses Fallback Channels" }, { "meta": { "source-uuid": "d9f4b5fa-2a39-4bdf-b40a-ea998933cd6d", "target-uuid": "6faf650d-bf31-4eb4-802d-1000cf38efaf" }, "uuid": "e24bd0ff-bc9e-4d26-84ea-008acb4975a1", "value": "Video Capture Mitigation mitigates Video Capture" }, { "meta": { "source-uuid": "c5574ca0-d5a4-490a-b207-e4658e5fd1d7", "target-uuid": "bb3c1098-d654-4620-bf40-694386d28921" }, "uuid": "e577372f-c3c9-4e12-9bc6-3f6a1faec0ac", "value": "Scarlet Mimic uses FakeM" }, { "meta": { "source-uuid": "f6ae7a52-f3b6-4525-9daf-640c083f006e", "target-uuid": "c21d5a77-d422-4a69-acd7-2c53c1faa34b" }, "uuid": "fce7fac2-91da-4903-95dc-fb54650c0859", "value": "PHOREAL uses Standard Non-Application Layer Protocol" }, { "meta": { "source-uuid": "2fb26586-2b53-4b9a-ad4f-2b3bcb9a2421", "target-uuid": "dcaa092b-7de9-4a21-977f-7fcb77e89c48" }, "uuid": "93d83b03-8367-4655-84a5-9abaee885700", "value": "SslMM uses Access Token Manipulation" }, { "meta": { "source-uuid": "7343e208-7cab-45f2-a47b-41ba5e2f0fab", "target-uuid": "4b74a1d4-b0e9-4ef1-93f1-14ecc6e2f5b5" }, "uuid": "b3973baa-0185-45a1-934d-2b29f742a2df", "value": "XTunnel uses Standard Cryptographic Protocol" }, { "meta": { "source-uuid": "dc5d1a33-62aa-4a0c-aa8c-589b87beb11e", "target-uuid": "7bc57495-ea59-4380-be31-a64af124ef18" }, "uuid": "a802d52a-01f4-44c8-b80d-d2c746e1e31d", "value": "ChChes uses File and Directory Discovery" }, { "meta": { "source-uuid": 
"2a158b0a-7ef8-43cb-9985-bf34d1e12050", "target-uuid": "2fb26586-2b53-4b9a-ad4f-2b3bcb9a2421" }, "uuid": "af0b0bfb-1a1e-4a06-b9e9-adeda7b6ad81", "value": "Naikon uses SslMM" }, { "meta": { "source-uuid": "03342581-f790-4f03-ba41-e82e67392e23", "target-uuid": "e358d692-23c0-4a31-9eb6-ecc13a8d7735" }, "uuid": "31ec568c-53c7-4dfb-8bfb-bfb7addca7ee", "value": "Net uses Remote System Discovery" }, { "meta": { "source-uuid": "7331c66a-5601-4d3f-acf6-ad9e3035eb40", "target-uuid": "c848fcf7-6b62-4bde-8216-b6c157d48da0" }, "uuid": "05604d66-735a-4369-bc31-c7915bb3f2e0", "value": "Group5 uses Uncommonly Used Port" }, { "meta": { "source-uuid": "f8dfbc54-b070-4224-b560-79aaa5f835bd", "target-uuid": "ad255bfe-a9e6-4b52-a258-8d3462abe842" }, "uuid": "c79d7110-46bb-4b6d-a256-87bd1b6379a3", "value": "H1N1 uses Data Obfuscation" }, { "meta": { "source-uuid": "53cf6cc4-65aa-445a-bcf8-c3d296f8a7a2", "target-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6" }, "uuid": "61827309-9071-416b-aedf-7f82f224db2e", "value": "NETEAGLE uses Standard Application Layer Protocol" }, { "meta": { "source-uuid": "8ae43c46-57ef-47d5-a77a-eebb35628db2", "target-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580" }, "uuid": "1923a47b-5a48-44e6-883f-ca23a96fea46", "value": "JHUHUGIT uses Process Discovery" }, { "meta": { "source-uuid": "123bd7b3-675c-4b1a-8482-c55782b20e2b", "target-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6" }, "uuid": "2b2cdb6b-c23c-4792-8cfb-8c4d9279a186", "value": "BUBBLEWRAP uses Standard Application Layer Protocol" }, { "meta": { "source-uuid": "85403903-15e0-4f9f-9be4-a259ecad4022", "target-uuid": "9de2308e-7bed-43a3-8e58-f194b3586700" }, "uuid": "ab83d817-57b8-4970-afc6-fbd70c6e3760", "value": "FIN5 uses pwdump" }, { "meta": { "source-uuid": "d1acfbb3-647b-4723-9154-800ec119006e", "target-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22" }, "uuid": "d93265a6-1f92-472b-9e47-48b7863d8171", "value": "Sowbug uses Credential Dumping" }, { "meta": { "source-uuid": 
"e6ef745b-077f-42e1-a37d-29eecff9c754", "target-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22" }, "uuid": "932fa199-f4c0-4c39-bb30-a412607ee299", "value": "CozyCar uses Credential Dumping" }, { "meta": { "source-uuid": "8901ac23-6b50-410c-b0dd-d8174a86f9b3", "target-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896" }, "uuid": "2dfbcf5d-8563-440c-bd9c-0cfc15059bd5", "value": "Shamoon uses Query Registry" }, { "meta": { "source-uuid": "96b08451-b27a-4ff6-893f-790e26393a8e", "target-uuid": "ca1a3f50-5ebd-41f8-8320-2c7d6a6e88be" }, "uuid": "3efe41c1-48be-48fc-90d8-5ae70df3cd97", "value": "Sakula uses Bypass User Account Control" }, { "meta": { "source-uuid": "8ae43c46-57ef-47d5-a77a-eebb35628db2", "target-uuid": "f24faf46-3b26-4dbb-98f2-63460498e433" }, "uuid": "0d43f3a7-70ed-4d04-857e-3a9fbce86cfb", "value": "JHUHUGIT uses Fallback Channels" }, { "meta": { "source-uuid": "687c23e4-4e25-4ee7-a870-c5e002511f54", "target-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580" }, "uuid": "f33725f4-cce5-4868-b494-d73419c76bdf", "value": "DustySky uses Process Discovery" }, { "meta": { "source-uuid": "d519164e-f5fa-4b8c-a1fb-cf0172ad0983", "target-uuid": "92a78814-b191-47ca-909c-1ccfe3777414" }, "uuid": "b38cfcfd-b8e3-4a9c-ade9-8a8bfeb04694", "value": "Threat Group-1314 uses Third-party Software" }, { "meta": { "source-uuid": "85b39628-204a-48d2-b377-ec368cbcb7ca", "target-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a" }, "uuid": "4afcb9c9-e490-446b-97b1-1c151974242f", "value": "TINYTYPHON uses Obfuscated Files or Information" }, { "meta": { "source-uuid": "463f68f1-5cde-4dc2-a831-68b73488f8f4", "target-uuid": "c848fcf7-6b62-4bde-8216-b6c157d48da0" }, "uuid": "cfccba1b-5aa0-46ef-b668-d9f7e25b53ae", "value": "MobileOrder uses Uncommonly Used Port" }, { "meta": { "source-uuid": "5ce5392a-3a6c-4e07-9df3-9b6a9159ac45", "target-uuid": "8e461ca3-0996-4e6e-a0df-e2a5bbc51ebc" }, "uuid": "47835d17-73e1-427f-85b0-b55b610fa9ad", "value": "Putter Panda uses 4H RAT" }, { "meta": { "source-uuid": 
"65341f30-bec6-4b1d-8abf-1a5620446c29", "target-uuid": "478aa214-2ca7-4ec0-9978-18798e514790" }, "uuid": "ecca0af0-1549-4068-b01d-bab711c491c5", "value": "Reaver uses New Service" }, { "meta": { "source-uuid": "fbb470da-1d44-4f29-bbb3-9efbe20f94a3", "target-uuid": "f879d51c-5476-431c-aedf-f14d207e4d1e" }, "uuid": "8278fc85-24af-4f8a-9b82-3f233f18f5a6", "value": "Mivast uses Commonly Used Port" }, { "meta": { "source-uuid": "1c63d4ec-0a75-4daa-b1df-0d11af3d3cc1", "target-uuid": "2e0dd10b-676d-4964-acd0-8a404c92b044" }, "uuid": "c2bd7b04-b090-478a-8e83-6b4656c14bb0", "value": "Dragonfly uses Disabling Security Tools" }, { "meta": { "source-uuid": "c93fccb1-e8e8-42cf-ae33-2ad1d183913a", "target-uuid": "4ae4f953-fe58-4cc8-a327-33257e30a830" }, "uuid": "170e2f76-5b6a-4eee-8ea4-d1171368b4a9", "value": "Lazarus Group uses Application Window Discovery" }, { "meta": { "source-uuid": "9ab7de33-99b2-4d8d-8cf3-182fa0015cc2", "target-uuid": "03259939-0b57-482f-8eb5-87c0e0d54334" }, "uuid": "87f4c47d-b94d-4a1e-9c4b-be671a99e6f0", "value": "Logon Scripts Mitigation mitigates Logon Scripts" }, { "meta": { "source-uuid": "5967cc93-57c9-404a-8ffd-097edfa7bdfc", "target-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59" }, "uuid": "66bec558-ff92-42ff-a8c1-5b47d071d606", "value": "Hi-Zor uses File Deletion" }, { "meta": { "source-uuid": "0bbdf25b-30ff-4894-a1cd-49260d0dd2d9", "target-uuid": "ffe742ed-9100-4686-9e00-c331da544787" }, "uuid": "96797ece-5783-4d34-a399-32496c8705ac", "value": "APT3 uses Windows Admin Shares" }, { "meta": { "source-uuid": "a0cb9370-e39b-44d5-9f50-ef78e412b973", "target-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22" }, "uuid": "fad2a504-6e00-4892-bf88-b49d6d18788c", "value": "Axiom uses Credential Dumping" }, { "meta": { "source-uuid": "eff1a885-6f90-42a1-901f-eef6e7a1905e", "target-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830" }, "uuid": "acca43ee-1e88-4d39-a953-7626173a89b2", "value": "Helminth uses Command-Line Interface" }, { "meta": { "source-uuid": 
"96b08451-b27a-4ff6-893f-790e26393a8e", "target-uuid": "b2001907-166b-4d71-bb3c-9d26c871de09" }, "uuid": "5c34be50-c7be-40c2-80bb-f3bc7db5cdd7", "value": "Sakula uses DLL Side-Loading" }, { "meta": { "source-uuid": "0bbdf25b-30ff-4894-a1cd-49260d0dd2d9", "target-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104" }, "uuid": "fcfb3ce0-01a0-4f92-8e18-b323202d095d", "value": "APT3 uses System Owner/User Discovery" }, { "meta": { "source-uuid": "e066bf86-9cfb-407a-9d25-26fd5d91e360", "target-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830" }, "uuid": "380db9ad-f6ad-4988-8a28-b773313f07b7", "value": "HTTPBrowser uses Command-Line Interface" }, { "meta": { "source-uuid": "a52edc76-328d-4596-85e7-d56ef5a9eb69", "target-uuid": "c23b740b-a42b-47a1-aec2-9d48ddd547ff" }, "uuid": "1dc42b4c-4a93-4fc6-bad3-b5498ad500b1", "value": "Pass-The-Hash Toolkit uses Pass the Hash" }, { "meta": { "source-uuid": "d1acfbb3-647b-4723-9154-800ec119006e", "target-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0" }, "uuid": "d6d66a6f-dbc8-4d7b-b3fc-634f2765429a", "value": "Sowbug uses Masquerading" }, { "meta": { "source-uuid": "76abb3ef-dafd-4762-97cb-a35379429db4", "target-uuid": "970cdb5c-02fb-4c38-b17e-d6327cf3c810" }, "uuid": "7ec988a7-712a-45ae-b6b3-db26a6515b80", "value": "Gazer uses Shortcut Modification" }, { "meta": { "source-uuid": "9de2308e-7bed-43a3-8e58-f194b3586700", "target-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22" }, "uuid": "57a1f1a8-f1c0-4b7c-b5b4-f283a278833c", "value": "pwdump uses Credential Dumping" }, { "meta": { "source-uuid": "247cb30b-955f-42eb-97a5-a89fef69341e", "target-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59" }, "uuid": "ce212487-1291-4fe6-9f0b-f697516a7824", "value": "APT32 uses File Deletion" }, { "meta": { "source-uuid": "222fbd21-fc4f-4b7e-9f85-0e6e3a76c33f", "target-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81" }, "uuid": "44273d72-b0d9-42ee-9e8e-53d1b39f0651", "value": "menuPass uses Valid Accounts" }, { "meta": { "source-uuid": 
"5391ece4-8866-415d-9b5e-8dc5944f612a", "target-uuid": "45d84c8b-c1e2-474d-a14d-69b5de0a2bc0" }, "uuid": "fb5e24e6-58f1-4ef0-9094-147319487f15", "value": "Source Mitigation mitigates Source" }, { "meta": { "source-uuid": "6713ab67-e25b-49cc-808d-2b36d4fbc35c", "target-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830" }, "uuid": "a5a63d5c-acf7-4720-866d-fcf6e576a58f", "value": "Ke3chang uses Command-Line Interface" }, { "meta": { "source-uuid": "d519164e-f5fa-4b8c-a1fb-cf0172ad0983", "target-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81" }, "uuid": "c6358f18-fc64-46f5-8939-66e5258dd83d", "value": "Threat Group-1314 uses Valid Accounts" }, { "meta": { "source-uuid": "d5e96a35-7b0b-4c6a-9533-d63ecbda563e", "target-uuid": "731f4f55-b6d0-41d1-a7a9-072a66389aea" }, "uuid": "1b27cec5-241a-4c2e-a3db-e9cea241496c", "value": "HTRAN uses Connection Proxy" }, { "meta": { "source-uuid": "2a7914cf-dff3-428d-ab0f-1014d1c28aeb", "target-uuid": "ff6caf67-ea1f-4895-b80e-4bb0fc31c6db" }, "uuid": "9c8fa95a-cbbe-4ef6-999d-21b4080b54f6", "value": "FIN6 uses PsExec" }, { "meta": { "source-uuid": "222fbd21-fc4f-4b7e-9f85-0e6e3a76c33f", "target-uuid": "01a5a209-b94c-450b-b7f9-946497d91055" }, "uuid": "04203d88-5fe1-4e63-be65-51a17705716b", "value": "menuPass uses Windows Management Instrumentation" }, { "meta": { "source-uuid": "93f52415-0fe4-4d3d-896c-fc9b8e88ab90", "target-uuid": "f4882e23-8aa7-4b12-b28a-b349c12ee9e0" }, "uuid": "d36e83a0-5370-4d78-862d-4dbe8921709d", "value": "BRONZE BUTLER uses PowerShell" }, { "meta": { "source-uuid": "64fa0de0-6240-41f4-8638-f4ca7ed528fd", "target-uuid": "ff25900d-76d5-449b-a351-8824e62fc81b" }, "uuid": "14b393f2-6d67-4d4f-8f88-75c8b421c4e2", "value": "PlugX uses Trusted Developer Utilities" }, { "meta": { "source-uuid": "aafea02e-ece5-4bb2-91a6-3bf8c7f38a39", "target-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22" }, "uuid": "6dc0543b-1a60-4e9a-9527-595220854f53", "value": "Cobalt Strike uses Credential Dumping" }, { "meta": { "source-uuid": 
"aafea02e-ece5-4bb2-91a6-3bf8c7f38a39", "target-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d" }, "uuid": "aa243e70-fba4-4f8a-8b5e-1ac826eac593", "value": "Cobalt Strike uses Process Injection" }, { "meta": { "source-uuid": "09b2cd76-c674-47cc-9f57-d2f2ad150a46", "target-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830" }, "uuid": "aabb13d6-a73b-42aa-8014-696b94ff2416", "value": "POWRUNER uses Command-Line Interface" }, { "meta": { "source-uuid": "c93fccb1-e8e8-42cf-ae33-2ad1d183913a", "target-uuid": "ffe742ed-9100-4686-9e00-c331da544787" }, "uuid": "e6cafa6a-22ce-49f7-8136-dc5a51c3aaeb", "value": "Lazarus Group uses Windows Admin Shares" }, { "meta": { "source-uuid": "073cc04d-ac46-4f5a-85d7-83a91ecd6a19", "target-uuid": "c0df6533-30ee-4a4a-9c6d-17af5abdf0b2" }, "uuid": "daca6956-64b8-468f-aa64-0ce4a4f7ad28", "value": "Setuid and Setgid Mitigation mitigates Setuid and Setgid" }, { "meta": { "source-uuid": "43213480-78f7-4fb3-976f-d48f5f6a4c2a", "target-uuid": "1b7ba276-eedc-4951-a762-0ceea2c030ec" }, "uuid": "e30a790b-8f09-4bdc-8116-275d00880333", "value": "FLASHFLOOD uses Data from Removable Media" }, { "meta": { "source-uuid": "247cb30b-955f-42eb-97a5-a89fef69341e", "target-uuid": "f6ae7a52-f3b6-4525-9daf-640c083f006e" }, "uuid": "bb8fd9d4-4362-40c6-ab09-f05f843c2cef", "value": "APT32 uses PHOREAL" }, { "meta": { "source-uuid": "166c0eca-02fd-424a-92c0-6b5106994d31", "target-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830" }, "uuid": "98a9bef7-8aff-4cbb-958b-14cb72954b8a", "value": "ZLib uses Command-Line Interface" }, { "meta": { "source-uuid": "96e239be-ad99-49eb-b127-3007b8c1bec9", "target-uuid": "348f1eef-964b-4eb6-bb53-69b3dcb0c643" }, "uuid": "062ebca3-abf7-449a-ad84-f04a3cada4dd", "value": "Equation uses Peripheral Device Discovery" }, { "meta": { "source-uuid": "e48df773-7c95-4a4c-ba70-ea3d15900148", "target-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104" }, "uuid": "6cf42ee6-a064-4d8a-99d4-8aa0f878ae2a", "value": "DownPaper uses System Owner/User Discovery" }, { 
"meta": { "source-uuid": "cbf646f1-7db5-4dc6-808b-0094313949df", "target-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6" }, "uuid": "41edf1d6-15a7-4da5-9bfd-ebee9d53f71e", "value": "CloudDuke uses Standard Application Layer Protocol" }, { "meta": { "source-uuid": "a1dd2dbd-1550-44bf-abcc-1a4c52e97719", "target-uuid": "3257eb21-f9a7-4430-8de1-d8b6e288f529" }, "uuid": "9c012fcf-876b-4101-aa28-6af8b00a51d2", "value": "Responder uses Network Sniffing" }, { "meta": { "source-uuid": "af2ad3b7-ab6a-4807-91fd-51bcaff9acbb", "target-uuid": "e6415f09-df0e-48de-9aba-928c902b7549" }, "uuid": "2b97e16e-8c39-4e5e-ad90-15c10f15d923", "value": "USBStealer uses Exfiltration Over Physical Medium" }, { "meta": { "source-uuid": "5f9f7648-04ba-4a9f-bb4c-2a13e74572bd", "target-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59" }, "uuid": "c8bceb4a-0cf2-43c9-9729-20ed706c4c72", "value": "Pteranodon uses File Deletion" }, { "meta": { "source-uuid": "9e2bba94-950b-4fcf-8070-cb3f816c5f4e", "target-uuid": "478aa214-2ca7-4ec0-9978-18798e514790" }, "uuid": "8d976244-6d4e-443a-98c0-52fe1d94c388", "value": "hcdLoader uses New Service" }, { "meta": { "source-uuid": "5f9f7648-04ba-4a9f-bb4c-2a13e74572bd", "target-uuid": "92d7da27-2d91-488e-a00c-059dc162766d" }, "uuid": "acc40539-13a0-4577-a862-e348962bf0fc", "value": "Pteranodon uses Exfiltration Over Command and Control Channel" }, { "meta": { "source-uuid": "c93fccb1-e8e8-42cf-ae33-2ad1d183913a", "target-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104" }, "uuid": "500130c0-d049-4e67-9bcc-d60a5f6dfd4c", "value": "Lazarus Group uses System Owner/User Discovery" }, { "meta": { "source-uuid": "54cc1d4f-5c53-4f0e-9ef5-11b4998e82e4", "target-uuid": "ba8e391f-14b5-496f-81f2-2d5ecd646c1c" }, "uuid": "aec49e52-c54e-45be-a476-70aa0dc42cfb", "value": "BlackEnergy uses Credentials in Files" }, { "meta": { "source-uuid": "fb366179-766c-4a4a-afa1-52bff1fd601c", "target-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add" }, "uuid": "6a1693a7-1e85-48b6-9097-11339a987099", 
"value": "Threat Group-3390 uses Remote File Copy" }, { "meta": { "source-uuid": "e066bf86-9cfb-407a-9d25-26fd5d91e360", "target-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0" }, "uuid": "654d9e83-9501-4de8-8828-1a1ebf36bc8f", "value": "HTTPBrowser uses Masquerading" }, { "meta": { "source-uuid": "e6ef745b-077f-42e1-a37d-29eecff9c754", "target-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6" }, "uuid": "22301618-a676-4d94-975a-2a56e5a7f919", "value": "CozyCar uses Standard Application Layer Protocol" }, { "meta": { "source-uuid": "94379dec-5c87-49db-b36e-66abc0b81344", "target-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104" }, "uuid": "af66e48f-3232-4f78-ad3e-5a404f7ae3a1", "value": "Derusbi uses System Owner/User Discovery" }, { "meta": { "source-uuid": "bef4c620-0787-42a8-a96d-b7eb6e85917c", "target-uuid": "e669bb87-f773-4c7b-bfcc-a9ffebfdd8d4" }, "uuid": "720c211e-2219-496d-8a34-c3f37dfbe5bf", "value": "APT28 uses HIDEDRV" }, { "meta": { "source-uuid": "17e919aa-4a49-445c-b103-dbb8df9e7351", "target-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a" }, "uuid": "3a66ff23-3dcc-45b9-821a-8d6527b6e242", "value": "POWERSOURCE uses Obfuscated Files or Information" }, { "meta": { "source-uuid": "6b616fc1-1505-48e3-8b2c-0d19337bff38", "target-uuid": "1b7ba276-eedc-4951-a762-0ceea2c030ec" }, "uuid": "6d87588e-2202-4616-a536-e43a2606721b", "value": "Rover uses Data from Removable Media" }, { "meta": { "source-uuid": "c93fccb1-e8e8-42cf-ae33-2ad1d183913a", "target-uuid": "a19e86f8-1c0a-4fea-8407-23b73d615776" }, "uuid": "0a8ee649-e907-4a73-8513-3019b2d771a0", "value": "Lazarus Group uses Exfiltration Over Alternative Protocol" }, { "meta": { "source-uuid": "72f54d66-675d-4587-9bd3-4ed09f9522e4", "target-uuid": "4b74a1d4-b0e9-4ef1-93f1-14ecc6e2f5b5" }, "uuid": "a9bd68ed-2602-4225-838e-2d9b7f8761b4", "value": "Carbanak uses Standard Cryptographic Protocol" }, { "meta": { "source-uuid": "b42378e0-f147-496f-992a-26a49705395b", "target-uuid": "4b74a1d4-b0e9-4ef1-93f1-14ecc6e2f5b5" }, 
"uuid": "b41c9b77-536b-49bc-8cb9-a873aa121002", "value": "PoisonIvy uses Standard Cryptographic Protocol" }, { "meta": { "source-uuid": "67e6d66b-1b82-4699-b47a-e2efb6268d14", "target-uuid": "1608f3e1-598a-42f4-a01a-2e252e81728f" }, "uuid": "76333b56-47b1-40c6-9223-c4cf6673362f", "value": "SeaDuke uses Email Collection" }, { "meta": { "source-uuid": "dc5d1a33-62aa-4a0c-aa8c-589b87beb11e", "target-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580" }, "uuid": "e6f69552-fe0e-4b40-ad20-4410048277e6", "value": "ChChes uses Process Discovery" }, { "meta": { "source-uuid": "247cb30b-955f-42eb-97a5-a89fef69341e", "target-uuid": "f72eb8a8-cd4c-461d-a814-3f862befbf00" }, "uuid": "4477e350-645d-40de-8de7-7a6e1680c2e0", "value": "APT32 uses Custom Command and Control Protocol" }, { "meta": { "source-uuid": "37cc7eb6-12e3-467b-82e8-f20f2cc73c69", "target-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a" }, "uuid": "290a1ceb-68e1-42ae-be81-f474038aaa05", "value": "Prikormka uses Obfuscated Files or Information" }, { "meta": { "source-uuid": "4ca1929c-7d64-4aab-b849-badbfc0c760d", "target-uuid": "cde2d700-9ed1-46cf-9bce-07364fe8b24f" }, "uuid": "49404706-aa42-4914-a273-2eeb217e6477", "value": "OilRig uses Reg" }, { "meta": { "source-uuid": "59a97b15-8189-4d51-9404-e1ce8ea4a069", "target-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59" }, "uuid": "f5fee3da-a3ef-4a81-a70c-9660ab1fb3d6", "value": "XAgentOSX uses File Deletion" }, { "meta": { "source-uuid": "e066bf86-9cfb-407a-9d25-26fd5d91e360", "target-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2" }, "uuid": "ab7faed6-3c50-4b04-a31b-ac2c933a51ef", "value": "HTTPBrowser uses Input Capture" }, { "meta": { "source-uuid": "2eb9b131-d333-4a48-9eb4-d8dec46c19ee", "target-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5" }, "uuid": "dad229e7-fcc6-4c1d-99c3-47d54fbc6892", "value": "CosmicDuke uses Data from Local System" }, { "meta": { "source-uuid": "69d6f4a9-fcf0-4f51-bca7-597c51ad0bb8", "target-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59" }, "uuid": 
"2b4a8be2-8403-43d4-addd-79c504e3dec8", "value": "Remsec uses File Deletion" }, { "meta": { "source-uuid": "5967cc93-57c9-404a-8ffd-097edfa7bdfc", "target-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830" }, "uuid": "aaca7907-7a43-4ebb-bd2b-bf7f497d9134", "value": "Hi-Zor uses Command-Line Interface" }, { "meta": { "source-uuid": "6713ab67-e25b-49cc-808d-2b36d4fbc35c", "target-uuid": "b9f5dbe2-4c55-4fc5-af2e-d42c1d182ec4" }, "uuid": "ab7eb363-c775-4065-a80d-1b324f22d0b8", "value": "Ke3chang uses Data Compressed" }, { "meta": { "source-uuid": "4ca1929c-7d64-4aab-b849-badbfc0c760d", "target-uuid": "15dbf668-795c-41e6-8219-f0447c0e64ce" }, "uuid": "d39e3775-9221-4020-b826-edc111e36c7c", "value": "OilRig uses Permission Groups Discovery" }, { "meta": { "source-uuid": "dcd81c6e-ebf7-4a16-93e0-9a97fa49c88a", "target-uuid": "0b32ec39-ba61-4864-9ebe-b4b0b73caf9a" }, "uuid": "dc4e54ed-ca71-4dd1-a61e-714222c0c76d", "value": "CopyKittens uses TDTESS" }, { "meta": { "source-uuid": "0a9c51e0-825d-4b9b-969d-ce86ed8ce3c3", "target-uuid": "52f3d5a6-8a0f-4f82-977e-750abf90d0b0" }, "uuid": "c56de8bc-ad9e-415a-8840-ae294ed4f88a", "value": "Power Loader uses Extra Window Memory Injection" }, { "meta": { "source-uuid": "c93fccb1-e8e8-42cf-ae33-2ad1d183913a", "target-uuid": "f879d51c-5476-431c-aedf-f14d207e4d1e" }, "uuid": "88896f55-5606-4b21-8616-e7965a863dd8", "value": "Lazarus Group uses Commonly Used Port" }, { "meta": { "source-uuid": "d69c8146-ab35-4d50-8382-6fc80e641d43", "target-uuid": "84e02621-8fdf-470f-bd58-993bb6a89d91" }, "uuid": "25ad5783-c7fe-4715-b4ce-c03b36ccdfa8", "value": "BLACKCOFFEE uses Multi-Stage Channels" }, { "meta": { "source-uuid": "5cbe0d3b-6fb1-471f-b591-4b192915116d", "target-uuid": "1b84d551-6de8-4b96-9930-d177677c3b1d" }, "uuid": "cb2d2f2d-face-430b-995d-c9bd35db5b90", "value": "Suckfly uses Code Signing" }, { "meta": { "source-uuid": "bef4c620-0787-42a8-a96d-b7eb6e85917c", "target-uuid": "9b52fca7-1a36-4da0-b62d-da5bd83b4d69" }, "uuid": 
"54d3eadf-0363-47d1-b51d-a16d6a99c42e", "value": "APT28 uses Component Object Model Hijacking" }, { "meta": { "source-uuid": "4ca1929c-7d64-4aab-b849-badbfc0c760d", "target-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1" }, "uuid": "0c03f2b4-a752-4d74-9c26-5306132a3329", "value": "OilRig uses System Information Discovery" }, { "meta": { "source-uuid": "ae41895a-243f-4a65-b99b-d85022326c31", "target-uuid": "7bc57495-ea59-4380-be31-a64af124ef18" }, "uuid": "b03aafb3-dc03-4e12-9354-69a579b60aaf", "value": "Dust Storm uses File and Directory Discovery" }, { "meta": { "source-uuid": "2e290bfe-93b5-48ce-97d6-edcd6d32b7cf", "target-uuid": "7fd87010-3a00-4da3-b905-410525e8ec44" }, "uuid": "f73df541-6b55-42d1-aec3-53660fda1508", "value": "Gamaredon Group uses Scripting" }, { "meta": { "source-uuid": "f6d1d2cb-12f5-4221-9636-44606ea1f3f8", "target-uuid": "e358d692-23c0-4a31-9eb6-ecc13a8d7735" }, "uuid": "8765dd7e-33cc-4040-927d-bf0aa16d3d79", "value": "OSInfo uses Remote System Discovery" }, { "meta": { "source-uuid": "b6b3dfc7-9a81-43ff-ac04-698bad48973a", "target-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6" }, "uuid": "d6204645-83ff-4b26-a011-9b58bab2d597", "value": "Daserf uses Standard Application Layer Protocol" }, { "meta": { "source-uuid": "684feec3-f9ba-4049-9d8f-52d52f3e0e40", "target-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0" }, "uuid": "98bdcea2-1c8d-4a65-b75d-075a00d6e87c", "value": "System Network Configuration Discovery Mitigation mitigates System Network Configuration Discovery" }, { "meta": { "source-uuid": "800bdfba-6d66-480f-9f45-15845c05cb5d", "target-uuid": "ba8e391f-14b5-496f-81f2-2d5ecd646c1c" }, "uuid": "a6e4853a-78a6-4c88-a7c5-58793d3e4dcd", "value": "pngdowner uses Credentials in Files" }, { "meta": { "source-uuid": "fb261c56-b80e-43a9-8351-c84081e7213d", "target-uuid": "92d7da27-2d91-488e-a00c-059dc162766d" }, "uuid": "9267fe42-6290-4342-8024-38d703db4376", "value": "BACKSPACE uses Exfiltration Over Command and Control Channel" }, { "meta": { 
"source-uuid": "af2ad3b7-ab6a-4807-91fd-51bcaff9acbb", "target-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0" }, "uuid": "a67d4b9b-0c8f-41d8-a7f2-6d4c61fcb1ea", "value": "USBStealer uses Masquerading" }, { "meta": { "source-uuid": "6713ab67-e25b-49cc-808d-2b36d4fbc35c", "target-uuid": "7e150503-88e7-4861-866b-ff1ac82c4475" }, "uuid": "eaa06586-e33e-4e4c-91ca-76935c22e012", "value": "Ke3chang uses System Network Connections Discovery" }, { "meta": { "source-uuid": "8c553311-0baa-4146-997a-f79acef3d831", "target-uuid": "7bc57495-ea59-4380-be31-a64af124ef18" }, "uuid": "35ec37ba-44aa-49b1-9379-3f6070554c62", "value": "RARSTONE uses File and Directory Discovery" }, { "meta": { "source-uuid": "0db09158-6e48-4e7c-8ce7-2b10b9c0c039", "target-uuid": "f879d51c-5476-431c-aedf-f14d207e4d1e" }, "uuid": "81b183bc-de6a-457c-a3f3-a1168e8456f1", "value": "Misdat uses Commonly Used Port" }, { "meta": { "source-uuid": "17b40f60-729f-4fe8-8aea-cc9ee44a95d5", "target-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59" }, "uuid": "6d51e34d-d2ee-41aa-9ec7-dc74c84ebe9f", "value": "RedLeaves uses File Deletion" }, { "meta": { "source-uuid": "76abb3ef-dafd-4762-97cb-a35379429db4", "target-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104" }, "uuid": "d219ed2b-2877-450f-9a69-a30f36497d14", "value": "Gazer uses System Owner/User Discovery" }, { "meta": { "source-uuid": "0640214c-95af-4c04-a574-2a1ba6dda00b", "target-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896" }, "uuid": "b003a96b-81f7-436c-99a6-a25323f759ac", "value": "Query Registry Mitigation mitigates Query Registry" }, { "meta": { "source-uuid": "91000a8a-58cc-4aba-9ad0-993ad6302b86", "target-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580" }, "uuid": "0cbc1f3f-7a32-4056-bfa6-25186ac5e6a4", "value": "StreamEx uses Process Discovery" }, { "meta": { "source-uuid": "4c59cce8-cb48-4141-b9f1-f646edfaadb0", "target-uuid": "ffe742ed-9100-4686-9e00-c331da544787" }, "uuid": "b98c506f-3dd3-45c1-b81a-3e23bcfe6198", "value": "Regin uses Windows Admin Shares" }, 
{ "meta": { "source-uuid": "fb366179-766c-4a4a-afa1-52bff1fd601c", "target-uuid": "2e0dd10b-676d-4964-acd0-8a404c92b044" }, "uuid": "6f884bda-0c39-4d3b-97e3-29ae9099fa45", "value": "Threat Group-3390 uses Disabling Security Tools" }, { "meta": { "source-uuid": "e6ef745b-077f-42e1-a37d-29eecff9c754", "target-uuid": "478aa214-2ca7-4ec0-9978-18798e514790" }, "uuid": "cb0ebed2-4cac-437b-b5b2-37ee716af3f0", "value": "CozyCar uses New Service" }, { "meta": { "source-uuid": "2a158b0a-7ef8-43cb-9985-bf34d1e12050", "target-uuid": "8c553311-0baa-4146-997a-f79acef3d831" }, "uuid": "7dba7706-128e-43a7-a240-6d456c9003a2", "value": "Naikon uses RARSTONE" }, { "meta": { "source-uuid": "9752aef4-a1f3-4328-929f-b64eb0536090", "target-uuid": "7dd95ff6-712e-4056-9626-312ea4ab4c5e" }, "uuid": "b25f5d90-f6cc-47e9-89f1-5527886bf536", "value": "RawPOS uses Data Staged" }, { "meta": { "source-uuid": "ae41895a-243f-4a65-b99b-d85022326c31", "target-uuid": "66b1dcde-17a0-4c7b-95fa-b08d430c2131" }, "uuid": "0ec4a49c-0adc-41fb-afc2-e99f1e7c5200", "value": "Dust Storm uses S-Type" }, { "meta": { "source-uuid": "17b40f60-729f-4fe8-8aea-cc9ee44a95d5", "target-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a" }, "uuid": "6610332d-86a5-46dc-a0a1-31c2fe31f164", "value": "RedLeaves uses Obfuscated Files or Information" }, { "meta": { "source-uuid": "242f3da3-4425-4d11-8f5c-b842886da966", "target-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22" }, "uuid": "935971d6-0af2-4683-971a-9acb523733fe", "value": "Windows Credential Editor uses Credential Dumping" }, { "meta": { "source-uuid": "f2e8c7a1-cae1-45c4-baf0-6f21bdcbb2c2", "target-uuid": "830c9528-df21-472c-8c14-a036bf17d665" }, "uuid": "bb8149a2-fdda-4c3a-9e02-f530c4ee7962", "value": "GLOOXMAIL uses Web Service" }, { "meta": { "source-uuid": "7dbb67c7-270a-40ad-836e-c45f8948aa5a", "target-uuid": "01a5a209-b94c-450b-b7f9-946497d91055" }, "uuid": "e8e4b87c-3d30-4627-8060-5b5116d057fc", "value": "KOMPROGO uses Windows Management Instrumentation" }, { "meta": { 
"source-uuid": "f8dfbc54-b070-4224-b560-79aaa5f835bd", "target-uuid": "2e0dd10b-676d-4964-acd0-8a404c92b044" }, "uuid": "1082a68e-549b-47d5-9eb3-e719f01ce42b", "value": "H1N1 uses Disabling Security Tools" }, { "meta": { "source-uuid": "6713ab67-e25b-49cc-808d-2b36d4fbc35c", "target-uuid": "7fcbc4e8-1989-441f-9ac5-e7b6ff5806f1" }, "uuid": "301de16e-3829-4fb0-b217-dcdfca7398c9", "value": "Ke3chang uses Systeminfo" }, { "meta": { "source-uuid": "c93fccb1-e8e8-42cf-ae33-2ad1d183913a", "target-uuid": "99709758-2b96-48f2-a68a-ad7fbd828091" }, "uuid": "7e221899-d90a-4c9a-8ea4-77110c45f0f9", "value": "Lazarus Group uses Multiband Communication" }, { "meta": { "source-uuid": "8e461ca3-0996-4e6e-a0df-e2a5bbc51ebc", "target-uuid": "3b3cbbe0-6ed3-4334-b543-3ddfd8c5642d" }, "uuid": "6613ed52-5c6c-43f2-bd0c-9809769cb022", "value": "4H RAT uses Custom Cryptographic Protocol" }, { "meta": { "source-uuid": "495b6cdb-7b5a-4fbc-8d33-e7ef68806d08", "target-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1" }, "uuid": "35697909-4c19-4799-a5ac-3153750619f8", "value": "Volgmer uses System Information Discovery" }, { "meta": { "source-uuid": "88b7dbc2-32d3-4e31-af2f-3fc24e1582d7", "target-uuid": "7551188b-8f91-4d34-8350-0d0c57b2b913" }, "uuid": "8859897c-66f5-4754-8cb8-2c6e6b8b8e2e", "value": "Lotus Blossom uses Elise" }, { "meta": { "source-uuid": "69d6f4a9-fcf0-4f51-bca7-597c51ad0bb8", "target-uuid": "c21d5a77-d422-4a69-acd7-2c53c1faa34b" }, "uuid": "4ee54acd-fc04-43c2-8cf6-2200a802d0b9", "value": "Remsec uses Standard Non-Application Layer Protocol" }, { "meta": { "source-uuid": "809b79cd-be78-4597-88d1-5496d1d9993a", "target-uuid": "b53dbcc6-147d-48bb-9df4-bcb8bb808ff6" }, "uuid": "d17c02f0-bd1f-4c16-8fe7-28d347407f2e", "value": "Trap Mitigation mitigates Trap" }, { "meta": { "source-uuid": "0472af99-f25c-4abe-9fce-010fa3450e72", "target-uuid": "ba8e391f-14b5-496f-81f2-2d5ecd646c1c" }, "uuid": "5a491b91-739f-498b-b8f2-b14aaea07893", "value": "Credentials in Files Mitigation mitigates 
Credentials in Files" }, { "meta": { "source-uuid": "64d76fa5-cf8f-469c-b78c-1a4f7c5bad80", "target-uuid": "f879d51c-5476-431c-aedf-f14d207e4d1e" }, "uuid": "b3bc844c-bebf-4756-8d33-6e16ca4ee6a1", "value": "BBSRAT uses Commonly Used Port" }, { "meta": { "source-uuid": "59a97b15-8189-4d51-9404-e1ce8ea4a069", "target-uuid": "ba8e391f-14b5-496f-81f2-2d5ecd646c1c" }, "uuid": "b9e2fac9-fc1a-4e13-ac68-1a5796b04d72", "value": "XAgentOSX uses Credentials in Files" }, { "meta": { "source-uuid": "d1acfbb3-647b-4723-9154-800ec119006e", "target-uuid": "3489cfc5-640f-4bb3-a103-9137b97de79f" }, "uuid": "cc495391-9abd-4df1-8ad7-ec8d84feaeb9", "value": "Sowbug uses Network Share Discovery" }, { "meta": { "source-uuid": "0bbdf25b-30ff-4894-a1cd-49260d0dd2d9", "target-uuid": "15dbf668-795c-41e6-8219-f0447c0e64ce" }, "uuid": "e590aaaa-40fd-4f61-93f3-f2d6daee65a4", "value": "APT3 uses Permission Groups Discovery" }, { "meta": { "source-uuid": "a653431d-6a5e-4600-8ad3-609b5af57064", "target-uuid": "01a5a209-b94c-450b-b7f9-946497d91055" }, "uuid": "d295beee-439c-44f9-9908-4cb194331de9", "value": "Deep Panda uses Windows Management Instrumentation" }, { "meta": { "source-uuid": "68dca94f-c11d-421e-9287-7c501108e18c", "target-uuid": "d54416bd-0803-41ca-870a-ce1af7c05638" }, "uuid": "03fc71a1-c589-4396-b5c7-70dfde49c55c", "value": "Duqu uses Data Encrypted" }, { "meta": { "source-uuid": "222fbd21-fc4f-4b7e-9f85-0e6e3a76c33f", "target-uuid": "51dea151-0898-4a45-967c-3ebee0420484" }, "uuid": "bd78bfa6-f30e-4429-ac06-0039d553a69d", "value": "menuPass uses Remote Desktop Protocol" }, { "meta": { "source-uuid": "687c23e4-4e25-4ee7-a870-c5e002511f54", "target-uuid": "7bc57495-ea59-4380-be31-a64af124ef18" }, "uuid": "f9773935-853e-4d5e-9345-9587fd77340d", "value": "DustySky uses File and Directory Discovery" }, { "meta": { "source-uuid": "3753cc21-2dae-4dfb-8481-d004e74502cc", "target-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc" }, "uuid": "74859e2a-7a8f-4b87-b75c-7286b3de685c", "value": "FIN7 
uses Registry Run Keys / Start Folder" }, { "meta": { "source-uuid": "a653431d-6a5e-4600-8ad3-609b5af57064", "target-uuid": "ffe742ed-9100-4686-9e00-c331da544787" }, "uuid": "f43ab4db-5dea-4a1f-977a-f5d779330193", "value": "Deep Panda uses Windows Admin Shares" }, { "meta": { "source-uuid": "234e7770-99b0-4f65-b983-d3230f76a60b", "target-uuid": "1035cdf2-3e5f-446f-a7a7-e8f6d7925967" }, "uuid": "8b5d4742-35a6-4ab7-993c-e20831ab0020", "value": "Janicab uses Audio Capture" }, { "meta": { "source-uuid": "8ae43c46-57ef-47d5-a77a-eebb35628db2", "target-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59" }, "uuid": "edaa004e-8239-40d8-a4f0-8849c4f0e87f", "value": "JHUHUGIT uses File Deletion" }, { "meta": { "source-uuid": "85b39628-204a-48d2-b377-ec368cbcb7ca", "target-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc" }, "uuid": "753f9861-f0b8-4467-ac5e-4457bd350095", "value": "TINYTYPHON uses Registry Run Keys / Start Folder" }, { "meta": { "source-uuid": "222fbd21-fc4f-4b7e-9f85-0e6e3a76c33f", "target-uuid": "72b74d71-8169-42aa-92e0-e7b04b9f5a08" }, "uuid": "5a6942dc-eab7-4f45-b5fa-6149774e2acc", "value": "menuPass uses Account Discovery" }, { "meta": { "source-uuid": "64d76fa5-cf8f-469c-b78c-1a4f7c5bad80", "target-uuid": "b2001907-166b-4d71-bb3c-9d26c871de09" }, "uuid": "6b19a5ae-3f6a-4950-94da-22d94477d5d2", "value": "BBSRAT uses DLL Side-Loading" }, { "meta": { "source-uuid": "08d20cd2-f084-45ee-8558-fa6ef5a18519", "target-uuid": "46944654-fcc1-4f63-9dad-628102376586" }, "uuid": "f4f5b6a4-26d5-4352-a25d-001a51a0a121", "value": "Downdelph uses DLL Search Order Hijacking" }, { "meta": { "source-uuid": "0e18b800-906c-4e44-a143-b11c72b3448b", "target-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6" }, "uuid": "e3b79cfa-6ea8-4e7a-85f8-9862702d466a", "value": "FLIPSIDE uses Standard Application Layer Protocol" }, { "meta": { "source-uuid": "fe0aeb41-1a51-4152-8467-628256ea6adf", "target-uuid": "62dfd1ca-52d5-483c-a84b-d6e80bf94b7b" }, "uuid": "812b36a3-ed93-4b45-95c3-39a9ac9c36f5", 
"value": "Modify Existing Service Mitigation mitigates Modify Existing Service" }, { "meta": { "source-uuid": "16ade1aa-0ea1-4bb7-88cc-9079df2ae756", "target-uuid": "294e2560-bd48-44b2-9da2-833b5588ad11" }, "uuid": "e38e741c-a7ef-420a-911a-1d2cf6abf49d", "value": "admin@338 uses ipconfig" }, { "meta": { "source-uuid": "1cc934e4-b01d-4543-a011-b988dfc1a458", "target-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22" }, "uuid": "47a95ac1-e37a-40ea-bf1e-e99ff4483998", "value": "Matroyshka uses Credential Dumping" }, { "meta": { "source-uuid": "2eb9b131-d333-4a48-9eb4-d8dec46c19ee", "target-uuid": "3b3cbbe0-6ed3-4334-b543-3ddfd8c5642d" }, "uuid": "fbae4191-679a-45b2-8ebb-8adb5348f4d0", "value": "CosmicDuke uses Custom Cryptographic Protocol" }, { "meta": { "source-uuid": "88c621a7-aef9-4ae0-94e3-1fc87123eb24", "target-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830" }, "uuid": "68852bf2-c3cf-4d59-b1c1-f6af8fb61be6", "value": "gh0st uses Command-Line Interface" }, { "meta": { "source-uuid": "bef4c620-0787-42a8-a96d-b7eb6e85917c", "target-uuid": "af2ad3b7-ab6a-4807-91fd-51bcaff9acbb" }, "uuid": "d26b3aeb-972f-471e-ab59-dc1ee2aa532e", "value": "APT28 uses USBStealer" }, { "meta": { "source-uuid": "9ea525fa-b0a9-4dde-84f2-bcea0137b3c1", "target-uuid": "4b74a1d4-b0e9-4ef1-93f1-14ecc6e2f5b5" }, "uuid": "609d3d8c-1995-43ef-a102-a39d668a774d", "value": "MoonWind uses Standard Cryptographic Protocol" }, { "meta": { "source-uuid": "17b40f60-729f-4fe8-8aea-cc9ee44a95d5", "target-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104" }, "uuid": "bd8aaa70-710d-45a7-bb43-6b2e37f7c797", "value": "RedLeaves uses System Owner/User Discovery" }, { "meta": { "source-uuid": "08d20cd2-f084-45ee-8558-fa6ef5a18519", "target-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add" }, "uuid": "9c7a9bd0-4f52-4c10-8e79-3b6e72d431d1", "value": "Downdelph uses Remote File Copy" }, { "meta": { "source-uuid": "fe98767f-9df8-42b9-83c9-004b1dec8647", "target-uuid": "b42378e0-f147-496f-992a-26a49705395b" }, "uuid": 
"8d65162b-650d-4a38-9c19-cc6c8e85a2e9", "value": "PittyTiger uses PoisonIvy" }, { "meta": { "source-uuid": "43213480-78f7-4fb3-976f-d48f5f6a4c2a", "target-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc" }, "uuid": "3ebad12d-fd33-4289-93dc-1f5af5e90b66", "value": "FLASHFLOOD uses Registry Run Keys / Start Folder" }, { "meta": { "source-uuid": "84d633a4-dd93-40ca-8510-40238c021931", "target-uuid": "dc27c2ec-c5f9-4228-ba57-d67b590bda93" }, "uuid": "36adf5c8-2426-41e1-807d-f4d7958b9d54", "value": "Hidden Files and Directories Mitigation mitigates Hidden Files and Directories" }, { "meta": { "source-uuid": "54246e2e-683f-4bf2-be4c-d7d5a60e7d22", "target-uuid": "0dbf5f1b-a560-4d51-ac1b-d70caab3e1f0" }, "uuid": "126bfb52-654a-4056-be93-37a06f8d6a32", "value": "LLMNR/NBT-NS Poisoning Mitigation mitigates LLMNR/NBT-NS Poisoning" }, { "meta": { "source-uuid": "ccd61dfc-b03f-4689-8c18-7c97eab08472", "target-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add" }, "uuid": "731710ae-a6b9-47b7-b8b2-8526ce60be2f", "value": "CHOPSTICK uses Remote File Copy" }, { "meta": { "source-uuid": "16ade1aa-0ea1-4bb7-88cc-9079df2ae756", "target-uuid": "b42378e0-f147-496f-992a-26a49705395b" }, "uuid": "7b355dcf-9a9f-43b3-9989-128f5171b5c3", "value": "admin@338 uses PoisonIvy" }, { "meta": { "source-uuid": "e6ef745b-077f-42e1-a37d-29eecff9c754", "target-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0" }, "uuid": "a4a49b56-e220-4a81-a0da-43b63c012cfe", "value": "CozyCar uses Masquerading" }, { "meta": { "source-uuid": "afc079f3-c0ea-4096-b75d-3f05338b7f60", "target-uuid": "ba8e391f-14b5-496f-81f2-2d5ecd646c1c" }, "uuid": "028c3adf-4182-4250-9642-2ce5c448f710", "value": "Mimikatz uses Credentials in Files" }, { "meta": { "source-uuid": "8b880b41-5139-4807-baa9-309690218719", "target-uuid": "d54416bd-0803-41ca-870a-ce1af7c05638" }, "uuid": "23df6015-0167-481c-84aa-3d15d3e38a85", "value": "SPACESHIP uses Data Encrypted" }, { "meta": { "source-uuid": "894aab42-3371-47b1-8859-a4a074c804c8", "target-uuid": 
"0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22" }, "uuid": "4d3e4232-1330-45a9-9e90-9914eed276a5", "value": "Stealth Falcon uses Credential Dumping" }, { "meta": { "source-uuid": "00c3bfcb-99bd-4767-8c03-b08f585f5c8a", "target-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59" }, "uuid": "789cf81d-bfc9-4c1a-a34a-57e41981894a", "value": "PowerDuke uses File Deletion" }, { "meta": { "source-uuid": "1cc934e4-b01d-4543-a011-b988dfc1a458", "target-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6" }, "uuid": "c476a0da-44fd-4492-86ae-407aabab3735", "value": "Matroyshka uses Standard Application Layer Protocol" }, { "meta": { "source-uuid": "54cc1d4f-5c53-4f0e-9ef5-11b4998e82e4", "target-uuid": "478aa214-2ca7-4ec0-9978-18798e514790" }, "uuid": "c48f6a1b-1599-4e82-a7b6-1f7b5186e99e", "value": "BlackEnergy uses New Service" }, { "meta": { "source-uuid": "09b2cd76-c674-47cc-9f57-d2f2ad150a46", "target-uuid": "7e150503-88e7-4861-866b-ff1ac82c4475" }, "uuid": "e0cf8a56-e8e1-43b0-9efc-f167d1cf21de", "value": "POWRUNER uses System Network Connections Discovery" }, { "meta": { "source-uuid": "7a19ecb1-3c65-4de3-a230-993516aed6a6", "target-uuid": "2e45723a-31da-4a7e-aaa6-e01998a6788f" }, "uuid": "bd2a23f7-88cd-47d2-b30e-9356d0204a8e", "value": "Turla uses Tasklist" }, { "meta": { "source-uuid": "69d6f4a9-fcf0-4f51-bca7-597c51ad0bb8", "target-uuid": "72b74d71-8169-42aa-92e0-e7b04b9f5a08" }, "uuid": "9e587add-08b7-4ecb-a40a-664b9cff1d0f", "value": "Remsec uses Account Discovery" }, { "meta": { "source-uuid": "7551188b-8f91-4d34-8350-0d0c57b2b913", "target-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a" }, "uuid": "68bbad6c-1685-4275-bd36-b885a64caf6d", "value": "Elise uses Obfuscated Files or Information" }, { "meta": { "source-uuid": "2a158b0a-7ef8-43cb-9985-bf34d1e12050", "target-uuid": "b77b563c-34bb-4fb8-86a3-3694338f7b47" }, "uuid": "2a220ca3-88f4-40eb-8041-184c412950d4", "value": "Naikon uses Ping" }, { "meta": { "source-uuid": "54cc1d4f-5c53-4f0e-9ef5-11b4998e82e4", "target-uuid": 
"0259baeb-9f63-4c69-bf10-eb038c390688" }, "uuid": "147d2e66-25de-42ea-8592-eb51333f595c", "value": "BlackEnergy uses Screen Capture" }, { "meta": { "source-uuid": "00c3bfcb-99bd-4767-8c03-b08f585f5c8a", "target-uuid": "7bc57495-ea59-4380-be31-a64af124ef18" }, "uuid": "24ea53e3-a51f-4c4a-b3de-2e1d09ed69e8", "value": "PowerDuke uses File and Directory Discovery" }, { "meta": { "source-uuid": "aaa92b37-f96c-4a0a-859c-b1cb6faeb13d", "target-uuid": "a6525aec-acc4-47fe-92f9-b9b4de4b9228" }, "uuid": "0bc1693e-d481-46d7-bd62-3ed6884986d2", "value": "Graphical User Interface Mitigation mitigates Graphical User Interface" }, { "meta": { "source-uuid": "fb366179-766c-4a4a-afa1-52bff1fd601c", "target-uuid": "c3888c54-775d-4b2f-b759-75a2ececcbfd" }, "uuid": "0b36c1d0-d016-4c12-bf61-6dc14b29c7e0", "value": "Threat Group-3390 uses Data Transfer Size Limits" }, { "meta": { "source-uuid": "2a7914cf-dff3-428d-ab0f-1014d1c28aeb", "target-uuid": "242f3da3-4425-4d11-8f5c-b842886da966" }, "uuid": "6ed5961a-224a-419b-b696-8962813158f2", "value": "FIN6 uses Windows Credential Editor" }, { "meta": { "source-uuid": "5967cc93-57c9-404a-8ffd-097edfa7bdfc", "target-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc" }, "uuid": "4f08676f-51c1-4cb5-94a7-08922e4886c6", "value": "Hi-Zor uses Registry Run Keys / Start Folder" }, { "meta": { "source-uuid": "1c63d4ec-0a75-4daa-b1df-0d11af3d3cc1", "target-uuid": "a93494bb-4b80-4ea1-8695-3236a49916fd" }, "uuid": "c74f0442-88c6-4f2b-abb1-c2f269a93d69", "value": "Dragonfly uses Brute Force" }, { "meta": { "source-uuid": "9ea525fa-b0a9-4dde-84f2-bcea0137b3c1", "target-uuid": "7bc57495-ea59-4380-be31-a64af124ef18" }, "uuid": "5c84d301-b6d1-4af8-9c25-1260e05fa924", "value": "MoonWind uses File and Directory Discovery" }, { "meta": { "source-uuid": "8e461ca3-0996-4e6e-a0df-e2a5bbc51ebc", "target-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830" }, "uuid": "43a63e7a-d673-47c0-9af5-76dcd5a5d9b8", "value": "4H RAT uses Command-Line Interface" }, { "meta": { 
"source-uuid": "495b6cdb-7b5a-4fbc-8d33-e7ef68806d08", "target-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830" }, "uuid": "9f1c680d-042e-4291-bf9c-85c51120aa8b", "value": "Volgmer uses Command-Line Interface" }, { "meta": { "source-uuid": "222fbd21-fc4f-4b7e-9f85-0e6e3a76c33f", "target-uuid": "b2001907-166b-4d71-bb3c-9d26c871de09" }, "uuid": "d4d07662-749c-4116-a83c-e4045eddad43", "value": "menuPass uses DLL Side-Loading" }, { "meta": { "source-uuid": "2dd34b01-6110-4aac-835d-b5e7b936b0be", "target-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0" }, "uuid": "3a241a6c-11ee-4abc-a551-b5d4e594aad4", "value": "OLDBAIT uses Masquerading" }, { "meta": { "source-uuid": "e066bf86-9cfb-407a-9d25-26fd5d91e360", "target-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a" }, "uuid": "291b7fbf-5b5f-460a-8009-cadb383b3262", "value": "HTTPBrowser uses Obfuscated Files or Information" }, { "meta": { "source-uuid": "2e290bfe-93b5-48ce-97d6-edcd6d32b7cf", "target-uuid": "348f1eef-964b-4eb6-bb53-69b3dcb0c643" }, "uuid": "d30d8fa0-7f24-41e5-ae8d-e4449e88d2f0", "value": "Gamaredon Group uses Peripheral Device Discovery" }, { "meta": { "source-uuid": "40d3e230-ed32-469f-ba89-be70cc08ab39", "target-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add" }, "uuid": "fcc12c1f-1a46-49f4-a872-99cb97968bf0", "value": "Agent.btz uses Remote File Copy" }, { "meta": { "source-uuid": "4f170666-7edb-4489-85c2-9affa28a72e0", "target-uuid": "01df3350-ce05-4bdf-bdf8-0a919a66d4a8" }, "uuid": "a48d44d2-a84c-45dc-9a59-2bc21f2f2301", "value": ".bash_profile and .bashrc Mitigation mitigates .bash_profile and .bashrc" }, { "meta": { "source-uuid": "196f1f32-e0c2-4d46-99cd-234d4b6befe1", "target-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6" }, "uuid": "4887f5b0-45ed-4848-a984-4e72263e33d8", "value": "Felismus uses Standard Application Layer Protocol" }, { "meta": { "source-uuid": "af2ad3b7-ab6a-4807-91fd-51bcaff9acbb", "target-uuid": "348f1eef-964b-4eb6-bb53-69b3dcb0c643" }, "uuid": "f7740e3c-c143-40b7-a8da-e797f5d74b50", 
"value": "USBStealer uses Peripheral Device Discovery" }, { "meta": { "source-uuid": "64d76fa5-cf8f-469c-b78c-1a4f7c5bad80", "target-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc" }, "uuid": "4af1ec66-5007-49df-8a10-df2c8ed7edc8", "value": "BBSRAT uses Registry Run Keys / Start Folder" }, { "meta": { "source-uuid": "0bbdf25b-30ff-4894-a1cd-49260d0dd2d9", "target-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0" }, "uuid": "48042284-2fde-43f0-a3dc-f64e9f16bd77", "value": "APT3 uses System Network Configuration Discovery" }, { "meta": { "source-uuid": "3240cbe4-c550-443b-aa76-cc2a7058b870", "target-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830" }, "uuid": "e27e75c2-5734-4602-8a32-c56bb50f890b", "value": "SNUGRIDE uses Command-Line Interface" }, { "meta": { "source-uuid": "68dca94f-c11d-421e-9287-7c501108e18c", "target-uuid": "b9f5dbe2-4c55-4fc5-af2e-d42c1d182ec4" }, "uuid": "0f3af4de-b1cc-4cc2-9eb7-9aa46cdebfcd", "value": "Duqu uses Data Compressed" }, { "meta": { "source-uuid": "26fed817-e7bf-41f9-829a-9075ffac45c2", "target-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830" }, "uuid": "305ecc72-e820-44cb-ab52-593ccca814ff", "value": "Kasidet uses Command-Line Interface" }, { "meta": { "source-uuid": "f047ee18-7985-4946-8bfb-4ed754d3a0dd", "target-uuid": "43213480-78f7-4fb3-976f-d48f5f6a4c2a" }, "uuid": "a18071ad-fe4f-4014-ad9a-1b0a66df3eab", "value": "APT30 uses FLASHFLOOD" }, { "meta": { "source-uuid": "65341f30-bec6-4b1d-8abf-1a5620446c29", "target-uuid": "d54416bd-0803-41ca-870a-ce1af7c05638" }, "uuid": "98d3455f-49cc-4539-ba35-4b11bec0ddcd", "value": "Reaver uses Data Encrypted" }, { "meta": { "source-uuid": "9a5b7194-88e0-4579-b82f-e3c27b8cca80", "target-uuid": "e01be9c5-e763-4caf-aeb7-000b416aef67" }, "uuid": "7b88fc6b-32c0-4c3d-9ea3-505543c7f374", "value": "Create Account Mitigation mitigates Create Account" }, { "meta": { "source-uuid": "17862c7d-9e60-48a0-b48e-da4dc4c3f6b0", "target-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc" }, "uuid": 
"3f954be4-205c-4cec-92f9-36715e204a49", "value": "Patchwork uses Registry Run Keys / Start Folder" }, { "meta": { "source-uuid": "7636484c-adc5-45d4-9bfe-c3e062fbc4a0", "target-uuid": "e48df773-7c95-4a4c-ba70-ea3d15900148" }, "uuid": "e9b0af76-f6b1-43b0-ac0e-ea23582f575b", "value": "Charming Kitten uses DownPaper" }, { "meta": { "source-uuid": "54cc1d4f-5c53-4f0e-9ef5-11b4998e82e4", "target-uuid": "348f1eef-964b-4eb6-bb53-69b3dcb0c643" }, "uuid": "7cac6ccb-d070-47da-8ebf-4034b0fddb7c", "value": "BlackEnergy uses Peripheral Device Discovery" }, { "meta": { "source-uuid": "c5e9cb46-aced-466c-85ea-7db5572ad9ec", "target-uuid": "6856ddd6-2df3-4379-8b87-284603c189c3" }, "uuid": "d92b5b68-4c3e-436f-a922-997467831409", "value": "Trojan.Mebromi uses System Firmware" }, { "meta": { "source-uuid": "0bbdf25b-30ff-4894-a1cd-49260d0dd2d9", "target-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc" }, "uuid": "cc705bf0-ba29-443e-9cd5-aef247505210", "value": "APT3 uses Registry Run Keys / Start Folder" }, { "meta": { "source-uuid": "2eb9b131-d333-4a48-9eb4-d8dec46c19ee", "target-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22" }, "uuid": "4d7add6f-ebd5-477f-9958-a5176835da2e", "value": "CosmicDuke uses Credential Dumping" }, { "meta": { "source-uuid": "308855d1-078b-47ad-8d2a-8f9b2713ffb5", "target-uuid": "ffe742ed-9100-4686-9e00-c331da544787" }, "uuid": "243bf0fe-68eb-4d82-bbbf-d551611a0cd8", "value": "Windows Admin Shares Mitigation mitigates Windows Admin Shares" }, { "meta": { "source-uuid": "4ca1929c-7d64-4aab-b849-badbfc0c760d", "target-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580" }, "uuid": "d8e375a3-f455-4c66-bc63-251f320ec8b1", "value": "OilRig uses Process Discovery" }, { "meta": { "source-uuid": "8b36d944-f274-4d46-9acd-dbba6927ce7a", "target-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc" }, "uuid": "9213f7ac-c548-4139-950b-5481a94570f9", "value": "Registry Run Keys / Start Folder Mitigation mitigates Registry Run Keys / Start Folder" }, { "meta": { "source-uuid": 
"64fa0de0-6240-41f4-8638-f4ca7ed528fd", "target-uuid": "830c9528-df21-472c-8c14-a036bf17d665" }, "uuid": "3d97f57c-2a7c-4626-8b05-9d345047d3ad", "value": "PlugX uses Web Service" }, { "meta": { "source-uuid": "0bbdf25b-30ff-4894-a1cd-49260d0dd2d9", "target-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81" }, "uuid": "8ac07a3f-9468-47a3-8ecc-c432f80e03f4", "value": "APT3 uses Valid Accounts" }, { "meta": { "source-uuid": "fbe9387f-34e6-4828-ac28-3080020c597b", "target-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9" }, "uuid": "8b3f374c-9f56-4493-8b85-72d0750d0c59", "value": "FIN10 uses Scheduled Task" }, { "meta": { "source-uuid": "8b880b41-5139-4807-baa9-309690218719", "target-uuid": "7dd95ff6-712e-4056-9626-312ea4ab4c5e" }, "uuid": "9e214d5b-7d46-4135-bc42-4caab16b39d8", "value": "SPACESHIP uses Data Staged" }, { "meta": { "source-uuid": "ae9d818d-95d0-41da-b045-9cabea1ca164", "target-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6" }, "uuid": "3acdd018-80a0-4005-bab9-0cf89acfa43a", "value": "PinchDuke uses Standard Application Layer Protocol" }, { "meta": { "source-uuid": "dcd81c6e-ebf7-4a16-93e0-9a97fa49c88a", "target-uuid": "1b84d551-6de8-4b96-9930-d177677c3b1d" }, "uuid": "f6915cfa-4c11-4830-bcd8-aa648596b895", "value": "CopyKittens uses Code Signing" }, { "meta": { "source-uuid": "7bec698a-7e20-4fd3-bb6a-12787770fb1a", "target-uuid": "6aabc5ec-eae6-422c-8311-38d45ee9838a" }, "uuid": "3f327394-55be-4dac-8e79-93c49be0426a", "value": "3PARA RAT uses Redundant Access" }, { "meta": { "source-uuid": "2e290bfe-93b5-48ce-97d6-edcd6d32b7cf", "target-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6" }, "uuid": "c63c7dc5-e374-4bf0-9839-0f940ac6d46c", "value": "Gamaredon Group uses Standard Application Layer Protocol" }, { "meta": { "source-uuid": "85403903-15e0-4f9f-9be4-a259ecad4022", "target-uuid": "242f3da3-4425-4d11-8f5c-b842886da966" }, "uuid": "432f40d2-5309-4cc1-9544-2943233c3c2c", "value": "FIN5 uses Windows Credential Editor" }, { "meta": { "source-uuid": 
"96b08451-b27a-4ff6-893f-790e26393a8e", "target-uuid": "3b3cbbe0-6ed3-4334-b543-3ddfd8c5642d" }, "uuid": "4e5dff55-c686-4fa6-bad1-caa8507083d9", "value": "Sakula uses Custom Cryptographic Protocol" }, { "meta": { "source-uuid": "bef4c620-0787-42a8-a96d-b7eb6e85917c", "target-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22" }, "uuid": "e71903c4-a7af-4317-adf0-10f76d3d4e15", "value": "APT28 uses Credential Dumping" }, { "meta": { "source-uuid": "6a2e693f-24e5-451a-9f88-b36a108e5662", "target-uuid": "5a84dc36-df0d-4053-9b7c-f0c388a57283" }, "uuid": "7909f5a6-3924-4259-aedd-2e48123f563a", "value": "APT1 uses CALENDAR" }, { "meta": { "source-uuid": "85403903-15e0-4f9f-9be4-a259ecad4022", "target-uuid": "7dd95ff6-712e-4056-9626-312ea4ab4c5e" }, "uuid": "2af3c673-c0c6-4246-aacc-984eb370e7b9", "value": "FIN5 uses Data Staged" }, { "meta": { "source-uuid": "876f6a77-fbc5-4e13-ab1a-5611986730a3", "target-uuid": "6faf650d-bf31-4eb4-802d-1000cf38efaf" }, "uuid": "e5a2a20c-1ef7-49a9-a9fa-2b89231793b8", "value": "T9000 uses Video Capture" }, { "meta": { "source-uuid": "b2203c59-4089-4ee4-bfe1-28fa25f0dbfe", "target-uuid": "317fefa6-46c7-4062-adb6-2008cf6bcb41" }, "uuid": "cb4af413-9bd7-4f1a-a693-57d11ffccbf5", "value": "Cherry Picker uses AppInit DLLs" }, { "meta": { "source-uuid": "fb575479-14ef-41e9-bfab-0b7cf10bec73", "target-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670" }, "uuid": "cc2099fb-4785-4884-b274-4f3e8a3b8d99", "value": "ADVSTORESHELL uses Execution through API" }, { "meta": { "source-uuid": "b6b3dfc7-9a81-43ff-ac04-698bad48973a", "target-uuid": "6ff403bc-93e3-48be-8687-e102fdba8c88" }, "uuid": "2f507d82-1df4-4c9c-804a-2e6060944142", "value": "Daserf uses Software Packing" }, { "meta": { "source-uuid": "c93fccb1-e8e8-42cf-ae33-2ad1d183913a", "target-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1" }, "uuid": "4eec017c-8bf2-4eda-8c92-15926fc7e5aa", "value": "Lazarus Group uses System Information Discovery" }, { "meta": { "source-uuid": 
"2eb9b131-d333-4a48-9eb4-d8dec46c19ee", "target-uuid": "1b7ba276-eedc-4951-a762-0ceea2c030ec" }, "uuid": "ff61ebde-befe-488a-89d0-dc4c49e60d59", "value": "CosmicDuke uses Data from Removable Media" }, { "meta": { "source-uuid": "cfc2d2fc-14ff-495f-bd99-585be47b804f", "target-uuid": "7c93aa74-4bc0-4a9e-90ea-f25f86301566" }, "uuid": "a38d4ac5-1d3d-4a2f-9493-ff3e2a4669b8", "value": "Application Shimming Mitigation mitigates Application Shimming" }, { "meta": { "source-uuid": "f9d6633a-55e6-4adc-9263-6ae080421a13", "target-uuid": "7fd87010-3a00-4da3-b905-410525e8ec44" }, "uuid": "675f24e0-c445-4eb3-a191-16fb181f6e30", "value": "Magic Hound uses Scripting" }, { "meta": { "source-uuid": "f3d0c735-330f-43c2-8e8e-51bcfa51e8c3", "target-uuid": "f72eb8a8-cd4c-461d-a814-3f862befbf00" }, "uuid": "647032ac-0432-4785-9d50-06b9970bcbcb", "value": "Custom Command and Control Protocol Mitigation mitigates Custom Command and Control Protocol" }, { "meta": { "source-uuid": "59a97b15-8189-4d51-9404-e1ce8ea4a069", "target-uuid": "7bc57495-ea59-4380-be31-a64af124ef18" }, "uuid": "63a7bbf6-bb2e-41e7-8893-c3f7f207a7a7", "value": "XAgentOSX uses File and Directory Discovery" }, { "meta": { "source-uuid": "fde50aaa-f5de-4cb8-989a-babb57d6a704", "target-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22" }, "uuid": "a8e6ca7b-5d75-429a-b8f8-de97d5c277b3", "value": "Net Crawler uses Credential Dumping" }, { "meta": { "source-uuid": "fb261c56-b80e-43a9-8351-c84081e7213d", "target-uuid": "84e02621-8fdf-470f-bd58-993bb6a89d91" }, "uuid": "a6962782-1942-42f5-a627-f205376e2ec2", "value": "BACKSPACE uses Multi-Stage Channels" }, { "meta": { "source-uuid": "6a2e693f-24e5-451a-9f88-b36a108e5662", "target-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0" }, "uuid": "c7823efd-005f-49ad-94cf-ebc44a87abed", "value": "APT1 uses Masquerading" }, { "meta": { "source-uuid": "222fbd21-fc4f-4b7e-9f85-0e6e3a76c33f", "target-uuid": "54a649ff-439a-41a4-9856-8d144a2551ba" }, "uuid": "f16c18f0-c5ac-4ea2-bfd0-222e63c09018", 
"value": "menuPass uses Remote Services" }, { "meta": { "source-uuid": "dfb5fa9b-3051-4b97-8035-08f80aef945b", "target-uuid": "92d7da27-2d91-488e-a00c-059dc162766d" }, "uuid": "ac3b6751-e615-44f6-a086-0c236742d8fd", "value": "Psylo uses Exfiltration Over Command and Control Channel" }, { "meta": { "source-uuid": "0bbdf25b-30ff-4894-a1cd-49260d0dd2d9", "target-uuid": "51dea151-0898-4a45-967c-3ebee0420484" }, "uuid": "d2858dfa-504f-416d-8801-41a1a9561f22", "value": "APT3 uses Remote Desktop Protocol" }, { "meta": { "source-uuid": "4e6b9625-bbda-4d96-a652-b3bb45453f26", "target-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9" }, "uuid": "abb4a85a-d98a-46f7-965b-48d9f88fe9b6", "value": "RemoteCMD uses Scheduled Task" }, { "meta": { "source-uuid": "f9d6633a-55e6-4adc-9263-6ae080421a13", "target-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580" }, "uuid": "a4c59c09-2abd-4c49-8156-0ccc9214b66e", "value": "Magic Hound uses Process Discovery" }, { "meta": { "source-uuid": "196f1f32-e0c2-4d46-99cd-234d4b6befe1", "target-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1" }, "uuid": "9f653750-2ee6-4d00-906b-c71f1d217288", "value": "Felismus uses System Information Discovery" }, { "meta": { "source-uuid": "3753cc21-2dae-4dfb-8481-d004e74502cc", "target-uuid": "0ced8926-914e-4c78-bc93-356fb90dbd1f" }, "uuid": "49d09bc3-cdc0-479b-8516-f64bff9b6757", "value": "FIN7 uses HALFBAKED" }, { "meta": { "source-uuid": "6713ab67-e25b-49cc-808d-2b36d4fbc35c", "target-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0" }, "uuid": "6fb6c639-cefa-4c7f-af89-26cb5fcd4030", "value": "Ke3chang uses System Network Configuration Discovery" }, { "meta": { "source-uuid": "2a158b0a-7ef8-43cb-9985-bf34d1e12050", "target-uuid": "007b44b6-e4c5-480b-b5b9-56f2081b1b7b" }, "uuid": "8119ee71-e017-4ba0-9aeb-a14c46f64f1a", "value": "Naikon uses HDoor" }, { "meta": { "source-uuid": "894aab42-3371-47b1-8859-a4a074c804c8", "target-uuid": "4b74a1d4-b0e9-4ef1-93f1-14ecc6e2f5b5" }, "uuid": "73da57b5-e64f-44ee-85f7-d294c21fb534", 
"value": "Stealth Falcon uses Standard Cryptographic Protocol" }, { "meta": { "source-uuid": "16ade1aa-0ea1-4bb7-88cc-9079df2ae756", "target-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0" }, "uuid": "1b141c9e-a679-40c7-ad7b-ac40ac586471", "value": "admin@338 uses System Network Configuration Discovery" }, { "meta": { "source-uuid": "6b616fc1-1505-48e3-8b2c-0d19337bff38", "target-uuid": "7dd95ff6-712e-4056-9626-312ea4ab4c5e" }, "uuid": "9cef6fec-e4eb-49eb-85db-880138f335bd", "value": "Rover uses Data Staged" }, { "meta": { "source-uuid": "f6d1d2cb-12f5-4221-9636-44606ea1f3f8", "target-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0" }, "uuid": "d8a5e73d-fe56-42d7-a53d-09a90c21308b", "value": "OSInfo uses System Network Configuration Discovery" }, { "meta": { "source-uuid": "899ce53f-13a0-479b-a0e4-67d46e241542", "target-uuid": "199463de-d9be-46d6-bb41-07234c1dd5a6" }, "uuid": "3ae8d262-d2f8-4fa5-adb4-e379d43b9c37", "value": "APT29 uses GeminiDuke" }, { "meta": { "source-uuid": "326af1cd-78e7-45b7-a326-125d2f7ef8f2", "target-uuid": "241814ae-de3f-4656-b49e-f9a80764d4b7" }, "uuid": "198d7156-eff4-4a6e-8e59-ab8a656f77a8", "value": "Crimson uses Security Software Discovery" }, { "meta": { "source-uuid": "a8d3d497-2da9-4797-8e0b-ed176be08654", "target-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59" }, "uuid": "2e5039ef-913f-4808-9685-32f64f4dbf49", "value": "Wingbird uses File Deletion" }, { "meta": { "source-uuid": "bb3c1098-d654-4620-bf40-694386d28921", "target-uuid": "4b74a1d4-b0e9-4ef1-93f1-14ecc6e2f5b5" }, "uuid": "4b6bee9b-469e-48ce-84fa-5322de03470a", "value": "FakeM uses Standard Cryptographic Protocol" }, { "meta": { "source-uuid": "7343e208-7cab-45f2-a47b-41ba5e2f0fab", "target-uuid": "519630c5-f03f-4882-825c-3af924935817" }, "uuid": "0c143634-89e1-47a0-9044-4ca39ccff76a", "value": "XTunnel uses Binary Padding" }, { "meta": { "source-uuid": "eff1a885-6f90-42a1-901f-eef6e7a1905e", "target-uuid": "f4882e23-8aa7-4b12-b28a-b349c12ee9e0" }, "uuid": 
"5b69fc3c-1bf7-4092-be94-755790ccf41f", "value": "Helminth uses PowerShell" }, { "meta": { "source-uuid": "eff1a885-6f90-42a1-901f-eef6e7a1905e", "target-uuid": "970cdb5c-02fb-4c38-b17e-d6327cf3c810" }, "uuid": "3537c31f-bd6f-4cad-97ac-4ec3d8a9478b", "value": "Helminth uses Shortcut Modification" }, { "meta": { "source-uuid": "4664b683-f578-434f-919b-1c1aad2a1111", "target-uuid": "7e150503-88e7-4861-866b-ff1ac82c4475" }, "uuid": "28189361-4cd2-4925-a095-d7ebd07ebd57", "value": "netstat uses System Network Connections Discovery" }, { "meta": { "source-uuid": "495b6cdb-7b5a-4fbc-8d33-e7ef68806d08", "target-uuid": "7bc57495-ea59-4380-be31-a64af124ef18" }, "uuid": "084ac639-2502-4020-8938-65352349acbb", "value": "Volgmer uses File and Directory Discovery" }, { "meta": { "source-uuid": "af2ad3b7-ab6a-4807-91fd-51bcaff9acbb", "target-uuid": "7bc57495-ea59-4380-be31-a64af124ef18" }, "uuid": "03ab3120-4c6e-4de2-982a-fe22d466f748", "value": "USBStealer uses File and Directory Discovery" }, { "meta": { "source-uuid": "df71bb3b-813c-45eb-a8bc-f2a419837411", "target-uuid": "1b84d551-6de8-4b96-9930-d177677c3b1d" }, "uuid": "361cbd71-b178-44d0-9802-78a310938bad", "value": "Molerats uses Code Signing" }, { "meta": { "source-uuid": "2fb26586-2b53-4b9a-ad4f-2b3bcb9a2421", "target-uuid": "f24faf46-3b26-4dbb-98f2-63460498e433" }, "uuid": "329678a6-eb6b-499b-90a8-059d1cf1a35f", "value": "SslMM uses Fallback Channels" }, { "meta": { "source-uuid": "ae9d818d-95d0-41da-b045-9cabea1ca164", "target-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5" }, "uuid": "d77a4123-3d46-4317-8921-f6eb8c34c585", "value": "PinchDuke uses Data from Local System" }, { "meta": { "source-uuid": "083bb47b-02c8-4423-81a2-f9ef58572974", "target-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580" }, "uuid": "b6ae274b-f0b3-4694-ab8d-37e0c62cff35", "value": "Backdoor.Oldrea uses Process Discovery" }, { "meta": { "source-uuid": "00c3bfcb-99bd-4767-8c03-b08f585f5c8a", "target-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a" }, 
"uuid": "1c677f35-b73b-47bc-b162-1fd036a38def", "value": "PowerDuke uses Obfuscated Files or Information" }, { "meta": { "source-uuid": "fb366179-766c-4a4a-afa1-52bff1fd601c", "target-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81" }, "uuid": "78f237da-f58b-4849-b2ee-cf1f3f7a1a42", "value": "Threat Group-3390 uses Valid Accounts" }, { "meta": { "source-uuid": "c5947e1c-1cbc-434c-94b8-27c7e3be0fff", "target-uuid": "0f20e3cb-245b-4a61-8a91-2d93f7cb0e9b" }, "uuid": "05e05236-1635-48d7-8ee3-33319c01c815", "value": "Winnti Group uses Rootkit" }, { "meta": { "source-uuid": "b6b3dfc7-9a81-43ff-ac04-698bad48973a", "target-uuid": "4b74a1d4-b0e9-4ef1-93f1-14ecc6e2f5b5" }, "uuid": "ce9dbe5b-1b16-41d6-a7af-a2a1b33c4552", "value": "Daserf uses Standard Cryptographic Protocol" }, { "meta": { "source-uuid": "8f5e8dc7-739d-4f5e-a8a1-a66e004d7063", "target-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22" }, "uuid": "1c7b9a1b-e874-4881-884a-e3c3d1fd8aed", "value": "Cleaver uses Credential Dumping" }, { "meta": { "source-uuid": "9e729a7e-0dd6-4097-95bf-db8d64911383", "target-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2" }, "uuid": "37c94531-1e56-4640-93fd-e9fd65da4f80", "value": "Darkhotel uses Input Capture" }, { "meta": { "source-uuid": "5be33fef-39c0-4532-84ee-bea31e1b5324", "target-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c" }, "uuid": "566d783a-2d86-4b9a-8ca0-5013de5f7fb4", "value": "ISMInjector uses Deobfuscate/Decode Files or Information" }, { "meta": { "source-uuid": "2fb26586-2b53-4b9a-ad4f-2b3bcb9a2421", "target-uuid": "970cdb5c-02fb-4c38-b17e-d6327cf3c810" }, "uuid": "79ecf1f6-a17d-4374-a84c-811669e39261", "value": "SslMM uses Shortcut Modification" }, { "meta": { "source-uuid": "af2ad3b7-ab6a-4807-91fd-51bcaff9acbb", "target-uuid": "64196062-5210-42c3-9a02-563a0d1797ef" }, "uuid": "c612eb88-d7e0-46cc-a9bc-d0da2977ff00", "value": "USBStealer uses Communication Through Removable Media" }, { "meta": { "source-uuid": "2f1a9fd0-3b7c-4d77-a358-78db13adbe78", "target-uuid": 
"0259baeb-9f63-4c69-bf10-eb038c390688" }, "uuid": "b2b873cd-8618-426e-9cae-9e6755acafad", "value": "EvilGrab uses Screen Capture" }, { "meta": { "source-uuid": "9ca488bd-9587-48ef-b923-1743523e63b2", "target-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6" }, "uuid": "a403648d-4c23-46bd-9688-1face1407b42", "value": "SOUNDBITE uses Standard Application Layer Protocol" }, { "meta": { "source-uuid": "93f52415-0fe4-4d3d-896c-fc9b8e88ab90", "target-uuid": "72b74d71-8169-42aa-92e0-e7b04b9f5a08" }, "uuid": "fa155ccc-b9db-48f6-bb1a-a367596668ad", "value": "BRONZE BUTLER uses Account Discovery" }, { "meta": { "source-uuid": "5a63f900-5e7e-4928-a746-dd4558e1df71", "target-uuid": "731f4f55-b6d0-41d1-a7a9-072a66389aea" }, "uuid": "69c1806d-e6ae-4c11-bce6-8fbebd8bbee5", "value": "netsh uses Connection Proxy" }, { "meta": { "source-uuid": "0bbdf25b-30ff-4894-a1cd-49260d0dd2d9", "target-uuid": "c848fcf7-6b62-4bde-8216-b6c157d48da0" }, "uuid": "e7379230-882e-4b5c-bee1-629e9028e97f", "value": "APT3 uses Uncommonly Used Port" }, { "meta": { "source-uuid": "09b2cd76-c674-47cc-9f57-d2f2ad150a46", "target-uuid": "f4882e23-8aa7-4b12-b28a-b349c12ee9e0" }, "uuid": "b4c7e12f-6921-4007-ab15-595969bf9eca", "value": "POWRUNER uses PowerShell" }, { "meta": { "source-uuid": "687c23e4-4e25-4ee7-a870-c5e002511f54", "target-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6" }, "uuid": "2892eada-7633-4428-80e0-0e965d5faf5c", "value": "DustySky uses Standard Application Layer Protocol" }, { "meta": { "source-uuid": "8f5e8dc7-739d-4f5e-a8a1-a66e004d7063", "target-uuid": "c0c45d38-fe57-4cd4-b2b2-9ecd0ddd4ca9" }, "uuid": "49957d89-7449-476a-b542-d7811a86c230", "value": "Cleaver uses TinyZBot" }, { "meta": { "source-uuid": "199463de-d9be-46d6-bb41-07234c1dd5a6", "target-uuid": "7bc57495-ea59-4380-be31-a64af124ef18" }, "uuid": "1b3cc0cb-de43-405b-bfa5-f0bececabf8c", "value": "GeminiDuke uses File and Directory Discovery" }, { "meta": { "source-uuid": "3240cbe4-c550-443b-aa76-cc2a7058b870", "target-uuid": 
"4b74a1d4-b0e9-4ef1-93f1-14ecc6e2f5b5" }, "uuid": "f02f0a58-a76b-4966-8717-8a9b40b07e81", "value": "SNUGRIDE uses Standard Cryptographic Protocol" }, { "meta": { "source-uuid": "6713ab67-e25b-49cc-808d-2b36d4fbc35c", "target-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580" }, "uuid": "c7e6d4a6-8d99-4134-848a-f4f712eb4316", "value": "Ke3chang uses Process Discovery" }, { "meta": { "source-uuid": "69d6f4a9-fcf0-4f51-bca7-597c51ad0bb8", "target-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580" }, "uuid": "3076f49e-0db2-4652-a07d-653027aeef1e", "value": "Remsec uses Process Discovery" }, { "meta": { "source-uuid": "fbe9387f-34e6-4828-ac28-3080020c597b", "target-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104" }, "uuid": "3d602fec-cf94-4aa4-a4d9-cad286e6881f", "value": "FIN10 uses System Owner/User Discovery" }, { "meta": { "source-uuid": "26fed817-e7bf-41f9-829a-9075ffac45c2", "target-uuid": "2e0dd10b-676d-4964-acd0-8a404c92b044" }, "uuid": "f81df2c8-1edd-4734-a1c9-cca6e4c56607", "value": "Kasidet uses Disabling Security Tools" }, { "meta": { "source-uuid": "5a84dc36-df0d-4053-9b7c-f0c388a57283", "target-uuid": "830c9528-df21-472c-8c14-a036bf17d665" }, "uuid": "2244e21e-b7f6-476f-8f58-67db772f9736", "value": "CALENDAR uses Web Service" }, { "meta": { "source-uuid": "0f862b01-99da-47cc-9bdb-db4a86a95bb1", "target-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6" }, "uuid": "73171e71-b769-41ff-874a-ff76da43541f", "value": "Emissary uses Standard Application Layer Protocol" }, { "meta": { "source-uuid": "bef4c620-0787-42a8-a96d-b7eb6e85917c", "target-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580" }, "uuid": "51d06864-d5de-4286-b2bb-561a8d2c4d49", "value": "APT28 uses Process Discovery" }, { "meta": { "source-uuid": "a0cb9370-e39b-44d5-9f50-ef78e412b973", "target-uuid": "9b99b83a-1aac-4e29-b975-b374950551a3" }, "uuid": "b9f4c6ef-d0bd-4651-9445-4705e1fd85f2", "value": "Axiom uses Accessibility Features" }, { "meta": { "source-uuid": "894aab42-3371-47b1-8859-a4a074c804c8", "target-uuid": 
"8f4a33ec-8b1f-4b80-a2f6-642b2e479580" }, "uuid": "4de2ac9b-4e51-4d73-8fe3-d7d1659778b8", "value": "Stealth Falcon uses Process Discovery" }, { "meta": { "source-uuid": "6b616fc1-1505-48e3-8b2c-0d19337bff38", "target-uuid": "7bc57495-ea59-4380-be31-a64af124ef18" }, "uuid": "e90717f3-fad2-4978-be15-7dfb647d034d", "value": "Rover uses File and Directory Discovery" }, { "meta": { "source-uuid": "247cb30b-955f-42eb-97a5-a89fef69341e", "target-uuid": "f4882e23-8aa7-4b12-b28a-b349c12ee9e0" }, "uuid": "5f00edf9-fcfc-4514-8d06-bc69f91f9260", "value": "APT32 uses PowerShell" }, { "meta": { "source-uuid": "40d3e230-ed32-469f-ba89-be70cc08ab39", "target-uuid": "e6415f09-df0e-48de-9aba-928c902b7549" }, "uuid": "8b96fb11-8b54-4bed-9e6c-cd93b29c5c20", "value": "Agent.btz uses Exfiltration Over Physical Medium" }, { "meta": { "source-uuid": "3753cc21-2dae-4dfb-8481-d004e74502cc", "target-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add" }, "uuid": "b077d81d-0449-493f-9b93-23dc0fb0b62d", "value": "FIN7 uses Remote File Copy" }, { "meta": { "source-uuid": "0b32ec39-ba61-4864-9ebe-b4b0b73caf9a", "target-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add" }, "uuid": "af4d45e1-1aa4-444c-b176-31df7aaf9374", "value": "TDTESS uses Remote File Copy" }, { "meta": { "source-uuid": "bef4c620-0787-42a8-a96d-b7eb6e85917c", "target-uuid": "ad255bfe-a9e6-4b52-a258-8d3462abe842" }, "uuid": "dc10e96f-1d3c-4ab9-8df6-acdc8238ec6c", "value": "APT28 uses Data Obfuscation" }, { "meta": { "source-uuid": "96e239be-ad99-49eb-b127-3007b8c1bec9", "target-uuid": "10d5f3b7-6be6-4da5-9a77-0f1e2bbfcc44" }, "uuid": "51006a56-a1fa-4467-b930-6488de0d32bd", "value": "Equation uses Component Firmware" }, { "meta": { "source-uuid": "bba595da-b73a-4354-aa6c-224d4de7cb4e", "target-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59" }, "uuid": "d7d3cf5c-e541-4639-95c6-8cdea60b084d", "value": "cmd uses File Deletion" }, { "meta": { "source-uuid": "899ce53f-13a0-479b-a0e4-67d46e241542", "target-uuid": 
"cbf646f1-7db5-4dc6-808b-0094313949df" }, "uuid": "a7180b8e-c580-49ab-bbfb-e56e8ab48823", "value": "APT29 uses CloudDuke" }, { "meta": { "source-uuid": "c93fccb1-e8e8-42cf-ae33-2ad1d183913a", "target-uuid": "51dea151-0898-4a45-967c-3ebee0420484" }, "uuid": "c79796c1-88d6-4cd8-95d3-4f81d3755859", "value": "Lazarus Group uses Remote Desktop Protocol" }, { "meta": { "source-uuid": "222fbd21-fc4f-4b7e-9f85-0e6e3a76c33f", "target-uuid": "afc079f3-c0ea-4096-b75d-3f05338b7f60" }, "uuid": "51372934-2c81-4db7-aa38-cbb173698cc2", "value": "menuPass uses Mimikatz" }, { "meta": { "source-uuid": "aafea02e-ece5-4bb2-91a6-3bf8c7f38a39", "target-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6" }, "uuid": "5909e6e9-c620-4278-9bdc-113f09e5799b", "value": "Cobalt Strike uses Standard Application Layer Protocol" }, { "meta": { "source-uuid": "55033a4d-3ffe-46b2-99b4-2c1541e9ce1c", "target-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81" }, "uuid": "58882b0d-0f4a-4e12-b8c1-f43c53fd96f4", "value": "Carbanak uses Valid Accounts" }, { "meta": { "source-uuid": "54cc1d4f-5c53-4f0e-9ef5-11b4998e82e4", "target-uuid": "ffe742ed-9100-4686-9e00-c331da544787" }, "uuid": "53d7b242-3ed6-4281-9829-e25d425e28fe", "value": "BlackEnergy uses Windows Admin Shares" }, { "meta": { "source-uuid": "f9d6633a-55e6-4adc-9263-6ae080421a13", "target-uuid": "c848fcf7-6b62-4bde-8216-b6c157d48da0" }, "uuid": "35b912d8-bf46-4dec-b2eb-c48c0056af6e", "value": "Magic Hound uses Uncommonly Used Port" }, { "meta": { "source-uuid": "687c23e4-4e25-4ee7-a870-c5e002511f54", "target-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1" }, "uuid": "c008b7f3-0507-4987-a7e4-8c4d57cb4ca5", "value": "DustySky uses System Information Discovery" }, { "meta": { "source-uuid": "f9d6633a-55e6-4adc-9263-6ae080421a13", "target-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1" }, "uuid": "b60dcc78-83b0-4fe2-b874-6f22f99b6087", "value": "Magic Hound uses System Information Discovery" }, { "meta": { "source-uuid": "60c18d06-7b91-4742-bae3-647845cd9d81", 
"target-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1" }, "uuid": "5301c007-7c00-4b4d-b355-864db8de052f", "value": "CORESHELL uses System Information Discovery" }, { "meta": { "source-uuid": "899ce53f-13a0-479b-a0e4-67d46e241542", "target-uuid": "799ace7f-e227-4411-baa0-8868704f2a69" }, "uuid": "5bda4ebe-cd21-469e-9495-952df7254f17", "value": "APT29 uses Indicator Removal on Host" }, { "meta": { "source-uuid": "899ce53f-13a0-479b-a0e4-67d46e241542", "target-uuid": "00c3bfcb-99bd-4767-8c03-b08f585f5c8a" }, "uuid": "da3a85c7-7590-48b1-8a22-2f8b00060f83", "value": "APT29 uses PowerDuke" }, { "meta": { "source-uuid": "0bbdf25b-30ff-4894-a1cd-49260d0dd2d9", "target-uuid": "6ff403bc-93e3-48be-8687-e102fdba8c88" }, "uuid": "ef1cdbe7-29c9-4be9-a3f7-96e5b7bae031", "value": "APT3 uses Software Packing" }, { "meta": { "source-uuid": "66b1dcde-17a0-4c7b-95fa-b08d430c2131", "target-uuid": "f879d51c-5476-431c-aedf-f14d207e4d1e" }, "uuid": "09e8b282-61ee-4107-94f5-d03e28199fe9", "value": "S-Type uses Commonly Used Port" }, { "meta": { "source-uuid": "d5dce4b9-f1fa-4c03-aff9-ce177246cb64", "target-uuid": "f44731de-ea9f-406d-9b83-30ecbb9b4392" }, "uuid": "87131e3c-9d73-4910-a56d-f917d6660a7d", "value": "Service Execution Mitigation mitigates Service Execution" }, { "meta": { "source-uuid": "96b08451-b27a-4ff6-893f-790e26393a8e", "target-uuid": "62b8c999-dcc0-4755-bd69-09442d9359f5" }, "uuid": "a79ff150-e765-4303-9668-ff553d6000cd", "value": "Sakula uses Rundll32" }, { "meta": { "source-uuid": "64d76fa5-cf8f-469c-b78c-1a4f7c5bad80", "target-uuid": "7bc57495-ea59-4380-be31-a64af124ef18" }, "uuid": "8beb37e3-5cf0-4229-ae27-186a37133521", "value": "BBSRAT uses File and Directory Discovery" }, { "meta": { "source-uuid": "37cc7eb6-12e3-467b-82e8-f20f2cc73c69", "target-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688" }, "uuid": "290c4e3b-00be-411f-b0c8-919e85e08a49", "value": "Prikormka uses Screen Capture" }, { "meta": { "source-uuid": "5a3a31fe-5a8f-48e1-bff0-a753e5b1be70", "target-uuid": 
"c16e5409-ee53-4d79-afdc-4099dc9292df" }, "uuid": "bea7bd3c-1251-4858-8957-a6dc3bb840d2", "value": "China Chopper uses Web Shell" }, { "meta": { "source-uuid": "00c3bfcb-99bd-4767-8c03-b08f585f5c8a", "target-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830" }, "uuid": "e465e173-04d8-4a2b-8953-a2fa3b44aec0", "value": "PowerDuke uses Command-Line Interface" }, { "meta": { "source-uuid": "93f52415-0fe4-4d3d-896c-fc9b8e88ab90", "target-uuid": "e358d692-23c0-4a31-9eb6-ecc13a8d7735" }, "uuid": "95805281-96b1-49ea-95ee-9d654178c5c3", "value": "BRONZE BUTLER uses Remote System Discovery" }, { "meta": { "source-uuid": "ace4daee-f914-4707-be75-843f16da2edf", "target-uuid": "44dca04b-808d-46ca-b25f-d85236d4b9f8" }, "uuid": "9952a93f-d009-48e5-a618-8e8f97a55685", "value": "Bash History Mitigation mitigates Bash History" }, { "meta": { "source-uuid": "b143dfa4-e944-43ff-8429-bfffc308c517", "target-uuid": "3b3cbbe0-6ed3-4334-b543-3ddfd8c5642d" }, "uuid": "cf859589-38ac-4152-b206-08740ccf503b", "value": "Taidoor uses Custom Cryptographic Protocol" }, { "meta": { "source-uuid": "1c0711c8-2a73-48a1-893d-ff88bcd23824", "target-uuid": "4eeaf8a9-c86b-4954-a663-9555fb406466" }, "uuid": "130275cb-368e-4168-a4bf-60b39566bc50", "value": "Scheduled Transfer Mitigation mitigates Scheduled Transfer" }, { "meta": { "source-uuid": "eff1a885-6f90-42a1-901f-eef6e7a1905e", "target-uuid": "1b84d551-6de8-4b96-9930-d177677c3b1d" }, "uuid": "259a5116-2492-4d7b-b300-1cf9b8c79f00", "value": "Helminth uses Code Signing" }, { "meta": { "source-uuid": "876f6a77-fbc5-4e13-ab1a-5611986730a3", "target-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0" }, "uuid": "0649f7fd-3aa1-4646-a7a4-2334088c6c74", "value": "T9000 uses System Network Configuration Discovery" }, { "meta": { "source-uuid": "bba595da-b73a-4354-aa6c-224d4de7cb4e", "target-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1" }, "uuid": "745106bb-3641-488e-ae1c-547cd6ea9b7a", "value": "cmd uses System Information Discovery" }, { "meta": { "source-uuid": 
"fb366179-766c-4a4a-afa1-52bff1fd601c", "target-uuid": "a60657fa-e2e7-4f8f-8128-a882534ae8c5" }, "uuid": "614c18a5-2cee-48ac-898d-e1b85a91e44d", "value": "Threat Group-3390 uses OwaAuth" }, { "meta": { "source-uuid": "bba595da-b73a-4354-aa6c-224d4de7cb4e", "target-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830" }, "uuid": "fb60b027-facd-4be2-b8b2-0fb9351ea235", "value": "cmd uses Command-Line Interface" }, { "meta": { "source-uuid": "5e7ef1dc-7fb6-4913-ac75-e06113b59e0c", "target-uuid": "830c9528-df21-472c-8c14-a036bf17d665" }, "uuid": "1f972385-7f1c-4cbd-a071-951973e6d229", "value": "MiniDuke uses Web Service" }, { "meta": { "source-uuid": "8901ac23-6b50-410c-b0dd-d8174a86f9b3", "target-uuid": "f44731de-ea9f-406d-9b83-30ecbb9b4392" }, "uuid": "73a53379-746e-46db-b101-1fc45df5e458", "value": "Shamoon uses Service Execution" }, { "meta": { "source-uuid": "ff6840c9-4c87-4d07-bbb6-9f50aa33d498", "target-uuid": "3b744087-9945-4a6f-91e8-9dbceda417a4" }, "uuid": "00b0af92-df59-4d56-ac3e-18f6f1f72957", "value": "Flame uses Replication Through Removable Media" }, { "meta": { "source-uuid": "1c63d4ec-0a75-4daa-b1df-0d11af3d3cc1", "target-uuid": "82cb34ba-02b5-432b-b2d2-07f55cbf674d" }, "uuid": "fa9a8640-75e5-458c-99c0-e5e85aa32a77", "value": "Dragonfly uses Trojan.Karagany" }, { "meta": { "source-uuid": "cf23bf4a-e003-4116-bbae-1ea6c558d565", "target-uuid": "a19e86f8-1c0a-4fea-8407-23b73d615776" }, "uuid": "ac3ee298-bef0-4a52-9050-3dcef1701408", "value": "FTP uses Exfiltration Over Alternative Protocol" }, { "meta": { "source-uuid": "ccd61dfc-b03f-4689-8c18-7c97eab08472", "target-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830" }, "uuid": "2fa20fad-4ede-42f4-8ce5-7f5a6ce83ed8", "value": "CHOPSTICK uses Command-Line Interface" }, { "meta": { "source-uuid": "72f54d66-675d-4587-9bd3-4ed09f9522e4", "target-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2" }, "uuid": "82384148-90fd-4bfa-a734-e9c8b37b584f", "value": "Carbanak uses Input Capture" }, { "meta": { "source-uuid": 
"b2203c59-4089-4ee4-bfe1-28fa25f0dbfe", "target-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59" }, "uuid": "171380bf-41ff-43da-86fe-c131f5f7b97b", "value": "Cherry Picker uses File Deletion" }, { "meta": { "source-uuid": "68dca94f-c11d-421e-9287-7c501108e18c", "target-uuid": "1c338d0f-a65e-4073-a5c1-c06878849f21" }, "uuid": "f64acb43-91b8-431a-ad0a-ad22afe5851a", "value": "Duqu uses Process Hollowing" }, { "meta": { "source-uuid": "26fed817-e7bf-41f9-829a-9075ffac45c2", "target-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2" }, "uuid": "e45cdf20-e182-4346-8c98-a48575282ae6", "value": "Kasidet uses Input Capture" }, { "meta": { "source-uuid": "2a7914cf-dff3-428d-ab0f-1014d1c28aeb", "target-uuid": "7fd87010-3a00-4da3-b905-410525e8ec44" }, "uuid": "1f764874-0e08-4799-9487-a9e12c499c13", "value": "FIN6 uses Scripting" }, { "meta": { "source-uuid": "ec418d1b-4963-439f-b055-f914737ef362", "target-uuid": "f792d02f-813d-402b-86a5-ab98cb391d3b" }, "uuid": "0ac55ad4-0f16-416e-bf88-67ee1aad85ab", "value": "InstallUtil Mitigation mitigates InstallUtil" }, { "meta": { "source-uuid": "94379dec-5c87-49db-b36e-66abc0b81344", "target-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d" }, "uuid": "7fd4fe68-0f2a-485c-9b10-6847428ef5da", "value": "Derusbi uses Process Injection" }, { "meta": { "source-uuid": "8ae43c46-57ef-47d5-a77a-eebb35628db2", "target-uuid": "9b52fca7-1a36-4da0-b62d-da5bd83b4d69" }, "uuid": "988cb889-b385-4e8f-be06-7d41c4da0dd7", "value": "JHUHUGIT uses Component Object Model Hijacking" }, { "meta": { "source-uuid": "222fbd21-fc4f-4b7e-9f85-0e6e3a76c33f", "target-uuid": "7e150503-88e7-4861-866b-ff1ac82c4475" }, "uuid": "12ea66f1-566a-404f-a948-f76b9047710e", "value": "menuPass uses System Network Connections Discovery" }, { "meta": { "source-uuid": "09b2cd76-c674-47cc-9f57-d2f2ad150a46", "target-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896" }, "uuid": "d078f862-c090-4e79-808b-ff69887a920c", "value": "POWRUNER uses Query Registry" }, { "meta": { "source-uuid": 
"afc079f3-c0ea-4096-b75d-3f05338b7f60", "target-uuid": "6c174520-beea-43d9-aac6-28fb77f3e446" }, "uuid": "41f04732-8fdc-4b2f-9e22-7b78ff650e5d", "value": "Mimikatz uses Security Support Provider" }, { "meta": { "source-uuid": "402e92cd-5608-4f4b-9a34-a2c962e4bcd7", "target-uuid": "e99ec083-abdd-48de-ad87-4dbf6f8ba2a4" }, "uuid": "a6a8e3e4-faa7-4c9f-9460-fabbbc8c844c", "value": "Launch Daemon Mitigation mitigates Launch Daemon" }, { "meta": { "source-uuid": "85403903-15e0-4f9f-9be4-a259ecad4022", "target-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81" }, "uuid": "e25b4146-2f52-4c5b-a1f8-3e868e767f84", "value": "FIN5 uses Valid Accounts" }, { "meta": { "source-uuid": "56db6ccc-433d-4411-8383-c3fd7053e2c8", "target-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670" }, "uuid": "678be242-66fd-40b8-bbf1-24c3dda77895", "value": "Execution through API Mitigation mitigates Execution through API" }, { "meta": { "source-uuid": "899ce53f-13a0-479b-a0e4-67d46e241542", "target-uuid": "ed7d0cb1-87a6-43b4-9f46-ef1bc56d6c68" }, "uuid": "bd5b6f31-2248-4af8-8e8e-e3273aaa57e4", "value": "APT29 uses Tor" }, { "meta": { "source-uuid": "fece06b7-d4b1-42cf-b81a-5323c917546e", "target-uuid": "3b3cbbe0-6ed3-4334-b543-3ddfd8c5642d" }, "uuid": "35f02c40-d46f-44fa-8ba2-5106357494b4", "value": "FALLCHILL uses Custom Cryptographic Protocol" }, { "meta": { "source-uuid": "b77b563c-34bb-4fb8-86a3-3694338f7b47", "target-uuid": "e358d692-23c0-4a31-9eb6-ecc13a8d7735" }, "uuid": "9b2356e1-6544-40a7-a694-8ac36a1da1b7", "value": "Ping uses Remote System Discovery" }, { "meta": { "source-uuid": "bef4c620-0787-42a8-a96d-b7eb6e85917c", "target-uuid": "a1dd2dbd-1550-44bf-abcc-1a4c52e97719" }, "uuid": "89363ca8-1cf3-4c40-972c-6e2787a05b43", "value": "APT28 uses Responder" }, { "meta": { "source-uuid": "cde2d700-9ed1-46cf-9bce-07364fe8b24f", "target-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896" }, "uuid": "5365d764-76fa-49ce-b76b-d0344322b037", "value": "Reg uses Query Registry" }, { "meta": { "source-uuid": 
"17b40f60-729f-4fe8-8aea-cc9ee44a95d5", "target-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6" }, "uuid": "c33c2a0f-eb88-43ef-be7b-6311bef2da3d", "value": "RedLeaves uses Standard Application Layer Protocol" }, { "meta": { "source-uuid": "894aab42-3371-47b1-8859-a4a074c804c8", "target-uuid": "7fd87010-3a00-4da3-b905-410525e8ec44" }, "uuid": "0d63f3cf-bace-4210-9b76-199c5cdb8764", "value": "Stealth Falcon uses Scripting" }, { "meta": { "source-uuid": "76abb3ef-dafd-4762-97cb-a35379429db4", "target-uuid": "2892b9ee-ca9f-4723-b332-0dc6e843a8ae" }, "uuid": "b4f8c479-aab5-481d-aa04-922677da108a", "value": "Gazer uses Screensaver" }, { "meta": { "source-uuid": "0bbdf25b-30ff-4894-a1cd-49260d0dd2d9", "target-uuid": "7e150503-88e7-4861-866b-ff1ac82c4475" }, "uuid": "4d82bac6-ec9d-4f4b-a471-169728a830a4", "value": "APT3 uses System Network Connections Discovery" }, { "meta": { "source-uuid": "7343e208-7cab-45f2-a47b-41ba5e2f0fab", "target-uuid": "731f4f55-b6d0-41d1-a7a9-072a66389aea" }, "uuid": "d3234cf8-0ef7-4447-ae3a-9624f3229265", "value": "XTunnel uses Connection Proxy" }, { "meta": { "source-uuid": "8e461ca3-0996-4e6e-a0df-e2a5bbc51ebc", "target-uuid": "7bc57495-ea59-4380-be31-a64af124ef18" }, "uuid": "26968975-5f01-4b4b-9cdc-ef3b76710304", "value": "4H RAT uses File and Directory Discovery" }, { "meta": { "source-uuid": "ae41895a-243f-4a65-b99b-d85022326c31", "target-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a" }, "uuid": "86461465-cb29-4fc9-8fa8-8956c0f94536", "value": "Dust Storm uses Obfuscated Files or Information" }, { "meta": { "source-uuid": "c93fccb1-e8e8-42cf-ae33-2ad1d183913a", "target-uuid": "5a63f900-5e7e-4928-a746-dd4558e1df71" }, "uuid": "9f62c4e4-02d4-497b-8039-cc4e816386a5", "value": "Lazarus Group uses netsh" }, { "meta": { "source-uuid": "94379dec-5c87-49db-b36e-66abc0b81344", "target-uuid": "128c55d3-aeba-469f-bd3e-c8996ab4112a" }, "uuid": "60137eb6-ed8c-41ce-bf75-6b45cdafe751", "value": "Derusbi uses Timestomp" }, { "meta": { "source-uuid": 
"0f862b01-99da-47cc-9bdb-db4a86a95bb1", "target-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d" }, "uuid": "106aae81-fab1-42b3-97b0-4f0c1d67c896", "value": "Emissary uses Process Injection" }, { "meta": { "source-uuid": "af2ad3b7-ab6a-4807-91fd-51bcaff9acbb", "target-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59" }, "uuid": "e5efa7ca-3e2a-4f08-ac2c-f5f317c9caf7", "value": "USBStealer uses File Deletion" }, { "meta": { "source-uuid": "277d2f87-2ae5-4730-a3aa-50c1fdff9656", "target-uuid": "69d6f4a9-fcf0-4f51-bca7-597c51ad0bb8" }, "uuid": "edea5971-fc27-4637-8de9-aabcd50784a7", "value": "Strider uses Remsec" }, { "meta": { "source-uuid": "7551188b-8f91-4d34-8350-0d0c57b2b913", "target-uuid": "4b74a1d4-b0e9-4ef1-93f1-14ecc6e2f5b5" }, "uuid": "1a028242-1896-4867-a691-c97867f1663d", "value": "Elise uses Standard Cryptographic Protocol" }, { "meta": { "source-uuid": "94379dec-5c87-49db-b36e-66abc0b81344", "target-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1" }, "uuid": "5d2ca571-9e66-4949-b3a1-978c47398b18", "value": "Derusbi uses System Information Discovery" }, { "meta": { "source-uuid": "0b32ec39-ba61-4864-9ebe-b4b0b73caf9a", "target-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59" }, "uuid": "0061f7aa-fe4e-41e5-8ebf-e9f526bda08f", "value": "TDTESS uses File Deletion" }, { "meta": { "source-uuid": "68dca94f-c11d-421e-9287-7c501108e18c", "target-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0" }, "uuid": "dbf13cc5-f61b-41fd-96fa-d0bac20549bc", "value": "Duqu uses System Network Configuration Discovery" }, { "meta": { "source-uuid": "495b6cdb-7b5a-4fbc-8d33-e7ef68806d08", "target-uuid": "62dfd1ca-52d5-483c-a84b-d6e80bf94b7b" }, "uuid": "96a09c57-4848-464e-8649-142152c91db9", "value": "Volgmer uses Modify Existing Service" }, { "meta": { "source-uuid": "876f6a77-fbc5-4e13-ab1a-5611986730a3", "target-uuid": "f3c544dc-673c-4ef3-accb-53229f1ae077" }, "uuid": "0d2a66c5-fb8e-4cbb-9526-579b5c9c881c", "value": "T9000 uses System Time Discovery" }, { "meta": { "source-uuid": 
"222fbd21-fc4f-4b7e-9f85-0e6e3a76c33f", "target-uuid": "e3a12395-188d-4051-9a16-ea8e14d07b88" }, "uuid": "0d889b2d-eda4-45dc-99bf-c530b7d4b05f", "value": "menuPass uses Network Service Scanning" }, { "meta": { "source-uuid": "6a0ef5d4-fc7c-4dda-85d7-592e4dbdc5d9", "target-uuid": "dd43c543-bb85-4a6f-aa6e-160d90d06a49" }, "uuid": "2b6da092-7380-4bd3-bd4c-f136a5b9b4cc", "value": "Sykipot uses Two-Factor Authentication Interception" }, { "meta": { "source-uuid": "fb261c56-b80e-43a9-8351-c84081e7213d", "target-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1" }, "uuid": "16cb7ede-b431-4711-bcb1-91bc925663e5", "value": "BACKSPACE uses System Information Discovery" }, { "meta": { "source-uuid": "76abb3ef-dafd-4762-97cb-a35379429db4", "target-uuid": "514ede4c-78b3-4d78-a38b-daddf6217a79" }, "uuid": "07f83a39-8bb0-44f1-9c81-7291ba10dd03", "value": "Gazer uses Winlogon Helper DLL" }, { "meta": { "source-uuid": "7f8730af-f683-423f-9ee1-5f6875a80481", "target-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104" }, "uuid": "fea6e347-95f5-4d97-8781-4cc15d6b5b0c", "value": "Sys10 uses System Owner/User Discovery" }, { "meta": { "source-uuid": "dc5d1a33-62aa-4a0c-aa8c-589b87beb11e", "target-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc" }, "uuid": "2e44b66a-0f81-4f60-94aa-c450556bc243", "value": "ChChes uses Registry Run Keys / Start Folder" }, { "meta": { "source-uuid": "eff1a885-6f90-42a1-901f-eef6e7a1905e", "target-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9" }, "uuid": "09266cb7-26b3-4959-bcff-a91e309b5588", "value": "Helminth uses Scheduled Task" }, { "meta": { "source-uuid": "4e6b9625-bbda-4d96-a652-b3bb45453f26", "target-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add" }, "uuid": "b3831788-f18f-4315-997e-275e425c0d31", "value": "RemoteCMD uses Remote File Copy" }, { "meta": { "source-uuid": "66b1dcde-17a0-4c7b-95fa-b08d430c2131", "target-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0" }, "uuid": "11874e26-e692-43da-bb54-760e51a4714f", "value": "S-Type uses Masquerading" }, { "meta": { 
"source-uuid": "2e45723a-31da-4a7e-aaa6-e01998a6788f", "target-uuid": "322bad5a-1c49-4d23-ab79-76d641794afa" }, "uuid": "40c5a024-37db-478b-b90f-27f184bf8f60", "value": "Tasklist uses System Service Discovery" }, { "meta": { "source-uuid": "876f6a77-fbc5-4e13-ab1a-5611986730a3", "target-uuid": "241814ae-de3f-4656-b49e-f9a80764d4b7" }, "uuid": "74e84133-f84a-469a-bfd7-1a514af2f15e", "value": "T9000 uses Security Software Discovery" }, { "meta": { "source-uuid": "f9d6633a-55e6-4adc-9263-6ae080421a13", "target-uuid": "f879d51c-5476-431c-aedf-f14d207e4d1e" }, "uuid": "bb784f1f-fb42-4587-9fe2-9dd5c8dffa5c", "value": "Magic Hound uses Commonly Used Port" }, { "meta": { "source-uuid": "222fbd21-fc4f-4b7e-9f85-0e6e3a76c33f", "target-uuid": "dc5d1a33-62aa-4a0c-aa8c-589b87beb11e" }, "uuid": "845482a1-a062-407d-a83e-90d883d1d91b", "value": "menuPass uses ChChes" }, { "meta": { "source-uuid": "7a19ecb1-3c65-4de3-a230-993516aed6a6", "target-uuid": "da5880b4-f7da-4869-85f2-e0aba84b8565" }, "uuid": "35a9c64c-c305-46bf-a216-c8bb1b051614", "value": "Turla uses ComRAT" }, { "meta": { "source-uuid": "fb366179-766c-4a4a-afa1-52bff1fd601c", "target-uuid": "72b74d71-8169-42aa-92e0-e7b04b9f5a08" }, "uuid": "b2dbbb46-9659-4277-8753-c469c4bfe409", "value": "Threat Group-3390 uses Account Discovery" }, { "meta": { "source-uuid": "bef4c620-0787-42a8-a96d-b7eb6e85917c", "target-uuid": "8ae43c46-57ef-47d5-a77a-eebb35628db2" }, "uuid": "75d04175-c43d-46cd-be08-5f4c91f767ed", "value": "APT28 uses JHUHUGIT" }, { "meta": { "source-uuid": "9752aef4-a1f3-4328-929f-b64eb0536090", "target-uuid": "d54416bd-0803-41ca-870a-ce1af7c05638" }, "uuid": "53ad6525-7888-4651-bd43-c010b489ccc0", "value": "RawPOS uses Data Encrypted" }, { "meta": { "source-uuid": "17862c7d-9e60-48a0-b48e-da4dc4c3f6b0", "target-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830" }, "uuid": "c5da001c-2c17-4e83-8e5c-21863ead4bd9", "value": "Patchwork uses Command-Line Interface" }, { "meta": { "source-uuid": 
"2e290bfe-93b5-48ce-97d6-edcd6d32b7cf", "target-uuid": "1b7ba276-eedc-4951-a762-0ceea2c030ec" }, "uuid": "788e8246-d835-42c6-b8b4-7efad31e4a84", "value": "Gamaredon Group uses Data from Removable Media" }, { "meta": { "source-uuid": "7551188b-8f91-4d34-8350-0d0c57b2b913", "target-uuid": "72b74d71-8169-42aa-92e0-e7b04b9f5a08" }, "uuid": "c987dc63-ef3d-43aa-9344-bd9fd528c55d", "value": "Elise uses Account Discovery" }, { "meta": { "source-uuid": "a8d3d497-2da9-4797-8e0b-ed176be08654", "target-uuid": "b2001907-166b-4d71-bb3c-9d26c871de09" }, "uuid": "1bbb499c-81c8-4e94-8305-86b199e8298b", "value": "Wingbird uses DLL Side-Loading" }, { "meta": { "source-uuid": "5ce5392a-3a6c-4e07-9df3-9b6a9159ac45", "target-uuid": "800bdfba-6d66-480f-9f45-15845c05cb5d" }, "uuid": "0cde085d-12ca-4cde-a99c-c37d63d7dc2e", "value": "Putter Panda uses pngdowner" }, { "meta": { "source-uuid": "fece06b7-d4b1-42cf-b81a-5323c917546e", "target-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1" }, "uuid": "5dd257c0-c2cb-422a-9991-93ff667c5ad6", "value": "FALLCHILL uses System Information Discovery" }, { "meta": { "source-uuid": "fdb1ae84-7b00-4d3d-b7dc-c774beef6425", "target-uuid": "a10641f4-87b4-45a3-a906-92a149cb2c27" }, "uuid": "bb55d7e7-28af-4efd-8384-289f1a8b173e", "value": "Account Manipulation Mitigation mitigates Account Manipulation" }, { "meta": { "source-uuid": "f2cb6ce2-188d-4162-8feb-594f949b13dd", "target-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9" }, "uuid": "8bbb18a7-5eab-4832-beac-f52f30b54862", "value": "Scheduled Task Mitigation mitigates Scheduled Task" }, { "meta": { "source-uuid": "85403903-15e0-4f9f-9be4-a259ecad4022", "target-uuid": "7fd87010-3a00-4da3-b905-410525e8ec44" }, "uuid": "39590383-ba69-4d8f-9520-e893cd4ebcdf", "value": "FIN5 uses Scripting" }, { "meta": { "source-uuid": "9e729a7e-0dd6-4097-95bf-db8d64911383", "target-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc" }, "uuid": "d021d378-a5ff-4020-972c-cc9152e824b0", "value": "Darkhotel uses Registry Run Keys / Start 
Folder" }, { "meta": { "source-uuid": "9ea525fa-b0a9-4dde-84f2-bcea0137b3c1", "target-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2" }, "uuid": "0e58b447-7b3e-404c-b8e5-003734c34574", "value": "MoonWind uses Input Capture" }, { "meta": { "source-uuid": "2e45723a-31da-4a7e-aaa6-e01998a6788f", "target-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580" }, "uuid": "32a470e7-4bbc-43e8-ae8e-09b382dd441f", "value": "Tasklist uses Process Discovery" }, { "meta": { "source-uuid": "fb366179-766c-4a4a-afa1-52bff1fd601c", "target-uuid": "e3a12395-188d-4051-9a16-ea8e14d07b88" }, "uuid": "13d8aec7-3e49-41f8-b57c-475cdc0d9632", "value": "Threat Group-3390 uses Network Service Scanning" }, { "meta": { "source-uuid": "687c23e4-4e25-4ee7-a870-c5e002511f54", "target-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2" }, "uuid": "5e2e672a-02d4-4510-a629-942d44a558f1", "value": "DustySky uses Input Capture" }, { "meta": { "source-uuid": "fb575479-14ef-41e9-bfab-0b7cf10bec73", "target-uuid": "f879d51c-5476-431c-aedf-f14d207e4d1e" }, "uuid": "d3c8d1a9-9413-4633-9cbf-4bc34bb5054d", "value": "ADVSTORESHELL uses Commonly Used Port" }, { "meta": { "source-uuid": "bef4c620-0787-42a8-a96d-b7eb6e85917c", "target-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688" }, "uuid": "48f662fe-1ba2-4c19-b782-dd06d9fb67fa", "value": "APT28 uses Screen Capture" }, { "meta": { "source-uuid": "2f1a9fd0-3b7c-4d77-a358-78db13adbe78", "target-uuid": "6faf650d-bf31-4eb4-802d-1000cf38efaf" }, "uuid": "6782d7bb-5e81-4656-9445-fbd6ae1f2bdb", "value": "EvilGrab uses Video Capture" }, { "meta": { "source-uuid": "899ce53f-13a0-479b-a0e4-67d46e241542", "target-uuid": "ae9d818d-95d0-41da-b045-9cabea1ca164" }, "uuid": "02462741-4148-48b3-881b-1b813ce62fcc", "value": "APT29 uses PinchDuke" }, { "meta": { "source-uuid": "16ade1aa-0ea1-4bb7-88cc-9079df2ae756", "target-uuid": "03342581-f790-4f03-ba41-e82e67392e23" }, "uuid": "a36263d1-d109-4c94-930a-6be1e9615527", "value": "admin@338 uses Net" }, { "meta": { "source-uuid": 
"16dd03c6-0dfb-4d77-89cd-9ff3ee6e533d", "target-uuid": "1035cdf2-3e5f-446f-a7a7-e8f6d7925967" }, "uuid": "06cd0498-7ebb-41e6-9399-c43c82487540", "value": "Audio Capture Mitigation mitigates Audio Capture" }, { "meta": { "source-uuid": "fb366179-766c-4a4a-afa1-52bff1fd601c", "target-uuid": "f879d51c-5476-431c-aedf-f14d207e4d1e" }, "uuid": "b1e7f787-2d43-442b-8bd1-4fa064f089b2", "value": "Threat Group-3390 uses Commonly Used Port" }, { "meta": { "source-uuid": "c5947e1c-1cbc-434c-94b8-27c7e3be0fff", "target-uuid": "1b84d551-6de8-4b96-9930-d177677c3b1d" }, "uuid": "f28627be-fddd-455c-b001-abddaaa29fa7", "value": "Winnti Group uses Code Signing" }, { "meta": { "source-uuid": "bef4c620-0787-42a8-a96d-b7eb6e85917c", "target-uuid": "62b8c999-dcc0-4755-bd69-09442d9359f5" }, "uuid": "8f269f6c-9e8b-4296-ab47-2f60c9156b58", "value": "APT28 uses Rundll32" }, { "meta": { "source-uuid": "dc5d1a33-62aa-4a0c-aa8c-589b87beb11e", "target-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add" }, "uuid": "92c901ce-5edb-417f-8af5-d569203e241c", "value": "ChChes uses Remote File Copy" }, { "meta": { "source-uuid": "687c23e4-4e25-4ee7-a870-c5e002511f54", "target-uuid": "241814ae-de3f-4656-b49e-f9a80764d4b7" }, "uuid": "ad50f322-18b6-43c7-bf6b-f77f4932fdad", "value": "DustySky uses Security Software Discovery" }, { "meta": { "source-uuid": "cb7bcf6f-085f-41db-81ee-4b68481661b5", "target-uuid": "4b74a1d4-b0e9-4ef1-93f1-14ecc6e2f5b5" }, "uuid": "bf8ae26c-c28c-4de7-a3e2-ad1a2851c1c0", "value": "CallMe uses Standard Cryptographic Protocol" }, { "meta": { "source-uuid": "92ec0cbd-2c30-44a2-b270-73f4ec949841", "target-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59" }, "uuid": "fe4ed27a-6d45-4e6a-bbc0-7ebe15a38046", "value": "RTM uses File Deletion" }, { "meta": { "source-uuid": "5cbe0d3b-6fb1-471f-b591-4b192915116d", "target-uuid": "9e9b9415-a7df-406b-b14d-92bfe6809fbe" }, "uuid": "01b924d7-42dd-412f-a9af-cabcb46512ea", "value": "Suckfly uses Nidiran" }, { "meta": { "source-uuid": 
"9752aef4-a1f3-4328-929f-b64eb0536090", "target-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5" }, "uuid": "92fb7408-1638-43b7-95a3-0cfeebd7624d", "value": "RawPOS uses Data from Local System" }, { "meta": { "source-uuid": "222fbd21-fc4f-4b7e-9f85-0e6e3a76c33f", "target-uuid": "f4882e23-8aa7-4b12-b28a-b349c12ee9e0" }, "uuid": "e104cf3c-a802-4e06-8abc-6293cea9492f", "value": "menuPass uses PowerShell" }, { "meta": { "source-uuid": "b6b3dfc7-9a81-43ff-ac04-698bad48973a", "target-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add" }, "uuid": "24503815-4ac5-4d57-9e95-ebeb84e0c11b", "value": "Daserf uses Remote File Copy" }, { "meta": { "source-uuid": "22addc7b-b39f-483d-979a-1b35147da5de", "target-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580" }, "uuid": "13204383-a747-4f7f-a75c-858ddc76beab", "value": "WinMM uses Process Discovery" }, { "meta": { "source-uuid": "ff6840c9-4c87-4d07-bbb6-9f50aa33d498", "target-uuid": "51ea26b1-ff1e-4faa-b1a0-1114cd298c87" }, "uuid": "2858ec3b-5814-4515-9dda-f8009fbf4cd3", "value": "Flame uses Exfiltration Over Other Network Medium" }, { "meta": { "source-uuid": "8c553311-0baa-4146-997a-f79acef3d831", "target-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6" }, "uuid": "345c6135-7557-4292-8214-66618ba17edd", "value": "RARSTONE uses Standard Application Layer Protocol" }, { "meta": { "source-uuid": "96b08451-b27a-4ff6-893f-790e26393a8e", "target-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6" }, "uuid": "3b9e7ec8-8b10-4fe4-87b3-38b7710dbbb9", "value": "Sakula uses Standard Application Layer Protocol" }, { "meta": { "source-uuid": "54cc1d4f-5c53-4f0e-9ef5-11b4998e82e4", "target-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1" }, "uuid": "efa98949-4b58-4407-8fa2-366c06dc2ed9", "value": "BlackEnergy uses System Information Discovery" }, { "meta": { "source-uuid": "5f9f7648-04ba-4a9f-bb4c-2a13e74572bd", "target-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc" }, "uuid": "44908b0a-993a-4339-b30f-f0f1a64c0753", "value": "Pteranodon uses Registry Run Keys / Start 
Folder" }, { "meta": { "source-uuid": "4ca1929c-7d64-4aab-b849-badbfc0c760d", "target-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81" }, "uuid": "9779ccbc-c376-4a6e-a43f-56a782892302", "value": "OilRig uses Valid Accounts" }, { "meta": { "source-uuid": "894aab42-3371-47b1-8859-a4a074c804c8", "target-uuid": "01a5a209-b94c-450b-b7f9-946497d91055" }, "uuid": "94b4648a-4108-468c-be51-cca365fd97ac", "value": "Stealth Falcon uses Windows Management Instrumentation" }, { "meta": { "source-uuid": "fde50aaa-f5de-4cb8-989a-babb57d6a704", "target-uuid": "f44731de-ea9f-406d-9b83-30ecbb9b4392" }, "uuid": "9453d60b-4f3f-494f-985d-e29094ef8945", "value": "Net Crawler uses Service Execution" }, { "meta": { "source-uuid": "2daa14d6-cbf3-4308-bb8e-213c324a08e4", "target-uuid": "3b3cbbe0-6ed3-4334-b543-3ddfd8c5642d" }, "uuid": "3ebc8829-f260-4d75-817a-cd23a4ebb194", "value": "HAMMERTOSS uses Custom Cryptographic Protocol" }, { "meta": { "source-uuid": "82cb34ba-02b5-432b-b2d2-07f55cbf674d", "target-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580" }, "uuid": "51a03c8a-1983-4bdd-b326-78ec67f86f06", "value": "Trojan.Karagany uses Process Discovery" }, { "meta": { "source-uuid": "c93fccb1-e8e8-42cf-ae33-2ad1d183913a", "target-uuid": "2e0dd10b-676d-4964-acd0-8a404c92b044" }, "uuid": "ae61abba-14fb-4d4e-9f8e-a3b18500b449", "value": "Lazarus Group uses Disabling Security Tools" }, { "meta": { "source-uuid": "6713ab67-e25b-49cc-808d-2b36d4fbc35c", "target-uuid": "d54416bd-0803-41ca-870a-ce1af7c05638" }, "uuid": "bde913a9-9895-4414-b79a-3156159033aa", "value": "Ke3chang uses Data Encrypted" }, { "meta": { "source-uuid": "c0c45d38-fe57-4cd4-b2b2-9ecd0ddd4ca9", "target-uuid": "2e0dd10b-676d-4964-acd0-8a404c92b044" }, "uuid": "bdde6ad0-b6eb-4e3a-80e4-8a9db6a9570d", "value": "TinyZBot uses Disabling Security Tools" }, { "meta": { "source-uuid": "6a2e693f-24e5-451a-9f88-b36a108e5662", "target-uuid": "7fd87010-3a00-4da3-b905-410525e8ec44" }, "uuid": "ea40711b-461d-4629-b1fd-5f020b1f3257", "value": "APT1 
uses Scripting" }, { "meta": { "source-uuid": "3cab1b76-2f40-4cd0-8d2c-7ed16eeb909c", "target-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6" }, "uuid": "76e75bfe-b72c-471b-9a26-eab5ed04a812", "value": "ELMER uses Standard Application Layer Protocol" }, { "meta": { "source-uuid": "61d02387-351a-453e-a575-160a9abc3e04", "target-uuid": "6a3be63a-64c5-4678-a036-03ff8fc35300" }, "uuid": "9064fd2e-4e0a-44e4-8bde-6e6c4cf8495f", "value": "Re-opened Applications Mitigation mitigates Re-opened Applications" }, { "meta": { "source-uuid": "16ade1aa-0ea1-4bb7-88cc-9079df2ae756", "target-uuid": "15dbf668-795c-41e6-8219-f0447c0e64ce" }, "uuid": "7d047513-5fbf-4d9e-8a5d-54317123e34c", "value": "admin@338 uses Permission Groups Discovery" }, { "meta": { "source-uuid": "9e9b9415-a7df-406b-b14d-92bfe6809fbe", "target-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0" }, "uuid": "9b1709f3-5062-42f1-82d9-191e66e1d14a", "value": "Nidiran uses Masquerading" }, { "meta": { "source-uuid": "899ce53f-13a0-479b-a0e4-67d46e241542", "target-uuid": "ca1a3f50-5ebd-41f8-8320-2c7d6a6e88be" }, "uuid": "fdcda836-4a21-45d2-8269-31b82aa3c08e", "value": "APT29 uses Bypass User Account Control" }, { "meta": { "source-uuid": "e6ef745b-077f-42e1-a37d-29eecff9c754", "target-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a" }, "uuid": "91d4c776-c259-46b0-b511-b344ca027009", "value": "CozyCar uses Obfuscated Files or Information" }, { "meta": { "source-uuid": "4ca1929c-7d64-4aab-b849-badbfc0c760d", "target-uuid": "a19e86f8-1c0a-4fea-8407-23b73d615776" }, "uuid": "70495f42-0a81-485c-8f30-c75af61f1c6a", "value": "OilRig uses Exfiltration Over Alternative Protocol" }, { "meta": { "source-uuid": "82fbc58b-171d-4a2d-9a20-c6b2a716bd08", "target-uuid": "1b84d551-6de8-4b96-9930-d177677c3b1d" }, "uuid": "f9ca3697-51a1-494b-8a61-06e516f29860", "value": "Code Signing Mitigation mitigates Code Signing" }, { "meta": { "source-uuid": "37cc7eb6-12e3-467b-82e8-f20f2cc73c69", "target-uuid": "b9f5dbe2-4c55-4fc5-af2e-d42c1d182ec4" }, 
"uuid": "fada6223-ba24-4c26-aa89-3998f07604f9", "value": "Prikormka uses Data Compressed" }, { "meta": { "source-uuid": "bef4c620-0787-42a8-a96d-b7eb6e85917c", "target-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6" }, "uuid": "a1fe7df1-7c20-422e-8e86-042cd11b3501", "value": "APT28 uses Standard Application Layer Protocol" }, { "meta": { "source-uuid": "bef4c620-0787-42a8-a96d-b7eb6e85917c", "target-uuid": "348f1eef-964b-4eb6-bb53-69b3dcb0c643" }, "uuid": "56d023cf-4390-40d9-afc6-cb0d40b4cdd1", "value": "APT28 uses Peripheral Device Discovery" }, { "meta": { "source-uuid": "c93fccb1-e8e8-42cf-ae33-2ad1d183913a", "target-uuid": "478aa214-2ca7-4ec0-9978-18798e514790" }, "uuid": "e42eef1a-107e-40a3-9227-45621e277ff3", "value": "Lazarus Group uses New Service" }, { "meta": { "source-uuid": "16ade1aa-0ea1-4bb7-88cc-9079df2ae756", "target-uuid": "7bc57495-ea59-4380-be31-a64af124ef18" }, "uuid": "5c816fc0-c4e3-47ef-8193-ef88eabdfc7e", "value": "admin@338 uses File and Directory Discovery" }, { "meta": { "source-uuid": "9ea525fa-b0a9-4dde-84f2-bcea0137b3c1", "target-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1" }, "uuid": "72fe5021-bace-41e4-9cc6-73af415225ac", "value": "MoonWind uses System Information Discovery" }, { "meta": { "source-uuid": "38952eac-cb1b-4a71-bad2-ee8223a1c8fe", "target-uuid": "15dbf668-795c-41e6-8219-f0447c0e64ce" }, "uuid": "f36a8899-940f-4c8f-924d-eef2f056744d", "value": "dsquery uses Permission Groups Discovery" }, { "meta": { "source-uuid": "e0703d4f-3972-424a-8277-84004817e024", "target-uuid": "c4ad009b-6e13-4419-8d21-918a1652de02" }, "uuid": "f132ff40-9e9d-49b8-a47d-832a21e1e56d", "value": "Path Interception Mitigation mitigates Path Interception" }, { "meta": { "source-uuid": "37cc7eb6-12e3-467b-82e8-f20f2cc73c69", "target-uuid": "7dd95ff6-712e-4056-9626-312ea4ab4c5e" }, "uuid": "df207207-01b2-456b-9dc4-7afd5ffeeb46", "value": "Prikormka uses Data Staged" }, { "meta": { "source-uuid": "899ce53f-13a0-479b-a0e4-67d46e241542", "target-uuid": 
"5e595477-2e78-4ce7-ae42-e0b059b17808" }, "uuid": "2db640ab-413b-4c49-9842-3bf190c5e184", "value": "APT29 uses POSHSPY" }, { "meta": { "source-uuid": "93f52415-0fe4-4d3d-896c-fc9b8e88ab90", "target-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59" }, "uuid": "089efdf8-b07a-4cda-aa5d-e60f9501ffd1", "value": "BRONZE BUTLER uses File Deletion" }, { "meta": { "source-uuid": "8ae43c46-57ef-47d5-a77a-eebb35628db2", "target-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6" }, "uuid": "4a4a5d60-ec17-49a2-b651-ea8918410fc2", "value": "JHUHUGIT uses Standard Application Layer Protocol" }, { "meta": { "source-uuid": "4c59cce8-cb48-4141-b9f1-f646edfaadb0", "target-uuid": "3257eb21-f9a7-4430-8de1-d8b6e288f529" }, "uuid": "fcfe071b-e527-44e9-9970-9243a354f563", "value": "Regin uses Network Sniffing" }, { "meta": { "source-uuid": "fb261c56-b80e-43a9-8351-c84081e7213d", "target-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830" }, "uuid": "3f14994e-149d-4cca-85b8-eec0964120d3", "value": "BACKSPACE uses Command-Line Interface" }, { "meta": { "source-uuid": "eff1a885-6f90-42a1-901f-eef6e7a1905e", "target-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6" }, "uuid": "49c7a467-98ce-4764-af86-c950ed951d13", "value": "Helminth uses Standard Application Layer Protocol" }, { "meta": { "source-uuid": "fb366179-766c-4a4a-afa1-52bff1fd601c", "target-uuid": "64fa0de0-6240-41f4-8638-f4ca7ed528fd" }, "uuid": "412b7fbf-bc21-4373-9f2c-5f0a26482536", "value": "Threat Group-3390 uses PlugX" }, { "meta": { "source-uuid": "26fed817-e7bf-41f9-829a-9075ffac45c2", "target-uuid": "241814ae-de3f-4656-b49e-f9a80764d4b7" }, "uuid": "95a1ac52-e022-4c81-96cc-b7b39ca776d3", "value": "Kasidet uses Security Software Discovery" }, { "meta": { "source-uuid": "afc079f3-c0ea-4096-b75d-3f05338b7f60", "target-uuid": "c23b740b-a42b-47a1-aec2-9d48ddd547ff" }, "uuid": "6b83bc1e-edfc-4c6a-961f-d3757ae6a234", "value": "Mimikatz uses Pass the Hash" }, { "meta": { "source-uuid": "1c63d4ec-0a75-4daa-b1df-0d11af3d3cc1", "target-uuid": 
"f4882e23-8aa7-4b12-b28a-b349c12ee9e0" }, "uuid": "05076bd4-e4cb-4234-90ae-c7ce45feb41f", "value": "Dragonfly uses PowerShell" }, { "meta": { "source-uuid": "234e7770-99b0-4f65-b983-d3230f76a60b", "target-uuid": "1b84d551-6de8-4b96-9930-d177677c3b1d" }, "uuid": "fb3b8f32-0991-4d05-a80d-a4736372ad2a", "value": "Janicab uses Code Signing" }, { "meta": { "source-uuid": "77fd4d73-6b79-4593-82e7-e4a439cc7604", "target-uuid": "04ef4356-8926-45e2-9441-634b6f3dcecb" }, "uuid": "918956f2-db79-4721-8741-3b461a280e51", "value": "LC_LOAD_DYLIB Addition Mitigation mitigates LC_LOAD_DYLIB Addition" }, { "meta": { "source-uuid": "d0fcf37a-b6c4-4745-9c43-4fcdb8bfc88e", "target-uuid": "ad255bfe-a9e6-4b52-a258-8d3462abe842" }, "uuid": "4b12c645-96fc-45ac-b515-8333d6e254ef", "value": "Data Obfuscation Mitigation mitigates Data Obfuscation" }, { "meta": { "source-uuid": "a90da496-b460-47e8-92e7-cc36eb00bd9a", "target-uuid": "215190a9-9f02-4e83-bb5f-e0589965a302" }, "uuid": "f4aaf7ec-7ff1-4519-bd93-3eaf3074d11f", "value": "Regsvcs/Regasm Mitigation mitigates Regsvcs/Regasm" }, { "meta": { "source-uuid": "2fb26586-2b53-4b9a-ad4f-2b3bcb9a2421", "target-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1" }, "uuid": "fbfc610a-5355-40fc-b5a1-059e89a1eb8d", "value": "SslMM uses System Information Discovery" }, { "meta": { "source-uuid": "76abb3ef-dafd-4762-97cb-a35379429db4", "target-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a" }, "uuid": "deb7df24-689e-4e4e-909f-a270241ab65a", "value": "Gazer uses Obfuscated Files or Information" }, { "meta": { "source-uuid": "a8d3d497-2da9-4797-8e0b-ed176be08654", "target-uuid": "f44731de-ea9f-406d-9b83-30ecbb9b4392" }, "uuid": "91ca1017-0b33-4fa1-a61f-b3dae24c7e40", "value": "Wingbird uses Service Execution" }, { "meta": { "source-uuid": "f6d1d2cb-12f5-4221-9636-44606ea1f3f8", "target-uuid": "15dbf668-795c-41e6-8219-f0447c0e64ce" }, "uuid": "bc85f8f4-5d65-484c-af82-6adbe42083d9", "value": "OSInfo uses Permission Groups Discovery" }, { "meta": { "source-uuid": 
"c93fccb1-e8e8-42cf-ae33-2ad1d183913a", "target-uuid": "c848fcf7-6b62-4bde-8216-b6c157d48da0" }, "uuid": "7aa43cd7-ada3-49c9-8dc7-9492fa22c7d8", "value": "Lazarus Group uses Uncommonly Used Port" }, { "meta": { "source-uuid": "876f6a77-fbc5-4e13-ab1a-5611986730a3", "target-uuid": "348f1eef-964b-4eb6-bb53-69b3dcb0c643" }, "uuid": "ea93ff11-939f-449a-a222-4273d9fc9f3c", "value": "T9000 uses Peripheral Device Discovery" }, { "meta": { "source-uuid": "e48df773-7c95-4a4c-ba70-ea3d15900148", "target-uuid": "f4882e23-8aa7-4b12-b28a-b349c12ee9e0" }, "uuid": "e3909a5f-ebfb-48e1-b0fc-5737217a994b", "value": "DownPaper uses PowerShell" }, { "meta": { "source-uuid": "495b6cdb-7b5a-4fbc-8d33-e7ef68806d08", "target-uuid": "322bad5a-1c49-4d23-ab79-76d641794afa" }, "uuid": "6139509a-709b-4ef4-81fb-25b9a35e2c60", "value": "Volgmer uses System Service Discovery" }, { "meta": { "source-uuid": "2a158b0a-7ef8-43cb-9985-bf34d1e12050", "target-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0" }, "uuid": "7138c1e4-6791-424b-adc1-5b4c7d5e3cca", "value": "Naikon uses System Network Configuration Discovery" }, { "meta": { "source-uuid": "92e6d080-ca3f-4f95-bc45-172a32c4e502", "target-uuid": "b21c3b2d-02e6-45b1-980b-e69051040839" }, "uuid": "d2a028a0-3c4f-4984-be51-80dbcf93a1a9", "value": "Exploitation of Vulnerability Mitigation mitigates Exploitation of Vulnerability" }, { "meta": { "source-uuid": "6a2e693f-24e5-451a-9f88-b36a108e5662", "target-uuid": "c23b740b-a42b-47a1-aec2-9d48ddd547ff" }, "uuid": "3b35fec9-ee0d-4c2d-9936-0aa06ad6a49a", "value": "APT1 uses Pass the Hash" }, { "meta": { "source-uuid": "aafea02e-ece5-4bb2-91a6-3bf8c7f38a39", "target-uuid": "e358d692-23c0-4a31-9eb6-ecc13a8d7735" }, "uuid": "b26eb7d2-1147-4c2b-a1eb-4a457e081e22", "value": "Cobalt Strike uses Remote System Discovery" }, { "meta": { "source-uuid": "09b2cd76-c674-47cc-9f57-d2f2ad150a46", "target-uuid": "01a5a209-b94c-450b-b7f9-946497d91055" }, "uuid": "35419603-7bc2-40f6-8e5d-4e7a8f13ebb7", "value": "POWRUNER uses 
Windows Management Instrumentation" }, { "meta": { "source-uuid": "92c28497-2820-445e-9f3e-a03dd77dc0c8", "target-uuid": "92d7da27-2d91-488e-a00c-059dc162766d" }, "uuid": "cd38481c-7c23-4e72-b1b4-056830f5f7f3", "value": "Exfiltration Over Command and Control Channel Mitigation mitigates Exfiltration Over Command and Control Channel" }, { "meta": { "source-uuid": "fb575479-14ef-41e9-bfab-0b7cf10bec73", "target-uuid": "4eeaf8a9-c86b-4954-a663-9555fb406466" }, "uuid": "5eb253cb-2e81-4f51-bd0e-d1734283491c", "value": "ADVSTORESHELL uses Scheduled Transfer" }, { "meta": { "source-uuid": "8b880b41-5139-4807-baa9-309690218719", "target-uuid": "970cdb5c-02fb-4c38-b17e-d6327cf3c810" }, "uuid": "8a48e090-ab8c-414e-b559-7a0437c92850", "value": "SPACESHIP uses Shortcut Modification" }, { "meta": { "source-uuid": "9ea525fa-b0a9-4dde-84f2-bcea0137b3c1", "target-uuid": "7fd87010-3a00-4da3-b905-410525e8ec44" }, "uuid": "1782bb6e-7a06-4dfb-96f5-dd671d8a02d5", "value": "MoonWind uses Scripting" }, { "meta": { "source-uuid": "d1acfbb3-647b-4723-9154-800ec119006e", "target-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830" }, "uuid": "9f618c0f-79b8-4990-a02b-6e3187b14033", "value": "Sowbug uses Command-Line Interface" }, { "meta": { "source-uuid": "b136d088-a829-432c-ac26-5529c26d4c7e", "target-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6" }, "uuid": "b4228f64-bc0c-47a5-a3d8-d9aabdf66bfc", "value": "OnionDuke uses Standard Application Layer Protocol" }, { "meta": { "source-uuid": "37cc7eb6-12e3-467b-82e8-f20f2cc73c69", "target-uuid": "d54416bd-0803-41ca-870a-ce1af7c05638" }, "uuid": "56fac514-4461-4d8c-93a0-d12cade25169", "value": "Prikormka uses Data Encrypted" }, { "meta": { "source-uuid": "68ba94ab-78b8-43e7-83e2-aed3466882c6", "target-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add" }, "uuid": "fc1ec654-af35-4a7d-b2f6-54b4d8378cfb", "value": "APT34 uses Remote File Copy" }, { "meta": { "source-uuid": "fb575479-14ef-41e9-bfab-0b7cf10bec73", "target-uuid": 
"7dd95ff6-712e-4056-9626-312ea4ab4c5e" }, "uuid": "5d397a8d-2195-440d-a0f5-bbf6c3e8f6e4", "value": "ADVSTORESHELL uses Data Staged" }, { "meta": { "source-uuid": "b96680d1-5eb3-4f07-b95c-00ab904ac236", "target-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6" }, "uuid": "59d4e54d-66b8-4603-b189-ba67160da44d", "value": "Pisloader uses Standard Application Layer Protocol" }, { "meta": { "source-uuid": "e6ef745b-077f-42e1-a37d-29eecff9c754", "target-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830" }, "uuid": "04e4f0d1-32a9-4d64-a733-3316b0bf2740", "value": "CozyCar uses Command-Line Interface" }, { "meta": { "source-uuid": "40d3e230-ed32-469f-ba89-be70cc08ab39", "target-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0" }, "uuid": "dc187ed1-3987-4575-b1af-dc150e4329f8", "value": "Agent.btz uses System Network Configuration Discovery" }, { "meta": { "source-uuid": "f9d6633a-55e6-4adc-9263-6ae080421a13", "target-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830" }, "uuid": "17bc0957-1509-4faf-bb51-a6a9e1959978", "value": "Magic Hound uses Command-Line Interface" }, { "meta": { "source-uuid": "3240cbe4-c550-443b-aa76-cc2a7058b870", "target-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc" }, "uuid": "c75cc595-79d7-4a77-9647-d2323aad93d0", "value": "SNUGRIDE uses Registry Run Keys / Start Folder" }, { "meta": { "source-uuid": "fb366179-766c-4a4a-afa1-52bff1fd601c", "target-uuid": "7e150503-88e7-4861-866b-ff1ac82c4475" }, "uuid": "fe8a320f-e5e5-4503-8c3a-5c21b628a61d", "value": "Threat Group-3390 uses System Network Connections Discovery" }, { "meta": { "source-uuid": "38fd6a28-3353-4f2b-bb2b-459fecd5c648", "target-uuid": "b96680d1-5eb3-4f07-b95c-00ab904ac236" }, "uuid": "95842c88-c596-44c7-a16e-40d98e2457cc", "value": "APT18 uses Pisloader" }, { "meta": { "source-uuid": "7dbb67c7-270a-40ad-836e-c45f8948aa5a", "target-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1" }, "uuid": "42dc03ec-03fb-4bf0-8f5f-e90d1aacd6e7", "value": "KOMPROGO uses System Information Discovery" }, { "meta": { 
"source-uuid": "b96680d1-5eb3-4f07-b95c-00ab904ac236", "target-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a" }, "uuid": "cbc4c186-028e-4a24-93ff-5f2bb7edd98a", "value": "Pisloader uses Obfuscated Files or Information" }, { "meta": { "source-uuid": "ff6840c9-4c87-4d07-bbb6-9f50aa33d498", "target-uuid": "241814ae-de3f-4656-b49e-f9a80764d4b7" }, "uuid": "4a9f7553-b3ee-405b-9c81-f487b4bed868", "value": "Flame uses Security Software Discovery" }, { "meta": { "source-uuid": "af2ad3b7-ab6a-4807-91fd-51bcaff9acbb", "target-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a" }, "uuid": "016dc21c-ade9-43cc-9d88-a0c4c0891ccc", "value": "USBStealer uses Obfuscated Files or Information" }, { "meta": { "source-uuid": "55033a4d-3ffe-46b2-99b4-2c1541e9ce1c", "target-uuid": "62b8c999-dcc0-4755-bd69-09442d9359f5" }, "uuid": "539f8bc3-3fb4-43af-8918-9a65239cdff6", "value": "Carbanak uses Rundll32" }, { "meta": { "source-uuid": "ccd61dfc-b03f-4689-8c18-7c97eab08472", "target-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2" }, "uuid": "954961e4-0bf5-496e-b200-e63d99c006de", "value": "CHOPSTICK uses Input Capture" }, { "meta": { "source-uuid": "0bbdf25b-30ff-4894-a1cd-49260d0dd2d9", "target-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2" }, "uuid": "ed283e07-a029-4d23-aa8f-55f92abb5203", "value": "APT3 uses Input Capture" }, { "meta": { "source-uuid": "76abb3ef-dafd-4762-97cb-a35379429db4", "target-uuid": "1b84d551-6de8-4b96-9930-d177677c3b1d" }, "uuid": "c354bbc0-74c4-4805-b6e6-f33f49272f86", "value": "Gazer uses Code Signing" }, { "meta": { "source-uuid": "4ca1929c-7d64-4aab-b849-badbfc0c760d", "target-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896" }, "uuid": "e30c24d3-d440-4395-88b3-3192a02c4364", "value": "OilRig uses Query Registry" }, { "meta": { "source-uuid": "beb45abb-11e8-4aef-9778-1f9ac249784f", "target-uuid": "ca1a3f50-5ebd-41f8-8320-2c7d6a6e88be" }, "uuid": "483a70b9-eae9-4d5f-925c-95c2dd7b9fa5", "value": "Bypass User Account Control Mitigation mitigates Bypass User Account Control" }, 
{ "meta": { "source-uuid": "bef4c620-0787-42a8-a96d-b7eb6e85917c", "target-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104" }, "uuid": "a3de3705-8085-4992-9b90-1cb8ef532b5c", "value": "APT28 uses System Owner/User Discovery" }, { "meta": { "source-uuid": "aafea02e-ece5-4bb2-91a6-3bf8c7f38a39", "target-uuid": "731f4f55-b6d0-41d1-a7a9-072a66389aea" }, "uuid": "d13aaa09-5465-4439-b100-444242601a98", "value": "Cobalt Strike uses Connection Proxy" }, { "meta": { "source-uuid": "2e5d3a83-fe00-41a5-9b60-237efc84832f", "target-uuid": "519630c5-f03f-4882-825c-3af924935817" }, "uuid": "83cfa11e-f221-4dc4-b184-943c2c7f4562", "value": "Moafee uses Binary Padding" }, { "meta": { "source-uuid": "894aab42-3371-47b1-8859-a4a074c804c8", "target-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896" }, "uuid": "746b0def-62c8-438d-b5ec-aa6b7dbfb860", "value": "Stealth Falcon uses Query Registry" }, { "meta": { "source-uuid": "7f8730af-f683-423f-9ee1-5f6875a80481", "target-uuid": "3b3cbbe0-6ed3-4334-b543-3ddfd8c5642d" }, "uuid": "19c33297-1efd-4489-b09c-a4230ce194f4", "value": "Sys10 uses Custom Cryptographic Protocol" }, { "meta": { "source-uuid": "0bbdf25b-30ff-4894-a1cd-49260d0dd2d9", "target-uuid": "6aabc5ec-eae6-422c-8311-38d45ee9838a" }, "uuid": "13f986d2-949b-42c8-bd4b-b8a833b9d5de", "value": "APT3 uses Redundant Access" }, { "meta": { "source-uuid": "fbe9387f-34e6-4828-ac28-3080020c597b", "target-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add" }, "uuid": "33c8fb30-3515-4582-ad29-34fa0d7e15e5", "value": "FIN10 uses Remote File Copy" }, { "meta": { "source-uuid": "8b880b41-5139-4807-baa9-309690218719", "target-uuid": "e6415f09-df0e-48de-9aba-928c902b7549" }, "uuid": "04e2c418-8f6c-453c-8e17-4d3aeec0f755", "value": "SPACESHIP uses Exfiltration Over Physical Medium" }, { "meta": { "source-uuid": "cdecc44a-1dbf-4c1f-881c-f21e3f47272a", "target-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add" }, "uuid": "ab637576-5bf9-423f-b5e8-6d1ac26bbb5c", "value": "Remote File Copy Mitigation mitigates Remote 
File Copy" }, { "meta": { "source-uuid": "4ca1929c-7d64-4aab-b849-badbfc0c760d", "target-uuid": "00d0b012-8a03-410e-95de-5826bf542de6" }, "uuid": "fb6ffb5c-5405-4515-a120-7a34414933ea", "value": "OilRig uses Indicator Removal from Tools" }, { "meta": { "source-uuid": "68dca94f-c11d-421e-9287-7c501108e18c", "target-uuid": "f879d51c-5476-431c-aedf-f14d207e4d1e" }, "uuid": "4ac3f9d6-73e6-49d0-a49a-329eca1f5a3a", "value": "Duqu uses Commonly Used Port" }, { "meta": { "source-uuid": "899ce53f-13a0-479b-a0e4-67d46e241542", "target-uuid": "7d751199-05fa-4a72-920f-85df4506c76c" }, "uuid": "54188543-7746-4158-9a9f-5556bb99ec7a", "value": "APT29 uses Multi-hop Proxy" }, { "meta": { "source-uuid": "88b7dbc2-32d3-4e31-af2f-3fc24e1582d7", "target-uuid": "0f862b01-99da-47cc-9bdb-db4a86a95bb1" }, "uuid": "764b5d56-83a1-4c8d-824a-2021c7fe8052", "value": "Lotus Blossom uses Emissary" }, { "meta": { "source-uuid": "c88151a5-fe3f-4773-8147-d801587065a4", "target-uuid": "327f3cc5-eea1-42d4-a6cd-ed34b7ce8f61" }, "uuid": "e1275bcd-0462-4f79-b18f-2132b0bb74ec", "value": "Application Deployment Software Mitigation mitigates Application Deployment Software" }, { "meta": { "source-uuid": "c0c45d38-fe57-4cd4-b2b2-9ecd0ddd4ca9", "target-uuid": "970cdb5c-02fb-4c38-b17e-d6327cf3c810" }, "uuid": "8ce2219f-6c25-46a2-8215-a78871e2773a", "value": "TinyZBot uses Shortcut Modification" }, { "meta": { "source-uuid": "083bb47b-02c8-4423-81a2-f9ef58572974", "target-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc" }, "uuid": "087721ee-6643-4453-8a76-8768ced7e506", "value": "Backdoor.Oldrea uses Registry Run Keys / Start Folder" }, { "meta": { "source-uuid": "a653431d-6a5e-4600-8ad3-609b5af57064", "target-uuid": "68f7e3a1-f09f-4164-9a62-16b648a0dd5a" }, "uuid": "4fab8d06-e6fb-472f-91ee-f2fd29ef444e", "value": "Deep Panda uses Regsvr32" }, { "meta": { "source-uuid": "383caaa3-c46a-4f61-b2e3-653eb132f0e7", "target-uuid": "1608f3e1-598a-42f4-a01a-2e252e81728f" }, "uuid": "42ab2855-fe9b-4ed2-bef7-db3a9dcf5a89", 
"value": "Email Collection Mitigation mitigates Email Collection" }, { "meta": { "source-uuid": "1cc934e4-b01d-4543-a011-b988dfc1a458", "target-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d" }, "uuid": "47415cec-25f8-4425-9125-157e1637a687", "value": "Matroyshka uses Process Injection" }, { "meta": { "source-uuid": "92ec0cbd-2c30-44a2-b270-73f4ec949841", "target-uuid": "f3c544dc-673c-4ef3-accb-53229f1ae077" }, "uuid": "4c3890f0-378d-4cef-8db7-0258161ff3f7", "value": "RTM uses System Time Discovery" }, { "meta": { "source-uuid": "00c3bfcb-99bd-4767-8c03-b08f585f5c8a", "target-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0" }, "uuid": "0db8a021-2f3a-41cc-abc6-d8723c7e802b", "value": "PowerDuke uses System Network Configuration Discovery" }, { "meta": { "source-uuid": "234e7770-99b0-4f65-b983-d3230f76a60b", "target-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688" }, "uuid": "fc67e15c-ae09-45e1-925f-8a6b0e8ca4ab", "value": "Janicab uses Screen Capture" }, { "meta": { "source-uuid": "7aee8ea0-0baa-4232-b379-5d9ce98352cf", "target-uuid": "66f73398-8394-4711-85e5-34c8540b22a5" }, "uuid": "9692d2b6-c933-4c1a-8ea0-1f0babfeeec9", "value": "Hooking Mitigation mitigates Hooking" }, { "meta": { "source-uuid": "a653431d-6a5e-4600-8ad3-609b5af57064", "target-uuid": "91000a8a-58cc-4aba-9ad0-993ad6302b86" }, "uuid": "66a3ab46-abcb-4234-a786-638044cfc50e", "value": "Deep Panda uses StreamEx" }, { "meta": { "source-uuid": "2eb9b131-d333-4a48-9eb4-d8dec46c19ee", "target-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9" }, "uuid": "e32b53b5-b112-483a-8d95-56bf3f43671f", "value": "CosmicDuke uses Scheduled Task" }, { "meta": { "source-uuid": "f8dfbc54-b070-4224-b560-79aaa5f835bd", "target-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59" }, "uuid": "2d090e9d-f9fb-4f73-99df-0e17a7489adb", "value": "H1N1 uses File Deletion" }, { "meta": { "source-uuid": "8ae43c46-57ef-47d5-a77a-eebb35628db2", "target-uuid": "b21c3b2d-02e6-45b1-980b-e69051040839" }, "uuid": "976202db-cdfa-4c4e-bc09-9b3cad90e6fb", 
"value": "JHUHUGIT uses Exploitation of Vulnerability" }, { "meta": { "source-uuid": "fb366179-766c-4a4a-afa1-52bff1fd601c", "target-uuid": "5a3a31fe-5a8f-48e1-bff0-a753e5b1be70" }, "uuid": "71daf1fe-a979-4cbc-bb0d-4e2d6c79274a", "value": "Threat Group-3390 uses China Chopper" }, { "meta": { "source-uuid": "c93fccb1-e8e8-42cf-ae33-2ad1d183913a", "target-uuid": "7bc57495-ea59-4380-be31-a64af124ef18" }, "uuid": "bd745d11-93d8-45db-8a68-08a52383375a", "value": "Lazarus Group uses File and Directory Discovery" }, { "meta": { "source-uuid": "7a19ecb1-3c65-4de3-a230-993516aed6a6", "target-uuid": "30489451-5886-4c46-90c9-0dff9adc5252" }, "uuid": "5c0645e4-f0c7-4bb4-bedb-29a96a472fe0", "value": "Turla uses Arp" }, { "meta": { "source-uuid": "12c13879-b7bd-4bc5-8def-aacec386d432", "target-uuid": "68f7e3a1-f09f-4164-9a62-16b648a0dd5a" }, "uuid": "0727c98a-b7e0-45ba-a20e-632d394ef422", "value": "Regsvr32 Mitigation mitigates Regsvr32" }, { "meta": { "source-uuid": "bef4c620-0787-42a8-a96d-b7eb6e85917c", "target-uuid": "ccd61dfc-b03f-4689-8c18-7c97eab08472" }, "uuid": "24013fde-5ce7-4995-9d9f-d2ced31b9d9a", "value": "APT28 uses CHOPSTICK" }, { "meta": { "source-uuid": "33f76731-b840-446f-bee0-53687dad24d9", "target-uuid": "62166220-e498-410f-a90a-19d4339d4e99" }, "uuid": "3e9d8f68-a9c6-4be7-9639-56b64d4f600a", "value": "Image File Execution Options Injection Mitigation mitigates Image File Execution Options Injection" }, { "meta": { "source-uuid": "38fd6a28-3353-4f2b-bb2b-459fecd5c648", "target-uuid": "e066bf86-9cfb-407a-9d25-26fd5d91e360" }, "uuid": "e9612cb1-79a5-4987-aa83-b84aa7fa050f", "value": "APT18 uses HTTPBrowser" }, { "meta": { "source-uuid": "aafea02e-ece5-4bb2-91a6-3bf8c7f38a39", "target-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688" }, "uuid": "854a3a7e-09a7-4523-ac7f-d625a0b50b6b", "value": "Cobalt Strike uses Screen Capture" }, { "meta": { "source-uuid": "5a63f900-5e7e-4928-a746-dd4558e1df71", "target-uuid": "bb0e0cb5-f3e4-4118-a4cb-6bf13bfbc9f2" }, "uuid": 
"581f8dd6-edd4-467b-a3d5-3177870b0264", "value": "netsh uses Netsh Helper DLL" }, { "meta": { "source-uuid": "51b37302-b844-4c08-ac98-ae6955ed1f55", "target-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688" }, "uuid": "366214ea-29b0-458a-a852-7a76420783d2", "value": "Screen Capture Mitigation mitigates Screen Capture" }, { "meta": { "source-uuid": "0bbdf25b-30ff-4894-a1cd-49260d0dd2d9", "target-uuid": "9b99b83a-1aac-4e29-b975-b374950551a3" }, "uuid": "a92197a8-ec5c-4366-92af-f45078a3bfd7", "value": "APT3 uses Accessibility Features" }, { "meta": { "source-uuid": "67e6d66b-1b82-4699-b47a-e2efb6268d14", "target-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc" }, "uuid": "bcdbb8dc-87e5-4f29-8ff2-d660e53015cb", "value": "SeaDuke uses Registry Run Keys / Start Folder" }, { "meta": { "source-uuid": "aafea02e-ece5-4bb2-91a6-3bf8c7f38a39", "target-uuid": "b21c3b2d-02e6-45b1-980b-e69051040839" }, "uuid": "b942cd55-6fed-49a1-ba05-af23836b518f", "value": "Cobalt Strike uses Exploitation of Vulnerability" }, { "meta": { "source-uuid": "fb366179-766c-4a4a-afa1-52bff1fd601c", "target-uuid": "10d51417-ee35-4589-b1ff-b6df1c334e8d" }, "uuid": "ab6a19e4-ce00-46cd-ae83-0798471e4a4a", "value": "Threat Group-3390 uses External Remote Services" }, { "meta": { "source-uuid": "6b616fc1-1505-48e3-8b2c-0d19337bff38", "target-uuid": "774a3188-6ba9-4dc4-879d-d54ee48a5ce9" }, "uuid": "59261bc8-0220-4e37-8018-7a3618a5dd1b", "value": "Rover uses Automated Exfiltration" }, { "meta": { "source-uuid": "85b39628-204a-48d2-b377-ec368cbcb7ca", "target-uuid": "7bc57495-ea59-4380-be31-a64af124ef18" }, "uuid": "6cfd1f0f-0355-4b1a-af29-84ed992bbb71", "value": "TINYTYPHON uses File and Directory Discovery" }, { "meta": { "source-uuid": "e8268361-a599-4e45-bd3f-71c8c7e700c0", "target-uuid": "3b3cbbe0-6ed3-4334-b543-3ddfd8c5642d" }, "uuid": "5b3d2b2f-73f4-4fef-9cb9-b11db3eb4c4f", "value": "httpclient uses Custom Cryptographic Protocol" }, { "meta": { "source-uuid": "17862c7d-9e60-48a0-b48e-da4dc4c3f6b0", 
"target-uuid": "ca1a3f50-5ebd-41f8-8320-2c7d6a6e88be" }, "uuid": "d16d59aa-f056-4cc7-9f67-0e80db9cdacb", "value": "Patchwork uses Bypass User Account Control" }, { "meta": { "source-uuid": "53cf6cc4-65aa-445a-bcf8-c3d296f8a7a2", "target-uuid": "f24faf46-3b26-4dbb-98f2-63460498e433" }, "uuid": "a713d0d3-2897-4da2-995f-df3a40f04b29", "value": "NETEAGLE uses Fallback Channels" }, { "meta": { "source-uuid": "17862c7d-9e60-48a0-b48e-da4dc4c3f6b0", "target-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22" }, "uuid": "1df7df54-c4c1-49f0-a0c3-11102db44f2c", "value": "Patchwork uses Credential Dumping" }, { "meta": { "source-uuid": "3cab1b76-2f40-4cd0-8d2c-7ed16eeb909c", "target-uuid": "f879d51c-5476-431c-aedf-f14d207e4d1e" }, "uuid": "b4b71687-5aed-4cde-ba59-c37bb5231878", "value": "ELMER uses Commonly Used Port" }, { "meta": { "source-uuid": "16a8ac85-a06f-460f-ad22-910167bd7332", "target-uuid": "519630c5-f03f-4882-825c-3af924935817" }, "uuid": "1a3de27b-377c-4390-9911-2da8aaa705e3", "value": "Binary Padding Mitigation mitigates Binary Padding" }, { "meta": { "source-uuid": "222fbd21-fc4f-4b7e-9f85-0e6e3a76c33f", "target-uuid": "b77b563c-34bb-4fb8-86a3-3694338f7b47" }, "uuid": "e5f75ae0-45f5-48b8-938f-f0d9e17e53eb", "value": "menuPass uses Ping" }, { "meta": { "source-uuid": "6a0ef5d4-fc7c-4dda-85d7-592e4dbdc5d9", "target-uuid": "72b74d71-8169-42aa-92e0-e7b04b9f5a08" }, "uuid": "2eb985a1-e73e-4554-8638-2e6f27690ec0", "value": "Sykipot uses Account Discovery" }, { "meta": { "source-uuid": "2daa14d6-cbf3-4308-bb8e-213c324a08e4", "target-uuid": "830c9528-df21-472c-8c14-a036bf17d665" }, "uuid": "c7420523-7dc0-4118-a075-93f9c0268627", "value": "HAMMERTOSS uses Web Service" }, { "meta": { "source-uuid": "0db09158-6e48-4e7c-8ce7-2b10b9c0c039", "target-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830" }, "uuid": "b4e77f71-970a-4b24-938f-0d50ecea1969", "value": "Misdat uses Command-Line Interface" }, { "meta": { "source-uuid": "64d76fa5-cf8f-469c-b78c-1a4f7c5bad80", "target-uuid": 
"8f4a33ec-8b1f-4b80-a2f6-642b2e479580" }, "uuid": "b82f51f9-74a0-43e1-b3c6-63df3a90c9eb", "value": "BBSRAT uses Process Discovery" }, { "meta": { "source-uuid": "5cbe0d3b-6fb1-471f-b591-4b192915116d", "target-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22" }, "uuid": "a0c55c8d-6192-4faa-a5a2-1742fb5815a0", "value": "Suckfly uses Credential Dumping" }, { "meta": { "source-uuid": "e066bf86-9cfb-407a-9d25-26fd5d91e360", "target-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc" }, "uuid": "259b878f-147e-443b-8360-aabc00cf6d73", "value": "HTTPBrowser uses Registry Run Keys / Start Folder" }, { "meta": { "source-uuid": "4ca1929c-7d64-4aab-b849-badbfc0c760d", "target-uuid": "4664b683-f578-434f-919b-1c1aad2a1111" }, "uuid": "5744b31d-6633-44ca-8170-17489fec124c", "value": "OilRig uses netstat" }, { "meta": { "source-uuid": "691c60e2-273d-4d56-9ce6-b67e0f8719ad", "target-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0" }, "uuid": "84bc4ba8-ab0e-4c60-92ed-26496a831611", "value": "Truvasys uses Masquerading" }, { "meta": { "source-uuid": "17b40f60-729f-4fe8-8aea-cc9ee44a95d5", "target-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0" }, "uuid": "9b8ff36d-ff96-460a-b5cf-d369e7f598d9", "value": "RedLeaves uses System Network Configuration Discovery" }, { "meta": { "source-uuid": "7a19ecb1-3c65-4de3-a230-993516aed6a6", "target-uuid": "a93494bb-4b80-4ea1-8695-3236a49916fd" }, "uuid": "5682d524-80f0-4fd8-9960-6f54eeafce96", "value": "Turla uses Brute Force" }, { "meta": { "source-uuid": "93f52415-0fe4-4d3d-896c-fc9b8e88ab90", "target-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830" }, "uuid": "39791d22-fec7-4459-8321-c9aa824d5fc1", "value": "BRONZE BUTLER uses Command-Line Interface" }, { "meta": { "source-uuid": "dcd81c6e-ebf7-4a16-93e0-9a97fa49c88a", "target-uuid": "62b8c999-dcc0-4755-bd69-09442d9359f5" }, "uuid": "896cd1de-ffa7-4f69-a981-2859cc756601", "value": "CopyKittens uses Rundll32" }, { "meta": { "source-uuid": "2a158b0a-7ef8-43cb-9985-bf34d1e12050", "target-uuid": 
"2e45723a-31da-4a7e-aaa6-e01998a6788f" }, "uuid": "f2d601c9-8cc7-4425-b76f-fbc9997b55fd", "value": "Naikon uses Tasklist" }, { "meta": { "source-uuid": "00c3bfcb-99bd-4767-8c03-b08f585f5c8a", "target-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580" }, "uuid": "62f9aa2c-b0c1-4028-a2b8-c436e30ace4b", "value": "PowerDuke uses Process Discovery" }, { "meta": { "source-uuid": "59a97b15-8189-4d51-9404-e1ce8ea4a069", "target-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2" }, "uuid": "11ed82c1-88af-4c23-860e-185505389288", "value": "XAgentOSX uses Input Capture" }, { "meta": { "source-uuid": "2fb26586-2b53-4b9a-ad4f-2b3bcb9a2421", "target-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc" }, "uuid": "8904bd95-4844-4fe4-b6b6-47e4a4f8d85d", "value": "SslMM uses Registry Run Keys / Start Folder" }, { "meta": { "source-uuid": "3e9f8875-d2f7-4380-a578-84393bd3b025", "target-uuid": "c3bce4f4-9795-46c6-976e-8676300bbc39" }, "uuid": "d35b9e63-a236-47f4-9fa8-d04719858115", "value": "Windows Remote Management Mitigation mitigates Windows Remote Management" }, { "meta": { "source-uuid": "85403903-15e0-4f9f-9be4-a259ecad4022", "target-uuid": "e358d692-23c0-4a31-9eb6-ecc13a8d7735" }, "uuid": "3ef6a3fb-0d59-4ba5-b2d0-dc32d547b74f", "value": "FIN5 uses Remote System Discovery" }, { "meta": { "source-uuid": "25e53928-6f33-49b7-baee-8180578286f6", "target-uuid": "6856ddd6-2df3-4379-8b87-284603c189c3" }, "uuid": "ab524992-5666-466b-8c12-ec79b269901b", "value": "System Firmware Mitigation mitigates System Firmware" }, { "meta": { "source-uuid": "17e919aa-4a49-445c-b103-dbb8df9e7351", "target-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add" }, "uuid": "d04d6101-f6f6-42a2-8679-351956b75228", "value": "POWERSOURCE uses Remote File Copy" }, { "meta": { "source-uuid": "69d6f4a9-fcf0-4f51-bca7-597c51ad0bb8", "target-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d" }, "uuid": "11247a95-272b-4ae2-8dae-2cd049328734", "value": "Remsec uses Process Injection" }, { "meta": { "source-uuid": 
"9ea525fa-b0a9-4dde-84f2-bcea0137b3c1", "target-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580" }, "uuid": "1035fe41-56b9-4966-bf3b-109ae950c908", "value": "MoonWind uses Process Discovery" }, { "meta": { "source-uuid": "2eb9b131-d333-4a48-9eb4-d8dec46c19ee", "target-uuid": "a19e86f8-1c0a-4fea-8407-23b73d615776" }, "uuid": "3d4dabc2-3bee-409a-a05d-e107677cfdc7", "value": "CosmicDuke uses Exfiltration Over Alternative Protocol" }, { "meta": { "source-uuid": "a60657fa-e2e7-4f8f-8128-a882534ae8c5", "target-uuid": "128c55d3-aeba-469f-bd3e-c8996ab4112a" }, "uuid": "37804b22-63b4-4b24-846e-6541688d9213", "value": "OwaAuth uses Timestomp" }, { "meta": { "source-uuid": "6713ab67-e25b-49cc-808d-2b36d4fbc35c", "target-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22" }, "uuid": "c8db7b65-563d-47ba-9e06-cabdbade47e9", "value": "Ke3chang uses Credential Dumping" }, { "meta": { "source-uuid": "e333cf16-5bfa-453e-8e6a-3a4c63d6bfcc", "target-uuid": "53bfc8bf-8f76-4cd7-8958-49a884ddb3ee" }, "uuid": "d9ae86e6-377b-45d5-b32c-89776fd7755c", "value": "Launchctl Mitigation mitigates Launchctl" }, { "meta": { "source-uuid": "68ba94ab-78b8-43e7-83e2-aed3466882c6", "target-uuid": "cde2d700-9ed1-46cf-9bce-07364fe8b24f" }, "uuid": "e603a78c-ecbc-46b2-95cc-08251c1faea9", "value": "APT34 uses Reg" }, { "meta": { "source-uuid": "083bb47b-02c8-4423-81a2-f9ef58572974", "target-uuid": "1608f3e1-598a-42f4-a01a-2e252e81728f" }, "uuid": "98abda72-4760-4e8c-ab6c-5ed080868cfc", "value": "Backdoor.Oldrea uses Email Collection" }, { "meta": { "source-uuid": "2497ac92-e751-4391-82c6-1b86e34d0294", "target-uuid": "774a3188-6ba9-4dc4-879d-d54ee48a5ce9" }, "uuid": "b8306976-370f-403d-9983-fe3327c00709", "value": "Automated Exfiltration Mitigation mitigates Automated Exfiltration" }, { "meta": { "source-uuid": "b8eb28e4-48a6-40ae-951a-328714f75eda", "target-uuid": "f24faf46-3b26-4dbb-98f2-63460498e433" }, "uuid": "3ac3a282-e1be-45f8-8974-0a94e5d43644", "value": "BISCUIT uses Fallback Channels" }, { "meta": { 
"source-uuid": "166c0eca-02fd-424a-92c0-6b5106994d31", "target-uuid": "322bad5a-1c49-4d23-ab79-76d641794afa" }, "uuid": "b7601a08-a52d-4daa-acb9-2f5e3392b6c3", "value": "ZLib uses System Service Discovery" }, { "meta": { "source-uuid": "7551188b-8f91-4d34-8350-0d0c57b2b913", "target-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d" }, "uuid": "f72d9605-eea6-4ed4-8502-231d4c21431f", "value": "Elise uses Process Injection" }, { "meta": { "source-uuid": "e066bf86-9cfb-407a-9d25-26fd5d91e360", "target-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6" }, "uuid": "b052a076-6d4e-49f5-95ac-16264ef05b1d", "value": "HTTPBrowser uses Standard Application Layer Protocol" }, { "meta": { "source-uuid": "37cc7eb6-12e3-467b-82e8-f20f2cc73c69", "target-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc" }, "uuid": "c5fa4766-4468-4afd-9b5f-5ce4f443729d", "value": "Prikormka uses Registry Run Keys / Start Folder" }, { "meta": { "source-uuid": "123bd7b3-675c-4b1a-8482-c55782b20e2b", "target-uuid": "c21d5a77-d422-4a69-acd7-2c53c1faa34b" }, "uuid": "b9b0e376-f249-432f-a0d3-dfa259b4757a", "value": "BUBBLEWRAP uses Standard Non-Application Layer Protocol" }, { "meta": { "source-uuid": "8c553311-0baa-4146-997a-f79acef3d831", "target-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d" }, "uuid": "22a75bbf-5490-40cb-bdb7-a0eda5e95d21", "value": "RARSTONE uses Process Injection" }, { "meta": { "source-uuid": "6a2e693f-24e5-451a-9f88-b36a108e5662", "target-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22" }, "uuid": "28b27852-4125-4639-a07b-0b97dfdb650a", "value": "APT1 uses Credential Dumping" }, { "meta": { "source-uuid": "123bd7b3-675c-4b1a-8482-c55782b20e2b", "target-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1" }, "uuid": "ea4c3651-b2a3-418e-8d3b-3c8075b988ef", "value": "BUBBLEWRAP uses System Information Discovery" }, { "meta": { "source-uuid": "687c23e4-4e25-4ee7-a870-c5e002511f54", "target-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a" }, "uuid": "40772ec1-2f25-425f-aad5-635f64ba8fd2", "value": "DustySky uses 
Obfuscated Files or Information" }, { "meta": { "source-uuid": "247cb30b-955f-42eb-97a5-a89fef69341e", "target-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a" }, "uuid": "db91e39d-daa4-4f9c-a7a6-be67eba712d2", "value": "APT32 uses Obfuscated Files or Information" }, { "meta": { "source-uuid": "b96680d1-5eb3-4f07-b95c-00ab904ac236", "target-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add" }, "uuid": "ce4707f0-d5b8-4dd6-b5ab-cf1483dd236f", "value": "Pisloader uses Remote File Copy" }, { "meta": { "source-uuid": "8901ac23-6b50-410c-b0dd-d8174a86f9b3", "target-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0" }, "uuid": "3c630128-27ba-4c71-b09a-c9ac39e7acac", "value": "Shamoon uses Masquerading" }, { "meta": { "source-uuid": "aeff5887-8f9e-48d5-a523-9b395e2ce80a", "target-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22" }, "uuid": "ef79ec2f-fd7f-4f0b-851c-d215693987be", "value": "Credential Dumping Mitigation mitigates Credential Dumping" }, { "meta": { "source-uuid": "495b6cdb-7b5a-4fbc-8d33-e7ef68806d08", "target-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add" }, "uuid": "720cc0d6-9285-425b-bda2-3bdd59b4ea8f", "value": "Volgmer uses Remote File Copy" }, { "meta": { "source-uuid": "00c3bfcb-99bd-4767-8c03-b08f585f5c8a", "target-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104" }, "uuid": "5efe685d-66a6-4f1f-8779-4aae5db859d0", "value": "PowerDuke uses System Owner/User Discovery" }, { "meta": { "source-uuid": "a653431d-6a5e-4600-8ad3-609b5af57064", "target-uuid": "c16e5409-ee53-4d79-afdc-4099dc9292df" }, "uuid": "44f230bb-b59a-4f30-8203-5e5ffd9796f5", "value": "Deep Panda uses Web Shell" }, { "meta": { "source-uuid": "fbb470da-1d44-4f29-bbb3-9efbe20f94a3", "target-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add" }, "uuid": "d7699bcf-5732-40f5-a715-d430b00b043e", "value": "Mivast uses Remote File Copy" }, { "meta": { "source-uuid": "f6d1d2cb-12f5-4221-9636-44606ea1f3f8", "target-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896" }, "uuid": "60198640-1e5a-4b8e-9a69-5f275f7e0e68", "value": 
"OSInfo uses Query Registry" }, { "meta": { "source-uuid": "bef4c620-0787-42a8-a96d-b7eb6e85917c", "target-uuid": "b21c3b2d-02e6-45b1-980b-e69051040839" }, "uuid": "cce31baa-5862-4df5-806f-15aaa7410fa5", "value": "APT28 uses Exploitation of Vulnerability" }, { "meta": { "source-uuid": "5967cc93-57c9-404a-8ffd-097edfa7bdfc", "target-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6" }, "uuid": "27a64a3a-62cb-4c1b-adfc-5070e2f1e744", "value": "Hi-Zor uses Standard Application Layer Protocol" }, { "meta": { "source-uuid": "752db800-ea54-4e7a-b4c1-2a0292350ea7", "target-uuid": "7d751199-05fa-4a72-920f-85df4506c76c" }, "uuid": "4ce0f95f-577c-4a02-a355-328cf376ceba", "value": "Multi-hop Proxy Mitigation mitigates Multi-hop Proxy" }, { "meta": { "source-uuid": "68dca94f-c11d-421e-9287-7c501108e18c", "target-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9" }, "uuid": "bdee01a7-16cb-417e-8d9b-c98afd445bbc", "value": "Duqu uses Scheduled Task" }, { "meta": { "source-uuid": "0bbdf25b-30ff-4894-a1cd-49260d0dd2d9", "target-uuid": "a93494bb-4b80-4ea1-8695-3236a49916fd" }, "uuid": "1334cbe3-8613-4279-9a1f-58781c2656a4", "value": "APT3 uses Brute Force" }, { "meta": { "source-uuid": "2a7914cf-dff3-428d-ab0f-1014d1c28aeb", "target-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc" }, "uuid": "4b45b720-a606-4c52-a28a-2ef298f9b42f", "value": "FIN6 uses Registry Run Keys / Start Folder" }, { "meta": { "source-uuid": "af2ad3b7-ab6a-4807-91fd-51bcaff9acbb", "target-uuid": "30208d3e-0d6b-43c8-883e-44462a514619" }, "uuid": "7a892ca0-f915-4dc1-817a-cdcfb6777f28", "value": "USBStealer uses Automated Collection" }, { "meta": { "source-uuid": "12cba7de-0a22-4a56-b51e-c514c67c3b43", "target-uuid": "ce73ea43-8e77-47ba-9c11-5e9c9c58b9ff" }, "uuid": "0fe893d6-a52f-4828-a792-eeb6a3e4f979", "value": "Hidden Users Mitigation mitigates Hidden Users" }, { "meta": { "source-uuid": "fb366179-766c-4a4a-afa1-52bff1fd601c", "target-uuid": "b9f5dbe2-4c55-4fc5-af2e-d42c1d182ec4" }, "uuid": 
"a73f9ed3-7f51-4709-a63f-f5ef59aa25cf", "value": "Threat Group-3390 uses Data Compressed" }, { "meta": { "source-uuid": "82cb34ba-02b5-432b-b2d2-07f55cbf674d", "target-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688" }, "uuid": "0bd9fd2b-e2f7-48f1-8988-31c041691585", "value": "Trojan.Karagany uses Screen Capture" }, { "meta": { "source-uuid": "80a014ba-3fef-4768-990b-37d8bd10d7f4", "target-uuid": "6ff403bc-93e3-48be-8687-e102fdba8c88" }, "uuid": "229e8b6e-6c16-406a-8def-7588aaae4fcb", "value": "Uroburos uses Software Packing" }, { "meta": { "source-uuid": "65341f30-bec6-4b1d-8abf-1a5620446c29", "target-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0" }, "uuid": "f6cb3957-be7f-41bf-ad44-3dfbd7a5dfe2", "value": "Reaver uses System Network Configuration Discovery" }, { "meta": { "source-uuid": "fbe9387f-34e6-4828-ac28-3080020c597b", "target-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59" }, "uuid": "059f8b03-59f9-45da-9c12-862f50e5fe45", "value": "FIN10 uses File Deletion" }, { "meta": { "source-uuid": "91000a8a-58cc-4aba-9ad0-993ad6302b86", "target-uuid": "478aa214-2ca7-4ec0-9978-18798e514790" }, "uuid": "5576c38e-6b03-4ea9-8936-60eeddb749a7", "value": "StreamEx uses New Service" }, { "meta": { "source-uuid": "64fa0de0-6240-41f4-8638-f4ca7ed528fd", "target-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670" }, "uuid": "deafd60c-af1a-40eb-bc43-287b37553fae", "value": "PlugX uses Execution through API" }, { "meta": { "source-uuid": "f5352566-1a64-49ac-8f7f-97e1d1a03300", "target-uuid": "ca1a3f50-5ebd-41f8-8320-2c7d6a6e88be" }, "uuid": "5cd8b8a9-fd11-4405-8369-b12398b94def", "value": "AutoIt backdoor uses Bypass User Account Control" }, { "meta": { "source-uuid": "03342581-f790-4f03-ba41-e82e67392e23", "target-uuid": "f3c544dc-673c-4ef3-accb-53229f1ae077" }, "uuid": "12455fe5-42dd-420e-839e-8a96886488f7", "value": "Net uses System Time Discovery" }, { "meta": { "source-uuid": "910482b1-6749-4934-abcb-3e34d58294fc", "target-uuid": "772bc7a8-a157-42cc-8728-d648e25c7fe7" }, "uuid": 
"65a4317d-86b2-40c1-9d27-a067bcc2ad80", "value": "Distributed Component Object Model Mitigation mitigates Distributed Component Object Model" }, { "meta": { "source-uuid": "ccd61dfc-b03f-4689-8c18-7c97eab08472", "target-uuid": "4b74a1d4-b0e9-4ef1-93f1-14ecc6e2f5b5" }, "uuid": "f29a3a93-e697-4d6f-8087-eec72856bae5", "value": "CHOPSTICK uses Standard Cryptographic Protocol" }, { "meta": { "source-uuid": "2a7914cf-dff3-428d-ab0f-1014d1c28aeb", "target-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6" }, "uuid": "20c7d1a2-be94-4f58-83a9-7eb9e05c4449", "value": "FIN6 uses Standard Application Layer Protocol" }, { "meta": { "source-uuid": "58adaaa8-f1e8-4606-9a08-422e568461eb", "target-uuid": "72b74d71-8169-42aa-92e0-e7b04b9f5a08" }, "uuid": "33630ee4-24dc-4339-b29f-3d8b39e7daae", "value": "SHOTPUT uses Account Discovery" }, { "meta": { "source-uuid": "3753cc21-2dae-4dfb-8481-d004e74502cc", "target-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9" }, "uuid": "1f7b17e9-9ad3-42dd-ab92-e3afe752247b", "value": "FIN7 uses Scheduled Task" }, { "meta": { "source-uuid": "afc079f3-c0ea-4096-b75d-3f05338b7f60", "target-uuid": "a10641f4-87b4-45a3-a906-92a149cb2c27" }, "uuid": "6e641c36-188b-480e-b177-e412cd000b34", "value": "Mimikatz uses Account Manipulation" }, { "meta": { "source-uuid": "89f63ae4-f229-4a5c-95ad-6f22ed2b5c49", "target-uuid": "a10641f4-87b4-45a3-a906-92a149cb2c27" }, "uuid": "f76355cb-9aa5-403c-aae4-8faed799ac31", "value": "Skeleton Key uses Account Manipulation" }, { "meta": { "source-uuid": "b6b3dfc7-9a81-43ff-ac04-698bad48973a", "target-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a" }, "uuid": "92b34cc0-b059-4294-824f-bb92298f3ae6", "value": "Daserf uses Obfuscated Files or Information" }, { "meta": { "source-uuid": "6a2e693f-24e5-451a-9f88-b36a108e5662", "target-uuid": "b07c2c47-fefb-4d7c-a69e-6a3296171f54" }, "uuid": "6e366a30-cf75-4a47-855f-91a006014ada", "value": "APT1 uses gsecdump" }, { "meta": { "source-uuid": "247cb30b-955f-42eb-97a5-a89fef69341e", 
"target-uuid": "aafea02e-ece5-4bb2-91a6-3bf8c7f38a39" }, "uuid": "ab9b78cc-2b83-4074-beeb-0af4aad906d3", "value": "APT32 uses Cobalt Strike" }, { "meta": { "source-uuid": "59a97b15-8189-4d51-9404-e1ce8ea4a069", "target-uuid": "348f1eef-964b-4eb6-bb53-69b3dcb0c643" }, "uuid": "6c8303dd-6ecc-47ea-abd6-6d5b2e557d96", "value": "XAgentOSX uses Peripheral Device Discovery" }, { "meta": { "source-uuid": "fb575479-14ef-41e9-bfab-0b7cf10bec73", "target-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2" }, "uuid": "0d328be7-85d2-4558-a4e3-cc5ce8bc7e2e", "value": "ADVSTORESHELL uses Input Capture" }, { "meta": { "source-uuid": "a8d3d497-2da9-4797-8e0b-ed176be08654", "target-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d" }, "uuid": "e7baabf7-9300-432d-aa78-000ac099d4d3", "value": "Wingbird uses Process Injection" }, { "meta": { "source-uuid": "0bbdf25b-30ff-4894-a1cd-49260d0dd2d9", "target-uuid": "b2001907-166b-4d71-bb3c-9d26c871de09" }, "uuid": "99c0cda4-91b1-4845-9891-9a4b89c128f9", "value": "APT3 uses DLL Side-Loading" }, { "meta": { "source-uuid": "5967cc93-57c9-404a-8ffd-097edfa7bdfc", "target-uuid": "f879d51c-5476-431c-aedf-f14d207e4d1e" }, "uuid": "5b650388-4ab3-4c56-a69e-df7eba7f0756", "value": "Hi-Zor uses Commonly Used Port" }, { "meta": { "source-uuid": "bef4c620-0787-42a8-a96d-b7eb6e85917c", "target-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59" }, "uuid": "5ea36f9f-f5b6-4494-be0a-061058d6b1f1", "value": "APT28 uses File Deletion" }, { "meta": { "source-uuid": "2a6f4c7b-e690-4cc7-ab6b-1f821fb6b80b", "target-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6" }, "uuid": "12cc7738-bb90-4e77-a96d-8e4f312e07d4", "value": "LOWBALL uses Standard Application Layer Protocol" }, { "meta": { "source-uuid": "94379dec-5c87-49db-b36e-66abc0b81344", "target-uuid": "3b3cbbe0-6ed3-4334-b543-3ddfd8c5642d" }, "uuid": "a7cb0193-e854-4361-b1a1-fc4e68354c59", "value": "Derusbi uses Custom Cryptographic Protocol" }, { "meta": { "source-uuid": "166c0eca-02fd-424a-92c0-6b5106994d31", "target-uuid": 
"478aa214-2ca7-4ec0-9978-18798e514790" }, "uuid": "3f02c07f-663f-4c54-b7e0-c2b2dbe82335", "value": "ZLib uses New Service" }, { "meta": { "source-uuid": "fbe9387f-34e6-4828-ac28-3080020c597b", "target-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc" }, "uuid": "75b383eb-5483-4c44-a721-ee1cffa6edb7", "value": "FIN10 uses Registry Run Keys / Start Folder" }, { "meta": { "source-uuid": "899ce53f-13a0-479b-a0e4-67d46e241542", "target-uuid": "2eb9b131-d333-4a48-9eb4-d8dec46c19ee" }, "uuid": "eeae630c-0c58-4397-90fb-05f5b60b720f", "value": "APT29 uses CosmicDuke" }, { "meta": { "source-uuid": "aafea02e-ece5-4bb2-91a6-3bf8c7f38a39", "target-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5" }, "uuid": "f4865a5c-c17c-408a-94de-2feac0d006fd", "value": "Cobalt Strike uses Data from Local System" }, { "meta": { "source-uuid": "68dca94f-c11d-421e-9287-7c501108e18c", "target-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d" }, "uuid": "7c3b845e-56ca-4580-b060-a3fa42b86a86", "value": "Duqu uses Process Injection" }, { "meta": { "source-uuid": "0f862b01-99da-47cc-9bdb-db4a86a95bb1", "target-uuid": "478aa214-2ca7-4ec0-9978-18798e514790" }, "uuid": "ea6289bb-c974-4e4c-bdc4-1c3211a6d1d4", "value": "Emissary uses New Service" }, { "meta": { "source-uuid": "4c59cce8-cb48-4141-b9f1-f646edfaadb0", "target-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6" }, "uuid": "2fe9c7cf-44aa-495b-bde6-80cbfc4fbed9", "value": "Regin uses Standard Application Layer Protocol" }, { "meta": { "source-uuid": "98e8a977-3416-43aa-87fa-33e287e9c14c", "target-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896" }, "uuid": "47f611f4-b9f0-42ef-9629-ee4a56e737ed", "value": "WINDSHIELD uses Query Registry" }, { "meta": { "source-uuid": "894aab42-3371-47b1-8859-a4a074c804c8", "target-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6" }, "uuid": "782da600-bc3b-4dae-89d1-4a79522bed02", "value": "Stealth Falcon uses Standard Application Layer Protocol" }, { "meta": { "source-uuid": "37cc7eb6-12e3-467b-82e8-f20f2cc73c69", "target-uuid": 
"0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22" }, "uuid": "5c84cfe2-a395-47c6-831a-4491f8585a00", "value": "Prikormka uses Credential Dumping" }, { "meta": { "source-uuid": "cf23bf4a-e003-4116-bbae-1ea6c558d565", "target-uuid": "f879d51c-5476-431c-aedf-f14d207e4d1e" }, "uuid": "05352dad-ecbb-477c-a05c-5eb3d67ae9ae", "value": "FTP uses Commonly Used Port" }, { "meta": { "source-uuid": "899ce53f-13a0-479b-a0e4-67d46e241542", "target-uuid": "c23b740b-a42b-47a1-aec2-9d48ddd547ff" }, "uuid": "5de21fc4-c460-4da4-9dc4-2acdd54640a8", "value": "APT29 uses Pass the Hash" }, { "meta": { "source-uuid": "69d6f4a9-fcf0-4f51-bca7-597c51ad0bb8", "target-uuid": "7e150503-88e7-4861-866b-ff1ac82c4475" }, "uuid": "24bce281-7858-4a42-bfd6-601800fb63f7", "value": "Remsec uses System Network Connections Discovery" }, { "meta": { "source-uuid": "69d6f4a9-fcf0-4f51-bca7-597c51ad0bb8", "target-uuid": "b21c3b2d-02e6-45b1-980b-e69051040839" }, "uuid": "131fde9c-7a83-4603-9c1e-c41f815fb14c", "value": "Remsec uses Exploitation of Vulnerability" }, { "meta": { "source-uuid": "899ce53f-13a0-479b-a0e4-67d46e241542", "target-uuid": "5e7ef1dc-7fb6-4913-ac75-e06113b59e0c" }, "uuid": "7243a679-467e-4c31-b413-547016b9c3ad", "value": "APT29 uses MiniDuke" }, { "meta": { "source-uuid": "afc079f3-c0ea-4096-b75d-3f05338b7f60", "target-uuid": "56ff457d-5e39-492b-974c-dfd2b8603ffe" }, "uuid": "1c5b8ff2-400a-4e0f-a819-3cc8f1bc76b8", "value": "Mimikatz uses Private Keys" }, { "meta": { "source-uuid": "222fbd21-fc4f-4b7e-9f85-0e6e3a76c33f", "target-uuid": "9de2308e-7bed-43a3-8e58-f194b3586700" }, "uuid": "4aa62b6b-7441-4ece-9cb0-2a5bcb46f966", "value": "menuPass uses pwdump" }, { "meta": { "source-uuid": "5be33fef-39c0-4532-84ee-bea31e1b5324", "target-uuid": "1c338d0f-a65e-4073-a5c1-c06878849f21" }, "uuid": "b1df64c9-782d-4452-8c4a-5ef933503c13", "value": "ISMInjector uses Process Hollowing" }, { "meta": { "source-uuid": "9e729a7e-0dd6-4097-95bf-db8d64911383", "target-uuid": "3b744087-9945-4a6f-91e8-9dbceda417a4" }, 
"uuid": "5bad7b38-36b5-4208-9895-e4a113c511a3", "value": "Darkhotel uses Replication Through Removable Media" }, { "meta": { "source-uuid": "2dd34b01-6110-4aac-835d-b5e7b936b0be", "target-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a" }, "uuid": "8e82a523-fc73-4f3b-98dc-3b1e7199cd93", "value": "OLDBAIT uses Obfuscated Files or Information" }, { "meta": { "source-uuid": "69d6f4a9-fcf0-4f51-bca7-597c51ad0bb8", "target-uuid": "b8c5c9dd-a662-479d-9428-ae745872537c" }, "uuid": "46f301cd-8ae3-431a-931b-df4bb4fee271", "value": "Remsec uses Password Filter DLL" }, { "meta": { "source-uuid": "d69c8146-ab35-4d50-8382-6fc80e641d43", "target-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59" }, "uuid": "9fe01f98-e0b3-4749-b9a6-eb10c216c548", "value": "BLACKCOFFEE uses File Deletion" }, { "meta": { "source-uuid": "6a2e693f-24e5-451a-9f88-b36a108e5662", "target-uuid": "4fa49fc0-9162-4bdb-a37e-7aa3dcb6d38b" }, "uuid": "cf467be5-c162-4763-801b-32cb57a514ef", "value": "APT1 uses xCmd" }, { "meta": { "source-uuid": "91000a8a-58cc-4aba-9ad0-993ad6302b86", "target-uuid": "62b8c999-dcc0-4755-bd69-09442d9359f5" }, "uuid": "1b4ee147-dc39-43d2-b468-fcd308e6cbae", "value": "StreamEx uses Rundll32" }, { "meta": { "source-uuid": "68dca94f-c11d-421e-9287-7c501108e18c", "target-uuid": "ad255bfe-a9e6-4b52-a258-8d3462abe842" }, "uuid": "c0905059-1f3c-414c-8027-b8ec2e4b3c89", "value": "Duqu uses Data Obfuscation" }, { "meta": { "source-uuid": "23bff3ce-021c-4e7a-9aee-60fd40bc7c6c", "target-uuid": "9e80ddfb-ce32-4961-a778-ca6a10cfae72" }, "uuid": "2e5931ef-cc28-49e8-b0c1-7705227ee5cf", "value": "Sudo Mitigation mitigates Sudo" }, { "meta": { "source-uuid": "7c1796c7-9fc3-4c3e-9416-527295bf5d95", "target-uuid": "f879d51c-5476-431c-aedf-f14d207e4d1e" }, "uuid": "a34d1e30-dcf5-4743-93e5-e4834e980f0f", "value": "Commonly Used Port Mitigation mitigates Commonly Used Port" }, { "meta": { "source-uuid": "5f9f7648-04ba-4a9f-bb4c-2a13e74572bd", "target-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add" }, "uuid": 
"35ae6625-8563-493c-8950-1230bd0fd122", "value": "Pteranodon uses Remote File Copy" }, { "meta": { "source-uuid": "1cc934e4-b01d-4543-a011-b988dfc1a458", "target-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2" }, "uuid": "1f99a883-e78f-423d-9837-2b5ebb14fe63", "value": "Matroyshka uses Input Capture" }, { "meta": { "source-uuid": "fb366179-766c-4a4a-afa1-52bff1fd601c", "target-uuid": "7dd95ff6-712e-4056-9626-312ea4ab4c5e" }, "uuid": "1b45f3b5-b7a4-4424-a8ff-1b1f1c1a55d9", "value": "Threat Group-3390 uses Data Staged" }, { "meta": { "source-uuid": "7dbb67c7-270a-40ad-836e-c45f8948aa5a", "target-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830" }, "uuid": "f3bbff8f-5f4b-40aa-a55f-e3880a582868", "value": "KOMPROGO uses Command-Line Interface" }, { "meta": { "source-uuid": "09b2cd76-c674-47cc-9f57-d2f2ad150a46", "target-uuid": "15dbf668-795c-41e6-8219-f0447c0e64ce" }, "uuid": "533deac3-2f27-4256-bb11-7d68d8824d47", "value": "POWRUNER uses Permission Groups Discovery" }, { "meta": { "source-uuid": "bef4c620-0787-42a8-a96d-b7eb6e85917c", "target-uuid": "7343e208-7cab-45f2-a47b-41ba5e2f0fab" }, "uuid": "92c68b65-18b8-44e9-a368-692048ba9611", "value": "APT28 uses XTunnel" }, { "meta": { "source-uuid": "f8dfbc54-b070-4224-b560-79aaa5f835bd", "target-uuid": "6ff403bc-93e3-48be-8687-e102fdba8c88" }, "uuid": "98aeed7c-e88b-4c5b-8e8e-21ee3534abe9", "value": "H1N1 uses Software Packing" }, { "meta": { "source-uuid": "16ade1aa-0ea1-4bb7-88cc-9079df2ae756", "target-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0" }, "uuid": "4da943df-a7dc-499f-a8b7-ca8d298d8ff6", "value": "admin@338 uses Masquerading" }, { "meta": { "source-uuid": "fb366179-766c-4a4a-afa1-52bff1fd601c", "target-uuid": "e066bf86-9cfb-407a-9d25-26fd5d91e360" }, "uuid": "75c3b5f6-a0ca-4afc-baad-ef19ed4317b3", "value": "Threat Group-3390 uses HTTPBrowser" }, { "meta": { "source-uuid": "aafea02e-ece5-4bb2-91a6-3bf8c7f38a39", "target-uuid": "99709758-2b96-48f2-a68a-ad7fbd828091" }, "uuid": "290c0a54-2702-4d6e-97db-1eafa9a7a1f3", 
"value": "Cobalt Strike uses Multiband Communication" }, { "meta": { "source-uuid": "0e5bdf42-a7f7-4d16-a074-4915bd262f80", "target-uuid": "a19e86f8-1c0a-4fea-8407-23b73d615776" }, "uuid": "6f991c49-462a-4cb8-8096-15c77f7ccace", "value": "Exfiltration Over Alternative Protocol Mitigation mitigates Exfiltration Over Alternative Protocol" }, { "meta": { "source-uuid": "fb261c56-b80e-43a9-8351-c84081e7213d", "target-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6" }, "uuid": "5697b245-d888-40ab-af72-9236c6daa273", "value": "BACKSPACE uses Standard Application Layer Protocol" }, { "meta": { "source-uuid": "37cc7eb6-12e3-467b-82e8-f20f2cc73c69", "target-uuid": "7bc57495-ea59-4380-be31-a64af124ef18" }, "uuid": "e64a09d0-4205-4aca-8acb-f6926233d107", "value": "Prikormka uses File and Directory Discovery" }, { "meta": { "source-uuid": "a60657fa-e2e7-4f8f-8128-a882534ae8c5", "target-uuid": "d54416bd-0803-41ca-870a-ce1af7c05638" }, "uuid": "a83992e1-5be5-433e-b3f1-d9ccde98c9ca", "value": "OwaAuth uses Data Encrypted" }, { "meta": { "source-uuid": "b2c5d3ca-b43a-4888-ad8d-e2d43497bf85", "target-uuid": "ad255bfe-a9e6-4b52-a258-8d3462abe842" }, "uuid": "04ba0d26-d931-423e-a3de-713892c0af97", "value": "P2P ZeuS uses Data Obfuscation" }, { "meta": { "source-uuid": "a8d3d497-2da9-4797-8e0b-ed176be08654", "target-uuid": "478aa214-2ca7-4ec0-9978-18798e514790" }, "uuid": "a8aac75d-ef58-4dda-97a8-9584a6a6baaf", "value": "Wingbird uses New Service" }, { "meta": { "source-uuid": "67e6d66b-1b82-4699-b47a-e2efb6268d14", "target-uuid": "a257ed11-ff3b-4216-8c9d-3938ef57064c" }, "uuid": "02a7ea5c-695c-4932-9160-6e0441789670", "value": "SeaDuke uses Pass the Ticket" }, { "meta": { "source-uuid": "65341f30-bec6-4b1d-8abf-1a5620446c29", "target-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59" }, "uuid": "3bf633d0-5578-4e3a-a599-52f3946f6623", "value": "Reaver uses File Deletion" }, { "meta": { "source-uuid": "894aab42-3371-47b1-8859-a4a074c804c8", "target-uuid": "92d7da27-2d91-488e-a00c-059dc162766d" 
}, "uuid": "e1592867-e02f-4c1f-a9f2-1c60e25a1301", "value": "Stealth Falcon uses Exfiltration Over Command and Control Channel" }, { "meta": { "source-uuid": "a13e35cc-8c90-4d77-a965-5461042c1612", "target-uuid": "970cdb5c-02fb-4c38-b17e-d6327cf3c810" }, "uuid": "2482623f-65a7-4da5-8cb2-64279319e3dc", "value": "Shortcut Modification Mitigation mitigates Shortcut Modification" }, { "meta": { "source-uuid": "54cc1d4f-5c53-4f0e-9ef5-11b4998e82e4", "target-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6" }, "uuid": "f5a175ba-ed26-44f8-9828-c2aa0e1f7d86", "value": "BlackEnergy uses Standard Application Layer Protocol" }, { "meta": { "source-uuid": "5a63f900-5e7e-4928-a746-dd4558e1df71", "target-uuid": "241814ae-de3f-4656-b49e-f9a80764d4b7" }, "uuid": "f0d218a3-9f7b-4f21-aa4a-34dc25f05b61", "value": "netsh uses Security Software Discovery" }, { "meta": { "source-uuid": "00c3bfcb-99bd-4767-8c03-b08f585f5c8a", "target-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc" }, "uuid": "f0b00a47-9d63-4d05-b771-022a21a4ed06", "value": "PowerDuke uses Registry Run Keys / Start Folder" }, { "meta": { "source-uuid": "37cc7eb6-12e3-467b-82e8-f20f2cc73c69", "target-uuid": "cc7b8c4e-9be0-47ca-b0bb-83915ec3ee2f" }, "uuid": "9cf37d0b-a23d-4514-961d-94d1cc6e2bef", "value": "Prikormka uses Data Encoding" }, { "meta": { "source-uuid": "5f9f7648-04ba-4a9f-bb4c-2a13e74572bd", "target-uuid": "7dd95ff6-712e-4056-9626-312ea4ab4c5e" }, "uuid": "c93bb2b9-bd22-4e14-b884-2141168387b2", "value": "Pteranodon uses Data Staged" }, { "meta": { "source-uuid": "c93fccb1-e8e8-42cf-ae33-2ad1d183913a", "target-uuid": "7dd95ff6-712e-4056-9626-312ea4ab4c5e" }, "uuid": "5f055076-79d1-44e8-95cb-43fc515df2f6", "value": "Lazarus Group uses Data Staged" }, { "meta": { "source-uuid": "b07c2c47-fefb-4d7c-a69e-6a3296171f54", "target-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22" }, "uuid": "108a1655-faba-4016-a276-c224665cb5c4", "value": "gsecdump uses Credential Dumping" }, { "meta": { "source-uuid": 
"2a7914cf-dff3-428d-ab0f-1014d1c28aeb", "target-uuid": "d54416bd-0803-41ca-870a-ce1af7c05638" }, "uuid": "0c78e3a7-45c5-454f-8905-a831fbede841", "value": "FIN6 uses Data Encrypted" }, { "meta": { "source-uuid": "fb261c56-b80e-43a9-8351-c84081e7213d", "target-uuid": "7bc57495-ea59-4380-be31-a64af124ef18" }, "uuid": "991c16bd-c17b-479a-8f45-385467323c0a", "value": "BACKSPACE uses File and Directory Discovery" }, { "meta": { "source-uuid": "4689b9fb-dca4-473e-831b-34717ad50c97", "target-uuid": "830c9528-df21-472c-8c14-a036bf17d665" }, "uuid": "91af9744-413c-4e9c-bfdb-a9ca167e9bb5", "value": "Web Service Mitigation mitigates Web Service" }, { "meta": { "source-uuid": "800bdfba-6d66-480f-9f45-15845c05cb5d", "target-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59" }, "uuid": "7985b09e-9241-489c-a0f2-45a6f5c782f1", "value": "pngdowner uses File Deletion" }, { "meta": { "source-uuid": "899ce53f-13a0-479b-a0e4-67d46e241542", "target-uuid": "01a5a209-b94c-450b-b7f9-946497d91055" }, "uuid": "ab51525b-93c6-4ea8-bd83-b9547f1317bb", "value": "APT29 uses Windows Management Instrumentation" }, { "meta": { "source-uuid": "e9595678-d269-469e-ae6b-75e49259de63", "target-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830" }, "uuid": "a2a31eb7-0b22-416c-b12d-e52e5f37f8b8", "value": "BADNEWS uses Command-Line Interface" }, { "meta": { "source-uuid": "0b32ec39-ba61-4864-9ebe-b4b0b73caf9a", "target-uuid": "478aa214-2ca7-4ec0-9978-18798e514790" }, "uuid": "e2b4bcf2-58a6-49ed-bc72-21226ff419bd", "value": "TDTESS uses New Service" }, { "meta": { "source-uuid": "d45f03a8-790a-4f90-b956-cd7e5b8886bf", "target-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81" }, "uuid": "3c3f26b3-d676-4e17-adca-2a8ea4643148", "value": "Valid Accounts Mitigation mitigates Valid Accounts" }, { "meta": { "source-uuid": "7a19ecb1-3c65-4de3-a230-993516aed6a6", "target-uuid": "03342581-f790-4f03-ba41-e82e67392e23" }, "uuid": "cd79beea-20ee-4b4f-aad1-5cc34d27398c", "value": "Turla uses Net" }, { "meta": { "source-uuid": 
"6a0ef5d4-fc7c-4dda-85d7-592e4dbdc5d9", "target-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc" }, "uuid": "c1421d39-cb5d-4bac-a931-9c641066c0fd", "value": "Sykipot uses Registry Run Keys / Start Folder" }, { "meta": { "source-uuid": "c11ac61d-50f4-444f-85d8-6f006067f0de", "target-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0" }, "uuid": "c954a1f5-c925-4c5c-ad64-62545dfbe383", "value": "route uses System Network Configuration Discovery" }, { "meta": { "source-uuid": "222fbd21-fc4f-4b7e-9f85-0e6e3a76c33f", "target-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22" }, "uuid": "9066dcee-7c80-429c-a5cc-77458e891349", "value": "menuPass uses Credential Dumping" }, { "meta": { "source-uuid": "68ba94ab-78b8-43e7-83e2-aed3466882c6", "target-uuid": "09b2cd76-c674-47cc-9f57-d2f2ad150a46" }, "uuid": "96235e56-e55a-4146-a9a6-956f8f1f7dcf", "value": "APT34 uses POWRUNER" }, { "meta": { "source-uuid": "0bbdf25b-30ff-4894-a1cd-49260d0dd2d9", "target-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59" }, "uuid": "9b7bf5d9-23a0-4190-80c0-b27b906bafcc", "value": "APT3 uses File Deletion" }, { "meta": { "source-uuid": "463f68f1-5cde-4dc2-a831-68b73488f8f4", "target-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add" }, "uuid": "56d858ef-2d62-4aa9-b050-699de9b048e9", "value": "MobileOrder uses Remote File Copy" }, { "meta": { "source-uuid": "c93fccb1-e8e8-42cf-ae33-2ad1d183913a", "target-uuid": "01a5a209-b94c-450b-b7f9-946497d91055" }, "uuid": "64a17aba-5182-4666-bd37-dafa9d835fe8", "value": "Lazarus Group uses Windows Management Instrumentation" }, { "meta": { "source-uuid": "aafea02e-ece5-4bb2-91a6-3bf8c7f38a39", "target-uuid": "7fd87010-3a00-4da3-b905-410525e8ec44" }, "uuid": "23dca74f-2b3e-46c0-b7a3-9d9eab932f58", "value": "Cobalt Strike uses Scripting" }, { "meta": { "source-uuid": "0f862b01-99da-47cc-9bdb-db4a86a95bb1", "target-uuid": "519630c5-f03f-4882-825c-3af924935817" }, "uuid": "d200ba08-8179-495e-a854-9b13be5c0f93", "value": "Emissary uses Binary Padding" }, { "meta": { "source-uuid": 
"d1acfbb3-647b-4723-9154-800ec119006e", "target-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1" }, "uuid": "e20b57e5-c010-4b9e-a04e-660daa8b5c87", "value": "Sowbug uses System Information Discovery" }, { "meta": { "source-uuid": "7551188b-8f91-4d34-8350-0d0c57b2b913", "target-uuid": "128c55d3-aeba-469f-bd3e-c8996ab4112a" }, "uuid": "6deeb486-90c3-4279-8549-17c81ea2466b", "value": "Elise uses Timestomp" }, { "meta": { "source-uuid": "0bbdf25b-30ff-4894-a1cd-49260d0dd2d9", "target-uuid": "00d0b012-8a03-410e-95de-5826bf542de6" }, "uuid": "febbf503-d7e5-4896-90b9-35b6a811b19b", "value": "APT3 uses Indicator Removal from Tools" }, { "meta": { "source-uuid": "495b6cdb-7b5a-4fbc-8d33-e7ef68806d08", "target-uuid": "f879d51c-5476-431c-aedf-f14d207e4d1e" }, "uuid": "2902ccff-873a-4ebc-bdf4-caaae629ae9d", "value": "Volgmer uses Commonly Used Port" }, { "meta": { "source-uuid": "23b6a0f5-fa95-46f9-a6f3-4549c5e45ec8", "target-uuid": "6ff403bc-93e3-48be-8687-e102fdba8c88" }, "uuid": "047ee6d3-1b85-4a0f-96a6-6ead4be43548", "value": "Night Dragon uses Software Packing" }, { "meta": { "source-uuid": "2eb9b131-d333-4a48-9eb4-d8dec46c19ee", "target-uuid": "ae676644-d2d2-41b7-af7e-9bed1b55898c" }, "uuid": "3e7c9978-4db1-4ee1-ae27-640acee5a543", "value": "CosmicDuke uses Data from Network Shared Drive" }, { "meta": { "source-uuid": "1cc934e4-b01d-4543-a011-b988dfc1a458", "target-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688" }, "uuid": "a56aafe6-4a54-4ce5-b927-8b56826b3445", "value": "Matroyshka uses Screen Capture" }, { "meta": { "source-uuid": "d1acfbb3-647b-4723-9154-800ec119006e", "target-uuid": "ae676644-d2d2-41b7-af7e-9bed1b55898c" }, "uuid": "5f3eb1ae-782e-4e49-8e1e-650f3e5a1139", "value": "Sowbug uses Data from Network Shared Drive" }, { "meta": { "source-uuid": "4ca1929c-7d64-4aab-b849-badbfc0c760d", "target-uuid": "03342581-f790-4f03-ba41-e82e67392e23" }, "uuid": "3fb836b7-41cf-40d1-bd56-14e45e6bbd02", "value": "OilRig uses Net" }, { "meta": { "source-uuid": 
"a8d3d497-2da9-4797-8e0b-ed176be08654", "target-uuid": "6e6845c2-347a-4a6f-a2d1-b74a18ebd352" }, "uuid": "019eb3cf-35df-4109-a006-1b91331866c3", "value": "Wingbird uses LSASS Driver" }, { "meta": { "source-uuid": "76abb3ef-dafd-4762-97cb-a35379429db4", "target-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc" }, "uuid": "2fb450c6-e236-4b81-b5ac-a9d4be0cf167", "value": "Gazer uses Registry Run Keys / Start Folder" }, { "meta": { "source-uuid": "0f862b01-99da-47cc-9bdb-db4a86a95bb1", "target-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830" }, "uuid": "2c158663-599b-45a8-b946-6d545206428d", "value": "Emissary uses Command-Line Interface" }, { "meta": { "source-uuid": "e1161124-f22e-487f-9d5f-ed8efc8dcd61", "target-uuid": "cc7b8c4e-9be0-47ca-b0bb-83915ec3ee2f" }, "uuid": "7f1c30eb-051f-4d1a-9d81-1ee46f7779c7", "value": "Mis-Type uses Data Encoding" }, { "meta": { "source-uuid": "4ca1929c-7d64-4aab-b849-badbfc0c760d", "target-uuid": "f24faf46-3b26-4dbb-98f2-63460498e433" }, "uuid": "12daddcc-b964-485e-8c2d-10f554d78bcc", "value": "OilRig uses Fallback Channels" }, { "meta": { "source-uuid": "f108215f-3487-489d-be8b-80e346d32518", "target-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580" }, "uuid": "9a62c02a-e373-494e-af73-f8b3274e8c9b", "value": "Komplex uses Process Discovery" }, { "meta": { "source-uuid": "fb366179-766c-4a4a-afa1-52bff1fd601c", "target-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5" }, "uuid": "aec0a948-428f-4327-b466-a0472da12928", "value": "Threat Group-3390 uses Data from Local System" }, { "meta": { "source-uuid": "23061b40-a7b6-454f-8950-95d5ff80331c", "target-uuid": "d519cfd5-f3a8-43a9-a846-ed0bb40672b1" }, "uuid": "85bddba6-3848-4d2d-a4fa-4c4b71274a02", "value": "Install Root Certificate Mitigation mitigates Install Root Certificate" }, { "meta": { "source-uuid": "55033a4d-3ffe-46b2-99b4-2c1541e9ce1c", "target-uuid": "2e0dd10b-676d-4964-acd0-8a404c92b044" }, "uuid": "1ae1ce05-3db2-4a97-8e58-0ed3d65d9d22", "value": "Carbanak uses Disabling Security Tools" }, 
{ "meta": { "source-uuid": "d69c8146-ab35-4d50-8382-6fc80e641d43", "target-uuid": "830c9528-df21-472c-8c14-a036bf17d665" }, "uuid": "8b0e9de1-a7b0-479e-aee7-76f2549508c6", "value": "BLACKCOFFEE uses Web Service" }, { "meta": { "source-uuid": "c085476e-1964-4d7f-86e1-d8657a7741e8", "target-uuid": "9b99b83a-1aac-4e29-b975-b374950551a3" }, "uuid": "1da0f3c7-d9e2-4379-a84c-782fc94a75d5", "value": "Accessibility Features Mitigation mitigates Accessibility Features" }, { "meta": { "source-uuid": "2a158b0a-7ef8-43cb-9985-bf34d1e12050", "target-uuid": "cf23bf4a-e003-4116-bbae-1ea6c558d565" }, "uuid": "0ead6cee-20a4-46fb-a9c1-8686a776f455", "value": "Naikon uses FTP" }, { "meta": { "source-uuid": "17862c7d-9e60-48a0-b48e-da4dc4c3f6b0", "target-uuid": "830c9528-df21-472c-8c14-a036bf17d665" }, "uuid": "b3a9c32f-c6d0-46d4-8936-dd4fec61d305", "value": "Patchwork uses Web Service" }, { "meta": { "source-uuid": "dc5d1a33-62aa-4a0c-aa8c-589b87beb11e", "target-uuid": "2e0dd10b-676d-4964-acd0-8a404c92b044" }, "uuid": "2ade8c03-2395-4175-9a22-8541836f27cd", "value": "ChChes uses Disabling Security Tools" }, { "meta": { "source-uuid": "53cf6cc4-65aa-445a-bcf8-c3d296f8a7a2", "target-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580" }, "uuid": "16043223-3846-4138-93d0-671339ba3646", "value": "NETEAGLE uses Process Discovery" }, { "meta": { "source-uuid": "5e595477-2e78-4ce7-ae42-e0b059b17808", "target-uuid": "f4882e23-8aa7-4b12-b28a-b349c12ee9e0" }, "uuid": "8d5d9206-a213-465d-b384-6152eb2796a0", "value": "POSHSPY uses PowerShell" }, { "meta": { "source-uuid": "876f6a77-fbc5-4e13-ab1a-5611986730a3", "target-uuid": "30208d3e-0d6b-43c8-883e-44462a514619" }, "uuid": "11bc3d01-fc44-415c-b5a3-5576f5cb6057", "value": "T9000 uses Automated Collection" }, { "meta": { "source-uuid": "96913243-2b5e-4483-a65c-bb152ddd2f04", "target-uuid": "46944654-fcc1-4f63-9dad-628102376586" }, "uuid": "069e82d5-89f2-4477-a1f5-115be8ab040a", "value": "DLL Search Order Hijacking Mitigation mitigates DLL Search Order 
Hijacking" }, { "meta": { "source-uuid": "899ce53f-13a0-479b-a0e4-67d46e241542", "target-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9" }, "uuid": "4a0887ab-3ec3-436a-b378-6e28847dfb1e", "value": "APT29 uses Scheduled Task" }, { "meta": { "source-uuid": "9ca488bd-9587-48ef-b923-1743523e63b2", "target-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4" }, "uuid": "6592447f-31c8-46d0-8e88-47584fa301f0", "value": "SOUNDBITE uses Modify Registry" }, { "meta": { "source-uuid": "f9b3e5d9-7454-4b7d-bce6-27620e19924e", "target-uuid": "6aabc5ec-eae6-422c-8311-38d45ee9838a" }, "uuid": "9691a6a8-12d0-45a7-8217-11d1793234cb", "value": "Redundant Access Mitigation mitigates Redundant Access" }, { "meta": { "source-uuid": "c620e3a1-fff5-424f-abea-d2b0f3616f67", "target-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1" }, "uuid": "c28d6f10-431f-493c-8abd-918240c5c970", "value": "System Information Discovery Mitigation mitigates System Information Discovery" }, { "meta": { "source-uuid": "7a19ecb1-3c65-4de3-a230-993516aed6a6", "target-uuid": "7e150503-88e7-4861-866b-ff1ac82c4475" }, "uuid": "3325e625-d76b-42df-b952-749dabb57517", "value": "Turla uses System Network Connections Discovery" }, { "meta": { "source-uuid": "17b40f60-729f-4fe8-8aea-cc9ee44a95d5", "target-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add" }, "uuid": "f4902ad9-b1bb-41ce-a448-55e2d9437503", "value": "RedLeaves uses Remote File Copy" }, { "meta": { "source-uuid": "4b62ab58-c23b-4704-9c15-edd568cd59f8", "target-uuid": "0f20e3cb-245b-4a61-8a91-2d93f7cb0e9b" }, "uuid": "89433640-bf49-48b3-9f26-76423cd36f77", "value": "Hacking Team UEFI Rootkit uses Rootkit" }, { "meta": { "source-uuid": "e547ed6a-f1ca-40df-8613-2ce27927f145", "target-uuid": "e6415f09-df0e-48de-9aba-928c902b7549" }, "uuid": "2083aef8-4d72-4bef-8cbc-33f2c5f4a176", "value": "Exfiltration Over Physical Medium Mitigation mitigates Exfiltration Over Physical Medium" }, { "meta": { "source-uuid": "aafea02e-ece5-4bb2-91a6-3bf8c7f38a39", "target-uuid": 
"bb5a00de-e086-4859-a231-fa793f6797e2" }, "uuid": "be20faa9-64bf-4a65-86c2-dc12f5695d22", "value": "Cobalt Strike uses Input Capture" }, { "meta": { "source-uuid": "7a19ecb1-3c65-4de3-a230-993516aed6a6", "target-uuid": "80a014ba-3fef-4768-990b-37d8bd10d7f4" }, "uuid": "6a87ff58-10b1-4fbc-a633-d7d8a34d1b29", "value": "Turla uses Uroburos" }, { "meta": { "source-uuid": "a0cb9370-e39b-44d5-9f50-ef78e412b973", "target-uuid": "95047f03-4811-4300-922e-1ba937d53a61" }, "uuid": "a8122755-90fe-4b68-8fa1-55ed7be90931", "value": "Axiom uses Hikit" }, { "meta": { "source-uuid": "899ce53f-13a0-479b-a0e4-67d46e241542", "target-uuid": "f4882e23-8aa7-4b12-b28a-b349c12ee9e0" }, "uuid": "7f78df2e-e6e9-43f1-815b-58e4a10fc594", "value": "APT29 uses PowerShell" }, { "meta": { "source-uuid": "2fb26586-2b53-4b9a-ad4f-2b3bcb9a2421", "target-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2" }, "uuid": "8d4effdd-6d91-473d-aa81-d121f1c77881", "value": "SslMM uses Input Capture" }, { "meta": { "source-uuid": "03342581-f790-4f03-ba41-e82e67392e23", "target-uuid": "ffe742ed-9100-4686-9e00-c331da544787" }, "uuid": "a2423ac3-94b4-4936-962b-06562115cb70", "value": "Net uses Windows Admin Shares" }, { "meta": { "source-uuid": "c0c45d38-fe57-4cd4-b2b2-9ecd0ddd4ca9", "target-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc" }, "uuid": "aeaa2f37-4014-4313-9fe2-8616b352a90c", "value": "TinyZBot uses Registry Run Keys / Start Folder" }, { "meta": { "source-uuid": "53cf6cc4-65aa-445a-bcf8-c3d296f8a7a2", "target-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc" }, "uuid": "617fe29d-ac48-4cd0-ae8c-19cf7cfdbedd", "value": "NETEAGLE uses Registry Run Keys / Start Folder" }, { "meta": { "source-uuid": "4ca1929c-7d64-4aab-b849-badbfc0c760d", "target-uuid": "eff1a885-6f90-42a1-901f-eef6e7a1905e" }, "uuid": "ae1de9c5-6bc0-459a-b4ca-568139a5ee41", "value": "OilRig uses Helminth" }, { "meta": { "source-uuid": "a60657fa-e2e7-4f8f-8128-a882534ae8c5", "target-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2" }, "uuid": 
"33caa1a2-8465-47b9-89c4-94f4e9a899c7", "value": "OwaAuth uses Input Capture" }, { "meta": { "source-uuid": "60c18d06-7b91-4742-bae3-647845cd9d81", "target-uuid": "cc7b8c4e-9be0-47ca-b0bb-83915ec3ee2f" }, "uuid": "35d35ecf-1326-4690-b105-23280e29c120", "value": "CORESHELL uses Data Encoding" }, { "meta": { "source-uuid": "2a7914cf-dff3-428d-ab0f-1014d1c28aeb", "target-uuid": "e358d692-23c0-4a31-9eb6-ecc13a8d7735" }, "uuid": "ade72dc6-559e-4a84-9024-1a862faec6a0", "value": "FIN6 uses Remote System Discovery" }, { "meta": { "source-uuid": "fb261c56-b80e-43a9-8351-c84081e7213d", "target-uuid": "731f4f55-b6d0-41d1-a7a9-072a66389aea" }, "uuid": "7cbedb9a-666f-47eb-b70e-905bcf80940a", "value": "BACKSPACE uses Connection Proxy" }, { "meta": { "source-uuid": "e8d22ec6-2236-48de-954b-974d17492782", "target-uuid": "dd43c543-bb85-4a6f-aa6e-160d90d06a49" }, "uuid": "196a2d37-4b87-465d-8d92-2e614cda869c", "value": "Two-Factor Authentication Interception Mitigation mitigates Two-Factor Authentication Interception" }, { "meta": { "source-uuid": "92ec0cbd-2c30-44a2-b270-73f4ec949841", "target-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104" }, "uuid": "aad1cfa0-0df0-4768-87c2-5e59da2c5e44", "value": "RTM uses System Owner/User Discovery" }, { "meta": { "source-uuid": "dfb5fa9b-3051-4b97-8035-08f80aef945b", "target-uuid": "128c55d3-aeba-469f-bd3e-c8996ab4112a" }, "uuid": "d8a7ec97-b262-489d-bc4b-e2c7007f75bc", "value": "Psylo uses Timestomp" }, { "meta": { "source-uuid": "c93fccb1-e8e8-42cf-ae33-2ad1d183913a", "target-uuid": "4b74a1d4-b0e9-4ef1-93f1-14ecc6e2f5b5" }, "uuid": "4c06e313-2cde-494c-a8dc-449649a1afa6", "value": "Lazarus Group uses Standard Cryptographic Protocol" }, { "meta": { "source-uuid": "fe98767f-9df8-42b9-83c9-004b1dec8647", "target-uuid": "b07c2c47-fefb-4d7c-a69e-6a3296171f54" }, "uuid": "7ed93170-2dba-4e59-b0f0-7c716c73bdc0", "value": "PittyTiger uses gsecdump" }, { "meta": { "source-uuid": "c93fccb1-e8e8-42cf-ae33-2ad1d183913a", "target-uuid": 
"d54416bd-0803-41ca-870a-ce1af7c05638" }, "uuid": "552ac18c-4fac-4cb0-aefc-811a10e1c320", "value": "Lazarus Group uses Data Encrypted" }, { "meta": { "source-uuid": "6b616fc1-1505-48e3-8b2c-0d19337bff38", "target-uuid": "30208d3e-0d6b-43c8-883e-44462a514619" }, "uuid": "121a09bd-f603-4476-a149-a3cba52f268c", "value": "Rover uses Automated Collection" }, { "meta": { "source-uuid": "6b62e336-176f-417b-856a-8552dd8c44e1", "target-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6" }, "uuid": "062b1f19-2afb-4bdc-908e-99594ff114cf", "value": "Epic uses Standard Application Layer Protocol" }, { "meta": { "source-uuid": "68ba94ab-78b8-43e7-83e2-aed3466882c6", "target-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688" }, "uuid": "11ebf3ff-b184-4010-b238-951e041370db", "value": "APT34 uses Screen Capture" }, { "meta": { "source-uuid": "54cc1d4f-5c53-4f0e-9ef5-11b4998e82e4", "target-uuid": "7bc57495-ea59-4380-be31-a64af124ef18" }, "uuid": "37f94533-8fbe-48d2-bf4f-f825ad75ff98", "value": "BlackEnergy uses File and Directory Discovery" }, { "meta": { "source-uuid": "92ec0cbd-2c30-44a2-b270-73f4ec949841", "target-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4" }, "uuid": "94b4de9a-1f83-4923-8d4b-e9bafdb1bef9", "value": "RTM uses Modify Registry" }, { "meta": { "source-uuid": "fb575479-14ef-41e9-bfab-0b7cf10bec73", "target-uuid": "cc7b8c4e-9be0-47ca-b0bb-83915ec3ee2f" }, "uuid": "103f1ad4-feec-4be3-9da7-ee0b2503c318", "value": "ADVSTORESHELL uses Data Encoding" }, { "meta": { "source-uuid": "e9595678-d269-469e-ae6b-75e49259de63", "target-uuid": "b2001907-166b-4d71-bb3c-9d26c871de09" }, "uuid": "283e242a-72d4-4b40-8905-888595c34919", "value": "BADNEWS uses DLL Side-Loading" }, { "meta": { "source-uuid": "979e6485-7a2f-42bd-ae96-4e622c3cd173", "target-uuid": "54a649ff-439a-41a4-9856-8d144a2551ba" }, "uuid": "2c0fe330-edcf-4519-a577-c3c9b086d60a", "value": "Remote Services Mitigation mitigates Remote Services" }, { "meta": { "source-uuid": "2eb9b131-d333-4a48-9eb4-d8dec46c19ee", "target-uuid": 
"478aa214-2ca7-4ec0-9978-18798e514790" }, "uuid": "17629f20-194c-48cb-aa1c-b3da2b6f06ba", "value": "CosmicDuke uses New Service" }, { "meta": { "source-uuid": "222fbd21-fc4f-4b7e-9f85-0e6e3a76c33f", "target-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0" }, "uuid": "4cc8afb8-86ab-4537-926f-3178975a7886", "value": "menuPass uses System Network Configuration Discovery" }, { "meta": { "source-uuid": "34d6a2ef-370e-4d21-a34b-6208b7c78f31", "target-uuid": "c1a452f3-6499-4c12-b7e9-a6a0a102af76" }, "uuid": "fcf18dc5-8ac0-4ae7-84b9-c47ebd468022", "value": "Process Doppelg\u00e4nging Mitigation mitigates Process Doppelg\u00e4nging" }, { "meta": { "source-uuid": "7343e208-7cab-45f2-a47b-41ba5e2f0fab", "target-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830" }, "uuid": "3264e1db-0f54-4049-a45c-3a03a24709aa", "value": "XTunnel uses Command-Line Interface" }, { "meta": { "source-uuid": "083bb47b-02c8-4423-81a2-f9ef58572974", "target-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104" }, "uuid": "d2d9a619-4379-4e15-9115-40ca9209f316", "value": "Backdoor.Oldrea uses System Owner/User Discovery" }, { "meta": { "source-uuid": "9ea525fa-b0a9-4dde-84f2-bcea0137b3c1", "target-uuid": "c21d5a77-d422-4a69-acd7-2c53c1faa34b" }, "uuid": "51c5e624-d08e-4750-91f9-fdc98ec56552", "value": "MoonWind uses Standard Non-Application Layer Protocol" }, { "meta": { "source-uuid": "388606d3-f38f-45bf-885d-a9dc9df3c8a8", "target-uuid": "2e0dd10b-676d-4964-acd0-8a404c92b044" }, "uuid": "b35a5218-e64d-49b5-a37d-6390edddece6", "value": "Disabling Security Tools Mitigation mitigates Disabling Security Tools" }, { "meta": { "source-uuid": "2a7914cf-dff3-428d-ab0f-1014d1c28aeb", "target-uuid": "4b74a1d4-b0e9-4ef1-93f1-14ecc6e2f5b5" }, "uuid": "de840f88-b9d0-4f7e-b5c0-b666faa2d92f", "value": "FIN6 uses Standard Cryptographic Protocol" }, { "meta": { "source-uuid": "b6b3dfc7-9a81-43ff-ac04-698bad48973a", "target-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830" }, "uuid": "03c08ef9-80c7-4f20-b197-ad44f702f2e0", "value": 
"Daserf uses Command-Line Interface" }, { "meta": { "source-uuid": "64d76fa5-cf8f-469c-b78c-1a4f7c5bad80", "target-uuid": "3b3cbbe0-6ed3-4334-b543-3ddfd8c5642d" }, "uuid": "805f7ba3-a904-410c-b9fd-20356c595b19", "value": "BBSRAT uses Custom Cryptographic Protocol" }, { "meta": { "source-uuid": "4ca1929c-7d64-4aab-b849-badbfc0c760d", "target-uuid": "30208d3e-0d6b-43c8-883e-44462a514619" }, "uuid": "a24299ed-9735-453c-bd13-66269b2d5d16", "value": "OilRig uses Automated Collection" }, { "meta": { "source-uuid": "899ce53f-13a0-479b-a0e4-67d46e241542", "target-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc" }, "uuid": "343d285a-e910-487b-8e85-dc87cdb63be3", "value": "APT29 uses Registry Run Keys / Start Folder" }, { "meta": { "source-uuid": "68ba94ab-78b8-43e7-83e2-aed3466882c6", "target-uuid": "2e45723a-31da-4a7e-aaa6-e01998a6788f" }, "uuid": "5c38fba7-20c6-4872-ad05-21f0f77e0820", "value": "APT34 uses Tasklist" }, { "meta": { "source-uuid": "dcd81c6e-ebf7-4a16-93e0-9a97fa49c88a", "target-uuid": "f4882e23-8aa7-4b12-b28a-b349c12ee9e0" }, "uuid": "2f68f61d-07e1-4181-a26c-93433f9f0db7", "value": "CopyKittens uses PowerShell" }, { "meta": { "source-uuid": "bef4c620-0787-42a8-a96d-b7eb6e85917c", "target-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a" }, "uuid": "1b143de7-af2d-4991-9e2e-aa85a8d7d330", "value": "APT28 uses Obfuscated Files or Information" }, { "meta": { "source-uuid": "2eb9b131-d333-4a48-9eb4-d8dec46c19ee", "target-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688" }, "uuid": "7331b11d-1d5e-4275-ba7e-a83ec4a59259", "value": "CosmicDuke uses Screen Capture" }, { "meta": { "source-uuid": "93f52415-0fe4-4d3d-896c-fc9b8e88ab90", "target-uuid": "7fd87010-3a00-4da3-b905-410525e8ec44" }, "uuid": "d57dd9d9-d075-48c4-ae54-ed0aeae575de", "value": "BRONZE BUTLER uses Scripting" }, { "meta": { "source-uuid": "0b32ec39-ba61-4864-9ebe-b4b0b73caf9a", "target-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830" }, "uuid": "ce424541-5cfa-4885-ad62-f3f70fa27099", "value": "TDTESS uses 
Command-Line Interface" }, { "meta": { "source-uuid": "e9595678-d269-469e-ae6b-75e49259de63", "target-uuid": "7dd95ff6-712e-4056-9626-312ea4ab4c5e" }, "uuid": "db8f1355-57f0-446d-a261-b168497b20c6", "value": "BADNEWS uses Data Staged" }, { "meta": { "source-uuid": "64fa0de0-6240-41f4-8638-f4ca7ed528fd", "target-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6" }, "uuid": "6bf4098c-7667-44df-bdaa-076b9099f851", "value": "PlugX uses Standard Application Layer Protocol" }, { "meta": { "source-uuid": "9559ecaf-2e75-48a7-aee8-9974020bc772", "target-uuid": "85b39628-204a-48d2-b377-ec368cbcb7ca" }, "uuid": "13aa912e-bb51-4293-a971-9179442d516a", "value": "MONSOON uses TINYTYPHON" }, { "meta": { "source-uuid": "00d7d21b-69d6-4797-88a2-c86f3fc97651", "target-uuid": "b8c5c9dd-a662-479d-9428-ae745872537c" }, "uuid": "af088283-7416-466d-86f3-8b55e6d698d4", "value": "Password Filter DLL Mitigation mitigates Password Filter DLL" }, { "meta": { "source-uuid": "17b40f60-729f-4fe8-8aea-cc9ee44a95d5", "target-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1" }, "uuid": "a8f11c39-df96-451e-a93a-417512f82819", "value": "RedLeaves uses System Information Discovery" }, { "meta": { "source-uuid": "f6ae7a52-f3b6-4525-9daf-640c083f006e", "target-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830" }, "uuid": "ecb5e830-b678-47a6-98a2-d4dbe162f09e", "value": "PHOREAL uses Command-Line Interface" }, { "meta": { "source-uuid": "bcee7b05-89a6-41a5-b7aa-fce4da7ede9e", "target-uuid": "c23b740b-a42b-47a1-aec2-9d48ddd547ff" }, "uuid": "396287ea-36d9-4d84-bf22-af559eb20f58", "value": "Pass the Hash Mitigation mitigates Pass the Hash" }, { "meta": { "source-uuid": "2f1a9fd0-3b7c-4d77-a358-78db13adbe78", "target-uuid": "f879d51c-5476-431c-aedf-f14d207e4d1e" }, "uuid": "9f852541-3fc7-4036-9268-7bc6bfe94900", "value": "EvilGrab uses Commonly Used Port" }, { "meta": { "source-uuid": "a766ce73-5583-48f3-b7c0-0bb43c6ef8c7", "target-uuid": "4b74a1d4-b0e9-4ef1-93f1-14ecc6e2f5b5" }, "uuid": 
"32ba984e-dbe9-4a8a-a1b7-16ba560d31d5", "value": "Standard Cryptographic Protocol Mitigation mitigates Standard Cryptographic Protocol" }, { "meta": { "source-uuid": "d519164e-f5fa-4b8c-a1fb-cf0172ad0983", "target-uuid": "03342581-f790-4f03-ba41-e82e67392e23" }, "uuid": "489e5386-b177-455f-a8b3-d3c6e7afb9b1", "value": "Threat Group-1314 uses Net" }, { "meta": { "source-uuid": "37cc7eb6-12e3-467b-82e8-f20f2cc73c69", "target-uuid": "348f1eef-964b-4eb6-bb53-69b3dcb0c643" }, "uuid": "33e0178f-c9b2-43db-9e63-3e664ae6bef0", "value": "Prikormka uses Peripheral Device Discovery" }, { "meta": { "source-uuid": "4ca1929c-7d64-4aab-b849-badbfc0c760d", "target-uuid": "294e2560-bd48-44b2-9da2-833b5588ad11" }, "uuid": "72d6fe7e-ba33-4117-8153-64226f189ed2", "value": "OilRig uses ipconfig" }, { "meta": { "source-uuid": "37cc7eb6-12e3-467b-82e8-f20f2cc73c69", "target-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2" }, "uuid": "1879905d-a4f6-43a7-aafe-a7e436e5c559", "value": "Prikormka uses Input Capture" }, { "meta": { "source-uuid": "67e6d66b-1b82-4699-b47a-e2efb6268d14", "target-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830" }, "uuid": "0191f3d3-59d3-4fcc-bfff-5fbfa0675cfd", "value": "SeaDuke uses Command-Line Interface" }, { "meta": { "source-uuid": "f28a20fd-d173-4603-807e-2cb3f51bdf04", "target-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830" }, "uuid": "b1ee5cba-d4e0-4af0-aa5c-5faacfdb0dbc", "value": "Command-Line Interface Mitigation mitigates Command-Line Interface" }, { "meta": { "source-uuid": "6a0ef5d4-fc7c-4dda-85d7-592e4dbdc5d9", "target-uuid": "428ca9f8-0e33-442a-be87-f869cb4cf73e" }, "uuid": "10c33088-630e-456d-ad0f-8a63be4d3946", "value": "Sykipot uses Multilayer Encryption" }, { "meta": { "source-uuid": "59140a2e-d117-4206-9b2c-2a8662bd9d46", "target-uuid": "4b74a1d4-b0e9-4ef1-93f1-14ecc6e2f5b5" }, "uuid": "bdba5fef-c560-4b8a-9ce5-616395a73841", "value": "Taidoor uses Standard Cryptographic Protocol" }, { "meta": { "source-uuid": "6a2e693f-24e5-451a-9f88-b36a108e5662", 
"target-uuid": "9de2308e-7bed-43a3-8e58-f194b3586700" }, "uuid": "de979692-5ca5-4874-bfc8-91cea8697ef1", "value": "APT1 uses pwdump" }, { "meta": { "source-uuid": "fb575479-14ef-41e9-bfab-0b7cf10bec73", "target-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830" }, "uuid": "6f448f20-0349-4132-80ec-d46e94d52426", "value": "ADVSTORESHELL uses Command-Line Interface" }, { "meta": { "source-uuid": "899ce53f-13a0-479b-a0e4-67d46e241542", "target-uuid": "e906ae4d-1d3a-4675-be23-22f7311c0da4" }, "uuid": "337dc23f-d825-415d-886b-53c3457fbd56", "value": "APT29 uses Windows Management Instrumentation Event Subscription" }, { "meta": { "source-uuid": "5f9f7648-04ba-4a9f-bb4c-2a13e74572bd", "target-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6" }, "uuid": "50f39180-6e5a-476b-b18f-d4e09e83c9d9", "value": "Pteranodon uses Standard Application Layer Protocol" }, { "meta": { "source-uuid": "54cc1d4f-5c53-4f0e-9ef5-11b4998e82e4", "target-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0" }, "uuid": "de168dd4-3c59-4fa4-901a-911b1ee81a31", "value": "BlackEnergy uses System Network Configuration Discovery" }, { "meta": { "source-uuid": "7009ba4d-83d4-4851-9fbb-e09e28497765", "target-uuid": "b77cf5f3-6060-475d-bd60-40ccbf28fdc2" }, "uuid": "66a16f64-8c0d-4647-8589-83ea8ef4fbd3", "value": "Forced Authentication Mitigation mitigates Forced Authentication" }, { "meta": { "source-uuid": "17e919aa-4a49-445c-b103-dbb8df9e7351", "target-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc" }, "uuid": "afa1f53f-abd9-4e57-b4e1-4e161dd34e9b", "value": "POWERSOURCE uses Registry Run Keys / Start Folder" }, { "meta": { "source-uuid": "fb261c56-b80e-43a9-8351-c84081e7213d", "target-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4" }, "uuid": "2dec6ce1-e459-4266-86d5-f336ab056f17", "value": "BACKSPACE uses Modify Registry" }, { "meta": { "source-uuid": "8f5e8dc7-739d-4f5e-a8a1-a66e004d7063", "target-uuid": "fde50aaa-f5de-4cb8-989a-babb57d6a704" }, "uuid": "16fd44bf-405b-49c1-96d7-0cacb5d65e74", "value": "Cleaver uses Net 
Crawler" }, { "meta": { "source-uuid": "f9d6633a-55e6-4adc-9263-6ae080421a13", "target-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a" }, "uuid": "8087d99b-cc05-4e2a-abce-687eb726a9e7", "value": "Magic Hound uses Obfuscated Files or Information" }, { "meta": { "source-uuid": "8901ac23-6b50-410c-b0dd-d8174a86f9b3", "target-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add" }, "uuid": "3ded5760-4f2e-41f5-a2c5-f2b39eaf5733", "value": "Shamoon uses Remote File Copy" }, { "meta": { "source-uuid": "65341f30-bec6-4b1d-8abf-1a5620446c29", "target-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896" }, "uuid": "f44478f1-fdd7-4e84-8b96-60e6c6a10683", "value": "Reaver uses Query Registry" }, { "meta": { "source-uuid": "09b2cd76-c674-47cc-9f57-d2f2ad150a46", "target-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add" }, "uuid": "c4d77981-d2e4-4a12-8e52-5b7464cdc8fd", "value": "POWRUNER uses Remote File Copy" }, { "meta": { "source-uuid": "9ca488bd-9587-48ef-b923-1743523e63b2", "target-uuid": "4ae4f953-fe58-4cc8-a327-33257e30a830" }, "uuid": "b640dfee-9502-4ffb-92e4-f153f8726383", "value": "SOUNDBITE uses Application Window Discovery" }, { "meta": { "source-uuid": "2a6f4c7b-e690-4cc7-ab6b-1f821fb6b80b", "target-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add" }, "uuid": "25cb2c8f-79d2-4157-8329-fb86caaca0c3", "value": "LOWBALL uses Remote File Copy" }, { "meta": { "source-uuid": "687c23e4-4e25-4ee7-a870-c5e002511f54", "target-uuid": "3b744087-9945-4a6f-91e8-9dbceda417a4" }, "uuid": "3eb29574-145d-4d4a-b4c6-e94b8a79781e", "value": "DustySky uses Replication Through Removable Media" }, { "meta": { "source-uuid": "687c23e4-4e25-4ee7-a870-c5e002511f54", "target-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc" }, "uuid": "9a7ff784-436b-40c5-bfb0-25e02e1d9940", "value": "DustySky uses Registry Run Keys / Start Folder" }, { "meta": { "source-uuid": "82d8e990-c901-4aed-8596-cc002e7eb307", "target-uuid": "f3c544dc-673c-4ef3-accb-53229f1ae077" }, "uuid": "c593abb1-54ce-4196-a11f-f1dd65fed9aa", "value": "System 
Time Discovery Mitigation mitigates System Time Discovery" }, { "meta": { "source-uuid": "cb7bcf6f-085f-41db-81ee-4b68481661b5", "target-uuid": "92d7da27-2d91-488e-a00c-059dc162766d" }, "uuid": "dbb1d0eb-c7ee-4794-80d4-66e6281cbc63", "value": "CallMe uses Exfiltration Over Command and Control Channel" }, { "meta": { "source-uuid": "7343e208-7cab-45f2-a47b-41ba5e2f0fab", "target-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a" }, "uuid": "e8d2c3f1-7c86-438c-bead-6a86f9a36463", "value": "XTunnel uses Obfuscated Files or Information" }, { "meta": { "source-uuid": "09b2cd76-c674-47cc-9f57-d2f2ad150a46", "target-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6" }, "uuid": "14b70990-48b0-482b-bd5a-3a99d9d9a653", "value": "POWRUNER uses Standard Application Layer Protocol" }, { "meta": { "source-uuid": "166c0eca-02fd-424a-92c0-6b5106994d31", "target-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0" }, "uuid": "fb9cf04b-ad28-472a-9ee3-a2e744e0e122", "value": "ZLib uses Masquerading" }, { "meta": { "source-uuid": "7bec698a-7e20-4fd3-bb6a-12787770fb1a", "target-uuid": "128c55d3-aeba-469f-bd3e-c8996ab4112a" }, "uuid": "d43315b0-d708-4197-b3ed-0a0b1199e434", "value": "3PARA RAT uses Timestomp" }, { "meta": { "source-uuid": "a19c49aa-36fe-4c05-b817-23e1c7a7d085", "target-uuid": "92a78814-b191-47ca-909c-1ccfe3777414" }, "uuid": "82268341-e0a8-4937-8618-351e147daa0c", "value": "Wiper uses Third-party Software" }, { "meta": { "source-uuid": "64fa0de0-6240-41f4-8638-f4ca7ed528fd", "target-uuid": "c21d5a77-d422-4a69-acd7-2c53c1faa34b" }, "uuid": "2eaea386-ee0f-42c4-bca1-ce2d22062f98", "value": "PlugX uses Standard Non-Application Layer Protocol" }, { "meta": { "source-uuid": "68ba94ab-78b8-43e7-83e2-aed3466882c6", "target-uuid": "0a68f1f1-da74-4d28-8d9a-696c082706cc" }, "uuid": "eb9366d5-2bd1-4d0b-8f55-2305827c20d1", "value": "APT34 uses certutil" }, { "meta": { "source-uuid": "c93fccb1-e8e8-42cf-ae33-2ad1d183913a", "target-uuid": "b9f5dbe2-4c55-4fc5-af2e-d42c1d182ec4" }, "uuid": 
"8c58cfe5-0b71-434c-939a-329b612d2337", "value": "Lazarus Group uses Data Compressed" }, { "meta": { "source-uuid": "af2ad3b7-ab6a-4807-91fd-51bcaff9acbb", "target-uuid": "128c55d3-aeba-469f-bd3e-c8996ab4112a" }, "uuid": "553dbb57-1174-494c-9cfd-dbc83ecc74f6", "value": "USBStealer uses Timestomp" }, { "meta": { "source-uuid": "5f9f7648-04ba-4a9f-bb4c-2a13e74572bd", "target-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688" }, "uuid": "0471088d-7b45-4fec-8946-ae5bf463286b", "value": "Pteranodon uses Screen Capture" }, { "meta": { "source-uuid": "2a158b0a-7ef8-43cb-9985-bf34d1e12050", "target-uuid": "5a63f900-5e7e-4928-a746-dd4558e1df71" }, "uuid": "437dd20a-234f-430b-b9ee-4524e1e12aa9", "value": "Naikon uses netsh" }, { "meta": { "source-uuid": "8901ac23-6b50-410c-b0dd-d8174a86f9b3", "target-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59" }, "uuid": "86c9bd0f-4251-4103-9be5-65079750c495", "value": "Shamoon uses File Deletion" }, { "meta": { "source-uuid": "80c91478-ac87-434f-bee7-11f37aec4d74", "target-uuid": "edbe24e9-aec4-4994-ac75-6a6bc7f1ddd0" }, "uuid": "8467ea5f-cb0d-4eb6-b524-8bfd01e58721", "value": "Dynamic Data Exchange Mitigation mitigates Dynamic Data Exchange" }, { "meta": { "source-uuid": "37cc7eb6-12e3-467b-82e8-f20f2cc73c69", "target-uuid": "241814ae-de3f-4656-b49e-f9a80764d4b7" }, "uuid": "98b7d901-4ede-451f-bab8-3b2b37c56bfd", "value": "Prikormka uses Security Software Discovery" }, { "meta": { "source-uuid": "cbf646f1-7db5-4dc6-808b-0094313949df", "target-uuid": "830c9528-df21-472c-8c14-a036bf17d665" }, "uuid": "5ebd97d4-1979-40b2-b38b-b6ed44a2f32f", "value": "CloudDuke uses Web Service" }, { "meta": { "source-uuid": "fae44eea-caa7-42b7-a2e2-0c815ba81b9a", "target-uuid": "04ee0cb7-dac3-4c6c-9387-4c6aa096f4cf" }, "uuid": "edb697fa-d6b2-400a-acad-ccacc38c87c0", "value": "Hidden Window Mitigation mitigates Hidden Window" }, { "meta": { "source-uuid": "4ca1929c-7d64-4aab-b849-badbfc0c760d", "target-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6" }, "uuid": 
"166326b3-6864-4667-aee9-4d7b24cc75d8", "value": "OilRig uses Standard Application Layer Protocol" }, { "meta": { "source-uuid": "67e6d66b-1b82-4699-b47a-e2efb6268d14", "target-uuid": "e906ae4d-1d3a-4675-be23-22f7311c0da4" }, "uuid": "f653eb7d-7027-4161-9071-b52336bd4fbc", "value": "SeaDuke uses Windows Management Instrumentation Event Subscription" }, { "meta": { "source-uuid": "dc5d1a33-62aa-4a0c-aa8c-589b87beb11e", "target-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0" }, "uuid": "e68684df-28b4-4f06-b553-cacf14866605", "value": "ChChes uses Masquerading" }, { "meta": { "source-uuid": "9ea525fa-b0a9-4dde-84f2-bcea0137b3c1", "target-uuid": "f3c544dc-673c-4ef3-accb-53229f1ae077" }, "uuid": "77c63e89-71fe-47e3-babb-13e7722932ad", "value": "MoonWind uses System Time Discovery" }, { "meta": { "source-uuid": "66b1dcde-17a0-4c7b-95fa-b08d430c2131", "target-uuid": "72b74d71-8169-42aa-92e0-e7b04b9f5a08" }, "uuid": "fb0aef48-57f5-4331-acdd-25fdfdf1babb", "value": "S-Type uses Account Discovery" }, { "meta": { "source-uuid": "96b08451-b27a-4ff6-893f-790e26393a8e", "target-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a" }, "uuid": "266a5edd-1425-4ab1-88bf-a0d7897699eb", "value": "Sakula uses Obfuscated Files or Information" }, { "meta": { "source-uuid": "0bbdf25b-30ff-4894-a1cd-49260d0dd2d9", "target-uuid": "7dd95ff6-712e-4056-9626-312ea4ab4c5e" }, "uuid": "87ddc052-0933-4722-9fb2-4653c4a3663c", "value": "APT3 uses Data Staged" }, { "meta": { "source-uuid": "222fbd21-fc4f-4b7e-9f85-0e6e3a76c33f", "target-uuid": "731f4f55-b6d0-41d1-a7a9-072a66389aea" }, "uuid": "3a2d591a-f918-44b3-9e75-7520906b9aa3", "value": "menuPass uses Connection Proxy" }, { "meta": { "source-uuid": "e1161124-f22e-487f-9d5f-ed8efc8dcd61", "target-uuid": "e01be9c5-e763-4caf-aeb7-000b416aef67" }, "uuid": "7e55e411-230e-4d1a-a780-d07784ed2cd6", "value": "Mis-Type uses Create Account" }, { "meta": { "source-uuid": "94379dec-5c87-49db-b36e-66abc0b81344", "target-uuid": "68f7e3a1-f09f-4164-9a62-16b648a0dd5a" }, 
"uuid": "4f3473a4-f5f5-43d8-a4ec-589763695942", "value": "Derusbi uses Regsvr32" }, { "meta": { "source-uuid": "68ba94ab-78b8-43e7-83e2-aed3466882c6", "target-uuid": "51dea151-0898-4a45-967c-3ebee0420484" }, "uuid": "02b9b0b1-5e7d-42dd-ae8c-68d126a8c3cd", "value": "APT34 uses Remote Desktop Protocol" }, { "meta": { "source-uuid": "6a0ef5d4-fc7c-4dda-85d7-592e4dbdc5d9", "target-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0" }, "uuid": "9b203f00-34db-475f-a28b-f5088d937f4e", "value": "Sykipot uses System Network Configuration Discovery" }, { "meta": { "source-uuid": "64fa0de0-6240-41f4-8638-f4ca7ed528fd", "target-uuid": "f879d51c-5476-431c-aedf-f14d207e4d1e" }, "uuid": "c35702f8-f13f-4851-9cfc-1eea526bd6e1", "value": "PlugX uses Commonly Used Port" }, { "meta": { "source-uuid": "e9595678-d269-469e-ae6b-75e49259de63", "target-uuid": "348f1eef-964b-4eb6-bb53-69b3dcb0c643" }, "uuid": "f9c7d0e1-135f-4e21-8251-3049bc24c18d", "value": "BADNEWS uses Peripheral Device Discovery" }, { "meta": { "source-uuid": "69d6f4a9-fcf0-4f51-bca7-597c51ad0bb8", "target-uuid": "1b7ba276-eedc-4951-a762-0ceea2c030ec" }, "uuid": "8e7ff07b-7a32-4ced-ac22-b523586dbde3", "value": "Remsec uses Data from Removable Media" }, { "meta": { "source-uuid": "fb261c56-b80e-43a9-8351-c84081e7213d", "target-uuid": "ad255bfe-a9e6-4b52-a258-8d3462abe842" }, "uuid": "6c0aae73-fe06-4aa3-8216-568d78747c6d", "value": "BACKSPACE uses Data Obfuscation" }, { "meta": { "source-uuid": "2daa14d6-cbf3-4308-bb8e-213c324a08e4", "target-uuid": "ad255bfe-a9e6-4b52-a258-8d3462abe842" }, "uuid": "34c4b497-00e3-415c-8e09-3b73667d9bbe", "value": "HAMMERTOSS uses Data Obfuscation" }, { "meta": { "source-uuid": "876f6a77-fbc5-4e13-ab1a-5611986730a3", "target-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688" }, "uuid": "dd89d8a2-257a-47f9-8b55-8011ca53007b", "value": "T9000 uses Screen Capture" }, { "meta": { "source-uuid": "e066bf86-9cfb-407a-9d25-26fd5d91e360", "target-uuid": "46944654-fcc1-4f63-9dad-628102376586" }, "uuid": 
"1762fe5a-0810-4179-bfb0-16d965ffe055", "value": "HTTPBrowser uses DLL Search Order Hijacking" }, { "meta": { "source-uuid": "7bec698a-7e20-4fd3-bb6a-12787770fb1a", "target-uuid": "3b3cbbe0-6ed3-4334-b543-3ddfd8c5642d" }, "uuid": "4a70e764-5c19-4c8e-97e4-486af893cbfc", "value": "3PARA RAT uses Custom Cryptographic Protocol" }, { "meta": { "source-uuid": "94379dec-5c87-49db-b36e-66abc0b81344", "target-uuid": "f879d51c-5476-431c-aedf-f14d207e4d1e" }, "uuid": "bd315928-0b74-491c-b526-ee5e1841842b", "value": "Derusbi uses Commonly Used Port" }, { "meta": { "source-uuid": "9e9b9415-a7df-406b-b14d-92bfe6809fbe", "target-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add" }, "uuid": "438cae9c-cb03-4db9-ae59-24ed27147725", "value": "Nidiran uses Remote File Copy" }, { "meta": { "source-uuid": "64fa0de0-6240-41f4-8638-f4ca7ed528fd", "target-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0" }, "uuid": "0d989c2e-0207-4412-b52a-5d9bf9f96d18", "value": "PlugX uses Masquerading" }, { "meta": { "source-uuid": "dc5d1a33-62aa-4a0c-aa8c-589b87beb11e", "target-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22" }, "uuid": "9bc7f2ff-7ba1-42f4-9e96-2112e99ab12a", "value": "ChChes uses Credential Dumping" }, { "meta": { "source-uuid": "0ced8926-914e-4c78-bc93-356fb90dbd1f", "target-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1" }, "uuid": "d6154157-fe69-4da3-8cc3-790eecf33f8c", "value": "HALFBAKED uses System Information Discovery" }, { "meta": { "source-uuid": "aafea02e-ece5-4bb2-91a6-3bf8c7f38a39", "target-uuid": "772bc7a8-a157-42cc-8728-d648e25c7fe7" }, "uuid": "2b469307-a635-4392-a18f-ed1f24b3a684", "value": "Cobalt Strike uses Distributed Component Object Model" }, { "meta": { "source-uuid": "68dca94f-c11d-421e-9287-7c501108e18c", "target-uuid": "7dd95ff6-712e-4056-9626-312ea4ab4c5e" }, "uuid": "611cb6eb-efdb-4d74-b354-5064ab52bd34", "value": "Duqu uses Data Staged" }, { "meta": { "source-uuid": "03c0c586-50ed-45a7-95f4-f496d7eb5330", "target-uuid": "086952c4-5b90-4185-b573-02bad8e11953" }, "uuid": 
"94db2b6e-c01c-4aec-9229-4a6dcda3c6ee", "value": "HISTCONTROL Mitigation mitigates HISTCONTROL" }, { "meta": { "source-uuid": "102c3898-85e0-43ee-ae28-62a0a3ed9507", "target-uuid": "ca1a3f50-5ebd-41f8-8320-2c7d6a6e88be" }, "uuid": "ecd83e69-2eb1-4c2d-a01f-e42ea8f807f9", "value": "UACMe uses Bypass User Account Control" }, { "meta": { "source-uuid": "eff1a885-6f90-42a1-901f-eef6e7a1905e", "target-uuid": "cc7b8c4e-9be0-47ca-b0bb-83915ec3ee2f" }, "uuid": "e68ff1c2-ef03-486b-96df-167a1652a97b", "value": "Helminth uses Data Encoding" }, { "meta": { "source-uuid": "dcd81c6e-ebf7-4a16-93e0-9a97fa49c88a", "target-uuid": "d54416bd-0803-41ca-870a-ce1af7c05638" }, "uuid": "292b2a10-ebee-4fbb-b359-2eee16aa46ba", "value": "CopyKittens uses Data Encrypted" }, { "meta": { "source-uuid": "aafea02e-ece5-4bb2-91a6-3bf8c7f38a39", "target-uuid": "54a649ff-439a-41a4-9856-8d144a2551ba" }, "uuid": "66eb9cc1-4eb4-4b84-8140-bd48da33e93d", "value": "Cobalt Strike uses Remote Services" }, { "meta": { "source-uuid": "5cbe0d3b-6fb1-471f-b591-4b192915116d", "target-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81" }, "uuid": "82b679af-7408-4f41-8fc0-5b0cf5993726", "value": "Suckfly uses Valid Accounts" }, { "meta": { "source-uuid": "222fbd21-fc4f-4b7e-9f85-0e6e3a76c33f", "target-uuid": "7dd95ff6-712e-4056-9626-312ea4ab4c5e" }, "uuid": "bbd29878-c16a-45ee-9785-78550f080d83", "value": "menuPass uses Data Staged" }, { "meta": { "source-uuid": "af2ad3b7-ab6a-4807-91fd-51bcaff9acbb", "target-uuid": "3b744087-9945-4a6f-91e8-9dbceda417a4" }, "uuid": "e3e841fa-b806-4c22-9f98-a97950b68931", "value": "USBStealer uses Replication Through Removable Media" }, { "meta": { "source-uuid": "68ba94ab-78b8-43e7-83e2-aed3466882c6", "target-uuid": "4664b683-f578-434f-919b-1c1aad2a1111" }, "uuid": "1fe875f1-89b6-447b-9d96-63c0cebecb9b", "value": "APT34 uses netstat" }, { "meta": { "source-uuid": "6a2e693f-24e5-451a-9f88-b36a108e5662", "target-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5" }, "uuid": 
"38a72b32-dc04-493d-8b92-31174c32f3ed", "value": "APT1 uses Data from Local System" }, { "meta": { "source-uuid": "76abb3ef-dafd-4762-97cb-a35379429db4", "target-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d" }, "uuid": "86ebda8c-df0c-4d76-970b-27bf392606a7", "value": "Gazer uses Process Injection" }, { "meta": { "source-uuid": "d3afa961-a80c-4043-9509-282cdf69ab21", "target-uuid": "62b8c999-dcc0-4755-bd69-09442d9359f5" }, "uuid": "6b11697f-be6c-4cd7-b445-4d277a8d7346", "value": "Winnti uses Rundll32" }, { "meta": { "source-uuid": "0db09158-6e48-4e7c-8ce7-2b10b9c0c039", "target-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59" }, "uuid": "70a1cab8-dd98-4b82-9f7f-36294e3889c0", "value": "Misdat uses File Deletion" }, { "meta": { "source-uuid": "fb575479-14ef-41e9-bfab-0b7cf10bec73", "target-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1" }, "uuid": "090a553a-b863-4214-aa3b-cf8ea7ba2d68", "value": "ADVSTORESHELL uses System Information Discovery" }, { "meta": { "source-uuid": "1cc934e4-b01d-4543-a011-b988dfc1a458", "target-uuid": "62b8c999-dcc0-4755-bd69-09442d9359f5" }, "uuid": "cd70a632-a961-4adb-aea9-9995ef8e2b54", "value": "Matroyshka uses Rundll32" }, { "meta": { "source-uuid": "8901ac23-6b50-410c-b0dd-d8174a86f9b3", "target-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1" }, "uuid": "272068a3-47e3-42d6-8772-71d39c1976c3", "value": "Shamoon uses System Information Discovery" }, { "meta": { "source-uuid": "bef4c620-0787-42a8-a96d-b7eb6e85917c", "target-uuid": "f108215f-3487-489d-be8b-80e346d32518" }, "uuid": "63841959-afe2-4cb0-a93e-d407eb1b8d66", "value": "APT28 uses Komplex" }, { "meta": { "source-uuid": "93f52415-0fe4-4d3d-896c-fc9b8e88ab90", "target-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add" }, "uuid": "d7c5e4f4-cede-4a81-b46f-035b9e702e61", "value": "BRONZE BUTLER uses Remote File Copy" }, { "meta": { "source-uuid": "7a19ecb1-3c65-4de3-a230-993516aed6a6", "target-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580" }, "uuid": "9dfb7899-20af-4eea-bfca-f608d885cb00", 
"value": "Turla uses Process Discovery" }, { "meta": { "source-uuid": "0bbdf25b-30ff-4894-a1cd-49260d0dd2d9", "target-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22" }, "uuid": "c948f964-e26c-4226-9577-7b78b5bf271f", "value": "APT3 uses Credential Dumping" }, { "meta": { "source-uuid": "fb366179-766c-4a4a-afa1-52bff1fd601c", "target-uuid": "e7eab98d-ae11-4491-bd28-a53ba875865a" }, "uuid": "dc7cb17d-c3d3-4c3c-b79e-499cede49baa", "value": "Threat Group-3390 uses Network Share Connection Removal" }, { "meta": { "source-uuid": "1c63d4ec-0a75-4daa-b1df-0d11af3d3cc1", "target-uuid": "c16e5409-ee53-4d79-afdc-4099dc9292df" }, "uuid": "2fbcd38e-0ec9-4f2d-823b-3654f108f3a3", "value": "Dragonfly uses Web Shell" }, { "meta": { "source-uuid": "4b998a71-7b8f-4dcc-8f3f-277f2e740271", "target-uuid": "00d0b012-8a03-410e-95de-5826bf542de6" }, "uuid": "5978c8e0-8b60-4ad5-8fc9-9fa1ee4d7387", "value": "Indicator Removal from Tools Mitigation mitigates Indicator Removal from Tools" }, { "meta": { "source-uuid": "894aab42-3371-47b1-8859-a4a074c804c8", "target-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104" }, "uuid": "8ebab956-4440-4fd7-96ff-8da29e0f0b46", "value": "Stealth Falcon uses System Owner/User Discovery" }, { "meta": { "source-uuid": "53cf6cc4-65aa-445a-bcf8-c3d296f8a7a2", "target-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830" }, "uuid": "84fcda4b-e58e-4ecd-8366-77d464e043ee", "value": "NETEAGLE uses Command-Line Interface" }, { "meta": { "source-uuid": "ab3580c8-8435-4117-aace-3d9fbe46aa56", "target-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add" }, "uuid": "321544e0-902c-443e-adf9-d7e78f0e4d13", "value": "Unknown Logger uses Remote File Copy" }, { "meta": { "source-uuid": "2a6f4c7b-e690-4cc7-ab6b-1f821fb6b80b", "target-uuid": "830c9528-df21-472c-8c14-a036bf17d665" }, "uuid": "8c9f23e6-2665-45b3-9c28-53a9335b16ce", "value": "LOWBALL uses Web Service" }, { "meta": { "source-uuid": "69d6f4a9-fcf0-4f51-bca7-597c51ad0bb8", "target-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9" }, "uuid": 
"b2cf6651-3f2c-4522-9360-dbc5c7af43c5", "value": "Remsec uses Scheduled Task" }, { "meta": { "source-uuid": "69d6f4a9-fcf0-4f51-bca7-597c51ad0bb8", "target-uuid": "a19e86f8-1c0a-4fea-8407-23b73d615776" }, "uuid": "1ce50a6a-5f0b-40ca-9a71-41369ae3fdcd", "value": "Remsec uses Exfiltration Over Alternative Protocol" }, { "meta": { "source-uuid": "93f52415-0fe4-4d3d-896c-fc9b8e88ab90", "target-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688" }, "uuid": "2d840d1b-28d7-4387-86fd-6d3df8650171", "value": "BRONZE BUTLER uses Screen Capture" }, { "meta": { "source-uuid": "54cc1d4f-5c53-4f0e-9ef5-11b4998e82e4", "target-uuid": "ca1a3f50-5ebd-41f8-8320-2c7d6a6e88be" }, "uuid": "054a22c3-f0ee-476a-b0cb-e3277c755032", "value": "BlackEnergy uses Bypass User Account Control" }, { "meta": { "source-uuid": "64d76fa5-cf8f-469c-b78c-1a4f7c5bad80", "target-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6" }, "uuid": "7fd6c479-00ae-478d-a29b-fc40619eea97", "value": "BBSRAT uses Standard Application Layer Protocol" }, { "meta": { "source-uuid": "cafd0bf8-2b9c-46c7-ae3c-3e0f42c5062e", "target-uuid": "4ae4f953-fe58-4cc8-a327-33257e30a830" }, "uuid": "10c6cc56-a028-4c2a-b24e-38d97fb4ebb7", "value": "NetTraveler uses Application Window Discovery" }, { "meta": { "source-uuid": "8f5e8dc7-739d-4f5e-a8a1-a66e004d7063", "target-uuid": "ff6caf67-ea1f-4895-b80e-4bb0fc31c6db" }, "uuid": "3cd8ef78-9d92-4e28-97ae-5bd6c698bfec", "value": "Cleaver uses PsExec" }, { "meta": { "source-uuid": "60c18d06-7b91-4742-bae3-647845cd9d81", "target-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a" }, "uuid": "e6f5bde4-869f-4c9a-9414-11ea48386204", "value": "CORESHELL uses Obfuscated Files or Information" }, { "meta": { "source-uuid": "fbe9387f-34e6-4828-ac28-3080020c597b", "target-uuid": "51dea151-0898-4a45-967c-3ebee0420484" }, "uuid": "a48e7d01-012a-4336-9676-0f34e8501e22", "value": "FIN10 uses Remote Desktop Protocol" }, { "meta": { "source-uuid": "bb3c1098-d654-4620-bf40-694386d28921", "target-uuid": 
"bb5a00de-e086-4859-a231-fa793f6797e2" }, "uuid": "bfd49393-75b6-4e67-af74-4bf3c87624b0", "value": "FakeM uses Input Capture" }, { "meta": { "source-uuid": "a1dd2dbd-1550-44bf-abcc-1a4c52e97719", "target-uuid": "0dbf5f1b-a560-4d51-ac1b-d70caab3e1f0" }, "uuid": "aef7fe44-f381-41d5-88af-f04135e3aeab", "value": "Responder uses LLMNR/NBT-NS Poisoning" }, { "meta": { "source-uuid": "9559ecaf-2e75-48a7-aee8-9974020bc772", "target-uuid": "e9595678-d269-469e-ae6b-75e49259de63" }, "uuid": "238a7a2c-34db-4f43-a94b-4a6ad225129d", "value": "MONSOON uses BADNEWS" }, { "meta": { "source-uuid": "6a0ef5d4-fc7c-4dda-85d7-592e4dbdc5d9", "target-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580" }, "uuid": "4438ba64-0cd2-46e9-8a67-c685bf9b404c", "value": "Sykipot uses Process Discovery" }, { "meta": { "source-uuid": "0ea72cd5-ca30-46ba-bc04-378f701c658f", "target-uuid": "54a649ff-439a-41a4-9856-8d144a2551ba" }, "uuid": "7db7f665-6e29-4789-8a3d-d6cb8d0af31e", "value": "GCMAN uses Remote Services" }, { "meta": { "source-uuid": "0998045d-f96e-4284-95ce-3c8219707486", "target-uuid": "128c55d3-aeba-469f-bd3e-c8996ab4112a" }, "uuid": "6d562520-86bb-4251-9431-a4958bec097c", "value": "SEASHARPEE uses Timestomp" }, { "meta": { "source-uuid": "1c63d4ec-0a75-4daa-b1df-0d11af3d3cc1", "target-uuid": "799ace7f-e227-4411-baa0-8868704f2a69" }, "uuid": "596c4579-14ea-4c1f-9503-cf47693f18a8", "value": "Dragonfly uses Indicator Removal on Host" }, { "meta": { "source-uuid": "fece06b7-d4b1-42cf-b81a-5323c917546e", "target-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59" }, "uuid": "3b32f3be-5bdd-4de8-9e39-83b0b8c1e70f", "value": "FALLCHILL uses File Deletion" }, { "meta": { "source-uuid": "96b08451-b27a-4ff6-893f-790e26393a8e", "target-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc" }, "uuid": "384c75e4-04e7-4ff8-9da6-0c8a03cb7a61", "value": "Sakula uses Registry Run Keys / Start Folder" }, { "meta": { "source-uuid": "92ec0cbd-2c30-44a2-b270-73f4ec949841", "target-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688" }, 
"uuid": "f6d23c00-158e-4e39-bf9b-f18344cd0151", "value": "RTM uses Screen Capture" }, { "meta": { "source-uuid": "d75a3d1b-b536-4f15-a23c-f4bcc17837b8", "target-uuid": "731f4f55-b6d0-41d1-a7a9-072a66389aea" }, "uuid": "eede138c-9745-453c-a8b5-684b696c2ad0", "value": "Connection Proxy Mitigation mitigates Connection Proxy" }, { "meta": { "source-uuid": "222fbd21-fc4f-4b7e-9f85-0e6e3a76c33f", "target-uuid": "b42378e0-f147-496f-992a-26a49705395b" }, "uuid": "bab6aadc-7a93-43e4-88cb-904fd1f2fddd", "value": "menuPass uses PoisonIvy" }, { "meta": { "source-uuid": "6713ab67-e25b-49cc-808d-2b36d4fbc35c", "target-uuid": "92d7da27-2d91-488e-a00c-059dc162766d" }, "uuid": "49f2c182-bd69-4874-9102-b5fd1acac59c", "value": "Ke3chang uses Exfiltration Over Command and Control Channel" }, { "meta": { "source-uuid": "17862c7d-9e60-48a0-b48e-da4dc4c3f6b0", "target-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0" }, "uuid": "42d4ae64-75da-4dfd-b23f-d270252115ee", "value": "Patchwork uses Masquerading" }, { "meta": { "source-uuid": "277d2f87-2ae5-4730-a3aa-50c1fdff9656", "target-uuid": "731f4f55-b6d0-41d1-a7a9-072a66389aea" }, "uuid": "6476b9fe-dc7f-4578-a39d-beebc8390af2", "value": "Strider uses Connection Proxy" }, { "meta": { "source-uuid": "67e6d66b-1b82-4699-b47a-e2efb6268d14", "target-uuid": "4b74a1d4-b0e9-4ef1-93f1-14ecc6e2f5b5" }, "uuid": "c8d0e862-20af-4f9f-84e8-0419c8080008", "value": "SeaDuke uses Standard Cryptographic Protocol" }, { "meta": { "source-uuid": "222fbd21-fc4f-4b7e-9f85-0e6e3a76c33f", "target-uuid": "17b40f60-729f-4fe8-8aea-cc9ee44a95d5" }, "uuid": "3dd745f5-1c0c-4376-8850-89679fcd4e31", "value": "menuPass uses RedLeaves" }, { "meta": { "source-uuid": "196f1f32-e0c2-4d46-99cd-234d4b6befe1", "target-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0" }, "uuid": "c74cbdc5-e454-4b22-957e-926854dd37f1", "value": "Felismus uses System Network Configuration Discovery" }, { "meta": { "source-uuid": "16ade1aa-0ea1-4bb7-88cc-9079df2ae756", "target-uuid": 
"7fcbc4e8-1989-441f-9ac5-e7b6ff5806f1" }, "uuid": "318afc9f-92f3-4262-af70-b2e045b87737", "value": "admin@338 uses Systeminfo" }, { "meta": { "source-uuid": "4c59cce8-cb48-4141-b9f1-f646edfaadb0", "target-uuid": "1b84d551-6de8-4b96-9930-d177677c3b1d" }, "uuid": "47109a67-e1af-4f5c-8c58-c1580ff5c6ec", "value": "Regin uses Code Signing" }, { "meta": { "source-uuid": "92ec0cbd-2c30-44a2-b270-73f4ec949841", "target-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1" }, "uuid": "c6606ced-4641-451f-ac2a-493b1d15d0aa", "value": "RTM uses System Information Discovery" }, { "meta": { "source-uuid": "5be33fef-39c0-4532-84ee-bea31e1b5324", "target-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a" }, "uuid": "a0500766-a6ba-4672-b7fc-2a712cd0cfca", "value": "ISMInjector uses Obfuscated Files or Information" }, { "meta": { "source-uuid": "a0cb9370-e39b-44d5-9f50-ef78e412b973", "target-uuid": "51dea151-0898-4a45-967c-3ebee0420484" }, "uuid": "70f3eaca-179d-4412-ad32-c4e3cf60c27c", "value": "Axiom uses Remote Desktop Protocol" }, { "meta": { "source-uuid": "2a158b0a-7ef8-43cb-9985-bf34d1e12050", "target-uuid": "7fcbc4e8-1989-441f-9ac5-e7b6ff5806f1" }, "uuid": "4b521c7b-c66b-4bbc-847e-d6a13e9ae62c", "value": "Naikon uses Systeminfo" }, { "meta": { "source-uuid": "06824aa2-94a5-474c-97f6-57c2e983d885", "target-uuid": "36675cd3-fe00-454c-8516-aebecacbe9d9" }, "uuid": "ab6dbf38-dfed-4bfa-9d7d-bbe6864f82d3", "value": "Login Item Mitigation mitigates Login Item" }, { "meta": { "source-uuid": "d8787791-d22e-45bb-a9a8-251d8d0a1ff2", "target-uuid": "322bad5a-1c49-4d23-ab79-76d641794afa" }, "uuid": "338cf92d-43a8-4fdd-948d-1a3bde10d917", "value": "System Service Discovery Mitigation mitigates System Service Discovery" }, { "meta": { "source-uuid": "aafea02e-ece5-4bb2-91a6-3bf8c7f38a39", "target-uuid": "478aa214-2ca7-4ec0-9978-18798e514790" }, "uuid": "d4f48744-0564-4ef3-bdae-421076912495", "value": "Cobalt Strike uses New Service" }, { "meta": { "source-uuid": "dc5d1a33-62aa-4a0c-aa8c-589b87beb11e", 
"target-uuid": "1b84d551-6de8-4b96-9930-d177677c3b1d" }, "uuid": "fe0c8388-46fb-4064-9837-56a23339ffaa", "value": "ChChes uses Code Signing" }, { "meta": { "source-uuid": "82cb34ba-02b5-432b-b2d2-07f55cbf674d", "target-uuid": "6ff403bc-93e3-48be-8687-e102fdba8c88" }, "uuid": "40c202ae-fd92-4506-b72a-5fb0e7bcf99a", "value": "Trojan.Karagany uses Software Packing" }, { "meta": { "source-uuid": "e9595678-d269-469e-ae6b-75e49259de63", "target-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc" }, "uuid": "8c359d18-06fc-4db1-9b58-6e85fa563066", "value": "BADNEWS uses Registry Run Keys / Start Folder" }, { "meta": { "source-uuid": "aafea02e-ece5-4bb2-91a6-3bf8c7f38a39", "target-uuid": "c3bce4f4-9795-46c6-976e-8676300bbc39" }, "uuid": "d328f1e2-c98f-473e-aea5-063e1ee70744", "value": "Cobalt Strike uses Windows Remote Management" }, { "meta": { "source-uuid": "68dca94f-c11d-421e-9287-7c501108e18c", "target-uuid": "ffe742ed-9100-4686-9e00-c331da544787" }, "uuid": "8d7cd505-3b0e-4e90-bf47-6552612958dc", "value": "Duqu uses Windows Admin Shares" }, { "meta": { "source-uuid": "92ec0cbd-2c30-44a2-b270-73f4ec949841", "target-uuid": "7bc57495-ea59-4380-be31-a64af124ef18" }, "uuid": "d412ff4a-d9d0-44a9-b8b3-36a650f18036", "value": "RTM uses File and Directory Discovery" }, { "meta": { "source-uuid": "7ecc3b4f-5cdb-457e-b55a-df376b359446", "target-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22" }, "uuid": "35aac341-5371-42e8-ad93-3ab94a11b51a", "value": "Poseidon Group uses Credential Dumping" }, { "meta": { "source-uuid": "6713ab67-e25b-49cc-808d-2b36d4fbc35c", "target-uuid": "15dbf668-795c-41e6-8219-f0447c0e64ce" }, "uuid": "b368c7c2-a593-45cb-b557-aac668a02656", "value": "Ke3chang uses Permission Groups Discovery" }, { "meta": { "source-uuid": "007b44b6-e4c5-480b-b5b9-56f2081b1b7b", "target-uuid": "2e0dd10b-676d-4964-acd0-8a404c92b044" }, "uuid": "7209b3d7-b8c8-4fc0-89fb-a5448f015540", "value": "HDoor uses Disabling Security Tools" }, { "meta": { "source-uuid": 
"222fbd21-fc4f-4b7e-9f85-0e6e3a76c33f", "target-uuid": "e358d692-23c0-4a31-9eb6-ecc13a8d7735" }, "uuid": "03f32a8b-4cd9-488c-9759-37f3dff9faea", "value": "menuPass uses Remote System Discovery" }, { "meta": { "source-uuid": "6a2e693f-24e5-451a-9f88-b36a108e5662", "target-uuid": "2fab555f-7664-4623-b4e0-1675ae38190b" }, "uuid": "44858dc2-c869-42a0-8f67-3ddd9660b538", "value": "APT1 uses Lslsass" }, { "meta": { "source-uuid": "0bbdf25b-30ff-4894-a1cd-49260d0dd2d9", "target-uuid": "ba8e391f-14b5-496f-81f2-2d5ecd646c1c" }, "uuid": "80dcd852-39c2-4ef9-a401-e54982010a65", "value": "APT3 uses Credentials in Files" }, { "meta": { "source-uuid": "91000a8a-58cc-4aba-9ad0-993ad6302b86", "target-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830" }, "uuid": "fa04b7b3-e9ea-4c35-a2a5-8d0c73f5698b", "value": "StreamEx uses Command-Line Interface" }, { "meta": { "source-uuid": "552462b9-ae79-49dd-855c-5973014e157f", "target-uuid": "f2d44246-91f1-478a-b6c8-1227e0ca109d" }, "uuid": "e584ec5f-af99-4d61-8b02-3dbacae4adf4", "value": "Zeroaccess uses NTFS Extended Attributes" }, { "meta": { "source-uuid": "083bb47b-02c8-4423-81a2-f9ef58572974", "target-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22" }, "uuid": "adf7a6a5-91b0-4c37-9fa5-0bfbb382a838", "value": "Backdoor.Oldrea uses Credential Dumping" }, { "meta": { "source-uuid": "1c63d4ec-0a75-4daa-b1df-0d11af3d3cc1", "target-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9" }, "uuid": "ba95a6e7-3235-4dcd-93eb-4eebc4d0aaec", "value": "Dragonfly uses Scheduled Task" }, { "meta": { "source-uuid": "f8dfbc54-b070-4224-b560-79aaa5f835bd", "target-uuid": "246fd3c7-f5e3-466d-8787-4c13d9e3b61c" }, "uuid": "1539eaf6-e4ea-4e9d-af2b-2594d1ca5b38", "value": "H1N1 uses Taint Shared Content" }, { "meta": { "source-uuid": "3cab1b76-2f40-4cd0-8d2c-7ed16eeb909c", "target-uuid": "7bc57495-ea59-4380-be31-a64af124ef18" }, "uuid": "10619fa8-c479-4b61-9aac-ee08f00114d1", "value": "ELMER uses File and Directory Discovery" }, { "meta": { "source-uuid": 
"93f52415-0fe4-4d3d-896c-fc9b8e88ab90", "target-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c" }, "uuid": "03303147-db81-4cb3-9368-98ee4f963c1a", "value": "BRONZE BUTLER uses Deobfuscate/Decode Files or Information" }, { "meta": { "source-uuid": "9752aef4-a1f3-4328-929f-b64eb0536090", "target-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0" }, "uuid": "37aa4e22-824b-468c-ae46-d9d007cc7cc7", "value": "RawPOS uses Masquerading" }, { "meta": { "source-uuid": "e6ef745b-077f-42e1-a37d-29eecff9c754", "target-uuid": "241814ae-de3f-4656-b49e-f9a80764d4b7" }, "uuid": "330c8e43-575f-4c9a-b6c2-def7306841ad", "value": "CozyCar uses Security Software Discovery" }, { "meta": { "source-uuid": "7bec698a-7e20-4fd3-bb6a-12787770fb1a", "target-uuid": "4b74a1d4-b0e9-4ef1-93f1-14ecc6e2f5b5" }, "uuid": "0e630f6b-8662-4ffe-b666-709e17aad69f", "value": "3PARA RAT uses Standard Cryptographic Protocol" }, { "meta": { "source-uuid": "7551188b-8f91-4d34-8350-0d0c57b2b913", "target-uuid": "7bc57495-ea59-4380-be31-a64af124ef18" }, "uuid": "6e39f6fe-3808-41ae-9263-1fd23865bd7b", "value": "Elise uses File and Directory Discovery" }, { "meta": { "source-uuid": "54cc1d4f-5c53-4f0e-9ef5-11b4998e82e4", "target-uuid": "970cdb5c-02fb-4c38-b17e-d6327cf3c810" }, "uuid": "8200c438-ec29-4f0e-81c3-9a058c735748", "value": "BlackEnergy uses Shortcut Modification" }, { "meta": { "source-uuid": "69d6f4a9-fcf0-4f51-bca7-597c51ad0bb8", "target-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2" }, "uuid": "2f5f2d31-739e-4dc5-b137-840401985244", "value": "Remsec uses Input Capture" }, { "meta": { "source-uuid": "fb575479-14ef-41e9-bfab-0b7cf10bec73", "target-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896" }, "uuid": "9f496c45-eac5-464f-858b-ef481f2f37ff", "value": "ADVSTORESHELL uses Query Registry" }, { "meta": { "source-uuid": "0f862b01-99da-47cc-9bdb-db4a86a95bb1", "target-uuid": "62b8c999-dcc0-4755-bd69-09442d9359f5" }, "uuid": "1c6f35f0-1169-4218-9881-7291e1765cd8", "value": "Emissary uses Rundll32" }, { "meta": { 
"source-uuid": "222fbd21-fc4f-4b7e-9f85-0e6e3a76c33f", "target-uuid": "ae676644-d2d2-41b7-af7e-9bed1b55898c" }, "uuid": "c2909563-2b7e-48d6-b165-05b8eff63862", "value": "menuPass uses Data from Network Shared Drive" }, { "meta": { "source-uuid": "0bbdf25b-30ff-4894-a1cd-49260d0dd2d9", "target-uuid": "4e6b9625-bbda-4d96-a652-b3bb45453f26" }, "uuid": "f24d37c0-283d-4f37-8278-07fc75cc0e94", "value": "APT3 uses RemoteCMD" }, { "meta": { "source-uuid": "cafd0bf8-2b9c-46c7-ae3c-3e0f42c5062e", "target-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2" }, "uuid": "2be17426-9704-4913-981b-6d8fe4471147", "value": "NetTraveler uses Input Capture" }, { "meta": { "source-uuid": "9378f139-10ef-4e4b-b679-2255a0818902", "target-uuid": "39a130e1-6ab7-434a-8bd2-418e7d9d6427" }, "uuid": "52b6181e-881e-4b96-93a3-1292bc2f1352", "value": "Service Registry Permissions Weakness Mitigation mitigates Service Registry Permissions Weakness" }, { "meta": { "source-uuid": "894aab42-3371-47b1-8859-a4a074c804c8", "target-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5" }, "uuid": "cdf73653-b2d7-422f-b433-b6a428ff12d4", "value": "Stealth Falcon uses Data from Local System" }, { "meta": { "source-uuid": "c0c45d38-fe57-4cd4-b2b2-9ecd0ddd4ca9", "target-uuid": "478aa214-2ca7-4ec0-9978-18798e514790" }, "uuid": "90347c97-c0c5-4407-9087-b917d0789b0e", "value": "TinyZBot uses New Service" }, { "meta": { "source-uuid": "ae9d818d-95d0-41da-b045-9cabea1ca164", "target-uuid": "7bc57495-ea59-4380-be31-a64af124ef18" }, "uuid": "1fbde0c8-1b00-40bf-8fef-11892d103d63", "value": "PinchDuke uses File and Directory Discovery" }, { "meta": { "source-uuid": "26fed817-e7bf-41f9-829a-9075ffac45c2", "target-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc" }, "uuid": "828afc32-9874-40aa-b752-315c7623ffee", "value": "Kasidet uses Registry Run Keys / Start Folder" }, { "meta": { "source-uuid": "0ced8926-914e-4c78-bc93-356fb90dbd1f", "target-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59" }, "uuid": "d0013f9d-4243-4ade-8d06-a2cd6158ca58", 
"value": "HALFBAKED uses File Deletion" }, { "meta": { "source-uuid": "ae41895a-243f-4a65-b99b-d85022326c31", "target-uuid": "e1161124-f22e-487f-9d5f-ed8efc8dcd61" }, "uuid": "2092cbf8-4b5e-40e9-93dd-bfd8a71b4e8c", "value": "Dust Storm uses Mis-Type" }, { "meta": { "source-uuid": "69d6f4a9-fcf0-4f51-bca7-597c51ad0bb8", "target-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22" }, "uuid": "852009ed-1b50-4b08-9e77-53f0271d995c", "value": "Remsec uses Credential Dumping" }, { "meta": { "source-uuid": "93f52415-0fe4-4d3d-896c-fc9b8e88ab90", "target-uuid": "0c8465c0-d0b4-4670-992e-4eee8d7ff952" }, "uuid": "80fc5f0c-3dcb-45ab-807a-bfa3d64334c6", "value": "BRONZE BUTLER uses at" }, { "meta": { "source-uuid": "7551188b-8f91-4d34-8350-0d0c57b2b913", "target-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0" }, "uuid": "0fd5d3bc-d736-43c0-b9ec-f1dcd95411a7", "value": "Elise uses Masquerading" }, { "meta": { "source-uuid": "2a7914cf-dff3-428d-ab0f-1014d1c28aeb", "target-uuid": "30208d3e-0d6b-43c8-883e-44462a514619" }, "uuid": "ac7d5b88-7929-4f64-abcd-8219caafac24", "value": "FIN6 uses Automated Collection" }, { "meta": { "source-uuid": "7551188b-8f91-4d34-8350-0d0c57b2b913", "target-uuid": "cc7b8c4e-9be0-47ca-b0bb-83915ec3ee2f" }, "uuid": "c667befa-7242-47f8-bdc1-1056f62bb466", "value": "Elise uses Data Encoding" }, { "meta": { "source-uuid": "38fd6a28-3353-4f2b-bb2b-459fecd5c648", "target-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59" }, "uuid": "6175bbbe-1bc1-4562-8c5f-9e437348636a", "value": "APT18 uses File Deletion" }, { "meta": { "source-uuid": "5967cc93-57c9-404a-8ffd-097edfa7bdfc", "target-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add" }, "uuid": "18572125-3439-4f7c-92c8-d787913dc989", "value": "Hi-Zor uses Remote File Copy" }, { "meta": { "source-uuid": "93f52415-0fe4-4d3d-896c-fc9b8e88ab90", "target-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9" }, "uuid": "9ef58dda-688d-4461-b5fc-25f2ba3a9c54", "value": "BRONZE BUTLER uses Scheduled Task" }, { "meta": { "source-uuid": 
"e1161124-f22e-487f-9d5f-ed8efc8dcd61", "target-uuid": "72b74d71-8169-42aa-92e0-e7b04b9f5a08" }, "uuid": "a33c172b-9910-4f36-8373-32126201144b", "value": "Mis-Type uses Account Discovery" }, { "meta": { "source-uuid": "7a14d974-f3d9-4e4e-9b7d-980385762908", "target-uuid": "b2001907-166b-4d71-bb3c-9d26c871de09" }, "uuid": "4f2dbf3d-70f6-42d9-8894-c98d8bc70abc", "value": "DLL Side-Loading Mitigation mitigates DLL Side-Loading" }, { "meta": { "source-uuid": "8c553311-0baa-4146-997a-f79acef3d831", "target-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add" }, "uuid": "4bf364ad-1e9c-4860-93c0-241da4c81068", "value": "RARSTONE uses Remote File Copy" }, { "meta": { "source-uuid": "0f862b01-99da-47cc-9bdb-db4a86a95bb1", "target-uuid": "3b3cbbe0-6ed3-4334-b543-3ddfd8c5642d" }, "uuid": "4b5540e5-eac1-40f4-93d0-155f60e9395a", "value": "Emissary uses Custom Cryptographic Protocol" }, { "meta": { "source-uuid": "4ca1929c-7d64-4aab-b849-badbfc0c760d", "target-uuid": "51dea151-0898-4a45-967c-3ebee0420484" }, "uuid": "27ead6bc-2bba-49d3-bcfe-667c7654a6fc", "value": "OilRig uses Remote Desktop Protocol" }, { "meta": { "source-uuid": "1a7f5bd3-f6ee-4bd7-b949-2f3632ad6158", "target-uuid": "6fb6408c-0db3-41d9-a3a1-a32e5f16454e" }, "uuid": "47639246-6268-4a7e-9670-965873bdfb42", "value": "Gatekeeper Bypass Mitigation mitigates Gatekeeper Bypass" }, { "meta": { "source-uuid": "b91c2f9e-c1a0-44df-95f0-9e7c9d1d5e55", "target-uuid": "1df0326d-2fbc-4d08-a16b-48365f1e742d" }, "uuid": "e59e9443-740a-4e2b-a775-8ae59ceb3844", "value": "SID-History Injection Mitigation mitigates SID-History Injection" }, { "meta": { "source-uuid": "93f52415-0fe4-4d3d-896c-fc9b8e88ab90", "target-uuid": "f3c544dc-673c-4ef3-accb-53229f1ae077" }, "uuid": "6c053469-7bd4-4b55-90b2-289a09aa53fa", "value": "BRONZE BUTLER uses System Time Discovery" }, { "meta": { "source-uuid": "b6b3dfc7-9a81-43ff-ac04-698bad48973a", "target-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2" }, "uuid": "d2bc1c1b-987b-4a1a-b488-8199f8113697", 
"value": "Daserf uses Input Capture" }, { "meta": { "source-uuid": "92ec0cbd-2c30-44a2-b270-73f4ec949841", "target-uuid": "30208d3e-0d6b-43c8-883e-44462a514619" }, "uuid": "a83182d2-b619-4ca4-984b-21ecfe43da26", "value": "RTM uses Automated Collection" }, { "meta": { "source-uuid": "ab3580c8-8435-4117-aace-3d9fbe46aa56", "target-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2" }, "uuid": "ecde1551-bca2-4f45-8692-cbc583cf3d4f", "value": "Unknown Logger uses Input Capture" }, { "meta": { "source-uuid": "166c0eca-02fd-424a-92c0-6b5106994d31", "target-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6" }, "uuid": "fb11df98-790a-4b1c-9ca0-73224226cff3", "value": "ZLib uses Standard Application Layer Protocol" }, { "meta": { "source-uuid": "e1161124-f22e-487f-9d5f-ed8efc8dcd61", "target-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0" }, "uuid": "39e856a1-4bab-474e-a6b2-3ce69249bc29", "value": "Mis-Type uses System Network Configuration Discovery" }, { "meta": { "source-uuid": "3753cc21-2dae-4dfb-8481-d004e74502cc", "target-uuid": "17e919aa-4a49-445c-b103-dbb8df9e7351" }, "uuid": "b6eb09bc-fef4-4cf3-b337-dfe6bd87ca35", "value": "FIN7 uses POWERSOURCE" }, { "meta": { "source-uuid": "2a158b0a-7ef8-43cb-9985-bf34d1e12050", "target-uuid": "ff6caf67-ea1f-4895-b80e-4bb0fc31c6db" }, "uuid": "f08c1f67-485b-4ebd-81dd-e886f63025e6", "value": "Naikon uses PsExec" }, { "meta": { "source-uuid": "e9595678-d269-469e-ae6b-75e49259de63", "target-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688" }, "uuid": "11010986-1b4d-4158-b47d-bbff34306c98", "value": "BADNEWS uses Screen Capture" }, { "meta": { "source-uuid": "43213480-78f7-4fb3-976f-d48f5f6a4c2a", "target-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5" }, "uuid": "18324fed-7770-4768-b652-59860ac4782f", "value": "FLASHFLOOD uses Data from Local System" }, { "meta": { "source-uuid": "fb366179-766c-4a4a-afa1-52bff1fd601c", "target-uuid": "b2001907-166b-4d71-bb3c-9d26c871de09" }, "uuid": "2a93ea80-d0f6-4b81-887d-8911f7573245", "value": "Threat Group-3390 
uses DLL Side-Loading" }, { "meta": { "source-uuid": "64fa0de0-6240-41f4-8638-f4ca7ed528fd", "target-uuid": "478aa214-2ca7-4ec0-9978-18798e514790" }, "uuid": "ce42140b-f801-40da-8185-105a9b1a915a", "value": "PlugX uses New Service" }, { "meta": { "source-uuid": "b7b2c89c-09c1-4b71-ae7c-000ec2893aab", "target-uuid": "478aa214-2ca7-4ec0-9978-18798e514790" }, "uuid": "bb1de6e6-23ce-42a8-bcd7-fd75aec24c50", "value": "New Service Mitigation mitigates New Service" }, { "meta": { "source-uuid": "82cb34ba-02b5-432b-b2d2-07f55cbf674d", "target-uuid": "7dd95ff6-712e-4056-9626-312ea4ab4c5e" }, "uuid": "7cf7d162-a34f-4951-a643-5bf959283f6b", "value": "Trojan.Karagany uses Data Staged" }, { "meta": { "source-uuid": "4ca1929c-7d64-4aab-b849-badbfc0c760d", "target-uuid": "f4882e23-8aa7-4b12-b28a-b349c12ee9e0" }, "uuid": "4fde23ab-b8db-4275-ac37-37e608cb00b0", "value": "OilRig uses PowerShell" }, { "meta": { "source-uuid": "b1de6916-7a22-4460-8d26-6b5483ffaa2a", "target-uuid": "3b744087-9945-4a6f-91e8-9dbceda417a4" }, "uuid": "114f98a4-6243-4a0c-a6c4-3e693a4f9b08", "value": "SHIPSHAPE uses Replication Through Removable Media" }, { "meta": { "source-uuid": "e9595678-d269-469e-ae6b-75e49259de63", "target-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5" }, "uuid": "11a7431f-416f-48de-a3c0-8782abdede63", "value": "BADNEWS uses Data from Local System" }, { "meta": { "source-uuid": "93f52415-0fe4-4d3d-896c-fc9b8e88ab90", "target-uuid": "cc7b8c4e-9be0-47ca-b0bb-83915ec3ee2f" }, "uuid": "545a618f-9fe4-4573-a0a0-ecfcef0b407c", "value": "BRONZE BUTLER uses Data Encoding" }, { "meta": { "source-uuid": "0bbdf25b-30ff-4894-a1cd-49260d0dd2d9", "target-uuid": "64fa0de0-6240-41f4-8638-f4ca7ed528fd" }, "uuid": "3427863f-d4c4-4272-ad60-1479e42ed4af", "value": "APT3 uses PlugX" }, { "meta": { "source-uuid": "b35068ec-107a-4266-bda8-eb7036267aea", "target-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0" }, "uuid": "92d3b6b0-7c61-452a-a9b9-c2549357bfef", "value": "nbtstat uses System Network Configuration 
Discovery" }, { "meta": { "source-uuid": "92ec0cbd-2c30-44a2-b270-73f4ec949841", "target-uuid": "ca1a3f50-5ebd-41f8-8320-2c7d6a6e88be" }, "uuid": "0d0b4507-b600-41f1-be98-03909e5d99cf", "value": "RTM uses Bypass User Account Control" }, { "meta": { "source-uuid": "7a19ecb1-3c65-4de3-a230-993516aed6a6", "target-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1" }, "uuid": "e2675622-ec8e-4894-9f5e-3c82944e3019", "value": "Turla uses System Information Discovery" }, { "meta": { "source-uuid": "ab3580c8-8435-4117-aace-3d9fbe46aa56", "target-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1" }, "uuid": "02206f22-80e9-4f87-9e4b-5c1df1eb737e", "value": "Unknown Logger uses System Information Discovery" }, { "meta": { "source-uuid": "08d20cd2-f084-45ee-8558-fa6ef5a18519", "target-uuid": "4b74a1d4-b0e9-4ef1-93f1-14ecc6e2f5b5" }, "uuid": "9253e8b3-9fbb-4149-a2e4-60d36c006ba6", "value": "Downdelph uses Standard Cryptographic Protocol" }, { "meta": { "source-uuid": "2daa14d6-cbf3-4308-bb8e-213c324a08e4", "target-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6" }, "uuid": "4556634c-06f7-48f9-bcaa-22d023524068", "value": "HAMMERTOSS uses Standard Application Layer Protocol" }, { "meta": { "source-uuid": "0db09158-6e48-4e7c-8ce7-2b10b9c0c039", "target-uuid": "7bc57495-ea59-4380-be31-a64af124ef18" }, "uuid": "1a4c94a1-6362-42b3-b1d9-41ae3fbf5ea5", "value": "Misdat uses File and Directory Discovery" }, { "meta": { "source-uuid": "007b44b6-e4c5-480b-b5b9-56f2081b1b7b", "target-uuid": "e3a12395-188d-4051-9a16-ea8e14d07b88" }, "uuid": "db283fff-4b13-4c79-85f0-5cdb6b76e964", "value": "HDoor uses Network Service Scanning" }, { "meta": { "source-uuid": "03342581-f790-4f03-ba41-e82e67392e23", "target-uuid": "f44731de-ea9f-406d-9b83-30ecbb9b4392" }, "uuid": "5fc0ca38-bb65-43ab-b8b2-6861442b25a8", "value": "Net uses Service Execution" }, { "meta": { "source-uuid": "6713ab67-e25b-49cc-808d-2b36d4fbc35c", "target-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1" }, "uuid": 
"f865403f-5b4a-4e5a-bb50-8d416ad36db4", "value": "Ke3chang uses System Information Discovery" }, { "meta": { "source-uuid": "93f52415-0fe4-4d3d-896c-fc9b8e88ab90", "target-uuid": "ca1a3f50-5ebd-41f8-8320-2c7d6a6e88be" }, "uuid": "4c6aea43-27ba-4e6a-8907-e5db364a145b", "value": "BRONZE BUTLER uses Bypass User Account Control" }, { "meta": { "source-uuid": "222fbd21-fc4f-4b7e-9f85-0e6e3a76c33f", "target-uuid": "ff6caf67-ea1f-4895-b80e-4bb0fc31c6db" }, "uuid": "f9600732-9116-4325-8073-28d81721b37a", "value": "menuPass uses PsExec" }, { "meta": { "source-uuid": "247cb30b-955f-42eb-97a5-a89fef69341e", "target-uuid": "7dbb67c7-270a-40ad-836e-c45f8948aa5a" }, "uuid": "5ccd4b15-ef11-4b89-b0e1-4dd714fa2fb5", "value": "APT32 uses KOMPROGO" }, { "meta": { "source-uuid": "85b39628-204a-48d2-b377-ec368cbcb7ca", "target-uuid": "774a3188-6ba9-4dc4-879d-d54ee48a5ce9" }, "uuid": "ff922dd7-21b6-4f95-bb8b-080d0dee6655", "value": "TINYTYPHON uses Automated Exfiltration" }, { "meta": { "source-uuid": "e669bb87-f773-4c7b-bfcc-a9ffebfdd8d4", "target-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d" }, "uuid": "b97e696f-6386-4b15-8f24-81d0abe51830", "value": "HIDEDRV uses Process Injection" }, { "meta": { "source-uuid": "6713ab67-e25b-49cc-808d-2b36d4fbc35c", "target-uuid": "72b74d71-8169-42aa-92e0-e7b04b9f5a08" }, "uuid": "20f863a1-f7de-4d66-a564-c4adee24fdbe", "value": "Ke3chang uses Account Discovery" }, { "meta": { "source-uuid": "c93fccb1-e8e8-42cf-ae33-2ad1d183913a", "target-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896" }, "uuid": "39b735d3-c659-4d1a-8e7e-082c0f049c2d", "value": "Lazarus Group uses Query Registry" }, { "meta": { "source-uuid": "ff6840c9-4c87-4d07-bbb6-9f50aa33d498", "target-uuid": "62b8c999-dcc0-4755-bd69-09442d9359f5" }, "uuid": "ced15447-281b-4d92-941e-b5df9747a3d5", "value": "Flame uses Rundll32" }, { "meta": { "source-uuid": "93f52415-0fe4-4d3d-896c-fc9b8e88ab90", "target-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5" }, "uuid": 
"05e9e12f-be5e-46f4-9f42-6f7fb7e9fb4a", "value": "BRONZE BUTLER uses Data from Local System" }, { "meta": { "source-uuid": "96b08451-b27a-4ff6-893f-790e26393a8e", "target-uuid": "478aa214-2ca7-4ec0-9978-18798e514790" }, "uuid": "d64ba78c-a332-40be-8e2f-904f15ceffe7", "value": "Sakula uses New Service" }, { "meta": { "source-uuid": "17862c7d-9e60-48a0-b48e-da4dc4c3f6b0", "target-uuid": "7bc57495-ea59-4380-be31-a64af124ef18" }, "uuid": "0e89ca75-b73e-476e-b56d-1cf815fa7868", "value": "Patchwork uses File and Directory Discovery" }, { "meta": { "source-uuid": "313c8b20-4d49-40c1-9ac0-4c573aca28f3", "target-uuid": "514ede4c-78b3-4d78-a38b-daddf6217a79" }, "uuid": "cca3a63c-e00e-49d1-bf10-f2c21f3469e6", "value": "Winlogon Helper DLL Mitigation mitigates Winlogon Helper DLL" }, { "meta": { "source-uuid": "e9595678-d269-469e-ae6b-75e49259de63", "target-uuid": "1c338d0f-a65e-4073-a5c1-c06878849f21" }, "uuid": "a5b4d08c-963a-48fe-8f22-ba344835d00e", "value": "BADNEWS uses Process Hollowing" }, { "meta": { "source-uuid": "234e7770-99b0-4f65-b983-d3230f76a60b", "target-uuid": "c0a384a4-9a25-40e1-97b6-458388474bc8" }, "uuid": "3ec34d16-a4e6-4fc7-b819-5a041605aa42", "value": "Janicab uses Local Job Scheduling" }, { "meta": { "source-uuid": "2fb26586-2b53-4b9a-ad4f-2b3bcb9a2421", "target-uuid": "2e0dd10b-676d-4964-acd0-8a404c92b044" }, "uuid": "babaa2be-7c41-490a-bd0b-2cf140858244", "value": "SslMM uses Disabling Security Tools" }, { "meta": { "source-uuid": "d7c49196-b40e-42bc-8eed-b803113692ed", "target-uuid": "68c96494-1a50-403e-8844-69a6af278c68" }, "uuid": "0b0884f1-1a40-436e-9a74-8cbe9c9d6732", "value": "Change Default File Association Mitigation mitigates Change Default File Association" }, { "meta": { "source-uuid": "2a7914cf-dff3-428d-ab0f-1014d1c28aeb", "target-uuid": "72b74d71-8169-42aa-92e0-e7b04b9f5a08" }, "uuid": "16c7058c-8fa5-4477-8332-9e76fcb38924", "value": "FIN6 uses Account Discovery" }, { "meta": { "source-uuid": "16ade1aa-0ea1-4bb7-88cc-9079df2ae756", 
"target-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830" }, "uuid": "fb6f077c-06a2-46bb-9aef-959ef818d4aa", "value": "admin@338 uses Command-Line Interface" }, { "meta": { "source-uuid": "92ec0cbd-2c30-44a2-b270-73f4ec949841", "target-uuid": "348f1eef-964b-4eb6-bb53-69b3dcb0c643" }, "uuid": "45f9e4b6-a6a0-4f9f-aae9-9e8a69f5681d", "value": "RTM uses Peripheral Device Discovery" }, { "meta": { "source-uuid": "0bbdf25b-30ff-4894-a1cd-49260d0dd2d9", "target-uuid": "f879d51c-5476-431c-aedf-f14d207e4d1e" }, "uuid": "afbf5119-6e39-4e4c-8329-57f7249a67b4", "value": "APT3 uses Commonly Used Port" }, { "meta": { "source-uuid": "fb366179-766c-4a4a-afa1-52bff1fd601c", "target-uuid": "03342581-f790-4f03-ba41-e82e67392e23" }, "uuid": "2e45dc12-f493-42ea-829e-011ba786bef1", "value": "Threat Group-3390 uses Net" }, { "meta": { "source-uuid": "2eb9b131-d333-4a48-9eb4-d8dec46c19ee", "target-uuid": "7bc57495-ea59-4380-be31-a64af124ef18" }, "uuid": "62507790-a137-409e-a655-9190ff78cb52", "value": "CosmicDuke uses File and Directory Discovery" }, { "meta": { "source-uuid": "4ca1929c-7d64-4aab-b849-badbfc0c760d", "target-uuid": "72b74d71-8169-42aa-92e0-e7b04b9f5a08" }, "uuid": "5f5af879-c239-416b-99ec-b46e2f9926a2", "value": "OilRig uses Account Discovery" }, { "meta": { "source-uuid": "aafea02e-ece5-4bb2-91a6-3bf8c7f38a39", "target-uuid": "00d0b012-8a03-410e-95de-5826bf542de6" }, "uuid": "cf7cd81f-3684-469f-936b-a6098ff76dbd", "value": "Cobalt Strike uses Indicator Removal from Tools" }, { "meta": { "source-uuid": "aafea02e-ece5-4bb2-91a6-3bf8c7f38a39", "target-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830" }, "uuid": "a6929a8b-e9b4-4122-8dd8-4030173346c9", "value": "Cobalt Strike uses Command-Line Interface" }, { "meta": { "source-uuid": "f6ae7a52-f3b6-4525-9daf-640c083f006e", "target-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4" }, "uuid": "202b96f6-0f7c-4aed-8004-780f1d880059", "value": "PHOREAL uses Modify Registry" }, { "meta": { "source-uuid": "ae9d818d-95d0-41da-b045-9cabea1ca164", 
"target-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22" }, "uuid": "2e80a049-220e-4d47-98f7-c0dbfe245cdc", "value": "PinchDuke uses Credential Dumping" }, { "meta": { "source-uuid": "fb366179-766c-4a4a-afa1-52bff1fd601c", "target-uuid": "d54416bd-0803-41ca-870a-ce1af7c05638" }, "uuid": "c8c5b766-a719-43bd-988a-cb00beedbba3", "value": "Threat Group-3390 uses Data Encrypted" }, { "meta": { "source-uuid": "bef4c620-0787-42a8-a96d-b7eb6e85917c", "target-uuid": "59a97b15-8189-4d51-9404-e1ce8ea4a069" }, "uuid": "cfe2a359-bbab-4520-bdd7-b2d6abf742cc", "value": "APT28 uses XAgentOSX" }, { "meta": { "source-uuid": "5c49bc54-9929-48ca-b581-7018219b5a97", "target-uuid": "72b74d71-8169-42aa-92e0-e7b04b9f5a08" }, "uuid": "3d635b23-78b7-4de4-9417-8077787c7c0b", "value": "Account Discovery Mitigation mitigates Account Discovery" }, { "meta": { "source-uuid": "083bb47b-02c8-4423-81a2-f9ef58572974", "target-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d" }, "uuid": "535e3fbe-e6d9-4608-9689-f8f1f8c1ddc9", "value": "Backdoor.Oldrea uses Process Injection" }, { "meta": { "source-uuid": "dcd81c6e-ebf7-4a16-93e0-9a97fa49c88a", "target-uuid": "aafea02e-ece5-4bb2-91a6-3bf8c7f38a39" }, "uuid": "6dbb3a1e-5fb4-4494-950c-570616302ece", "value": "CopyKittens uses Cobalt Strike" }, { "meta": { "source-uuid": "b1de6916-7a22-4460-8d26-6b5483ffaa2a", "target-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc" }, "uuid": "093215eb-4edb-4c55-bb5f-b8ca2de7962c", "value": "SHIPSHAPE uses Registry Run Keys / Start Folder" }, { "meta": { "source-uuid": "22addc7b-b39f-483d-979a-1b35147da5de", "target-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6" }, "uuid": "9df1a5b0-f1fb-4239-abb5-67ba6e9e05f6", "value": "WinMM uses Standard Application Layer Protocol" }, { "meta": { "source-uuid": "64d76fa5-cf8f-469c-b78c-1a4f7c5bad80", "target-uuid": "322bad5a-1c49-4d23-ab79-76d641794afa" }, "uuid": "54e99ba2-143f-43be-8d7f-79de5551d1ac", "value": "BBSRAT uses System Service Discovery" }, { "meta": { "source-uuid": 
"dcd81c6e-ebf7-4a16-93e0-9a97fa49c88a", "target-uuid": "b9f5dbe2-4c55-4fc5-af2e-d42c1d182ec4" }, "uuid": "2e82ef21-9fb2-421e-bd96-73599089b448", "value": "CopyKittens uses Data Compressed" }, { "meta": { "source-uuid": "57019a80-8523-46b6-be7d-f763a15a2cc6", "target-uuid": "7fd87010-3a00-4da3-b905-410525e8ec44" }, "uuid": "edbef2c6-4005-4fdb-b978-9699a7b2a309", "value": "Scripting Mitigation mitigates Scripting" }, { "meta": { "source-uuid": "196f1f32-e0c2-4d46-99cd-234d4b6befe1", "target-uuid": "4b74a1d4-b0e9-4ef1-93f1-14ecc6e2f5b5" }, "uuid": "5cdbfaba-b4be-4cff-bdc6-c9205c44c844", "value": "Felismus uses Standard Cryptographic Protocol" }, { "meta": { "source-uuid": "76abb3ef-dafd-4762-97cb-a35379429db4", "target-uuid": "3b3cbbe0-6ed3-4334-b543-3ddfd8c5642d" }, "uuid": "ec30b3a9-69b4-4604-9def-db9e904df309", "value": "Gazer uses Custom Cryptographic Protocol" }, { "meta": { "source-uuid": "7a19ecb1-3c65-4de3-a230-993516aed6a6", "target-uuid": "322bad5a-1c49-4d23-ab79-76d641794afa" }, "uuid": "52c18ed1-91a5-4394-a4d0-f700c75bf3d9", "value": "Turla uses System Service Discovery" }, { "meta": { "source-uuid": "b96680d1-5eb3-4f07-b95c-00ab904ac236", "target-uuid": "cc7b8c4e-9be0-47ca-b0bb-83915ec3ee2f" }, "uuid": "4ec9a523-e27f-4984-9bde-4af785e5e75a", "value": "Pisloader uses Data Encoding" }, { "meta": { "source-uuid": "95047f03-4811-4300-922e-1ba937d53a61", "target-uuid": "3b3cbbe0-6ed3-4334-b543-3ddfd8c5642d" }, "uuid": "2c29e6cf-a177-4578-bf1f-fd73ae254edd", "value": "Hikit uses Custom Cryptographic Protocol" }, { "meta": { "source-uuid": "bef4c620-0787-42a8-a96d-b7eb6e85917c", "target-uuid": "799ace7f-e227-4411-baa0-8868704f2a69" }, "uuid": "4b8d211d-4969-4c0f-8b01-fd176c8172d1", "value": "APT28 uses Indicator Removal on Host" }, { "meta": { "source-uuid": "6b616fc1-1505-48e3-8b2c-0d19337bff38", "target-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2" }, "uuid": "f4480854-9424-49d5-8b54-f839302e3ee7", "value": "Rover uses Input Capture" }, { "meta": { 
"source-uuid": "222fbd21-fc4f-4b7e-9f85-0e6e3a76c33f", "target-uuid": "46944654-fcc1-4f63-9dad-628102376586" }, "uuid": "ffee4cd1-f193-4dbc-9f47-6fe47e1523eb", "value": "menuPass uses DLL Search Order Hijacking" }, { "meta": { "source-uuid": "247cb30b-955f-42eb-97a5-a89fef69341e", "target-uuid": "afc079f3-c0ea-4096-b75d-3f05338b7f60" }, "uuid": "032fb34d-3434-4667-9d5e-6bb9fd6b7d00", "value": "APT32 uses Mimikatz" }, { "meta": { "source-uuid": "eff1a885-6f90-42a1-901f-eef6e7a1905e", "target-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a" }, "uuid": "284d622d-8b28-4569-97a7-936edced1b18", "value": "Helminth uses Obfuscated Files or Information" }, { "meta": { "source-uuid": "4ca1929c-7d64-4aab-b849-badbfc0c760d", "target-uuid": "f72eb8a8-cd4c-461d-a814-3f862befbf00" }, "uuid": "07a550a2-27c1-43f5-8b30-c288441ad5b0", "value": "OilRig uses Custom Command and Control Protocol" }, { "meta": { "source-uuid": "9559ecaf-2e75-48a7-aee8-9974020bc772", "target-uuid": "ab3580c8-8435-4117-aace-3d9fbe46aa56" }, "uuid": "34627bc3-c857-46c4-a9e8-060a779b643e", "value": "MONSOON uses Unknown Logger" }, { "meta": { "source-uuid": "247cb30b-955f-42eb-97a5-a89fef69341e", "target-uuid": "327f3cc5-eea1-42d4-a6cd-ed34b7ce8f61" }, "uuid": "1d3654f8-3a5e-4ef8-826f-4242ecf78c0a", "value": "APT32 uses Application Deployment Software" }, { "meta": { "source-uuid": "899ce53f-13a0-479b-a0e4-67d46e241542", "target-uuid": "e6ef745b-077f-42e1-a37d-29eecff9c754" }, "uuid": "0585e082-8f8e-4162-b4a8-3c1cef02f7e3", "value": "APT29 uses CozyCar" }, { "meta": { "source-uuid": "823fbfe9-b015-4bf3-9e67-d340c7373ca0", "target-uuid": "ff25900d-76d5-449b-a351-8824e62fc81b" }, "uuid": "e81d69cf-62b8-464b-ad5b-9a9e80236801", "value": "Trusted Developer Utilities Mitigation mitigates Trusted Developer Utilities" }, { "meta": { "source-uuid": "96b08451-b27a-4ff6-893f-790e26393a8e", "target-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830" }, "uuid": "a3fe1f58-b507-42ea-a21e-a6ac46de9ca8", "value": "Sakula uses 
Command-Line Interface" }, { "meta": { "source-uuid": "8f5e8dc7-739d-4f5e-a8a1-a66e004d7063", "target-uuid": "afc079f3-c0ea-4096-b75d-3f05338b7f60" }, "uuid": "b08e3c96-25a7-412f-bbfb-63e010ef3891", "value": "Cleaver uses Mimikatz" }, { "meta": { "source-uuid": "ff6840c9-4c87-4d07-bbb6-9f50aa33d498", "target-uuid": "52d40641-c480-4ad5-81a3-c80ccaddf82d" }, "uuid": "69d05cb2-ded0-4847-b52e-af7af421f303", "value": "Flame uses Authentication Package" }, { "meta": { "source-uuid": "76abb3ef-dafd-4762-97cb-a35379429db4", "target-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add" }, "uuid": "8db1b5bd-8f0c-4c13-8667-c83713ce799e", "value": "Gazer uses Remote File Copy" }, { "meta": { "source-uuid": "0bbdf25b-30ff-4894-a1cd-49260d0dd2d9", "target-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580" }, "uuid": "daf56e8e-ea82-4ef2-bb03-78dd7e6ef3c0", "value": "APT3 uses Process Discovery" }, { "meta": { "source-uuid": "17862c7d-9e60-48a0-b48e-da4dc4c3f6b0", "target-uuid": "241814ae-de3f-4656-b49e-f9a80764d4b7" }, "uuid": "6a5bc2dd-2132-4af0-9b12-0e781971d96c", "value": "Patchwork uses Security Software Discovery" }, { "meta": { "source-uuid": "26fed817-e7bf-41f9-829a-9075ffac45c2", "target-uuid": "7bc57495-ea59-4380-be31-a64af124ef18" }, "uuid": "ccb67d98-71d6-4a26-86b6-281174ca07b0", "value": "Kasidet uses File and Directory Discovery" }, { "meta": { "source-uuid": "10571bf2-8073-4edf-a71c-23bad225532e", "target-uuid": "317fefa6-46c7-4062-adb6-2008cf6bcb41" }, "uuid": "8b439661-99e2-4410-b043-082155793155", "value": "AppInit DLLs Mitigation mitigates AppInit DLLs" }, { "meta": { "source-uuid": "46b7ef91-4e1d-43c5-a2eb-00fa9444f6f4", "target-uuid": "3257eb21-f9a7-4430-8de1-d8b6e288f529" }, "uuid": "c1600f3f-6c21-4c5b-82fe-a4514785f6bb", "value": "Network Sniffing Mitigation mitigates Network Sniffing" }, { "meta": { "source-uuid": "dc5d1a33-62aa-4a0c-aa8c-589b87beb11e", "target-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6" }, "uuid": "03c9b56e-f006-43b2-ac98-bcbe0c05e979", "value": 
"ChChes uses Standard Application Layer Protocol" }, { "meta": { "source-uuid": "92ec0cbd-2c30-44a2-b270-73f4ec949841", "target-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add" }, "uuid": "c839344c-a96d-412f-bded-5ac7c8fd446a", "value": "RTM uses Remote File Copy" }, { "meta": { "source-uuid": "7ee0879d-ce4f-4f54-a96b-c532dfb98ffd", "target-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5" }, "uuid": "1b4cd403-8e3a-43da-bc25-a7e8d707794b", "value": "Data from Local System Mitigation mitigates Data from Local System" }, { "meta": { "source-uuid": "e1161124-f22e-487f-9d5f-ed8efc8dcd61", "target-uuid": "c21d5a77-d422-4a69-acd7-2c53c1faa34b" }, "uuid": "cef7d272-ee0c-4379-9d7b-63adf1f40252", "value": "Mis-Type uses Standard Non-Application Layer Protocol" }, { "meta": { "source-uuid": "17e919aa-4a49-445c-b103-dbb8df9e7351", "target-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6" }, "uuid": "c560f682-0d21-4c9b-b35d-33aec2287117", "value": "POWERSOURCE uses Standard Application Layer Protocol" }, { "meta": { "source-uuid": "30489451-5886-4c46-90c9-0dff9adc5252", "target-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0" }, "uuid": "d4fd461f-fc58-4060-aed4-cebe64f249b9", "value": "Arp uses System Network Configuration Discovery" }, { "meta": { "source-uuid": "5e7ef1dc-7fb6-4913-ac75-e06113b59e0c", "target-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6" }, "uuid": "d9e8d70a-06f6-4873-baf8-29ebfaf6bf99", "value": "MiniDuke uses Standard Application Layer Protocol" }, { "meta": { "source-uuid": "03342581-f790-4f03-ba41-e82e67392e23", "target-uuid": "322bad5a-1c49-4d23-ab79-76d641794afa" }, "uuid": "1d36c3e8-238f-46c6-9b20-9fb4cb5c75ba", "value": "Net uses System Service Discovery" }, { "meta": { "source-uuid": "0db09158-6e48-4e7c-8ce7-2b10b9c0c039", "target-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1" }, "uuid": "87e080cf-b8c0-4679-bcfb-ff77ab7698f3", "value": "Misdat uses System Information Discovery" }, { "meta": { "source-uuid": "66b1dcde-17a0-4c7b-95fa-b08d430c2131", "target-uuid": 
"9422fc14-1c43-410d-ab0f-a709b76c72dc" }, "uuid": "d067b113-4584-419f-860b-d3184f734350", "value": "S-Type uses Registry Run Keys / Start Folder" }, { "meta": { "source-uuid": "94927849-03e3-4a07-8f4c-9ee21b626719", "target-uuid": "2ba5aa71-9d15-4b22-b726-56af06d9ad2f" }, "uuid": "56086ed3-641e-4fd5-b26e-1ca9479c2081", "value": "Startup Items Mitigation mitigates Startup Items" }, { "meta": { "source-uuid": "7a19ecb1-3c65-4de3-a230-993516aed6a6", "target-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896" }, "uuid": "519c4c7f-8495-4b8a-b58e-551a78e469cc", "value": "Turla uses Query Registry" }, { "meta": { "source-uuid": "4ca1929c-7d64-4aab-b849-badbfc0c760d", "target-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0" }, "uuid": "e0301b36-c339-49c5-b257-9ece19152922", "value": "OilRig uses System Network Configuration Discovery" }, { "meta": { "source-uuid": "a0cb9370-e39b-44d5-9f50-ef78e412b973", "target-uuid": "ad255bfe-a9e6-4b52-a258-8d3462abe842" }, "uuid": "f837cc68-8715-4301-ae15-bf89c8b1f7ee", "value": "Axiom uses Data Obfuscation" }, { "meta": { "source-uuid": "17b40f60-729f-4fe8-8aea-cc9ee44a95d5", "target-uuid": "f879d51c-5476-431c-aedf-f14d207e4d1e" }, "uuid": "388b4637-f634-42ab-a370-981be7da89bd", "value": "RedLeaves uses Commonly Used Port" }, { "meta": { "source-uuid": "f9d6633a-55e6-4adc-9263-6ae080421a13", "target-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59" }, "uuid": "7f17927d-b371-42c4-bd68-0c5c57e3edab", "value": "Magic Hound uses File Deletion" }, { "meta": { "source-uuid": "7c39ebbf-244e-4d1c-b0ac-b282453ece43", "target-uuid": "1c338d0f-a65e-4073-a5c1-c06878849f21" }, "uuid": "13f5fad8-1b6f-4b65-9803-155f93b5d357", "value": "Process Hollowing Mitigation mitigates Process Hollowing" }, { "meta": { "source-uuid": "1f34230d-b6ae-4dc7-8599-78c18820bd21", "target-uuid": "3489cfc5-640f-4bb3-a103-9137b97de79f" }, "uuid": "fb1a7bbd-9dec-4038-9935-1647378f739f", "value": "Network Share Discovery Mitigation mitigates Network Share Discovery" }, { "meta": { 
"source-uuid": "2fb26586-2b53-4b9a-ad4f-2b3bcb9a2421", "target-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0" }, "uuid": "c5cf4822-a0bf-442a-9943-1937ac45520b", "value": "SslMM uses Masquerading" }, { "meta": { "source-uuid": "1022138b-497c-40e6-b53a-13351cbd4090", "target-uuid": "0ca7beef-9bbc-4e35-97cf-437384ddce6a" }, "uuid": "c7047518-c63f-41b5-a803-1ed54066a62e", "value": "File System Permissions Weakness Mitigation mitigates File System Permissions Weakness" }, { "meta": { "source-uuid": "222fbd21-fc4f-4b7e-9f85-0e6e3a76c33f", "target-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add" }, "uuid": "2cc93cb7-fbe6-4c79-b619-a2eb877de1cf", "value": "menuPass uses Remote File Copy" }, { "meta": { "source-uuid": "fbb470da-1d44-4f29-bbb3-9efbe20f94a3", "target-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830" }, "uuid": "f8a90328-b7ee-474a-9773-f5bf501defd3", "value": "Mivast uses Command-Line Interface" }, { "meta": { "source-uuid": "899ce53f-13a0-479b-a0e4-67d46e241542", "target-uuid": "7fd87010-3a00-4da3-b905-410525e8ec44" }, "uuid": "00ce7309-114c-45a1-b905-f7a973cb3837", "value": "APT29 uses Scripting" }, { "meta": { "source-uuid": "c93fccb1-e8e8-42cf-ae33-2ad1d183913a", "target-uuid": "a10641f4-87b4-45a3-a906-92a149cb2c27" }, "uuid": "2325c0b2-fb89-44e1-9206-e495811f2907", "value": "Lazarus Group uses Account Manipulation" }, { "meta": { "source-uuid": "6a2e693f-24e5-451a-9f88-b36a108e5662", "target-uuid": "b9f5dbe2-4c55-4fc5-af2e-d42c1d182ec4" }, "uuid": "43c34939-8236-4ddd-8def-0eb7b5fe62cf", "value": "APT1 uses Data Compressed" }, { "meta": { "source-uuid": "899ce53f-13a0-479b-a0e4-67d46e241542", "target-uuid": "9b99b83a-1aac-4e29-b975-b374950551a3" }, "uuid": "e65112dc-8a58-486f-9f3b-5a84925a3e53", "value": "APT29 uses Accessibility Features" }, { "meta": { "source-uuid": "0b32ec39-ba61-4864-9ebe-b4b0b73caf9a", "target-uuid": "128c55d3-aeba-469f-bd3e-c8996ab4112a" }, "uuid": "d2fa2382-dcfc-4cff-969b-2b5ec12dc406", "value": "TDTESS uses Timestomp" }, { "meta": { 
"source-uuid": "c47f937f-1022-4f42-8525-e7a4779a14cb", "target-uuid": "8beac7c2-48d2-4cd9-9b15-6c452f38ac06" }, "uuid": "762f85a3-0120-4b09-aafd-3f460764e85f", "value": "APT12 uses Ixeshe" }, { "meta": { "source-uuid": "91000a8a-58cc-4aba-9ad0-993ad6302b86", "target-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4" }, "uuid": "69bff194-c90e-4e30-a369-57da4cff014d", "value": "StreamEx uses Modify Registry" }, { "meta": { "source-uuid": "17b40f60-729f-4fe8-8aea-cc9ee44a95d5", "target-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc" }, "uuid": "ed2f811d-3258-4489-abe1-57dac4bdbbf8", "value": "RedLeaves uses Registry Run Keys / Start Folder" }, { "meta": { "source-uuid": "0f862b01-99da-47cc-9bdb-db4a86a95bb1", "target-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1" }, "uuid": "4a959425-4d43-4969-9a47-768894a3afaa", "value": "Emissary uses System Information Discovery" }, { "meta": { "source-uuid": "65341f30-bec6-4b1d-8abf-1a5620446c29", "target-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1" }, "uuid": "edbd751e-29ad-419f-a3ff-9d210453351d", "value": "Reaver uses System Information Discovery" }, { "meta": { "source-uuid": "7343e208-7cab-45f2-a47b-41ba5e2f0fab", "target-uuid": "ba8e391f-14b5-496f-81f2-2d5ecd646c1c" }, "uuid": "044ad6d3-9389-4764-9b96-ad53dc98840d", "value": "XTunnel uses Credentials in Files" }, { "meta": { "source-uuid": "a5528622-3a8a-4633-86ce-8cdaf8423858", "target-uuid": "66f73398-8394-4711-85e5-34c8540b22a5" }, "uuid": "3b4f48d3-eb5d-4d7e-9f0b-86f68951207d", "value": "FinFisher uses Hooking" }, { "meta": { "source-uuid": "addb3703-5a59-4461-9bcd-7e2b5d4e92a0", "target-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6" }, "uuid": "2a0b74b3-cbc3-45fa-aba4-eabdb0cb89b5", "value": "Standard Application Layer Protocol Mitigation mitigates Standard Application Layer Protocol" }, { "meta": { "source-uuid": "463f68f1-5cde-4dc2-a831-68b73488f8f4", "target-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5" }, "uuid": "5d55979e-d4e8-44eb-97d6-e3e78baa60c7", "value": "MobileOrder 
uses Data from Local System" }, { "meta": { "source-uuid": "247cb30b-955f-42eb-97a5-a89fef69341e", "target-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6" }, "uuid": "79057890-3cd0-4124-8b35-b86db6b4f9d7", "value": "APT32 uses Standard Application Layer Protocol" }, { "meta": { "source-uuid": "17b40f60-729f-4fe8-8aea-cc9ee44a95d5", "target-uuid": "7e150503-88e7-4861-866b-ff1ac82c4475" }, "uuid": "ed45fb1c-048a-4378-8c15-6f6ea0c72d7a", "value": "RedLeaves uses System Network Connections Discovery" }, { "meta": { "source-uuid": "6713ab67-e25b-49cc-808d-2b36d4fbc35c", "target-uuid": "4664b683-f578-434f-919b-1c1aad2a1111" }, "uuid": "325ccde0-2d5a-4306-9c4e-e1a554ee0d87", "value": "Ke3chang uses netstat" }, { "meta": { "source-uuid": "2a6f4c7b-e690-4cc7-ab6b-1f821fb6b80b", "target-uuid": "f879d51c-5476-431c-aedf-f14d207e4d1e" }, "uuid": "f19f6e41-14b2-44a1-940f-6a6f2cfab6be", "value": "LOWBALL uses Commonly Used Port" }, { "meta": { "source-uuid": "8901ac23-6b50-410c-b0dd-d8174a86f9b3", "target-uuid": "e358d692-23c0-4a31-9eb6-ecc13a8d7735" }, "uuid": "e1f4c08f-b5b1-4d62-8f1c-75f4302b0bce", "value": "Shamoon uses Remote System Discovery" }, { "meta": { "source-uuid": "17b40f60-729f-4fe8-8aea-cc9ee44a95d5", "target-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830" }, "uuid": "9194756f-c455-427b-9fb0-4887c7bf3bf3", "value": "RedLeaves uses Command-Line Interface" }, { "meta": { "source-uuid": "03342581-f790-4f03-ba41-e82e67392e23", "target-uuid": "72b74d71-8169-42aa-92e0-e7b04b9f5a08" }, "uuid": "15f74597-d92d-406f-9941-c0dfef3cb609", "value": "Net uses Account Discovery" }, { "meta": { "source-uuid": "5f9f7648-04ba-4a9f-bb4c-2a13e74572bd", "target-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9" }, "uuid": "dbacc7d5-5d10-4b41-994d-51e0792cfb19", "value": "Pteranodon uses Scheduled Task" }, { "meta": { "source-uuid": "aafea02e-ece5-4bb2-91a6-3bf8c7f38a39", "target-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81" }, "uuid": "26af1f3f-806e-45bd-860a-2eead8af7d3e", "value": "Cobalt 
Strike uses Valid Accounts" }, { "meta": { "source-uuid": "69d6f4a9-fcf0-4f51-bca7-597c51ad0bb8", "target-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0" }, "uuid": "bd5b4264-1f10-4cd5-b7b0-a6a8b9dad7c3", "value": "Remsec uses System Network Configuration Discovery" }, { "meta": { "source-uuid": "09b2cd76-c674-47cc-9f57-d2f2ad150a46", "target-uuid": "241814ae-de3f-4656-b49e-f9a80764d4b7" }, "uuid": "52781f1e-4b91-4ff2-8f48-89e15bc40d42", "value": "POWRUNER uses Security Software Discovery" }, { "meta": { "source-uuid": "a0cb9370-e39b-44d5-9f50-ef78e412b973", "target-uuid": "94379dec-5c87-49db-b36e-66abc0b81344" }, "uuid": "e4c7c4b7-fe19-4433-acd9-ec94f436f381", "value": "Axiom uses Derusbi" }, { "meta": { "source-uuid": "6b616fc1-1505-48e3-8b2c-0d19337bff38", "target-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5" }, "uuid": "7c792d18-25a3-4d85-be44-93523228748c", "value": "Rover uses Data from Local System" }, { "meta": { "source-uuid": "247cb30b-955f-42eb-97a5-a89fef69341e", "target-uuid": "98e8a977-3416-43aa-87fa-33e287e9c14c" }, "uuid": "d9c29485-ced4-4ebc-880c-31d35dd54b26", "value": "APT32 uses WINDSHIELD" }, { "meta": { "source-uuid": "222fbd21-fc4f-4b7e-9f85-0e6e3a76c33f", "target-uuid": "64fa0de0-6240-41f4-8638-f4ca7ed528fd" }, "uuid": "68487d82-458b-4f45-b1c8-c6e4affaa226", "value": "menuPass uses PlugX" }, { "meta": { "source-uuid": "b6b3dfc7-9a81-43ff-ac04-698bad48973a", "target-uuid": "ad255bfe-a9e6-4b52-a258-8d3462abe842" }, "uuid": "a566127b-1d88-4b38-84dd-4686e2837399", "value": "Daserf uses Data Obfuscation" }, { "meta": { "source-uuid": "95047f03-4811-4300-922e-1ba937d53a61", "target-uuid": "731f4f55-b6d0-41d1-a7a9-072a66389aea" }, "uuid": "d7c40b1d-efe6-4869-9754-6494d45f51f1", "value": "Hikit uses Connection Proxy" }, { "meta": { "source-uuid": "d69c8146-ab35-4d50-8382-6fc80e641d43", "target-uuid": "7bc57495-ea59-4380-be31-a64af124ef18" }, "uuid": "007cc21a-685a-4701-99c1-20f258cedc7c", "value": "BLACKCOFFEE uses File and Directory Discovery" }, { 
"meta": { "source-uuid": "88c621a7-aef9-4ae0-94e3-1fc87123eb24", "target-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2" }, "uuid": "becf0a5e-4636-4d2f-bd4a-fd60b15ee74a", "value": "gh0st uses Input Capture" }, { "meta": { "source-uuid": "00c3bfcb-99bd-4767-8c03-b08f585f5c8a", "target-uuid": "f879d51c-5476-431c-aedf-f14d207e4d1e" }, "uuid": "a72ad83f-8336-4d01-b22d-5c836f5e5bf9", "value": "PowerDuke uses Commonly Used Port" }, { "meta": { "source-uuid": "69d6f4a9-fcf0-4f51-bca7-597c51ad0bb8", "target-uuid": "e3a12395-188d-4051-9a16-ea8e14d07b88" }, "uuid": "e6b68811-113e-4f86-8096-9f506e34dda1", "value": "Remsec uses Network Service Scanning" }, { "meta": { "source-uuid": "ccd61dfc-b03f-4689-8c18-7c97eab08472", "target-uuid": "731f4f55-b6d0-41d1-a7a9-072a66389aea" }, "uuid": "252c0e02-0da6-4812-b147-81d9cfb3c998", "value": "CHOPSTICK uses Connection Proxy" }, { "meta": { "source-uuid": "66b1dcde-17a0-4c7b-95fa-b08d430c2131", "target-uuid": "970cdb5c-02fb-4c38-b17e-d6327cf3c810" }, "uuid": "907df22e-fdfe-4b93-8b18-ebf66f83868c", "value": "S-Type uses Shortcut Modification" }, { "meta": { "source-uuid": "68ba94ab-78b8-43e7-83e2-aed3466882c6", "target-uuid": "7fd87010-3a00-4da3-b905-410525e8ec44" }, "uuid": "a39bc982-3934-4ec7-ba33-0de9331d55f5", "value": "APT34 uses Scripting" }, { "meta": { "source-uuid": "7a19ecb1-3c65-4de3-a230-993516aed6a6", "target-uuid": "76abb3ef-dafd-4762-97cb-a35379429db4" }, "uuid": "773e99eb-0739-42d3-afaa-aff65e86329d", "value": "Turla uses Gazer" }, { "meta": { "source-uuid": "0bbdf25b-30ff-4894-a1cd-49260d0dd2d9", "target-uuid": "92d7da27-2d91-488e-a00c-059dc162766d" }, "uuid": "68edf451-bda3-4159-9715-dbcfda8eb8e2", "value": "APT3 uses Exfiltration Over Command and Control Channel" }, { "meta": { "source-uuid": "95ddb356-7ba0-4bd9-a889-247262b8946f", "target-uuid": "0f20e3cb-245b-4a61-8a91-2d93f7cb0e9b" }, "uuid": "1e91cd45-a725-4965-abe3-700694374432", "value": "Rootkit Mitigation mitigates Rootkit" }, { "meta": { "source-uuid": 
"26fed817-e7bf-41f9-829a-9075ffac45c2", "target-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580" }, "uuid": "4d90fd9d-9f9b-45f8-986d-3db43b679905", "value": "Kasidet uses Process Discovery" }, { "meta": { "source-uuid": "df71bb3b-813c-45eb-a8bc-f2a419837411", "target-uuid": "b42378e0-f147-496f-992a-26a49705395b" }, "uuid": "fad44d26-02a8-4cdc-b566-5e24f32a93b3", "value": "Molerats uses PoisonIvy" }, { "meta": { "source-uuid": "8901ac23-6b50-410c-b0dd-d8174a86f9b3", "target-uuid": "f879d51c-5476-431c-aedf-f14d207e4d1e" }, "uuid": "5bb39b9d-3651-4cdf-80b1-9d88b2062258", "value": "Shamoon uses Commonly Used Port" }, { "meta": { "source-uuid": "c93fccb1-e8e8-42cf-ae33-2ad1d183913a", "target-uuid": "dcaa092b-7de9-4a21-977f-7fcb77e89c48" }, "uuid": "1a40426a-355c-4d7e-b51c-e95a102b31e2", "value": "Lazarus Group uses Access Token Manipulation" }, { "meta": { "source-uuid": "d1acfbb3-647b-4723-9154-800ec119006e", "target-uuid": "96566860-9f11-4b6f-964d-1c924e4f24a4" }, "uuid": "64aab090-e7c2-4114-8c15-49700b611fb8", "value": "Sowbug uses Starloader" }, { "meta": { "source-uuid": "fb575479-14ef-41e9-bfab-0b7cf10bec73", "target-uuid": "92d7da27-2d91-488e-a00c-059dc162766d" }, "uuid": "d8abe157-f6cd-4959-b9d5-e0c87d16bcfe", "value": "ADVSTORESHELL uses Exfiltration Over Command and Control Channel" }, { "meta": { "source-uuid": "c0c45d38-fe57-4cd4-b2b2-9ecd0ddd4ca9", "target-uuid": "30973a08-aed9-4edf-8604-9084ce1b5c4f" }, "uuid": "35ca6c35-f1e9-49b7-a8c9-a67951c57ea0", "value": "TinyZBot uses Clipboard Data" }, { "meta": { "source-uuid": "09b2cd76-c674-47cc-9f57-d2f2ad150a46", "target-uuid": "ad255bfe-a9e6-4b52-a258-8d3462abe842" }, "uuid": "129cacdc-8acb-4209-a77c-a6a7e0820a97", "value": "POWRUNER uses Data Obfuscation" }, { "meta": { "source-uuid": "69d6f4a9-fcf0-4f51-bca7-597c51ad0bb8", "target-uuid": "4b74a1d4-b0e9-4ef1-93f1-14ecc6e2f5b5" }, "uuid": "1fe4be95-b162-4fc7-a3c9-4277547ea722", "value": "Remsec uses Standard Cryptographic Protocol" }, { "meta": { "source-uuid": 
"6a2e693f-24e5-451a-9f88-b36a108e5662", "target-uuid": "c9cd7ec9-40b7-49db-80be-1399eddd9c52" }, "uuid": "1d5e0da2-7741-4a31-9c54-cbbe584fe27b", "value": "APT1 uses Cachedump" }, { "meta": { "source-uuid": "7551188b-8f91-4d34-8350-0d0c57b2b913", "target-uuid": "322bad5a-1c49-4d23-ab79-76d641794afa" }, "uuid": "2a7d01e9-9c42-4d17-947a-629ca7a9d515", "value": "Elise uses System Service Discovery" }, { "meta": { "source-uuid": "fe98767f-9df8-42b9-83c9-004b1dec8647", "target-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81" }, "uuid": "93b12e1a-7f21-4fa0-9b2a-c96c7c270625", "value": "PittyTiger uses Valid Accounts" }, { "meta": { "source-uuid": "7a19ecb1-3c65-4de3-a230-993516aed6a6", "target-uuid": "6b62e336-176f-417b-856a-8552dd8c44e1" }, "uuid": "e02d1cb4-1bb7-49b5-a918-5e0d194974aa", "value": "Turla uses Epic" }, { "meta": { "source-uuid": "cba5667e-e3c6-44a4-811c-266dbc00e440", "target-uuid": "52f3d5a6-8a0f-4f82-977e-750abf90d0b0" }, "uuid": "f6483534-196c-4540-a456-985594171cd8", "value": "Extra Window Memory Injection Mitigation mitigates Extra Window Memory Injection" }, { "meta": { "source-uuid": "5cbe0d3b-6fb1-471f-b591-4b192915116d", "target-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830" }, "uuid": "13a8be40-1190-4553-b026-58c5088c322a", "value": "Suckfly uses Command-Line Interface" }, { "meta": { "source-uuid": "68dca94f-c11d-421e-9287-7c501108e18c", "target-uuid": "4b74a1d4-b0e9-4ef1-93f1-14ecc6e2f5b5" }, "uuid": "7cb48d6d-1171-4e9d-87c7-4779293f6921", "value": "Duqu uses Standard Cryptographic Protocol" }, { "meta": { "source-uuid": "9559ecaf-2e75-48a7-aee8-9974020bc772", "target-uuid": "f5352566-1a64-49ac-8f7f-97e1d1a03300" }, "uuid": "ded85906-e996-45cd-ae64-82adc22397e3", "value": "MONSOON uses AutoIt backdoor" }, { "meta": { "source-uuid": "d69c8146-ab35-4d50-8382-6fc80e641d43", "target-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580" }, "uuid": "5a77e097-3aed-4bd3-b5fc-997746da62ad", "value": "BLACKCOFFEE uses Process Discovery" }, { "meta": { "source-uuid": 
"56648de3-8947-4559-90c4-eda10acc0f5a", "target-uuid": "9e09ddb2-1746-4448-9cad-7f8b41777d6d" }, "uuid": "dce95526-cb24-4d3e-9b3b-de704e0730e4", "value": "Keychain Mitigation mitigates Keychain" }, { "meta": { "source-uuid": "8901ac23-6b50-410c-b0dd-d8174a86f9b3", "target-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6" }, "uuid": "ed94edc7-e687-409e-9143-20a15190bd83", "value": "Shamoon uses Standard Application Layer Protocol" }, { "meta": { "source-uuid": "bef4c620-0787-42a8-a96d-b7eb6e85917c", "target-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2" }, "uuid": "2d450e2f-25c9-49af-b83f-6c91029ed28a", "value": "APT28 uses Input Capture" }, { "meta": { "source-uuid": "4ca1929c-7d64-4aab-b849-badbfc0c760d", "target-uuid": "2e45723a-31da-4a7e-aaa6-e01998a6788f" }, "uuid": "3beb0c09-e584-4fd8-92bb-d7a1ae9192e6", "value": "OilRig uses Tasklist" }, { "meta": { "source-uuid": "d01f473f-3cdc-4867-9e55-1de9cf1986f0", "target-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c" }, "uuid": "8104dfee-8883-4f7c-8f7d-84c9b409efc3", "value": "Deobfuscate/Decode Files or Information Mitigation mitigates Deobfuscate/Decode Files or Information" }, { "meta": { "source-uuid": "a60657fa-e2e7-4f8f-8128-a882534ae8c5", "target-uuid": "c16e5409-ee53-4d79-afdc-4099dc9292df" }, "uuid": "0dee5507-6e61-4244-86a8-c7e8a34469da", "value": "OwaAuth uses Web Shell" }, { "meta": { "source-uuid": "c93fccb1-e8e8-42cf-ae33-2ad1d183913a", "target-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5" }, "uuid": "3fe9b64a-6435-4592-9181-2ad50ee93044", "value": "Lazarus Group uses Data from Local System" }, { "meta": { "source-uuid": "a653431d-6a5e-4600-8ad3-609b5af57064", "target-uuid": "9b99b83a-1aac-4e29-b975-b374950551a3" }, "uuid": "ab069468-3dff-4c77-9293-adb0b2627a4e", "value": "Deep Panda uses Accessibility Features" }, { "meta": { "source-uuid": "4fa49fc0-9162-4bdb-a37e-7aa3dcb6d38b", "target-uuid": "f44731de-ea9f-406d-9b83-30ecbb9b4392" }, "uuid": "3f416bd3-a06f-4ec2-8cf6-4a84e0611c63", "value": "xCmd uses Service 
Execution" }, { "meta": { "source-uuid": "64fa0de0-6240-41f4-8638-f4ca7ed528fd", "target-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830" }, "uuid": "79106ad4-28d3-4f67-a2c3-116d138ec84a", "value": "PlugX uses Command-Line Interface" }, { "meta": { "source-uuid": "17dec760-9c8f-4f1b-9b4b-0ac47a453234", "target-uuid": "246fd3c7-f5e3-466d-8787-4c13d9e3b61c" }, "uuid": "e0d33a40-a0d1-49fe-bea1-d0e4f000f628", "value": "Miner-C uses Taint Shared Content" }, { "meta": { "source-uuid": "083bb47b-02c8-4423-81a2-f9ef58572974", "target-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59" }, "uuid": "1d54c1d7-529f-4e4f-9a38-55b1b8cbff66", "value": "Backdoor.Oldrea uses File Deletion" }, { "meta": { "source-uuid": "6cac62ce-550b-4793-8ee6-6a1b8836edb0", "target-uuid": "799ace7f-e227-4411-baa0-8868704f2a69" }, "uuid": "dd21c8fe-caf8-40df-b049-787ba465eef7", "value": "Indicator Removal on Host Mitigation mitigates Indicator Removal on Host" }, { "meta": { "source-uuid": "c5574ca0-d5a4-490a-b207-e4658e5fd1d7", "target-uuid": "463f68f1-5cde-4dc2-a831-68b73488f8f4" }, "uuid": "9155d072-d94b-4a63-b089-26781aff5275", "value": "Scarlet Mimic uses MobileOrder" }, { "meta": { "source-uuid": "fb366179-766c-4a4a-afa1-52bff1fd601c", "target-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59" }, "uuid": "e8193b28-b28a-4ab7-8390-8a5bd4d851b5", "value": "Threat Group-3390 uses File Deletion" }, { "meta": { "source-uuid": "64d76fa5-cf8f-469c-b78c-1a4f7c5bad80", "target-uuid": "62dfd1ca-52d5-483c-a84b-d6e80bf94b7b" }, "uuid": "96077086-d811-47a1-a805-decbf6f249b7", "value": "BBSRAT uses Modify Existing Service" }, { "meta": { "source-uuid": "3753cc21-2dae-4dfb-8481-d004e74502cc", "target-uuid": "7c93aa74-4bc0-4a9e-90ea-f25f86301566" }, "uuid": "506acc8a-e691-4f4e-b69f-bfab84cf2c73", "value": "FIN7 uses Application Shimming" }, { "meta": { "source-uuid": "9ea525fa-b0a9-4dde-84f2-bcea0137b3c1", "target-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104" }, "uuid": "818a401d-dd4d-426a-b89c-d33625380b8b", "value": 
"MoonWind uses System Owner/User Discovery" }, { "meta": { "source-uuid": "a60657fa-e2e7-4f8f-8128-a882534ae8c5", "target-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6" }, "uuid": "d53d1e84-f4de-4e6a-bc84-5edfce84b055", "value": "OwaAuth uses Standard Application Layer Protocol" }, { "meta": { "source-uuid": "eff1a885-6f90-42a1-901f-eef6e7a1905e", "target-uuid": "15dbf668-795c-41e6-8219-f0447c0e64ce" }, "uuid": "b3981ca6-7ef0-4625-99a8-9cbec731bac9", "value": "Helminth uses Permission Groups Discovery" }, { "meta": { "source-uuid": "93f52415-0fe4-4d3d-896c-fc9b8e88ab90", "target-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22" }, "uuid": "8f897f1c-7bc6-4a85-8d3b-627f976af215", "value": "BRONZE BUTLER uses Credential Dumping" }, { "meta": { "source-uuid": "fb366179-766c-4a4a-afa1-52bff1fd601c", "target-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0" }, "uuid": "69682171-e717-4af7-a24a-06a39f381641", "value": "Threat Group-3390 uses System Network Configuration Discovery" }, { "meta": { "source-uuid": "37cc7eb6-12e3-467b-82e8-f20f2cc73c69", "target-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104" }, "uuid": "fce2d07b-7bc7-497a-b21a-75a23fbccf50", "value": "Prikormka uses System Owner/User Discovery" }, { "meta": { "source-uuid": "67e6d66b-1b82-4699-b47a-e2efb6268d14", "target-uuid": "cc7b8c4e-9be0-47ca-b0bb-83915ec3ee2f" }, "uuid": "13c97dd2-5c0b-4f18-84ab-533949fbeb25", "value": "SeaDuke uses Data Encoding" }, { "meta": { "source-uuid": "c93fccb1-e8e8-42cf-ae33-2ad1d183913a", "target-uuid": "f72eb8a8-cd4c-461d-a814-3f862befbf00" }, "uuid": "b51f3b69-d62b-4ccf-9ce8-62ec7f934e4b", "value": "Lazarus Group uses Custom Command and Control Protocol" }, { "meta": { "source-uuid": "fe98767f-9df8-42b9-83c9-004b1dec8647", "target-uuid": "afc079f3-c0ea-4096-b75d-3f05338b7f60" }, "uuid": "cc831c63-94af-4937-b8e6-668591ec7d04", "value": "PittyTiger uses Mimikatz" }, { "meta": { "source-uuid": "fb261c56-b80e-43a9-8351-c84081e7213d", "target-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580" }, 
"uuid": "64cb753d-eb72-4dce-a417-7df747334347", "value": "BACKSPACE uses Process Discovery" }, { "meta": { "source-uuid": "95c29444-49f9-49f7-8b20-bcd68d8fcaa6", "target-uuid": "4bf5845d-a814-4490-bc5c-ccdee6043025" }, "uuid": "0c2ba74b-a5b0-493c-84f3-41b6131070a0", "value": "AppCert DLLs Mitigation mitigates AppCert DLLs" }, { "meta": { "source-uuid": "92ec0cbd-2c30-44a2-b270-73f4ec949841", "target-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a" }, "uuid": "d5c86dd3-3cfa-4ade-8984-fdf079b9f81b", "value": "RTM uses Obfuscated Files or Information" }, { "meta": { "source-uuid": "9e729a7e-0dd6-4097-95bf-db8d64911383", "target-uuid": "1b84d551-6de8-4b96-9930-d177677c3b1d" }, "uuid": "b69424ec-3af6-44aa-842a-81fba219b9f4", "value": "Darkhotel uses Code Signing" }, { "meta": { "source-uuid": "2dd34b01-6110-4aac-835d-b5e7b936b0be", "target-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22" }, "uuid": "695c2f41-140a-48f9-9e14-0cd58d7712d1", "value": "OLDBAIT uses Credential Dumping" }, { "meta": { "source-uuid": "f8dfbc54-b070-4224-b560-79aaa5f835bd", "target-uuid": "ca1a3f50-5ebd-41f8-8320-2c7d6a6e88be" }, "uuid": "8961d93e-ec51-42dd-8f76-54d46ea21967", "value": "H1N1 uses Bypass User Account Control" }, { "meta": { "source-uuid": "463f68f1-5cde-4dc2-a831-68b73488f8f4", "target-uuid": "7bc57495-ea59-4380-be31-a64af124ef18" }, "uuid": "bc72acee-e417-4de8-8084-153e141917b6", "value": "MobileOrder uses File and Directory Discovery" }, { "meta": { "source-uuid": "0ced8926-914e-4c78-bc93-356fb90dbd1f", "target-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580" }, "uuid": "61fa303b-a9ff-419f-b3ac-96e43e37b6e5", "value": "HALFBAKED uses Process Discovery" }, { "meta": { "source-uuid": "6a2e693f-24e5-451a-9f88-b36a108e5662", "target-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830" }, "uuid": "dd4c02ea-b54a-4753-beb5-3248d89a7e04", "value": "APT1 uses Command-Line Interface" }, { "meta": { "source-uuid": "8ae43c46-57ef-47d5-a77a-eebb35628db2", "target-uuid": 
"43e7dc91-05b2-474c-b9ac-2ed4fe101f4d" }, "uuid": "da44c85c-914b-41e0-aef7-68cd3c1faea1", "value": "JHUHUGIT uses Process Injection" }, { "meta": { "source-uuid": "93f52415-0fe4-4d3d-896c-fc9b8e88ab90", "target-uuid": "7bc57495-ea59-4380-be31-a64af124ef18" }, "uuid": "fc4dd2b6-63a0-46fe-bfc4-90e58e5d1422", "value": "BRONZE BUTLER uses File and Directory Discovery" }, { "meta": { "source-uuid": "f9d6633a-55e6-4adc-9263-6ae080421a13", "target-uuid": "7bc57495-ea59-4380-be31-a64af124ef18" }, "uuid": "87b8b451-bf9b-4e93-b591-05ef502970f5", "value": "Magic Hound uses File and Directory Discovery" }, { "meta": { "source-uuid": "dfb5fa9b-3051-4b97-8035-08f80aef945b", "target-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add" }, "uuid": "a1e74408-5c7b-4538-afd9-a01b23a92429", "value": "Psylo uses Remote File Copy" }, { "meta": { "source-uuid": "59a97b15-8189-4d51-9404-e1ce8ea4a069", "target-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580" }, "uuid": "bb005145-438c-4fd8-9cac-a636df7465da", "value": "XAgentOSX uses Process Discovery" }, { "meta": { "source-uuid": "64d76fa5-cf8f-469c-b78c-1a4f7c5bad80", "target-uuid": "1c338d0f-a65e-4073-a5c1-c06878849f21" }, "uuid": "ec6074e4-4137-42a4-86c8-1ea95ce54df6", "value": "BBSRAT uses Process Hollowing" }, { "meta": { "source-uuid": "09b2cd76-c674-47cc-9f57-d2f2ad150a46", "target-uuid": "72b74d71-8169-42aa-92e0-e7b04b9f5a08" }, "uuid": "61dd6d75-a95b-488d-9a1d-924563592df7", "value": "POWRUNER uses Account Discovery" }, { "meta": { "source-uuid": "2e290bfe-93b5-48ce-97d6-edcd6d32b7cf", "target-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104" }, "uuid": "a5ffea60-7694-48cd-92e9-b755669b2fdb", "value": "Gamaredon Group uses System Owner/User Discovery" }, { "meta": { "source-uuid": "6b616fc1-1505-48e3-8b2c-0d19337bff38", "target-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc" }, "uuid": "0f5d3626-1dc2-4ebe-ba37-3f86ab0df9ec", "value": "Rover uses Registry Run Keys / Start Folder" }, { "meta": { "source-uuid": 
"bef4c620-0787-42a8-a96d-b7eb6e85917c", "target-uuid": "3b744087-9945-4a6f-91e8-9dbceda417a4" }, "uuid": "edaf0203-4959-4e1e-9240-3d20cf0f3b6a", "value": "APT28 uses Replication Through Removable Media" }, { "meta": { "source-uuid": "17b40f60-729f-4fe8-8aea-cc9ee44a95d5", "target-uuid": "c848fcf7-6b62-4bde-8216-b6c157d48da0" }, "uuid": "44090eb6-1166-4986-8583-60dcc8e69cc7", "value": "RedLeaves uses Uncommonly Used Port" }, { "meta": { "source-uuid": "ed7d0cb1-87a6-43b4-9f46-ef1bc56d6c68", "target-uuid": "428ca9f8-0e33-442a-be87-f869cb4cf73e" }, "uuid": "74486fa3-a5b8-49b2-82b7-0c453b4baf12", "value": "Tor uses Multilayer Encryption" }, { "meta": { "source-uuid": "b52f41b9-ccf6-4da7-a6c0-167eeb71fbd8", "target-uuid": "389735f1-f21c-4208-b8f0-f8031e7169b8" }, "uuid": "d18d4353-e344-4759-b51b-ed39ab2b5f46", "value": "Browser Extensions Mitigation mitigates Browser Extensions" }, { "meta": { "source-uuid": "60c18d06-7b91-4742-bae3-647845cd9d81", "target-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add" }, "uuid": "e41ab3e7-2b69-4461-a693-e53a24c9ab59", "value": "CORESHELL uses Remote File Copy" }, { "meta": { "source-uuid": "083bb47b-02c8-4423-81a2-f9ef58572974", "target-uuid": "7bc57495-ea59-4380-be31-a64af124ef18" }, "uuid": "b8f1354c-9cff-40ef-aa47-591952c735c3", "value": "Backdoor.Oldrea uses File and Directory Discovery" }, { "meta": { "source-uuid": "94f6b4f5-b528-4f50-91d5-f66457c2f8f7", "target-uuid": "544b0346-29ad-41e1-a808-501bb4193f47" }, "uuid": "efa2ae6b-8942-4ea2-80ca-b4181dd01427", "value": "Man in the Browser Mitigation mitigates Man in the Browser" }, { "meta": { "source-uuid": "6a2e693f-24e5-451a-9f88-b36a108e5662", "target-uuid": "a52edc76-328d-4596-85e7-d56ef5a9eb69" }, "uuid": "76393f0c-a13c-48a8-ba7d-80502ae938a7", "value": "APT1 uses Pass-The-Hash Toolkit" }, { "meta": { "source-uuid": "43213480-78f7-4fb3-976f-d48f5f6a4c2a", "target-uuid": "d54416bd-0803-41ca-870a-ce1af7c05638" }, "uuid": "f9669551-29f8-4aaf-83b9-50e541bbdced", "value": "FLASHFLOOD 
uses Data Encrypted" }, { "meta": { "source-uuid": "326af1cd-78e7-45b7-a326-125d2f7ef8f2", "target-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22" }, "uuid": "ed74954d-4717-4d63-9836-4cbd66c37345", "value": "Crimson uses Credential Dumping" }, { "meta": { "source-uuid": "0bbdf25b-30ff-4894-a1cd-49260d0dd2d9", "target-uuid": "62b8c999-dcc0-4755-bd69-09442d9359f5" }, "uuid": "555e47f2-54bb-4c97-8804-536aa354126c", "value": "APT3 uses Rundll32" }, { "meta": { "source-uuid": "2a158b0a-7ef8-43cb-9985-bf34d1e12050", "target-uuid": "22addc7b-b39f-483d-979a-1b35147da5de" }, "uuid": "45966f4c-51d4-4940-854d-79d712f63ed5", "value": "Naikon uses WinMM" }, { "meta": { "source-uuid": "7fcbc4e8-1989-441f-9ac5-e7b6ff5806f1", "target-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1" }, "uuid": "c088f23e-b741-453c-a710-01990dead853", "value": "Systeminfo uses System Information Discovery" }, { "meta": { "source-uuid": "362dc67f-4e85-4562-9dac-1b6b7f3ec4b5", "target-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0" }, "uuid": "01e01c24-ba4c-41d7-8f30-8fca364dc2c6", "value": "ifconfig uses System Network Configuration Discovery" }, { "meta": { "source-uuid": "fece06b7-d4b1-42cf-b81a-5323c917546e", "target-uuid": "7bc57495-ea59-4380-be31-a64af124ef18" }, "uuid": "27834043-1004-4a70-9023-a318bd6db7c6", "value": "FALLCHILL uses File and Directory Discovery" }, { "meta": { "source-uuid": "515f6584-fa98-44fe-a4e8-e428c7188514", "target-uuid": "f24faf46-3b26-4dbb-98f2-63460498e433" }, "uuid": "bb523d35-52f1-4c61-a8de-b4605ce9e596", "value": "Fallback Channels Mitigation mitigates Fallback Channels" }, { "meta": { "source-uuid": "5e595477-2e78-4ce7-ae42-e0b059b17808", "target-uuid": "c3888c54-775d-4b2f-b759-75a2ececcbfd" }, "uuid": "3e497bf1-4fdc-40a2-b8a2-3492c1d605e5", "value": "POSHSPY uses Data Transfer Size Limits" }, { "meta": { "source-uuid": "1c63d4ec-0a75-4daa-b1df-0d11af3d3cc1", "target-uuid": "f879d51c-5476-431c-aedf-f14d207e4d1e" }, "uuid": "25d96e8e-6893-4b90-82cc-253cbd499543", "value": 
"Dragonfly uses Commonly Used Port" }, { "meta": { "source-uuid": "b96680d1-5eb3-4f07-b95c-00ab904ac236", "target-uuid": "7bc57495-ea59-4380-be31-a64af124ef18" }, "uuid": "ed8b5029-835d-492c-a1f4-10ccbf084a76", "value": "Pisloader uses File and Directory Discovery" }, { "meta": { "source-uuid": "19edfa02-1a5f-47e4-ad82-3288f57f64cf", "target-uuid": "30973a08-aed9-4edf-8604-9084ce1b5c4f" }, "uuid": "25a46055-25f5-4f91-9b0f-ba099f9dde4b", "value": "Clipboard Data Mitigation mitigates Clipboard Data" }, { "meta": { "source-uuid": "17b40f60-729f-4fe8-8aea-cc9ee44a95d5", "target-uuid": "7bc57495-ea59-4380-be31-a64af124ef18" }, "uuid": "d4ca926c-6976-4ee8-a5b0-89aa11931bea", "value": "RedLeaves uses File and Directory Discovery" }, { "meta": { "source-uuid": "ccd61dfc-b03f-4689-8c18-7c97eab08472", "target-uuid": "7bc57495-ea59-4380-be31-a64af124ef18" }, "uuid": "838b4a52-1360-4ca7-ab25-1b549508e687", "value": "CHOPSTICK uses File and Directory Discovery" }, { "meta": { "source-uuid": "e9595678-d269-469e-ae6b-75e49259de63", "target-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add" }, "uuid": "b3f53743-4bd9-47a6-bf41-6f7786bbdc87", "value": "BADNEWS uses Remote File Copy" }, { "meta": { "source-uuid": "fb366179-766c-4a4a-afa1-52bff1fd601c", "target-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9" }, "uuid": "17594ffb-af22-4cdc-8849-ca31d2019a9e", "value": "Threat Group-3390 uses Scheduled Task" }, { "meta": { "source-uuid": "74febc44-8955-4e4d-aca0-d4dad2f967d7", "target-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d" }, "uuid": "f004e6c4-0c37-4060-9627-9ec0940aee9c", "value": "Process Injection Mitigation mitigates Process Injection" }, { "meta": { "source-uuid": "7ecc3b4f-5cdb-457e-b55a-df376b359446", "target-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580" }, "uuid": "c6f81350-a410-4ac7-a4b0-58bd4a9c1d9e", "value": "Poseidon Group uses Process Discovery" }, { "meta": { "source-uuid": "17862c7d-9e60-48a0-b48e-da4dc4c3f6b0", "target-uuid": "f4882e23-8aa7-4b12-b28a-b349c12ee9e0" }, 
"uuid": "d6e43621-ca4a-475f-b81c-037a0878728b", "value": "Patchwork uses PowerShell" }, { "meta": { "source-uuid": "59a97b15-8189-4d51-9404-e1ce8ea4a069", "target-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1" }, "uuid": "ec362b37-1a64-4b28-8d34-7819d0aa5b2a", "value": "XAgentOSX uses System Information Discovery" }, { "meta": { "source-uuid": "e9595678-d269-469e-ae6b-75e49259de63", "target-uuid": "ad255bfe-a9e6-4b52-a258-8d3462abe842" }, "uuid": "3884be12-f73f-4f9b-875e-68d40798faf6", "value": "BADNEWS uses Data Obfuscation" }, { "meta": { "source-uuid": "54cc1d4f-5c53-4f0e-9ef5-11b4998e82e4", "target-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2" }, "uuid": "bbd9b8d7-431c-44fa-95ac-61f73271ae92", "value": "BlackEnergy uses Input Capture" }, { "meta": { "source-uuid": "91000a8a-58cc-4aba-9ad0-993ad6302b86", "target-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a" }, "uuid": "ee51d531-5cc4-4836-a55c-6062bde1a4d4", "value": "StreamEx uses Obfuscated Files or Information" }, { "meta": { "source-uuid": "876f6a77-fbc5-4e13-ab1a-5611986730a3", "target-uuid": "317fefa6-46c7-4062-adb6-2008cf6bcb41" }, "uuid": "3d16b34f-f58b-4469-a0ef-7585f88d6001", "value": "T9000 uses AppInit DLLs" }, { "meta": { "source-uuid": "aafea02e-ece5-4bb2-91a6-3bf8c7f38a39", "target-uuid": "51dea151-0898-4a45-967c-3ebee0420484" }, "uuid": "3cb99d8e-8a3d-47ed-b4b7-e217cea48013", "value": "Cobalt Strike uses Remote Desktop Protocol" }, { "meta": { "source-uuid": "fb366179-766c-4a4a-afa1-52bff1fd601c", "target-uuid": "56f46b17-8cfa-46c0-b501-dd52fef394e2" }, "uuid": "4a1bfb6c-f110-4785-9dff-4c8e433bf04d", "value": "Threat Group-3390 uses ASPXSpy" }, { "meta": { "source-uuid": "53cf6cc4-65aa-445a-bcf8-c3d296f8a7a2", "target-uuid": "7bc57495-ea59-4380-be31-a64af124ef18" }, "uuid": "5bb94c21-96c6-4c71-ae46-b222a69a493a", "value": "NETEAGLE uses File and Directory Discovery" }, { "meta": { "source-uuid": "82cb34ba-02b5-432b-b2d2-07f55cbf674d", "target-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add" }, "uuid": 
"7282eabe-73e0-4a10-824b-f18df7f892e2", "value": "Trojan.Karagany uses Remote File Copy" }, { "meta": { "source-uuid": "2eb9b131-d333-4a48-9eb4-d8dec46c19ee", "target-uuid": "774a3188-6ba9-4dc4-879d-d54ee48a5ce9" }, "uuid": "d8ac067b-f246-40bb-98bd-fcff74092139", "value": "CosmicDuke uses Automated Exfiltration" }, { "meta": { "source-uuid": "e1161124-f22e-487f-9d5f-ed8efc8dcd61", "target-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6" }, "uuid": "9b80479d-6f7a-45fd-af5b-1e8adfb1e7fd", "value": "Mis-Type uses Standard Application Layer Protocol" }, { "meta": { "source-uuid": "876f6a77-fbc5-4e13-ab1a-5611986730a3", "target-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104" }, "uuid": "a6150e37-2411-409f-82a0-e259d55d1166", "value": "T9000 uses System Owner/User Discovery" }, { "meta": { "source-uuid": "ccd61dfc-b03f-4689-8c18-7c97eab08472", "target-uuid": "64196062-5210-42c3-9a02-563a0d1797ef" }, "uuid": "167d7b11-01f3-42d5-bb8a-78306dc80243", "value": "CHOPSTICK uses Communication Through Removable Media" }, { "meta": { "source-uuid": "eff1a885-6f90-42a1-901f-eef6e7a1905e", "target-uuid": "30208d3e-0d6b-43c8-883e-44462a514619" }, "uuid": "cd58d271-9ee2-45d6-9ca3-22ae8da639b5", "value": "Helminth uses Automated Collection" }, { "meta": { "source-uuid": "fbe9387f-34e6-4828-ac28-3080020c597b", "target-uuid": "f4882e23-8aa7-4b12-b28a-b349c12ee9e0" }, "uuid": "a5888362-00f3-4c9e-98ee-048aee5169e1", "value": "FIN10 uses PowerShell" }, { "meta": { "source-uuid": "1c63d4ec-0a75-4daa-b1df-0d11af3d3cc1", "target-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0" }, "uuid": "89da3f24-b9dc-4c68-9240-228215e51bfc", "value": "Dragonfly uses Masquerading" }, { "meta": { "source-uuid": "0bbdf25b-30ff-4894-a1cd-49260d0dd2d9", "target-uuid": "f6d1d2cb-12f5-4221-9636-44606ea1f3f8" }, "uuid": "16ef3e00-dc40-462c-9b74-5e8a8b24c86e", "value": "APT3 uses OSInfo" }, { "meta": { "source-uuid": "68ba94ab-78b8-43e7-83e2-aed3466882c6", "target-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22" }, "uuid": 
"5f95e123-9f44-47a0-affc-aaae6929d269", "value": "APT34 uses Credential Dumping" }, { "meta": { "source-uuid": "2e5d3a83-fe00-41a5-9b60-237efc84832f", "target-uuid": "b42378e0-f147-496f-992a-26a49705395b" }, "uuid": "d6e40826-7af0-4e4e-96c3-28493abda6c7", "value": "Moafee uses PoisonIvy" }, { "meta": { "source-uuid": "68ba94ab-78b8-43e7-83e2-aed3466882c6", "target-uuid": "10d51417-ee35-4589-b1ff-b6df1c334e8d" }, "uuid": "e9a2c6b5-c02a-404b-818c-d54915a53952", "value": "APT34 uses External Remote Services" }, { "meta": { "source-uuid": "876f6a77-fbc5-4e13-ab1a-5611986730a3", "target-uuid": "1035cdf2-3e5f-446f-a7a7-e8f6d7925967" }, "uuid": "842f8f4b-9d90-4533-850f-777f33ef8257", "value": "T9000 uses Audio Capture" }, { "meta": { "source-uuid": "45e7f570-6a0b-4095-bf02-4bca05da6bae", "target-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0" }, "uuid": "61528841-379e-4fa3-a233-34c745764c18", "value": "Masquerading Mitigation mitigates Masquerading" }, { "meta": { "source-uuid": "7ecc3b4f-5cdb-457e-b55a-df376b359446", "target-uuid": "72b74d71-8169-42aa-92e0-e7b04b9f5a08" }, "uuid": "a602be33-6ed6-4f73-b7f6-10b47581707a", "value": "Poseidon Group uses Account Discovery" }, { "meta": { "source-uuid": "7ecc3b4f-5cdb-457e-b55a-df376b359446", "target-uuid": "322bad5a-1c49-4d23-ab79-76d641794afa" }, "uuid": "720be590-5ea0-43b6-8360-fa75dd4d1a67", "value": "Poseidon Group uses System Service Discovery" }, { "meta": { "source-uuid": "54cc1d4f-5c53-4f0e-9ef5-11b4998e82e4", "target-uuid": "f24faf46-3b26-4dbb-98f2-63460498e433" }, "uuid": "f5936bbd-f8cb-404a-bd43-87f7bc836294", "value": "BlackEnergy uses Fallback Channels" }, { "meta": { "source-uuid": "5e595477-2e78-4ce7-ae42-e0b059b17808", "target-uuid": "128c55d3-aeba-469f-bd3e-c8996ab4112a" }, "uuid": "d57d1a71-6ac7-4028-ba73-86e5df98395f", "value": "POSHSPY uses Timestomp" }, { "meta": { "source-uuid": "94379dec-5c87-49db-b36e-66abc0b81344", "target-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830" }, "uuid": 
"3268cdc0-7cee-4fe5-92cc-2c3cdc06712b", "value": "Derusbi uses Command-Line Interface" }, { "meta": { "source-uuid": "6a2e693f-24e5-451a-9f88-b36a108e5662", "target-uuid": "b8eb28e4-48a6-40ae-951a-328714f75eda" }, "uuid": "19fce62c-ba70-4c20-bf74-0bca7886190c", "value": "APT1 uses BISCUIT" }, { "meta": { "source-uuid": "67e6d66b-1b82-4699-b47a-e2efb6268d14", "target-uuid": "b9f5dbe2-4c55-4fc5-af2e-d42c1d182ec4" }, "uuid": "45522d60-160a-4c07-bd98-9a487175910e", "value": "SeaDuke uses Data Compressed" }, { "meta": { "source-uuid": "a653431d-6a5e-4600-8ad3-609b5af57064", "target-uuid": "2e45723a-31da-4a7e-aaa6-e01998a6788f" }, "uuid": "9d081347-3446-47a4-b5a9-d7a9d2d499e7", "value": "Deep Panda uses Tasklist" }, { "meta": { "source-uuid": "68dca94f-c11d-421e-9287-7c501108e18c", "target-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81" }, "uuid": "448a35fc-fecf-4373-9888-30c37dd1d56a", "value": "Duqu uses Valid Accounts" }, { "meta": { "source-uuid": "38952eac-cb1b-4a71-bad2-ee8223a1c8fe", "target-uuid": "72b74d71-8169-42aa-92e0-e7b04b9f5a08" }, "uuid": "44259d7d-e156-4e09-a401-ff62f0706cdd", "value": "dsquery uses Account Discovery" }, { "meta": { "source-uuid": "c47a9b55-8f61-4b82-b833-1db6242c754e", "target-uuid": "c0a384a4-9a25-40e1-97b6-458388474bc8" }, "uuid": "cfe1e092-57a9-4f7e-ba4a-794bfa797de8", "value": "Local Job Scheduling Mitigation mitigates Local Job Scheduling" }, { "meta": { "source-uuid": "5e595477-2e78-4ce7-ae42-e0b059b17808", "target-uuid": "4b74a1d4-b0e9-4ef1-93f1-14ecc6e2f5b5" }, "uuid": "b380ad90-2f3b-4f98-ae23-3dfdba448e0a", "value": "POSHSPY uses Standard Cryptographic Protocol" }, { "meta": { "source-uuid": "80a014ba-3fef-4768-990b-37d8bd10d7f4", "target-uuid": "0f20e3cb-245b-4a61-8a91-2d93f7cb0e9b" }, "uuid": "eb74fa31-121d-4e43-9794-048a901f509a", "value": "Uroburos uses Rootkit" }, { "meta": { "source-uuid": "68dca94f-c11d-421e-9287-7c501108e18c", "target-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2" }, "uuid": 
"0b823cda-4775-4690-9ea6-02bbaa3522a1", "value": "Duqu uses Input Capture" }, { "meta": { "source-uuid": "6b62e336-176f-417b-856a-8552dd8c44e1", "target-uuid": "1b84d551-6de8-4b96-9930-d177677c3b1d" }, "uuid": "88ad4d2e-745e-4712-8901-e772dfaf3298", "value": "Epic uses Code Signing" }, { "meta": { "source-uuid": "c0c45d38-fe57-4cd4-b2b2-9ecd0ddd4ca9", "target-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688" }, "uuid": "6f01abdc-bd94-4645-afed-8d3bd365bba4", "value": "TinyZBot uses Screen Capture" }, { "meta": { "source-uuid": "a653431d-6a5e-4600-8ad3-609b5af57064", "target-uuid": "94379dec-5c87-49db-b36e-66abc0b81344" }, "uuid": "ba4e03d1-f9b6-442d-974b-2fb7feddb551", "value": "Deep Panda uses Derusbi" }, { "meta": { "source-uuid": "68ba94ab-78b8-43e7-83e2-aed3466882c6", "target-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2" }, "uuid": "1eac1b9e-28f1-4315-8070-6946e7e11444", "value": "APT34 uses Input Capture" }, { "meta": { "source-uuid": "df71bb3b-813c-45eb-a8bc-f2a419837411", "target-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580" }, "uuid": "6e757efa-8231-4674-a1ea-e234e2dfb838", "value": "Molerats uses Process Discovery" }, { "meta": { "source-uuid": "083bb47b-02c8-4423-81a2-f9ef58572974", "target-uuid": "ad255bfe-a9e6-4b52-a258-8d3462abe842" }, "uuid": "7123a6ee-2026-4db8-a983-cbc2932c2a09", "value": "Backdoor.Oldrea uses Data Obfuscation" }, { "meta": { "source-uuid": "dc5d1a33-62aa-4a0c-aa8c-589b87beb11e", "target-uuid": "4b74a1d4-b0e9-4ef1-93f1-14ecc6e2f5b5" }, "uuid": "e376d1ed-a35a-47c1-98c6-4d37f52b1b84", "value": "ChChes uses Standard Cryptographic Protocol" }, { "meta": { "source-uuid": "0bc3ce00-83bc-4a92-a042-79ffbc6af259", "target-uuid": "e906ae4d-1d3a-4675-be23-22f7311c0da4" }, "uuid": "4b5bd2c6-b460-401d-8457-005add9037d9", "value": "Windows Management Instrumentation Event Subscription Mitigation mitigates Windows Management Instrumentation Event Subscription" }, { "meta": { "source-uuid": "17862c7d-9e60-48a0-b48e-da4dc4c3f6b0", "target-uuid": 
"03d7999c-1f4c-42cc-8373-e7690d318104" }, "uuid": "8bb44b86-379d-49ba-9b28-2451e69db30d", "value": "Patchwork uses System Owner/User Discovery" }, { "meta": { "source-uuid": "687c23e4-4e25-4ee7-a870-c5e002511f54", "target-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add" }, "uuid": "ad5f49b0-8b92-43d1-99f3-c691ccb7a8ac", "value": "DustySky uses Remote File Copy" }, { "meta": { "source-uuid": "4320b080-9ae9-4541-9b8b-bcd0961dbbbd", "target-uuid": "7dd95ff6-712e-4056-9626-312ea4ab4c5e" }, "uuid": "47316750-4ca7-4ea3-b72c-9d7c7d895e3a", "value": "Data Staged Mitigation mitigates Data Staged" }, { "meta": { "source-uuid": "92ec0cbd-2c30-44a2-b270-73f4ec949841", "target-uuid": "241814ae-de3f-4656-b49e-f9a80764d4b7" }, "uuid": "d7903e1f-f31c-48bc-b7c3-3616cb1a792f", "value": "RTM uses Security Software Discovery" }, { "meta": { "source-uuid": "222fbd21-fc4f-4b7e-9f85-0e6e3a76c33f", "target-uuid": "3240cbe4-c550-443b-aa76-cc2a7058b870" }, "uuid": "15aa00d1-11c0-4be1-a900-ede5e1376110", "value": "menuPass uses SNUGRIDE" }, { "meta": { "source-uuid": "40d3e230-ed32-469f-ba89-be70cc08ab39", "target-uuid": "3b744087-9945-4a6f-91e8-9dbceda417a4" }, "uuid": "7f3c015e-d95d-4d35-a583-236134464554", "value": "Agent.btz uses Replication Through Removable Media" }, { "meta": { "source-uuid": "8e461ca3-0996-4e6e-a0df-e2a5bbc51ebc", "target-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1" }, "uuid": "27375058-3002-4fc2-a964-a1e336a10a2a", "value": "4H RAT uses System Information Discovery" }, { "meta": { "source-uuid": "37cc7eb6-12e3-467b-82e8-f20f2cc73c69", "target-uuid": "799ace7f-e227-4411-baa0-8868704f2a69" }, "uuid": "be5dadd8-71ce-40ac-8858-5d5c5fbe0e96", "value": "Prikormka uses Indicator Removal on Host" }, { "meta": { "source-uuid": "da2ef4a9-7cbe-400a-a379-e2f230f28db3", "target-uuid": "02fefddc-fb1b-423f-a76b-7552dd211d4d" }, "uuid": "63d53308-7d7d-4777-a1cc-c7100735609c", "value": "BOOTRASH uses Bootkit" }, { "meta": { "source-uuid": "294e2560-bd48-44b2-9da2-833b5588ad11", 
"target-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0" }, "uuid": "b91e06c1-9546-4184-9552-ba501bf9182e", "value": "ipconfig uses System Network Configuration Discovery" }, { "meta": { "source-uuid": "2e45723a-31da-4a7e-aaa6-e01998a6788f", "target-uuid": "241814ae-de3f-4656-b49e-f9a80764d4b7" }, "uuid": "80ca0faf-6958-4158-a36d-b3e7936c5f5a", "value": "Tasklist uses Security Software Discovery" }, { "meta": { "source-uuid": "fece06b7-d4b1-42cf-b81a-5323c917546e", "target-uuid": "128c55d3-aeba-469f-bd3e-c8996ab4112a" }, "uuid": "3017cf15-f6a8-4281-8c74-9dd8f7c2666f", "value": "FALLCHILL uses Timestomp" }, { "meta": { "source-uuid": "b96680d1-5eb3-4f07-b95c-00ab904ac236", "target-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1" }, "uuid": "ed2e17b5-171b-4878-a3ab-2b70e8ca132a", "value": "Pisloader uses System Information Discovery" }, { "meta": { "source-uuid": "e066bf86-9cfb-407a-9d25-26fd5d91e360", "target-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add" }, "uuid": "0e12d7d1-5c46-4314-97fb-263853eed6af", "value": "HTTPBrowser uses Remote File Copy" }, { "meta": { "source-uuid": "66b1dcde-17a0-4c7b-95fa-b08d430c2131", "target-uuid": "e01be9c5-e763-4caf-aeb7-000b416aef67" }, "uuid": "6d819560-bdfb-4e0a-bf56-fddcba60cdb5", "value": "S-Type uses Create Account" }, { "meta": { "source-uuid": "09b2cd76-c674-47cc-9f57-d2f2ad150a46", "target-uuid": "7bc57495-ea59-4380-be31-a64af124ef18" }, "uuid": "9670979e-9785-45f0-a470-f591c97f6f8a", "value": "POWRUNER uses File and Directory Discovery" }, { "meta": { "source-uuid": "85403903-15e0-4f9f-9be4-a259ecad4022", "target-uuid": "10d51417-ee35-4589-b1ff-b6df1c334e8d" }, "uuid": "9abd0448-a3b7-4262-8753-fe81dc91c434", "value": "FIN5 uses External Remote Services" }, { "meta": { "source-uuid": "6a0ef5d4-fc7c-4dda-85d7-592e4dbdc5d9", "target-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2" }, "uuid": "7a30e6e7-ed64-47b1-b368-c1cec96d5fbf", "value": "Sykipot uses Input Capture" }, { "meta": { "source-uuid": 
"199463de-d9be-46d6-bb41-07234c1dd5a6", "target-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580" }, "uuid": "3363ae54-1fe3-4c9f-b074-79dc0d7fbba5", "value": "GeminiDuke uses Process Discovery" }, { "meta": { "source-uuid": "76abb3ef-dafd-4762-97cb-a35379429db4", "target-uuid": "128c55d3-aeba-469f-bd3e-c8996ab4112a" }, "uuid": "1dfbe8fe-0e7a-42a7-85f0-a94b086b470b", "value": "Gazer uses Timestomp" }, { "meta": { "source-uuid": "38fd6a28-3353-4f2b-bb2b-459fecd5c648", "target-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9" }, "uuid": "67f19627-27a5-4898-bab5-7b235aa4ad77", "value": "APT18 uses Scheduled Task" }, { "meta": { "source-uuid": "25d5e1d8-c6fb-4735-bc57-115a21222f4b", "target-uuid": "4ae4f953-fe58-4cc8-a327-33257e30a830" }, "uuid": "3e89d94b-5e6f-48b3-ba80-d366940fa968", "value": "Application Window Discovery Mitigation mitigates Application Window Discovery" }, { "meta": { "source-uuid": "2a7914cf-dff3-428d-ab0f-1014d1c28aeb", "target-uuid": "7dd95ff6-712e-4056-9626-312ea4ab4c5e" }, "uuid": "eaaf6671-ead6-441b-b8d0-037a1e47572e", "value": "FIN6 uses Data Staged" }, { "meta": { "source-uuid": "2ace01f8-67c8-43eb-b7b1-a7b9f1fe67e1", "target-uuid": "7bc57495-ea59-4380-be31-a64af124ef18" }, "uuid": "e432b3bc-5539-40e5-bce2-3ba6f463b571", "value": "File and Directory Discovery Mitigation mitigates File and Directory Discovery" }, { "meta": { "source-uuid": "65341f30-bec6-4b1d-8abf-1a5620446c29", "target-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104" }, "uuid": "e0a0966c-7a2f-41b3-962f-3a6b22a5a8a9", "value": "Reaver uses System Owner/User Discovery" }, { "meta": { "source-uuid": "196f1f32-e0c2-4d46-99cd-234d4b6befe1", "target-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104" }, "uuid": "427a9eb9-659d-433c-9e2c-9a66d115a9a3", "value": "Felismus uses System Owner/User Discovery" }, { "meta": { "source-uuid": "0db09158-6e48-4e7c-8ce7-2b10b9c0c039", "target-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add" }, "uuid": "ae3be82b-3d54-4be8-939b-e074a2cea170", "value": "Misdat uses 
Remote File Copy" }, { "meta": { "source-uuid": "66b1dcde-17a0-4c7b-95fa-b08d430c2131", "target-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6" }, "uuid": "4d4c8221-17a9-4e5b-86f9-6a0cffc42424", "value": "S-Type uses Standard Application Layer Protocol" }, { "meta": { "source-uuid": "0a68f1f1-da74-4d28-8d9a-696c082706cc", "target-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c" }, "uuid": "5918cee6-c2f1-41be-ab96-36f3d17e5293", "value": "certutil uses Deobfuscate/Decode Files or Information" }, { "meta": { "source-uuid": "7a19ecb1-3c65-4de3-a230-993516aed6a6", "target-uuid": "e358d692-23c0-4a31-9eb6-ecc13a8d7735" }, "uuid": "b8a1739d-240b-46c1-a25a-b82d1c4e4765", "value": "Turla uses Remote System Discovery" }, { "meta": { "source-uuid": "1c63d4ec-0a75-4daa-b1df-0d11af3d3cc1", "target-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688" }, "uuid": "926d0b0c-9421-4b8e-a740-8823e35c642f", "value": "Dragonfly uses Screen Capture" }, { "meta": { "source-uuid": "9ea525fa-b0a9-4dde-84f2-bcea0137b3c1", "target-uuid": "7dd95ff6-712e-4056-9626-312ea4ab4c5e" }, "uuid": "9c4a8336-5f5f-4e58-b00d-b6bf1c59ec03", "value": "MoonWind uses Data Staged" }, { "meta": { "source-uuid": "e1161124-f22e-487f-9d5f-ed8efc8dcd61", "target-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830" }, "uuid": "41023c59-b41e-454a-ace2-cd98d4fedb8e", "value": "Mis-Type uses Command-Line Interface" }, { "meta": { "source-uuid": "ae41895a-243f-4a65-b99b-d85022326c31", "target-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5" }, "uuid": "72cd5bab-20d9-4895-a6be-7d33f28d4b65", "value": "Dust Storm uses Data from Local System" }, { "meta": { "source-uuid": "96b08451-b27a-4ff6-893f-790e26393a8e", "target-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add" }, "uuid": "33162cc2-a800-4d42-89bb-13ac1e75dfce", "value": "Sakula uses Remote File Copy" }, { "meta": { "source-uuid": "4ca1929c-7d64-4aab-b849-badbfc0c760d", "target-uuid": "afc079f3-c0ea-4096-b75d-3f05338b7f60" }, "uuid": "e94576ee-284c-4782-a6ef-b7dd8a780254", "value": "OilRig 
uses Mimikatz" }, { "meta": { "source-uuid": "1881da33-fdf2-4eea-afd0-e04caf9c000f", "target-uuid": "348f1eef-964b-4eb6-bb53-69b3dcb0c643" }, "uuid": "9d0c7e94-b7d6-4ede-8223-a19e615e0a0b", "value": "Peripheral Device Discovery Mitigation mitigates Peripheral Device Discovery" }, { "meta": { "source-uuid": "68ba94ab-78b8-43e7-83e2-aed3466882c6", "target-uuid": "c16e5409-ee53-4d79-afdc-4099dc9292df" }, "uuid": "2ccda6d1-5196-4e22-b94a-01c3676fecc9", "value": "APT34 uses Web Shell" }, { "meta": { "source-uuid": "9e2bba94-950b-4fcf-8070-cb3f816c5f4e", "target-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830" }, "uuid": "3ada7220-b5a6-45b9-a7ca-4a26423da831", "value": "hcdLoader uses Command-Line Interface" }, { "meta": { "source-uuid": "902286b2-96cc-4dd7-931f-e7340c9961da", "target-uuid": "0c8ab3eb-df48-4b9c-ace7-beacaac81cc5" }, "uuid": "77fad92a-72ba-44d2-b4cb-a3079fbdb256", "value": "File System Logical Offsets Mitigation mitigates File System Logical Offsets" }, { "meta": { "source-uuid": "d9727aee-48b8-4fdb-89e2-4c49746ba4dd", "target-uuid": "ae676644-d2d2-41b7-af7e-9bed1b55898c" }, "uuid": "592d0c31-e61f-495e-a60e-70d7be59a719", "value": "Data from Network Shared Drive Mitigation mitigates Data from Network Shared Drive" }, { "meta": { "source-uuid": "fb366179-766c-4a4a-afa1-52bff1fd601c", "target-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830" }, "uuid": "26eafe5d-0ffc-48cf-ba1d-3681bdcbfaa3", "value": "Threat Group-3390 uses Command-Line Interface" }, { "meta": { "source-uuid": "68dca94f-c11d-421e-9287-7c501108e18c", "target-uuid": "f72eb8a8-cd4c-461d-a814-3f862befbf00" }, "uuid": "47e827f6-ec1d-4f16-80ab-0c54254ff42c", "value": "Duqu uses Custom Command and Control Protocol" }, { "meta": { "source-uuid": "67e6d66b-1b82-4699-b47a-e2efb6268d14", "target-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add" }, "uuid": "5abaaa8f-19c7-448f-9e5a-66f1cbf412f9", "value": "SeaDuke uses Remote File Copy" }, { "meta": { "source-uuid": "1d808f62-cf63-4063-9727-ff6132514c22", 
"target-uuid": "46944654-fcc1-4f63-9dad-628102376586" }, "uuid": "191885b6-1282-4173-a2bd-174c30c8a1dc", "value": "WEBC2 uses DLL Search Order Hijacking" }, { "meta": { "source-uuid": "ccd61dfc-b03f-4689-8c18-7c97eab08472", "target-uuid": "3b744087-9945-4a6f-91e8-9dbceda417a4" }, "uuid": "9aeda7e2-e452-4cd3-837f-e258cba1fc96", "value": "CHOPSTICK uses Replication Through Removable Media" }, { "meta": { "source-uuid": "ae41895a-243f-4a65-b99b-d85022326c31", "target-uuid": "166c0eca-02fd-424a-92c0-6b5106994d31" }, "uuid": "4cb1c7b1-6efd-488c-857d-605ff8ca9ab5", "value": "Dust Storm uses ZLib" }, { "meta": { "source-uuid": "65341f30-bec6-4b1d-8abf-1a5620446c29", "target-uuid": "c21d5a77-d422-4a69-acd7-2c53c1faa34b" }, "uuid": "67f82f6c-18f1-4f1e-8352-b7ecf8839ea2", "value": "Reaver uses Standard Non-Application Layer Protocol" }, { "meta": { "source-uuid": "9a902722-cecd-4fbe-a6c9-49333aa0f8c2", "target-uuid": "e358d692-23c0-4a31-9eb6-ecc13a8d7735" }, "uuid": "863d6b6f-9e13-4925-a736-5e719a10a0b8", "value": "Remote System Discovery Mitigation mitigates Remote System Discovery" }, { "meta": { "source-uuid": "fb261c56-b80e-43a9-8351-c84081e7213d", "target-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896" }, "uuid": "564de5da-7ecc-45c7-bbd5-619a8f316f70", "value": "BACKSPACE uses Query Registry" }, { "meta": { "source-uuid": "53cf6cc4-65aa-445a-bcf8-c3d296f8a7a2", "target-uuid": "92d7da27-2d91-488e-a00c-059dc162766d" }, "uuid": "3565539f-7ebf-4288-8422-5212c774821b", "value": "NETEAGLE uses Exfiltration Over Command and Control Channel" }, { "meta": { "source-uuid": "fb366179-766c-4a4a-afa1-52bff1fd601c", "target-uuid": "b21c3b2d-02e6-45b1-980b-e69051040839" }, "uuid": "0942dc11-0fcd-480a-ae4d-d571ba96331b", "value": "Threat Group-3390 uses Exploitation of Vulnerability" }, { "meta": { "source-uuid": "0db09158-6e48-4e7c-8ce7-2b10b9c0c039", "target-uuid": "799ace7f-e227-4411-baa0-8868704f2a69" }, "uuid": "dc68cc0c-154a-4c69-a35a-b7fd843d8e98", "value": "Misdat uses Indicator 
Removal on Host" }, { "meta": { "source-uuid": "552462b9-ae79-49dd-855c-5973014e157f", "target-uuid": "0f20e3cb-245b-4a61-8a91-2d93f7cb0e9b" }, "uuid": "da6aa745-9eb5-44d9-80f8-e9f542d106d2", "value": "Zeroaccess uses Rootkit" }, { "meta": { "source-uuid": "b96680d1-5eb3-4f07-b95c-00ab904ac236", "target-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc" }, "uuid": "02a629d3-b970-43e8-a11b-79f35107a4c0", "value": "Pisloader uses Registry Run Keys / Start Folder" }, { "meta": { "source-uuid": "5ce5392a-3a6c-4e07-9df3-9b6a9159ac45", "target-uuid": "2e0dd10b-676d-4964-acd0-8a404c92b044" }, "uuid": "94211067-148f-4196-a216-c1bb1e5cfc70", "value": "Putter Panda uses Disabling Security Tools" }, { "meta": { "source-uuid": "68ba94ab-78b8-43e7-83e2-aed3466882c6", "target-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59" }, "uuid": "d6e48ec5-1634-4ddd-865e-0bcb32a1fd1a", "value": "APT34 uses File Deletion" }, { "meta": { "source-uuid": "c5947e1c-1cbc-434c-94b8-27c7e3be0fff", "target-uuid": "d3afa961-a80c-4043-9509-282cdf69ab21" }, "uuid": "a70d06e8-63dd-4cb3-83a5-f7bd8f2a8132", "value": "Winnti Group uses Winnti" }, { "meta": { "source-uuid": "f108215f-3487-489d-be8b-80e346d32518", "target-uuid": "3b3cbbe0-6ed3-4334-b543-3ddfd8c5642d" }, "uuid": "c08ef8e9-9e12-4bb2-9e6a-061934f33ea0", "value": "Komplex uses Custom Cryptographic Protocol" }, { "meta": { "source-uuid": "247cb30b-955f-42eb-97a5-a89fef69341e", "target-uuid": "128c55d3-aeba-469f-bd3e-c8996ab4112a" }, "uuid": "71a8ae5e-3a78-49b5-9857-e202d636cedf", "value": "APT32 uses Timestomp" }, { "meta": { "source-uuid": "16ade1aa-0ea1-4bb7-88cc-9079df2ae756", "target-uuid": "322bad5a-1c49-4d23-ab79-76d641794afa" }, "uuid": "e6e324d1-b775-48bb-ac9f-02fcc2428752", "value": "admin@338 uses System Service Discovery" }, { "meta": { "source-uuid": "a60657fa-e2e7-4f8f-8128-a882534ae8c5", "target-uuid": "7bc57495-ea59-4380-be31-a64af124ef18" }, "uuid": "358047bf-1dd3-4fc4-bc1a-b7004bd54b8d", "value": "OwaAuth uses File and Directory 
Discovery" }, { "meta": { "source-uuid": "8b880b41-5139-4807-baa9-309690218719", "target-uuid": "7bc57495-ea59-4380-be31-a64af124ef18" }, "uuid": "d0332cfa-d932-4bc3-b661-9cd72c00b390", "value": "SPACESHIP uses File and Directory Discovery" }, { "meta": { "source-uuid": "41cff8e9-fd05-408e-b3d5-d98c54c20bcf", "target-uuid": "c1b11bf7-c68e-4fbf-a95b-28efbe7953bb" }, "uuid": "b02c9017-5ec9-4be0-9aa9-b183d252c516", "value": "SSH Hijacking Mitigation mitigates SSH Hijacking" }, { "meta": { "source-uuid": "5967cc93-57c9-404a-8ffd-097edfa7bdfc", "target-uuid": "428ca9f8-0e33-442a-be87-f869cb4cf73e" }, "uuid": "a5d7526f-2b1f-4a69-abc7-926b22bc402b", "value": "Hi-Zor uses Multilayer Encryption" }, { "meta": { "source-uuid": "dfb5fa9b-3051-4b97-8035-08f80aef945b", "target-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6" }, "uuid": "58f6b7ce-c0d0-4a54-b60d-1c39d6204796", "value": "Psylo uses Standard Application Layer Protocol" }, { "meta": { "source-uuid": "60c18d06-7b91-4742-bae3-647845cd9d81", "target-uuid": "62b8c999-dcc0-4755-bd69-09442d9359f5" }, "uuid": "ccc38b61-c517-4186-909a-760f12ef65e8", "value": "CORESHELL uses Rundll32" }, { "meta": { "source-uuid": "f9d6633a-55e6-4adc-9263-6ae080421a13", "target-uuid": "830c9528-df21-472c-8c14-a036bf17d665" }, "uuid": "79f89b33-046c-4bfa-a12d-c50fa0d84ea6", "value": "Magic Hound uses Web Service" }, { "meta": { "source-uuid": "0bbdf25b-30ff-4894-a1cd-49260d0dd2d9", "target-uuid": "f4882e23-8aa7-4b12-b28a-b349c12ee9e0" }, "uuid": "ba1b953d-08ce-4b4b-924e-92556cdf1d90", "value": "APT3 uses PowerShell" }, { "meta": { "source-uuid": "ccd61dfc-b03f-4689-8c18-7c97eab08472", "target-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896" }, "uuid": "f55d54fe-27ed-41f9-81db-11ccbe2d2125", "value": "CHOPSTICK uses Query Registry" }, { "meta": { "source-uuid": "6a0ef5d4-fc7c-4dda-85d7-592e4dbdc5d9", "target-uuid": "322bad5a-1c49-4d23-ab79-76d641794afa" }, "uuid": "09c10778-19ad-441a-8a75-a3cf1288f960", "value": "Sykipot uses System Service 
Discovery" }, { "meta": { "source-uuid": "37cc7eb6-12e3-467b-82e8-f20f2cc73c69", "target-uuid": "46944654-fcc1-4f63-9dad-628102376586" }, "uuid": "6ce3735c-bfae-4eec-ab6b-bbf08cb7d60f", "value": "Prikormka uses DLL Search Order Hijacking" }, { "meta": { "source-uuid": "38fd6a28-3353-4f2b-bb2b-459fecd5c648", "target-uuid": "bba595da-b73a-4354-aa6c-224d4de7cb4e" }, "uuid": "89c6bcd7-e330-4902-8296-0918923d6573", "value": "APT18 uses cmd" }, { "meta": { "source-uuid": "aafea02e-ece5-4bb2-91a6-3bf8c7f38a39", "target-uuid": "ca1a3f50-5ebd-41f8-8320-2c7d6a6e88be" }, "uuid": "6c030461-42c5-44db-908a-85ac9a5a9822", "value": "Cobalt Strike uses Bypass User Account Control" }, { "meta": { "source-uuid": "f9d6633a-55e6-4adc-9263-6ae080421a13", "target-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0" }, "uuid": "88c50625-6d02-42fb-aa82-4315a532b754", "value": "Magic Hound uses System Network Configuration Discovery" }, { "meta": { "source-uuid": "4ca1929c-7d64-4aab-b849-badbfc0c760d", "target-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104" }, "uuid": "b22cebe6-129a-41a2-8a9e-70c222c88af6", "value": "OilRig uses System Owner/User Discovery" }, { "meta": { "source-uuid": "16ade1aa-0ea1-4bb7-88cc-9079df2ae756", "target-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1" }, "uuid": "eb85fa2e-3c50-4130-9717-8688237fecbc", "value": "admin@338 uses System Information Discovery" }, { "meta": { "source-uuid": "f5352566-1a64-49ac-8f7f-97e1d1a03300", "target-uuid": "f4882e23-8aa7-4b12-b28a-b349c12ee9e0" }, "uuid": "e47397b7-b3c7-4919-ac5e-1f3266ef97e3", "value": "AutoIt backdoor uses PowerShell" }, { "meta": { "source-uuid": "7331c66a-5601-4d3f-acf6-ad9e3035eb40", "target-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a" }, "uuid": "c3a1969b-1edb-4a78-80ab-b122cc2822e4", "value": "Group5 uses Obfuscated Files or Information" }, { "meta": { "source-uuid": "60c18d06-7b91-4742-bae3-647845cd9d81", "target-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6" }, "uuid": "167e1e15-1fe1-4073-aac1-062557fdd79f", 
"value": "CORESHELL uses Standard Application Layer Protocol" }, { "meta": { "source-uuid": "60c18d06-7b91-4742-bae3-647845cd9d81", "target-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc" }, "uuid": "dcc2c503-25dc-47bb-b9cb-35ce27e73cd2", "value": "CORESHELL uses Registry Run Keys / Start Folder" }, { "meta": { "source-uuid": "92ec0cbd-2c30-44a2-b270-73f4ec949841", "target-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc" }, "uuid": "37dd9a3c-dd52-4541-be7c-b490d026305c", "value": "RTM uses Registry Run Keys / Start Folder" }, { "meta": { "source-uuid": "0bbdf25b-30ff-4894-a1cd-49260d0dd2d9", "target-uuid": "84e02621-8fdf-470f-bd58-993bb6a89d91" }, "uuid": "1258536b-6cf4-4cfe-98c7-e9c1d30c5a34", "value": "APT3 uses Multi-Stage Channels" }, { "meta": { "source-uuid": "5967cc93-57c9-404a-8ffd-097edfa7bdfc", "target-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a" }, "uuid": "d0d74930-6b1d-4d1d-ba7f-60b93c114fd9", "value": "Hi-Zor uses Obfuscated Files or Information" }, { "meta": { "source-uuid": "b96680d1-5eb3-4f07-b95c-00ab904ac236", "target-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830" }, "uuid": "0c56b369-b665-4001-87ff-d27ae135cc64", "value": "Pisloader uses Command-Line Interface" }, { "meta": { "source-uuid": "fb261c56-b80e-43a9-8351-c84081e7213d", "target-uuid": "2e0dd10b-676d-4964-acd0-8a404c92b044" }, "uuid": "eb7a6a3f-cc88-4ed7-8421-4642c1eb1978", "value": "BACKSPACE uses Disabling Security Tools" }, { "meta": { "source-uuid": "2a7914cf-dff3-428d-ab0f-1014d1c28aeb", "target-uuid": "b9f5dbe2-4c55-4fc5-af2e-d42c1d182ec4" }, "uuid": "98229d5a-fce3-442e-91cf-7ec7b7994248", "value": "FIN6 uses Data Compressed" }, { "meta": { "source-uuid": "1c63d4ec-0a75-4daa-b1df-0d11af3d3cc1", "target-uuid": "10d51417-ee35-4589-b1ff-b6df1c334e8d" }, "uuid": "5e4ec089-c86d-4684-9783-af348d4aaa14", "value": "Dragonfly uses External Remote Services" }, { "meta": { "source-uuid": "38fd6a28-3353-4f2b-bb2b-459fecd5c648", "target-uuid": "10d51417-ee35-4589-b1ff-b6df1c334e8d" }, "uuid": 
"3b521f87-a77d-4c8d-8ab8-ffc6dbc3d62e", "value": "APT18 uses External Remote Services" }, { "meta": { "source-uuid": "b6b3dfc7-9a81-43ff-ac04-698bad48973a", "target-uuid": "cc7b8c4e-9be0-47ca-b0bb-83915ec3ee2f" }, "uuid": "4abcf209-1dab-435b-a347-b8ff318ac5d8", "value": "Daserf uses Data Encoding" }, { "meta": { "source-uuid": "fb366179-766c-4a4a-afa1-52bff1fd601c", "target-uuid": "242f3da3-4425-4d11-8f5c-b842886da966" }, "uuid": "fb6a8268-5a73-4ac0-8f61-439f472063d6", "value": "Threat Group-3390 uses Windows Credential Editor" }, { "meta": { "source-uuid": "df71bb3b-813c-45eb-a8bc-f2a419837411", "target-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22" }, "uuid": "a06bd922-b887-4134-81cb-1e4180cf5a5a", "value": "Molerats uses Credential Dumping" }, { "meta": { "source-uuid": "2eb9b131-d333-4a48-9eb4-d8dec46c19ee", "target-uuid": "30973a08-aed9-4edf-8604-9084ce1b5c4f" }, "uuid": "66625422-17cd-4b04-beb5-fa2eabe350ad", "value": "CosmicDuke uses Clipboard Data" }, { "meta": { "source-uuid": "b35068ec-107a-4266-bda8-eb7036267aea", "target-uuid": "7e150503-88e7-4861-866b-ff1ac82c4475" }, "uuid": "980e4dca-4d6b-4206-9c51-bff32c72a961", "value": "nbtstat uses System Network Connections Discovery" }, { "meta": { "source-uuid": "1c63d4ec-0a75-4daa-b1df-0d11af3d3cc1", "target-uuid": "083bb47b-02c8-4423-81a2-f9ef58572974" }, "uuid": "d4968f45-d06b-4843-8f72-6e08beb94cab", "value": "Dragonfly uses Backdoor.Oldrea" }, { "meta": { "source-uuid": "894aab42-3371-47b1-8859-a4a074c804c8", "target-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9" }, "uuid": "e362d1ad-5d36-4f6d-b2b0-63af2f5f08ff", "value": "Stealth Falcon uses Scheduled Task" }, { "meta": { "source-uuid": "68dca94f-c11d-421e-9287-7c501108e18c", "target-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6" }, "uuid": "8d0d938e-2e4c-49e8-9290-6bfb86161260", "value": "Duqu uses Standard Application Layer Protocol" }, { "meta": { "source-uuid": "fb366179-766c-4a4a-afa1-52bff1fd601c", "target-uuid": "b07c2c47-fefb-4d7c-a69e-6a3296171f54" 
}, "uuid": "3b6fc69c-9759-465a-b09c-a6161e4e2f56", "value": "Threat Group-3390 uses gsecdump" }, { "meta": { "source-uuid": "fbb470da-1d44-4f29-bbb3-9efbe20f94a3", "target-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc" }, "uuid": "5ab3897a-4f37-4b59-99ca-f39605cb1a35", "value": "Mivast uses Registry Run Keys / Start Folder" }, { "meta": { "source-uuid": "7ecc3b4f-5cdb-457e-b55a-df376b359446", "target-uuid": "7e150503-88e7-4861-866b-ff1ac82c4475" }, "uuid": "21ff06b5-022f-40bf-821b-3e08dc9f08a3", "value": "Poseidon Group uses System Network Connections Discovery" }, { "meta": { "source-uuid": "196f1f32-e0c2-4d46-99cd-234d4b6befe1", "target-uuid": "241814ae-de3f-4656-b49e-f9a80764d4b7" }, "uuid": "863c1d57-db93-49a9-a953-eb7c2d6b2e5b", "value": "Felismus uses Security Software Discovery" }, { "meta": { "source-uuid": "f047ee18-7985-4946-8bfb-4ed754d3a0dd", "target-uuid": "53cf6cc4-65aa-445a-bcf8-c3d296f8a7a2" }, "uuid": "a5015a35-a6a2-4289-8d79-79b583c23e63", "value": "APT30 uses NETEAGLE" }, { "meta": { "source-uuid": "96b08451-b27a-4ff6-893f-790e26393a8e", "target-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59" }, "uuid": "e2e91dcc-87b0-4ff8-a6cd-0dfd6a813483", "value": "Sakula uses File Deletion" }, { "meta": { "source-uuid": "3753cc21-2dae-4dfb-8481-d004e74502cc", "target-uuid": "a127c32c-cbb0-4f9d-be07-881a792408ec" }, "uuid": "9e77b81d-6298-4233-8baa-f419031a9d64", "value": "FIN7 uses Mshta" }, { "meta": { "source-uuid": "2e290bfe-93b5-48ce-97d6-edcd6d32b7cf", "target-uuid": "5f9f7648-04ba-4a9f-bb4c-2a13e74572bd" }, "uuid": "4f33536d-eb06-4eba-8765-4379e399f3b8", "value": "Gamaredon Group uses Pteranodon" }, { "meta": { "source-uuid": "c93fccb1-e8e8-42cf-ae33-2ad1d183913a", "target-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59" }, "uuid": "979812c4-939e-4a7e-96b3-348028db10ce", "value": "Lazarus Group uses File Deletion" }, { "meta": { "source-uuid": "8e461ca3-0996-4e6e-a0df-e2a5bbc51ebc", "target-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580" }, "uuid": 
"71ee5336-929a-41c7-bfbd-42a7208ca29d", "value": "4H RAT uses Process Discovery" }, { "meta": { "source-uuid": "17862c7d-9e60-48a0-b48e-da4dc4c3f6b0", "target-uuid": "6ff403bc-93e3-48be-8687-e102fdba8c88" }, "uuid": "891a97f1-d3e2-45ff-a079-43dcad21a175", "value": "Patchwork uses Software Packing" }, { "meta": { "source-uuid": "f5352566-1a64-49ac-8f7f-97e1d1a03300", "target-uuid": "7bc57495-ea59-4380-be31-a64af124ef18" }, "uuid": "3de749e5-353a-4bdc-8951-9e0fa387bc70", "value": "AutoIt backdoor uses File and Directory Discovery" }, { "meta": { "source-uuid": "03342581-f790-4f03-ba41-e82e67392e23", "target-uuid": "e7eab98d-ae11-4491-bd28-a53ba875865a" }, "uuid": "4e167937-d152-4c57-a7b7-e3b407470720", "value": "Net uses Network Share Connection Removal" }, { "meta": { "source-uuid": "54cc1d4f-5c53-4f0e-9ef5-11b4998e82e4", "target-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d" }, "uuid": "1a7d1db3-9383-4171-8938-382e9b0375c6", "value": "BlackEnergy uses Process Injection" }, { "meta": { "source-uuid": "e8268361-a599-4e45-bd3f-71c8c7e700c0", "target-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6" }, "uuid": "a45f37c0-da3f-4766-bdb2-4cc1f4bda04d", "value": "httpclient uses Standard Application Layer Protocol" }, { "meta": { "source-uuid": "43b366a4-b5ff-4d4e-8a3b-f09a9d2faff5", "target-uuid": "804c042c-cfe6-449e-bc1a-ba0a998a70db" }, "uuid": "143c0761-981a-4668-ab8a-9ba74cb58869", "value": "Shared Webroot Mitigation mitigates Shared Webroot" }, { "meta": { "source-uuid": "98e8a977-3416-43aa-87fa-33e287e9c14c", "target-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1" }, "uuid": "73fe447a-8d70-433f-be9a-5af74934a662", "value": "WINDSHIELD uses System Information Discovery" }, { "meta": { "source-uuid": "bd2554b8-634f-4434-a986-9b49c29da2ae", "target-uuid": "241814ae-de3f-4656-b49e-f9a80764d4b7" }, "uuid": "c0b07b4a-d421-4faa-8564-4cc89668afac", "value": "Security Software Discovery Mitigation mitigates Security Software Discovery" }, { "meta": { "source-uuid": 
"00c3bfcb-99bd-4767-8c03-b08f585f5c8a", "target-uuid": "62b8c999-dcc0-4755-bd69-09442d9359f5" }, "uuid": "1cbf5583-626a-4a24-bc59-f3b973752cee", "value": "PowerDuke uses Rundll32" }, { "meta": { "source-uuid": "68ba94ab-78b8-43e7-83e2-aed3466882c6", "target-uuid": "01a5a209-b94c-450b-b7f9-946497d91055" }, "uuid": "ec6002c7-a2ca-4792-8dc4-0f0746768762", "value": "APT34 uses Windows Management Instrumentation" }, { "meta": { "source-uuid": "c93fccb1-e8e8-42cf-ae33-2ad1d183913a", "target-uuid": "fece06b7-d4b1-42cf-b81a-5323c917546e" }, "uuid": "216c15b0-3091-49f2-ba85-356d56265671", "value": "Lazarus Group uses FALLCHILL" }, { "meta": { "source-uuid": "64fa0de0-6240-41f4-8638-f4ca7ed528fd", "target-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896" }, "uuid": "4cb1a0d0-6276-4c2c-b299-c26c982e9e1e", "value": "PlugX uses Query Registry" }, { "meta": { "source-uuid": "326af1cd-78e7-45b7-a326-125d2f7ef8f2", "target-uuid": "c21d5a77-d422-4a69-acd7-2c53c1faa34b" }, "uuid": "d6c628b9-789a-416b-8abe-cd457e566346", "value": "Crimson uses Standard Non-Application Layer Protocol" }, { "meta": { "source-uuid": "fde50aaa-f5de-4cb8-989a-babb57d6a704", "target-uuid": "ffe742ed-9100-4686-9e00-c331da544787" }, "uuid": "e89d06bc-31f3-49c0-a555-360eeff7f7c6", "value": "Net Crawler uses Windows Admin Shares" }, { "meta": { "source-uuid": "f108215f-3487-489d-be8b-80e346d32518", "target-uuid": "dc27c2ec-c5f9-4228-ba57-d67b590bda93" }, "uuid": "f5acb12e-6d83-4628-9b1d-61f277a699b2", "value": "Komplex uses Hidden Files and Directories" }, { "meta": { "source-uuid": "894aab42-3371-47b1-8859-a4a074c804c8", "target-uuid": "f4882e23-8aa7-4b12-b28a-b349c12ee9e0" }, "uuid": "e2e33068-b08e-45fd-89e0-0cf79868f902", "value": "Stealth Falcon uses PowerShell" }, { "meta": { "source-uuid": "da5880b4-f7da-4869-85f2-e0aba84b8565", "target-uuid": "9b52fca7-1a36-4da0-b62d-da5bd83b4d69" }, "uuid": "64309b21-2dc2-4369-9c70-66f47f5c4b56", "value": "ComRAT uses Component Object Model Hijacking" }, { "meta": { 
"source-uuid": "4a99fecc-680b-448e-8fe7-8144c60d272c", "target-uuid": "a93494bb-4b80-4ea1-8695-3236a49916fd" }, "uuid": "cade3e14-aab4-4297-b77d-019d3ee0ccef", "value": "Brute Force Mitigation mitigates Brute Force" }, { "meta": { "source-uuid": "876f6a77-fbc5-4e13-ab1a-5611986730a3", "target-uuid": "b2001907-166b-4d71-bb3c-9d26c871de09" }, "uuid": "677f32ad-2aa1-4fe3-8dab-73494891aa4a", "value": "T9000 uses DLL Side-Loading" }, { "meta": { "source-uuid": "876f6a77-fbc5-4e13-ab1a-5611986730a3", "target-uuid": "d54416bd-0803-41ca-870a-ce1af7c05638" }, "uuid": "bb11119c-c409-4615-8c3f-8491749f2d3b", "value": "T9000 uses Data Encrypted" }, { "meta": { "source-uuid": "bef4c620-0787-42a8-a96d-b7eb6e85917c", "target-uuid": "2c4d4e92-0ccf-4a97-b54c-86d662988a53" }, "uuid": "d0560e25-020d-4cd6-b61c-5fc82a757edc", "value": "APT28 uses Office Application Startup" }, { "meta": { "source-uuid": "69d6f4a9-fcf0-4f51-bca7-597c51ad0bb8", "target-uuid": "c848fcf7-6b62-4bde-8216-b6c157d48da0" }, "uuid": "7ed59789-3b2d-4acf-9127-7af35234a373", "value": "Remsec uses Uncommonly Used Port" }, { "meta": { "source-uuid": "4ca1929c-7d64-4aab-b849-badbfc0c760d", "target-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c" }, "uuid": "67469b79-67e2-4932-9776-b09a82871723", "value": "OilRig uses Deobfuscate/Decode Files or Information" }, { "meta": { "source-uuid": "16ade1aa-0ea1-4bb7-88cc-9079df2ae756", "target-uuid": "4664b683-f578-434f-919b-1c1aad2a1111" }, "uuid": "d75ee2bd-801c-4521-8d70-f5e2d64c87f9", "value": "admin@338 uses netstat" }, { "meta": { "source-uuid": "ab3580c8-8435-4117-aace-3d9fbe46aa56", "target-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22" }, "uuid": "a76e4748-2cef-4ee6-96a3-53ee227f0333", "value": "Unknown Logger uses Credential Dumping" }, { "meta": { "source-uuid": "c9cd7ec9-40b7-49db-80be-1399eddd9c52", "target-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22" }, "uuid": "5c6b3fda-2eec-4c7a-af09-5f880f260085", "value": "Cachedump uses Credential Dumping" }, { "meta": { 
"source-uuid": "2dd34b01-6110-4aac-835d-b5e7b936b0be", "target-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6" }, "uuid": "cc065036-1b46-4f5c-935e-fb80bd3de7c7", "value": "OLDBAIT uses Standard Application Layer Protocol" }, { "meta": { "source-uuid": "121b2863-5b97-4538-acb3-f8aae070ec13", "target-uuid": "dd901512-6e37-4155-943b-453e3777b125" }, "uuid": "48b9ca0c-925b-4f6a-8f25-459b2489be7c", "value": "Launch Agent Mitigation mitigates Launch Agent" }, { "meta": { "source-uuid": "59a97b15-8189-4d51-9404-e1ce8ea4a069", "target-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6" }, "uuid": "785abba4-fdb4-4aad-9049-5a0c748cc965", "value": "XAgentOSX uses Standard Application Layer Protocol" }, { "meta": { "source-uuid": "91000a8a-58cc-4aba-9ad0-993ad6302b86", "target-uuid": "241814ae-de3f-4656-b49e-f9a80764d4b7" }, "uuid": "df7fb8f2-e7a6-4342-8d67-09655ceefead", "value": "StreamEx uses Security Software Discovery" }, { "meta": { "source-uuid": "ae9d818d-95d0-41da-b045-9cabea1ca164", "target-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1" }, "uuid": "7b29c94f-1834-42ac-933c-ae6cd125e87a", "value": "PinchDuke uses System Information Discovery" }, { "meta": { "source-uuid": "afc079f3-c0ea-4096-b75d-3f05338b7f60", "target-uuid": "a257ed11-ff3b-4216-8c9d-3938ef57064c" }, "uuid": "76037b22-a3e4-40d3-bd56-699d1ea4e97e", "value": "Mimikatz uses Pass the Ticket" }, { "meta": { "source-uuid": "222fbd21-fc4f-4b7e-9f85-0e6e3a76c33f", "target-uuid": "b9f5dbe2-4c55-4fc5-af2e-d42c1d182ec4" }, "uuid": "17262c58-2f41-41d2-a86a-5bc86642ddb4", "value": "menuPass uses Data Compressed" }, { "meta": { "source-uuid": "4c59cce8-cb48-4141-b9f1-f646edfaadb0", "target-uuid": "c21d5a77-d422-4a69-acd7-2c53c1faa34b" }, "uuid": "e7ac3ee3-a014-4b07-9bad-b93d3d1d0f4b", "value": "Regin uses Standard Non-Application Layer Protocol" }, { "meta": { "source-uuid": "40d3e230-ed32-469f-ba89-be70cc08ab39", "target-uuid": "d54416bd-0803-41ca-870a-ce1af7c05638" }, "uuid": "f4c6cb3f-b24c-4a1e-9bba-7b129b89a17a", 
"value": "Agent.btz uses Data Encrypted" }, { "meta": { "source-uuid": "463f68f1-5cde-4dc2-a831-68b73488f8f4", "target-uuid": "92d7da27-2d91-488e-a00c-059dc162766d" }, "uuid": "4ffcf69a-c7ef-46dc-add7-9093e454a67e", "value": "MobileOrder uses Exfiltration Over Command and Control Channel" }, { "meta": { "source-uuid": "9ea525fa-b0a9-4dde-84f2-bcea0137b3c1", "target-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59" }, "uuid": "761edf58-baad-4626-acca-a137c251b0e6", "value": "MoonWind uses File Deletion" }, { "meta": { "source-uuid": "8ca6a5e0-aae5-49bc-8d07-f888c7dba9ea", "target-uuid": "2c4d4e92-0ccf-4a97-b54c-86d662988a53" }, "uuid": "140b4bbc-68c6-474a-adae-9b2275471f13", "value": "Office Application Startup Mitigation mitigates Office Application Startup" }, { "meta": { "source-uuid": "e48df773-7c95-4a4c-ba70-ea3d15900148", "target-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1" }, "uuid": "396edbf6-41b5-4377-90b6-4967c24de7fb", "value": "DownPaper uses System Information Discovery" }, { "meta": { "source-uuid": "a653431d-6a5e-4600-8ad3-609b5af57064", "target-uuid": "03342581-f790-4f03-ba41-e82e67392e23" }, "uuid": "2df910df-37cc-4349-96c3-f938fa5a9054", "value": "Deep Panda uses Net" }, { "meta": { "source-uuid": "0e18b800-906c-4e44-a143-b11c72b3448b", "target-uuid": "731f4f55-b6d0-41d1-a7a9-072a66389aea" }, "uuid": "7cfafeb7-2662-4b65-8dfc-93db752f5e71", "value": "FLIPSIDE uses Connection Proxy" }, { "meta": { "source-uuid": "3a476d83-43eb-4fad-9b75-b1febd834e3d", "target-uuid": "a257ed11-ff3b-4216-8c9d-3938ef57064c" }, "uuid": "cb35f782-6fb4-4a0c-b549-8af99dbc57fd", "value": "Pass the Ticket Mitigation mitigates Pass the Ticket" }, { "meta": { "source-uuid": "da987565-27b6-4b31-bbcd-74b909847116", "target-uuid": "99709758-2b96-48f2-a68a-ad7fbd828091" }, "uuid": "c57efd0b-817e-45c2-9f11-e8e7ac11b44c", "value": "Multiband Communication Mitigation mitigates Multiband Communication" }, { "meta": { "source-uuid": "7f8730af-f683-423f-9ee1-5f6875a80481", "target-uuid": 
"354a7f88-63fb-41b5-a801-ce3b377b36f1" }, "uuid": "550bf43e-53da-467e-affd-9f44ad668508", "value": "Sys10 uses System Information Discovery" }, { "meta": { "source-uuid": "e48df773-7c95-4a4c-ba70-ea3d15900148", "target-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830" }, "uuid": "ef318b23-1b8c-4c24-ad20-09c0977a73b3", "value": "DownPaper uses Command-Line Interface" }, { "meta": { "source-uuid": "247cb30b-955f-42eb-97a5-a89fef69341e", "target-uuid": "68f7e3a1-f09f-4164-9a62-16b648a0dd5a" }, "uuid": "dfcc52d8-4664-48c4-9e35-2be2cd649d93", "value": "APT32 uses Regsvr32" }, { "meta": { "source-uuid": "326af1cd-78e7-45b7-a326-125d2f7ef8f2", "target-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580" }, "uuid": "84f40044-00a2-4015-be0d-1bb0107ef42b", "value": "Crimson uses Process Discovery" }, { "meta": { "source-uuid": "326af1cd-78e7-45b7-a326-125d2f7ef8f2", "target-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688" }, "uuid": "717d87d5-df97-48a9-8766-c9a947541e1d", "value": "Crimson uses Screen Capture" }, { "meta": { "source-uuid": "d1acfbb3-647b-4723-9154-800ec119006e", "target-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2" }, "uuid": "ae1600d0-8271-4709-a1a6-6fb62494fa23", "value": "Sowbug uses Input Capture" }, { "meta": { "source-uuid": "166c0eca-02fd-424a-92c0-6b5106994d31", "target-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688" }, "uuid": "7296e1e2-514d-4a6c-a1fe-18558a5e3b0f", "value": "ZLib uses Screen Capture" }, { "meta": { "source-uuid": "f8dfbc54-b070-4224-b560-79aaa5f835bd", "target-uuid": "4b74a1d4-b0e9-4ef1-93f1-14ecc6e2f5b5" }, "uuid": "ca8ed9e2-f7a6-4d54-b450-94c187b1f9b6", "value": "H1N1 uses Standard Cryptographic Protocol" }, { "meta": { "source-uuid": "c416b28c-103b-4df1-909e-78089a7e0e5f", "target-uuid": "92ec0cbd-2c30-44a2-b270-73f4ec949841" }, "uuid": "9755e169-0dd5-4bf5-a884-d50d31f33ad9", "value": "RTM uses RTM" }, { "meta": { "source-uuid": "f6469191-1814-4dbe-a081-2a6daf83a10b", "target-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580" }, "uuid": 
"03f30a17-095b-4656-a7db-87d98628dfd8", "value": "Process Discovery Mitigation mitigates Process Discovery" }, { "meta": { "source-uuid": "166c0eca-02fd-424a-92c0-6b5106994d31", "target-uuid": "b9f5dbe2-4c55-4fc5-af2e-d42c1d182ec4" }, "uuid": "32568a57-ff9c-42f5-9b60-0b78d7b0a7c0", "value": "ZLib uses Data Compressed" }, { "meta": { "source-uuid": "f8dfbc54-b070-4224-b560-79aaa5f835bd", "target-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830" }, "uuid": "4a419b18-5fb2-43a0-8c0a-6521b8d9de63", "value": "H1N1 uses Command-Line Interface" }, { "meta": { "source-uuid": "f9d6633a-55e6-4adc-9263-6ae080421a13", "target-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688" }, "uuid": "65f7704a-358a-464d-b09b-fee5dd96adf3", "value": "Magic Hound uses Screen Capture" }, { "meta": { "source-uuid": "53cf6cc4-65aa-445a-bcf8-c3d296f8a7a2", "target-uuid": "4b74a1d4-b0e9-4ef1-93f1-14ecc6e2f5b5" }, "uuid": "122e6f20-ab3b-4bf0-bef1-0372399bee7c", "value": "NETEAGLE uses Standard Cryptographic Protocol" }, { "meta": { "source-uuid": "2a7914cf-dff3-428d-ab0f-1014d1c28aeb", "target-uuid": "e3a12395-188d-4051-9a16-ea8e14d07b88" }, "uuid": "b1c49faa-0b6f-4a0e-85da-5ab8ddeab2ce", "value": "FIN6 uses Network Service Scanning" }, { "meta": { "source-uuid": "92ec0cbd-2c30-44a2-b270-73f4ec949841", "target-uuid": "30973a08-aed9-4edf-8604-9084ce1b5c4f" }, "uuid": "1e03e95c-1c9a-4fa8-9d6d-b5d244b06509", "value": "RTM uses Clipboard Data" }, { "meta": { "source-uuid": "fb575479-14ef-41e9-bfab-0b7cf10bec73", "target-uuid": "9b52fca7-1a36-4da0-b62d-da5bd83b4d69" }, "uuid": "075e7d33-8d5c-4016-9a24-dc6e61f56fcd", "value": "ADVSTORESHELL uses Component Object Model Hijacking" }, { "meta": { "source-uuid": "17e919aa-4a49-445c-b103-dbb8df9e7351", "target-uuid": "f4882e23-8aa7-4b12-b28a-b349c12ee9e0" }, "uuid": "89424d69-a426-4f76-9e7f-7b2dabe459be", "value": "POWERSOURCE uses PowerShell" }, { "meta": { "source-uuid": "7343e208-7cab-45f2-a47b-41ba5e2f0fab", "target-uuid": "f24faf46-3b26-4dbb-98f2-63460498e433" }, 
"uuid": "e97b39d6-7be1-4f59-8959-7f1f01402152", "value": "XTunnel uses Fallback Channels" }, { "meta": { "source-uuid": "199463de-d9be-46d6-bb41-07234c1dd5a6", "target-uuid": "72b74d71-8169-42aa-92e0-e7b04b9f5a08" }, "uuid": "2e69a835-6443-455e-8ff0-775bb8c823f1", "value": "GeminiDuke uses Account Discovery" }, { "meta": { "source-uuid": "54cc1d4f-5c53-4f0e-9ef5-11b4998e82e4", "target-uuid": "7e150503-88e7-4861-866b-ff1ac82c4475" }, "uuid": "5b2c87e3-8eac-48b3-832b-2290b367403d", "value": "BlackEnergy uses System Network Connections Discovery" }, { "meta": { "source-uuid": "68ba94ab-78b8-43e7-83e2-aed3466882c6", "target-uuid": "e3a12395-188d-4051-9a16-ea8e14d07b88" }, "uuid": "6a5bd9f5-f8ff-4eab-a4bc-edb2e098c47d", "value": "APT34 uses Network Service Scanning" }, { "meta": { "source-uuid": "bcc91b8c-f104-4710-964e-1d5409666736", "target-uuid": "c16e5409-ee53-4d79-afdc-4099dc9292df" }, "uuid": "38d4c148-6fe8-4703-94e5-1b79b1cf5b8c", "value": "Web Shell Mitigation mitigates Web Shell" }, { "meta": { "source-uuid": "6b616fc1-1505-48e3-8b2c-0d19337bff38", "target-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688" }, "uuid": "6184b127-47cf-43fc-880b-890554d9cc9a", "value": "Rover uses Screen Capture" }, { "meta": { "source-uuid": "b96680d1-5eb3-4f07-b95c-00ab904ac236", "target-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0" }, "uuid": "548e7315-5055-4434-96c1-1429779b0e2b", "value": "Pisloader uses System Network Configuration Discovery" }, { "meta": { "source-uuid": "93f52415-0fe4-4d3d-896c-fc9b8e88ab90", "target-uuid": "519630c5-f03f-4882-825c-3af924935817" }, "uuid": "cc13f316-0f88-4ed1-8790-b13bc35be119", "value": "BRONZE BUTLER uses Binary Padding" }, { "meta": { "source-uuid": "2a158b0a-7ef8-43cb-9985-bf34d1e12050", "target-uuid": "03342581-f790-4f03-ba41-e82e67392e23" }, "uuid": "0ef9bb79-c221-40a8-94b0-58bfc816565f", "value": "Naikon uses Net" }, { "meta": { "source-uuid": "ad4f146f-e3ec-444a-ba71-24bffd7f0f8e", "target-uuid": "4b74a1d4-b0e9-4ef1-93f1-14ecc6e2f5b5" }, 
"uuid": "c945e5f2-5622-46ce-8b35-468d41d2af46", "value": "RIPTIDE uses Standard Cryptographic Protocol" }, { "meta": { "source-uuid": "68dca94f-c11d-421e-9287-7c501108e18c", "target-uuid": "dcaa092b-7de9-4a21-977f-7fcb77e89c48" }, "uuid": "968610c5-7fa5-4840-b9bb-2f70eecd87fa", "value": "Duqu uses Access Token Manipulation" }, { "meta": { "source-uuid": "4ca1929c-7d64-4aab-b849-badbfc0c760d", "target-uuid": "7e150503-88e7-4861-866b-ff1ac82c4475" }, "uuid": "8edb0383-cae8-43ee-9241-b25e5068cc95", "value": "OilRig uses System Network Connections Discovery" }, { "meta": { "source-uuid": "43213480-78f7-4fb3-976f-d48f5f6a4c2a", "target-uuid": "7dd95ff6-712e-4056-9626-312ea4ab4c5e" }, "uuid": "e5728c4d-d404-44e8-9e28-3411942c5234", "value": "FLASHFLOOD uses Data Staged" }, { "meta": { "source-uuid": "94379dec-5c87-49db-b36e-66abc0b81344", "target-uuid": "f24faf46-3b26-4dbb-98f2-63460498e433" }, "uuid": "bd74b90d-ff9f-4ce3-96af-9b809fffc3da", "value": "Derusbi uses Fallback Channels" }, { "meta": { "source-uuid": "68dca94f-c11d-421e-9287-7c501108e18c", "target-uuid": "478aa214-2ca7-4ec0-9978-18798e514790" }, "uuid": "46660a8a-7724-4577-b09e-551a1ce61bfc", "value": "Duqu uses New Service" }, { "meta": { "source-uuid": "aafea02e-ece5-4bb2-91a6-3bf8c7f38a39", "target-uuid": "1c338d0f-a65e-4073-a5c1-c06878849f21" }, "uuid": "6c303446-f8d1-424c-b1ac-8c10f82d33d7", "value": "Cobalt Strike uses Process Hollowing" }, { "meta": { "source-uuid": "ad4f146f-e3ec-444a-ba71-24bffd7f0f8e", "target-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6" }, "uuid": "c4ce39f8-371c-45dd-a8d2-a411a6f0678d", "value": "RIPTIDE uses Standard Application Layer Protocol" }, { "meta": { "source-uuid": "1cc934e4-b01d-4543-a011-b988dfc1a458", "target-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9" }, "uuid": "d2560c35-b2f6-47d2-b573-236ef99894d5", "value": "Matroyshka uses Scheduled Task" }, { "meta": { "source-uuid": "c93fccb1-e8e8-42cf-ae33-2ad1d183913a", "target-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a" 
}, "uuid": "3afd226c-934f-44fd-8194-9a6dee5cba59", "value": "Lazarus Group uses Obfuscated Files or Information" }, { "meta": { "source-uuid": "6713ab67-e25b-49cc-808d-2b36d4fbc35c", "target-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5" }, "uuid": "8c763d80-4c50-4ebd-b2c6-3cad22c55bfa", "value": "Ke3chang uses Data from Local System" }, { "meta": { "source-uuid": "199463de-d9be-46d6-bb41-07234c1dd5a6", "target-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6" }, "uuid": "b5a1cf65-c128-4d2e-bd28-54514d1a3aae", "value": "GeminiDuke uses Standard Application Layer Protocol" }, { "meta": { "source-uuid": "943d370b-2054-44df-8be2-ab4139bde1c5", "target-uuid": "52d40641-c480-4ad5-81a3-c80ccaddf82d" }, "uuid": "758b6582-b988-4ab9-911e-e40c9bbebc2d", "value": "Authentication Package Mitigation mitigates Authentication Package" }, { "meta": { "source-uuid": "16ade1aa-0ea1-4bb7-88cc-9079df2ae756", "target-uuid": "72b74d71-8169-42aa-92e0-e7b04b9f5a08" }, "uuid": "c4962ae6-91e2-407d-9f42-aa0381574476", "value": "admin@338 uses Account Discovery" }, { "meta": { "source-uuid": "1c63d4ec-0a75-4daa-b1df-0d11af3d3cc1", "target-uuid": "3489cfc5-640f-4bb3-a103-9137b97de79f" }, "uuid": "1e1b566b-152a-4778-a03f-0ce94b72c5f2", "value": "Dragonfly uses Network Share Discovery" }, { "meta": { "source-uuid": "e066bf86-9cfb-407a-9d25-26fd5d91e360", "target-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59" }, "uuid": "b13fd1c9-a42c-45fc-9db8-1cd691740e0a", "value": "HTTPBrowser uses File Deletion" }, { "meta": { "source-uuid": "9ca488bd-9587-48ef-b923-1743523e63b2", "target-uuid": "7bc57495-ea59-4380-be31-a64af124ef18" }, "uuid": "c3ee174d-fd40-4636-97b2-afe80854f987", "value": "SOUNDBITE uses File and Directory Discovery" }, { "meta": { "source-uuid": "ae41895a-243f-4a65-b99b-d85022326c31", "target-uuid": "0db09158-6e48-4e7c-8ce7-2b10b9c0c039" }, "uuid": "c8253944-3a69-42e6-b36a-1c3defbb088e", "value": "Dust Storm uses Misdat" }, { "meta": { "source-uuid": "bef4c620-0787-42a8-a96d-b7eb6e85917c", 
"target-uuid": "60c18d06-7b91-4742-bae3-647845cd9d81" }, "uuid": "ba64e6d1-4deb-440a-a4eb-1c3476b6fb47", "value": "APT28 uses CORESHELL" }, { "meta": { "source-uuid": "9ea525fa-b0a9-4dde-84f2-bcea0137b3c1", "target-uuid": "f879d51c-5476-431c-aedf-f14d207e4d1e" }, "uuid": "2864eb81-71a5-4325-b42a-7a725f0c6887", "value": "MoonWind uses Commonly Used Port" }, { "meta": { "source-uuid": "0db09158-6e48-4e7c-8ce7-2b10b9c0c039", "target-uuid": "cc7b8c4e-9be0-47ca-b0bb-83915ec3ee2f" }, "uuid": "a12a471b-39b2-4abf-80d0-af88d5a4f038", "value": "Misdat uses Data Encoding" }, { "meta": { "source-uuid": "cbf646f1-7db5-4dc6-808b-0094313949df", "target-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add" }, "uuid": "800825f5-6e74-43ad-a732-476fdf471225", "value": "CloudDuke uses Remote File Copy" }, { "meta": { "source-uuid": "72f54d66-675d-4587-9bd3-4ed09f9522e4", "target-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6" }, "uuid": "210f5206-8763-48ac-a4c3-a08440892b5d", "value": "Carbanak uses Standard Application Layer Protocol" }, { "meta": { "source-uuid": "0bbdf25b-30ff-4894-a1cd-49260d0dd2d9", "target-uuid": "72b74d71-8169-42aa-92e0-e7b04b9f5a08" }, "uuid": "9a615c7f-986d-4769-bea6-af9ffe0d575e", "value": "APT3 uses Account Discovery" }, { "meta": { "source-uuid": "f6d1d2cb-12f5-4221-9636-44606ea1f3f8", "target-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1" }, "uuid": "7507eb37-407e-4428-b29f-da0bda3f7970", "value": "OSInfo uses System Information Discovery" }, { "meta": { "source-uuid": "f047ee18-7985-4946-8bfb-4ed754d3a0dd", "target-uuid": "8b880b41-5139-4807-baa9-309690218719" }, "uuid": "fca5a601-68fd-4b20-ad1e-0592cadecb73", "value": "APT30 uses SPACESHIP" }, { "meta": { "source-uuid": "85403903-15e0-4f9f-9be4-a259ecad4022", "target-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59" }, "uuid": "1ace08c6-0f1a-487d-92b2-6c61c2299270", "value": "FIN5 uses File Deletion" }, { "meta": { "source-uuid": "fb575479-14ef-41e9-bfab-0b7cf10bec73", "target-uuid": 
"7bc57495-ea59-4380-be31-a64af124ef18" }, "uuid": "7105ecea-8da8-4723-b717-ae9c3152cfdd", "value": "ADVSTORESHELL uses File and Directory Discovery" }, { "meta": { "source-uuid": "fb575479-14ef-41e9-bfab-0b7cf10bec73", "target-uuid": "348f1eef-964b-4eb6-bb53-69b3dcb0c643" }, "uuid": "a0f1273a-e422-4801-a911-e7cb223ebea2", "value": "ADVSTORESHELL uses Peripheral Device Discovery" }, { "meta": { "source-uuid": "8901ac23-6b50-410c-b0dd-d8174a86f9b3", "target-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0" }, "uuid": "5206976b-ac4d-4286-a954-4b1ef5c20adc", "value": "Shamoon uses System Network Configuration Discovery" }, { "meta": { "source-uuid": "6a2e693f-24e5-451a-9f88-b36a108e5662", "target-uuid": "2e45723a-31da-4a7e-aaa6-e01998a6788f" }, "uuid": "79cd2ec8-068c-4a7a-8133-1855381d3bd3", "value": "APT1 uses Tasklist" }, { "meta": { "source-uuid": "f27ef4f2-71fe-48b6-b7f4-02dcac14320e", "target-uuid": "56ff457d-5e39-492b-974c-dfd2b8603ffe" }, "uuid": "5718d7a3-c402-4816-92fb-4322094b84f8", "value": "Private Keys Mitigation mitigates Private Keys" }, { "meta": { "source-uuid": "e1161124-f22e-487f-9d5f-ed8efc8dcd61", "target-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0" }, "uuid": "4ffe2425-c971-45e5-9256-0b1a2bf63bbf", "value": "Mis-Type uses Masquerading" }, { "meta": { "source-uuid": "93f52415-0fe4-4d3d-896c-fc9b8e88ab90", "target-uuid": "afc079f3-c0ea-4096-b75d-3f05338b7f60" }, "uuid": "28471736-5b62-4132-b4ed-c22ae449b455", "value": "BRONZE BUTLER uses Mimikatz" }, { "meta": { "source-uuid": "a60657fa-e2e7-4f8f-8128-a882534ae8c5", "target-uuid": "b2001907-166b-4d71-bb3c-9d26c871de09" }, "uuid": "c1884e62-7b2e-45a1-89fd-c76b1b717f50", "value": "OwaAuth uses DLL Side-Loading" }, { "meta": { "source-uuid": "e6ef745b-077f-42e1-a37d-29eecff9c754", "target-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1" }, "uuid": "166c430d-0272-4dca-8d30-318cda0a0a63", "value": "CozyCar uses System Information Discovery" }, { "meta": { "source-uuid": "54cc1d4f-5c53-4f0e-9ef5-11b4998e82e4", 
"target-uuid": "e3a12395-188d-4051-9a16-ea8e14d07b88" }, "uuid": "47e4d006-2685-4628-a46b-f6d9066f3585", "value": "BlackEnergy uses Network Service Scanning" }, { "meta": { "source-uuid": "bb3c1098-d654-4620-bf40-694386d28921", "target-uuid": "3b3cbbe0-6ed3-4334-b543-3ddfd8c5642d" }, "uuid": "a00d3582-7c2d-45dc-8580-1de25356ae70", "value": "FakeM uses Custom Cryptographic Protocol" }, { "meta": { "source-uuid": "b42378e0-f147-496f-992a-26a49705395b", "target-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d" }, "uuid": "7d020981-51b3-4ff6-825f-7cd192c934e1", "value": "PoisonIvy uses Process Injection" }, { "meta": { "source-uuid": "c93fccb1-e8e8-42cf-ae33-2ad1d183913a", "target-uuid": "a93494bb-4b80-4ea1-8695-3236a49916fd" }, "uuid": "83ba5b2c-b3fd-4558-a3f8-cef4c31e02bd", "value": "Lazarus Group uses Brute Force" }, { "meta": { "source-uuid": "17862c7d-9e60-48a0-b48e-da4dc4c3f6b0", "target-uuid": "1c338d0f-a65e-4073-a5c1-c06878849f21" }, "uuid": "28139c5b-be96-44d2-8e54-425311d108d6", "value": "Patchwork uses Process Hollowing" }, { "meta": { "source-uuid": "0bbdf25b-30ff-4894-a1cd-49260d0dd2d9", "target-uuid": "b9f5dbe2-4c55-4fc5-af2e-d42c1d182ec4" }, "uuid": "b028b9a6-4031-4b56-8dd5-0bdd3c59dbec", "value": "APT3 uses Data Compressed" }, { "meta": { "source-uuid": "92ec0cbd-2c30-44a2-b270-73f4ec949841", "target-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580" }, "uuid": "f0cf3ea2-5345-48d7-9685-be0180eb0e4a", "value": "RTM uses Process Discovery" }, { "meta": { "source-uuid": "6a2e693f-24e5-451a-9f88-b36a108e5662", "target-uuid": "b42378e0-f147-496f-992a-26a49705395b" }, "uuid": "47545d87-b0ae-45ae-aeea-dc849eac2f6f", "value": "APT1 uses PoisonIvy" }, { "meta": { "source-uuid": "7a19ecb1-3c65-4de3-a230-993516aed6a6", "target-uuid": "cde2d700-9ed1-46cf-9bce-07364fe8b24f" }, "uuid": "d0ed3128-67f0-43dd-b1d9-01843eb71b77", "value": "Turla uses Reg" }, { "meta": { "source-uuid": "38fd6a28-3353-4f2b-bb2b-459fecd5c648", "target-uuid": "9e2bba94-950b-4fcf-8070-cb3f816c5f4e" }, 
"uuid": "7dc4c8b9-a380-4dc0-9973-a8a2f8d0175c", "value": "APT18 uses hcdLoader" }, { "meta": { "source-uuid": "eff1a885-6f90-42a1-901f-eef6e7a1905e", "target-uuid": "7dd95ff6-712e-4056-9626-312ea4ab4c5e" }, "uuid": "9c7ecbf4-88fe-4144-8dc4-f5bca2c3156d", "value": "Helminth uses Data Staged" }, { "meta": { "source-uuid": "5f9f7648-04ba-4a9f-bb4c-2a13e74572bd", "target-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830" }, "uuid": "16632790-94dc-40ce-9c0a-2f6af0f691b1", "value": "Pteranodon uses Command-Line Interface" }, { "meta": { "source-uuid": "fb366179-766c-4a4a-afa1-52bff1fd601c", "target-uuid": "c3bce4f4-9795-46c6-976e-8676300bbc39" }, "uuid": "df8350d6-a7a7-421d-a9e8-64d7e0cc0653", "value": "Threat Group-3390 uses Windows Remote Management" }, { "meta": { "source-uuid": "0bbdf25b-30ff-4894-a1cd-49260d0dd2d9", "target-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1" }, "uuid": "b0791504-fc65-402b-bc47-bd96ed4abea1", "value": "APT3 uses System Information Discovery" }, { "meta": { "source-uuid": "68ba94ab-78b8-43e7-83e2-aed3466882c6", "target-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830" }, "uuid": "7e216050-e850-4591-a870-7148d4544642", "value": "APT34 uses Command-Line Interface" }, { "meta": { "source-uuid": "58adaaa8-f1e8-4606-9a08-422e568461eb", "target-uuid": "e358d692-23c0-4a31-9eb6-ecc13a8d7735" }, "uuid": "9ea25bfb-3e3a-42cb-8d2a-939169057806", "value": "SHOTPUT uses Remote System Discovery" }, { "meta": { "source-uuid": "8901ac23-6b50-410c-b0dd-d8174a86f9b3", "target-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a" }, "uuid": "59df5f14-e570-417e-8184-e8e7c6c1ea75", "value": "Shamoon uses Obfuscated Files or Information" }, { "meta": { "source-uuid": "4f45dfeb-fe51-4df0-8db3-edf7dd0513fe", "target-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22" }, "uuid": "f1d5a985-406e-4b03-9f55-2706a2adba92", "value": "Fgdump uses Credential Dumping" }, { "meta": { "source-uuid": "ab3580c8-8435-4117-aace-3d9fbe46aa56", "target-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104" }, 
"uuid": "1d3296a5-9a15-4bd9-a294-ee014348136c", "value": "Unknown Logger uses System Owner/User Discovery" }, { "meta": { "source-uuid": "ed202147-4026-4330-b5bd-1e8dfa8cf7cc", "target-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4" }, "uuid": "ff93eedd-e788-4541-9a9b-ccead3df0d13", "value": "Modify Registry Mitigation mitigates Modify Registry" }, { "meta": { "source-uuid": "1c6bc7f3-d517-4971-aed4-8f939090846b", "target-uuid": "1f47e2fd-fa77-4f2f-88ee-e85df308f125" }, "uuid": "05d3fd1d-6041-4395-906a-e3104a192e1c", "value": "Port Monitors Mitigation mitigates Port Monitors" }, { "meta": { "source-uuid": "a653431d-6a5e-4600-8ad3-609b5af57064", "target-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580" }, "uuid": "1fbf92c8-747b-4c0f-ab33-ce63cbff8197", "value": "Deep Panda uses Process Discovery" }, { "meta": { "source-uuid": "f047ee18-7985-4946-8bfb-4ed754d3a0dd", "target-uuid": "fb261c56-b80e-43a9-8351-c84081e7213d" }, "uuid": "9820c1e9-a414-4af1-a78c-aaf2cb164361", "value": "APT30 uses BACKSPACE" }, { "meta": { "source-uuid": "1e4ef2c7-ee96-4484-9baa-3b5777561301", "target-uuid": "5ad95aaa-49c1-4784-821d-2e83f47b079b" }, "uuid": "620ab17a-3e46-4083-82b0-aeff74d104cd", "value": "AppleScript Mitigation mitigates AppleScript" }, { "meta": { "source-uuid": "ab3580c8-8435-4117-aace-3d9fbe46aa56", "target-uuid": "3b744087-9945-4a6f-91e8-9dbceda417a4" }, "uuid": "291df761-474b-4c5f-a9bd-2aaef0f80d70", "value": "Unknown Logger uses Replication Through Removable Media" }, { "meta": { "source-uuid": "d0415180-51e9-40ce-b57c-c332b0b441f2", "target-uuid": "f4882e23-8aa7-4b12-b28a-b349c12ee9e0" }, "uuid": "1f8f6283-6004-4204-a54f-759e9c0519b1", "value": "PowerShell Mitigation mitigates PowerShell" }, { "meta": { "source-uuid": "c47f937f-1022-4f42-8525-e7a4779a14cb", "target-uuid": "ad4f146f-e3ec-444a-ba71-24bffd7f0f8e" }, "uuid": "d242dc5a-3969-498c-b7eb-5d850e7d384d", "value": "APT12 uses RIPTIDE" }, { "meta": { "source-uuid": "4e6b9625-bbda-4d96-a652-b3bb45453f26", "target-uuid": 
"54a649ff-439a-41a4-9856-8d144a2551ba" }, "uuid": "d6fd820e-09ea-494d-a5f7-9de4431a309d", "value": "RemoteCMD uses Remote Services" }, { "meta": { "source-uuid": "bef4c620-0787-42a8-a96d-b7eb6e85917c", "target-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81" }, "uuid": "7606ad11-1322-4b97-83b9-aaafaee02c07", "value": "APT28 uses Valid Accounts" }, { "meta": { "source-uuid": "5f9f7648-04ba-4a9f-bb4c-2a13e74572bd", "target-uuid": "62b8c999-dcc0-4755-bd69-09442d9359f5" }, "uuid": "a20b8e4c-330f-4e91-b4f6-e58e5800d690", "value": "Pteranodon uses Rundll32" }, { "meta": { "source-uuid": "d256cb63-b021-4b4a-bb6d-1b42eea179a3", "target-uuid": "e3a12395-188d-4051-9a16-ea8e14d07b88" }, "uuid": "371d43af-ef68-4471-9db9-f2d40d2baefc", "value": "Network Service Scanning Mitigation mitigates Network Service Scanning" }, { "meta": { "source-uuid": "1c63d4ec-0a75-4daa-b1df-0d11af3d3cc1", "target-uuid": "ff6caf67-ea1f-4895-b80e-4bb0fc31c6db" }, "uuid": "397e4a59-23b1-47ef-9a57-9f401375b2cb", "value": "Dragonfly uses PsExec" }, { "meta": { "source-uuid": "55033a4d-3ffe-46b2-99b4-2c1541e9ce1c", "target-uuid": "5a63f900-5e7e-4928-a746-dd4558e1df71" }, "uuid": "e2e2d332-f27b-46fb-b48f-4ee1872b321f", "value": "Carbanak uses netsh" }, { "meta": { "source-uuid": "5ce5392a-3a6c-4e07-9df3-9b6a9159ac45", "target-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc" }, "uuid": "55120727-0b7f-4d6a-a881-d17bdc9c85ba", "value": "Putter Panda uses Registry Run Keys / Start Folder" }, { "meta": { "source-uuid": "37cc7eb6-12e3-467b-82e8-f20f2cc73c69", "target-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0" }, "uuid": "3caec960-fa9c-4b2f-80e4-6dd4471e26ba", "value": "Prikormka uses System Network Configuration Discovery" }, { "meta": { "source-uuid": "e066bf86-9cfb-407a-9d25-26fd5d91e360", "target-uuid": "b2001907-166b-4d71-bb3c-9d26c871de09" }, "uuid": "71ede2de-7e5f-49fa-ac07-9322ef4857ae", "value": "HTTPBrowser uses DLL Side-Loading" }, { "meta": { "source-uuid": "f3bdec95-3d62-42d9-a840-29630f6cdc1a", 
"target-uuid": "64fa0de0-6240-41f4-8638-f4ca7ed528fd" }, "uuid": "ee2739de-6829-4c73-b72b-91ba4b9fac5c", "value": "DragonOK uses PlugX" }, { "meta": { "source-uuid": "6a0ef5d4-fc7c-4dda-85d7-592e4dbdc5d9", "target-uuid": "7e150503-88e7-4861-866b-ff1ac82c4475" }, "uuid": "83ad6071-8874-49c9-98cd-0d493a8eeb07", "value": "Sykipot uses System Network Connections Discovery" }, { "meta": { "source-uuid": "09b2cd76-c674-47cc-9f57-d2f2ad150a46", "target-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0" }, "uuid": "0bd2ee1a-6202-4ff5-9a42-4869a276a92c", "value": "POWRUNER uses System Network Configuration Discovery" }, { "meta": { "source-uuid": "bb3c1098-d654-4620-bf40-694386d28921", "target-uuid": "ad255bfe-a9e6-4b52-a258-8d3462abe842" }, "uuid": "d8c5b193-b49d-4c0e-a9da-072302ff47a0", "value": "FakeM uses Data Obfuscation" }, { "meta": { "source-uuid": "cb7bcf6f-085f-41db-81ee-4b68481661b5", "target-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add" }, "uuid": "bdd64378-e348-4156-8490-528392c6ea82", "value": "CallMe uses Remote File Copy" }, { "meta": { "source-uuid": "dfb5fa9b-3051-4b97-8035-08f80aef945b", "target-uuid": "7bc57495-ea59-4380-be31-a64af124ef18" }, "uuid": "922c214d-ad32-4490-bb3f-a4db73b718d5", "value": "Psylo uses File and Directory Discovery" }, { "meta": { "source-uuid": "fb575479-14ef-41e9-bfab-0b7cf10bec73", "target-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580" }, "uuid": "66819f02-7a22-4f21-8e4f-df24969e5567", "value": "ADVSTORESHELL uses Process Discovery" }, { "meta": { "source-uuid": "5cbe0d3b-6fb1-471f-b591-4b192915116d", "target-uuid": "e3a12395-188d-4051-9a16-ea8e14d07b88" }, "uuid": "9b360cf4-4600-4ea8-a28c-99d91e0d1734", "value": "Suckfly uses Network Service Scanning" }, { "meta": { "source-uuid": "e6ef745b-077f-42e1-a37d-29eecff9c754", "target-uuid": "830c9528-df21-472c-8c14-a036bf17d665" }, "uuid": "233d1a32-f826-4705-a535-806edee8a5aa", "value": "CozyCar uses Web Service" }, { "meta": { "source-uuid": "d1acfbb3-647b-4723-9154-800ec119006e", 
"target-uuid": "196f1f32-e0c2-4d46-99cd-234d4b6befe1" }, "uuid": "b2496438-9431-40e5-8ca0-2ec713f342c3", "value": "Sowbug uses Felismus" }, { "meta": { "source-uuid": "2fb26586-2b53-4b9a-ad4f-2b3bcb9a2421", "target-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104" }, "uuid": "0df8e968-716a-4de9-9669-862af62d6eb6", "value": "SslMM uses System Owner/User Discovery" }, { "meta": { "source-uuid": "bef4c620-0787-42a8-a96d-b7eb6e85917c", "target-uuid": "1b7ba276-eedc-4951-a762-0ceea2c030ec" }, "uuid": "78e8d9e6-48b7-473f-af94-43f626de7931", "value": "APT28 uses Data from Removable Media" }, { "meta": { "source-uuid": "3e7018e9-7389-48e7-9208-0bdbcbba9483", "target-uuid": "d3046a90-580c-4004-8208-66915bc29830" }, "uuid": "02f28dfb-4e72-47e2-a390-2ec3fa67d26d", "value": "Clear Command History Mitigation mitigates Clear Command History" }, { "meta": { "source-uuid": "f108215f-3487-489d-be8b-80e346d32518", "target-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6" }, "uuid": "cdca2bdf-a29b-45d5-90ff-17ab56b094a4", "value": "Komplex uses Standard Application Layer Protocol" }, { "meta": { "source-uuid": "09b2cd76-c674-47cc-9f57-d2f2ad150a46", "target-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580" }, "uuid": "408db284-4c7a-4ad4-8399-90a8102b4bfa", "value": "POWRUNER uses Process Discovery" }, { "meta": { "source-uuid": "f108215f-3487-489d-be8b-80e346d32518", "target-uuid": "dd901512-6e37-4155-943b-453e3777b125" }, "uuid": "6c879d75-7f07-44ff-9801-815a549cdc44", "value": "Komplex uses Launch Agent" }, { "meta": { "source-uuid": "6a2e693f-24e5-451a-9f88-b36a108e5662", "target-uuid": "f2e8c7a1-cae1-45c4-baf0-6f21bdcbb2c2" }, "uuid": "324a5331-cce7-4154-a803-ad68d5de1f94", "value": "APT1 uses GLOOXMAIL" }, { "meta": { "source-uuid": "a569295c-a093-4db4-9fb4-7105edef85ad", "target-uuid": "3b3cbbe0-6ed3-4334-b543-3ddfd8c5642d" }, "uuid": "442aa7b4-00a0-4d73-ae61-5a09c319ac1c", "value": "Custom Cryptographic Protocol Mitigation mitigates Custom Cryptographic Protocol" }, { "meta": { 
"source-uuid": "326af1cd-78e7-45b7-a326-125d2f7ef8f2", "target-uuid": "1608f3e1-598a-42f4-a01a-2e252e81728f" }, "uuid": "892ff1d1-3da9-489e-89c3-374ab07a417b", "value": "Crimson uses Email Collection" }, { "meta": { "source-uuid": "326af1cd-78e7-45b7-a326-125d2f7ef8f2", "target-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add" }, "uuid": "a0186caf-482a-4f2a-bf2f-cac9fc51244a", "value": "Crimson uses Remote File Copy" }, { "meta": { "source-uuid": "eff1a885-6f90-42a1-901f-eef6e7a1905e", "target-uuid": "30973a08-aed9-4edf-8604-9084ce1b5c4f" }, "uuid": "a58983e1-45d7-4b45-a578-307659a619dc", "value": "Helminth uses Clipboard Data" }, { "meta": { "source-uuid": "0db09158-6e48-4e7c-8ce7-2b10b9c0c039", "target-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0" }, "uuid": "01ab8fee-5204-40c1-ac7a-b11a5683a87d", "value": "Misdat uses Masquerading" }, { "meta": { "source-uuid": "66b1dcde-17a0-4c7b-95fa-b08d430c2131", "target-uuid": "cc7b8c4e-9be0-47ca-b0bb-83915ec3ee2f" }, "uuid": "813e4416-bee6-4192-a712-6b5f80a7fff3", "value": "S-Type uses Data Encoding" }, { "meta": { "source-uuid": "ff6840c9-4c87-4d07-bbb6-9f50aa33d498", "target-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688" }, "uuid": "7ba62129-a4ba-42b4-9971-4a650682cb52", "value": "Flame uses Screen Capture" }, { "meta": { "source-uuid": "0bbdf25b-30ff-4894-a1cd-49260d0dd2d9", "target-uuid": "c21d5a77-d422-4a69-acd7-2c53c1faa34b" }, "uuid": "df4b49f1-71ca-4744-8554-47bf36174d89", "value": "APT3 uses Standard Non-Application Layer Protocol" }, { "meta": { "source-uuid": "399d9038-b100-43ef-b28d-a5065106b935", "target-uuid": "c21d5a77-d422-4a69-acd7-2c53c1faa34b" }, "uuid": "aa80b239-dc67-4883-adfd-6a10e96c18c6", "value": "Standard Non-Application Layer Protocol Mitigation mitigates Standard Non-Application Layer Protocol" }, { "meta": { "source-uuid": "bef4c620-0787-42a8-a96d-b7eb6e85917c", "target-uuid": "dcaa092b-7de9-4a21-977f-7fcb77e89c48" }, "uuid": "b719d37b-8f0e-4704-b21d-8977a5c7cceb",
"value": "APT28 uses Access Token Manipulation" }, { "meta": { "source-uuid": "af2ad3b7-ab6a-4807-91fd-51bcaff9acbb", "target-uuid": "774a3188-6ba9-4dc4-879d-d54ee48a5ce9" }, "uuid": "ae8a95fa-c0ad-40b4-a573-a9441ed94fab", "value": "USBStealer uses Automated Exfiltration" }, { "meta": { "source-uuid": "fde50aaa-f5de-4cb8-989a-babb57d6a704", "target-uuid": "a93494bb-4b80-4ea1-8695-3236a49916fd" }, "uuid": "2355c588-ff82-4eaf-82db-54af59ede582", "value": "Net Crawler uses Brute Force" }, { "meta": { "source-uuid": "94379dec-5c87-49db-b36e-66abc0b81344", "target-uuid": "c21d5a77-d422-4a69-acd7-2c53c1faa34b" }, "uuid": "c52eb151-c8c5-45f1-984b-d99a12ca05cf", "value": "Derusbi uses Standard Non-Application Layer Protocol" }, { "meta": { "source-uuid": "899ce53f-13a0-479b-a0e4-67d46e241542", "target-uuid": "65370d0b-3bd4-4653-8cf9-daf56f6be830" }, "uuid": "0e0197fe-eca5-4d70-bf72-2d9092bc777b", "value": "APT29 uses meek" }, { "meta": { "source-uuid": "c0c45d38-fe57-4cd4-b2b2-9ecd0ddd4ca9", "target-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2" }, "uuid": "d8f5283b-fe44-4206-8a7d-393d216beb7e", "value": "TinyZBot uses Input Capture" }, { "meta": { "source-uuid": "92ec0cbd-2c30-44a2-b270-73f4ec949841", "target-uuid": "62b8c999-dcc0-4755-bd69-09442d9359f5" }, "uuid": "b258b8da-ddd2-4f0e-b5da-83a89f018d54", "value": "RTM uses Rundll32" }, { "meta": { "source-uuid": "03342581-f790-4f03-ba41-e82e67392e23", "target-uuid": "15dbf668-795c-41e6-8219-f0447c0e64ce" }, "uuid": "75f7d0e0-b1e9-4289-8895-d8a262930523", "value": "Net uses Permission Groups Discovery" }, { "meta": { "source-uuid": "09b2cd76-c674-47cc-9f57-d2f2ad150a46", "target-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104" }, "uuid": "5183147b-4563-4a01-a360-a419691e35f8", "value": "POWRUNER uses System Owner/User Discovery" }, { "meta": { "source-uuid": "8901ac23-6b50-410c-b0dd-d8174a86f9b3", "target-uuid": "f3c544dc-673c-4ef3-accb-53229f1ae077" }, "uuid": "0024d82d-97ea-4dc5-81a1-8738862e1f3b", "value": "Shamoon uses System Time Discovery" }, { "meta": {
"source-uuid": "68dca94f-c11d-421e-9287-7c501108e18c", "target-uuid": "4ae4f953-fe58-4cc8-a327-33257e30a830" }, "uuid": "bbc31a33-f55f-43d4-a3fd-23426c5fc638", "value": "Duqu uses Application Window Discovery" }, { "meta": { "source-uuid": "92ec0cbd-2c30-44a2-b270-73f4ec949841", "target-uuid": "3b3cbbe0-6ed3-4334-b543-3ddfd8c5642d" }, "uuid": "87fb2671-e71a-4630-bde2-67e546fdeaa6", "value": "RTM uses Custom Cryptographic Protocol" }, { "meta": { "source-uuid": "0ced8926-914e-4c78-bc93-356fb90dbd1f", "target-uuid": "01a5a209-b94c-450b-b7f9-946497d91055" }, "uuid": "77ea5d03-715b-4247-8484-6c1cf2bc7984", "value": "HALFBAKED uses Windows Management Instrumentation" }, { "meta": { "source-uuid": "c1676218-c16a-41c9-8f7a-023779916e39", "target-uuid": "7e150503-88e7-4861-866b-ff1ac82c4475" }, "uuid": "b6f00052-49e3-48c5-8f5e-492be4e67acf", "value": "System Network Connections Discovery Mitigation mitigates System Network Connections Discovery" }, { "meta": { "source-uuid": "4ca1929c-7d64-4aab-b849-badbfc0c760d", "target-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22" }, "uuid": "0fa0f5d6-be0b-4a48-938c-6d9bb8b1a170", "value": "OilRig uses Credential Dumping" }, { "meta": { "source-uuid": "85403903-15e0-4f9f-9be4-a259ecad4022", "target-uuid": "6aabc5ec-eae6-422c-8311-38d45ee9838a" }, "uuid": "11f6ad22-0293-47bd-95d1-34bf4ee1de9e", "value": "FIN5 uses Redundant Access" }, { "meta": { "source-uuid": "624d063d-cda8-4616-b4e4-54c04e427aec", "target-uuid": "bb0e0cb5-f3e4-4118-a4cb-6bf13bfbc9f2" }, "uuid": "e8c25f99-67f0-4aae-aeee-55e5bcea2d8e", "value": "Netsh Helper DLL Mitigation mitigates Netsh Helper DLL" }, { "meta": { "source-uuid": "53cf6cc4-65aa-445a-bcf8-c3d296f8a7a2", "target-uuid": "c21d5a77-d422-4a69-acd7-2c53c1faa34b" }, "uuid": "b41abaa3-a21f-4d2c-9c60-c90c4f360b00", "value": "NETEAGLE uses Standard Non-Application Layer Protocol" }, { "meta": { "source-uuid": "69d6f4a9-fcf0-4f51-bca7-597c51ad0bb8", "target-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0" }, "uuid": 
"48b75b8b-5bef-4f99-baa8-5fa978d371d2", "value": "Remsec uses Masquerading" }, { "meta": { "source-uuid": "03342581-f790-4f03-ba41-e82e67392e23", "target-uuid": "3489cfc5-640f-4bb3-a103-9137b97de79f" }, "uuid": "3b5d1788-c59b-4e84-97b0-b109df608619", "value": "Net uses Network Share Discovery" }, { "meta": { "source-uuid": "17b40f60-729f-4fe8-8aea-cc9ee44a95d5", "target-uuid": "4b74a1d4-b0e9-4ef1-93f1-14ecc6e2f5b5" }, "uuid": "b94e707d-b2f8-4b68-acac-44d3777dd93f", "value": "RedLeaves uses Standard Cryptographic Protocol" }, { "meta": { "source-uuid": "6713ab67-e25b-49cc-808d-2b36d4fbc35c", "target-uuid": "ffe742ed-9100-4686-9e00-c331da544787" }, "uuid": "42d2f816-9db2-47bf-9481-3065d038725d", "value": "Ke3chang uses Windows Admin Shares" }, { "meta": { "source-uuid": "aafea02e-ece5-4bb2-91a6-3bf8c7f38a39", "target-uuid": "f879d51c-5476-431c-aedf-f14d207e4d1e" }, "uuid": "8924eb12-0841-48ca-9d36-69de932b1f21", "value": "Cobalt Strike uses Commonly Used Port" }, { "meta": { "source-uuid": "2a158b0a-7ef8-43cb-9985-bf34d1e12050", "target-uuid": "7f8730af-f683-423f-9ee1-5f6875a80481" }, "uuid": "956303a4-558c-433d-bc2f-28a7e69192ae", "value": "Naikon uses Sys10" }, { "meta": { "source-uuid": "a60657fa-e2e7-4f8f-8128-a882534ae8c5", "target-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0" }, "uuid": "1088fc27-2de5-4b73-83fd-6741ab3ff4d6", "value": "OwaAuth uses Masquerading" }, { "meta": { "source-uuid": "3cab1b76-2f40-4cd0-8d2c-7ed16eeb909c", "target-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580" }, "uuid": "771c349e-1b23-41ea-bcab-59bdbd6c935f", "value": "ELMER uses Process Discovery" }, { "meta": { "source-uuid": "09b2cd76-c674-47cc-9f57-d2f2ad150a46", "target-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9" }, "uuid": "ea5f9e1f-68fb-46dd-9e09-f66066808d0c", "value": "POWRUNER uses Scheduled Task" }, { "meta": { "source-uuid": "bef4c620-0787-42a8-a96d-b7eb6e85917c", "target-uuid": "64196062-5210-42c3-9a02-563a0d1797ef" }, "uuid": "c569059f-8a7d-4777-a111-d3ab62d178ca", 
"value": "APT28 uses Communication Through Removable Media" }, { "meta": { "source-uuid": "98e8a977-3416-43aa-87fa-33e287e9c14c", "target-uuid": "c21d5a77-d422-4a69-acd7-2c53c1faa34b" }, "uuid": "1984ba26-2309-49db-8c42-75951d0ef678", "value": "WINDSHIELD uses Standard Non-Application Layer Protocol" }, { "meta": { "source-uuid": "da5880b4-f7da-4869-85f2-e0aba84b8565", "target-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6" }, "uuid": "1782abeb-8d28-42a1-8abe-c137f23b282c", "value": "ComRAT uses Standard Application Layer Protocol" }, { "meta": { "source-uuid": "63c2a130-8a5b-452f-ad96-07cf0af12ffe", "target-uuid": "241814ae-de3f-4656-b49e-f9a80764d4b7" }, "uuid": "17f9d6c8-f938-4532-b834-3834655911b8", "value": "Dyre uses Security Software Discovery" }, { "meta": { "source-uuid": "c9703cd3-141c-43a0-a926-380082be5d04", "target-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9" }, "uuid": "eeeac3c6-78d1-4506-a9a9-2518d0c6e500", "value": "schtasks uses Scheduled Task" }, { "meta": { "source-uuid": "e6ef745b-077f-42e1-a37d-29eecff9c754", "target-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9" }, "uuid": "ae38c68d-cc08-4460-9d98-ddf957f837e2", "value": "CozyCar uses Scheduled Task" }, { "meta": { "source-uuid": "7a19ecb1-3c65-4de3-a230-993516aed6a6", "target-uuid": "b35068ec-107a-4266-bda8-eb7036267aea" }, "uuid": "1ab3f63b-bd80-4e4c-8f62-79f26b9724ab", "value": "Turla uses nbtstat" }, { "meta": { "source-uuid": "8bd1ae32-a686-48f4-a6f8-470287f76152", "target-uuid": "30208d3e-0d6b-43c8-883e-44462a514619" }, "uuid": "fa04ac7f-206f-42ad-b0c7-499e57bc99ce", "value": "Automated Collection Mitigation mitigates Automated Collection" }, { "meta": { "source-uuid": "c93fccb1-e8e8-42cf-ae33-2ad1d183913a", "target-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830" }, "uuid": "de376ec3-0fad-4c41-944d-2d74cee6968c", "value": "Lazarus Group uses Command-Line Interface" }, { "meta": { "source-uuid": "8a61f6b9-6b7a-4cf2-8e08-f1e26434f6df", "target-uuid": "91ce1ede-107f-4d8b-bf4c-735e8789c94b" }, 
"uuid": "67bde2b2-49d1-4a61-8fe7-1a48c58089e6", "value": "Input Prompt Mitigation mitigates Input Prompt" }, { "meta": { "source-uuid": "a8d3d497-2da9-4797-8e0b-ed176be08654", "target-uuid": "241814ae-de3f-4656-b49e-f9a80764d4b7" }, "uuid": "b1371fd9-1bfd-40b2-90a2-4876d89029bf", "value": "Wingbird uses Security Software Discovery" }, { "meta": { "source-uuid": "ab3580c8-8435-4117-aace-3d9fbe46aa56", "target-uuid": "2e0dd10b-676d-4964-acd0-8a404c92b044" }, "uuid": "fb1ff794-8060-42c8-8969-b6660b07068f", "value": "Unknown Logger uses Disabling Security Tools" }, { "meta": { "source-uuid": "68ba94ab-78b8-43e7-83e2-aed3466882c6", "target-uuid": "eff1a885-6f90-42a1-901f-eef6e7a1905e" }, "uuid": "ce288414-89f3-40d4-9a85-004d8a064eb4", "value": "APT34 uses Helminth" }, { "meta": { "source-uuid": "4b62ab58-c23b-4704-9c15-edd568cd59f8", "target-uuid": "6856ddd6-2df3-4379-8b87-284603c189c3" }, "uuid": "6ab0ff01-1695-4301-ac9a-1cd0719be532", "value": "Hacking Team UEFI Rootkit uses System Firmware" }, { "meta": { "source-uuid": "68dca94f-c11d-421e-9287-7c501108e18c", "target-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580" }, "uuid": "3b0a7f6a-173f-41e6-8dec-2d1b4a0851d9", "value": "Duqu uses Process Discovery" }, { "meta": { "source-uuid": "91000a8a-58cc-4aba-9ad0-993ad6302b86", "target-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1" }, "uuid": "788ca56e-1194-4c5f-a12b-72678390f1ef", "value": "StreamEx uses System Information Discovery" }, { "meta": { "source-uuid": "39706d54-0d06-4a25-816a-78cc43455100", "target-uuid": "1b7ba276-eedc-4951-a762-0ceea2c030ec" }, "uuid": "bb283a5e-7d61-4b33-aa30-e7c2f0bacbe6", "value": "Data from Removable Media Mitigation mitigates Data from Removable Media" }, { "meta": { "source-uuid": "d519164e-f5fa-4b8c-a1fb-cf0172ad0983", "target-uuid": "ffe742ed-9100-4686-9e00-c331da544787" }, "uuid": "0512a63b-58c8-4b0c-b2b4-e4da562cee5f", "value": "Threat Group-1314 uses Windows Admin Shares" }, { "meta": { "source-uuid": 
"8901ac23-6b50-410c-b0dd-d8174a86f9b3", "target-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9" }, "uuid": "8dd9d97d-0eb1-4e17-94ac-5589db51f878", "value": "Shamoon uses Scheduled Task" }, { "meta": { "source-uuid": "76abb3ef-dafd-4762-97cb-a35379429db4", "target-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59" }, "uuid": "85c95ce3-8685-4d2a-9d6f-7e4be4cd9623", "value": "Gazer uses File Deletion" }, { "meta": { "source-uuid": "2c3ce852-06a2-40ee-8fe6-086f6402a739", "target-uuid": "4be89c7c-ace6-4876-9377-c8d54cef3d63" }, "uuid": "4aecd118-a823-4859-9245-90155a0bbe11", "value": "Hypervisor Mitigation mitigates Hypervisor" }, { "meta": { "source-uuid": "5967cc93-57c9-404a-8ffd-097edfa7bdfc", "target-uuid": "68f7e3a1-f09f-4164-9a62-16b648a0dd5a" }, "uuid": "ecb0d858-dd15-4181-b15b-76459db1d294", "value": "Hi-Zor uses Regsvr32" }, { "meta": { "source-uuid": "7ecc3b4f-5cdb-457e-b55a-df376b359446", "target-uuid": "f4882e23-8aa7-4b12-b28a-b349c12ee9e0" }, "uuid": "e2ce90d2-7470-4f2d-a86c-f429b934ab35", "value": "Poseidon Group uses PowerShell" }, { "meta": { "source-uuid": "58adaaa8-f1e8-4606-9a08-422e568461eb", "target-uuid": "7e150503-88e7-4861-866b-ff1ac82c4475" }, "uuid": "a5efdeb3-10db-4e40-b8cd-61dee7d72cc0", "value": "SHOTPUT uses System Network Connections Discovery" }, { "meta": { "source-uuid": "76abb3ef-dafd-4762-97cb-a35379429db4", "target-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9" }, "uuid": "eb0307d6-901d-4140-84f9-a08c6a8ea14c", "value": "Gazer uses Scheduled Task" }, { "meta": { "source-uuid": "1c63d4ec-0a75-4daa-b1df-0d11af3d3cc1", "target-uuid": "b77cf5f3-6060-475d-bd60-40ccbf28fdc2" }, "uuid": "8c8cc494-628c-4540-b5ba-862cd937f94e", "value": "Dragonfly uses Forced Authentication" }, { "meta": { "source-uuid": "93f52415-0fe4-4d3d-896c-fc9b8e88ab90", "target-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc" }, "uuid": "d20b659b-3595-4171-9beb-668ab26bf398", "value": "BRONZE BUTLER uses Registry Run Keys / Start Folder" }, { "meta": { "source-uuid": 
"bef4c620-0787-42a8-a96d-b7eb6e85917c", "target-uuid": "edbe24e9-aec4-4994-ac75-6a6bc7f1ddd0" }, "uuid": "69f57458-bfb2-44a2-a8cf-0fce0e2b0a22", "value": "APT28 uses Dynamic Data Exchange" }, { "meta": { "source-uuid": "6e7db820-9735-4545-bc64-039bc4ce354b", "target-uuid": "a0a189c8-d3bd-4991-bf6f-153d185ee373" }, "uuid": "0a4e270a-5641-424d-a343-437ae9548125", "value": "LC_MAIN Hijacking Mitigation mitigates LC_MAIN Hijacking" }, { "meta": { "source-uuid": "2a7914cf-dff3-428d-ab0f-1014d1c28aeb", "target-uuid": "b21c3b2d-02e6-45b1-980b-e69051040839" }, "uuid": "74e737cf-67fb-4f80-ac4e-0ddff90b6f8e", "value": "FIN6 uses Exploitation of Vulnerability" }, { "meta": { "source-uuid": "c93fccb1-e8e8-42cf-ae33-2ad1d183913a", "target-uuid": "128c55d3-aeba-469f-bd3e-c8996ab4112a" }, "uuid": "d35f6c6f-c1ed-4b0d-b95f-9fd762eb3ac7", "value": "Lazarus Group uses Timestomp" }, { "meta": { "source-uuid": "e9595678-d269-469e-ae6b-75e49259de63", "target-uuid": "ae676644-d2d2-41b7-af7e-9bed1b55898c" }, "uuid": "6c9649b7-00c6-4503-a911-9e8b9086eac4", "value": "BADNEWS uses Data from Network Shared Drive" }, { "meta": { "source-uuid": "64fa0de0-6240-41f4-8638-f4ca7ed528fd", "target-uuid": "b2001907-166b-4d71-bb3c-9d26c871de09" }, "uuid": "464ce0ed-31a5-4a99-9791-9ce5bb987f58", "value": "PlugX uses DLL Side-Loading" }, { "meta": { "source-uuid": "247cb30b-955f-42eb-97a5-a89fef69341e", "target-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add" }, "uuid": "93f1726f-f172-4705-a13a-d5adaeb4e91b", "value": "APT32 uses Remote File Copy" }, { "meta": { "source-uuid": "3753cc21-2dae-4dfb-8481-d004e74502cc", "target-uuid": "f4882e23-8aa7-4b12-b28a-b349c12ee9e0" }, "uuid": "4856de0a-2635-4081-97a8-3f15593c2aa5", "value": "FIN7 uses PowerShell" }, { "meta": { "source-uuid": "7331c66a-5601-4d3f-acf6-ad9e3035eb40", "target-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59" }, "uuid": "a9bc7666-f637-4093-a5bb-4edb61710e45", "value": "Group5 uses File Deletion" }, { "meta": { "source-uuid": 
"68ba94ab-78b8-43e7-83e2-aed3466882c6", "target-uuid": "0998045d-f96e-4284-95ce-3c8219707486" }, "uuid": "47214641-972c-4924-828a-3db470553dcb", "value": "APT34 uses SEASHARPEE" }, { "meta": { "source-uuid": "8ae43c46-57ef-47d5-a77a-eebb35628db2", "target-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1" }, "uuid": "e11d4f32-842a-4684-8974-f368e52b8632", "value": "JHUHUGIT uses System Information Discovery" }, { "meta": { "source-uuid": "67e6d66b-1b82-4699-b47a-e2efb6268d14", "target-uuid": "6ff403bc-93e3-48be-8687-e102fdba8c88" }, "uuid": "8a48e56d-f837-4a5a-99b6-db0f60b541a0", "value": "SeaDuke uses Software Packing" }, { "meta": { "source-uuid": "69d6f4a9-fcf0-4f51-bca7-597c51ad0bb8", "target-uuid": "e358d692-23c0-4a31-9eb6-ecc13a8d7735" }, "uuid": "51742efe-5f0c-4fbf-9eb7-5e765a0a408f", "value": "Remsec uses Remote System Discovery" }, { "meta": { "source-uuid": "2a8de25c-f743-4348-b101-3ee33ab5871b", "target-uuid": "d54416bd-0803-41ca-870a-ce1af7c05638" }, "uuid": "bd5699e8-8765-4f24-8307-c81a296b87e0", "value": "Data Encrypted Mitigation mitigates Data Encrypted" }, { "meta": { "source-uuid": "38fd6a28-3353-4f2b-bb2b-459fecd5c648", "target-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81" }, "uuid": "1ac5bace-cdc2-4a1b-abad-d30ca0ed7f45", "value": "APT18 uses Valid Accounts" }, { "meta": { "source-uuid": "17862c7d-9e60-48a0-b48e-da4dc4c3f6b0", "target-uuid": "51dea151-0898-4a45-967c-3ebee0420484" }, "uuid": "2816f512-1a04-4cf8-94e9-36720b949c76", "value": "Patchwork uses Remote Desktop Protocol" }, { "meta": { "source-uuid": "16ade1aa-0ea1-4bb7-88cc-9079df2ae756", "target-uuid": "123bd7b3-675c-4b1a-8482-c55782b20e2b" }, "uuid": "013ab34f-54bf-4813-bd37-42a4eebb8d52", "value": "admin@338 uses BUBBLEWRAP" }, { "meta": { "source-uuid": "94379dec-5c87-49db-b36e-66abc0b81344", "target-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580" }, "uuid": "f017f6c0-96f4-46f1-905f-44e9950effbc", "value": "Derusbi uses Process Discovery" }, { "meta": { "source-uuid": 
"93f52415-0fe4-4d3d-896c-fc9b8e88ab90", "target-uuid": "b9f5dbe2-4c55-4fc5-af2e-d42c1d182ec4" }, "uuid": "99e9583f-433d-437d-bf37-7ea2b3f1b613", "value": "BRONZE BUTLER uses Data Compressed" }, { "meta": { "source-uuid": "cba78a1c-186f-4112-9e6a-be1839f030f7", "target-uuid": "02fefddc-fb1b-423f-a76b-7552dd211d4d" }, "uuid": "44b56e08-7cd1-442c-8806-c69bb65fd231", "value": "ROCKBOOT uses Bootkit" }, { "meta": { "source-uuid": "7343e208-7cab-45f2-a47b-41ba5e2f0fab", "target-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add" }, "uuid": "59aabb7b-9211-4577-9c6b-ba2cf6e3704c", "value": "XTunnel uses Remote File Copy" }, { "meta": { "source-uuid": "34efb2fd-4dc2-40d4-a564-0c147c85034d", "target-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59" }, "uuid": "8ff745b7-9985-4781-a8bc-dae6d71233d3", "value": "File Deletion Mitigation mitigates File Deletion" }, { "meta": { "source-uuid": "85403903-15e0-4f9f-9be4-a259ecad4022", "target-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22" }, "uuid": "6b429676-7b77-4453-a6ce-2d6a6cb0dfe7", "value": "FIN5 uses Credential Dumping" }, { "meta": { "source-uuid": "1cc934e4-b01d-4543-a011-b988dfc1a458", "target-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a" }, "uuid": "573916d8-804d-4453-be37-e6b1865e87db", "value": "Matroyshka uses Obfuscated Files or Information" }, { "meta": { "source-uuid": "92ec0cbd-2c30-44a2-b270-73f4ec949841", "target-uuid": "799ace7f-e227-4411-baa0-8868704f2a69" }, "uuid": "81cfd1fd-999b-4730-b5dc-363d367dd92e", "value": "RTM uses Indicator Removal on Host" }, { "meta": { "source-uuid": "eff1a885-6f90-42a1-901f-eef6e7a1905e", "target-uuid": "c3888c54-775d-4b2f-b759-75a2ececcbfd" }, "uuid": "f81274dc-2f5b-47f7-b91f-70a4ebdfde95", "value": "Helminth uses Data Transfer Size Limits" }, { "meta": { "source-uuid": "f0a42cad-9b1f-44da-a672-718f18381018", "target-uuid": "246fd3c7-f5e3-466d-8787-4c13d9e3b61c" }, "uuid": "37781434-3f1e-4f45-af34-b2378647c13a", "value": "Taint Shared Content Mitigation mitigates Taint Shared Content" }, { 
"meta": { "source-uuid": "899ce53f-13a0-479b-a0e4-67d46e241542", "target-uuid": "67e6d66b-1b82-4699-b47a-e2efb6268d14" }, "uuid": "8d6cf235-4a33-4866-9b73-a7119293e5db", "value": "APT29 uses SeaDuke" }, { "meta": { "source-uuid": "85403903-15e0-4f9f-9be4-a259ecad4022", "target-uuid": "799ace7f-e227-4411-baa0-8868704f2a69" }, "uuid": "9b43f780-6a8b-477f-826f-c45e867749c9", "value": "FIN5 uses Indicator Removal on Host" }, { "meta": { "source-uuid": "ff6caf67-ea1f-4895-b80e-4bb0fc31c6db", "target-uuid": "f44731de-ea9f-406d-9b83-30ecbb9b4392" }, "uuid": "a66aff09-0635-44a3-b591-a530a25c9012", "value": "PsExec uses Service Execution" }, { "meta": { "source-uuid": "894aab42-3371-47b1-8859-a4a074c804c8", "target-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1" }, "uuid": "efbe5efa-6863-4334-90e5-d7caab9806a6", "value": "Stealth Falcon uses System Information Discovery" }, { "meta": { "source-uuid": "fe98767f-9df8-42b9-83c9-004b1dec8647", "target-uuid": "251fbae2-78f6-4de7-84f6-194c727a64ad" }, "uuid": "71416f0d-b037-48b2-a14d-acb1a5f3a4a4", "value": "PittyTiger uses Lurid" }, { "meta": { "source-uuid": "4f6aa78c-c3d4-4883-9840-96ca2f5d6d47", "target-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830" }, "uuid": "b8e6bb17-9652-464d-8e5d-bd21e1f69a2e", "value": "TEXTMATE uses Command-Line Interface" }, { "meta": { "source-uuid": "eff1a885-6f90-42a1-901f-eef6e7a1905e", "target-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc" }, "uuid": "2a7cd52f-46e5-4a18-bdf6-4c38edfcb97c", "value": "Helminth uses Registry Run Keys / Start Folder" }, { "meta": { "source-uuid": "c93fccb1-e8e8-42cf-ae33-2ad1d183913a", "target-uuid": "495b6cdb-7b5a-4fbc-8d33-e7ef68806d08" }, "uuid": "e46836e5-8ffe-45e5-9398-bb9fbb3a4aeb", "value": "Lazarus Group uses Volgmer" }, { "meta": { "source-uuid": "bef4c620-0787-42a8-a96d-b7eb6e85917c", "target-uuid": "128c55d3-aeba-469f-bd3e-c8996ab4112a" }, "uuid": "1036833a-1d4c-4d9e-b716-1e52606ab684", "value": "APT28 uses Timestomp" }, { "meta": { "source-uuid": 
"a653431d-6a5e-4600-8ad3-609b5af57064", "target-uuid": "7fd87010-3a00-4da3-b905-410525e8ec44" }, "uuid": "8cbcb17a-01f4-4899-bc83-9b02fd44f861", "value": "Deep Panda uses Scripting" }, { "meta": { "source-uuid": "d4fd04e0-d1a4-4b5a-a5bb-16683cdbcce2", "target-uuid": "10d51417-ee35-4589-b1ff-b6df1c334e8d" }, "uuid": "a93e5f9f-5c8c-4832-93db-a6c180840a43", "value": "External Remote Services Mitigation mitigates External Remote Services" }, { "meta": { "source-uuid": "0998045d-f96e-4284-95ce-3c8219707486", "target-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830" }, "uuid": "7276fbbe-3237-4e95-b2ad-8518327432ba", "value": "SEASHARPEE uses Command-Line Interface" }, { "meta": { "source-uuid": "22addc7b-b39f-483d-979a-1b35147da5de", "target-uuid": "7bc57495-ea59-4380-be31-a64af124ef18" }, "uuid": "1684e405-53bd-4951-a26d-e7c39887b06a", "value": "WinMM uses File and Directory Discovery" }, { "meta": { "source-uuid": "199463de-d9be-46d6-bb41-07234c1dd5a6", "target-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0" }, "uuid": "847752f4-59a2-46e9-ae28-befe0142b223", "value": "GeminiDuke uses System Network Configuration Discovery" }, { "meta": { "source-uuid": "2e290bfe-93b5-48ce-97d6-edcd6d32b7cf", "target-uuid": "92d7da27-2d91-488e-a00c-059dc162766d" }, "uuid": "d361058d-a11b-470d-bed8-44bfd8e50393", "value": "Gamaredon Group uses Exfiltration Over Command and Control Channel" }, { "meta": { "source-uuid": "54cc1d4f-5c53-4f0e-9ef5-11b4998e82e4", "target-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc" }, "uuid": "cd2a7854-1339-4f40-8ba1-be032dc5249e", "value": "BlackEnergy uses Registry Run Keys / Start Folder" }, { "meta": { "source-uuid": "17e919aa-4a49-445c-b103-dbb8df9e7351", "target-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896" }, "uuid": "9c79076c-341f-4eb3-bed7-300723747b18", "value": "POWERSOURCE uses Query Registry" }, { "meta": { "source-uuid": "e1161124-f22e-487f-9d5f-ed8efc8dcd61", "target-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104" }, "uuid": 
"a1e9769e-5172-4959-84d3-5a28796f86e1", "value": "Mis-Type uses System Owner/User Discovery" }, { "meta": { "source-uuid": "60c18d06-7b91-4742-bae3-647845cd9d81", "target-uuid": "3b3cbbe0-6ed3-4334-b543-3ddfd8c5642d" }, "uuid": "f4e53b40-abcf-4157-9e53-4ab9632619f1", "value": "CORESHELL uses Custom Cryptographic Protocol" }, { "meta": { "source-uuid": "e9595678-d269-469e-ae6b-75e49259de63", "target-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670" }, "uuid": "d15cda3e-7ed6-4914-a0a8-ff1f4fe668ec", "value": "BADNEWS uses Execution through API" }, { "meta": { "source-uuid": "96566860-9f11-4b6f-964d-1c924e4f24a4", "target-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c" }, "uuid": "283bdd5f-f356-43a2-864c-6f8211073d45", "value": "Starloader uses Deobfuscate/Decode Files or Information" }, { "meta": { "source-uuid": "c93fccb1-e8e8-42cf-ae33-2ad1d183913a", "target-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2" }, "uuid": "7f695d14-17e1-46c6-92eb-7c2f57fc6553", "value": "Lazarus Group uses Input Capture" } ] }