misp-galaxy/clusters/mitre-enterprise-attack-relationship.json
Deborah Servili 8d4053741b jq
2018-04-04 12:54:04 +02:00

17277 lines
606 KiB
JSON

{
"name": "Enterprise Attack - Relationship",
"type": "mitre-enterprise-attack-relationship",
"description": "MITRE Relationship",
"version": 3,
"source": "https://github.com/mitre/cti",
"uuid": "fc605f90-1707-11e8-9d6a-9f165ac2ab5c",
"authors": [
"MITRE"
],
"values": [
{
"meta": {
"source-uuid": "222fbd21-fc4f-4b7e-9f85-0e6e3a76c33f",
"target-uuid": "2f1a9fd0-3b7c-4d77-a358-78db13adbe78"
},
"uuid": "cfc7da70-d7c5-4508-8f50-1c3107269633",
"value": "menuPass (G0045) uses EvilGrab (S0152)"
},
{
"meta": {
"source-uuid": "69d6f4a9-fcf0-4f51-bca7-597c51ad0bb8",
"target-uuid": "241814ae-de3f-4656-b49e-f9a80764d4b7"
},
"uuid": "ea61c268-d0d1-4cbe-8b26-16f70f515a04",
"value": "Remsec (S0125) uses Security Software Discovery (T1063)"
},
{
"meta": {
"source-uuid": "0998045d-f96e-4284-95ce-3c8219707486",
"target-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add"
},
"uuid": "04ecc705-0027-4dda-85fe-d6ce028ef05e",
"value": "SEASHARPEE (S0185) uses Remote File Copy (T1105)"
},
{
"meta": {
"source-uuid": "0bbdf25b-30ff-4894-a1cd-49260d0dd2d9",
"target-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830"
},
"uuid": "41d61146-4a42-4897-b4a1-a706130a322d",
"value": "APT3 (G0022) uses Command-Line Interface (T1059)"
},
{
"meta": {
"source-uuid": "b2203c59-4089-4ee4-bfe1-28fa25f0dbfe",
"target-uuid": "a19e86f8-1c0a-4fea-8407-23b73d615776"
},
"uuid": "ed2c177c-18fc-4bfd-9169-48af1557a542",
"value": "Cherry Picker (S0107) uses Exfiltration Over Alternative Protocol (T1048)"
},
{
"meta": {
"source-uuid": "8901ac23-6b50-410c-b0dd-d8174a86f9b3",
"target-uuid": "7bc57495-ea59-4380-be31-a64af124ef18"
},
"uuid": "ab3ac76f-5ddc-44dc-bb2f-670d6bf08e0b",
"value": "Shamoon (S0140) uses File and Directory Discovery (T1083)"
},
{
"meta": {
"source-uuid": "93f52415-0fe4-4d3d-896c-fc9b8e88ab90",
"target-uuid": "a257ed11-ff3b-4216-8c9d-3938ef57064c"
},
"uuid": "eb91c7d8-2cfb-4d8b-905a-d146bc8178e2",
"value": "BRONZE BUTLER (G0060) uses Pass the Ticket (T1097)"
},
{
"meta": {
"source-uuid": "4ca1929c-7d64-4aab-b849-badbfc0c760d",
"target-uuid": "54a649ff-439a-41a4-9856-8d144a2551ba"
},
"uuid": "bd83109f-198a-43b0-a4c9-c13dd671c2da",
"value": "OilRig (G0049) uses Remote Services (T1021)"
},
{
"meta": {
"source-uuid": "bef4c620-0787-42a8-a96d-b7eb6e85917c",
"target-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add"
},
"uuid": "644b6c21-90f0-43b7-8da4-7f6f24ddabb6",
"value": "APT28 (G0007) uses Remote File Copy (T1105)"
},
{
"meta": {
"source-uuid": "69d6f4a9-fcf0-4f51-bca7-597c51ad0bb8",
"target-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6"
},
"uuid": "d7e57ff2-f14b-44fa-97e3-8bc976cb9bd5",
"value": "Remsec (S0125) uses Standard Application Layer Protocol (T1071)"
},
{
"meta": {
"source-uuid": "5be33fef-39c0-4532-84ee-bea31e1b5324",
"target-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9"
},
"uuid": "ee5e40d0-f72e-4e0b-8b10-cd5c2057cdc0",
"value": "ISMInjector (S0189) uses Scheduled Task (T1053)"
},
{
"meta": {
"source-uuid": "2f1a9fd0-3b7c-4d77-a358-78db13adbe78",
"target-uuid": "1035cdf2-3e5f-446f-a7a7-e8f6d7925967"
},
"uuid": "5599906d-5be3-420c-9f84-e762d85c2511",
"value": "EvilGrab (S0152) uses Audio Capture (T1123)"
},
{
"meta": {
"source-uuid": "f9d6633a-55e6-4adc-9263-6ae080421a13",
"target-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add"
},
"uuid": "47f521b8-37e4-489d-b6eb-25f35de80aae",
"value": "Magic Hound (G0059) uses Remote File Copy (T1105)"
},
{
"meta": {
"source-uuid": "2a7914cf-dff3-428d-ab0f-1014d1c28aeb",
"target-uuid": "51dea151-0898-4a45-967c-3ebee0420484"
},
"uuid": "a317b097-b819-441b-b344-9f129ba6cb40",
"value": "FIN6 (G0037) uses Remote Desktop Protocol (T1076)"
},
{
"meta": {
"source-uuid": "68ba94ab-78b8-43e7-83e2-aed3466882c6",
"target-uuid": "03342581-f790-4f03-ba41-e82e67392e23"
},
"uuid": "e76b1b21-17c1-4e3b-ac3a-92fb8afc4130",
"value": "APT34 (G0057) uses Net (S0039)"
},
{
"meta": {
"source-uuid": "5e7ef1dc-7fb6-4913-ac75-e06113b59e0c",
"target-uuid": "f24faf46-3b26-4dbb-98f2-63460498e433"
},
"uuid": "62c8913c-c193-4feb-ab58-88343838336d",
"value": "MiniDuke (S0051) uses Fallback Channels (T1008)"
},
{
"meta": {
"source-uuid": "6713ab67-e25b-49cc-808d-2b36d4fbc35c",
"target-uuid": "294e2560-bd48-44b2-9da2-833b5588ad11"
},
"uuid": "f879eea1-2a05-484d-adbb-c3504813fc5d",
"value": "Ke3chang (G0004) uses ipconfig (S0100)"
},
{
"meta": {
"source-uuid": "7331c66a-5601-4d3f-acf6-ad9e3035eb40",
"target-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2"
},
"uuid": "8447c89e-a743-430e-8ef5-41abfcde1a01",
"value": "Group5 (G0043) uses Input Capture (T1056)"
},
{
"meta": {
"source-uuid": "381fcf73-60f6-4ab2-9991-6af3cbc35192",
"target-uuid": "54cc1d4f-5c53-4f0e-9ef5-11b4998e82e4"
},
"uuid": "b349ef5f-4a05-4eef-afe4-1543b8c832fa",
"value": "Sandworm Team (G0034) uses BlackEnergy (S0089)"
},
{
"meta": {
"source-uuid": "fb575479-14ef-41e9-bfab-0b7cf10bec73",
"target-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a"
},
"uuid": "b6fc7740-4e5f-4f4c-8b1e-d0e3368eee03",
"value": "ADVSTORESHELL (S0045) uses Obfuscated Files or Information (T1027)"
},
{
"meta": {
"source-uuid": "247cb30b-955f-42eb-97a5-a89fef69341e",
"target-uuid": "9ca488bd-9587-48ef-b923-1743523e63b2"
},
"uuid": "55f58d30-b633-4094-97bb-6ab872c0f480",
"value": "APT32 (G0050) uses SOUNDBITE (S0157)"
},
{
"meta": {
"source-uuid": "22addc7b-b39f-483d-979a-1b35147da5de",
"target-uuid": "f24faf46-3b26-4dbb-98f2-63460498e433"
},
"uuid": "70a93fc8-83c0-4407-8224-ae447af1235a",
"value": "WinMM (S0059) uses Fallback Channels (T1008)"
},
{
"meta": {
"source-uuid": "e48df773-7c95-4a4c-ba70-ea3d15900148",
"target-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896"
},
"uuid": "521146dd-185d-4a8c-a3b4-b3caedbc7a14",
"value": "DownPaper (S0186) uses Query Registry (T1012)"
},
{
"meta": {
"source-uuid": "160af6af-e733-4b6a-a04a-71c620ac0930",
"target-uuid": "92a78814-b191-47ca-909c-1ccfe3777414"
},
"uuid": "b0d10c67-94bf-4bb3-8122-6f4d9e8106c1",
"value": "Third-party Software Mitigation (T1072) mitigates Third-party Software (T1072)"
},
{
"meta": {
"source-uuid": "4f6aa78c-c3d4-4883-9840-96ca2f5d6d47",
"target-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6"
},
"uuid": "0d9114a6-6452-4668-95eb-f91bcb300d2d",
"value": "TEXTMATE (S0146) uses Standard Application Layer Protocol (T1071)"
},
{
"meta": {
"source-uuid": "a653431d-6a5e-4600-8ad3-609b5af57064",
"target-uuid": "00d0b012-8a03-410e-95de-5826bf542de6"
},
"uuid": "4d68b3eb-9689-4a6d-b6ab-367fbc5ddade",
"value": "Deep Panda (G0009) uses Indicator Removal from Tools (T1066)"
},
{
"meta": {
"source-uuid": "f9d6633a-55e6-4adc-9263-6ae080421a13",
"target-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc"
},
"uuid": "0a507d28-ef6b-417b-a968-e82608e8b6a8",
"value": "Magic Hound (G0059) uses Registry Run Keys / Start Folder (T1060)"
},
{
"meta": {
"source-uuid": "cfd2cd3b-93e7-4b3e-ab46-f8bcafdbdfcf",
"target-uuid": "0a5231ec-41af-4a35-83d0-6bdf11f28c65"
},
"uuid": "ef2b823b-2fb1-442a-9d91-cf088242f6a6",
"value": "Execution through Module Load Mitigation (T1129) mitigates Execution through Module Load (T1129)"
},
{
"meta": {
"source-uuid": "fb261c56-b80e-43a9-8351-c84081e7213d",
"target-uuid": "970cdb5c-02fb-4c38-b17e-d6327cf3c810"
},
"uuid": "c327c333-46c4-4e23-81e0-2f0e07c24c11",
"value": "BACKSPACE (S0031) uses Shortcut Modification (T1023)"
},
{
"meta": {
"source-uuid": "ad4f146f-e3ec-444a-ba71-24bffd7f0f8e",
"target-uuid": "f879d51c-5476-431c-aedf-f14d207e4d1e"
},
"uuid": "fb6a804a-1929-4c13-a78d-1cf724c09e77",
"value": "RIPTIDE (S0003) uses Commonly Used Port (T1043)"
},
{
"meta": {
"source-uuid": "c5574ca0-d5a4-490a-b207-e4658e5fd1d7",
"target-uuid": "cb7bcf6f-085f-41db-81ee-4b68481661b5"
},
"uuid": "a4106a52-b3e7-4aa9-b2ca-125f206dbf91",
"value": "Scarlet Mimic (G0029) uses CallMe (S0077)"
},
{
"meta": {
"source-uuid": "2a7914cf-dff3-428d-ab0f-1014d1c28aeb",
"target-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81"
},
"uuid": "da395019-238a-4c4e-b4cd-43947e8aa019",
"value": "FIN6 (G0037) uses Valid Accounts (T1078)"
},
{
"meta": {
"source-uuid": "88c621a7-aef9-4ae0-94e3-1fc87123eb24",
"target-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59"
},
"uuid": "af883d09-3f26-4267-9081-4783447e3283",
"value": "gh0st (S0032) uses File Deletion (T1107)"
},
{
"meta": {
"source-uuid": "9752aef4-a1f3-4328-929f-b64eb0536090",
"target-uuid": "478aa214-2ca7-4ec0-9978-18798e514790"
},
"uuid": "d0b2e189-e764-44ec-9373-2f23212f6a45",
"value": "RawPOS (S0169) uses New Service (T1050)"
},
{
"meta": {
"source-uuid": "c93fccb1-e8e8-42cf-ae33-2ad1d183913a",
"target-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add"
},
"uuid": "115562b8-9d7c-435e-af6e-0be6249742d0",
"value": "Lazarus Group (G0032) uses Remote File Copy (T1105)"
},
{
"meta": {
"source-uuid": "bef4c620-0787-42a8-a96d-b7eb6e85917c",
"target-uuid": "c23b740b-a42b-47a1-aec2-9d48ddd547ff"
},
"uuid": "22ccfcb8-cb4a-4b9e-bc2d-c0bd2701e2e9",
"value": "APT28 (G0007) uses Pass the Hash (T1075)"
},
{
"meta": {
"source-uuid": "ff6840c9-4c87-4d07-bbb6-9f50aa33d498",
"target-uuid": "b21c3b2d-02e6-45b1-980b-e69051040839"
},
"uuid": "78b504a4-2bdd-44dd-b954-a7fa120f1efd",
"value": "Flame (S0143) uses Exploitation of Vulnerability (T1068)"
},
{
"meta": {
"source-uuid": "894aab42-3371-47b1-8859-a4a074c804c8",
"target-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0"
},
"uuid": "510c2f8c-4570-4c19-8c36-7004f8bbf561",
"value": "Stealth Falcon (G0038) uses System Network Configuration Discovery (T1016)"
},
{
"meta": {
"source-uuid": "9e729a7e-0dd6-4097-95bf-db8d64911383",
"target-uuid": "246fd3c7-f5e3-466d-8787-4c13d9e3b61c"
},
"uuid": "27b05a62-5310-40d9-9e49-b4dce3afad55",
"value": "Darkhotel (G0012) uses Taint Shared Content (T1080)"
},
{
"meta": {
"source-uuid": "0bbdf25b-30ff-4894-a1cd-49260d0dd2d9",
"target-uuid": "7bc57495-ea59-4380-be31-a64af124ef18"
},
"uuid": "a8b248fe-a27c-40fd-83d5-f4382035d656",
"value": "APT3 (G0022) uses File and Directory Discovery (T1083)"
},
{
"meta": {
"source-uuid": "91000a8a-58cc-4aba-9ad0-993ad6302b86",
"target-uuid": "7bc57495-ea59-4380-be31-a64af124ef18"
},
"uuid": "c8b0afbb-12eb-4b45-a1e1-b11755de2976",
"value": "StreamEx (S0142) uses File and Directory Discovery (T1083)"
},
{
"meta": {
"source-uuid": "68ba94ab-78b8-43e7-83e2-aed3466882c6",
"target-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81"
},
"uuid": "78364654-f94c-4b7b-b5ec-19bedb58ec4f",
"value": "APT34 (G0057) uses Valid Accounts (T1078)"
},
{
"meta": {
"source-uuid": "28adf6fd-ab6c-4553-9aa7-cef18a191f33",
"target-uuid": "b9f5dbe2-4c55-4fc5-af2e-d42c1d182ec4"
},
"uuid": "ea46cbd0-7134-4ede-a117-47380ddd9b5c",
"value": "Data Compressed Mitigation (T1002) mitigates Data Compressed (T1002)"
},
{
"meta": {
"source-uuid": "247cb30b-955f-42eb-97a5-a89fef69341e",
"target-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81"
},
"uuid": "70bc1a16-3c57-4198-b2f9-c7f27bec271c",
"value": "APT32 (G0050) uses Valid Accounts (T1078)"
},
{
"meta": {
"source-uuid": "c93fccb1-e8e8-42cf-ae33-2ad1d183913a",
"target-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc"
},
"uuid": "6ab291a5-8061-4ad4-a6a7-07a6142e4c27",
"value": "Lazarus Group (G0032) uses Registry Run Keys / Start Folder (T1060)"
},
{
"meta": {
"source-uuid": "ccd61dfc-b03f-4689-8c18-7c97eab08472",
"target-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6"
},
"uuid": "3a9abcd5-52ba-44f1-96a5-1593f816b9f0",
"value": "CHOPSTICK (S0023) uses Standard Application Layer Protocol (T1071)"
},
{
"meta": {
"source-uuid": "251fbae2-78f6-4de7-84f6-194c727a64ad",
"target-uuid": "3b3cbbe0-6ed3-4334-b543-3ddfd8c5642d"
},
"uuid": "21717b6b-1fc6-4619-9877-bb36237a8efd",
"value": "Lurid (S0010) uses Custom Cryptographic Protocol (T1024)"
},
{
"meta": {
"source-uuid": "eff1a885-6f90-42a1-901f-eef6e7a1905e",
"target-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580"
},
"uuid": "5bb90849-cdfe-4cc0-9ca3-128f17b2a1d1",
"value": "Helminth (S0170) uses Process Discovery (T1057)"
},
{
"meta": {
"source-uuid": "166c0eca-02fd-424a-92c0-6b5106994d31",
"target-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add"
},
"uuid": "2025480a-6d91-4ef5-a6ea-cc025c8aecfb",
"value": "ZLib (S0086) uses Remote File Copy (T1105)"
},
{
"meta": {
"source-uuid": "ff6840c9-4c87-4d07-bbb6-9f50aa33d498",
"target-uuid": "e01be9c5-e763-4caf-aeb7-000b416aef67"
},
"uuid": "57e6eba5-cb21-4a0d-b524-4981f49037b1",
"value": "Flame (S0143) uses Create Account (T1136)"
},
{
"meta": {
"source-uuid": "64fa0de0-6240-41f4-8638-f4ca7ed528fd",
"target-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc"
},
"uuid": "a29d9514-3284-4ac2-a93a-e17750519534",
"value": "PlugX (S0013) uses Registry Run Keys / Start Folder (T1060)"
},
{
"meta": {
"source-uuid": "2daa14d6-cbf3-4308-bb8e-213c324a08e4",
"target-uuid": "a19e86f8-1c0a-4fea-8407-23b73d615776"
},
"uuid": "1e2baacb-9033-49a9-890a-f48c87ab1531",
"value": "HAMMERTOSS (S0037) uses Exfiltration Over Alternative Protocol (T1048)"
},
{
"meta": {
"source-uuid": "495b6cdb-7b5a-4fbc-8d33-e7ef68806d08",
"target-uuid": "c848fcf7-6b62-4bde-8216-b6c157d48da0"
},
"uuid": "11de35bf-195d-4097-a27a-d2e2b7c433b3",
"value": "Volgmer (S0180) uses Uncommonly Used Port (T1065)"
},
{
"meta": {
"source-uuid": "c0c45d38-fe57-4cd4-b2b2-9ecd0ddd4ca9",
"target-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830"
},
"uuid": "fdc4c379-e6e6-4454-933d-2a9a4a78cf98",
"value": "TinyZBot (S0004) uses Command-Line Interface (T1059)"
},
{
"meta": {
"source-uuid": "a653431d-6a5e-4600-8ad3-609b5af57064",
"target-uuid": "96b08451-b27a-4ff6-893f-790e26393a8e"
},
"uuid": "70dc6b5c-c524-429e-a6ab-0dd40f0482c1",
"value": "Deep Panda (G0009) uses Sakula (S0074)"
},
{
"meta": {
"source-uuid": "64d76fa5-cf8f-469c-b78c-1a4f7c5bad80",
"target-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59"
},
"uuid": "93812c9c-39f1-4bf6-adda-601d0ffd88bf",
"value": "BBSRAT (S0127) uses File Deletion (T1107)"
},
{
"meta": {
"source-uuid": "f6d1d2cb-12f5-4221-9636-44606ea1f3f8",
"target-uuid": "3489cfc5-640f-4bb3-a103-9137b97de79f"
},
"uuid": "d07f2da6-6497-414f-96c1-9dd60155b169",
"value": "OSInfo (S0165) uses Network Share Discovery (T1135)"
},
{
"meta": {
"source-uuid": "8ae43c46-57ef-47d5-a77a-eebb35628db2",
"target-uuid": "62b8c999-dcc0-4755-bd69-09442d9359f5"
},
"uuid": "dd9c1644-259d-4980-8058-fdc3c72fac7b",
"value": "JHUHUGIT (S0044) uses Rundll32 (T1085)"
},
{
"meta": {
"source-uuid": "92ec0cbd-2c30-44a2-b270-73f4ec949841",
"target-uuid": "1b84d551-6de8-4b96-9930-d177677c3b1d"
},
"uuid": "6b0b404e-7e1b-4f8f-8b78-85016f36f8e9",
"value": "RTM (S0148) uses Code Signing (T1116)"
},
{
"meta": {
"source-uuid": "fb575479-14ef-41e9-bfab-0b7cf10bec73",
"target-uuid": "b9f5dbe2-4c55-4fc5-af2e-d42c1d182ec4"
},
"uuid": "c0e78590-0266-43e0-8fb5-efd95556c20c",
"value": "ADVSTORESHELL (S0045) uses Data Compressed (T1002)"
},
{
"meta": {
"source-uuid": "54cc1d4f-5c53-4f0e-9ef5-11b4998e82e4",
"target-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59"
},
"uuid": "d5166d3e-246b-473c-9ff0-c5cc97dd91de",
"value": "BlackEnergy (S0089) uses File Deletion (T1107)"
},
{
"meta": {
"source-uuid": "2a7914cf-dff3-428d-ab0f-1014d1c28aeb",
"target-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22"
},
"uuid": "e0bc7e9b-aec8-4e78-baed-f635ee7bd196",
"value": "FIN6 (G0037) uses Credential Dumping (T1003)"
},
{
"meta": {
"source-uuid": "687c23e4-4e25-4ee7-a870-c5e002511f54",
"target-uuid": "01a5a209-b94c-450b-b7f9-946497d91055"
},
"uuid": "6a58662b-4eb1-4172-b387-13e9b574368a",
"value": "DustySky (S0062) uses Windows Management Instrumentation (T1047)"
},
{
"meta": {
"source-uuid": "26fed817-e7bf-41f9-829a-9075ffac45c2",
"target-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add"
},
"uuid": "c39e878e-a496-4271-9998-2d5c9511e0a4",
"value": "Kasidet (S0088) uses Remote File Copy (T1105)"
},
{
"meta": {
"source-uuid": "aafea02e-ece5-4bb2-91a6-3bf8c7f38a39",
"target-uuid": "c23b740b-a42b-47a1-aec2-9d48ddd547ff"
},
"uuid": "9a286577-ccfc-4793-96ce-02c17dc0f4ae",
"value": "Cobalt Strike (S0154) uses Pass the Hash (T1075)"
},
{
"meta": {
"source-uuid": "7a6e5ca3-562f-4185-a323-f3b62b5b2e6b",
"target-uuid": "6e6845c2-347a-4a6f-a2d1-b74a18ebd352"
},
"uuid": "bdd223c2-8d3a-4c99-b261-402b7daaace5",
"value": "LSASS Driver Mitigation (T1177) mitigates LSASS Driver (T1177)"
},
{
"meta": {
"source-uuid": "96150c35-466f-4f0a-97a9-ae87ee27f751",
"target-uuid": "02fefddc-fb1b-423f-a76b-7552dd211d4d"
},
"uuid": "49dd2ac1-cd3a-46db-89d7-307c65971a3d",
"value": "Bootkit Mitigation (T1067) mitigates Bootkit (T1067)"
},
{
"meta": {
"source-uuid": "8901ac23-6b50-410c-b0dd-d8174a86f9b3",
"target-uuid": "ffe742ed-9100-4686-9e00-c331da544787"
},
"uuid": "38ea7367-26e7-4a6a-b735-e98e3a35450a",
"value": "Shamoon (S0140) uses Windows Admin Shares (T1077)"
},
{
"meta": {
"source-uuid": "69d6f4a9-fcf0-4f51-bca7-597c51ad0bb8",
"target-uuid": "7bc57495-ea59-4380-be31-a64af124ef18"
},
"uuid": "147e009d-48db-40bc-999c-70aa1e770a0c",
"value": "Remsec (S0125) uses File and Directory Discovery (T1083)"
},
{
"meta": {
"source-uuid": "f047ee18-7985-4946-8bfb-4ed754d3a0dd",
"target-uuid": "b1de6916-7a22-4460-8d26-6b5483ffaa2a"
},
"uuid": "08d91d3c-b7c7-4cbc-a4eb-29edd3be3e3a",
"value": "APT30 (G0013) uses SHIPSHAPE (S0028)"
},
{
"meta": {
"source-uuid": "495b6cdb-7b5a-4fbc-8d33-e7ef68806d08",
"target-uuid": "4b74a1d4-b0e9-4ef1-93f1-14ecc6e2f5b5"
},
"uuid": "a49ed7b1-8160-48ae-a65f-feeb4747c522",
"value": "Volgmer (S0180) uses Standard Cryptographic Protocol (T1032)"
},
{
"meta": {
"source-uuid": "1c63d4ec-0a75-4daa-b1df-0d11af3d3cc1",
"target-uuid": "e01be9c5-e763-4caf-aeb7-000b416aef67"
},
"uuid": "570c8981-9a08-4c4f-8927-a22148bb880e",
"value": "Dragonfly (G0035) uses Create Account (T1136)"
},
{
"meta": {
"source-uuid": "69d6f4a9-fcf0-4f51-bca7-597c51ad0bb8",
"target-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a"
},
"uuid": "43edea0b-efb8-41ab-bdda-f5aa62de439f",
"value": "Remsec (S0125) uses Obfuscated Files or Information (T1027)"
},
{
"meta": {
"source-uuid": "f108215f-3487-489d-be8b-80e346d32518",
"target-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104"
},
"uuid": "707d131d-39ff-4ea0-a8ef-63dd7ca2a854",
"value": "Komplex (S0162) uses System Owner/User Discovery (T1033)"
},
{
"meta": {
"source-uuid": "fbe9387f-34e6-4828-ac28-3080020c597b",
"target-uuid": "7fd87010-3a00-4da3-b905-410525e8ec44"
},
"uuid": "4de4a09b-5727-4462-b288-23278e74634e",
"value": "FIN10 (G0051) uses Scripting (T1064)"
},
{
"meta": {
"source-uuid": "326af1cd-78e7-45b7-a326-125d2f7ef8f2",
"target-uuid": "7bc57495-ea59-4380-be31-a64af124ef18"
},
"uuid": "0d8aa058-426a-45c9-af5b-898746ae5862",
"value": "Crimson (S0115) uses File and Directory Discovery (T1083)"
},
{
"meta": {
"source-uuid": "37cc7eb6-12e3-467b-82e8-f20f2cc73c69",
"target-uuid": "4b74a1d4-b0e9-4ef1-93f1-14ecc6e2f5b5"
},
"uuid": "0d3e115b-ff08-4bff-8802-be3d21cec68f",
"value": "Prikormka (S0113) uses Standard Cryptographic Protocol (T1032)"
},
{
"meta": {
"source-uuid": "196f1f32-e0c2-4d46-99cd-234d4b6befe1",
"target-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0"
},
"uuid": "2843ccc2-4869-48a0-8967-b9856a778a2c",
"value": "Felismus (S0171) uses Masquerading (T1036)"
},
{
"meta": {
"source-uuid": "5c167af7-c2cb-42c8-ae67-3fb275bf8488",
"target-uuid": "128c55d3-aeba-469f-bd3e-c8996ab4112a"
},
"uuid": "4fa2cbf0-9721-4bbe-86b4-334848cd3dd6",
"value": "Timestomp Mitigation (T1099) mitigates Timestomp (T1099)"
},
{
"meta": {
"source-uuid": "54cc1d4f-5c53-4f0e-9ef5-11b4998e82e4",
"target-uuid": "799ace7f-e227-4411-baa0-8868704f2a69"
},
"uuid": "c9dca829-6417-4121-9462-650ac852b8c2",
"value": "BlackEnergy (S0089) uses Indicator Removal on Host (T1070)"
},
{
"meta": {
"source-uuid": "4ca1929c-7d64-4aab-b849-badbfc0c760d",
"target-uuid": "322bad5a-1c49-4d23-ab79-76d641794afa"
},
"uuid": "4923be5e-dd24-4289-adca-e9dbf545b9c2",
"value": "OilRig (G0049) uses System Service Discovery (T1007)"
},
{
"meta": {
"source-uuid": "7bec698a-7e20-4fd3-bb6a-12787770fb1a",
"target-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6"
},
"uuid": "2d659138-90e5-4b67-8956-02120d99506f",
"value": "3PARA RAT (S0066) uses Standard Application Layer Protocol (T1071)"
},
{
"meta": {
"source-uuid": "76abb3ef-dafd-4762-97cb-a35379429db4",
"target-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6"
},
"uuid": "61047751-c353-4190-bc37-19ad959bc35e",
"value": "Gazer (S0168) uses Standard Application Layer Protocol (T1071)"
},
{
"meta": {
"source-uuid": "09b2cd76-c674-47cc-9f57-d2f2ad150a46",
"target-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1"
},
"uuid": "a88332d2-d03f-4139-b11c-19e82459189b",
"value": "POWRUNER (S0184) uses System Information Discovery (T1082)"
},
{
"meta": {
"source-uuid": "199463de-d9be-46d6-bb41-07234c1dd5a6",
"target-uuid": "322bad5a-1c49-4d23-ab79-76d641794afa"
},
"uuid": "ae9befd5-d8b7-4492-9b47-422a40d610cc",
"value": "GeminiDuke (S0049) uses System Service Discovery (T1007)"
},
{
"meta": {
"source-uuid": "6a2e693f-24e5-451a-9f88-b36a108e5662",
"target-uuid": "294e2560-bd48-44b2-9da2-833b5588ad11"
},
"uuid": "13984eec-6c33-4bab-a22c-5c061ddd6e44",
"value": "APT1 (G0006) uses ipconfig (S0100)"
},
{
"meta": {
"source-uuid": "dc5d1a33-62aa-4a0c-aa8c-589b87beb11e",
"target-uuid": "3b3cbbe0-6ed3-4334-b543-3ddfd8c5642d"
},
"uuid": "6586cae6-bf7a-4b1d-ab5c-53106d1db5c4",
"value": "ChChes (S0144) uses Custom Cryptographic Protocol (T1024)"
},
{
"meta": {
"source-uuid": "2eb9b131-d333-4a48-9eb4-d8dec46c19ee",
"target-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6"
},
"uuid": "a9727d1b-777a-4c3e-8bcc-e0cbff7431d8",
"value": "CosmicDuke (S0050) uses Standard Application Layer Protocol (T1071)"
},
{
"meta": {
"source-uuid": "c416b28c-103b-4df1-909e-78089a7e0e5f",
"target-uuid": "830c9528-df21-472c-8c14-a036bf17d665"
},
"uuid": "a58ad2d1-7200-4ba8-9c24-fc640306ea2f",
"value": "RTM (G0048) uses Web Service (T1102)"
},
{
"meta": {
"source-uuid": "899ce53f-13a0-479b-a0e4-67d46e241542",
"target-uuid": "1ce03c65-5946-4ac9-9d4d-66db87e024bd"
},
"uuid": "27e7f34e-9750-4cf0-8260-33f2996ee38c",
"value": "APT29 (G0016) uses Domain Fronting (T1172)"
},
{
"meta": {
"source-uuid": "68ba94ab-78b8-43e7-83e2-aed3466882c6",
"target-uuid": "ff6caf67-ea1f-4895-b80e-4bb0fc31c6db"
},
"uuid": "45a89f5b-a7de-46c9-93d6-15f2170128e4",
"value": "APT34 (G0057) uses PsExec (S0029)"
},
{
"meta": {
"source-uuid": "d2dce10b-3562-4d61-b2f5-7c6384b038e2",
"target-uuid": "a127c32c-cbb0-4f9d-be07-881a792408ec"
},
"uuid": "2e3b8b06-5148-4313-8b1b-d75789838c84",
"value": "Mshta Mitigation (T1170) mitigates Mshta (T1170)"
},
{
"meta": {
"source-uuid": "aafea02e-ece5-4bb2-91a6-3bf8c7f38a39",
"target-uuid": "f4882e23-8aa7-4b12-b28a-b349c12ee9e0"
},
"uuid": "1b51b49a-1f3a-4b5d-aea3-989e9ccb72ad",
"value": "Cobalt Strike (S0154) uses PowerShell (T1086)"
},
{
"meta": {
"source-uuid": "17b40f60-729f-4fe8-8aea-cc9ee44a95d5",
"target-uuid": "46944654-fcc1-4f63-9dad-628102376586"
},
"uuid": "3f8a74a9-55fe-4f9c-bddb-00b715ca3668",
"value": "RedLeaves (S0153) uses DLL Search Order Hijacking (T1038)"
},
{
"meta": {
"source-uuid": "3240cbe4-c550-443b-aa76-cc2a7058b870",
"target-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6"
},
"uuid": "2121683c-ab01-4212-b2d2-af290dd8ed17",
"value": "SNUGRIDE (S0159) uses Standard Application Layer Protocol (T1071)"
},
{
"meta": {
"source-uuid": "5ce5392a-3a6c-4e07-9df3-9b6a9159ac45",
"target-uuid": "7bec698a-7e20-4fd3-bb6a-12787770fb1a"
},
"uuid": "3b3435a2-6a24-4527-be6f-03d09ef2b917",
"value": "Putter Panda (G0024) uses 3PARA RAT (S0066)"
},
{
"meta": {
"source-uuid": "96566860-9f11-4b6f-964d-1c924e4f24a4",
"target-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0"
},
"uuid": "90e64a7a-42e6-4b95-ae85-5ac324d7f6e2",
"value": "Starloader (S0188) uses Masquerading (T1036)"
},
{
"meta": {
"source-uuid": "251fbae2-78f6-4de7-84f6-194c727a64ad",
"target-uuid": "b9f5dbe2-4c55-4fc5-af2e-d42c1d182ec4"
},
"uuid": "982d9af7-45bb-4cc0-9819-aaadb3304783",
"value": "Lurid (S0010) uses Data Compressed (T1002)"
},
{
"meta": {
"source-uuid": "bba595da-b73a-4354-aa6c-224d4de7cb4e",
"target-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add"
},
"uuid": "fb866766-d3a5-46f6-9d0e-afc6bd1c7962",
"value": "cmd (S0106) uses Remote File Copy (T1105)"
},
{
"meta": {
"source-uuid": "083bb47b-02c8-4423-81a2-f9ef58572974",
"target-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1"
},
"uuid": "f19234f6-5b59-4229-aae1-70df380a076a",
"value": "Backdoor.Oldrea (S0093) uses System Information Discovery (T1082)"
},
{
"meta": {
"source-uuid": "17862c7d-9e60-48a0-b48e-da4dc4c3f6b0",
"target-uuid": "cc7b8c4e-9be0-47ca-b0bb-83915ec3ee2f"
},
"uuid": "21caad94-1568-4e40-8e38-c0f7e854aede",
"value": "Patchwork (G0040) uses Data Encoding (T1132)"
},
{
"meta": {
"source-uuid": "b8d57b16-d8e2-428c-a645-1083795b3445",
"target-uuid": "64196062-5210-42c3-9a02-563a0d1797ef"
},
"uuid": "cf699238-7091-4d79-9741-d792152f37c1",
"value": "Communication Through Removable Media Mitigation (T1092) mitigates Communication Through Removable Media (T1092)"
},
{
"meta": {
"source-uuid": "55033a4d-3ffe-46b2-99b4-2c1541e9ce1c",
"target-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0"
},
"uuid": "bbf116bf-6f8a-44f4-9d98-db6ccbbff333",
"value": "Carbanak (G0008) uses Masquerading (T1036)"
},
{
"meta": {
"source-uuid": "fb575479-14ef-41e9-bfab-0b7cf10bec73",
"target-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc"
},
"uuid": "284ffb1b-ad42-468e-9897-94c25024f0d4",
"value": "ADVSTORESHELL (S0045) uses Registry Run Keys / Start Folder (T1060)"
},
{
"meta": {
"source-uuid": "7331c66a-5601-4d3f-acf6-ad9e3035eb40",
"target-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688"
},
"uuid": "8e69c855-db70-4b5e-866b-f9ce0b786156",
"value": "Group5 (G0043) uses Screen Capture (T1113)"
},
{
"meta": {
"source-uuid": "e8268361-a599-4e45-bd3f-71c8c7e700c0",
"target-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830"
},
"uuid": "ae370b88-fd93-4803-a154-aa3debf2327b",
"value": "httpclient (S0068) uses Command-Line Interface (T1059)"
},
{
"meta": {
"source-uuid": "09b2cd76-c674-47cc-9f57-d2f2ad150a46",
"target-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688"
},
"uuid": "ed522c9c-038b-43c0-af66-e81b954104f2",
"value": "POWRUNER (S0184) uses Screen Capture (T1113)"
},
{
"meta": {
"source-uuid": "0c8465c0-d0b4-4670-992e-4eee8d7ff952",
"target-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9"
},
"uuid": "d4d35e55-6a09-47ef-8de5-160468276025",
"value": "at (S0110) uses Scheduled Task (T1053)"
},
{
"meta": {
"source-uuid": "bef4c620-0787-42a8-a96d-b7eb6e85917c",
"target-uuid": "7bc57495-ea59-4380-be31-a64af124ef18"
},
"uuid": "3094a14f-ccd2-4ba4-a3f6-c6d2721f02db",
"value": "APT28 (G0007) uses File and Directory Discovery (T1083)"
},
{
"meta": {
"source-uuid": "5e595477-2e78-4ce7-ae42-e0b059b17808",
"target-uuid": "e906ae4d-1d3a-4675-be23-22f7311c0da4"
},
"uuid": "f758836e-91b2-4651-ba72-d827553b668c",
"value": "POSHSPY (S0150) uses Windows Management Instrumentation Event Subscription (T1084)"
},
{
"meta": {
"source-uuid": "7a19ecb1-3c65-4de3-a230-993516aed6a6",
"target-uuid": "00d0b012-8a03-410e-95de-5826bf542de6"
},
"uuid": "fe9c9381-99d7-4798-ab41-3e5cdbda5e21",
"value": "Turla (G0010) uses Indicator Removal from Tools (T1066)"
},
{
"meta": {
"source-uuid": "2eb9b131-d333-4a48-9eb4-d8dec46c19ee",
"target-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2"
},
"uuid": "6d2d4146-bf9e-4b75-9a23-052c09e99eeb",
"value": "CosmicDuke (S0050) uses Input Capture (T1056)"
},
{
"meta": {
"source-uuid": "222fbd21-fc4f-4b7e-9f85-0e6e3a76c33f",
"target-uuid": "bba595da-b73a-4354-aa6c-224d4de7cb4e"
},
"uuid": "99800503-d535-4fae-a318-dfa034dca663",
"value": "menuPass (G0045) uses cmd (S0106)"
},
{
"meta": {
"source-uuid": "0bbdf25b-30ff-4894-a1cd-49260d0dd2d9",
"target-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add"
},
"uuid": "f661bda3-d524-44b3-aeb0-d8dd8879a569",
"value": "APT3 (G0022) uses Remote File Copy (T1105)"
},
{
"meta": {
"source-uuid": "efed95ba-d7e8-47ff-8c53-99c42426ee7c",
"target-uuid": "691c60e2-273d-4d56-9ce6-b67e0f8719ad"
},
"uuid": "34ebfdf4-ef2c-4a6c-8bfa-69704d8f7694",
"value": "PROMETHIUM (G0056) uses Truvasys (S0178)"
},
{
"meta": {
"source-uuid": "0f862b01-99da-47cc-9bdb-db4a86a95bb1",
"target-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0"
},
"uuid": "1ec53623-4050-498b-ba9e-f149d203036c",
"value": "Emissary (S0082) uses System Network Configuration Discovery (T1016)"
},
{
"meta": {
"source-uuid": "afc079f3-c0ea-4096-b75d-3f05338b7f60",
"target-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22"
},
"uuid": "b7930db8-2cb9-4ecf-b3d3-7425f99140d8",
"value": "Mimikatz (S0002) uses Credential Dumping (T1003)"
},
{
"meta": {
"source-uuid": "7343e208-7cab-45f2-a47b-41ba5e2f0fab",
"target-uuid": "e3a12395-188d-4051-9a16-ea8e14d07b88"
},
"uuid": "a423dc5c-c506-4cc5-b65c-0c9269d18fb6",
"value": "XTunnel (S0117) uses Network Service Scanning (T1046)"
},
{
"meta": {
"source-uuid": "82cb34ba-02b5-432b-b2d2-07f55cbf674d",
"target-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc"
},
"uuid": "57e1f6b0-7fbd-49b4-8f5d-876b759437ac",
"value": "Trojan.Karagany (S0094) uses Registry Run Keys / Start Folder (T1060)"
},
{
"meta": {
"source-uuid": "9e9b9415-a7df-406b-b14d-92bfe6809fbe",
"target-uuid": "4b74a1d4-b0e9-4ef1-93f1-14ecc6e2f5b5"
},
"uuid": "7b5919ce-efab-45d1-855b-f827d7489b2b",
"value": "Nidiran (S0118) uses Standard Cryptographic Protocol (T1032)"
},
{
"meta": {
"source-uuid": "f3bdec95-3d62-42d9-a840-29630f6cdc1a",
"target-uuid": "b42378e0-f147-496f-992a-26a49705395b"
},
"uuid": "8797579b-e3be-4209-a71b-255a4d08243d",
"value": "DragonOK (G0017) uses PoisonIvy (S0012)"
},
{
"meta": {
"source-uuid": "166c0eca-02fd-424a-92c0-6b5106994d31",
"target-uuid": "7bc57495-ea59-4380-be31-a64af124ef18"
},
"uuid": "50271beb-48b1-411e-86b5-990b4cbb1fb5",
"value": "ZLib (S0086) uses File and Directory Discovery (T1083)"
},
{
"meta": {
"source-uuid": "08d20cd2-f084-45ee-8558-fa6ef5a18519",
"target-uuid": "ca1a3f50-5ebd-41f8-8320-2c7d6a6e88be"
},
"uuid": "6a0f3ebb-c805-402f-bb2e-aac2f8d174fa",
"value": "Downdelph (S0134) uses Bypass User Account Control (T1088)"
},
{
"meta": {
"source-uuid": "fb575479-14ef-41e9-bfab-0b7cf10bec73",
"target-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59"
},
"uuid": "53cc6b0b-66ec-4f7d-a725-f65b076b5428",
"value": "ADVSTORESHELL (S0045) uses File Deletion (T1107)"
},
{
"meta": {
"source-uuid": "67e6d66b-1b82-4699-b47a-e2efb6268d14",
"target-uuid": "7fd87010-3a00-4da3-b905-410525e8ec44"
},
"uuid": "837af41c-0553-4d1d-a38e-e43e2aad5c35",
"value": "SeaDuke (S0053) uses Scripting (T1064)"
},
{
"meta": {
"source-uuid": "69d6f4a9-fcf0-4f51-bca7-597c51ad0bb8",
"target-uuid": "2e0dd10b-676d-4964-acd0-8a404c92b044"
},
"uuid": "8baf3f0d-0ab4-4691-8ef7-8b9af8a8069c",
"value": "Remsec (S0125) uses Disabling Security Tools (T1089)"
},
{
"meta": {
"source-uuid": "cb7bcf6f-085f-41db-81ee-4b68481661b5",
"target-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830"
},
"uuid": "c3d3bb7d-65cc-4915-bc28-492d341e6dbd",
"value": "CallMe (S0077) uses Command-Line Interface (T1059)"
},
{
"meta": {
"source-uuid": "4ca1929c-7d64-4aab-b849-badbfc0c760d",
"target-uuid": "cf23bf4a-e003-4116-bbae-1ea6c558d565"
},
"uuid": "fd518b7a-b35d-4689-89f6-525efbeee18f",
"value": "OilRig (G0049) uses FTP (S0095)"
},
{
"meta": {
"source-uuid": "7a19ecb1-3c65-4de3-a230-993516aed6a6",
"target-uuid": "f3c544dc-673c-4ef3-accb-53229f1ae077"
},
"uuid": "87b74ba7-99c4-464c-86d2-1dd8c8b578b1",
"value": "Turla (G0010) uses System Time Discovery (T1124)"
},
{
"meta": {
"source-uuid": "b6b3dfc7-9a81-43ff-ac04-698bad48973a",
"target-uuid": "00d0b012-8a03-410e-95de-5826bf542de6"
},
"uuid": "e79c65f4-f9d2-4568-96a4-b6e00d3bad71",
"value": "Daserf (S0187) uses Indicator Removal from Tools (T1066)"
},
{
"meta": {
"source-uuid": "a653431d-6a5e-4600-8ad3-609b5af57064",
"target-uuid": "f4882e23-8aa7-4b12-b28a-b349c12ee9e0"
},
"uuid": "6fdc3210-9754-4157-b386-8fcd680e732c",
"value": "Deep Panda (G0009) uses PowerShell (T1086)"
},
{
"meta": {
"source-uuid": "88c621a7-aef9-4ae0-94e3-1fc87123eb24",
"target-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580"
},
"uuid": "a564f3da-349a-4e65-826c-8ca60bc920bf",
"value": "gh0st (S0032) uses Process Discovery (T1057)"
},
{
"meta": {
"source-uuid": "fb366179-766c-4a4a-afa1-52bff1fd601c",
"target-uuid": "afc079f3-c0ea-4096-b75d-3f05338b7f60"
},
"uuid": "4ce5e752-97d6-4803-a49c-0f905729a133",
"value": "Threat Group-3390 (G0027) uses Mimikatz (S0002)"
},
{
"meta": {
"source-uuid": "e1161124-f22e-487f-9d5f-ed8efc8dcd61",
"target-uuid": "f879d51c-5476-431c-aedf-f14d207e4d1e"
},
"uuid": "a23ab6bc-e5cc-46a9-b77f-747ae6fc6a9b",
"value": "Mis-Type (S0084) uses Commonly Used Port (T1043)"
},
{
"meta": {
"source-uuid": "222fbd21-fc4f-4b7e-9f85-0e6e3a76c33f",
"target-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830"
},
"uuid": "dea36846-b8ad-4926-a242-9fa2d12069c8",
"value": "menuPass (G0045) uses Command-Line Interface (T1059)"
},
{
"meta": {
"source-uuid": "69d6f4a9-fcf0-4f51-bca7-597c51ad0bb8",
"target-uuid": "e6415f09-df0e-48de-9aba-928c902b7549"
},
"uuid": "137e1ddc-403b-49b5-a214-20b82bab446e",
"value": "Remsec (S0125) uses Exfiltration Over Physical Medium (T1052)"
},
{
"meta": {
"source-uuid": "bef4c620-0787-42a8-a96d-b7eb6e85917c",
"target-uuid": "ba8e391f-14b5-496f-81f2-2d5ecd646c1c"
},
"uuid": "46f853ea-3f45-4570-a155-826bec98456d",
"value": "APT28 (G0007) uses Credentials in Files (T1081)"
},
{
"meta": {
"source-uuid": "66b1dcde-17a0-4c7b-95fa-b08d430c2131",
"target-uuid": "322bad5a-1c49-4d23-ab79-76d641794afa"
},
"uuid": "abee00d3-8417-468b-84a4-40c7d0ac4f7d",
"value": "S-Type (S0085) uses System Service Discovery (T1007)"
},
{
"meta": {
"source-uuid": "899ce53f-13a0-479b-a0e4-67d46e241542",
"target-uuid": "afc079f3-c0ea-4096-b75d-3f05338b7f60"
},
"uuid": "067814b5-aa57-45e0-9bdf-5536b077c224",
"value": "APT29 (G0016) uses Mimikatz (S0002)"
},
{
"meta": {
"source-uuid": "7f8730af-f683-423f-9ee1-5f6875a80481",
"target-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6"
},
"uuid": "c80250a5-79c0-4a46-a0e3-49d6bcd574c6",
"value": "Sys10 (S0060) uses Standard Application Layer Protocol (T1071)"
},
{
"meta": {
"source-uuid": "68ba94ab-78b8-43e7-83e2-aed3466882c6",
"target-uuid": "afc079f3-c0ea-4096-b75d-3f05338b7f60"
},
"uuid": "7a783e7e-a735-42d7-874d-633b37e21033",
"value": "APT34 (G0057) uses Mimikatz (S0002)"
},
{
"meta": {
"source-uuid": "26fed817-e7bf-41f9-829a-9075ffac45c2",
"target-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1"
},
"uuid": "49af09c8-1460-485d-9f09-dacea47fa016",
"value": "Kasidet (S0088) uses System Information Discovery (T1082)"
},
{
"meta": {
"source-uuid": "bef4c620-0787-42a8-a96d-b7eb6e85917c",
"target-uuid": "2dd34b01-6110-4aac-835d-b5e7b936b0be"
},
"uuid": "bceada36-e6ba-49b9-b9f8-99e37e6cbf9e",
"value": "APT28 (G0007) uses OLDBAIT (S0138)"
},
{
"meta": {
"source-uuid": "66b1dcde-17a0-4c7b-95fa-b08d430c2131",
"target-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1"
},
"uuid": "7fbb56bf-cadd-4663-8067-f233d4c9c751",
"value": "S-Type (S0085) uses System Information Discovery (T1082)"
},
{
"meta": {
"source-uuid": "6a2e693f-24e5-451a-9f88-b36a108e5662",
"target-uuid": "1608f3e1-598a-42f4-a01a-2e252e81728f"
},
"uuid": "757bed64-558b-4ea7-84b9-b82d8b23f9b2",
"value": "APT1 (G0006) uses Email Collection (T1114)"
},
{
"meta": {
"source-uuid": "dd9a85ad-6a92-4986-a215-b01d0ce7b987",
"target-uuid": "15dbf668-795c-41e6-8219-f0447c0e64ce"
},
"uuid": "4d6def4b-69cf-4dca-848b-53de73536ad6",
"value": "Permission Groups Discovery Mitigation (T1069) mitigates Permission Groups Discovery (T1069)"
},
{
"meta": {
"source-uuid": "9ea525fa-b0a9-4dde-84f2-bcea0137b3c1",
"target-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830"
},
"uuid": "b8e50d79-c024-4dc1-aad2-d7181fbbf1bb",
"value": "MoonWind (S0149) uses Command-Line Interface (T1059)"
},
{
"meta": {
"source-uuid": "6713ab67-e25b-49cc-808d-2b36d4fbc35c",
"target-uuid": "322bad5a-1c49-4d23-ab79-76d641794afa"
},
"uuid": "7b529102-f95c-4ca1-a5c4-5a3497ab3674",
"value": "Ke3chang (G0004) uses System Service Discovery (T1007)"
},
{
"meta": {
"source-uuid": "8901ac23-6b50-410c-b0dd-d8174a86f9b3",
"target-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81"
},
"uuid": "5e6e745f-d756-4b6e-90e1-3adcf848570b",
"value": "Shamoon (S0140) uses Valid Accounts (T1078)"
},
{
"meta": {
"source-uuid": "7a19ecb1-3c65-4de3-a230-993516aed6a6",
"target-uuid": "ffe742ed-9100-4686-9e00-c331da544787"
},
"uuid": "4a6248d4-4fa1-404a-abed-84e9b7c32dbe",
"value": "Turla (G0010) uses Windows Admin Shares (T1077)"
},
{
"meta": {
"source-uuid": "c5574ca0-d5a4-490a-b207-e4658e5fd1d7",
"target-uuid": "dfb5fa9b-3051-4b97-8035-08f80aef945b"
},
"uuid": "79934567-99e6-4184-8b04-717a1b401006",
"value": "Scarlet Mimic (G0029) uses Psylo (S0078)"
},
{
"meta": {
"source-uuid": "c93fccb1-e8e8-42cf-ae33-2ad1d183913a",
"target-uuid": "f24faf46-3b26-4dbb-98f2-63460498e433"
},
"uuid": "ab687dca-2741-4920-a71e-e0e0444809c5",
"value": "Lazarus Group (G0032) uses Fallback Channels (T1008)"
},
{
"meta": {
"source-uuid": "69d6f4a9-fcf0-4f51-bca7-597c51ad0bb8",
"target-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1"
},
"uuid": "9b36e877-e637-46b8-bdf1-def74c977472",
"value": "Remsec (S0125) uses System Information Discovery (T1082)"
},
{
"meta": {
"source-uuid": "f9d6633a-55e6-4adc-9263-6ae080421a13",
"target-uuid": "f4882e23-8aa7-4b12-b28a-b349c12ee9e0"
},
"uuid": "110690db-fd9b-425a-9269-ec082f0af3f9",
"value": "Magic Hound (G0059) uses PowerShell (T1086)"
},
{
"meta": {
"source-uuid": "65341f30-bec6-4b1d-8abf-1a5620446c29",
"target-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a"
},
"uuid": "5077f774-95a4-459e-b88c-cb3a4dd5c8c6",
"value": "Reaver (S0172) uses Obfuscated Files or Information (T1027)"
},
{
"meta": {
"source-uuid": "62ae52c9-7197-4f5b-be1d-10d2e1df2c96",
"target-uuid": "1ce03c65-5946-4ac9-9d4d-66db87e024bd"
},
"uuid": "b41c70df-0955-408c-90ee-7acad8b080e1",
"value": "Domain Fronting Mitigation (T1172) mitigates Domain Fronting (T1172)"
},
{
"meta": {
"source-uuid": "bef4c620-0787-42a8-a96d-b7eb6e85917c",
"target-uuid": "fb575479-14ef-41e9-bfab-0b7cf10bec73"
},
"uuid": "5e9bee3d-ea86-4715-9fdc-199e10ef2161",
"value": "APT28 (G0007) uses ADVSTORESHELL (S0045)"
},
{
"meta": {
"source-uuid": "fb366179-766c-4a4a-afa1-52bff1fd601c",
"target-uuid": "294e2560-bd48-44b2-9da2-833b5588ad11"
},
"uuid": "c354d751-4688-49c5-9f9a-0d2bc705f645",
"value": "Threat Group-3390 (G0027) uses ipconfig (S0100)"
},
{
"meta": {
"source-uuid": "67e6d66b-1b82-4699-b47a-e2efb6268d14",
"target-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6"
},
"uuid": "9ef645ab-afd1-41d6-ad60-d207fd134748",
"value": "SeaDuke (S0053) uses Standard Application Layer Protocol (T1071)"
},
{
"meta": {
"source-uuid": "bba595da-b73a-4354-aa6c-224d4de7cb4e",
"target-uuid": "7bc57495-ea59-4380-be31-a64af124ef18"
},
"uuid": "2c09a27c-2eea-4287-9908-964533234e71",
"value": "cmd (S0106) uses File and Directory Discovery (T1083)"
},
{
"meta": {
"source-uuid": "7a19ecb1-3c65-4de3-a230-993516aed6a6",
"target-uuid": "4664b683-f578-434f-919b-1c1aad2a1111"
},
"uuid": "3643f451-322d-4f38-91a4-00a55a42c7f5",
"value": "Turla (G0010) uses netstat (S0104)"
},
{
"meta": {
"source-uuid": "b42378e0-f147-496f-992a-26a49705395b",
"target-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2"
},
"uuid": "3ef89472-470c-42c9-be01-155efe607b78",
"value": "PoisonIvy (S0012) uses Input Capture (T1056)"
},
{
"meta": {
"source-uuid": "65341f30-bec6-4b1d-8abf-1a5620446c29",
"target-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6"
},
"uuid": "797131cf-fef9-4ece-823f-e931393e72f8",
"value": "Reaver (S0172) uses Standard Application Layer Protocol (T1071)"
},
{
"meta": {
"source-uuid": "58adaaa8-f1e8-4606-9a08-422e568461eb",
"target-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580"
},
"uuid": "c8ce3bcd-b74f-497d-8f76-cc8c7333ab49",
"value": "SHOTPUT (S0063) uses Process Discovery (T1057)"
},
{
"meta": {
"source-uuid": "fbb470da-1d44-4f29-bbb3-9efbe20f94a3",
"target-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22"
},
"uuid": "ac72c3da-6b58-4f66-8476-8d3cc9ccf6bd",
"value": "Mivast (S0080) uses Credential Dumping (T1003)"
},
{
"meta": {
"source-uuid": "4ca1929c-7d64-4aab-b849-badbfc0c760d",
"target-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a"
},
"uuid": "cdbfa147-52be-411d-bcbd-f6dcbf91d7b5",
"value": "OilRig (G0049) uses Obfuscated Files or Information (T1027)"
},
{
"meta": {
"source-uuid": "2e290bfe-93b5-48ce-97d6-edcd6d32b7cf",
"target-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add"
},
"uuid": "253b56a5-232f-44bc-af4d-85ccc12a0577",
"value": "Gamaredon Group (G0047) uses Remote File Copy (T1105)"
},
{
"meta": {
"source-uuid": "67fc172a-36fa-4a35-88eb-4ba730ed52a6",
"target-uuid": "cc7b8c4e-9be0-47ca-b0bb-83915ec3ee2f"
},
"uuid": "a805a8d5-632c-48df-909d-c3d745652475",
"value": "BS2005 (S0014) uses Data Encoding (T1132)"
},
{
"meta": {
"source-uuid": "ba06d68a-4891-4eb5-b634-152e05ec60ee",
"target-uuid": "c3888c54-775d-4b2f-b759-75a2ececcbfd"
},
"uuid": "cff2088f-c003-4d03-aa8a-cca36753b930",
"value": "Data Transfer Size Limits Mitigation (T1030) mitigates Data Transfer Size Limits (T1030)"
},
{
"meta": {
"source-uuid": "c93fccb1-e8e8-42cf-ae33-2ad1d183913a",
"target-uuid": "92d7da27-2d91-488e-a00c-059dc162766d"
},
"uuid": "520f5440-740f-4efe-850e-ea4db340aef1",
"value": "Lazarus Group (G0032) uses Exfiltration Over Command and Control Channel (T1041)"
},
{
"meta": {
"source-uuid": "7a19ecb1-3c65-4de3-a230-993516aed6a6",
"target-uuid": "7bc57495-ea59-4380-be31-a64af124ef18"
},
"uuid": "fa6292a2-c184-4bc9-a37f-0c1ac61e1135",
"value": "Turla (G0010) uses File and Directory Discovery (T1083)"
},
{
"meta": {
"source-uuid": "67e6d66b-1b82-4699-b47a-e2efb6268d14",
"target-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81"
},
"uuid": "32864e94-8581-4f77-bf7d-53aaf3710f60",
"value": "SeaDuke (S0053) uses Valid Accounts (T1078)"
},
{
"meta": {
"source-uuid": "1cc934e4-b01d-4543-a011-b988dfc1a458",
"target-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830"
},
"uuid": "3ba2b8bc-1c5b-4cb3-8234-a7dc7b7552d0",
"value": "Matroyshka (S0167) uses Command-Line Interface (T1059)"
},
{
"meta": {
"source-uuid": "e9595678-d269-469e-ae6b-75e49259de63",
"target-uuid": "830c9528-df21-472c-8c14-a036bf17d665"
},
"uuid": "0c870326-6b8a-4279-bbd3-2c1ae23ba54a",
"value": "BADNEWS (S0128) uses Web Service (T1102)"
},
{
"meta": {
"source-uuid": "98e8a977-3416-43aa-87fa-33e287e9c14c",
"target-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59"
},
"uuid": "b6970925-a435-4942-b244-60e4f57acf86",
"value": "WINDSHIELD (S0155) uses File Deletion (T1107)"
},
{
"meta": {
"source-uuid": "899ce53f-13a0-479b-a0e4-67d46e241542",
"target-uuid": "2daa14d6-cbf3-4308-bb8e-213c324a08e4"
},
"uuid": "df9beafa-be6b-4e61-9a27-dfb9ec7d6aa3",
"value": "APT29 (G0016) uses HAMMERTOSS (S0037)"
},
{
"meta": {
"source-uuid": "f9d6633a-55e6-4adc-9263-6ae080421a13",
"target-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2"
},
"uuid": "023ff141-8ed7-4132-85a0-494fe075236b",
"value": "Magic Hound (G0059) uses Input Capture (T1056)"
},
{
"meta": {
"source-uuid": "4ca1929c-7d64-4aab-b849-badbfc0c760d",
"target-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59"
},
"uuid": "51f1d23c-1ccd-4cc4-918c-39e9a66e510b",
"value": "OilRig (G0049) uses File Deletion (T1107)"
},
{
"meta": {
"source-uuid": "9ea525fa-b0a9-4dde-84f2-bcea0137b3c1",
"target-uuid": "348f1eef-964b-4eb6-bb53-69b3dcb0c643"
},
"uuid": "5cceffd9-5818-4481-bce6-4e326548d6b4",
"value": "MoonWind (S0149) uses Peripheral Device Discovery (T1120)"
},
{
"meta": {
"source-uuid": "b6b3dfc7-9a81-43ff-ac04-698bad48973a",
"target-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688"
},
"uuid": "6db82410-1fcf-483a-be5b-cf09c361b4eb",
"value": "Daserf (S0187) uses Screen Capture (T1113)"
},
{
"meta": {
"source-uuid": "090242d7-73fc-4738-af68-20162f7a5aae",
"target-uuid": "d69c8146-ab35-4d50-8382-6fc80e641d43"
},
"uuid": "a33388b7-3803-442f-8e31-511eef055470",
"value": "APT17 (G0025) uses BLACKCOFFEE (S0069)"
},
{
"meta": {
"source-uuid": "d6e88e18-81e8-4709-82d8-973095da1e70",
"target-uuid": "3cab1b76-2f40-4cd0-8d2c-7ed16eeb909c"
},
"uuid": "bcd1d261-0228-468f-b02b-52e6784e2491",
"value": "APT16 (G0023) uses ELMER (S0064)"
},
{
"meta": {
"source-uuid": "4c59cce8-cb48-4141-b9f1-f646edfaadb0",
"target-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4"
},
"uuid": "fe3c4134-ddef-45f8-b83a-6865a01b9764",
"value": "Regin (S0019) uses Modify Registry (T1112)"
},
{
"meta": {
"source-uuid": "0f862b01-99da-47cc-9bdb-db4a86a95bb1",
"target-uuid": "322bad5a-1c49-4d23-ab79-76d641794afa"
},
"uuid": "bae7f2fb-99d8-4acf-b61e-f37a215aa82e",
"value": "Emissary (S0082) uses System Service Discovery (T1007)"
},
{
"meta": {
"source-uuid": "8ae43c46-57ef-47d5-a77a-eebb35628db2",
"target-uuid": "478aa214-2ca7-4ec0-9978-18798e514790"
},
"uuid": "b0099b28-bcb8-4214-8166-d9caed1b6491",
"value": "JHUHUGIT (S0044) uses New Service (T1050)"
},
{
"meta": {
"source-uuid": "93f52415-0fe4-4d3d-896c-fc9b8e88ab90",
"target-uuid": "b6b3dfc7-9a81-43ff-ac04-698bad48973a"
},
"uuid": "f52f1b34-a96a-45a0-8cc0-2f138a3f1257",
"value": "BRONZE BUTLER (G0060) uses Daserf (S0187)"
},
{
"meta": {
"source-uuid": "7ecc3b4f-5cdb-457e-b55a-df376b359446",
"target-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0"
},
"uuid": "df69c29c-01c4-4541-988e-8a5765439d56",
"value": "Poseidon Group (G0033) uses Masquerading (T1036)"
},
{
"meta": {
"source-uuid": "fb575479-14ef-41e9-bfab-0b7cf10bec73",
"target-uuid": "d54416bd-0803-41ca-870a-ce1af7c05638"
},
"uuid": "2a8f0313-4059-42b9-b487-6c8f860588c0",
"value": "ADVSTORESHELL (S0045) uses Data Encrypted (T1022)"
},
{
"meta": {
"source-uuid": "4ca1929c-7d64-4aab-b849-badbfc0c760d",
"target-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830"
},
"uuid": "2c79282f-5e60-48b9-962a-d61c3d73b334",
"value": "OilRig (G0049) uses Command-Line Interface (T1059)"
},
{
"meta": {
"source-uuid": "7551188b-8f91-4d34-8350-0d0c57b2b913",
"target-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0"
},
"uuid": "340d4ef7-816b-4758-994f-b913df78afd7",
"value": "Elise (S0081) uses System Network Configuration Discovery (T1016)"
},
{
"meta": {
"source-uuid": "7331c66a-5601-4d3f-acf6-ad9e3035eb40",
"target-uuid": "6ff403bc-93e3-48be-8687-e102fdba8c88"
},
"uuid": "b9083516-7dd3-4ef2-808a-1df48894122b",
"value": "Group5 (G0043) uses Software Packing (T1045)"
},
{
"meta": {
"source-uuid": "fbe9387f-34e6-4828-ac28-3080020c597b",
"target-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81"
},
"uuid": "d3b787ec-795c-481b-94e5-ff42dc56d79d",
"value": "FIN10 (G0051) uses Valid Accounts (T1078)"
},
{
"meta": {
"source-uuid": "6b616fc1-1505-48e3-8b2c-0d19337bff38",
"target-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4"
},
"uuid": "bad90106-a150-4d76-b39f-f35aab4ac766",
"value": "Rover (S0090) uses Modify Registry (T1112)"
},
{
"meta": {
"source-uuid": "af2ad3b7-ab6a-4807-91fd-51bcaff9acbb",
"target-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc"
},
"uuid": "5b686a7c-4fcd-44c2-9f57-1d88d6633ef4",
"value": "USBStealer (S0136) uses Registry Run Keys / Start Folder (T1060)"
},
{
"meta": {
"source-uuid": "ff6840c9-4c87-4d07-bbb6-9f50aa33d498",
"target-uuid": "1035cdf2-3e5f-446f-a7a7-e8f6d7925967"
},
"uuid": "07d16181-ba82-42c8-a67b-8d7d5adef52d",
"value": "Flame (S0143) uses Audio Capture (T1123)"
},
{
"meta": {
"source-uuid": "64d76fa5-cf8f-469c-b78c-1a4f7c5bad80",
"target-uuid": "f44731de-ea9f-406d-9b83-30ecbb9b4392"
},
"uuid": "59b39f06-a71c-42f7-92f2-244a183113d6",
"value": "BBSRAT (S0127) uses Service Execution (T1035)"
},
{
"meta": {
"source-uuid": "17862c7d-9e60-48a0-b48e-da4dc4c3f6b0",
"target-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1"
},
"uuid": "e8068ad2-97b3-4693-a6ad-a8ee9a272890",
"value": "Patchwork (G0040) uses System Information Discovery (T1082)"
},
{
"meta": {
"source-uuid": "aafea02e-ece5-4bb2-91a6-3bf8c7f38a39",
"target-uuid": "3489cfc5-640f-4bb3-a103-9137b97de79f"
},
"uuid": "e8048bf8-3931-4d6b-b4a6-475ff717cbae",
"value": "Cobalt Strike (S0154) uses Network Share Discovery (T1135)"
},
{
"meta": {
"source-uuid": "8ae43c46-57ef-47d5-a77a-eebb35628db2",
"target-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add"
},
"uuid": "f39d9e4d-b4f9-4c12-aa8e-a44f8550b57f",
"value": "JHUHUGIT (S0044) uses Remote File Copy (T1105)"
},
{
"meta": {
"source-uuid": "687c23e4-4e25-4ee7-a870-c5e002511f54",
"target-uuid": "f24faf46-3b26-4dbb-98f2-63460498e433"
},
"uuid": "b2ab26e2-eb90-4f19-b35a-b8a0a5438961",
"value": "DustySky (S0062) uses Fallback Channels (T1008)"
},
{
"meta": {
"source-uuid": "2f1a9fd0-3b7c-4d77-a358-78db13adbe78",
"target-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2"
},
"uuid": "0fec9b91-cd45-493b-b23e-abb3ed2513a0",
"value": "EvilGrab (S0152) uses Input Capture (T1056)"
},
{
"meta": {
"source-uuid": "0a68f1f1-da74-4d28-8d9a-696c082706cc",
"target-uuid": "d519cfd5-f3a8-43a9-a846-ed0bb40672b1"
},
"uuid": "542bb806-3e73-42f5-8a3e-86b498093f4b",
"value": "certutil (S0160) uses Install Root Certificate (T1130)"
},
{
"meta": {
"source-uuid": "0db09158-6e48-4e7c-8ce7-2b10b9c0c039",
"target-uuid": "c21d5a77-d422-4a69-acd7-2c53c1faa34b"
},
"uuid": "5e53b45b-ca14-4e8b-8c76-0cf9cb572a92",
"value": "Misdat (S0083) uses Standard Non-Application Layer Protocol (T1095)"
},
{
"meta": {
"source-uuid": "c93fccb1-e8e8-42cf-ae33-2ad1d183913a",
"target-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580"
},
"uuid": "699ddfef-6e95-42cf-b212-dc661f790adc",
"value": "Lazarus Group (G0032) uses Process Discovery (T1057)"
},
{
"meta": {
"source-uuid": "326af1cd-78e7-45b7-a326-125d2f7ef8f2",
"target-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0"
},
"uuid": "92711ee1-041b-4e35-a322-3e16790fcce2",
"value": "Crimson (S0115) uses System Network Configuration Discovery (T1016)"
},
{
"meta": {
"source-uuid": "bef4c620-0787-42a8-a96d-b7eb6e85917c",
"target-uuid": "afc079f3-c0ea-4096-b75d-3f05338b7f60"
},
"uuid": "5cfcbf60-454a-4673-aa93-9020d04efab7",
"value": "APT28 (G0007) uses Mimikatz (S0002)"
},
{
"meta": {
"source-uuid": "26fed817-e7bf-41f9-829a-9075ffac45c2",
"target-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688"
},
"uuid": "ade60661-8dfb-473a-8d12-014ba0273934",
"value": "Kasidet (S0088) uses Screen Capture (T1113)"
},
{
"meta": {
"source-uuid": "2f1a9fd0-3b7c-4d77-a358-78db13adbe78",
"target-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc"
},
"uuid": "cd1e409b-e981-4c83-a9ea-86705a45f92c",
"value": "EvilGrab (S0152) uses Registry Run Keys / Start Folder (T1060)"
},
{
"meta": {
"source-uuid": "93f52415-0fe4-4d3d-896c-fc9b8e88ab90",
"target-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6"
},
"uuid": "58fdc63b-05b4-4db9-90fe-c80f7956292f",
"value": "BRONZE BUTLER (G0060) uses Standard Application Layer Protocol (T1071)"
},
{
"meta": {
"source-uuid": "aafea02e-ece5-4bb2-91a6-3bf8c7f38a39",
"target-uuid": "dcaa092b-7de9-4a21-977f-7fcb77e89c48"
},
"uuid": "6863078f-fe93-4b84-ad7f-dffe494d9265",
"value": "Cobalt Strike (S0154) uses Access Token Manipulation (T1134)"
},
{
"meta": {
"source-uuid": "0f862b01-99da-47cc-9bdb-db4a86a95bb1",
"target-uuid": "15dbf668-795c-41e6-8219-f0447c0e64ce"
},
"uuid": "8ca14a24-b8b3-4669-ae56-e7102b543dc6",
"value": "Emissary (S0082) uses Permission Groups Discovery (T1069)"
},
{
"meta": {
"source-uuid": "aafea02e-ece5-4bb2-91a6-3bf8c7f38a39",
"target-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670"
},
"uuid": "5b9fbec2-0e72-44ef-94a5-a9f702469c93",
"value": "Cobalt Strike (S0154) uses Execution through API (T1106)"
},
{
"meta": {
"source-uuid": "08d20cd2-f084-45ee-8558-fa6ef5a18519",
"target-uuid": "ad255bfe-a9e6-4b52-a258-8d3462abe842"
},
"uuid": "0e27ebb3-2d48-48f6-ab99-968c0a992c61",
"value": "Downdelph (S0134) uses Data Obfuscation (T1001)"
},
{
"meta": {
"source-uuid": "17862c7d-9e60-48a0-b48e-da4dc4c3f6b0",
"target-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5"
},
"uuid": "8e28cc53-3fd4-42ed-8516-71fd9ee57641",
"value": "Patchwork (G0040) uses Data from Local System (T1005)"
},
{
"meta": {
"source-uuid": "65341f30-bec6-4b1d-8abf-1a5620446c29",
"target-uuid": "970cdb5c-02fb-4c38-b17e-d6327cf3c810"
},
"uuid": "0fee8bfd-aec2-44a7-8182-530a648006f3",
"value": "Reaver (S0172) uses Shortcut Modification (T1023)"
},
{
"meta": {
"source-uuid": "d69c8146-ab35-4d50-8382-6fc80e641d43",
"target-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830"
},
"uuid": "41747c46-1dd1-418b-84e9-75710f17a10c",
"value": "BLACKCOFFEE (S0069) uses Command-Line Interface (T1059)"
},
{
"meta": {
"source-uuid": "7bec698a-7e20-4fd3-bb6a-12787770fb1a",
"target-uuid": "7bc57495-ea59-4380-be31-a64af124ef18"
},
"uuid": "7c0995ef-ab5d-48f9-8884-7d953c4c3247",
"value": "3PARA RAT (S0066) uses File and Directory Discovery (T1083)"
},
{
"meta": {
"source-uuid": "5ce5392a-3a6c-4e07-9df3-9b6a9159ac45",
"target-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d"
},
"uuid": "a442fcac-55d7-49ff-8ecf-ca61885c27e2",
"value": "Putter Panda (G0024) uses Process Injection (T1055)"
},
{
"meta": {
"source-uuid": "60c18d06-7b91-4742-bae3-647845cd9d81",
"target-uuid": "519630c5-f03f-4882-825c-3af924935817"
},
"uuid": "9b88372d-4f3f-4442-906d-9ab07e22e781",
"value": "CORESHELL (S0137) uses Binary Padding (T1009)"
},
{
"meta": {
"source-uuid": "64fa0de0-6240-41f4-8638-f4ca7ed528fd",
"target-uuid": "99709758-2b96-48f2-a68a-ad7fbd828091"
},
"uuid": "2c48f039-61f7-4af4-974b-f0e0fcf95f58",
"value": "PlugX (S0013) uses Multiband Communication (T1026)"
},
{
"meta": {
"source-uuid": "9da16278-c6c5-4410-8a6b-9c16ce8005b3",
"target-uuid": "2892b9ee-ca9f-4723-b332-0dc6e843a8ae"
},
"uuid": "701a2767-70f3-44f1-a397-9c04517ece67",
"value": "Screensaver Mitigation (T1180) mitigates Screensaver (T1180)"
},
{
"meta": {
"source-uuid": "691c60e2-273d-4d56-9ce6-b67e0f8719ad",
"target-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc"
},
"uuid": "55df3b40-b130-4313-9064-6b0fc56564d0",
"value": "Truvasys (S0178) uses Registry Run Keys / Start Folder (T1060)"
},
{
"meta": {
"source-uuid": "92ec0cbd-2c30-44a2-b270-73f4ec949841",
"target-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2"
},
"uuid": "23e2dc58-4b8d-48d8-82fd-d051892a7d58",
"value": "RTM (S0148) uses Input Capture (T1056)"
},
{
"meta": {
"source-uuid": "66b1dcde-17a0-4c7b-95fa-b08d430c2131",
"target-uuid": "f24faf46-3b26-4dbb-98f2-63460498e433"
},
"uuid": "4b23ac99-3761-46f0-ad5d-2cf63a95036a",
"value": "S-Type (S0085) uses Fallback Channels (T1008)"
},
{
"meta": {
"source-uuid": "c93fccb1-e8e8-42cf-ae33-2ad1d183913a",
"target-uuid": "731f4f55-b6d0-41d1-a7a9-072a66389aea"
},
"uuid": "39fdd17c-5f59-4daf-bf14-95841b5ec248",
"value": "Lazarus Group (G0032) uses Connection Proxy (T1090)"
},
{
"meta": {
"source-uuid": "d519164e-f5fa-4b8c-a1fb-cf0172ad0983",
"target-uuid": "ff6caf67-ea1f-4895-b80e-4bb0fc31c6db"
},
"uuid": "f1af286d-9367-45de-aced-a762838e58bd",
"value": "Threat Group-1314 (G0028) uses PsExec (S0029)"
},
{
"meta": {
"source-uuid": "7551188b-8f91-4d34-8350-0d0c57b2b913",
"target-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6"
},
"uuid": "bc60180b-2db6-4e0d-8b98-d349db637777",
"value": "Elise (S0081) uses Standard Application Layer Protocol (T1071)"
},
{
"meta": {
"source-uuid": "bef4c620-0787-42a8-a96d-b7eb6e85917c",
"target-uuid": "02fefddc-fb1b-423f-a76b-7552dd211d4d"
},
"uuid": "9e90e4a5-844c-4516-9044-6f35bbf27806",
"value": "APT28 (G0007) uses Bootkit (T1067)"
},
{
"meta": {
"source-uuid": "85403903-15e0-4f9f-9be4-a259ecad4022",
"target-uuid": "30208d3e-0d6b-43c8-883e-44462a514619"
},
"uuid": "55ffbd77-ec97-4dca-9399-b9e4b62fbbf8",
"value": "FIN5 (G0053) uses Automated Collection (T1119)"
},
{
"meta": {
"source-uuid": "9ea525fa-b0a9-4dde-84f2-bcea0137b3c1",
"target-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0"
},
"uuid": "c585ae70-1bda-4751-ad34-536a78b7daad",
"value": "MoonWind (S0149) uses System Network Configuration Discovery (T1016)"
},
{
"meta": {
"source-uuid": "40d3e230-ed32-469f-ba89-be70cc08ab39",
"target-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104"
},
"uuid": "6c71a59f-05e6-44cc-ace5-33200e1f0846",
"value": "Agent.btz (S0092) uses System Owner/User Discovery (T1033)"
},
{
"meta": {
"source-uuid": "025bdaa9-897d-4bad-afa6-013ba5734653",
"target-uuid": "a8d3d497-2da9-4797-8e0b-ed176be08654"
},
"uuid": "877a67b0-5dea-467c-9da1-8eee3bcc19a6",
"value": "NEODYMIUM (G0055) uses Wingbird (S0176)"
},
{
"meta": {
"source-uuid": "93f52415-0fe4-4d3d-896c-fc9b8e88ab90",
"target-uuid": "242f3da3-4425-4d11-8f5c-b842886da966"
},
"uuid": "fc79f30d-94c8-400e-ab10-21d2a2527788",
"value": "BRONZE BUTLER (G0060) uses Windows Credential Editor (S0005)"
},
{
"meta": {
"source-uuid": "68ba94ab-78b8-43e7-83e2-aed3466882c6",
"target-uuid": "f4882e23-8aa7-4b12-b28a-b349c12ee9e0"
},
"uuid": "7df747e6-81a1-4bb0-b47f-96136694f2d0",
"value": "APT34 (G0057) uses PowerShell (T1086)"
},
{
"meta": {
"source-uuid": "68dca94f-c11d-421e-9287-7c501108e18c",
"target-uuid": "72b74d71-8169-42aa-92e0-e7b04b9f5a08"
},
"uuid": "2db406cf-667d-4ad6-b768-7645f6663ac9",
"value": "Duqu (S0038) uses Account Discovery (T1087)"
},
{
"meta": {
"source-uuid": "00c3bfcb-99bd-4767-8c03-b08f585f5c8a",
"target-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1"
},
"uuid": "1fda6ff7-a344-4bc3-b545-4083cc15290d",
"value": "PowerDuke (S0139) uses System Information Discovery (T1082)"
},
{
"meta": {
"source-uuid": "0f862b01-99da-47cc-9bdb-db4a86a95bb1",
"target-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a"
},
"uuid": "021c3289-43bb-4787-9d7e-6ad17b3ce84f",
"value": "Emissary (S0082) uses Obfuscated Files or Information (T1027)"
},
{
"meta": {
"source-uuid": "4c59cce8-cb48-4141-b9f1-f646edfaadb0",
"target-uuid": "731f4f55-b6d0-41d1-a7a9-072a66389aea"
},
"uuid": "52cf8793-2f13-45c2-8274-1a9bf5d6224a",
"value": "Regin (S0019) uses Connection Proxy (T1090)"
},
{
"meta": {
"source-uuid": "e066bf86-9cfb-407a-9d25-26fd5d91e360",
"target-uuid": "f879d51c-5476-431c-aedf-f14d207e4d1e"
},
"uuid": "030fb5ef-3900-4f60-a1d2-0f1d67940aed",
"value": "HTTPBrowser (S0070) uses Commonly Used Port (T1043)"
},
{
"meta": {
"source-uuid": "ff5d862a-ae6b-4833-8c15-e235d654d28e",
"target-uuid": "9b52fca7-1a36-4da0-b62d-da5bd83b4d69"
},
"uuid": "a65de154-e0dd-445f-9f26-8459a287c790",
"value": "Component Object Model Hijacking Mitigation (T1122) mitigates Component Object Model Hijacking (T1122)"
},
{
"meta": {
"source-uuid": "7a19ecb1-3c65-4de3-a230-993516aed6a6",
"target-uuid": "7fcbc4e8-1989-441f-9ac5-e7b6ff5806f1"
},
"uuid": "8cdfc8e4-b657-4ae9-b9ee-9b6107fae796",
"value": "Turla (G0010) uses Systeminfo (S0096)"
},
{
"meta": {
"source-uuid": "17b40f60-729f-4fe8-8aea-cc9ee44a95d5",
"target-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688"
},
"uuid": "48fb8267-5d68-467b-a2c0-8302cc15ebed",
"value": "RedLeaves (S0153) uses Screen Capture (T1113)"
},
{
"meta": {
"source-uuid": "4c59cce8-cb48-4141-b9f1-f646edfaadb0",
"target-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2"
},
"uuid": "385f57f4-87b6-4126-ab67-531e482ec9bc",
"value": "Regin (S0019) uses Input Capture (T1056)"
},
{
"meta": {
"source-uuid": "02f0f92a-0a51-4c94-9bda-6437b9a93f22",
"target-uuid": "e2907cea-4b43-4ed7-a570-0fdf0fbeea00"
},
"uuid": "c5747927-2d3d-4d3b-a4d7-56a2b37b039e",
"value": "Space after Filename Mitigation (T1151) mitigates Space after Filename (T1151)"
},
{
"meta": {
"source-uuid": "65341f30-bec6-4b1d-8abf-1a5620446c29",
"target-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc"
},
"uuid": "3dcf441c-b987-4c6a-93e7-e24ae1e16475",
"value": "Reaver (S0172) uses Registry Run Keys / Start Folder (T1060)"
},
{
"meta": {
"source-uuid": "43213480-78f7-4fb3-976f-d48f5f6a4c2a",
"target-uuid": "7bc57495-ea59-4380-be31-a64af124ef18"
},
"uuid": "512e16e9-634c-45d3-b569-c25a3072bbdc",
"value": "FLASHFLOOD (S0036) uses File and Directory Discovery (T1083)"
},
{
"meta": {
"source-uuid": "6a2e693f-24e5-451a-9f88-b36a108e5662",
"target-uuid": "afc079f3-c0ea-4096-b75d-3f05338b7f60"
},
"uuid": "630dedba-136b-4ea3-956e-f8f38e96653d",
"value": "APT1 (G0006) uses Mimikatz (S0002)"
},
{
"meta": {
"source-uuid": "59a97b15-8189-4d51-9404-e1ce8ea4a069",
"target-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670"
},
"uuid": "fc4811c4-103b-48b7-9e52-20d574cfc4bf",
"value": "XAgentOSX (S0161) uses Execution through API (T1106)"
},
{
"meta": {
"source-uuid": "37cc7eb6-12e3-467b-82e8-f20f2cc73c69",
"target-uuid": "1b7ba276-eedc-4951-a762-0ceea2c030ec"
},
"uuid": "96e928af-dbfc-4743-a1dc-353904e21fd3",
"value": "Prikormka (S0113) uses Data from Removable Media (T1025)"
},
{
"meta": {
"source-uuid": "8ae43c46-57ef-47d5-a77a-eebb35628db2",
"target-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9"
},
"uuid": "1aa10371-6473-416a-8b8b-17c36f700233",
"value": "JHUHUGIT (S0044) uses Scheduled Task (T1053)"
},
{
"meta": {
"source-uuid": "fb366179-766c-4a4a-afa1-52bff1fd601c",
"target-uuid": "6aabc5ec-eae6-422c-8311-38d45ee9838a"
},
"uuid": "59a6700b-3ae5-4039-a07c-cbbf6eb7a78e",
"value": "Threat Group-3390 (G0027) uses Redundant Access (T1108)"
},
{
"meta": {
"source-uuid": "9e57c770-5a39-49a2-bb91-253ba629e3ac",
"target-uuid": "6c174520-beea-43d9-aac6-28fb77f3e446"
},
"uuid": "142800a5-62e9-48e9-97ef-186cfb68ffa1",
"value": "Security Support Provider Mitigation (T1101) mitigates Security Support Provider (T1101)"
},
{
"meta": {
"source-uuid": "f9d6633a-55e6-4adc-9263-6ae080421a13",
"target-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6"
},
"uuid": "2dd15583-34cd-4b49-a6ba-4bd647b7ff27",
"value": "Magic Hound (G0059) uses Standard Application Layer Protocol (T1071)"
},
{
"meta": {
"source-uuid": "fb575479-14ef-41e9-bfab-0b7cf10bec73",
"target-uuid": "4b74a1d4-b0e9-4ef1-93f1-14ecc6e2f5b5"
},
"uuid": "85a92b0f-f8c3-41a9-a1b3-cfbf8b442b39",
"value": "ADVSTORESHELL (S0045) uses Standard Cryptographic Protocol (T1032)"
},
{
"meta": {
"source-uuid": "f8dfbc54-b070-4224-b560-79aaa5f835bd",
"target-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add"
},
"uuid": "a7e5ffbc-d123-4f62-88eb-36b32656cd35",
"value": "H1N1 (S0132) uses Remote File Copy (T1105)"
},
{
"meta": {
"source-uuid": "1cc934e4-b01d-4543-a011-b988dfc1a458",
"target-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc"
},
"uuid": "4696a49d-caa1-4746-b106-45faf327270b",
"value": "Matroyshka (S0167) uses Registry Run Keys / Start Folder (T1060)"
},
{
"meta": {
"source-uuid": "55033a4d-3ffe-46b2-99b4-2c1541e9ce1c",
"target-uuid": "478aa214-2ca7-4ec0-9978-18798e514790"
},
"uuid": "aad8c4dc-db11-48b4-b294-f63ccde5e798",
"value": "Carbanak (G0008) uses New Service (T1050)"
},
{
"meta": {
"source-uuid": "5e7ef1dc-7fb6-4913-ac75-e06113b59e0c",
"target-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add"
},
"uuid": "67b49860-e1e4-4b56-bf83-108c4ac25e5c",
"value": "MiniDuke (S0051) uses Remote File Copy (T1105)"
},
{
"meta": {
"source-uuid": "0bbdf25b-30ff-4894-a1cd-49260d0dd2d9",
"target-uuid": "e358d692-23c0-4a31-9eb6-ecc13a8d7735"
},
"uuid": "e7714693-e792-44f0-a224-9899df75fced",
"value": "APT3 (G0022) uses Remote System Discovery (T1018)"
},
{
"meta": {
"source-uuid": "aafea02e-ece5-4bb2-91a6-3bf8c7f38a39",
"target-uuid": "ffe742ed-9100-4686-9e00-c331da544787"
},
"uuid": "dac7355a-9d13-4155-a053-d0c18fe92f53",
"value": "Cobalt Strike (S0154) uses Windows Admin Shares (T1077)"
},
{
"meta": {
"source-uuid": "d3afa961-a80c-4043-9509-282cdf69ab21",
"target-uuid": "478aa214-2ca7-4ec0-9978-18798e514790"
},
"uuid": "0a65c303-52a6-4624-a8fb-fc7448429139",
"value": "Winnti (S0141) uses New Service (T1050)"
},
{
"meta": {
"source-uuid": "5a3a31fe-5a8f-48e1-bff0-a753e5b1be70",
"target-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830"
},
"uuid": "19be6ce1-8eea-47ff-b87c-3358d390454d",
"value": "China Chopper (S0020) uses Command-Line Interface (T1059)"
},
{
"meta": {
"source-uuid": "55033a4d-3ffe-46b2-99b4-2c1541e9ce1c",
"target-uuid": "afc079f3-c0ea-4096-b75d-3f05338b7f60"
},
"uuid": "c4bea2b7-e8a2-45d0-bac2-4d82576c1521",
"value": "Carbanak (G0008) uses Mimikatz (S0002)"
},
{
"meta": {
"source-uuid": "8c918d8a-11c5-4ffd-af10-e74bc06bdfae",
"target-uuid": "62b8c999-dcc0-4755-bd69-09442d9359f5"
},
"uuid": "98c18956-03d7-49e5-93b2-44351682331d",
"value": "Rundll32 Mitigation (T1085) mitigates Rundll32 (T1085)"
},
{
"meta": {
"source-uuid": "92ec0cbd-2c30-44a2-b270-73f4ec949841",
"target-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9"
},
"uuid": "84e0c62b-b1a6-4ecd-8607-f0b516cb48f6",
"value": "RTM (S0148) uses Scheduled Task (T1053)"
},
{
"meta": {
"source-uuid": "8901ac23-6b50-410c-b0dd-d8174a86f9b3",
"target-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4"
},
"uuid": "af9347a3-00a9-4ece-b075-8c55bd4f4b9b",
"value": "Shamoon (S0140) uses Modify Registry (T1112)"
},
{
"meta": {
"source-uuid": "59a97b15-8189-4d51-9404-e1ce8ea4a069",
"target-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104"
},
"uuid": "31cd4eb1-f7b3-4030-b087-388d55faba03",
"value": "XAgentOSX (S0161) uses System Owner/User Discovery (T1033)"
},
{
"meta": {
"source-uuid": "4c59cce8-cb48-4141-b9f1-f646edfaadb0",
"target-uuid": "f2d44246-91f1-478a-b6c8-1227e0ca109d"
},
"uuid": "1ee44004-6aaa-4b22-934d-4f4ef82cbbd4",
"value": "Regin (S0019) uses NTFS Extended Attributes (T1096)"
},
{
"meta": {
"source-uuid": "22addc7b-b39f-483d-979a-1b35147da5de",
"target-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104"
},
"uuid": "af6e3f9e-7c71-484d-ab8e-5adaaaedea36",
"value": "WinMM (S0059) uses System Owner/User Discovery (T1033)"
},
{
"meta": {
"source-uuid": "e9595678-d269-469e-ae6b-75e49259de63",
"target-uuid": "3b3cbbe0-6ed3-4334-b543-3ddfd8c5642d"
},
"uuid": "1ba38510-0489-4305-944f-451e6869b30f",
"value": "BADNEWS (S0128) uses Custom Cryptographic Protocol (T1024)"
},
{
"meta": {
"source-uuid": "5f9f7648-04ba-4a9f-bb4c-2a13e74572bd",
"target-uuid": "7bc57495-ea59-4380-be31-a64af124ef18"
},
"uuid": "5d46a519-1ef9-4cdb-b737-8c7b3ffb4f0e",
"value": "Pteranodon (S0147) uses File and Directory Discovery (T1083)"
},
{
"meta": {
"source-uuid": "aafea02e-ece5-4bb2-91a6-3bf8c7f38a39",
"target-uuid": "01a5a209-b94c-450b-b7f9-946497d91055"
},
"uuid": "b9e624b0-47d1-4463-970b-fbb6ddcd7171",
"value": "Cobalt Strike (S0154) uses Windows Management Instrumentation (T1047)"
},
{
"meta": {
"source-uuid": "8ae43c46-57ef-47d5-a77a-eebb35628db2",
"target-uuid": "03259939-0b57-482f-8eb5-87c0e0d54334"
},
"uuid": "70d5a73c-cc14-410a-a430-5948cd21532f",
"value": "JHUHUGIT (S0044) uses Logon Scripts (T1037)"
},
{
"meta": {
"source-uuid": "277d2f87-2ae5-4730-a3aa-50c1fdff9656",
"target-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22"
},
"uuid": "8cbb1567-70c5-4daf-b163-cbc6cc40a794",
"value": "Strider (G0041) uses Credential Dumping (T1003)"
},
{
"meta": {
"source-uuid": "2e290bfe-93b5-48ce-97d6-edcd6d32b7cf",
"target-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1"
},
"uuid": "36112f24-7814-4c75-b5b7-a1205bb28b68",
"value": "Gamaredon Group (G0047) uses System Information Discovery (T1082)"
},
{
"meta": {
"source-uuid": "68ba94ab-78b8-43e7-83e2-aed3466882c6",
"target-uuid": "a93494bb-4b80-4ea1-8695-3236a49916fd"
},
"uuid": "04b44241-3ff4-4d46-9847-7cb2feaba84e",
"value": "APT34 (G0057) uses Brute Force (T1110)"
},
{
"meta": {
"source-uuid": "0bbdf25b-30ff-4894-a1cd-49260d0dd2d9",
"target-uuid": "c9703cd3-141c-43a0-a926-380082be5d04"
},
"uuid": "1c812537-dfaf-40da-a71b-a49c18870b77",
"value": "APT3 (G0022) uses schtasks (S0111)"
},
{
"meta": {
"source-uuid": "2a158b0a-7ef8-43cb-9985-bf34d1e12050",
"target-uuid": "241814ae-de3f-4656-b49e-f9a80764d4b7"
},
"uuid": "2e77d363-e38f-40ad-a6ef-9222dc12793d",
"value": "Naikon (G0019) uses Security Software Discovery (T1063)"
},
{
"meta": {
"source-uuid": "17b40f60-729f-4fe8-8aea-cc9ee44a95d5",
"target-uuid": "f72eb8a8-cd4c-461d-a814-3f862befbf00"
},
"uuid": "4176d195-5740-47c2-874d-51704e7d293e",
"value": "RedLeaves (S0153) uses Custom Command and Control Protocol (T1094)"
},
{
"meta": {
"source-uuid": "e669bb87-f773-4c7b-bfcc-a9ffebfdd8d4",
"target-uuid": "0f20e3cb-245b-4a61-8a91-2d93f7cb0e9b"
},
"uuid": "69b9edd8-c1a8-4cbd-bd94-9af0fdefe013",
"value": "HIDEDRV (S0135) uses Rootkit (T1014)"
},
{
"meta": {
"source-uuid": "247cb30b-955f-42eb-97a5-a89fef69341e",
"target-uuid": "c16e5409-ee53-4d79-afdc-4099dc9292df"
},
"uuid": "c7017855-dc52-4e9d-977f-3af701e094c8",
"value": "APT32 (G0050) uses Web Shell (T1100)"
},
{
"meta": {
"source-uuid": "7551188b-8f91-4d34-8350-0d0c57b2b913",
"target-uuid": "62b8c999-dcc0-4755-bd69-09442d9359f5"
},
"uuid": "37ab6b56-033c-4cb6-8d1b-e7ff5dcf668d",
"value": "Elise (S0081) uses Rundll32 (T1085)"
},
{
"meta": {
"source-uuid": "5a33468d-844d-4b1f-98c9-0e786c556b27",
"target-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22"
},
"uuid": "d3b810ed-0be4-448b-b1ac-aa3a7dd16c91",
"value": "MimiPenguin (S0179) uses Credential Dumping (T1003)"
},
{
"meta": {
"source-uuid": "94e95eeb-7cdb-4bd7-afba-f32fda303dbb",
"target-uuid": "e7eab98d-ae11-4491-bd28-a53ba875865a"
},
"uuid": "4c2b4c0f-0ded-4f0f-ad5a-a95241ba927e",
"value": "Network Share Connection Removal Mitigation (T1126) mitigates Network Share Connection Removal (T1126)"
},
{
"meta": {
"source-uuid": "8b880b41-5139-4807-baa9-309690218719",
"target-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc"
},
"uuid": "689c51b8-7e41-474e-abf6-ffdde0acc40b",
"value": "SPACESHIP (S0035) uses Registry Run Keys / Start Folder (T1060)"
},
{
"meta": {
"source-uuid": "d1acfbb3-647b-4723-9154-800ec119006e",
"target-uuid": "b9f5dbe2-4c55-4fc5-af2e-d42c1d182ec4"
},
"uuid": "953134ab-5816-43b8-b2b1-8f4c9305f57a",
"value": "Sowbug (G0054) uses Data Compressed (T1002)"
},
{
"meta": {
"source-uuid": "38fd6a28-3353-4f2b-bb2b-459fecd5c648",
"target-uuid": "88c621a7-aef9-4ae0-94e3-1fc87123eb24"
},
"uuid": "80c071f7-123e-468f-800d-726a1d3e4144",
"value": "APT18 (G0026) uses gh0st (S0032)"
},
{
"meta": {
"source-uuid": "fb366179-766c-4a4a-afa1-52bff1fd601c",
"target-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22"
},
"uuid": "36b9f594-9a27-4281-a18e-9a5e7df70ad9",
"value": "Threat Group-3390 (G0027) uses Credential Dumping (T1003)"
},
{
"meta": {
"source-uuid": "4ca1929c-7d64-4aab-b849-badbfc0c760d",
"target-uuid": "c16e5409-ee53-4d79-afdc-4099dc9292df"
},
"uuid": "2dbed740-1b50-4d59-a729-a1d9e6a839df",
"value": "OilRig (G0049) uses Web Shell (T1100)"
},
{
"meta": {
"source-uuid": "3753cc21-2dae-4dfb-8481-d004e74502cc",
"target-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0"
},
"uuid": "37ba7858-8765-4445-a65e-d2765b673b34",
"value": "FIN7 (G0046) uses Masquerading (T1036)"
},
{
"meta": {
"source-uuid": "1c63d4ec-0a75-4daa-b1df-0d11af3d3cc1",
"target-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59"
},
"uuid": "b0db4b00-8716-430f-a9d8-29a878a12eac",
"value": "Dragonfly (G0035) uses File Deletion (T1107)"
},
{
"meta": {
"source-uuid": "196f1f32-e0c2-4d46-99cd-234d4b6befe1",
"target-uuid": "3b3cbbe0-6ed3-4334-b543-3ddfd8c5642d"
},
"uuid": "fa035513-59b6-4f54-8b85-13ec08849453",
"value": "Felismus (S0171) uses Custom Cryptographic Protocol (T1024)"
},
{
"meta": {
"source-uuid": "e6ef745b-077f-42e1-a37d-29eecff9c754",
"target-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc"
},
"uuid": "327a64df-b405-453b-83d2-528d17e8df51",
"value": "CozyCar (S0046) uses Registry Run Keys / Start Folder (T1060)"
},
{
"meta": {
"source-uuid": "68ba94ab-78b8-43e7-83e2-aed3466882c6",
"target-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a"
},
"uuid": "3fe559f9-9bee-48ea-8a7c-7d65b63419ee",
"value": "APT34 (G0057) uses Obfuscated Files or Information (T1027)"
},
{
"meta": {
"source-uuid": "6a2e693f-24e5-451a-9f88-b36a108e5662",
"target-uuid": "51dea151-0898-4a45-967c-3ebee0420484"
},
"uuid": "fc2ffb01-2c4e-429d-b4fd-e0d20678504a",
"value": "APT1 (G0006) uses Remote Desktop Protocol (T1076)"
},
{
"meta": {
"source-uuid": "24478001-2eb3-4b06-a02e-96b3d61d27ec",
"target-uuid": "428ca9f8-0e33-442a-be87-f869cb4cf73e"
},
"uuid": "a1f198ef-af69-4c0f-b3ed-0b47ad6167fe",
"value": "Multilayer Encryption Mitigation (T1079) mitigates Multilayer Encryption (T1079)"
},
{
"meta": {
"source-uuid": "e9595678-d269-469e-ae6b-75e49259de63",
"target-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2"
},
"uuid": "3e09a5ce-a6a0-4f03-8c23-a7ebb4dfd74c",
"value": "BADNEWS (S0128) uses Input Capture (T1056)"
},
{
"meta": {
"source-uuid": "2a7914cf-dff3-428d-ab0f-1014d1c28aeb",
"target-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9"
},
"uuid": "aea8401e-774e-47b1-86ac-220cacd11a3c",
"value": "FIN6 (G0037) uses Scheduled Task (T1053)"
},
{
"meta": {
"source-uuid": "92ec0cbd-2c30-44a2-b270-73f4ec949841",
"target-uuid": "f72eb8a8-cd4c-461d-a814-3f862befbf00"
},
"uuid": "865a5b25-6908-4ad9-a81d-33f3cf48e357",
"value": "RTM (S0148) uses Custom Command and Control Protocol (T1094)"
},
{
"meta": {
"source-uuid": "0998045d-f96e-4284-95ce-3c8219707486",
"target-uuid": "c16e5409-ee53-4d79-afdc-4099dc9292df"
},
"uuid": "bbe37d7e-ad35-4c74-a57c-9a398ef6b1be",
"value": "SEASHARPEE (S0185) uses Web Shell (T1100)"
},
{
"meta": {
"source-uuid": "fb366179-766c-4a4a-afa1-52bff1fd601c",
"target-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2"
},
"uuid": "6b5c6fc2-615a-46fc-80a4-9ab332159722",
"value": "Threat Group-3390 (G0027) uses Input Capture (T1056)"
},
{
"meta": {
"source-uuid": "8901ac23-6b50-410c-b0dd-d8174a86f9b3",
"target-uuid": "478aa214-2ca7-4ec0-9978-18798e514790"
},
"uuid": "4e9c5234-65e9-4b4a-bc13-891e7aed84b2",
"value": "Shamoon (S0140) uses New Service (T1050)"
},
{
"meta": {
"source-uuid": "68ba94ab-78b8-43e7-83e2-aed3466882c6",
"target-uuid": "4b74a1d4-b0e9-4ef1-93f1-14ecc6e2f5b5"
},
"uuid": "98852860-145c-40f0-86af-b32dd61fa008",
"value": "APT34 (G0057) uses Standard Cryptographic Protocol (T1032)"
},
{
"meta": {
"source-uuid": "2fab555f-7664-4623-b4e0-1675ae38190b",
"target-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22"
},
"uuid": "56e40368-38a7-4415-9ebc-8c84694bc7d6",
"value": "Lslsass (S0121) uses Credential Dumping (T1003)"
},
{
"meta": {
"source-uuid": "c95c8b5c-b431-43c9-9557-f494805e2502",
"target-uuid": "6ff403bc-93e3-48be-8687-e102fdba8c88"
},
"uuid": "35572bdc-c7a2-442b-8d9a-7691317b6982",
"value": "Software Packing Mitigation (T1045) mitigates Software Packing (T1045)"
},
{
"meta": {
"source-uuid": "1c63d4ec-0a75-4daa-b1df-0d11af3d3cc1",
"target-uuid": "51dea151-0898-4a45-967c-3ebee0420484"
},
"uuid": "496e66ff-2c9f-454c-af36-49c7dc098493",
"value": "Dragonfly (G0035) uses Remote Desktop Protocol (T1076)"
},
{
"meta": {
"source-uuid": "56f46b17-8cfa-46c0-b501-dd52fef394e2",
"target-uuid": "c16e5409-ee53-4d79-afdc-4099dc9292df"
},
"uuid": "660d09ce-8722-42b3-8503-911dff37bf22",
"value": "ASPXSpy (S0073) uses Web Shell (T1100)"
},
{
"meta": {
"source-uuid": "6a0ef5d4-fc7c-4dda-85d7-592e4dbdc5d9",
"target-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d"
},
"uuid": "df5bee66-b840-405e-b9d5-2e0ced2e6808",
"value": "Sykipot (S0018) uses Process Injection (T1055)"
},
{
"meta": {
"source-uuid": "64d76fa5-cf8f-469c-b78c-1a4f7c5bad80",
"target-uuid": "9b52fca7-1a36-4da0-b62d-da5bd83b4d69"
},
"uuid": "8793b289-4b74-4119-8561-a9ad27dacdff",
"value": "BBSRAT (S0127) uses Component Object Model Hijacking (T1122)"
},
{
"meta": {
"source-uuid": "d1acfbb3-647b-4723-9154-800ec119006e",
"target-uuid": "7bc57495-ea59-4380-be31-a64af124ef18"
},
"uuid": "0efa0a7a-545d-49e2-b0c4-0e251226404a",
"value": "Sowbug (G0054) uses File and Directory Discovery (T1083)"
},
{
"meta": {
"source-uuid": "93f52415-0fe4-4d3d-896c-fc9b8e88ab90",
"target-uuid": "c9703cd3-141c-43a0-a926-380082be5d04"
},
"uuid": "d691e305-8ce5-40cd-a648-b0dcab329e69",
"value": "BRONZE BUTLER (G0060) uses schtasks (S0111)"
},
{
"meta": {
"source-uuid": "17862c7d-9e60-48a0-b48e-da4dc4c3f6b0",
"target-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add"
},
"uuid": "da734f6c-de0d-44f1-9521-6607b800ad43",
"value": "Patchwork (G0040) uses Remote File Copy (T1105)"
},
{
"meta": {
"source-uuid": "0ced8926-914e-4c78-bc93-356fb90dbd1f",
"target-uuid": "f4882e23-8aa7-4b12-b28a-b349c12ee9e0"
},
"uuid": "bfdffca9-6418-486d-833f-84f3920fcb71",
"value": "HALFBAKED (S0151) uses PowerShell (T1086)"
},
{
"meta": {
"source-uuid": "94379dec-5c87-49db-b36e-66abc0b81344",
"target-uuid": "7bc57495-ea59-4380-be31-a64af124ef18"
},
"uuid": "b9fe8dd4-a3c9-4e58-9a74-937e4de677a8",
"value": "Derusbi (S0021) uses File and Directory Discovery (T1083)"
},
{
"meta": {
"source-uuid": "fe98767f-9df8-42b9-83c9-004b1dec8647",
"target-uuid": "88c621a7-aef9-4ae0-94e3-1fc87123eb24"
},
"uuid": "3f780c76-b5d5-43f9-b4f2-048106f00894",
"value": "PittyTiger (G0011) uses gh0st (S0032)"
},
{
"meta": {
"source-uuid": "eff1a885-6f90-42a1-901f-eef6e7a1905e",
"target-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2"
},
"uuid": "699ac754-3f3e-46de-9b2a-5ea450ef47fd",
"value": "Helminth (S0170) uses Input Capture (T1056)"
},
{
"meta": {
"source-uuid": "1c63d4ec-0a75-4daa-b1df-0d11af3d3cc1",
"target-uuid": "1608f3e1-598a-42f4-a01a-2e252e81728f"
},
"uuid": "59b95288-b954-4118-9a88-8e2ad85a1265",
"value": "Dragonfly (G0035) uses Email Collection (T1114)"
},
{
"meta": {
"source-uuid": "5e595477-2e78-4ce7-ae42-e0b059b17808",
"target-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add"
},
"uuid": "be31bf6d-ce4f-4620-8940-445f35ff90a7",
"value": "POSHSPY (S0150) uses Remote File Copy (T1105)"
},
{
"meta": {
"source-uuid": "7a19ecb1-3c65-4de3-a230-993516aed6a6",
"target-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0"
},
"uuid": "9eefeafd-aca1-4e4c-8d29-ea6f9154808a",
"value": "Turla (G0010) uses System Network Configuration Discovery (T1016)"
},
{
"meta": {
"source-uuid": "2eb9b131-d333-4a48-9eb4-d8dec46c19ee",
"target-uuid": "1608f3e1-598a-42f4-a01a-2e252e81728f"
},
"uuid": "bcb8ac03-4f58-4cd8-af58-c3df991c8af5",
"value": "CosmicDuke (S0050) uses Email Collection (T1114)"
},
{
"meta": {
"source-uuid": "ff6caf67-ea1f-4895-b80e-4bb0fc31c6db",
"target-uuid": "ffe742ed-9100-4686-9e00-c331da544787"
},
"uuid": "27102940-8ec1-42ad-98e5-57dc24b572eb",
"value": "PsExec (S0029) uses Windows Admin Shares (T1077)"
},
{
"meta": {
"source-uuid": "e48df773-7c95-4a4c-ba70-ea3d15900148",
"target-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc"
},
"uuid": "82826722-4278-438e-a8d0-5bd9fd117b2b",
"value": "DownPaper (S0186) uses Registry Run Keys / Start Folder (T1060)"
},
{
"meta": {
"source-uuid": "93f52415-0fe4-4d3d-896c-fc9b8e88ab90",
"target-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0"
},
"uuid": "2174c465-8855-4c92-a683-97eb0eba9f7c",
"value": "BRONZE BUTLER (G0060) uses Masquerading (T1036)"
},
{
"meta": {
"source-uuid": "37cc7eb6-12e3-467b-82e8-f20f2cc73c69",
"target-uuid": "62b8c999-dcc0-4755-bd69-09442d9359f5"
},
"uuid": "216ab163-818b-4303-beb6-a743b90c98bf",
"value": "Prikormka (S0113) uses Rundll32 (T1085)"
},
{
"meta": {
"source-uuid": "55033a4d-3ffe-46b2-99b4-2c1541e9ce1c",
"target-uuid": "830c9528-df21-472c-8c14-a036bf17d665"
},
"uuid": "a732c265-07f0-4e9b-a42c-0df6277e5b27",
"value": "Carbanak (G0008) uses Web Service (T1102)"
},
{
"meta": {
"source-uuid": "7551188b-8f91-4d34-8350-0d0c57b2b913",
"target-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc"
},
"uuid": "f696324d-7fb4-44ca-82dd-3385b55fbb80",
"value": "Elise (S0081) uses Registry Run Keys / Start Folder (T1060)"
},
{
"meta": {
"source-uuid": "2daa14d6-cbf3-4308-bb8e-213c324a08e4",
"target-uuid": "f4882e23-8aa7-4b12-b28a-b349c12ee9e0"
},
"uuid": "a3eca9d0-bc4b-48a8-801d-9aaa757bfe72",
"value": "HAMMERTOSS (S0037) uses PowerShell (T1086)"
},
{
"meta": {
"source-uuid": "16ade1aa-0ea1-4bb7-88cc-9079df2ae756",
"target-uuid": "2a6f4c7b-e690-4cc7-ab6b-1f821fb6b80b"
},
"uuid": "0a6ec458-f9f7-4e51-b0eb-4fd915a48a6b",
"value": "admin@338 (G0018) uses LOWBALL (S0042)"
},
{
"meta": {
"source-uuid": "65370d0b-3bd4-4653-8cf9-daf56f6be830",
"target-uuid": "1ce03c65-5946-4ac9-9d4d-66db87e024bd"
},
"uuid": "b1334535-019a-4d6a-88c1-8bb6741f152b",
"value": "meek (S0175) uses Domain Fronting (T1172)"
},
{
"meta": {
"source-uuid": "f108215f-3487-489d-be8b-80e346d32518",
"target-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59"
},
"uuid": "3b31b258-d3e0-4acc-9c20-de870baa64a0",
"value": "Komplex (S0162) uses File Deletion (T1107)"
},
{
"meta": {
"source-uuid": "a653431d-6a5e-4600-8ad3-609b5af57064",
"target-uuid": "fbb470da-1d44-4f29-bbb3-9efbe20f94a3"
},
"uuid": "235fe6f1-66d1-4cf4-adb9-3bc7f081144a",
"value": "Deep Panda (G0009) uses Mivast (S0080)"
},
{
"meta": {
"source-uuid": "cde2d700-9ed1-46cf-9bce-07364fe8b24f",
"target-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4"
},
"uuid": "baabf444-1748-472f-b991-7a5b25e4e1bb",
"value": "Reg (S0075) uses Modify Registry (T1112)"
},
{
"meta": {
"source-uuid": "495b6cdb-7b5a-4fbc-8d33-e7ef68806d08",
"target-uuid": "f72eb8a8-cd4c-461d-a814-3f862befbf00"
},
"uuid": "3a6c13d3-6589-4d33-9848-88e3409be0cc",
"value": "Volgmer (S0180) uses Custom Command and Control Protocol (T1094)"
},
{
"meta": {
"source-uuid": "effb83a0-ead1-4b36-b7f6-b7bdf9c4616e",
"target-uuid": "3b744087-9945-4a6f-91e8-9dbceda417a4"
},
"uuid": "0aac9510-f48a-4b28-ae0e-c6facc1635ae",
"value": "Replication Through Removable Media Mitigation (T1091) mitigates Replication Through Removable Media (T1091)"
},
{
"meta": {
"source-uuid": "e48df773-7c95-4a4c-ba70-ea3d15900148",
"target-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6"
},
"uuid": "d7bb00a0-fbe6-4622-84ed-be32ff5d8561",
"value": "DownPaper (S0186) uses Standard Application Layer Protocol (T1071)"
},
{
"meta": {
"source-uuid": "bef4c620-0787-42a8-a96d-b7eb6e85917c",
"target-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1"
},
"uuid": "6b1c1b38-0448-4114-99eb-23aae85ada52",
"value": "APT28 (G0007) uses System Information Discovery (T1082)"
},
{
"meta": {
"source-uuid": "aafea02e-ece5-4bb2-91a6-3bf8c7f38a39",
"target-uuid": "4eeaf8a9-c86b-4954-a663-9555fb406466"
},
"uuid": "033d168d-8348-47ad-af48-d297dc0d1dbb",
"value": "Cobalt Strike (S0154) uses Scheduled Transfer (T1029)"
},
{
"meta": {
"source-uuid": "166c0eca-02fd-424a-92c0-6b5106994d31",
"target-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1"
},
"uuid": "3126c7fa-02eb-475f-a474-26d4d6af7a67",
"value": "ZLib (S0086) uses System Information Discovery (T1082)"
},
{
"meta": {
"source-uuid": "f8dfbc54-b070-4224-b560-79aaa5f835bd",
"target-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a"
},
"uuid": "4527c528-8377-4349-ae5c-95c04cabd3d4",
"value": "H1N1 (S0132) uses Obfuscated Files or Information (T1027)"
},
{
"meta": {
"source-uuid": "2d704e56-e689-4011-b989-bf4e025a8727",
"target-uuid": "06780952-177c-4247-b978-79c357fb311f"
},
"uuid": "352d3d80-3a5f-454b-8190-fbac20979fc7",
"value": "Plist Modification Mitigation (T1150) mitigates Plist Modification (T1150)"
},
{
"meta": {
"source-uuid": "85403903-15e0-4f9f-9be4-a259ecad4022",
"target-uuid": "ff6caf67-ea1f-4895-b80e-4bb0fc31c6db"
},
"uuid": "7e46e7c8-e48a-4860-bbcd-224a2d12284a",
"value": "FIN5 (G0053) uses PsExec (S0029)"
},
{
"meta": {
"source-uuid": "6a2e693f-24e5-451a-9f88-b36a108e5662",
"target-uuid": "1d808f62-cf63-4063-9727-ff6132514c22"
},
"uuid": "4a687e50-e6b7-41df-93b1-6fed7db10f60",
"value": "APT1 (G0006) uses WEBC2 (S0109)"
},
{
"meta": {
"source-uuid": "dc5d1a33-62aa-4a0c-aa8c-589b87beb11e",
"target-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1"
},
"uuid": "a08dadbf-6f68-415f-9daa-f84571af83a2",
"value": "ChChes (S0144) uses System Information Discovery (T1082)"
},
{
"meta": {
"source-uuid": "68dca94f-c11d-421e-9287-7c501108e18c",
"target-uuid": "7e150503-88e7-4861-866b-ff1ac82c4475"
},
"uuid": "938a71e3-a9dc-4ad9-b1c4-b15d75967b8d",
"value": "Duqu (S0038) uses System Network Connections Discovery (T1049)"
},
{
"meta": {
"source-uuid": "eff1a885-6f90-42a1-901f-eef6e7a1905e",
"target-uuid": "7fd87010-3a00-4da3-b905-410525e8ec44"
},
"uuid": "95b21e05-610e-47bf-a4b1-9d4b398e6c13",
"value": "Helminth (S0170) uses Scripting (T1064)"
},
{
"meta": {
"source-uuid": "514e7371-a344-4de7-8ec3-3aa42b801d52",
"target-uuid": "84e02621-8fdf-470f-bd58-993bb6a89d91"
},
"uuid": "389854e8-32d1-406c-ab58-2ee2918bf7ed",
"value": "Multi-Stage Channels Mitigation (T1104) mitigates Multi-Stage Channels (T1104)"
},
{
"meta": {
"source-uuid": "8beac7c2-48d2-4cd9-9b15-6c452f38ac06",
"target-uuid": "ad255bfe-a9e6-4b52-a258-8d3462abe842"
},
"uuid": "96076f66-3ad6-4e54-b816-c9c3f90fa43a",
"value": "Ixeshe (S0015) uses Data Obfuscation (T1001)"
},
{
"meta": {
"source-uuid": "ac008435-af58-4f77-988a-c9b96c5920f5",
"target-uuid": "f2d44246-91f1-478a-b6c8-1227e0ca109d"
},
"uuid": "06a8b931-7881-4e8b-a970-c430379279ca",
"value": "NTFS Extended Attributes Mitigation (T1096) mitigates NTFS Extended Attributes (T1096)"
},
{
"meta": {
"source-uuid": "af2ad3b7-ab6a-4807-91fd-51bcaff9acbb",
"target-uuid": "1b7ba276-eedc-4951-a762-0ceea2c030ec"
},
"uuid": "00ae99d1-db02-4007-8669-04d7fc4c1390",
"value": "USBStealer (S0136) uses Data from Removable Media (T1025)"
},
{
"meta": {
"source-uuid": "0bbdf25b-30ff-4894-a1cd-49260d0dd2d9",
"target-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a"
},
"uuid": "56c927c5-f64e-4b31-9a14-7ce78fd1c8a1",
"value": "APT3 (G0022) uses Obfuscated Files or Information (T1027)"
},
{
"meta": {
"source-uuid": "00c3bfcb-99bd-4767-8c03-b08f585f5c8a",
"target-uuid": "4ae4f953-fe58-4cc8-a327-33257e30a830"
},
"uuid": "43d85ed6-223e-4402-bd29-be10a872359d",
"value": "PowerDuke (S0139) uses Application Window Discovery (T1010)"
},
{
"meta": {
"source-uuid": "58adaaa8-f1e8-4606-9a08-422e568461eb",
"target-uuid": "7bc57495-ea59-4380-be31-a64af124ef18"
},
"uuid": "32ee78b3-58de-4de5-bc3d-34ea8dc90ca3",
"value": "SHOTPUT (S0063) uses File and Directory Discovery (T1083)"
},
{
"meta": {
"source-uuid": "88c621a7-aef9-4ae0-94e3-1fc87123eb24",
"target-uuid": "799ace7f-e227-4411-baa0-8868704f2a69"
},
"uuid": "ad696f42-0631-43fb-893b-a5616f14f93f",
"value": "gh0st (S0032) uses Indicator Removal on Host (T1070)"
},
{
"meta": {
"source-uuid": "7551188b-8f91-4d34-8350-0d0c57b2b913",
"target-uuid": "478aa214-2ca7-4ec0-9978-18798e514790"
},
"uuid": "2d4d634d-ed13-462a-916b-94798546ec6c",
"value": "Elise (S0081) uses New Service (T1050)"
},
{
"meta": {
"source-uuid": "9e9b9415-a7df-406b-b14d-92bfe6809fbe",
"target-uuid": "478aa214-2ca7-4ec0-9978-18798e514790"
},
"uuid": "fa2c0697-0d47-4ee9-b5bf-845ac3453c3a",
"value": "Nidiran (S0118) uses New Service (T1050)"
},
{
"meta": {
"source-uuid": "da8a87d2-946d-4c34-9a30-709058b98996",
"target-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2"
},
"uuid": "403863dd-5b73-4987-9397-e8c5b25041cc",
"value": "Input Capture Mitigation (T1056) mitigates Input Capture (T1056)"
},
{
"meta": {
"source-uuid": "03342581-f790-4f03-ba41-e82e67392e23",
"target-uuid": "7e150503-88e7-4861-866b-ff1ac82c4475"
},
"uuid": "4c94f67d-6662-44ea-be75-ded8b2dbfa00",
"value": "Net (S0039) uses System Network Connections Discovery (T1049)"
},
{
"meta": {
"source-uuid": "f5352566-1a64-49ac-8f7f-97e1d1a03300",
"target-uuid": "cc7b8c4e-9be0-47ca-b0bb-83915ec3ee2f"
},
"uuid": "801f139f-1361-4d79-965e-078787f8ec36",
"value": "AutoIt backdoor (S0129) uses Data Encoding (T1132)"
},
{
"meta": {
"source-uuid": "9ea525fa-b0a9-4dde-84f2-bcea0137b3c1",
"target-uuid": "478aa214-2ca7-4ec0-9978-18798e514790"
},
"uuid": "162a051d-a551-4b8c-875a-75264768e541",
"value": "MoonWind (S0149) uses New Service (T1050)"
},
{
"meta": {
"source-uuid": "899ce53f-13a0-479b-a0e4-67d46e241542",
"target-uuid": "ff6caf67-ea1f-4895-b80e-4bb0fc31c6db"
},
"uuid": "ba1a4084-a74f-44d6-bafe-7a09ee959270",
"value": "APT29 (G0016) uses PsExec (S0029)"
},
{
"meta": {
"source-uuid": "8901ac23-6b50-410c-b0dd-d8174a86f9b3",
"target-uuid": "ca1a3f50-5ebd-41f8-8320-2c7d6a6e88be"
},
"uuid": "c5a7cf46-a3ab-4d33-a43f-012c0c5fdf63",
"value": "Shamoon (S0140) uses Bypass User Account Control (T1088)"
},
{
"meta": {
"source-uuid": "68dca94f-c11d-421e-9287-7c501108e18c",
"target-uuid": "731f4f55-b6d0-41d1-a7a9-072a66389aea"
},
"uuid": "1451c4a3-5dc6-4744-8120-197f3a3134c1",
"value": "Duqu (S0038) uses Connection Proxy (T1090)"
},
{
"meta": {
"source-uuid": "247cb30b-955f-42eb-97a5-a89fef69341e",
"target-uuid": "b21c3b2d-02e6-45b1-980b-e69051040839"
},
"uuid": "e0033e57-8839-42b9-8515-46e9c7dca966",
"value": "APT32 (G0050) uses Exploitation of Vulnerability (T1068)"
},
{
"meta": {
"source-uuid": "b1de6916-7a22-4460-8d26-6b5483ffaa2a",
"target-uuid": "970cdb5c-02fb-4c38-b17e-d6327cf3c810"
},
"uuid": "97ff5931-f27f-4774-b595-312f5771f91a",
"value": "SHIPSHAPE (S0028) uses Shortcut Modification (T1023)"
},
{
"meta": {
"source-uuid": "dc43c2fe-355e-4a79-9570-3267b0992784",
"target-uuid": "aa8bfbc9-78dc-41a4-a03b-7453e0fdccda"
},
"uuid": "c24f1b29-ee7b-4fe6-89be-6b733888a4e6",
"value": "Dylib Hijacking Mitigation (T1157) mitigates Dylib Hijacking (T1157)"
},
{
"meta": {
"source-uuid": "0f862b01-99da-47cc-9bdb-db4a86a95bb1",
"target-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add"
},
"uuid": "85ca1e00-24c4-403e-8aff-9890f91e9b78",
"value": "Emissary (S0082) uses Remote File Copy (T1105)"
},
{
"meta": {
"source-uuid": "0db09158-6e48-4e7c-8ce7-2b10b9c0c039",
"target-uuid": "128c55d3-aeba-469f-bd3e-c8996ab4112a"
},
"uuid": "ea964313-8f60-4cff-800c-2ea49e2c19d7",
"value": "Misdat (S0083) uses Timestomp (T1099)"
},
{
"meta": {
"source-uuid": "e1161124-f22e-487f-9d5f-ed8efc8dcd61",
"target-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1"
},
"uuid": "aeda6707-50e2-47e2-833a-18e4a5d73e88",
"value": "Mis-Type (S0084) uses System Information Discovery (T1082)"
},
{
"meta": {
"source-uuid": "e6ef745b-077f-42e1-a37d-29eecff9c754",
"target-uuid": "62b8c999-dcc0-4755-bd69-09442d9359f5"
},
"uuid": "6e24d8d1-7376-493f-a85c-75448c80efed",
"value": "CozyCar (S0046) uses Rundll32 (T1085)"
},
{
"meta": {
"source-uuid": "af2ad3b7-ab6a-4807-91fd-51bcaff9acbb",
"target-uuid": "7dd95ff6-712e-4056-9626-312ea4ab4c5e"
},
"uuid": "fe229513-0cd9-4e9a-a333-2748ef03dfbc",
"value": "USBStealer (S0136) uses Data Staged (T1074)"
},
{
"meta": {
"source-uuid": "d3afa961-a80c-4043-9509-282cdf69ab21",
"target-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0"
},
"uuid": "e7b5511a-3528-48d1-9224-6c5ff88b3825",
"value": "Winnti (S0141) uses Masquerading (T1036)"
},
{
"meta": {
"source-uuid": "16f144e4-c780-4ed2-98b4-55d14e2dfa44",
"target-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104"
},
"uuid": "f1000a93-e87d-4acf-b71d-73c3bb05fd75",
"value": "System Owner/User Discovery Mitigation (T1033) mitigates System Owner/User Discovery (T1033)"
},
{
"meta": {
"source-uuid": "5ce5392a-3a6c-4e07-9df3-9b6a9159ac45",
"target-uuid": "e8268361-a599-4e45-bd3f-71c8c7e700c0"
},
"uuid": "c6ceeb68-5d8e-4105-a20a-cce2b3ef48f0",
"value": "Putter Panda (G0024) uses httpclient (S0068)"
},
{
"meta": {
"source-uuid": "247cb30b-955f-42eb-97a5-a89fef69341e",
"target-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0"
},
"uuid": "7e7d5aa9-6860-44fe-88b9-22a6b36162e2",
"value": "APT32 (G0050) uses Masquerading (T1036)"
},
{
"meta": {
"source-uuid": "899ce53f-13a0-479b-a0e4-67d46e241542",
"target-uuid": "6ff403bc-93e3-48be-8687-e102fdba8c88"
},
"uuid": "ff4e1b0e-eea2-4329-aecc-e5353be8c1f4",
"value": "APT29 (G0016) uses Software Packing (T1045)"
},
{
"meta": {
"source-uuid": "b143dfa4-e944-43ff-8429-bfffc308c517",
"target-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d"
},
"uuid": "5e840479-61c1-44f5-8cb8-0e61ffe12b89",
"value": "Taidoor (S0011) uses Process Injection (T1055)"
},
{
"meta": {
"source-uuid": "c3cf2312-3aab-4aaf-86e6-ab3505430482",
"target-uuid": "18d4ab39-12ed-4a16-9fdb-ae311bba4a0f"
},
"uuid": "f388c949-b692-4863-8e3b-7c1fc21a5fbd",
"value": "Rc.common Mitigation (T1163) mitigates Rc.common (T1163)"
},
{
"meta": {
"source-uuid": "59a97b15-8189-4d51-9404-e1ce8ea4a069",
"target-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688"
},
"uuid": "c0223316-4b0b-461e-8947-01c0f5baeef2",
"value": "XAgentOSX (S0161) uses Screen Capture (T1113)"
},
{
"meta": {
"source-uuid": "fece06b7-d4b1-42cf-b81a-5323c917546e",
"target-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0"
},
"uuid": "760be456-6b72-4b86-b5aa-3297aa89bc4d",
"value": "FALLCHILL (S0181) uses System Network Configuration Discovery (T1016)"
},
{
"meta": {
"source-uuid": "6713ab67-e25b-49cc-808d-2b36d4fbc35c",
"target-uuid": "03342581-f790-4f03-ba41-e82e67392e23"
},
"uuid": "77f9936d-1ba7-42a8-879d-1a6e90156366",
"value": "Ke3chang (G0004) uses Net (S0039)"
},
{
"meta": {
"source-uuid": "c61fee9f-16fb-4f8c-bbf0-869093fcd4a6",
"target-uuid": "dcaa092b-7de9-4a21-977f-7fcb77e89c48"
},
"uuid": "dd315296-ffee-4f1b-aef7-2d914c458fd2",
"value": "Access Token Manipulation Mitigation (T1134) mitigates Access Token Manipulation (T1134)"
},
{
"meta": {
"source-uuid": "58adaaa8-f1e8-4606-9a08-422e568461eb",
"target-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a"
},
"uuid": "315aab88-9b01-4a70-8f8c-173a3f29e79c",
"value": "SHOTPUT (S0063) uses Obfuscated Files or Information (T1027)"
},
{
"meta": {
"source-uuid": "2eb9b131-d333-4a48-9eb4-d8dec46c19ee",
"target-uuid": "b21c3b2d-02e6-45b1-980b-e69051040839"
},
"uuid": "63f0007e-833e-4d6a-b79e-873525979f40",
"value": "CosmicDuke (S0050) uses Exploitation of Vulnerability (T1068)"
},
{
"meta": {
"source-uuid": "5e595477-2e78-4ce7-ae42-e0b059b17808",
"target-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a"
},
"uuid": "70edcba2-e777-4ced-a52d-5dfc3965211c",
"value": "POSHSPY (S0150) uses Obfuscated Files or Information (T1027)"
},
{
"meta": {
"source-uuid": "0f862b01-99da-47cc-9bdb-db4a86a95bb1",
"target-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc"
},
"uuid": "0040fdbd-ec7e-49b3-b715-c8c91e08666b",
"value": "Emissary (S0082) uses Registry Run Keys / Start Folder (T1060)"
},
{
"meta": {
"source-uuid": "463f68f1-5cde-4dc2-a831-68b73488f8f4",
"target-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580"
},
"uuid": "6fdaef62-c4da-488a-a07d-c8fca2c98d85",
"value": "MobileOrder (S0079) uses Process Discovery (T1057)"
},
{
"meta": {
"source-uuid": "55033a4d-3ffe-46b2-99b4-2c1541e9ce1c",
"target-uuid": "72f54d66-675d-4587-9bd3-4ed09f9522e4"
},
"uuid": "8ab176f0-009f-49e9-ba4b-f476c33697f4",
"value": "Carbanak (G0008) uses Carbanak (S0030)"
},
{
"meta": {
"source-uuid": "e066bf86-9cfb-407a-9d25-26fd5d91e360",
"target-uuid": "7bc57495-ea59-4380-be31-a64af124ef18"
},
"uuid": "a3251b26-7012-4f26-9c5d-1fb9d69b8569",
"value": "HTTPBrowser (S0070) uses File and Directory Discovery (T1083)"
},
{
"meta": {
"source-uuid": "9ca488bd-9587-48ef-b923-1743523e63b2",
"target-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1"
},
"uuid": "5c4e0ddb-57a1-440f-82ab-146847c99be8",
"value": "SOUNDBITE (S0157) uses System Information Discovery (T1082)"
},
{
"meta": {
"source-uuid": "b136d088-a829-432c-ac26-5529c26d4c7e",
"target-uuid": "830c9528-df21-472c-8c14-a036bf17d665"
},
"uuid": "6b39985b-2e2f-4d54-9211-aef4d94b318f",
"value": "OnionDuke (S0052) uses Web Service (T1102)"
},
{
"meta": {
"source-uuid": "aafea02e-ece5-4bb2-91a6-3bf8c7f38a39",
"target-uuid": "544b0346-29ad-41e1-a808-501bb4193f47"
},
"uuid": "c1fd6ce6-26e7-49a7-abff-a64fd0fc8a35",
"value": "Cobalt Strike (S0154) uses Man in the Browser (T1185)"
},
{
"meta": {
"source-uuid": "c5947e1c-1cbc-434c-94b8-27c7e3be0fff",
"target-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580"
},
"uuid": "e8cb4430-db05-4029-b011-926a2ba17a4c",
"value": "Winnti Group (G0044) uses Process Discovery (T1057)"
},
{
"meta": {
"source-uuid": "fcbe8424-eb3e-4794-b76d-e743f5a49b8b",
"target-uuid": "cc7b8c4e-9be0-47ca-b0bb-83915ec3ee2f"
},
"uuid": "b274a57d-9d27-4e33-b6dc-15e007805838",
"value": "Data Encoding Mitigation (T1132) mitigates Data Encoding (T1132)"
},
{
"meta": {
"source-uuid": "bb3c1098-d654-4620-bf40-694386d28921",
"target-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6"
},
"uuid": "090813dc-b370-42e1-a211-4d9e3247968a",
"value": "FakeM (S0076) uses Standard Application Layer Protocol (T1071)"
},
{
"meta": {
"source-uuid": "93f52415-0fe4-4d3d-896c-fc9b8e88ab90",
"target-uuid": "03342581-f790-4f03-ba41-e82e67392e23"
},
"uuid": "f6d23c6b-01c8-4bea-9bc6-2c66fbbbd3ae",
"value": "BRONZE BUTLER (G0060) uses Net (S0039)"
},
{
"meta": {
"source-uuid": "800bdfba-6d66-480f-9f45-15845c05cb5d",
"target-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6"
},
"uuid": "27afb647-85a1-4e89-8762-c6c7d04bc1c5",
"value": "pngdowner (S0067) uses Standard Application Layer Protocol (T1071)"
},
{
"meta": {
"source-uuid": "fb575479-14ef-41e9-bfab-0b7cf10bec73",
"target-uuid": "62b8c999-dcc0-4755-bd69-09442d9359f5"
},
"uuid": "12904c83-67ad-430f-96ae-20e9081c2b5d",
"value": "ADVSTORESHELL (S0045) uses Rundll32 (T1085)"
},
{
"meta": {
"source-uuid": "aafea02e-ece5-4bb2-91a6-3bf8c7f38a39",
"target-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580"
},
"uuid": "2c417522-9fa6-4f95-b9d6-062c9c2401b5",
"value": "Cobalt Strike (S0154) uses Process Discovery (T1057)"
},
{
"meta": {
"source-uuid": "4ca1929c-7d64-4aab-b849-badbfc0c760d",
"target-uuid": "5be33fef-39c0-4532-84ee-bea31e1b5324"
},
"uuid": "00c88cab-5cb9-492a-8dce-8eab92213bc3",
"value": "OilRig (G0049) uses ISMInjector (S0189)"
},
{
"meta": {
"source-uuid": "463f68f1-5cde-4dc2-a831-68b73488f8f4",
"target-uuid": "4b74a1d4-b0e9-4ef1-93f1-14ecc6e2f5b5"
},
"uuid": "28f655e0-ac0b-41bc-baaf-9a9987469fe9",
"value": "MobileOrder (S0079) uses Standard Cryptographic Protocol (T1032)"
},
{
"meta": {
"source-uuid": "68ba94ab-78b8-43e7-83e2-aed3466882c6",
"target-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c"
},
"uuid": "ec99ea0b-1020-4ccc-bdc8-d545a4d3ccf6",
"value": "APT34 (G0057) uses Deobfuscate/Decode Files or Information (T1140)"
},
{
"meta": {
"source-uuid": "54cc1d4f-5c53-4f0e-9ef5-11b4998e82e4",
"target-uuid": "0ca7beef-9bbc-4e35-97cf-437384ddce6a"
},
"uuid": "da1a5240-bbd7-4e91-9dee-9b14df6cffe2",
"value": "BlackEnergy (S0089) uses File System Permissions Weakness (T1044)"
},
{
"meta": {
"source-uuid": "b136d088-a829-432c-ac26-5529c26d4c7e",
"target-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22"
},
"uuid": "37ad61e7-6520-47d0-81ae-f3d129b49ac1",
"value": "OnionDuke (S0052) uses Credential Dumping (T1003)"
},
{
"meta": {
"source-uuid": "ed7d0cb1-87a6-43b4-9f46-ef1bc56d6c68",
"target-uuid": "7d751199-05fa-4a72-920f-85df4506c76c"
},
"uuid": "92e4cc06-5708-4486-92cc-0d25d9a755d4",
"value": "Tor (S0183) uses Multi-hop Proxy (T1188)"
},
{
"meta": {
"source-uuid": "326af1cd-78e7-45b7-a326-125d2f7ef8f2",
"target-uuid": "1b7ba276-eedc-4951-a762-0ceea2c030ec"
},
"uuid": "9ab576ed-2ba0-4fc5-87fc-2011a7cd183d",
"value": "Crimson (S0115) uses Data from Removable Media (T1025)"
},
{
"meta": {
"source-uuid": "7f8730af-f683-423f-9ee1-5f6875a80481",
"target-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0"
},
"uuid": "bb2ba4b6-d96a-4d66-ac13-aa657108b363",
"value": "Sys10 (S0060) uses System Network Configuration Discovery (T1016)"
},
{
"meta": {
"source-uuid": "f6d1d2cb-12f5-4221-9636-44606ea1f3f8",
"target-uuid": "72b74d71-8169-42aa-92e0-e7b04b9f5a08"
},
"uuid": "ab109b93-76a9-46da-8934-58751125fd1e",
"value": "OSInfo (S0165) uses Account Discovery (T1087)"
},
{
"meta": {
"source-uuid": "f6d1d2cb-12f5-4221-9636-44606ea1f3f8",
"target-uuid": "7e150503-88e7-4861-866b-ff1ac82c4475"
},
"uuid": "8336111f-565e-4294-8b18-182c26da2421",
"value": "OSInfo (S0165) uses System Network Connections Discovery (T1049)"
},
{
"meta": {
"source-uuid": "8ae43c46-57ef-47d5-a77a-eebb35628db2",
"target-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc"
},
"uuid": "5d0263d9-ddd3-4195-96ae-e340caef9e0e",
"value": "JHUHUGIT (S0044) uses Registry Run Keys / Start Folder (T1060)"
},
{
"meta": {
"source-uuid": "16ade1aa-0ea1-4bb7-88cc-9079df2ae756",
"target-uuid": "7e150503-88e7-4861-866b-ff1ac82c4475"
},
"uuid": "9fef204f-163a-4c9d-b9b1-8a168074063a",
"value": "admin@338 (G0018) uses System Network Connections Discovery (T1049)"
},
{
"meta": {
"source-uuid": "98e8a977-3416-43aa-87fa-33e287e9c14c",
"target-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104"
},
"uuid": "32218bd0-d598-4560-9a70-ab7d5c92f986",
"value": "WINDSHIELD (S0155) uses System Owner/User Discovery (T1033)"
},
{
"meta": {
"source-uuid": "67e6d66b-1b82-4699-b47a-e2efb6268d14",
"target-uuid": "f4882e23-8aa7-4b12-b28a-b349c12ee9e0"
},
"uuid": "e7a0b7a4-b49b-46b9-9bfa-5db0a87dd09e",
"value": "SeaDuke (S0053) uses PowerShell (T1086)"
},
{
"meta": {
"source-uuid": "ba2ec548-fb75-4b8c-88d6-d91a77a943cf",
"target-uuid": "01a5a209-b94c-450b-b7f9-946497d91055"
},
"uuid": "a2ee3987-f7c9-41ce-8aca-fae8e8c2ef9a",
"value": "Windows Management Instrumentation Mitigation (T1047) mitigates Windows Management Instrumentation (T1047)"
},
{
"meta": {
"source-uuid": "aafea02e-ece5-4bb2-91a6-3bf8c7f38a39",
"target-uuid": "e3a12395-188d-4051-9a16-ea8e14d07b88"
},
"uuid": "df6bc111-0e49-4e61-b38a-ee79cf682d09",
"value": "Cobalt Strike (S0154) uses Network Service Scanning (T1046)"
},
{
"meta": {
"source-uuid": "4ca1929c-7d64-4aab-b849-badbfc0c760d",
"target-uuid": "6aabc5ec-eae6-422c-8311-38d45ee9838a"
},
"uuid": "d329d311-422b-4144-9212-aa7da4dc273a",
"value": "OilRig (G0049) uses Redundant Access (T1108)"
},
{
"meta": {
"source-uuid": "4ca1929c-7d64-4aab-b849-badbfc0c760d",
"target-uuid": "7fd87010-3a00-4da3-b905-410525e8ec44"
},
"uuid": "e8ce10b4-3b00-40c1-983a-1d87ff9a68ee",
"value": "OilRig (G0049) uses Scripting (T1064)"
},
{
"meta": {
"source-uuid": "a8d3d497-2da9-4797-8e0b-ed176be08654",
"target-uuid": "b21c3b2d-02e6-45b1-980b-e69051040839"
},
"uuid": "dbccbeab-26c9-476e-b529-c193f9796cbc",
"value": "Wingbird (S0176) uses Exploitation of Vulnerability (T1068)"
},
{
"meta": {
"source-uuid": "94379dec-5c87-49db-b36e-66abc0b81344",
"target-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59"
},
"uuid": "a2faf818-d21d-40a5-ad02-a3b1b2ee5d58",
"value": "Derusbi (S0021) uses File Deletion (T1107)"
},
{
"meta": {
"source-uuid": "bef4c620-0787-42a8-a96d-b7eb6e85917c",
"target-uuid": "7dd95ff6-712e-4056-9626-312ea4ab4c5e"
},
"uuid": "ec6a8fde-702a-4e38-a37b-428a8ca10b18",
"value": "APT28 (G0007) uses Data Staged (T1074)"
},
{
"meta": {
"source-uuid": "85403903-15e0-4f9f-9be4-a259ecad4022",
"target-uuid": "0e18b800-906c-4e44-a143-b11c72b3448b"
},
"uuid": "a2c9bae6-15aa-4ce0-8f4d-01b8fc32a36d",
"value": "FIN5 (G0053) uses FLIPSIDE (S0173)"
},
{
"meta": {
"source-uuid": "67e6d66b-1b82-4699-b47a-e2efb6268d14",
"target-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59"
},
"uuid": "6f8cef32-d057-40f8-be52-62d86b1049e6",
"value": "SeaDuke (S0053) uses File Deletion (T1107)"
},
{
"meta": {
"source-uuid": "68ba94ab-78b8-43e7-83e2-aed3466882c6",
"target-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6"
},
"uuid": "70f713e8-f4f6-483c-9ec1-524a3aee2d8e",
"value": "APT34 (G0057) uses Standard Application Layer Protocol (T1071)"
},
{
"meta": {
"source-uuid": "0ced8926-914e-4c78-bc93-356fb90dbd1f",
"target-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688"
},
"uuid": "b4795040-fe94-429a-9853-f30c09ba05aa",
"value": "HALFBAKED (S0151) uses Screen Capture (T1113)"
},
{
"meta": {
"source-uuid": "083bb47b-02c8-4423-81a2-f9ef58572974",
"target-uuid": "d54416bd-0803-41ca-870a-ce1af7c05638"
},
"uuid": "a1dc7c15-bd44-43b3-a32b-8e4ea9856758",
"value": "Backdoor.Oldrea (S0093) uses Data Encrypted (T1022)"
},
{
"meta": {
"source-uuid": "fb366179-766c-4a4a-afa1-52bff1fd601c",
"target-uuid": "f4882e23-8aa7-4b12-b28a-b349c12ee9e0"
},
"uuid": "6e6828ca-7567-4302-8ed7-fa5821dc5bbc",
"value": "Threat Group-3390 (G0027) uses PowerShell (T1086)"
},
{
"meta": {
"source-uuid": "326af1cd-78e7-45b7-a326-125d2f7ef8f2",
"target-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1"
},
"uuid": "4caf9f0d-dfe9-48ce-9b6e-812577e09711",
"value": "Crimson (S0115) uses System Information Discovery (T1082)"
},
{
"meta": {
"source-uuid": "463f68f1-5cde-4dc2-a831-68b73488f8f4",
"target-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1"
},
"uuid": "a02da835-676d-47df-86c6-547a7d29dbae",
"value": "MobileOrder (S0079) uses System Information Discovery (T1082)"
},
{
"meta": {
"source-uuid": "1c63d4ec-0a75-4daa-b1df-0d11af3d3cc1",
"target-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22"
},
"uuid": "930175b1-0f2f-4f0b-99ad-13a4b304cc29",
"value": "Dragonfly (G0035) uses Credential Dumping (T1003)"
},
{
"meta": {
"source-uuid": "c93fccb1-e8e8-42cf-ae33-2ad1d183913a",
"target-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0"
},
"uuid": "4189f5b4-4c57-452a-a3fb-da5988804feb",
"value": "Lazarus Group (G0032) uses System Network Configuration Discovery (T1016)"
},
{
"meta": {
"source-uuid": "bef4c620-0787-42a8-a96d-b7eb6e85917c",
"target-uuid": "3257eb21-f9a7-4430-8de1-d8b6e288f529"
},
"uuid": "cb69217e-f063-4093-bcf0-f051ecd42e25",
"value": "APT28 (G0007) uses Network Sniffing (T1040)"
},
{
"meta": {
"source-uuid": "f9d6633a-55e6-4adc-9263-6ae080421a13",
"target-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104"
},
"uuid": "7ac10827-9bf6-4d60-aa16-9f2d2930b373",
"value": "Magic Hound (G0059) uses System Owner/User Discovery (T1033)"
},
{
"meta": {
"source-uuid": "ccd61dfc-b03f-4689-8c18-7c97eab08472",
"target-uuid": "241814ae-de3f-4656-b49e-f9a80764d4b7"
},
"uuid": "765e3b13-60f4-4b34-b03f-0d8e738b0add",
"value": "CHOPSTICK (S0023) uses Security Software Discovery (T1063)"
},
{
"meta": {
"source-uuid": "00c3bfcb-99bd-4767-8c03-b08f585f5c8a",
"target-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add"
},
"uuid": "8ef27cd6-3909-4174-b57c-3dbe3061a6dd",
"value": "PowerDuke (S0139) uses Remote File Copy (T1105)"
},
{
"meta": {
"source-uuid": "aafea02e-ece5-4bb2-91a6-3bf8c7f38a39",
"target-uuid": "f72eb8a8-cd4c-461d-a814-3f862befbf00"
},
"uuid": "e873321b-0d76-4cd6-bc46-8231cfcdeba0",
"value": "Cobalt Strike (S0154) uses Custom Command and Control Protocol (T1094)"
},
{
"meta": {
"source-uuid": "54cc1d4f-5c53-4f0e-9ef5-11b4998e82e4",
"target-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580"
},
"uuid": "2c586158-d02b-468a-bee8-04e1bde320e1",
"value": "BlackEnergy (S0089) uses Process Discovery (T1057)"
},
{
"meta": {
"source-uuid": "85403903-15e0-4f9f-9be4-a259ecad4022",
"target-uuid": "9752aef4-a1f3-4328-929f-b64eb0536090"
},
"uuid": "dff84383-c4c5-4974-a33d-9e43526abf49",
"value": "FIN5 (G0053) uses RawPOS (S0169)"
},
{
"meta": {
"source-uuid": "0bbdf25b-30ff-4894-a1cd-49260d0dd2d9",
"target-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9"
},
"uuid": "0ca1948b-476c-4ff5-a792-f3790250bdc1",
"value": "APT3 (G0022) uses Scheduled Task (T1053)"
},
{
"meta": {
"source-uuid": "93f52415-0fe4-4d3d-896c-fc9b8e88ab90",
"target-uuid": "b07c2c47-fefb-4d7c-a69e-6a3296171f54"
},
"uuid": "fda1acb3-8e87-4fff-ae19-7e6a2ff9d6c3",
"value": "BRONZE BUTLER (G0060) uses gsecdump (S0008)"
},
{
"meta": {
"source-uuid": "69d6f4a9-fcf0-4f51-bca7-597c51ad0bb8",
"target-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104"
},
"uuid": "d1222ff7-b93c-40a7-99bd-217d795d8d58",
"value": "Remsec (S0125) uses System Owner/User Discovery (T1033)"
},
{
"meta": {
"source-uuid": "6a2e693f-24e5-451a-9f88-b36a108e5662",
"target-uuid": "03342581-f790-4f03-ba41-e82e67392e23"
},
"uuid": "b6f70ba6-bff1-4b40-a418-356e7b6efa27",
"value": "APT1 (G0006) uses Net (S0039)"
},
{
"meta": {
"source-uuid": "c93fccb1-e8e8-42cf-ae33-2ad1d183913a",
"target-uuid": "3b3cbbe0-6ed3-4334-b543-3ddfd8c5642d"
},
"uuid": "f146a331-3595-46be-abef-518708e34def",
"value": "Lazarus Group (G0032) uses Custom Cryptographic Protocol (T1024)"
},
{
"meta": {
"source-uuid": "68ba94ab-78b8-43e7-83e2-aed3466882c6",
"target-uuid": "7fcbc4e8-1989-441f-9ac5-e7b6ff5806f1"
},
"uuid": "35ac37f9-7484-4fe4-8b5e-9381600ee01b",
"value": "APT34 (G0057) uses Systeminfo (S0096)"
},
{
"meta": {
"source-uuid": "22addc7b-b39f-483d-979a-1b35147da5de",
"target-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1"
},
"uuid": "2e367a09-1d94-4ea4-984c-a592b769fffa",
"value": "WinMM (S0059) uses System Information Discovery (T1082)"
},
{
"meta": {
"source-uuid": "53b3b027-bed3-480c-9101-1247047d0fe6",
"target-uuid": "51dea151-0898-4a45-967c-3ebee0420484"
},
"uuid": "1d0bbeb7-5477-4321-81cd-ef66607d7972",
"value": "Remote Desktop Protocol Mitigation (T1076) mitigates Remote Desktop Protocol (T1076)"
},
{
"meta": {
"source-uuid": "37cc7eb6-12e3-467b-82e8-f20f2cc73c69",
"target-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1"
},
"uuid": "7adaf2f3-52f2-40aa-b1ae-2fd2f05d9d56",
"value": "Prikormka (S0113) uses System Information Discovery (T1082)"
},
{
"meta": {
"source-uuid": "92ec0cbd-2c30-44a2-b270-73f4ec949841",
"target-uuid": "d519cfd5-f3a8-43a9-a846-ed0bb40672b1"
},
"uuid": "af74c0ec-0bbe-4538-a3a3-1e967afd3d51",
"value": "RTM (S0148) uses Install Root Certificate (T1130)"
},
{
"meta": {
"source-uuid": "69d6f4a9-fcf0-4f51-bca7-597c51ad0bb8",
"target-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add"
},
"uuid": "820c50f3-65e8-4a3a-a71a-e079ae8badad",
"value": "Remsec (S0125) uses Remote File Copy (T1105)"
},
{
"meta": {
"source-uuid": "0bbdf25b-30ff-4894-a1cd-49260d0dd2d9",
"target-uuid": "58adaaa8-f1e8-4606-9a08-422e568461eb"
},
"uuid": "d924c061-9ee2-45c2-9ea4-491a2d3f50a5",
"value": "APT3 (G0022) uses SHOTPUT (S0063)"
},
{
"meta": {
"source-uuid": "f8dfbc54-b070-4224-b560-79aaa5f835bd",
"target-uuid": "3b744087-9945-4a6f-91e8-9dbceda417a4"
},
"uuid": "5b2682dc-f64d-482b-8fc4-132dad2727d9",
"value": "H1N1 (S0132) uses Replication Through Removable Media (T1091)"
},
{
"meta": {
"source-uuid": "93f52415-0fe4-4d3d-896c-fc9b8e88ab90",
"target-uuid": "4b74a1d4-b0e9-4ef1-93f1-14ecc6e2f5b5"
},
"uuid": "a1684fef-eca9-418a-ab48-b9aad4101c6c",
"value": "BRONZE BUTLER (G0060) uses Standard Cryptographic Protocol (T1032)"
},
{
"meta": {
"source-uuid": "67e6d66b-1b82-4699-b47a-e2efb6268d14",
"target-uuid": "970cdb5c-02fb-4c38-b17e-d6327cf3c810"
},
"uuid": "cfc64939-1c2c-4bc0-bfac-3492667b1bcd",
"value": "SeaDuke (S0053) uses Shortcut Modification (T1023)"
},
{
"meta": {
"source-uuid": "92ec0cbd-2c30-44a2-b270-73f4ec949841",
"target-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830"
},
"uuid": "1ca68d88-a287-4c48-a4f8-68611eceb445",
"value": "RTM (S0148) uses Command-Line Interface (T1059)"
},
{
"meta": {
"source-uuid": "fb575479-14ef-41e9-bfab-0b7cf10bec73",
"target-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4"
},
"uuid": "a71256aa-a2e3-447c-ba4e-004ba4f062b2",
"value": "ADVSTORESHELL (S0045) uses Modify Registry (T1112)"
},
{
"meta": {
"source-uuid": "3753cc21-2dae-4dfb-8481-d004e74502cc",
"target-uuid": "4f6aa78c-c3d4-4883-9840-96ca2f5d6d47"
},
"uuid": "e232f720-ab39-43f4-b419-ae8de115c5e6",
"value": "FIN7 (G0046) uses TEXTMATE (S0146)"
},
{
"meta": {
"source-uuid": "5a63f900-5e7e-4928-a746-dd4558e1df71",
"target-uuid": "2e0dd10b-676d-4964-acd0-8a404c92b044"
},
"uuid": "512879fe-8433-4c78-9345-009ed5168078",
"value": "netsh (S0108) uses Disabling Security Tools (T1089)"
},
{
"meta": {
"source-uuid": "55033a4d-3ffe-46b2-99b4-2c1541e9ce1c",
"target-uuid": "ff6caf67-ea1f-4895-b80e-4bb0fc31c6db"
},
"uuid": "d0f797ce-9176-4b74-8d64-fad4e1bdef4f",
"value": "Carbanak (G0008) uses PsExec (S0029)"
},
{
"meta": {
"source-uuid": "3753cc21-2dae-4dfb-8481-d004e74502cc",
"target-uuid": "edbe24e9-aec4-4994-ac75-6a6bc7f1ddd0"
},
"uuid": "51afbe4e-c5cd-4acd-b4e1-ff7877b78b9e",
"value": "FIN7 (G0046) uses Dynamic Data Exchange (T1173)"
},
{
"meta": {
"source-uuid": "e1161124-f22e-487f-9d5f-ed8efc8dcd61",
"target-uuid": "f24faf46-3b26-4dbb-98f2-63460498e433"
},
"uuid": "a61cf8cf-87f1-4061-ae9d-31e8162bdfef",
"value": "Mis-Type (S0084) uses Fallback Channels (T1008)"
},
{
"meta": {
"source-uuid": "d519164e-f5fa-4b8c-a1fb-cf0172ad0983",
"target-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830"
},
"uuid": "289e01df-60e6-4eee-830e-9d742ac10c86",
"value": "Threat Group-1314 (G0028) uses Command-Line Interface (T1059)"
},
{
"meta": {
"source-uuid": "2a7914cf-dff3-428d-ab0f-1014d1c28aeb",
"target-uuid": "f4882e23-8aa7-4b12-b28a-b349c12ee9e0"
},
"uuid": "97ea3b82-58ba-4a3e-8e6d-367755f83fa6",
"value": "FIN6 (G0037) uses PowerShell (T1086)"
},
{
"meta": {
"source-uuid": "eff1a885-6f90-42a1-901f-eef6e7a1905e",
"target-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add"
},
"uuid": "86b2980a-dd9f-4553-8f65-69f75f0f4332",
"value": "Helminth (S0170) uses Remote File Copy (T1105)"
},
{
"meta": {
"source-uuid": "222fbd21-fc4f-4b7e-9f85-0e6e3a76c33f",
"target-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9"
},
"uuid": "a901eaf4-7cbe-43c2-9c03-7d716357edc9",
"value": "menuPass (G0045) uses Scheduled Task (T1053)"
},
{
"meta": {
"source-uuid": "7f8730af-f683-423f-9ee1-5f6875a80481",
"target-uuid": "15dbf668-795c-41e6-8219-f0447c0e64ce"
},
"uuid": "2cfa6113-1995-494a-b767-61d3f371e0ea",
"value": "Sys10 (S0060) uses Permission Groups Discovery (T1069)"
},
{
"meta": {
"source-uuid": "54cc1d4f-5c53-4f0e-9ef5-11b4998e82e4",
"target-uuid": "01a5a209-b94c-450b-b7f9-946497d91055"
},
"uuid": "0c0b4142-96e7-440b-a01f-f2bda05649b1",
"value": "BlackEnergy (S0089) uses Windows Management Instrumentation (T1047)"
},
{
"meta": {
"source-uuid": "6a0ef5d4-fc7c-4dda-85d7-592e4dbdc5d9",
"target-uuid": "e358d692-23c0-4a31-9eb6-ecc13a8d7735"
},
"uuid": "7fe49f05-8f96-4fc2-bc5b-b2eea59efca3",
"value": "Sykipot (S0018) uses Remote System Discovery (T1018)"
},
{
"meta": {
"source-uuid": "8e461ca3-0996-4e6e-a0df-e2a5bbc51ebc",
"target-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6"
},
"uuid": "453914ae-8d76-4796-b507-dafc33adf005",
"value": "4H RAT (S0065) uses Standard Application Layer Protocol (T1071)"
},
{
"meta": {
"source-uuid": "196f1f32-e0c2-4d46-99cd-234d4b6befe1",
"target-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add"
},
"uuid": "e9011839-ca57-434d-a0cc-007594247110",
"value": "Felismus (S0171) uses Remote File Copy (T1105)"
},
{
"meta": {
"source-uuid": "0bbdf25b-30ff-4894-a1cd-49260d0dd2d9",
"target-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5"
},
"uuid": "8f6701a2-91cc-449e-98e1-e83bd2f7317c",
"value": "APT3 (G0022) uses Data from Local System (T1005)"
},
{
"meta": {
"source-uuid": "f8dfbc54-b070-4224-b560-79aaa5f835bd",
"target-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22"
},
"uuid": "0d4e8cb8-c265-449a-b010-f4614135572f",
"value": "H1N1 (S0132) uses Credential Dumping (T1003)"
},
{
"meta": {
"source-uuid": "a8d3d497-2da9-4797-8e0b-ed176be08654",
"target-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1"
},
"uuid": "fe786b29-e621-48e2-84b5-aed35e6930fe",
"value": "Wingbird (S0176) uses System Information Discovery (T1082)"
},
{
"meta": {
"source-uuid": "ccd61dfc-b03f-4689-8c18-7c97eab08472",
"target-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4"
},
"uuid": "40a8f80d-5497-4218-849c-3c0b63796641",
"value": "CHOPSTICK (S0023) uses Modify Registry (T1112)"
},
{
"meta": {
"source-uuid": "82cb34ba-02b5-432b-b2d2-07f55cbf674d",
"target-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22"
},
"uuid": "b149adfe-547f-4cd4-af4a-ea7018a203c1",
"value": "Trojan.Karagany (S0094) uses Credential Dumping (T1003)"
},
{
"meta": {
"source-uuid": "876f6a77-fbc5-4e13-ab1a-5611986730a3",
"target-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1"
},
"uuid": "487d67d7-b697-4de4-abde-decee8b17c44",
"value": "T9000 (S0098) uses System Information Discovery (T1082)"
},
{
"meta": {
"source-uuid": "ab3580c8-8435-4117-aace-3d9fbe46aa56",
"target-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0"
},
"uuid": "7a1e7afa-7052-4e47-8725-66e485efda43",
"value": "Unknown Logger (S0130) uses System Network Configuration Discovery (T1016)"
},
{
"meta": {
"source-uuid": "37cc7eb6-12e3-467b-82e8-f20f2cc73c69",
"target-uuid": "ba8e391f-14b5-496f-81f2-2d5ecd646c1c"
},
"uuid": "5033a0a2-ef95-4ec6-b5ac-d7cfbd7be9f0",
"value": "Prikormka (S0113) uses Credentials in Files (T1081)"
},
{
"meta": {
"source-uuid": "1c63d4ec-0a75-4daa-b1df-0d11af3d3cc1",
"target-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add"
},
"uuid": "e39b5b63-b29a-4322-9dca-8bca7dedf474",
"value": "Dragonfly (G0035) uses Remote File Copy (T1105)"
},
{
"meta": {
"source-uuid": "aafea02e-ece5-4bb2-91a6-3bf8c7f38a39",
"target-uuid": "128c55d3-aeba-469f-bd3e-c8996ab4112a"
},
"uuid": "e025dccd-ead3-44d8-af26-f2c3b27667f5",
"value": "Cobalt Strike (S0154) uses Timestomp (T1099)"
},
{
"meta": {
"source-uuid": "93f52415-0fe4-4d3d-896c-fc9b8e88ab90",
"target-uuid": "d54416bd-0803-41ca-870a-ce1af7c05638"
},
"uuid": "f4188b9b-c2fe-41b7-96e0-e28d99671b9d",
"value": "BRONZE BUTLER (G0060) uses Data Encrypted (T1022)"
},
{
"meta": {
"source-uuid": "aafea02e-ece5-4bb2-91a6-3bf8c7f38a39",
"target-uuid": "f44731de-ea9f-406d-9b83-30ecbb9b4392"
},
"uuid": "d26a9de1-0ec7-41dd-94fe-21a51bedf37f",
"value": "Cobalt Strike (S0154) uses Service Execution (T1035)"
},
{
"meta": {
"source-uuid": "1c63d4ec-0a75-4daa-b1df-0d11af3d3cc1",
"target-uuid": "7fd87010-3a00-4da3-b905-410525e8ec44"
},
"uuid": "39076217-a5bf-4b1b-b085-8dbf7ba92265",
"value": "Dragonfly (G0035) uses Scripting (T1064)"
},
{
"meta": {
"source-uuid": "fb261c56-b80e-43a9-8351-c84081e7213d",
"target-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc"
},
"uuid": "80aab758-d3fc-4380-b114-e552bdace832",
"value": "BACKSPACE (S0031) uses Registry Run Keys / Start Folder (T1060)"
},
{
"meta": {
"source-uuid": "3753cc21-2dae-4dfb-8481-d004e74502cc",
"target-uuid": "72f54d66-675d-4587-9bd3-4ed09f9522e4"
},
"uuid": "7577e14c-ceba-4646-98ce-41e7fa9ae851",
"value": "FIN7 (G0046) uses Carbanak (S0030)"
},
{
"meta": {
"source-uuid": "7551188b-8f91-4d34-8350-0d0c57b2b913",
"target-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1"
},
"uuid": "14135aaa-6080-48c1-8a08-d6ee9bb15c3d",
"value": "Elise (S0081) uses System Information Discovery (T1082)"
},
{
"meta": {
"source-uuid": "bef4c620-0787-42a8-a96d-b7eb6e85917c",
"target-uuid": "731f4f55-b6d0-41d1-a7a9-072a66389aea"
},
"uuid": "10cc3288-d06c-456c-bc0e-b10a8c5abeaa",
"value": "APT28 (G0007) uses Connection Proxy (T1090)"
},
{
"meta": {
"source-uuid": "93f52415-0fe4-4d3d-896c-fc9b8e88ab90",
"target-uuid": "bba595da-b73a-4354-aa6c-224d4de7cb4e"
},
"uuid": "42897880-fe55-4f54-a42c-f85ba19fb39a",
"value": "BRONZE BUTLER (G0060) uses cmd (S0106)"
},
{
"meta": {
"source-uuid": "c93fccb1-e8e8-42cf-ae33-2ad1d183913a",
"target-uuid": "02fefddc-fb1b-423f-a76b-7552dd211d4d"
},
"uuid": "7ca1b40d-d1de-48ab-b8ad-023ad9877def",
"value": "Lazarus Group (G0032) uses Bootkit (T1067)"
},
{
"meta": {
"source-uuid": "6713ab67-e25b-49cc-808d-2b36d4fbc35c",
"target-uuid": "7bc57495-ea59-4380-be31-a64af124ef18"
},
"uuid": "5c8fba10-9d8a-4257-a458-8f58efc8d912",
"value": "Ke3chang (G0004) uses File and Directory Discovery (T1083)"
},
{
"meta": {
"source-uuid": "196f1f32-e0c2-4d46-99cd-234d4b6befe1",
"target-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830"
},
"uuid": "fdf9f632-03ce-4e8c-88bf-3798bb7f5ef4",
"value": "Felismus (S0171) uses Command-Line Interface (T1059)"
},
{
"meta": {
"source-uuid": "e9595678-d269-469e-ae6b-75e49259de63",
"target-uuid": "cc7b8c4e-9be0-47ca-b0bb-83915ec3ee2f"
},
"uuid": "79f0712b-2cb1-47df-8ea1-26fb1502a831",
"value": "BADNEWS (S0128) uses Data Encoding (T1132)"
},
{
"meta": {
"source-uuid": "5ce5392a-3a6c-4e07-9df3-9b6a9159ac45",
"target-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a"
},
"uuid": "c952f284-e529-481f-97fb-7a6e14c25ccf",
"value": "Putter Panda (G0024) uses Obfuscated Files or Information (T1027)"
},
{
"meta": {
"source-uuid": "899ce53f-13a0-479b-a0e4-67d46e241542",
"target-uuid": "b136d088-a829-432c-ac26-5529c26d4c7e"
},
"uuid": "1593ae11-0bb5-4e16-804a-1383eb0cced5",
"value": "APT29 (G0016) uses OnionDuke (S0052)"
},
{
"meta": {
"source-uuid": "fb366179-766c-4a4a-afa1-52bff1fd601c",
"target-uuid": "30208d3e-0d6b-43c8-883e-44462a514619"
},
"uuid": "b990e235-dcf4-48c7-800d-b8a10a62eda4",
"value": "Threat Group-3390 (G0027) uses Automated Collection (T1119)"
},
{
"meta": {
"source-uuid": "247cb30b-955f-42eb-97a5-a89fef69341e",
"target-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9"
},
"uuid": "98908617-068d-4b6e-bcba-ad213c137b1e",
"value": "APT32 (G0050) uses Scheduled Task (T1053)"
},
{
"meta": {
"source-uuid": "df71bb3b-813c-45eb-a8bc-f2a419837411",
"target-uuid": "687c23e4-4e25-4ee7-a870-c5e002511f54"
},
"uuid": "3cdc74fc-a291-4253-98b4-ca33e021914a",
"value": "Molerats (G0021) uses DustySky (S0062)"
},
{
"meta": {
"source-uuid": "76abb3ef-dafd-4762-97cb-a35379429db4",
"target-uuid": "731f4f55-b6d0-41d1-a7a9-072a66389aea"
},
"uuid": "59543467-938a-4528-961d-a539f0a5618b",
"value": "Gazer (S0168) uses Connection Proxy (T1090)"
},
{
"meta": {
"source-uuid": "222fbd21-fc4f-4b7e-9f85-0e6e3a76c33f",
"target-uuid": "03342581-f790-4f03-ba41-e82e67392e23"
},
"uuid": "7193ed4c-7169-46fa-9294-d74d912510d0",
"value": "menuPass (G0045) uses Net (S0039)"
},
{
"meta": {
"source-uuid": "0bbdf25b-30ff-4894-a1cd-49260d0dd2d9",
"target-uuid": "e01be9c5-e763-4caf-aeb7-000b416aef67"
},
"uuid": "f0b3c919-bf39-4bc9-9488-5f30d5407c54",
"value": "APT3 (G0022) uses Create Account (T1136)"
},
{
"meta": {
"source-uuid": "9e9b9415-a7df-406b-b14d-92bfe6809fbe",
"target-uuid": "f879d51c-5476-431c-aedf-f14d207e4d1e"
},
"uuid": "d72da887-5684-47ac-958a-84b3e8b59c0b",
"value": "Nidiran (S0118) uses Commonly Used Port (T1043)"
},
{
"meta": {
"source-uuid": "0a68f1f1-da74-4d28-8d9a-696c082706cc",
"target-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add"
},
"uuid": "73f5c564-53b1-48bc-8cab-32fa4a608672",
"value": "certutil (S0160) uses Remote File Copy (T1105)"
},
{
"meta": {
"source-uuid": "0bbdf25b-30ff-4894-a1cd-49260d0dd2d9",
"target-uuid": "478aa214-2ca7-4ec0-9978-18798e514790"
},
"uuid": "bc9cfe76-2d64-4901-8e9e-c69d046cdfaa",
"value": "APT3 (G0022) uses New Service (T1050)"
},
{
"meta": {
"source-uuid": "fb575479-14ef-41e9-bfab-0b7cf10bec73",
"target-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6"
},
"uuid": "9a05a8cc-8d3c-46a5-947e-bebed2ab1c5a",
"value": "ADVSTORESHELL (S0045) uses Standard Application Layer Protocol (T1071)"
},
{
"meta": {
"source-uuid": "a0d8db1d-a731-4428-8209-c07175f4b1fe",
"target-uuid": "c848fcf7-6b62-4bde-8216-b6c157d48da0"
},
"uuid": "bde4d54d-16d7-4a07-a35a-9f0cc6956be2",
"value": "Uncommonly Used Port Mitigation (T1065) mitigates Uncommonly Used Port (T1065)"
},
{
"meta": {
"source-uuid": "93f52415-0fe4-4d3d-896c-fc9b8e88ab90",
"target-uuid": "3b3cbbe0-6ed3-4334-b543-3ddfd8c5642d"
},
"uuid": "ec4d07a2-8c8b-4df8-bb9e-b8c3e23d8dc5",
"value": "BRONZE BUTLER (G0060) uses Custom Cryptographic Protocol (T1024)"
},
{
"meta": {
"source-uuid": "03342581-f790-4f03-ba41-e82e67392e23",
"target-uuid": "e01be9c5-e763-4caf-aeb7-000b416aef67"
},
"uuid": "7185fe1c-1565-4175-bc7e-539ff704f4cb",
"value": "Net (S0039) uses Create Account (T1136)"
},
{
"meta": {
"source-uuid": "0bbdf25b-30ff-4894-a1cd-49260d0dd2d9",
"target-uuid": "7fd87010-3a00-4da3-b905-410525e8ec44"
},
"uuid": "897dec92-49a8-4edd-8ed2-8082f134e42b",
"value": "APT3 (G0022) uses Scripting (T1064)"
},
{
"meta": {
"source-uuid": "8ae43c46-57ef-47d5-a77a-eebb35628db2",
"target-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a"
},
"uuid": "ae1ee1dc-6017-4177-b34c-70db166a939e",
"value": "JHUHUGIT (S0044) uses Obfuscated Files or Information (T1027)"
},
{
"meta": {
"source-uuid": "93f52415-0fe4-4d3d-896c-fc9b8e88ab90",
"target-uuid": "ae676644-d2d2-41b7-af7e-9bed1b55898c"
},
"uuid": "595be2e7-9f2a-4d5a-b23d-8e4822ae6199",
"value": "BRONZE BUTLER (G0060) uses Data from Network Shared Drive (T1039)"
},
{
"meta": {
"source-uuid": "eff1a885-6f90-42a1-901f-eef6e7a1905e",
"target-uuid": "4b74a1d4-b0e9-4ef1-93f1-14ecc6e2f5b5"
},
"uuid": "2d8cdbf3-1be2-4e64-ba18-f8b65fcbae8f",
"value": "Helminth (S0170) uses Standard Cryptographic Protocol (T1032)"
},
{
"meta": {
"source-uuid": "afc079f3-c0ea-4096-b75d-3f05338b7f60",
"target-uuid": "1df0326d-2fbc-4d08-a16b-48365f1e742d"
},
"uuid": "3e5cf341-4707-4de3-bb06-43530ee3e90f",
"value": "Mimikatz (S0002) uses SID-History Injection (T1178)"
},
{
"meta": {
"source-uuid": "00c3bfcb-99bd-4767-8c03-b08f585f5c8a",
"target-uuid": "f3c544dc-673c-4ef3-accb-53229f1ae077"
},
"uuid": "6b38f460-e309-4ab1-bbc9-bd0bb30f4af9",
"value": "PowerDuke (S0139) uses System Time Discovery (T1124)"
},
{
"meta": {
"source-uuid": "ccd61dfc-b03f-4689-8c18-7c97eab08472",
"target-uuid": "f24faf46-3b26-4dbb-98f2-63460498e433"
},
"uuid": "101867a2-149c-4088-a90f-7af4b86e5013",
"value": "CHOPSTICK (S0023) uses Fallback Channels (T1008)"
},
{
"meta": {
"source-uuid": "d9f4b5fa-2a39-4bdf-b40a-ea998933cd6d",
"target-uuid": "6faf650d-bf31-4eb4-802d-1000cf38efaf"
},
"uuid": "e24bd0ff-bc9e-4d26-84ea-008acb4975a1",
"value": "Video Capture Mitigation (T1125) mitigates Video Capture (T1125)"
},
{
"meta": {
"source-uuid": "c5574ca0-d5a4-490a-b207-e4658e5fd1d7",
"target-uuid": "bb3c1098-d654-4620-bf40-694386d28921"
},
"uuid": "e577372f-c3c9-4e12-9bc6-3f6a1faec0ac",
"value": "Scarlet Mimic (G0029) uses FakeM (S0076)"
},
{
"meta": {
"source-uuid": "f6ae7a52-f3b6-4525-9daf-640c083f006e",
"target-uuid": "c21d5a77-d422-4a69-acd7-2c53c1faa34b"
},
"uuid": "fce7fac2-91da-4903-95dc-fb54650c0859",
"value": "PHOREAL (S0158) uses Standard Non-Application Layer Protocol (T1095)"
},
{
"meta": {
"source-uuid": "2fb26586-2b53-4b9a-ad4f-2b3bcb9a2421",
"target-uuid": "dcaa092b-7de9-4a21-977f-7fcb77e89c48"
},
"uuid": "93d83b03-8367-4655-84a5-9abaee885700",
"value": "SslMM (S0058) uses Access Token Manipulation (T1134)"
},
{
"meta": {
"source-uuid": "7343e208-7cab-45f2-a47b-41ba5e2f0fab",
"target-uuid": "4b74a1d4-b0e9-4ef1-93f1-14ecc6e2f5b5"
},
"uuid": "b3973baa-0185-45a1-934d-2b29f742a2df",
"value": "XTunnel (S0117) uses Standard Cryptographic Protocol (T1032)"
},
{
"meta": {
"source-uuid": "dc5d1a33-62aa-4a0c-aa8c-589b87beb11e",
"target-uuid": "7bc57495-ea59-4380-be31-a64af124ef18"
},
"uuid": "a802d52a-01f4-44c8-b80d-d2c746e1e31d",
"value": "ChChes (S0144) uses File and Directory Discovery (T1083)"
},
{
"meta": {
"source-uuid": "2a158b0a-7ef8-43cb-9985-bf34d1e12050",
"target-uuid": "2fb26586-2b53-4b9a-ad4f-2b3bcb9a2421"
},
"uuid": "af0b0bfb-1a1e-4a06-b9e9-adeda7b6ad81",
"value": "Naikon (G0019) uses SslMM (S0058)"
},
{
"meta": {
"source-uuid": "03342581-f790-4f03-ba41-e82e67392e23",
"target-uuid": "e358d692-23c0-4a31-9eb6-ecc13a8d7735"
},
"uuid": "31ec568c-53c7-4dfb-8bfb-bfb7addca7ee",
"value": "Net (S0039) uses Remote System Discovery (T1018)"
},
{
"meta": {
"source-uuid": "7331c66a-5601-4d3f-acf6-ad9e3035eb40",
"target-uuid": "c848fcf7-6b62-4bde-8216-b6c157d48da0"
},
"uuid": "05604d66-735a-4369-bc31-c7915bb3f2e0",
"value": "Group5 (G0043) uses Uncommonly Used Port (T1065)"
},
{
"meta": {
"source-uuid": "f8dfbc54-b070-4224-b560-79aaa5f835bd",
"target-uuid": "ad255bfe-a9e6-4b52-a258-8d3462abe842"
},
"uuid": "c79d7110-46bb-4b6d-a256-87bd1b6379a3",
"value": "H1N1 (S0132) uses Data Obfuscation (T1001)"
},
{
"meta": {
"source-uuid": "53cf6cc4-65aa-445a-bcf8-c3d296f8a7a2",
"target-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6"
},
"uuid": "61827309-9071-416b-aedf-7f82f224db2e",
"value": "NETEAGLE (S0034) uses Standard Application Layer Protocol (T1071)"
},
{
"meta": {
"source-uuid": "8ae43c46-57ef-47d5-a77a-eebb35628db2",
"target-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580"
},
"uuid": "1923a47b-5a48-44e6-883f-ca23a96fea46",
"value": "JHUHUGIT (S0044) uses Process Discovery (T1057)"
},
{
"meta": {
"source-uuid": "123bd7b3-675c-4b1a-8482-c55782b20e2b",
"target-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6"
},
"uuid": "2b2cdb6b-c23c-4792-8cfb-8c4d9279a186",
"value": "BUBBLEWRAP (S0043) uses Standard Application Layer Protocol (T1071)"
},
{
"meta": {
"source-uuid": "85403903-15e0-4f9f-9be4-a259ecad4022",
"target-uuid": "9de2308e-7bed-43a3-8e58-f194b3586700"
},
"uuid": "ab83d817-57b8-4970-afc6-fbd70c6e3760",
"value": "FIN5 (G0053) uses pwdump (S0006)"
},
{
"meta": {
"source-uuid": "d1acfbb3-647b-4723-9154-800ec119006e",
"target-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22"
},
"uuid": "d93265a6-1f92-472b-9e47-48b7863d8171",
"value": "Sowbug (G0054) uses Credential Dumping (T1003)"
},
{
"meta": {
"source-uuid": "e6ef745b-077f-42e1-a37d-29eecff9c754",
"target-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22"
},
"uuid": "932fa199-f4c0-4c39-bb30-a412607ee299",
"value": "CozyCar (S0046) uses Credential Dumping (T1003)"
},
{
"meta": {
"source-uuid": "8901ac23-6b50-410c-b0dd-d8174a86f9b3",
"target-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896"
},
"uuid": "2dfbcf5d-8563-440c-bd9c-0cfc15059bd5",
"value": "Shamoon (S0140) uses Query Registry (T1012)"
},
{
"meta": {
"source-uuid": "96b08451-b27a-4ff6-893f-790e26393a8e",
"target-uuid": "ca1a3f50-5ebd-41f8-8320-2c7d6a6e88be"
},
"uuid": "3efe41c1-48be-48fc-90d8-5ae70df3cd97",
"value": "Sakula (S0074) uses Bypass User Account Control (T1088)"
},
{
"meta": {
"source-uuid": "8ae43c46-57ef-47d5-a77a-eebb35628db2",
"target-uuid": "f24faf46-3b26-4dbb-98f2-63460498e433"
},
"uuid": "0d43f3a7-70ed-4d04-857e-3a9fbce86cfb",
"value": "JHUHUGIT (S0044) uses Fallback Channels (T1008)"
},
{
"meta": {
"source-uuid": "687c23e4-4e25-4ee7-a870-c5e002511f54",
"target-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580"
},
"uuid": "f33725f4-cce5-4868-b494-d73419c76bdf",
"value": "DustySky (S0062) uses Process Discovery (T1057)"
},
{
"meta": {
"source-uuid": "d519164e-f5fa-4b8c-a1fb-cf0172ad0983",
"target-uuid": "92a78814-b191-47ca-909c-1ccfe3777414"
},
"uuid": "b38cfcfd-b8e3-4a9c-ade9-8a8bfeb04694",
"value": "Threat Group-1314 (G0028) uses Third-party Software (T1072)"
},
{
"meta": {
"source-uuid": "85b39628-204a-48d2-b377-ec368cbcb7ca",
"target-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a"
},
"uuid": "4afcb9c9-e490-446b-97b1-1c151974242f",
"value": "TINYTYPHON (S0131) uses Obfuscated Files or Information (T1027)"
},
{
"meta": {
"source-uuid": "463f68f1-5cde-4dc2-a831-68b73488f8f4",
"target-uuid": "c848fcf7-6b62-4bde-8216-b6c157d48da0"
},
"uuid": "cfccba1b-5aa0-46ef-b668-d9f7e25b53ae",
"value": "MobileOrder (S0079) uses Uncommonly Used Port (T1065)"
},
{
"meta": {
"source-uuid": "5ce5392a-3a6c-4e07-9df3-9b6a9159ac45",
"target-uuid": "8e461ca3-0996-4e6e-a0df-e2a5bbc51ebc"
},
"uuid": "47835d17-73e1-427f-85b0-b55b610fa9ad",
"value": "Putter Panda (G0024) uses 4H RAT (S0065)"
},
{
"meta": {
"source-uuid": "65341f30-bec6-4b1d-8abf-1a5620446c29",
"target-uuid": "478aa214-2ca7-4ec0-9978-18798e514790"
},
"uuid": "ecca0af0-1549-4068-b01d-bab711c491c5",
"value": "Reaver (S0172) uses New Service (T1050)"
},
{
"meta": {
"source-uuid": "fbb470da-1d44-4f29-bbb3-9efbe20f94a3",
"target-uuid": "f879d51c-5476-431c-aedf-f14d207e4d1e"
},
"uuid": "8278fc85-24af-4f8a-9b82-3f233f18f5a6",
"value": "Mivast (S0080) uses Commonly Used Port (T1043)"
},
{
"meta": {
"source-uuid": "1c63d4ec-0a75-4daa-b1df-0d11af3d3cc1",
"target-uuid": "2e0dd10b-676d-4964-acd0-8a404c92b044"
},
"uuid": "c2bd7b04-b090-478a-8e83-6b4656c14bb0",
"value": "Dragonfly (G0035) uses Disabling Security Tools (T1089)"
},
{
"meta": {
"source-uuid": "c93fccb1-e8e8-42cf-ae33-2ad1d183913a",
"target-uuid": "4ae4f953-fe58-4cc8-a327-33257e30a830"
},
"uuid": "170e2f76-5b6a-4eee-8ea4-d1171368b4a9",
"value": "Lazarus Group (G0032) uses Application Window Discovery (T1010)"
},
{
"meta": {
"source-uuid": "9ab7de33-99b2-4d8d-8cf3-182fa0015cc2",
"target-uuid": "03259939-0b57-482f-8eb5-87c0e0d54334"
},
"uuid": "87f4c47d-b94d-4a1e-9c4b-be671a99e6f0",
"value": "Logon Scripts Mitigation (T1037) mitigates Logon Scripts (T1037)"
},
{
"meta": {
"source-uuid": "5967cc93-57c9-404a-8ffd-097edfa7bdfc",
"target-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59"
},
"uuid": "66bec558-ff92-42ff-a8c1-5b47d071d606",
"value": "Hi-Zor (S0087) uses File Deletion (T1107)"
},
{
"meta": {
"source-uuid": "0bbdf25b-30ff-4894-a1cd-49260d0dd2d9",
"target-uuid": "ffe742ed-9100-4686-9e00-c331da544787"
},
"uuid": "96797ece-5783-4d34-a399-32496c8705ac",
"value": "APT3 (G0022) uses Windows Admin Shares (T1077)"
},
{
"meta": {
"source-uuid": "a0cb9370-e39b-44d5-9f50-ef78e412b973",
"target-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22"
},
"uuid": "fad2a504-6e00-4892-bf88-b49d6d18788c",
"value": "Axiom (G0001) uses Credential Dumping (T1003)"
},
{
"meta": {
"source-uuid": "eff1a885-6f90-42a1-901f-eef6e7a1905e",
"target-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830"
},
"uuid": "acca43ee-1e88-4d39-a953-7626173a89b2",
"value": "Helminth (S0170) uses Command-Line Interface (T1059)"
},
{
"meta": {
"source-uuid": "96b08451-b27a-4ff6-893f-790e26393a8e",
"target-uuid": "b2001907-166b-4d71-bb3c-9d26c871de09"
},
"uuid": "5c34be50-c7be-40c2-80bb-f3bc7db5cdd7",
"value": "Sakula (S0074) uses DLL Side-Loading (T1073)"
},
{
"meta": {
"source-uuid": "0bbdf25b-30ff-4894-a1cd-49260d0dd2d9",
"target-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104"
},
"uuid": "fcfb3ce0-01a0-4f92-8e18-b323202d095d",
"value": "APT3 (G0022) uses System Owner/User Discovery (T1033)"
},
{
"meta": {
"source-uuid": "e066bf86-9cfb-407a-9d25-26fd5d91e360",
"target-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830"
},
"uuid": "380db9ad-f6ad-4988-8a28-b773313f07b7",
"value": "HTTPBrowser (S0070) uses Command-Line Interface (T1059)"
},
{
"meta": {
"source-uuid": "a52edc76-328d-4596-85e7-d56ef5a9eb69",
"target-uuid": "c23b740b-a42b-47a1-aec2-9d48ddd547ff"
},
"uuid": "1dc42b4c-4a93-4fc6-bad3-b5498ad500b1",
"value": "Pass-The-Hash Toolkit (S0122) uses Pass the Hash (T1075)"
},
{
"meta": {
"source-uuid": "d1acfbb3-647b-4723-9154-800ec119006e",
"target-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0"
},
"uuid": "d6d66a6f-dbc8-4d7b-b3fc-634f2765429a",
"value": "Sowbug (G0054) uses Masquerading (T1036)"
},
{
"meta": {
"source-uuid": "76abb3ef-dafd-4762-97cb-a35379429db4",
"target-uuid": "970cdb5c-02fb-4c38-b17e-d6327cf3c810"
},
"uuid": "7ec988a7-712a-45ae-b6b3-db26a6515b80",
"value": "Gazer (S0168) uses Shortcut Modification (T1023)"
},
{
"meta": {
"source-uuid": "9de2308e-7bed-43a3-8e58-f194b3586700",
"target-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22"
},
"uuid": "57a1f1a8-f1c0-4b7c-b5b4-f283a278833c",
"value": "pwdump (S0006) uses Credential Dumping (T1003)"
},
{
"meta": {
"source-uuid": "247cb30b-955f-42eb-97a5-a89fef69341e",
"target-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59"
},
"uuid": "ce212487-1291-4fe6-9f0b-f697516a7824",
"value": "APT32 (G0050) uses File Deletion (T1107)"
},
{
"meta": {
"source-uuid": "222fbd21-fc4f-4b7e-9f85-0e6e3a76c33f",
"target-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81"
},
"uuid": "44273d72-b0d9-42ee-9e8e-53d1b39f0651",
"value": "menuPass (G0045) uses Valid Accounts (T1078)"
},
{
"meta": {
"source-uuid": "5391ece4-8866-415d-9b5e-8dc5944f612a",
"target-uuid": "45d84c8b-c1e2-474d-a14d-69b5de0a2bc0"
},
"uuid": "fb5e24e6-58f1-4ef0-9094-147319487f15",
"value": "Source Mitigation (T1153) mitigates Source (T1153)"
},
{
"meta": {
"source-uuid": "6713ab67-e25b-49cc-808d-2b36d4fbc35c",
"target-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830"
},
"uuid": "a5a63d5c-acf7-4720-866d-fcf6e576a58f",
"value": "Ke3chang (G0004) uses Command-Line Interface (T1059)"
},
{
"meta": {
"source-uuid": "d519164e-f5fa-4b8c-a1fb-cf0172ad0983",
"target-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81"
},
"uuid": "c6358f18-fc64-46f5-8939-66e5258dd83d",
"value": "Threat Group-1314 (G0028) uses Valid Accounts (T1078)"
},
{
"meta": {
"source-uuid": "d5e96a35-7b0b-4c6a-9533-d63ecbda563e",
"target-uuid": "731f4f55-b6d0-41d1-a7a9-072a66389aea"
},
"uuid": "1b27cec5-241a-4c2e-a3db-e9cea241496c",
"value": "HTRAN (S0040) uses Connection Proxy (T1090)"
},
{
"meta": {
"source-uuid": "2a7914cf-dff3-428d-ab0f-1014d1c28aeb",
"target-uuid": "ff6caf67-ea1f-4895-b80e-4bb0fc31c6db"
},
"uuid": "9c8fa95a-cbbe-4ef6-999d-21b4080b54f6",
"value": "FIN6 (G0037) uses PsExec (S0029)"
},
{
"meta": {
"source-uuid": "222fbd21-fc4f-4b7e-9f85-0e6e3a76c33f",
"target-uuid": "01a5a209-b94c-450b-b7f9-946497d91055"
},
"uuid": "04203d88-5fe1-4e63-be65-51a17705716b",
"value": "menuPass (G0045) uses Windows Management Instrumentation (T1047)"
},
{
"meta": {
"source-uuid": "93f52415-0fe4-4d3d-896c-fc9b8e88ab90",
"target-uuid": "f4882e23-8aa7-4b12-b28a-b349c12ee9e0"
},
"uuid": "d36e83a0-5370-4d78-862d-4dbe8921709d",
"value": "BRONZE BUTLER (G0060) uses PowerShell (T1086)"
},
{
"meta": {
"source-uuid": "64fa0de0-6240-41f4-8638-f4ca7ed528fd",
"target-uuid": "ff25900d-76d5-449b-a351-8824e62fc81b"
},
"uuid": "14b393f2-6d67-4d4f-8f88-75c8b421c4e2",
"value": "PlugX (S0013) uses Trusted Developer Utilities (T1127)"
},
{
"meta": {
"source-uuid": "aafea02e-ece5-4bb2-91a6-3bf8c7f38a39",
"target-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22"
},
"uuid": "6dc0543b-1a60-4e9a-9527-595220854f53",
"value": "Cobalt Strike (S0154) uses Credential Dumping (T1003)"
},
{
"meta": {
"source-uuid": "aafea02e-ece5-4bb2-91a6-3bf8c7f38a39",
"target-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d"
},
"uuid": "aa243e70-fba4-4f8a-8b5e-1ac826eac593",
"value": "Cobalt Strike (S0154) uses Process Injection (T1055)"
},
{
"meta": {
"source-uuid": "09b2cd76-c674-47cc-9f57-d2f2ad150a46",
"target-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830"
},
"uuid": "aabb13d6-a73b-42aa-8014-696b94ff2416",
"value": "POWRUNER (S0184) uses Command-Line Interface (T1059)"
},
{
"meta": {
"source-uuid": "c93fccb1-e8e8-42cf-ae33-2ad1d183913a",
"target-uuid": "ffe742ed-9100-4686-9e00-c331da544787"
},
"uuid": "e6cafa6a-22ce-49f7-8136-dc5a51c3aaeb",
"value": "Lazarus Group (G0032) uses Windows Admin Shares (T1077)"
},
{
"meta": {
"source-uuid": "073cc04d-ac46-4f5a-85d7-83a91ecd6a19",
"target-uuid": "c0df6533-30ee-4a4a-9c6d-17af5abdf0b2"
},
"uuid": "daca6956-64b8-468f-aa64-0ce4a4f7ad28",
"value": "Setuid and Setgid Mitigation (T1166) mitigates Setuid and Setgid (T1166)"
},
{
"meta": {
"source-uuid": "43213480-78f7-4fb3-976f-d48f5f6a4c2a",
"target-uuid": "1b7ba276-eedc-4951-a762-0ceea2c030ec"
},
"uuid": "e30a790b-8f09-4bdc-8116-275d00880333",
"value": "FLASHFLOOD (S0036) uses Data from Removable Media (T1025)"
},
{
"meta": {
"source-uuid": "247cb30b-955f-42eb-97a5-a89fef69341e",
"target-uuid": "f6ae7a52-f3b6-4525-9daf-640c083f006e"
},
"uuid": "bb8fd9d4-4362-40c6-ab09-f05f843c2cef",
"value": "APT32 (G0050) uses PHOREAL (S0158)"
},
{
"meta": {
"source-uuid": "166c0eca-02fd-424a-92c0-6b5106994d31",
"target-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830"
},
"uuid": "98a9bef7-8aff-4cbb-958b-14cb72954b8a",
"value": "ZLib (S0086) uses Command-Line Interface (T1059)"
},
{
"meta": {
"source-uuid": "96e239be-ad99-49eb-b127-3007b8c1bec9",
"target-uuid": "348f1eef-964b-4eb6-bb53-69b3dcb0c643"
},
"uuid": "062ebca3-abf7-449a-ad84-f04a3cada4dd",
"value": "Equation (G0020) uses Peripheral Device Discovery (T1120)"
},
{
"meta": {
"source-uuid": "e48df773-7c95-4a4c-ba70-ea3d15900148",
"target-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104"
},
"uuid": "6cf42ee6-a064-4d8a-99d4-8aa0f878ae2a",
"value": "DownPaper (S0186) uses System Owner/User Discovery (T1033)"
},
{
"meta": {
"source-uuid": "cbf646f1-7db5-4dc6-808b-0094313949df",
"target-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6"
},
"uuid": "41edf1d6-15a7-4da5-9bfd-ebee9d53f71e",
"value": "CloudDuke (S0054) uses Standard Application Layer Protocol (T1071)"
},
{
"meta": {
"source-uuid": "a1dd2dbd-1550-44bf-abcc-1a4c52e97719",
"target-uuid": "3257eb21-f9a7-4430-8de1-d8b6e288f529"
},
"uuid": "9c012fcf-876b-4101-aa28-6af8b00a51d2",
"value": "Responder (S0174) uses Network Sniffing (T1040)"
},
{
"meta": {
"source-uuid": "af2ad3b7-ab6a-4807-91fd-51bcaff9acbb",
"target-uuid": "e6415f09-df0e-48de-9aba-928c902b7549"
},
"uuid": "2b97e16e-8c39-4e5e-ad90-15c10f15d923",
"value": "USBStealer (S0136) uses Exfiltration Over Physical Medium (T1052)"
},
{
"meta": {
"source-uuid": "5f9f7648-04ba-4a9f-bb4c-2a13e74572bd",
"target-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59"
},
"uuid": "c8bceb4a-0cf2-43c9-9729-20ed706c4c72",
"value": "Pteranodon (S0147) uses File Deletion (T1107)"
},
{
"meta": {
"source-uuid": "9e2bba94-950b-4fcf-8070-cb3f816c5f4e",
"target-uuid": "478aa214-2ca7-4ec0-9978-18798e514790"
},
"uuid": "8d976244-6d4e-443a-98c0-52fe1d94c388",
"value": "hcdLoader (S0071) uses New Service (T1050)"
},
{
"meta": {
"source-uuid": "5f9f7648-04ba-4a9f-bb4c-2a13e74572bd",
"target-uuid": "92d7da27-2d91-488e-a00c-059dc162766d"
},
"uuid": "acc40539-13a0-4577-a862-e348962bf0fc",
"value": "Pteranodon (S0147) uses Exfiltration Over Command and Control Channel (T1041)"
},
{
"meta": {
"source-uuid": "c93fccb1-e8e8-42cf-ae33-2ad1d183913a",
"target-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104"
},
"uuid": "500130c0-d049-4e67-9bcc-d60a5f6dfd4c",
"value": "Lazarus Group (G0032) uses System Owner/User Discovery (T1033)"
},
{
"meta": {
"source-uuid": "54cc1d4f-5c53-4f0e-9ef5-11b4998e82e4",
"target-uuid": "ba8e391f-14b5-496f-81f2-2d5ecd646c1c"
},
"uuid": "aec49e52-c54e-45be-a476-70aa0dc42cfb",
"value": "BlackEnergy (S0089) uses Credentials in Files (T1081)"
},
{
"meta": {
"source-uuid": "fb366179-766c-4a4a-afa1-52bff1fd601c",
"target-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add"
},
"uuid": "6a1693a7-1e85-48b6-9097-11339a987099",
"value": "Threat Group-3390 (G0027) uses Remote File Copy (T1105)"
},
{
"meta": {
"source-uuid": "e066bf86-9cfb-407a-9d25-26fd5d91e360",
"target-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0"
},
"uuid": "654d9e83-9501-4de8-8828-1a1ebf36bc8f",
"value": "HTTPBrowser (S0070) uses Masquerading (T1036)"
},
{
"meta": {
"source-uuid": "e6ef745b-077f-42e1-a37d-29eecff9c754",
"target-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6"
},
"uuid": "22301618-a676-4d94-975a-2a56e5a7f919",
"value": "CozyCar (S0046) uses Standard Application Layer Protocol (T1071)"
},
{
"meta": {
"source-uuid": "94379dec-5c87-49db-b36e-66abc0b81344",
"target-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104"
},
"uuid": "af66e48f-3232-4f78-ad3e-5a404f7ae3a1",
"value": "Derusbi (S0021) uses System Owner/User Discovery (T1033)"
},
{
"meta": {
"source-uuid": "bef4c620-0787-42a8-a96d-b7eb6e85917c",
"target-uuid": "e669bb87-f773-4c7b-bfcc-a9ffebfdd8d4"
},
"uuid": "720c211e-2219-496d-8a34-c3f37dfbe5bf",
"value": "APT28 (G0007) uses HIDEDRV (S0135)"
},
{
"meta": {
"source-uuid": "17e919aa-4a49-445c-b103-dbb8df9e7351",
"target-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a"
},
"uuid": "3a66ff23-3dcc-45b9-821a-8d6527b6e242",
"value": "POWERSOURCE (S0145) uses Obfuscated Files or Information (T1027)"
},
{
"meta": {
"source-uuid": "6b616fc1-1505-48e3-8b2c-0d19337bff38",
"target-uuid": "1b7ba276-eedc-4951-a762-0ceea2c030ec"
},
"uuid": "6d87588e-2202-4616-a536-e43a2606721b",
"value": "Rover (S0090) uses Data from Removable Media (T1025)"
},
{
"meta": {
"source-uuid": "c93fccb1-e8e8-42cf-ae33-2ad1d183913a",
"target-uuid": "a19e86f8-1c0a-4fea-8407-23b73d615776"
},
"uuid": "0a8ee649-e907-4a73-8513-3019b2d771a0",
"value": "Lazarus Group (G0032) uses Exfiltration Over Alternative Protocol (T1048)"
},
{
"meta": {
"source-uuid": "72f54d66-675d-4587-9bd3-4ed09f9522e4",
"target-uuid": "4b74a1d4-b0e9-4ef1-93f1-14ecc6e2f5b5"
},
"uuid": "a9bd68ed-2602-4225-838e-2d9b7f8761b4",
"value": "Carbanak (S0030) uses Standard Cryptographic Protocol (T1032)"
},
{
"meta": {
"source-uuid": "b42378e0-f147-496f-992a-26a49705395b",
"target-uuid": "4b74a1d4-b0e9-4ef1-93f1-14ecc6e2f5b5"
},
"uuid": "b41c9b77-536b-49bc-8cb9-a873aa121002",
"value": "PoisonIvy (S0012) uses Standard Cryptographic Protocol (T1032)"
},
{
"meta": {
"source-uuid": "67e6d66b-1b82-4699-b47a-e2efb6268d14",
"target-uuid": "1608f3e1-598a-42f4-a01a-2e252e81728f"
},
"uuid": "76333b56-47b1-40c6-9223-c4cf6673362f",
"value": "SeaDuke (S0053) uses Email Collection (T1114)"
},
{
"meta": {
"source-uuid": "dc5d1a33-62aa-4a0c-aa8c-589b87beb11e",
"target-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580"
},
"uuid": "e6f69552-fe0e-4b40-ad20-4410048277e6",
"value": "ChChes (S0144) uses Process Discovery (T1057)"
},
{
"meta": {
"source-uuid": "247cb30b-955f-42eb-97a5-a89fef69341e",
"target-uuid": "f72eb8a8-cd4c-461d-a814-3f862befbf00"
},
"uuid": "4477e350-645d-40de-8de7-7a6e1680c2e0",
"value": "APT32 (G0050) uses Custom Command and Control Protocol (T1094)"
},
{
"meta": {
"source-uuid": "37cc7eb6-12e3-467b-82e8-f20f2cc73c69",
"target-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a"
},
"uuid": "290a1ceb-68e1-42ae-be81-f474038aaa05",
"value": "Prikormka (S0113) uses Obfuscated Files or Information (T1027)"
},
{
"meta": {
"source-uuid": "4ca1929c-7d64-4aab-b849-badbfc0c760d",
"target-uuid": "cde2d700-9ed1-46cf-9bce-07364fe8b24f"
},
"uuid": "49404706-aa42-4914-a273-2eeb217e6477",
"value": "OilRig (G0049) uses Reg (S0075)"
},
{
"meta": {
"source-uuid": "59a97b15-8189-4d51-9404-e1ce8ea4a069",
"target-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59"
},
"uuid": "f5fee3da-a3ef-4a81-a70c-9660ab1fb3d6",
"value": "XAgentOSX (S0161) uses File Deletion (T1107)"
},
{
"meta": {
"source-uuid": "e066bf86-9cfb-407a-9d25-26fd5d91e360",
"target-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2"
},
"uuid": "ab7faed6-3c50-4b04-a31b-ac2c933a51ef",
"value": "HTTPBrowser (S0070) uses Input Capture (T1056)"
},
{
"meta": {
"source-uuid": "2eb9b131-d333-4a48-9eb4-d8dec46c19ee",
"target-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5"
},
"uuid": "dad229e7-fcc6-4c1d-99c3-47d54fbc6892",
"value": "CosmicDuke (S0050) uses Data from Local System (T1005)"
},
{
"meta": {
"source-uuid": "69d6f4a9-fcf0-4f51-bca7-597c51ad0bb8",
"target-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59"
},
"uuid": "2b4a8be2-8403-43d4-addd-79c504e3dec8",
"value": "Remsec (S0125) uses File Deletion (T1107)"
},
{
"meta": {
"source-uuid": "5967cc93-57c9-404a-8ffd-097edfa7bdfc",
"target-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830"
},
"uuid": "aaca7907-7a43-4ebb-bd2b-bf7f497d9134",
"value": "Hi-Zor (S0087) uses Command-Line Interface (T1059)"
},
{
"meta": {
"source-uuid": "6713ab67-e25b-49cc-808d-2b36d4fbc35c",
"target-uuid": "b9f5dbe2-4c55-4fc5-af2e-d42c1d182ec4"
},
"uuid": "ab7eb363-c775-4065-a80d-1b324f22d0b8",
"value": "Ke3chang (G0004) uses Data Compressed (T1002)"
},
{
"meta": {
"source-uuid": "4ca1929c-7d64-4aab-b849-badbfc0c760d",
"target-uuid": "15dbf668-795c-41e6-8219-f0447c0e64ce"
},
"uuid": "d39e3775-9221-4020-b826-edc111e36c7c",
"value": "OilRig (G0049) uses Permission Groups Discovery (T1069)"
},
{
"meta": {
"source-uuid": "dcd81c6e-ebf7-4a16-93e0-9a97fa49c88a",
"target-uuid": "0b32ec39-ba61-4864-9ebe-b4b0b73caf9a"
},
"uuid": "dc4e54ed-ca71-4dd1-a61e-714222c0c76d",
"value": "CopyKittens (G0052) uses TDTESS (S0164)"
},
{
"meta": {
"source-uuid": "0a9c51e0-825d-4b9b-969d-ce86ed8ce3c3",
"target-uuid": "52f3d5a6-8a0f-4f82-977e-750abf90d0b0"
},
"uuid": "c56de8bc-ad9e-415a-8840-ae294ed4f88a",
"value": "Power Loader (S0177) uses Extra Window Memory Injection (T1181)"
},
{
"meta": {
"source-uuid": "c93fccb1-e8e8-42cf-ae33-2ad1d183913a",
"target-uuid": "f879d51c-5476-431c-aedf-f14d207e4d1e"
},
"uuid": "88896f55-5606-4b21-8616-e7965a863dd8",
"value": "Lazarus Group (G0032) uses Commonly Used Port (T1043)"
},
{
"meta": {
"source-uuid": "d69c8146-ab35-4d50-8382-6fc80e641d43",
"target-uuid": "84e02621-8fdf-470f-bd58-993bb6a89d91"
},
"uuid": "25ad5783-c7fe-4715-b4ce-c03b36ccdfa8",
"value": "BLACKCOFFEE (S0069) uses Multi-Stage Channels (T1104)"
},
{
"meta": {
"source-uuid": "5cbe0d3b-6fb1-471f-b591-4b192915116d",
"target-uuid": "1b84d551-6de8-4b96-9930-d177677c3b1d"
},
"uuid": "cb2d2f2d-face-430b-995d-c9bd35db5b90",
"value": "Suckfly (G0039) uses Code Signing (T1116)"
},
{
"meta": {
"source-uuid": "bef4c620-0787-42a8-a96d-b7eb6e85917c",
"target-uuid": "9b52fca7-1a36-4da0-b62d-da5bd83b4d69"
},
"uuid": "54d3eadf-0363-47d1-b51d-a16d6a99c42e",
"value": "APT28 (G0007) uses Component Object Model Hijacking (T1122)"
},
{
"meta": {
"source-uuid": "4ca1929c-7d64-4aab-b849-badbfc0c760d",
"target-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1"
},
"uuid": "0c03f2b4-a752-4d74-9c26-5306132a3329",
"value": "OilRig (G0049) uses System Information Discovery (T1082)"
},
{
"meta": {
"source-uuid": "ae41895a-243f-4a65-b99b-d85022326c31",
"target-uuid": "7bc57495-ea59-4380-be31-a64af124ef18"
},
"uuid": "b03aafb3-dc03-4e12-9354-69a579b60aaf",
"value": "Dust Storm (G0031) uses File and Directory Discovery (T1083)"
},
{
"meta": {
"source-uuid": "2e290bfe-93b5-48ce-97d6-edcd6d32b7cf",
"target-uuid": "7fd87010-3a00-4da3-b905-410525e8ec44"
},
"uuid": "f73df541-6b55-42d1-aec3-53660fda1508",
"value": "Gamaredon Group (G0047) uses Scripting (T1064)"
},
{
"meta": {
"source-uuid": "f6d1d2cb-12f5-4221-9636-44606ea1f3f8",
"target-uuid": "e358d692-23c0-4a31-9eb6-ecc13a8d7735"
},
"uuid": "8765dd7e-33cc-4040-927d-bf0aa16d3d79",
"value": "OSInfo (S0165) uses Remote System Discovery (T1018)"
},
{
"meta": {
"source-uuid": "b6b3dfc7-9a81-43ff-ac04-698bad48973a",
"target-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6"
},
"uuid": "d6204645-83ff-4b26-a011-9b58bab2d597",
"value": "Daserf (S0187) uses Standard Application Layer Protocol (T1071)"
},
{
"meta": {
"source-uuid": "684feec3-f9ba-4049-9d8f-52d52f3e0e40",
"target-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0"
},
"uuid": "98bdcea2-1c8d-4a65-b75d-075a00d6e87c",
"value": "System Network Configuration Discovery Mitigation (T1016) mitigates System Network Configuration Discovery (T1016)"
},
{
"meta": {
"source-uuid": "800bdfba-6d66-480f-9f45-15845c05cb5d",
"target-uuid": "ba8e391f-14b5-496f-81f2-2d5ecd646c1c"
},
"uuid": "a6e4853a-78a6-4c88-a7c5-58793d3e4dcd",
"value": "pngdowner (S0067) uses Credentials in Files (T1081)"
},
{
"meta": {
"source-uuid": "fb261c56-b80e-43a9-8351-c84081e7213d",
"target-uuid": "92d7da27-2d91-488e-a00c-059dc162766d"
},
"uuid": "9267fe42-6290-4342-8024-38d703db4376",
"value": "BACKSPACE (S0031) uses Exfiltration Over Command and Control Channel (T1041)"
},
{
"meta": {
"source-uuid": "af2ad3b7-ab6a-4807-91fd-51bcaff9acbb",
"target-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0"
},
"uuid": "a67d4b9b-0c8f-41d8-a7f2-6d4c61fcb1ea",
"value": "USBStealer (S0136) uses Masquerading (T1036)"
},
{
"meta": {
"source-uuid": "6713ab67-e25b-49cc-808d-2b36d4fbc35c",
"target-uuid": "7e150503-88e7-4861-866b-ff1ac82c4475"
},
"uuid": "eaa06586-e33e-4e4c-91ca-76935c22e012",
"value": "Ke3chang (G0004) uses System Network Connections Discovery (T1049)"
},
{
"meta": {
"source-uuid": "8c553311-0baa-4146-997a-f79acef3d831",
"target-uuid": "7bc57495-ea59-4380-be31-a64af124ef18"
},
"uuid": "35ec37ba-44aa-49b1-9379-3f6070554c62",
"value": "RARSTONE (S0055) uses File and Directory Discovery (T1083)"
},
{
"meta": {
"source-uuid": "0db09158-6e48-4e7c-8ce7-2b10b9c0c039",
"target-uuid": "f879d51c-5476-431c-aedf-f14d207e4d1e"
},
"uuid": "81b183bc-de6a-457c-a3f3-a1168e8456f1",
"value": "Misdat (S0083) uses Commonly Used Port (T1043)"
},
{
"meta": {
"source-uuid": "17b40f60-729f-4fe8-8aea-cc9ee44a95d5",
"target-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59"
},
"uuid": "6d51e34d-d2ee-41aa-9ec7-dc74c84ebe9f",
"value": "RedLeaves (S0153) uses File Deletion (T1107)"
},
{
"meta": {
"source-uuid": "76abb3ef-dafd-4762-97cb-a35379429db4",
"target-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104"
},
"uuid": "d219ed2b-2877-450f-9a69-a30f36497d14",
"value": "Gazer (S0168) uses System Owner/User Discovery (T1033)"
},
{
"meta": {
"source-uuid": "0640214c-95af-4c04-a574-2a1ba6dda00b",
"target-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896"
},
"uuid": "b003a96b-81f7-436c-99a6-a25323f759ac",
"value": "Query Registry Mitigation (T1012) mitigates Query Registry (T1012)"
},
{
"meta": {
"source-uuid": "91000a8a-58cc-4aba-9ad0-993ad6302b86",
"target-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580"
},
"uuid": "0cbc1f3f-7a32-4056-bfa6-25186ac5e6a4",
"value": "StreamEx (S0142) uses Process Discovery (T1057)"
},
{
"meta": {
"source-uuid": "4c59cce8-cb48-4141-b9f1-f646edfaadb0",
"target-uuid": "ffe742ed-9100-4686-9e00-c331da544787"
},
"uuid": "b98c506f-3dd3-45c1-b81a-3e23bcfe6198",
"value": "Regin (S0019) uses Windows Admin Shares (T1077)"
},
{
"meta": {
"source-uuid": "fb366179-766c-4a4a-afa1-52bff1fd601c",
"target-uuid": "2e0dd10b-676d-4964-acd0-8a404c92b044"
},
"uuid": "6f884bda-0c39-4d3b-97e3-29ae9099fa45",
"value": "Threat Group-3390 (G0027) uses Disabling Security Tools (T1089)"
},
{
"meta": {
"source-uuid": "e6ef745b-077f-42e1-a37d-29eecff9c754",
"target-uuid": "478aa214-2ca7-4ec0-9978-18798e514790"
},
"uuid": "cb0ebed2-4cac-437b-b5b2-37ee716af3f0",
"value": "CozyCar (S0046) uses New Service (T1050)"
},
{
"meta": {
"source-uuid": "2a158b0a-7ef8-43cb-9985-bf34d1e12050",
"target-uuid": "8c553311-0baa-4146-997a-f79acef3d831"
},
"uuid": "7dba7706-128e-43a7-a240-6d456c9003a2",
"value": "Naikon (G0019) uses RARSTONE (S0055)"
},
{
"meta": {
"source-uuid": "9752aef4-a1f3-4328-929f-b64eb0536090",
"target-uuid": "7dd95ff6-712e-4056-9626-312ea4ab4c5e"
},
"uuid": "b25f5d90-f6cc-47e9-89f1-5527886bf536",
"value": "RawPOS (S0169) uses Data Staged (T1074)"
},
{
"meta": {
"source-uuid": "ae41895a-243f-4a65-b99b-d85022326c31",
"target-uuid": "66b1dcde-17a0-4c7b-95fa-b08d430c2131"
},
"uuid": "0ec4a49c-0adc-41fb-afc2-e99f1e7c5200",
"value": "Dust Storm (G0031) uses S-Type (S0085)"
},
{
"meta": {
"source-uuid": "17b40f60-729f-4fe8-8aea-cc9ee44a95d5",
"target-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a"
},
"uuid": "6610332d-86a5-46dc-a0a1-31c2fe31f164",
"value": "RedLeaves (S0153) uses Obfuscated Files or Information (T1027)"
},
{
"meta": {
"source-uuid": "242f3da3-4425-4d11-8f5c-b842886da966",
"target-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22"
},
"uuid": "935971d6-0af2-4683-971a-9acb523733fe",
"value": "Windows Credential Editor (S0005) uses Credential Dumping (T1003)"
},
{
"meta": {
"source-uuid": "f2e8c7a1-cae1-45c4-baf0-6f21bdcbb2c2",
"target-uuid": "830c9528-df21-472c-8c14-a036bf17d665"
},
"uuid": "bb8149a2-fdda-4c3a-9e02-f530c4ee7962",
"value": "GLOOXMAIL (S0026) uses Web Service (T1102)"
},
{
"meta": {
"source-uuid": "7dbb67c7-270a-40ad-836e-c45f8948aa5a",
"target-uuid": "01a5a209-b94c-450b-b7f9-946497d91055"
},
"uuid": "e8e4b87c-3d30-4627-8060-5b5116d057fc",
"value": "KOMPROGO (S0156) uses Windows Management Instrumentation (T1047)"
},
{
"meta": {
"source-uuid": "f8dfbc54-b070-4224-b560-79aaa5f835bd",
"target-uuid": "2e0dd10b-676d-4964-acd0-8a404c92b044"
},
"uuid": "1082a68e-549b-47d5-9eb3-e719f01ce42b",
"value": "H1N1 (S0132) uses Disabling Security Tools (T1089)"
},
{
"meta": {
"source-uuid": "6713ab67-e25b-49cc-808d-2b36d4fbc35c",
"target-uuid": "7fcbc4e8-1989-441f-9ac5-e7b6ff5806f1"
},
"uuid": "301de16e-3829-4fb0-b217-dcdfca7398c9",
"value": "Ke3chang (G0004) uses Systeminfo (S0096)"
},
{
"meta": {
"source-uuid": "c93fccb1-e8e8-42cf-ae33-2ad1d183913a",
"target-uuid": "99709758-2b96-48f2-a68a-ad7fbd828091"
},
"uuid": "7e221899-d90a-4c9a-8ea4-77110c45f0f9",
"value": "Lazarus Group (G0032) uses Multiband Communication (T1026)"
},
{
"meta": {
"source-uuid": "8e461ca3-0996-4e6e-a0df-e2a5bbc51ebc",
"target-uuid": "3b3cbbe0-6ed3-4334-b543-3ddfd8c5642d"
},
"uuid": "6613ed52-5c6c-43f2-bd0c-9809769cb022",
"value": "4H RAT (S0065) uses Custom Cryptographic Protocol (T1024)"
},
{
"meta": {
"source-uuid": "495b6cdb-7b5a-4fbc-8d33-e7ef68806d08",
"target-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1"
},
"uuid": "35697909-4c19-4799-a5ac-3153750619f8",
"value": "Volgmer (S0180) uses System Information Discovery (T1082)"
},
{
"meta": {
"source-uuid": "88b7dbc2-32d3-4e31-af2f-3fc24e1582d7",
"target-uuid": "7551188b-8f91-4d34-8350-0d0c57b2b913"
},
"uuid": "8859897c-66f5-4754-8cb8-2c6e6b8b8e2e",
"value": "Lotus Blossom (G0030) uses Elise (S0081)"
},
{
"meta": {
"source-uuid": "69d6f4a9-fcf0-4f51-bca7-597c51ad0bb8",
"target-uuid": "c21d5a77-d422-4a69-acd7-2c53c1faa34b"
},
"uuid": "4ee54acd-fc04-43c2-8cf6-2200a802d0b9",
"value": "Remsec (S0125) uses Standard Non-Application Layer Protocol (T1095)"
},
{
"meta": {
"source-uuid": "809b79cd-be78-4597-88d1-5496d1d9993a",
"target-uuid": "b53dbcc6-147d-48bb-9df4-bcb8bb808ff6"
},
"uuid": "d17c02f0-bd1f-4c16-8fe7-28d347407f2e",
"value": "Trap Mitigation (T1154) mitigates Trap (T1154)"
},
{
"meta": {
"source-uuid": "0472af99-f25c-4abe-9fce-010fa3450e72",
"target-uuid": "ba8e391f-14b5-496f-81f2-2d5ecd646c1c"
},
"uuid": "5a491b91-739f-498b-b8f2-b14aaea07893",
"value": "Credentials in Files Mitigation (T1081) mitigates Credentials in Files (T1081)"
},
{
"meta": {
"source-uuid": "64d76fa5-cf8f-469c-b78c-1a4f7c5bad80",
"target-uuid": "f879d51c-5476-431c-aedf-f14d207e4d1e"
},
"uuid": "b3bc844c-bebf-4756-8d33-6e16ca4ee6a1",
"value": "BBSRAT (S0127) uses Commonly Used Port (T1043)"
},
{
"meta": {
"source-uuid": "59a97b15-8189-4d51-9404-e1ce8ea4a069",
"target-uuid": "ba8e391f-14b5-496f-81f2-2d5ecd646c1c"
},
"uuid": "b9e2fac9-fc1a-4e13-ac68-1a5796b04d72",
"value": "XAgentOSX (S0161) uses Credentials in Files (T1081)"
},
{
"meta": {
"source-uuid": "d1acfbb3-647b-4723-9154-800ec119006e",
"target-uuid": "3489cfc5-640f-4bb3-a103-9137b97de79f"
},
"uuid": "cc495391-9abd-4df1-8ad7-ec8d84feaeb9",
"value": "Sowbug (G0054) uses Network Share Discovery (T1135)"
},
{
"meta": {
"source-uuid": "0bbdf25b-30ff-4894-a1cd-49260d0dd2d9",
"target-uuid": "15dbf668-795c-41e6-8219-f0447c0e64ce"
},
"uuid": "e590aaaa-40fd-4f61-93f3-f2d6daee65a4",
"value": "APT3 (G0022) uses Permission Groups Discovery (T1069)"
},
{
"meta": {
"source-uuid": "a653431d-6a5e-4600-8ad3-609b5af57064",
"target-uuid": "01a5a209-b94c-450b-b7f9-946497d91055"
},
"uuid": "d295beee-439c-44f9-9908-4cb194331de9",
"value": "Deep Panda (G0009) uses Windows Management Instrumentation (T1047)"
},
{
"meta": {
"source-uuid": "68dca94f-c11d-421e-9287-7c501108e18c",
"target-uuid": "d54416bd-0803-41ca-870a-ce1af7c05638"
},
"uuid": "03fc71a1-c589-4396-b5c7-70dfde49c55c",
"value": "Duqu (S0038) uses Data Encrypted (T1022)"
},
{
"meta": {
"source-uuid": "222fbd21-fc4f-4b7e-9f85-0e6e3a76c33f",
"target-uuid": "51dea151-0898-4a45-967c-3ebee0420484"
},
"uuid": "bd78bfa6-f30e-4429-ac06-0039d553a69d",
"value": "menuPass (G0045) uses Remote Desktop Protocol (T1076)"
},
{
"meta": {
"source-uuid": "687c23e4-4e25-4ee7-a870-c5e002511f54",
"target-uuid": "7bc57495-ea59-4380-be31-a64af124ef18"
},
"uuid": "f9773935-853e-4d5e-9345-9587fd77340d",
"value": "DustySky (S0062) uses File and Directory Discovery (T1083)"
},
{
"meta": {
"source-uuid": "3753cc21-2dae-4dfb-8481-d004e74502cc",
"target-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc"
},
"uuid": "74859e2a-7a8f-4b87-b75c-7286b3de685c",
"value": "FIN7 (G0046) uses Registry Run Keys / Start Folder (T1060)"
},
{
"meta": {
"source-uuid": "a653431d-6a5e-4600-8ad3-609b5af57064",
"target-uuid": "ffe742ed-9100-4686-9e00-c331da544787"
},
"uuid": "f43ab4db-5dea-4a1f-977a-f5d779330193",
"value": "Deep Panda (G0009) uses Windows Admin Shares (T1077)"
},
{
"meta": {
"source-uuid": "234e7770-99b0-4f65-b983-d3230f76a60b",
"target-uuid": "1035cdf2-3e5f-446f-a7a7-e8f6d7925967"
},
"uuid": "8b5d4742-35a6-4ab7-993c-e20831ab0020",
"value": "Janicab (S0163) uses Audio Capture (T1123)"
},
{
"meta": {
"source-uuid": "8ae43c46-57ef-47d5-a77a-eebb35628db2",
"target-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59"
},
"uuid": "edaa004e-8239-40d8-a4f0-8849c4f0e87f",
"value": "JHUHUGIT (S0044) uses File Deletion (T1107)"
},
{
"meta": {
"source-uuid": "85b39628-204a-48d2-b377-ec368cbcb7ca",
"target-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc"
},
"uuid": "753f9861-f0b8-4467-ac5e-4457bd350095",
"value": "TINYTYPHON (S0131) uses Registry Run Keys / Start Folder (T1060)"
},
{
"meta": {
"source-uuid": "222fbd21-fc4f-4b7e-9f85-0e6e3a76c33f",
"target-uuid": "72b74d71-8169-42aa-92e0-e7b04b9f5a08"
},
"uuid": "5a6942dc-eab7-4f45-b5fa-6149774e2acc",
"value": "menuPass (G0045) uses Account Discovery (T1087)"
},
{
"meta": {
"source-uuid": "64d76fa5-cf8f-469c-b78c-1a4f7c5bad80",
"target-uuid": "b2001907-166b-4d71-bb3c-9d26c871de09"
},
"uuid": "6b19a5ae-3f6a-4950-94da-22d94477d5d2",
"value": "BBSRAT (S0127) uses DLL Side-Loading (T1073)"
},
{
"meta": {
"source-uuid": "08d20cd2-f084-45ee-8558-fa6ef5a18519",
"target-uuid": "46944654-fcc1-4f63-9dad-628102376586"
},
"uuid": "f4f5b6a4-26d5-4352-a25d-001a51a0a121",
"value": "Downdelph (S0134) uses DLL Search Order Hijacking (T1038)"
},
{
"meta": {
"source-uuid": "0e18b800-906c-4e44-a143-b11c72b3448b",
"target-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6"
},
"uuid": "e3b79cfa-6ea8-4e7a-85f8-9862702d466a",
"value": "FLIPSIDE (S0173) uses Standard Application Layer Protocol (T1071)"
},
{
"meta": {
"source-uuid": "fe0aeb41-1a51-4152-8467-628256ea6adf",
"target-uuid": "62dfd1ca-52d5-483c-a84b-d6e80bf94b7b"
},
"uuid": "812b36a3-ed93-4b45-95c3-39a9ac9c36f5",
"value": "Modify Existing Service Mitigation (T1031) mitigates Modify Existing Service (T1031)"
},
{
"meta": {
"source-uuid": "16ade1aa-0ea1-4bb7-88cc-9079df2ae756",
"target-uuid": "294e2560-bd48-44b2-9da2-833b5588ad11"
},
"uuid": "e38e741c-a7ef-420a-911a-1d2cf6abf49d",
"value": "admin@338 (G0018) uses ipconfig (S0100)"
},
{
"meta": {
"source-uuid": "1cc934e4-b01d-4543-a011-b988dfc1a458",
"target-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22"
},
"uuid": "47a95ac1-e37a-40ea-bf1e-e99ff4483998",
"value": "Matroyshka (S0167) uses Credential Dumping (T1003)"
},
{
"meta": {
"source-uuid": "2eb9b131-d333-4a48-9eb4-d8dec46c19ee",
"target-uuid": "3b3cbbe0-6ed3-4334-b543-3ddfd8c5642d"
},
"uuid": "fbae4191-679a-45b2-8ebb-8adb5348f4d0",
"value": "CosmicDuke (S0050) uses Custom Cryptographic Protocol (T1024)"
},
{
"meta": {
"source-uuid": "88c621a7-aef9-4ae0-94e3-1fc87123eb24",
"target-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830"
},
"uuid": "68852bf2-c3cf-4d59-b1c1-f6af8fb61be6",
"value": "gh0st (S0032) uses Command-Line Interface (T1059)"
},
{
"meta": {
"source-uuid": "bef4c620-0787-42a8-a96d-b7eb6e85917c",
"target-uuid": "af2ad3b7-ab6a-4807-91fd-51bcaff9acbb"
},
"uuid": "d26b3aeb-972f-471e-ab59-dc1ee2aa532e",
"value": "APT28 (G0007) uses USBStealer (S0136)"
},
{
"meta": {
"source-uuid": "9ea525fa-b0a9-4dde-84f2-bcea0137b3c1",
"target-uuid": "4b74a1d4-b0e9-4ef1-93f1-14ecc6e2f5b5"
},
"uuid": "609d3d8c-1995-43ef-a102-a39d668a774d",
"value": "MoonWind (S0149) uses Standard Cryptographic Protocol (T1032)"
},
{
"meta": {
"source-uuid": "17b40f60-729f-4fe8-8aea-cc9ee44a95d5",
"target-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104"
},
"uuid": "bd8aaa70-710d-45a7-bb43-6b2e37f7c797",
"value": "RedLeaves (S0153) uses System Owner/User Discovery (T1033)"
},
{
"meta": {
"source-uuid": "08d20cd2-f084-45ee-8558-fa6ef5a18519",
"target-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add"
},
"uuid": "9c7a9bd0-4f52-4c10-8e79-3b6e72d431d1",
"value": "Downdelph (S0134) uses Remote File Copy (T1105)"
},
{
"meta": {
"source-uuid": "fe98767f-9df8-42b9-83c9-004b1dec8647",
"target-uuid": "b42378e0-f147-496f-992a-26a49705395b"
},
"uuid": "8d65162b-650d-4a38-9c19-cc6c8e85a2e9",
"value": "PittyTiger (G0011) uses PoisonIvy (S0012)"
},
{
"meta": {
"source-uuid": "43213480-78f7-4fb3-976f-d48f5f6a4c2a",
"target-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc"
},
"uuid": "3ebad12d-fd33-4289-93dc-1f5af5e90b66",
"value": "FLASHFLOOD (S0036) uses Registry Run Keys / Start Folder (T1060)"
},
{
"meta": {
"source-uuid": "84d633a4-dd93-40ca-8510-40238c021931",
"target-uuid": "dc27c2ec-c5f9-4228-ba57-d67b590bda93"
},
"uuid": "36adf5c8-2426-41e1-807d-f4d7958b9d54",
"value": "Hidden Files and Directories Mitigation (T1158) mitigates Hidden Files and Directories (T1158)"
},
{
"meta": {
"source-uuid": "54246e2e-683f-4bf2-be4c-d7d5a60e7d22",
"target-uuid": "0dbf5f1b-a560-4d51-ac1b-d70caab3e1f0"
},
"uuid": "126bfb52-654a-4056-be93-37a06f8d6a32",
"value": "LLMNR/NBT-NS Poisoning Mitigation (T1171) mitigates LLMNR/NBT-NS Poisoning (T1171)"
},
{
"meta": {
"source-uuid": "ccd61dfc-b03f-4689-8c18-7c97eab08472",
"target-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add"
},
"uuid": "731710ae-a6b9-47b7-b8b2-8526ce60be2f",
"value": "CHOPSTICK (S0023) uses Remote File Copy (T1105)"
},
{
"meta": {
"source-uuid": "16ade1aa-0ea1-4bb7-88cc-9079df2ae756",
"target-uuid": "b42378e0-f147-496f-992a-26a49705395b"
},
"uuid": "7b355dcf-9a9f-43b3-9989-128f5171b5c3",
"value": "admin@338 (G0018) uses PoisonIvy (S0012)"
},
{
"meta": {
"source-uuid": "e6ef745b-077f-42e1-a37d-29eecff9c754",
"target-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0"
},
"uuid": "a4a49b56-e220-4a81-a0da-43b63c012cfe",
"value": "CozyCar (S0046) uses Masquerading (T1036)"
},
{
"meta": {
"source-uuid": "afc079f3-c0ea-4096-b75d-3f05338b7f60",
"target-uuid": "ba8e391f-14b5-496f-81f2-2d5ecd646c1c"
},
"uuid": "028c3adf-4182-4250-9642-2ce5c448f710",
"value": "Mimikatz (S0002) uses Credentials in Files (T1081)"
},
{
"meta": {
"source-uuid": "8b880b41-5139-4807-baa9-309690218719",
"target-uuid": "d54416bd-0803-41ca-870a-ce1af7c05638"
},
"uuid": "23df6015-0167-481c-84aa-3d15d3e38a85",
"value": "SPACESHIP (S0035) uses Data Encrypted (T1022)"
},
{
"meta": {
"source-uuid": "894aab42-3371-47b1-8859-a4a074c804c8",
"target-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22"
},
"uuid": "4d3e4232-1330-45a9-9e90-9914eed276a5",
"value": "Stealth Falcon (G0038) uses Credential Dumping (T1003)"
},
{
"meta": {
"source-uuid": "00c3bfcb-99bd-4767-8c03-b08f585f5c8a",
"target-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59"
},
"uuid": "789cf81d-bfc9-4c1a-a34a-57e41981894a",
"value": "PowerDuke (S0139) uses File Deletion (T1107)"
},
{
"meta": {
"source-uuid": "1cc934e4-b01d-4543-a011-b988dfc1a458",
"target-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6"
},
"uuid": "c476a0da-44fd-4492-86ae-407aabab3735",
"value": "Matroyshka (S0167) uses Standard Application Layer Protocol (T1071)"
},
{
"meta": {
"source-uuid": "54cc1d4f-5c53-4f0e-9ef5-11b4998e82e4",
"target-uuid": "478aa214-2ca7-4ec0-9978-18798e514790"
},
"uuid": "c48f6a1b-1599-4e82-a7b6-1f7b5186e99e",
"value": "BlackEnergy (S0089) uses New Service (T1050)"
},
{
"meta": {
"source-uuid": "09b2cd76-c674-47cc-9f57-d2f2ad150a46",
"target-uuid": "7e150503-88e7-4861-866b-ff1ac82c4475"
},
"uuid": "e0cf8a56-e8e1-43b0-9efc-f167d1cf21de",
"value": "POWRUNER (S0184) uses System Network Connections Discovery (T1049)"
},
{
"meta": {
"source-uuid": "7a19ecb1-3c65-4de3-a230-993516aed6a6",
"target-uuid": "2e45723a-31da-4a7e-aaa6-e01998a6788f"
},
"uuid": "bd2a23f7-88cd-47d2-b30e-9356d0204a8e",
"value": "Turla (G0010) uses Tasklist (S0057)"
},
{
"meta": {
"source-uuid": "69d6f4a9-fcf0-4f51-bca7-597c51ad0bb8",
"target-uuid": "72b74d71-8169-42aa-92e0-e7b04b9f5a08"
},
"uuid": "9e587add-08b7-4ecb-a40a-664b9cff1d0f",
"value": "Remsec (S0125) uses Account Discovery (T1087)"
},
{
"meta": {
"source-uuid": "7551188b-8f91-4d34-8350-0d0c57b2b913",
"target-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a"
},
"uuid": "68bbad6c-1685-4275-bd36-b885a64caf6d",
"value": "Elise (S0081) uses Obfuscated Files or Information (T1027)"
},
{
"meta": {
"source-uuid": "2a158b0a-7ef8-43cb-9985-bf34d1e12050",
"target-uuid": "b77b563c-34bb-4fb8-86a3-3694338f7b47"
},
"uuid": "2a220ca3-88f4-40eb-8041-184c412950d4",
"value": "Naikon (G0019) uses Ping (S0097)"
},
{
"meta": {
"source-uuid": "54cc1d4f-5c53-4f0e-9ef5-11b4998e82e4",
"target-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688"
},
"uuid": "147d2e66-25de-42ea-8592-eb51333f595c",
"value": "BlackEnergy (S0089) uses Screen Capture (T1113)"
},
{
"meta": {
"source-uuid": "00c3bfcb-99bd-4767-8c03-b08f585f5c8a",
"target-uuid": "7bc57495-ea59-4380-be31-a64af124ef18"
},
"uuid": "24ea53e3-a51f-4c4a-b3de-2e1d09ed69e8",
"value": "PowerDuke (S0139) uses File and Directory Discovery (T1083)"
},
{
"meta": {
"source-uuid": "aaa92b37-f96c-4a0a-859c-b1cb6faeb13d",
"target-uuid": "a6525aec-acc4-47fe-92f9-b9b4de4b9228"
},
"uuid": "0bc1693e-d481-46d7-bd62-3ed6884986d2",
"value": "Graphical User Interface Mitigation (T1061) mitigates Graphical User Interface (T1061)"
},
{
"meta": {
"source-uuid": "fb366179-766c-4a4a-afa1-52bff1fd601c",
"target-uuid": "c3888c54-775d-4b2f-b759-75a2ececcbfd"
},
"uuid": "0b36c1d0-d016-4c12-bf61-6dc14b29c7e0",
"value": "Threat Group-3390 (G0027) uses Data Transfer Size Limits (T1030)"
},
{
"meta": {
"source-uuid": "2a7914cf-dff3-428d-ab0f-1014d1c28aeb",
"target-uuid": "242f3da3-4425-4d11-8f5c-b842886da966"
},
"uuid": "6ed5961a-224a-419b-b696-8962813158f2",
"value": "FIN6 (G0037) uses Windows Credential Editor (S0005)"
},
{
"meta": {
"source-uuid": "5967cc93-57c9-404a-8ffd-097edfa7bdfc",
"target-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc"
},
"uuid": "4f08676f-51c1-4cb5-94a7-08922e4886c6",
"value": "Hi-Zor (S0087) uses Registry Run Keys / Start Folder (T1060)"
},
{
"meta": {
"source-uuid": "1c63d4ec-0a75-4daa-b1df-0d11af3d3cc1",
"target-uuid": "a93494bb-4b80-4ea1-8695-3236a49916fd"
},
"uuid": "c74f0442-88c6-4f2b-abb1-c2f269a93d69",
"value": "Dragonfly (G0035) uses Brute Force (T1110)"
},
{
"meta": {
"source-uuid": "9ea525fa-b0a9-4dde-84f2-bcea0137b3c1",
"target-uuid": "7bc57495-ea59-4380-be31-a64af124ef18"
},
"uuid": "5c84d301-b6d1-4af8-9c25-1260e05fa924",
"value": "MoonWind (S0149) uses File and Directory Discovery (T1083)"
},
{
"meta": {
"source-uuid": "8e461ca3-0996-4e6e-a0df-e2a5bbc51ebc",
"target-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830"
},
"uuid": "43a63e7a-d673-47c0-9af5-76dcd5a5d9b8",
"value": "4H RAT (S0065) uses Command-Line Interface (T1059)"
},
{
"meta": {
"source-uuid": "495b6cdb-7b5a-4fbc-8d33-e7ef68806d08",
"target-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830"
},
"uuid": "9f1c680d-042e-4291-bf9c-85c51120aa8b",
"value": "Volgmer (S0180) uses Command-Line Interface (T1059)"
},
{
"meta": {
"source-uuid": "222fbd21-fc4f-4b7e-9f85-0e6e3a76c33f",
"target-uuid": "b2001907-166b-4d71-bb3c-9d26c871de09"
},
"uuid": "d4d07662-749c-4116-a83c-e4045eddad43",
"value": "menuPass (G0045) uses DLL Side-Loading (T1073)"
},
{
"meta": {
"source-uuid": "2dd34b01-6110-4aac-835d-b5e7b936b0be",
"target-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0"
},
"uuid": "3a241a6c-11ee-4abc-a551-b5d4e594aad4",
"value": "OLDBAIT (S0138) uses Masquerading (T1036)"
},
{
"meta": {
"source-uuid": "e066bf86-9cfb-407a-9d25-26fd5d91e360",
"target-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a"
},
"uuid": "291b7fbf-5b5f-460a-8009-cadb383b3262",
"value": "HTTPBrowser (S0070) uses Obfuscated Files or Information (T1027)"
},
{
"meta": {
"source-uuid": "2e290bfe-93b5-48ce-97d6-edcd6d32b7cf",
"target-uuid": "348f1eef-964b-4eb6-bb53-69b3dcb0c643"
},
"uuid": "d30d8fa0-7f24-41e5-ae8d-e4449e88d2f0",
"value": "Gamaredon Group (G0047) uses Peripheral Device Discovery (T1120)"
},
{
"meta": {
"source-uuid": "40d3e230-ed32-469f-ba89-be70cc08ab39",
"target-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add"
},
"uuid": "fcc12c1f-1a46-49f4-a872-99cb97968bf0",
"value": "Agent.btz (S0092) uses Remote File Copy (T1105)"
},
{
"meta": {
"source-uuid": "4f170666-7edb-4489-85c2-9affa28a72e0",
"target-uuid": "01df3350-ce05-4bdf-bdf8-0a919a66d4a8"
},
"uuid": "a48d44d2-a84c-45dc-9a59-2bc21f2f2301",
"value": ".bash_profile and .bashrc Mitigation (T1156) mitigates .bash_profile and .bashrc (T1156)"
},
{
"meta": {
"source-uuid": "196f1f32-e0c2-4d46-99cd-234d4b6befe1",
"target-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6"
},
"uuid": "4887f5b0-45ed-4848-a984-4e72263e33d8",
"value": "Felismus (S0171) uses Standard Application Layer Protocol (T1071)"
},
{
"meta": {
"source-uuid": "af2ad3b7-ab6a-4807-91fd-51bcaff9acbb",
"target-uuid": "348f1eef-964b-4eb6-bb53-69b3dcb0c643"
},
"uuid": "f7740e3c-c143-40b7-a8da-e797f5d74b50",
"value": "USBStealer (S0136) uses Peripheral Device Discovery (T1120)"
},
{
"meta": {
"source-uuid": "64d76fa5-cf8f-469c-b78c-1a4f7c5bad80",
"target-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc"
},
"uuid": "4af1ec66-5007-49df-8a10-df2c8ed7edc8",
"value": "BBSRAT (S0127) uses Registry Run Keys / Start Folder (T1060)"
},
{
"meta": {
"source-uuid": "0bbdf25b-30ff-4894-a1cd-49260d0dd2d9",
"target-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0"
},
"uuid": "48042284-2fde-43f0-a3dc-f64e9f16bd77",
"value": "APT3 (G0022) uses System Network Configuration Discovery (T1016)"
},
{
"meta": {
"source-uuid": "3240cbe4-c550-443b-aa76-cc2a7058b870",
"target-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830"
},
"uuid": "e27e75c2-5734-4602-8a32-c56bb50f890b",
"value": "SNUGRIDE (S0159) uses Command-Line Interface (T1059)"
},
{
"meta": {
"source-uuid": "68dca94f-c11d-421e-9287-7c501108e18c",
"target-uuid": "b9f5dbe2-4c55-4fc5-af2e-d42c1d182ec4"
},
"uuid": "0f3af4de-b1cc-4cc2-9eb7-9aa46cdebfcd",
"value": "Duqu (S0038) uses Data Compressed (T1002)"
},
{
"meta": {
"source-uuid": "26fed817-e7bf-41f9-829a-9075ffac45c2",
"target-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830"
},
"uuid": "305ecc72-e820-44cb-ab52-593ccca814ff",
"value": "Kasidet (S0088) uses Command-Line Interface (T1059)"
},
{
"meta": {
"source-uuid": "f047ee18-7985-4946-8bfb-4ed754d3a0dd",
"target-uuid": "43213480-78f7-4fb3-976f-d48f5f6a4c2a"
},
"uuid": "a18071ad-fe4f-4014-ad9a-1b0a66df3eab",
"value": "APT30 (G0013) uses FLASHFLOOD (S0036)"
},
{
"meta": {
"source-uuid": "65341f30-bec6-4b1d-8abf-1a5620446c29",
"target-uuid": "d54416bd-0803-41ca-870a-ce1af7c05638"
},
"uuid": "98d3455f-49cc-4539-ba35-4b11bec0ddcd",
"value": "Reaver (S0172) uses Data Encrypted (T1022)"
},
{
"meta": {
"source-uuid": "9a5b7194-88e0-4579-b82f-e3c27b8cca80",
"target-uuid": "e01be9c5-e763-4caf-aeb7-000b416aef67"
},
"uuid": "7b88fc6b-32c0-4c3d-9ea3-505543c7f374",
"value": "Create Account Mitigation (T1136) mitigates Create Account (T1136)"
},
{
"meta": {
"source-uuid": "17862c7d-9e60-48a0-b48e-da4dc4c3f6b0",
"target-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc"
},
"uuid": "3f954be4-205c-4cec-92f9-36715e204a49",
"value": "Patchwork (G0040) uses Registry Run Keys / Start Folder (T1060)"
},
{
"meta": {
"source-uuid": "7636484c-adc5-45d4-9bfe-c3e062fbc4a0",
"target-uuid": "e48df773-7c95-4a4c-ba70-ea3d15900148"
},
"uuid": "e9b0af76-f6b1-43b0-ac0e-ea23582f575b",
"value": "Charming Kitten (G0058) uses DownPaper (S0186)"
},
{
"meta": {
"source-uuid": "54cc1d4f-5c53-4f0e-9ef5-11b4998e82e4",
"target-uuid": "348f1eef-964b-4eb6-bb53-69b3dcb0c643"
},
"uuid": "7cac6ccb-d070-47da-8ebf-4034b0fddb7c",
"value": "BlackEnergy (S0089) uses Peripheral Device Discovery (T1120)"
},
{
"meta": {
"source-uuid": "c5e9cb46-aced-466c-85ea-7db5572ad9ec",
"target-uuid": "6856ddd6-2df3-4379-8b87-284603c189c3"
},
"uuid": "d92b5b68-4c3e-436f-a922-997467831409",
"value": "Trojan.Mebromi (S0001) uses System Firmware (T1019)"
},
{
"meta": {
"source-uuid": "0bbdf25b-30ff-4894-a1cd-49260d0dd2d9",
"target-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc"
},
"uuid": "cc705bf0-ba29-443e-9cd5-aef247505210",
"value": "APT3 (G0022) uses Registry Run Keys / Start Folder (T1060)"
},
{
"meta": {
"source-uuid": "2eb9b131-d333-4a48-9eb4-d8dec46c19ee",
"target-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22"
},
"uuid": "4d7add6f-ebd5-477f-9958-a5176835da2e",
"value": "CosmicDuke (S0050) uses Credential Dumping (T1003)"
},
{
"meta": {
"source-uuid": "308855d1-078b-47ad-8d2a-8f9b2713ffb5",
"target-uuid": "ffe742ed-9100-4686-9e00-c331da544787"
},
"uuid": "243bf0fe-68eb-4d82-bbbf-d551611a0cd8",
"value": "Windows Admin Shares Mitigation (T1077) mitigates Windows Admin Shares (T1077)"
},
{
"meta": {
"source-uuid": "4ca1929c-7d64-4aab-b849-badbfc0c760d",
"target-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580"
},
"uuid": "d8e375a3-f455-4c66-bc63-251f320ec8b1",
"value": "OilRig (G0049) uses Process Discovery (T1057)"
},
{
"meta": {
"source-uuid": "8b36d944-f274-4d46-9acd-dbba6927ce7a",
"target-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc"
},
"uuid": "9213f7ac-c548-4139-950b-5481a94570f9",
"value": "Registry Run Keys / Start Folder Mitigation (T1060) mitigates Registry Run Keys / Start Folder (T1060)"
},
{
"meta": {
"source-uuid": "64fa0de0-6240-41f4-8638-f4ca7ed528fd",
"target-uuid": "830c9528-df21-472c-8c14-a036bf17d665"
},
"uuid": "3d97f57c-2a7c-4626-8b05-9d345047d3ad",
"value": "PlugX (S0013) uses Web Service (T1102)"
},
{
"meta": {
"source-uuid": "0bbdf25b-30ff-4894-a1cd-49260d0dd2d9",
"target-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81"
},
"uuid": "8ac07a3f-9468-47a3-8ecc-c432f80e03f4",
"value": "APT3 (G0022) uses Valid Accounts (T1078)"
},
{
"meta": {
"source-uuid": "fbe9387f-34e6-4828-ac28-3080020c597b",
"target-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9"
},
"uuid": "8b3f374c-9f56-4493-8b85-72d0750d0c59",
"value": "FIN10 (G0051) uses Scheduled Task (T1053)"
},
{
"meta": {
"source-uuid": "8b880b41-5139-4807-baa9-309690218719",
"target-uuid": "7dd95ff6-712e-4056-9626-312ea4ab4c5e"
},
"uuid": "9e214d5b-7d46-4135-bc42-4caab16b39d8",
"value": "SPACESHIP (S0035) uses Data Staged (T1074)"
},
{
"meta": {
"source-uuid": "ae9d818d-95d0-41da-b045-9cabea1ca164",
"target-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6"
},
"uuid": "3acdd018-80a0-4005-bab9-0cf89acfa43a",
"value": "PinchDuke (S0048) uses Standard Application Layer Protocol (T1071)"
},
{
"meta": {
"source-uuid": "dcd81c6e-ebf7-4a16-93e0-9a97fa49c88a",
"target-uuid": "1b84d551-6de8-4b96-9930-d177677c3b1d"
},
"uuid": "f6915cfa-4c11-4830-bcd8-aa648596b895",
"value": "CopyKittens (G0052) uses Code Signing (T1116)"
},
{
"meta": {
"source-uuid": "7bec698a-7e20-4fd3-bb6a-12787770fb1a",
"target-uuid": "6aabc5ec-eae6-422c-8311-38d45ee9838a"
},
"uuid": "3f327394-55be-4dac-8e79-93c49be0426a",
"value": "3PARA RAT (S0066) uses Redundant Access (T1108)"
},
{
"meta": {
"source-uuid": "2e290bfe-93b5-48ce-97d6-edcd6d32b7cf",
"target-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6"
},
"uuid": "c63c7dc5-e374-4bf0-9839-0f940ac6d46c",
"value": "Gamaredon Group (G0047) uses Standard Application Layer Protocol (T1071)"
},
{
"meta": {
"source-uuid": "85403903-15e0-4f9f-9be4-a259ecad4022",
"target-uuid": "242f3da3-4425-4d11-8f5c-b842886da966"
},
"uuid": "432f40d2-5309-4cc1-9544-2943233c3c2c",
"value": "FIN5 (G0053) uses Windows Credential Editor (S0005)"
},
{
"meta": {
"source-uuid": "96b08451-b27a-4ff6-893f-790e26393a8e",
"target-uuid": "3b3cbbe0-6ed3-4334-b543-3ddfd8c5642d"
},
"uuid": "4e5dff55-c686-4fa6-bad1-caa8507083d9",
"value": "Sakula (S0074) uses Custom Cryptographic Protocol (T1024)"
},
{
"meta": {
"source-uuid": "bef4c620-0787-42a8-a96d-b7eb6e85917c",
"target-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22"
},
"uuid": "e71903c4-a7af-4317-adf0-10f76d3d4e15",
"value": "APT28 (G0007) uses Credential Dumping (T1003)"
},
{
"meta": {
"source-uuid": "6a2e693f-24e5-451a-9f88-b36a108e5662",
"target-uuid": "5a84dc36-df0d-4053-9b7c-f0c388a57283"
},
"uuid": "7909f5a6-3924-4259-aedd-2e48123f563a",
"value": "APT1 (G0006) uses CALENDAR (S0025)"
},
{
"meta": {
"source-uuid": "85403903-15e0-4f9f-9be4-a259ecad4022",
"target-uuid": "7dd95ff6-712e-4056-9626-312ea4ab4c5e"
},
"uuid": "2af3c673-c0c6-4246-aacc-984eb370e7b9",
"value": "FIN5 (G0053) uses Data Staged (T1074)"
},
{
"meta": {
"source-uuid": "876f6a77-fbc5-4e13-ab1a-5611986730a3",
"target-uuid": "6faf650d-bf31-4eb4-802d-1000cf38efaf"
},
"uuid": "e5a2a20c-1ef7-49a9-a9fa-2b89231793b8",
"value": "T9000 (S0098) uses Video Capture (T1125)"
},
{
"meta": {
"source-uuid": "b2203c59-4089-4ee4-bfe1-28fa25f0dbfe",
"target-uuid": "317fefa6-46c7-4062-adb6-2008cf6bcb41"
},
"uuid": "cb4af413-9bd7-4f1a-a693-57d11ffccbf5",
"value": "Cherry Picker (S0107) uses AppInit DLLs (T1103)"
},
{
"meta": {
"source-uuid": "fb575479-14ef-41e9-bfab-0b7cf10bec73",
"target-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670"
},
"uuid": "cc2099fb-4785-4884-b274-4f3e8a3b8d99",
"value": "ADVSTORESHELL (S0045) uses Execution through API (T1106)"
},
{
"meta": {
"source-uuid": "b6b3dfc7-9a81-43ff-ac04-698bad48973a",
"target-uuid": "6ff403bc-93e3-48be-8687-e102fdba8c88"
},
"uuid": "2f507d82-1df4-4c9c-804a-2e6060944142",
"value": "Daserf (S0187) uses Software Packing (T1045)"
},
{
"meta": {
"source-uuid": "c93fccb1-e8e8-42cf-ae33-2ad1d183913a",
"target-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1"
},
"uuid": "4eec017c-8bf2-4eda-8c92-15926fc7e5aa",
"value": "Lazarus Group (G0032) uses System Information Discovery (T1082)"
},
{
"meta": {
"source-uuid": "2eb9b131-d333-4a48-9eb4-d8dec46c19ee",
"target-uuid": "1b7ba276-eedc-4951-a762-0ceea2c030ec"
},
"uuid": "ff61ebde-befe-488a-89d0-dc4c49e60d59",
"value": "CosmicDuke (S0050) uses Data from Removable Media (T1025)"
},
{
"meta": {
"source-uuid": "cfc2d2fc-14ff-495f-bd99-585be47b804f",
"target-uuid": "7c93aa74-4bc0-4a9e-90ea-f25f86301566"
},
"uuid": "a38d4ac5-1d3d-4a2f-9493-ff3e2a4669b8",
"value": "Application Shimming Mitigation (T1138) mitigates Application Shimming (T1138)"
},
{
"meta": {
"source-uuid": "f9d6633a-55e6-4adc-9263-6ae080421a13",
"target-uuid": "7fd87010-3a00-4da3-b905-410525e8ec44"
},
"uuid": "675f24e0-c445-4eb3-a191-16fb181f6e30",
"value": "Magic Hound (G0059) uses Scripting (T1064)"
},
{
"meta": {
"source-uuid": "f3d0c735-330f-43c2-8e8e-51bcfa51e8c3",
"target-uuid": "f72eb8a8-cd4c-461d-a814-3f862befbf00"
},
"uuid": "647032ac-0432-4785-9d50-06b9970bcbcb",
"value": "Custom Command and Control Protocol Mitigation (T1094) mitigates Custom Command and Control Protocol (T1094)"
},
{
"meta": {
"source-uuid": "59a97b15-8189-4d51-9404-e1ce8ea4a069",
"target-uuid": "7bc57495-ea59-4380-be31-a64af124ef18"
},
"uuid": "63a7bbf6-bb2e-41e7-8893-c3f7f207a7a7",
"value": "XAgentOSX (S0161) uses File and Directory Discovery (T1083)"
},
{
"meta": {
"source-uuid": "fde50aaa-f5de-4cb8-989a-babb57d6a704",
"target-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22"
},
"uuid": "a8e6ca7b-5d75-429a-b8f8-de97d5c277b3",
"value": "Net Crawler (S0056) uses Credential Dumping (T1003)"
},
{
"meta": {
"source-uuid": "fb261c56-b80e-43a9-8351-c84081e7213d",
"target-uuid": "84e02621-8fdf-470f-bd58-993bb6a89d91"
},
"uuid": "a6962782-1942-42f5-a627-f205376e2ec2",
"value": "BACKSPACE (S0031) uses Multi-Stage Channels (T1104)"
},
{
"meta": {
"source-uuid": "6a2e693f-24e5-451a-9f88-b36a108e5662",
"target-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0"
},
"uuid": "c7823efd-005f-49ad-94cf-ebc44a87abed",
"value": "APT1 (G0006) uses Masquerading (T1036)"
},
{
"meta": {
"source-uuid": "222fbd21-fc4f-4b7e-9f85-0e6e3a76c33f",
"target-uuid": "54a649ff-439a-41a4-9856-8d144a2551ba"
},
"uuid": "f16c18f0-c5ac-4ea2-bfd0-222e63c09018",
"value": "menuPass (G0045) uses Remote Services (T1021)"
},
{
"meta": {
"source-uuid": "dfb5fa9b-3051-4b97-8035-08f80aef945b",
"target-uuid": "92d7da27-2d91-488e-a00c-059dc162766d"
},
"uuid": "ac3b6751-e615-44f6-a086-0c236742d8fd",
"value": "Psylo (S0078) uses Exfiltration Over Command and Control Channel (T1041)"
},
{
"meta": {
"source-uuid": "0bbdf25b-30ff-4894-a1cd-49260d0dd2d9",
"target-uuid": "51dea151-0898-4a45-967c-3ebee0420484"
},
"uuid": "d2858dfa-504f-416d-8801-41a1a9561f22",
"value": "APT3 (G0022) uses Remote Desktop Protocol (T1076)"
},
{
"meta": {
"source-uuid": "4e6b9625-bbda-4d96-a652-b3bb45453f26",
"target-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9"
},
"uuid": "abb4a85a-d98a-46f7-965b-48d9f88fe9b6",
"value": "RemoteCMD (S0166) uses Scheduled Task (T1053)"
},
{
"meta": {
"source-uuid": "f9d6633a-55e6-4adc-9263-6ae080421a13",
"target-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580"
},
"uuid": "a4c59c09-2abd-4c49-8156-0ccc9214b66e",
"value": "Magic Hound (G0059) uses Process Discovery (T1057)"
},
{
"meta": {
"source-uuid": "196f1f32-e0c2-4d46-99cd-234d4b6befe1",
"target-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1"
},
"uuid": "9f653750-2ee6-4d00-906b-c71f1d217288",
"value": "Felismus (S0171) uses System Information Discovery (T1082)"
},
{
"meta": {
"source-uuid": "3753cc21-2dae-4dfb-8481-d004e74502cc",
"target-uuid": "0ced8926-914e-4c78-bc93-356fb90dbd1f"
},
"uuid": "49d09bc3-cdc0-479b-8516-f64bff9b6757",
"value": "FIN7 (G0046) uses HALFBAKED (S0151)"
},
{
"meta": {
"source-uuid": "6713ab67-e25b-49cc-808d-2b36d4fbc35c",
"target-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0"
},
"uuid": "6fb6c639-cefa-4c7f-af89-26cb5fcd4030",
"value": "Ke3chang (G0004) uses System Network Configuration Discovery (T1016)"
},
{
"meta": {
"source-uuid": "2a158b0a-7ef8-43cb-9985-bf34d1e12050",
"target-uuid": "007b44b6-e4c5-480b-b5b9-56f2081b1b7b"
},
"uuid": "8119ee71-e017-4ba0-9aeb-a14c46f64f1a",
"value": "Naikon (G0019) uses HDoor (S0061)"
},
{
"meta": {
"source-uuid": "894aab42-3371-47b1-8859-a4a074c804c8",
"target-uuid": "4b74a1d4-b0e9-4ef1-93f1-14ecc6e2f5b5"
},
"uuid": "73da57b5-e64f-44ee-85f7-d294c21fb534",
"value": "Stealth Falcon (G0038) uses Standard Cryptographic Protocol (T1032)"
},
{
"meta": {
"source-uuid": "16ade1aa-0ea1-4bb7-88cc-9079df2ae756",
"target-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0"
},
"uuid": "1b141c9e-a679-40c7-ad7b-ac40ac586471",
"value": "admin@338 (G0018) uses System Network Configuration Discovery (T1016)"
},
{
"meta": {
"source-uuid": "6b616fc1-1505-48e3-8b2c-0d19337bff38",
"target-uuid": "7dd95ff6-712e-4056-9626-312ea4ab4c5e"
},
"uuid": "9cef6fec-e4eb-49eb-85db-880138f335bd",
"value": "Rover (S0090) uses Data Staged (T1074)"
},
{
"meta": {
"source-uuid": "f6d1d2cb-12f5-4221-9636-44606ea1f3f8",
"target-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0"
},
"uuid": "d8a5e73d-fe56-42d7-a53d-09a90c21308b",
"value": "OSInfo (S0165) uses System Network Configuration Discovery (T1016)"
},
{
"meta": {
"source-uuid": "899ce53f-13a0-479b-a0e4-67d46e241542",
"target-uuid": "199463de-d9be-46d6-bb41-07234c1dd5a6"
},
"uuid": "3ae8d262-d2f8-4fa5-adb4-e379d43b9c37",
"value": "APT29 (G0016) uses GeminiDuke (S0049)"
},
{
"meta": {
"source-uuid": "326af1cd-78e7-45b7-a326-125d2f7ef8f2",
"target-uuid": "241814ae-de3f-4656-b49e-f9a80764d4b7"
},
"uuid": "198d7156-eff4-4a6e-8e59-ab8a656f77a8",
"value": "Crimson (S0115) uses Security Software Discovery (T1063)"
},
{
"meta": {
"source-uuid": "a8d3d497-2da9-4797-8e0b-ed176be08654",
"target-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59"
},
"uuid": "2e5039ef-913f-4808-9685-32f64f4dbf49",
"value": "Wingbird (S0176) uses File Deletion (T1107)"
},
{
"meta": {
"source-uuid": "bb3c1098-d654-4620-bf40-694386d28921",
"target-uuid": "4b74a1d4-b0e9-4ef1-93f1-14ecc6e2f5b5"
},
"uuid": "4b6bee9b-469e-48ce-84fa-5322de03470a",
"value": "FakeM (S0076) uses Standard Cryptographic Protocol (T1032)"
},
{
"meta": {
"source-uuid": "7343e208-7cab-45f2-a47b-41ba5e2f0fab",
"target-uuid": "519630c5-f03f-4882-825c-3af924935817"
},
"uuid": "0c143634-89e1-47a0-9044-4ca39ccff76a",
"value": "XTunnel (S0117) uses Binary Padding (T1009)"
},
{
"meta": {
"source-uuid": "eff1a885-6f90-42a1-901f-eef6e7a1905e",
"target-uuid": "f4882e23-8aa7-4b12-b28a-b349c12ee9e0"
},
"uuid": "5b69fc3c-1bf7-4092-be94-755790ccf41f",
"value": "Helminth (S0170) uses PowerShell (T1086)"
},
{
"meta": {
"source-uuid": "eff1a885-6f90-42a1-901f-eef6e7a1905e",
"target-uuid": "970cdb5c-02fb-4c38-b17e-d6327cf3c810"
},
"uuid": "3537c31f-bd6f-4cad-97ac-4ec3d8a9478b",
"value": "Helminth (S0170) uses Shortcut Modification (T1023)"
},
{
"meta": {
"source-uuid": "4664b683-f578-434f-919b-1c1aad2a1111",
"target-uuid": "7e150503-88e7-4861-866b-ff1ac82c4475"
},
"uuid": "28189361-4cd2-4925-a095-d7ebd07ebd57",
"value": "netstat (S0104) uses System Network Connections Discovery (T1049)"
},
{
"meta": {
"source-uuid": "495b6cdb-7b5a-4fbc-8d33-e7ef68806d08",
"target-uuid": "7bc57495-ea59-4380-be31-a64af124ef18"
},
"uuid": "084ac639-2502-4020-8938-65352349acbb",
"value": "Volgmer (S0180) uses File and Directory Discovery (T1083)"
},
{
"meta": {
"source-uuid": "af2ad3b7-ab6a-4807-91fd-51bcaff9acbb",
"target-uuid": "7bc57495-ea59-4380-be31-a64af124ef18"
},
"uuid": "03ab3120-4c6e-4de2-982a-fe22d466f748",
"value": "USBStealer (S0136) uses File and Directory Discovery (T1083)"
},
{
"meta": {
"source-uuid": "df71bb3b-813c-45eb-a8bc-f2a419837411",
"target-uuid": "1b84d551-6de8-4b96-9930-d177677c3b1d"
},
"uuid": "361cbd71-b178-44d0-9802-78a310938bad",
"value": "Molerats (G0021) uses Code Signing (T1116)"
},
{
"meta": {
"source-uuid": "2fb26586-2b53-4b9a-ad4f-2b3bcb9a2421",
"target-uuid": "f24faf46-3b26-4dbb-98f2-63460498e433"
},
"uuid": "329678a6-eb6b-499b-90a8-059d1cf1a35f",
"value": "SslMM (S0058) uses Fallback Channels (T1008)"
},
{
"meta": {
"source-uuid": "ae9d818d-95d0-41da-b045-9cabea1ca164",
"target-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5"
},
"uuid": "d77a4123-3d46-4317-8921-f6eb8c34c585",
"value": "PinchDuke (S0048) uses Data from Local System (T1005)"
},
{
"meta": {
"source-uuid": "083bb47b-02c8-4423-81a2-f9ef58572974",
"target-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580"
},
"uuid": "b6ae274b-f0b3-4694-ab8d-37e0c62cff35",
"value": "Backdoor.Oldrea (S0093) uses Process Discovery (T1057)"
},
{
"meta": {
"source-uuid": "00c3bfcb-99bd-4767-8c03-b08f585f5c8a",
"target-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a"
},
"uuid": "1c677f35-b73b-47bc-b162-1fd036a38def",
"value": "PowerDuke (S0139) uses Obfuscated Files or Information (T1027)"
},
{
"meta": {
"source-uuid": "fb366179-766c-4a4a-afa1-52bff1fd601c",
"target-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81"
},
"uuid": "78f237da-f58b-4849-b2ee-cf1f3f7a1a42",
"value": "Threat Group-3390 (G0027) uses Valid Accounts (T1078)"
},
{
"meta": {
"source-uuid": "c5947e1c-1cbc-434c-94b8-27c7e3be0fff",
"target-uuid": "0f20e3cb-245b-4a61-8a91-2d93f7cb0e9b"
},
"uuid": "05e05236-1635-48d7-8ee3-33319c01c815",
"value": "Winnti Group (G0044) uses Rootkit (T1014)"
},
{
"meta": {
"source-uuid": "b6b3dfc7-9a81-43ff-ac04-698bad48973a",
"target-uuid": "4b74a1d4-b0e9-4ef1-93f1-14ecc6e2f5b5"
},
"uuid": "ce9dbe5b-1b16-41d6-a7af-a2a1b33c4552",
"value": "Daserf (S0187) uses Standard Cryptographic Protocol (T1032)"
},
{
"meta": {
"source-uuid": "8f5e8dc7-739d-4f5e-a8a1-a66e004d7063",
"target-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22"
},
"uuid": "1c7b9a1b-e874-4881-884a-e3c3d1fd8aed",
"value": "Cleaver (G0003) uses Credential Dumping (T1003)"
},
{
"meta": {
"source-uuid": "9e729a7e-0dd6-4097-95bf-db8d64911383",
"target-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2"
},
"uuid": "37c94531-1e56-4640-93fd-e9fd65da4f80",
"value": "Darkhotel (G0012) uses Input Capture (T1056)"
},
{
"meta": {
"source-uuid": "5be33fef-39c0-4532-84ee-bea31e1b5324",
"target-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c"
},
"uuid": "566d783a-2d86-4b9a-8ca0-5013de5f7fb4",
"value": "ISMInjector (S0189) uses Deobfuscate/Decode Files or Information (T1140)"
},
{
"meta": {
"source-uuid": "2fb26586-2b53-4b9a-ad4f-2b3bcb9a2421",
"target-uuid": "970cdb5c-02fb-4c38-b17e-d6327cf3c810"
},
"uuid": "79ecf1f6-a17d-4374-a84c-811669e39261",
"value": "SslMM (S0058) uses Shortcut Modification (T1023)"
},
{
"meta": {
"source-uuid": "af2ad3b7-ab6a-4807-91fd-51bcaff9acbb",
"target-uuid": "64196062-5210-42c3-9a02-563a0d1797ef"
},
"uuid": "c612eb88-d7e0-46cc-a9bc-d0da2977ff00",
"value": "USBStealer (S0136) uses Communication Through Removable Media (T1092)"
},
{
"meta": {
"source-uuid": "2f1a9fd0-3b7c-4d77-a358-78db13adbe78",
"target-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688"
},
"uuid": "b2b873cd-8618-426e-9cae-9e6755acafad",
"value": "EvilGrab (S0152) uses Screen Capture (T1113)"
},
{
"meta": {
"source-uuid": "9ca488bd-9587-48ef-b923-1743523e63b2",
"target-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6"
},
"uuid": "a403648d-4c23-46bd-9688-1face1407b42",
"value": "SOUNDBITE (S0157) uses Standard Application Layer Protocol (T1071)"
},
{
"meta": {
"source-uuid": "93f52415-0fe4-4d3d-896c-fc9b8e88ab90",
"target-uuid": "72b74d71-8169-42aa-92e0-e7b04b9f5a08"
},
"uuid": "fa155ccc-b9db-48f6-bb1a-a367596668ad",
"value": "BRONZE BUTLER (G0060) uses Account Discovery (T1087)"
},
{
"meta": {
"source-uuid": "5a63f900-5e7e-4928-a746-dd4558e1df71",
"target-uuid": "731f4f55-b6d0-41d1-a7a9-072a66389aea"
},
"uuid": "69c1806d-e6ae-4c11-bce6-8fbebd8bbee5",
"value": "netsh (S0108) uses Connection Proxy (T1090)"
},
{
"meta": {
"source-uuid": "0bbdf25b-30ff-4894-a1cd-49260d0dd2d9",
"target-uuid": "c848fcf7-6b62-4bde-8216-b6c157d48da0"
},
"uuid": "e7379230-882e-4b5c-bee1-629e9028e97f",
"value": "APT3 (G0022) uses Uncommonly Used Port (T1065)"
},
{
"meta": {
"source-uuid": "09b2cd76-c674-47cc-9f57-d2f2ad150a46",
"target-uuid": "f4882e23-8aa7-4b12-b28a-b349c12ee9e0"
},
"uuid": "b4c7e12f-6921-4007-ab15-595969bf9eca",
"value": "POWRUNER (S0184) uses PowerShell (T1086)"
},
{
"meta": {
"source-uuid": "687c23e4-4e25-4ee7-a870-c5e002511f54",
"target-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6"
},
"uuid": "2892eada-7633-4428-80e0-0e965d5faf5c",
"value": "DustySky (S0062) uses Standard Application Layer Protocol (T1071)"
},
{
"meta": {
"source-uuid": "8f5e8dc7-739d-4f5e-a8a1-a66e004d7063",
"target-uuid": "c0c45d38-fe57-4cd4-b2b2-9ecd0ddd4ca9"
},
"uuid": "49957d89-7449-476a-b542-d7811a86c230",
"value": "Cleaver (G0003) uses TinyZBot (S0004)"
},
{
"meta": {
"source-uuid": "199463de-d9be-46d6-bb41-07234c1dd5a6",
"target-uuid": "7bc57495-ea59-4380-be31-a64af124ef18"
},
"uuid": "1b3cc0cb-de43-405b-bfa5-f0bececabf8c",
"value": "GeminiDuke (S0049) uses File and Directory Discovery (T1083)"
},
{
"meta": {
"source-uuid": "3240cbe4-c550-443b-aa76-cc2a7058b870",
"target-uuid": "4b74a1d4-b0e9-4ef1-93f1-14ecc6e2f5b5"
},
"uuid": "f02f0a58-a76b-4966-8717-8a9b40b07e81",
"value": "SNUGRIDE (S0159) uses Standard Cryptographic Protocol (T1032)"
},
{
"meta": {
"source-uuid": "6713ab67-e25b-49cc-808d-2b36d4fbc35c",
"target-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580"
},
"uuid": "c7e6d4a6-8d99-4134-848a-f4f712eb4316",
"value": "Ke3chang (G0004) uses Process Discovery (T1057)"
},
{
"meta": {
"source-uuid": "69d6f4a9-fcf0-4f51-bca7-597c51ad0bb8",
"target-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580"
},
"uuid": "3076f49e-0db2-4652-a07d-653027aeef1e",
"value": "Remsec (S0125) uses Process Discovery (T1057)"
},
{
"meta": {
"source-uuid": "fbe9387f-34e6-4828-ac28-3080020c597b",
"target-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104"
},
"uuid": "3d602fec-cf94-4aa4-a4d9-cad286e6881f",
"value": "FIN10 (G0051) uses System Owner/User Discovery (T1033)"
},
{
"meta": {
"source-uuid": "26fed817-e7bf-41f9-829a-9075ffac45c2",
"target-uuid": "2e0dd10b-676d-4964-acd0-8a404c92b044"
},
"uuid": "f81df2c8-1edd-4734-a1c9-cca6e4c56607",
"value": "Kasidet (S0088) uses Disabling Security Tools (T1089)"
},
{
"meta": {
"source-uuid": "5a84dc36-df0d-4053-9b7c-f0c388a57283",
"target-uuid": "830c9528-df21-472c-8c14-a036bf17d665"
},
"uuid": "2244e21e-b7f6-476f-8f58-67db772f9736",
"value": "CALENDAR (S0025) uses Web Service (T1102)"
},
{
"meta": {
"source-uuid": "0f862b01-99da-47cc-9bdb-db4a86a95bb1",
"target-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6"
},
"uuid": "73171e71-b769-41ff-874a-ff76da43541f",
"value": "Emissary (S0082) uses Standard Application Layer Protocol (T1071)"
},
{
"meta": {
"source-uuid": "bef4c620-0787-42a8-a96d-b7eb6e85917c",
"target-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580"
},
"uuid": "51d06864-d5de-4286-b2bb-561a8d2c4d49",
"value": "APT28 (G0007) uses Process Discovery (T1057)"
},
{
"meta": {
"source-uuid": "a0cb9370-e39b-44d5-9f50-ef78e412b973",
"target-uuid": "9b99b83a-1aac-4e29-b975-b374950551a3"
},
"uuid": "b9f4c6ef-d0bd-4651-9445-4705e1fd85f2",
"value": "Axiom (G0001) uses Accessibility Features (T1015)"
},
{
"meta": {
"source-uuid": "894aab42-3371-47b1-8859-a4a074c804c8",
"target-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580"
},
"uuid": "4de2ac9b-4e51-4d73-8fe3-d7d1659778b8",
"value": "Stealth Falcon (G0038) uses Process Discovery (T1057)"
},
{
"meta": {
"source-uuid": "6b616fc1-1505-48e3-8b2c-0d19337bff38",
"target-uuid": "7bc57495-ea59-4380-be31-a64af124ef18"
},
"uuid": "e90717f3-fad2-4978-be15-7dfb647d034d",
"value": "Rover (S0090) uses File and Directory Discovery (T1083)"
},
{
"meta": {
"source-uuid": "247cb30b-955f-42eb-97a5-a89fef69341e",
"target-uuid": "f4882e23-8aa7-4b12-b28a-b349c12ee9e0"
},
"uuid": "5f00edf9-fcfc-4514-8d06-bc69f91f9260",
"value": "APT32 (G0050) uses PowerShell (T1086)"
},
{
"meta": {
"source-uuid": "40d3e230-ed32-469f-ba89-be70cc08ab39",
"target-uuid": "e6415f09-df0e-48de-9aba-928c902b7549"
},
"uuid": "8b96fb11-8b54-4bed-9e6c-cd93b29c5c20",
"value": "Agent.btz (S0092) uses Exfiltration Over Physical Medium (T1052)"
},
{
"meta": {
"source-uuid": "3753cc21-2dae-4dfb-8481-d004e74502cc",
"target-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add"
},
"uuid": "b077d81d-0449-493f-9b93-23dc0fb0b62d",
"value": "FIN7 (G0046) uses Remote File Copy (T1105)"
},
{
"meta": {
"source-uuid": "0b32ec39-ba61-4864-9ebe-b4b0b73caf9a",
"target-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add"
},
"uuid": "af4d45e1-1aa4-444c-b176-31df7aaf9374",
"value": "TDTESS (S0164) uses Remote File Copy (T1105)"
},
{
"meta": {
"source-uuid": "bef4c620-0787-42a8-a96d-b7eb6e85917c",
"target-uuid": "ad255bfe-a9e6-4b52-a258-8d3462abe842"
},
"uuid": "dc10e96f-1d3c-4ab9-8df6-acdc8238ec6c",
"value": "APT28 (G0007) uses Data Obfuscation (T1001)"
},
{
"meta": {
"source-uuid": "96e239be-ad99-49eb-b127-3007b8c1bec9",
"target-uuid": "10d5f3b7-6be6-4da5-9a77-0f1e2bbfcc44"
},
"uuid": "51006a56-a1fa-4467-b930-6488de0d32bd",
"value": "Equation (G0020) uses Component Firmware (T1109)"
},
{
"meta": {
"source-uuid": "bba595da-b73a-4354-aa6c-224d4de7cb4e",
"target-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59"
},
"uuid": "d7d3cf5c-e541-4639-95c6-8cdea60b084d",
"value": "cmd (S0106) uses File Deletion (T1107)"
},
{
"meta": {
"source-uuid": "899ce53f-13a0-479b-a0e4-67d46e241542",
"target-uuid": "cbf646f1-7db5-4dc6-808b-0094313949df"
},
"uuid": "a7180b8e-c580-49ab-bbfb-e56e8ab48823",
"value": "APT29 (G0016) uses CloudDuke (S0054)"
},
{
"meta": {
"source-uuid": "c93fccb1-e8e8-42cf-ae33-2ad1d183913a",
"target-uuid": "51dea151-0898-4a45-967c-3ebee0420484"
},
"uuid": "c79796c1-88d6-4cd8-95d3-4f81d3755859",
"value": "Lazarus Group (G0032) uses Remote Desktop Protocol (T1076)"
},
{
"meta": {
"source-uuid": "222fbd21-fc4f-4b7e-9f85-0e6e3a76c33f",
"target-uuid": "afc079f3-c0ea-4096-b75d-3f05338b7f60"
},
"uuid": "51372934-2c81-4db7-aa38-cbb173698cc2",
"value": "menuPass (G0045) uses Mimikatz (S0002)"
},
{
"meta": {
"source-uuid": "aafea02e-ece5-4bb2-91a6-3bf8c7f38a39",
"target-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6"
},
"uuid": "5909e6e9-c620-4278-9bdc-113f09e5799b",
"value": "Cobalt Strike (S0154) uses Standard Application Layer Protocol (T1071)"
},
{
"meta": {
"source-uuid": "55033a4d-3ffe-46b2-99b4-2c1541e9ce1c",
"target-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81"
},
"uuid": "58882b0d-0f4a-4e12-b8c1-f43c53fd96f4",
"value": "Carbanak (G0008) uses Valid Accounts (T1078)"
},
{
"meta": {
"source-uuid": "54cc1d4f-5c53-4f0e-9ef5-11b4998e82e4",
"target-uuid": "ffe742ed-9100-4686-9e00-c331da544787"
},
"uuid": "53d7b242-3ed6-4281-9829-e25d425e28fe",
"value": "BlackEnergy (S0089) uses Windows Admin Shares (T1077)"
},
{
"meta": {
"source-uuid": "f9d6633a-55e6-4adc-9263-6ae080421a13",
"target-uuid": "c848fcf7-6b62-4bde-8216-b6c157d48da0"
},
"uuid": "35b912d8-bf46-4dec-b2eb-c48c0056af6e",
"value": "Magic Hound (G0059) uses Uncommonly Used Port (T1065)"
},
{
"meta": {
"source-uuid": "687c23e4-4e25-4ee7-a870-c5e002511f54",
"target-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1"
},
"uuid": "c008b7f3-0507-4987-a7e4-8c4d57cb4ca5",
"value": "DustySky (S0062) uses System Information Discovery (T1082)"
},
{
"meta": {
"source-uuid": "f9d6633a-55e6-4adc-9263-6ae080421a13",
"target-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1"
},
"uuid": "b60dcc78-83b0-4fe2-b874-6f22f99b6087",
"value": "Magic Hound (G0059) uses System Information Discovery (T1082)"
},
{
"meta": {
"source-uuid": "60c18d06-7b91-4742-bae3-647845cd9d81",
"target-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1"
},
"uuid": "5301c007-7c00-4b4d-b355-864db8de052f",
"value": "CORESHELL (S0137) uses System Information Discovery (T1082)"
},
{
"meta": {
"source-uuid": "899ce53f-13a0-479b-a0e4-67d46e241542",
"target-uuid": "799ace7f-e227-4411-baa0-8868704f2a69"
},
"uuid": "5bda4ebe-cd21-469e-9495-952df7254f17",
"value": "APT29 (G0016) uses Indicator Removal on Host (T1070)"
},
{
"meta": {
"source-uuid": "899ce53f-13a0-479b-a0e4-67d46e241542",
"target-uuid": "00c3bfcb-99bd-4767-8c03-b08f585f5c8a"
},
"uuid": "da3a85c7-7590-48b1-8a22-2f8b00060f83",
"value": "APT29 (G0016) uses PowerDuke (S0139)"
},
{
"meta": {
"source-uuid": "0bbdf25b-30ff-4894-a1cd-49260d0dd2d9",
"target-uuid": "6ff403bc-93e3-48be-8687-e102fdba8c88"
},
"uuid": "ef1cdbe7-29c9-4be9-a3f7-96e5b7bae031",
"value": "APT3 (G0022) uses Software Packing (T1045)"
},
{
"meta": {
"source-uuid": "66b1dcde-17a0-4c7b-95fa-b08d430c2131",
"target-uuid": "f879d51c-5476-431c-aedf-f14d207e4d1e"
},
"uuid": "09e8b282-61ee-4107-94f5-d03e28199fe9",
"value": "S-Type (S0085) uses Commonly Used Port (T1043)"
},
{
"meta": {
"source-uuid": "d5dce4b9-f1fa-4c03-aff9-ce177246cb64",
"target-uuid": "f44731de-ea9f-406d-9b83-30ecbb9b4392"
},
"uuid": "87131e3c-9d73-4910-a56d-f917d6660a7d",
"value": "Service Execution Mitigation (T1035) mitigates Service Execution (T1035)"
},
{
"meta": {
"source-uuid": "96b08451-b27a-4ff6-893f-790e26393a8e",
"target-uuid": "62b8c999-dcc0-4755-bd69-09442d9359f5"
},
"uuid": "a79ff150-e765-4303-9668-ff553d6000cd",
"value": "Sakula (S0074) uses Rundll32 (T1085)"
},
{
"meta": {
"source-uuid": "64d76fa5-cf8f-469c-b78c-1a4f7c5bad80",
"target-uuid": "7bc57495-ea59-4380-be31-a64af124ef18"
},
"uuid": "8beb37e3-5cf0-4229-ae27-186a37133521",
"value": "BBSRAT (S0127) uses File and Directory Discovery (T1083)"
},
{
"meta": {
"source-uuid": "37cc7eb6-12e3-467b-82e8-f20f2cc73c69",
"target-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688"
},
"uuid": "290c4e3b-00be-411f-b0c8-919e85e08a49",
"value": "Prikormka (S0113) uses Screen Capture (T1113)"
},
{
"meta": {
"source-uuid": "5a3a31fe-5a8f-48e1-bff0-a753e5b1be70",
"target-uuid": "c16e5409-ee53-4d79-afdc-4099dc9292df"
},
"uuid": "bea7bd3c-1251-4858-8957-a6dc3bb840d2",
"value": "China Chopper (S0020) uses Web Shell (T1100)"
},
{
"meta": {
"source-uuid": "00c3bfcb-99bd-4767-8c03-b08f585f5c8a",
"target-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830"
},
"uuid": "e465e173-04d8-4a2b-8953-a2fa3b44aec0",
"value": "PowerDuke (S0139) uses Command-Line Interface (T1059)"
},
{
"meta": {
"source-uuid": "93f52415-0fe4-4d3d-896c-fc9b8e88ab90",
"target-uuid": "e358d692-23c0-4a31-9eb6-ecc13a8d7735"
},
"uuid": "95805281-96b1-49ea-95ee-9d654178c5c3",
"value": "BRONZE BUTLER (G0060) uses Remote System Discovery (T1018)"
},
{
"meta": {
"source-uuid": "ace4daee-f914-4707-be75-843f16da2edf",
"target-uuid": "44dca04b-808d-46ca-b25f-d85236d4b9f8"
},
"uuid": "9952a93f-d009-48e5-a618-8e8f97a55685",
"value": "Bash History Mitigation (T1139) mitigates Bash History (T1139)"
},
{
"meta": {
"source-uuid": "b143dfa4-e944-43ff-8429-bfffc308c517",
"target-uuid": "3b3cbbe0-6ed3-4334-b543-3ddfd8c5642d"
},
"uuid": "cf859589-38ac-4152-b206-08740ccf503b",
"value": "Taidoor (S0011) uses Custom Cryptographic Protocol (T1024)"
},
{
"meta": {
"source-uuid": "1c0711c8-2a73-48a1-893d-ff88bcd23824",
"target-uuid": "4eeaf8a9-c86b-4954-a663-9555fb406466"
},
"uuid": "130275cb-368e-4168-a4bf-60b39566bc50",
"value": "Scheduled Transfer Mitigation (T1029) mitigates Scheduled Transfer (T1029)"
},
{
"meta": {
"source-uuid": "eff1a885-6f90-42a1-901f-eef6e7a1905e",
"target-uuid": "1b84d551-6de8-4b96-9930-d177677c3b1d"
},
"uuid": "259a5116-2492-4d7b-b300-1cf9b8c79f00",
"value": "Helminth (S0170) uses Code Signing (T1116)"
},
{
"meta": {
"source-uuid": "876f6a77-fbc5-4e13-ab1a-5611986730a3",
"target-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0"
},
"uuid": "0649f7fd-3aa1-4646-a7a4-2334088c6c74",
"value": "T9000 (S0098) uses System Network Configuration Discovery (T1016)"
},
{
"meta": {
"source-uuid": "bba595da-b73a-4354-aa6c-224d4de7cb4e",
"target-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1"
},
"uuid": "745106bb-3641-488e-ae1c-547cd6ea9b7a",
"value": "cmd (S0106) uses System Information Discovery (T1082)"
},
{
"meta": {
"source-uuid": "fb366179-766c-4a4a-afa1-52bff1fd601c",
"target-uuid": "a60657fa-e2e7-4f8f-8128-a882534ae8c5"
},
"uuid": "614c18a5-2cee-48ac-898d-e1b85a91e44d",
"value": "Threat Group-3390 (G0027) uses OwaAuth (S0072)"
},
{
"meta": {
"source-uuid": "bba595da-b73a-4354-aa6c-224d4de7cb4e",
"target-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830"
},
"uuid": "fb60b027-facd-4be2-b8b2-0fb9351ea235",
"value": "cmd (S0106) uses Command-Line Interface (T1059)"
},
{
"meta": {
"source-uuid": "5e7ef1dc-7fb6-4913-ac75-e06113b59e0c",
"target-uuid": "830c9528-df21-472c-8c14-a036bf17d665"
},
"uuid": "1f972385-7f1c-4cbd-a071-951973e6d229",
"value": "MiniDuke (S0051) uses Web Service (T1102)"
},
{
"meta": {
"source-uuid": "8901ac23-6b50-410c-b0dd-d8174a86f9b3",
"target-uuid": "f44731de-ea9f-406d-9b83-30ecbb9b4392"
},
"uuid": "73a53379-746e-46db-b101-1fc45df5e458",
"value": "Shamoon (S0140) uses Service Execution (T1035)"
},
{
"meta": {
"source-uuid": "ff6840c9-4c87-4d07-bbb6-9f50aa33d498",
"target-uuid": "3b744087-9945-4a6f-91e8-9dbceda417a4"
},
"uuid": "00b0af92-df59-4d56-ac3e-18f6f1f72957",
"value": "Flame (S0143) uses Replication Through Removable Media (T1091)"
},
{
"meta": {
"source-uuid": "1c63d4ec-0a75-4daa-b1df-0d11af3d3cc1",
"target-uuid": "82cb34ba-02b5-432b-b2d2-07f55cbf674d"
},
"uuid": "fa9a8640-75e5-458c-99c0-e5e85aa32a77",
"value": "Dragonfly (G0035) uses Trojan.Karagany (S0094)"
},
{
"meta": {
"source-uuid": "cf23bf4a-e003-4116-bbae-1ea6c558d565",
"target-uuid": "a19e86f8-1c0a-4fea-8407-23b73d615776"
},
"uuid": "ac3ee298-bef0-4a52-9050-3dcef1701408",
"value": "FTP (S0095) uses Exfiltration Over Alternative Protocol (T1048)"
},
{
"meta": {
"source-uuid": "ccd61dfc-b03f-4689-8c18-7c97eab08472",
"target-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830"
},
"uuid": "2fa20fad-4ede-42f4-8ce5-7f5a6ce83ed8",
"value": "CHOPSTICK (S0023) uses Command-Line Interface (T1059)"
},
{
"meta": {
"source-uuid": "72f54d66-675d-4587-9bd3-4ed09f9522e4",
"target-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2"
},
"uuid": "82384148-90fd-4bfa-a734-e9c8b37b584f",
"value": "Carbanak (S0030) uses Input Capture (T1056)"
},
{
"meta": {
"source-uuid": "b2203c59-4089-4ee4-bfe1-28fa25f0dbfe",
"target-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59"
},
"uuid": "171380bf-41ff-43da-86fe-c131f5f7b97b",
"value": "Cherry Picker (S0107) uses File Deletion (T1107)"
},
{
"meta": {
"source-uuid": "68dca94f-c11d-421e-9287-7c501108e18c",
"target-uuid": "1c338d0f-a65e-4073-a5c1-c06878849f21"
},
"uuid": "f64acb43-91b8-431a-ad0a-ad22afe5851a",
"value": "Duqu (S0038) uses Process Hollowing (T1093)"
},
{
"meta": {
"source-uuid": "26fed817-e7bf-41f9-829a-9075ffac45c2",
"target-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2"
},
"uuid": "e45cdf20-e182-4346-8c98-a48575282ae6",
"value": "Kasidet (S0088) uses Input Capture (T1056)"
},
{
"meta": {
"source-uuid": "2a7914cf-dff3-428d-ab0f-1014d1c28aeb",
"target-uuid": "7fd87010-3a00-4da3-b905-410525e8ec44"
},
"uuid": "1f764874-0e08-4799-9487-a9e12c499c13",
"value": "FIN6 (G0037) uses Scripting (T1064)"
},
{
"meta": {
"source-uuid": "ec418d1b-4963-439f-b055-f914737ef362",
"target-uuid": "f792d02f-813d-402b-86a5-ab98cb391d3b"
},
"uuid": "0ac55ad4-0f16-416e-bf88-67ee1aad85ab",
"value": "InstallUtil Mitigation (T1118) mitigates InstallUtil (T1118)"
},
{
"meta": {
"source-uuid": "94379dec-5c87-49db-b36e-66abc0b81344",
"target-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d"
},
"uuid": "7fd4fe68-0f2a-485c-9b10-6847428ef5da",
"value": "Derusbi (S0021) uses Process Injection (T1055)"
},
{
"meta": {
"source-uuid": "8ae43c46-57ef-47d5-a77a-eebb35628db2",
"target-uuid": "9b52fca7-1a36-4da0-b62d-da5bd83b4d69"
},
"uuid": "988cb889-b385-4e8f-be06-7d41c4da0dd7",
"value": "JHUHUGIT (S0044) uses Component Object Model Hijacking (T1122)"
},
{
"meta": {
"source-uuid": "222fbd21-fc4f-4b7e-9f85-0e6e3a76c33f",
"target-uuid": "7e150503-88e7-4861-866b-ff1ac82c4475"
},
"uuid": "12ea66f1-566a-404f-a948-f76b9047710e",
"value": "menuPass (G0045) uses System Network Connections Discovery (T1049)"
},
{
"meta": {
"source-uuid": "09b2cd76-c674-47cc-9f57-d2f2ad150a46",
"target-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896"
},
"uuid": "d078f862-c090-4e79-808b-ff69887a920c",
"value": "POWRUNER (S0184) uses Query Registry (T1012)"
},
{
"meta": {
"source-uuid": "afc079f3-c0ea-4096-b75d-3f05338b7f60",
"target-uuid": "6c174520-beea-43d9-aac6-28fb77f3e446"
},
"uuid": "41f04732-8fdc-4b2f-9e22-7b78ff650e5d",
"value": "Mimikatz (S0002) uses Security Support Provider (T1101)"
},
{
"meta": {
"source-uuid": "402e92cd-5608-4f4b-9a34-a2c962e4bcd7",
"target-uuid": "e99ec083-abdd-48de-ad87-4dbf6f8ba2a4"
},
"uuid": "a6a8e3e4-faa7-4c9f-9460-fabbbc8c844c",
"value": "Launch Daemon Mitigation (T1160) mitigates Launch Daemon (T1160)"
},
{
"meta": {
"source-uuid": "85403903-15e0-4f9f-9be4-a259ecad4022",
"target-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81"
},
"uuid": "e25b4146-2f52-4c5b-a1f8-3e868e767f84",
"value": "FIN5 (G0053) uses Valid Accounts (T1078)"
},
{
"meta": {
"source-uuid": "56db6ccc-433d-4411-8383-c3fd7053e2c8",
"target-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670"
},
"uuid": "678be242-66fd-40b8-bbf1-24c3dda77895",
"value": "Execution through API Mitigation (T1106) mitigates Execution through API (T1106)"
},
{
"meta": {
"source-uuid": "899ce53f-13a0-479b-a0e4-67d46e241542",
"target-uuid": "ed7d0cb1-87a6-43b4-9f46-ef1bc56d6c68"
},
"uuid": "bd5b6f31-2248-4af8-8e8e-e3273aaa57e4",
"value": "APT29 (G0016) uses Tor (S0183)"
},
{
"meta": {
"source-uuid": "fece06b7-d4b1-42cf-b81a-5323c917546e",
"target-uuid": "3b3cbbe0-6ed3-4334-b543-3ddfd8c5642d"
},
"uuid": "35f02c40-d46f-44fa-8ba2-5106357494b4",
"value": "FALLCHILL (S0181) uses Custom Cryptographic Protocol (T1024)"
},
{
"meta": {
"source-uuid": "b77b563c-34bb-4fb8-86a3-3694338f7b47",
"target-uuid": "e358d692-23c0-4a31-9eb6-ecc13a8d7735"
},
"uuid": "9b2356e1-6544-40a7-a694-8ac36a1da1b7",
"value": "Ping (S0097) uses Remote System Discovery (T1018)"
},
{
"meta": {
"source-uuid": "bef4c620-0787-42a8-a96d-b7eb6e85917c",
"target-uuid": "a1dd2dbd-1550-44bf-abcc-1a4c52e97719"
},
"uuid": "89363ca8-1cf3-4c40-972c-6e2787a05b43",
"value": "APT28 (G0007) uses Responder (S0174)"
},
{
"meta": {
"source-uuid": "cde2d700-9ed1-46cf-9bce-07364fe8b24f",
"target-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896"
},
"uuid": "5365d764-76fa-49ce-b76b-d0344322b037",
"value": "Reg (S0075) uses Query Registry (T1012)"
},
{
"meta": {
"source-uuid": "17b40f60-729f-4fe8-8aea-cc9ee44a95d5",
"target-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6"
},
"uuid": "c33c2a0f-eb88-43ef-be7b-6311bef2da3d",
"value": "RedLeaves (S0153) uses Standard Application Layer Protocol (T1071)"
},
{
"meta": {
"source-uuid": "894aab42-3371-47b1-8859-a4a074c804c8",
"target-uuid": "7fd87010-3a00-4da3-b905-410525e8ec44"
},
"uuid": "0d63f3cf-bace-4210-9b76-199c5cdb8764",
"value": "Stealth Falcon (G0038) uses Scripting (T1064)"
},
{
"meta": {
"source-uuid": "76abb3ef-dafd-4762-97cb-a35379429db4",
"target-uuid": "2892b9ee-ca9f-4723-b332-0dc6e843a8ae"
},
"uuid": "b4f8c479-aab5-481d-aa04-922677da108a",
"value": "Gazer (S0168) uses Screensaver (T1180)"
},
{
"meta": {
"source-uuid": "0bbdf25b-30ff-4894-a1cd-49260d0dd2d9",
"target-uuid": "7e150503-88e7-4861-866b-ff1ac82c4475"
},
"uuid": "4d82bac6-ec9d-4f4b-a471-169728a830a4",
"value": "APT3 (G0022) uses System Network Connections Discovery (T1049)"
},
{
"meta": {
"source-uuid": "7343e208-7cab-45f2-a47b-41ba5e2f0fab",
"target-uuid": "731f4f55-b6d0-41d1-a7a9-072a66389aea"
},
"uuid": "d3234cf8-0ef7-4447-ae3a-9624f3229265",
"value": "XTunnel (S0117) uses Connection Proxy (T1090)"
},
{
"meta": {
"source-uuid": "8e461ca3-0996-4e6e-a0df-e2a5bbc51ebc",
"target-uuid": "7bc57495-ea59-4380-be31-a64af124ef18"
},
"uuid": "26968975-5f01-4b4b-9cdc-ef3b76710304",
"value": "4H RAT (S0065) uses File and Directory Discovery (T1083)"
},
{
"meta": {
"source-uuid": "ae41895a-243f-4a65-b99b-d85022326c31",
"target-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a"
},
"uuid": "86461465-cb29-4fc9-8fa8-8956c0f94536",
"value": "Dust Storm (G0031) uses Obfuscated Files or Information (T1027)"
},
{
"meta": {
"source-uuid": "c93fccb1-e8e8-42cf-ae33-2ad1d183913a",
"target-uuid": "5a63f900-5e7e-4928-a746-dd4558e1df71"
},
"uuid": "9f62c4e4-02d4-497b-8039-cc4e816386a5",
"value": "Lazarus Group (G0032) uses netsh (S0108)"
},
{
"meta": {
"source-uuid": "94379dec-5c87-49db-b36e-66abc0b81344",
"target-uuid": "128c55d3-aeba-469f-bd3e-c8996ab4112a"
},
"uuid": "60137eb6-ed8c-41ce-bf75-6b45cdafe751",
"value": "Derusbi (S0021) uses Timestomp (T1099)"
},
{
"meta": {
"source-uuid": "0f862b01-99da-47cc-9bdb-db4a86a95bb1",
"target-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d"
},
"uuid": "106aae81-fab1-42b3-97b0-4f0c1d67c896",
"value": "Emissary (S0082) uses Process Injection (T1055)"
},
{
"meta": {
"source-uuid": "af2ad3b7-ab6a-4807-91fd-51bcaff9acbb",
"target-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59"
},
"uuid": "e5efa7ca-3e2a-4f08-ac2c-f5f317c9caf7",
"value": "USBStealer (S0136) uses File Deletion (T1107)"
},
{
"meta": {
"source-uuid": "277d2f87-2ae5-4730-a3aa-50c1fdff9656",
"target-uuid": "69d6f4a9-fcf0-4f51-bca7-597c51ad0bb8"
},
"uuid": "edea5971-fc27-4637-8de9-aabcd50784a7",
"value": "Strider (G0041) uses Remsec (S0125)"
},
{
"meta": {
"source-uuid": "7551188b-8f91-4d34-8350-0d0c57b2b913",
"target-uuid": "4b74a1d4-b0e9-4ef1-93f1-14ecc6e2f5b5"
},
"uuid": "1a028242-1896-4867-a691-c97867f1663d",
"value": "Elise (S0081) uses Standard Cryptographic Protocol (T1032)"
},
{
"meta": {
"source-uuid": "94379dec-5c87-49db-b36e-66abc0b81344",
"target-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1"
},
"uuid": "5d2ca571-9e66-4949-b3a1-978c47398b18",
"value": "Derusbi (S0021) uses System Information Discovery (T1082)"
},
{
"meta": {
"source-uuid": "0b32ec39-ba61-4864-9ebe-b4b0b73caf9a",
"target-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59"
},
"uuid": "0061f7aa-fe4e-41e5-8ebf-e9f526bda08f",
"value": "TDTESS (S0164) uses File Deletion (T1107)"
},
{
"meta": {
"source-uuid": "68dca94f-c11d-421e-9287-7c501108e18c",
"target-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0"
},
"uuid": "dbf13cc5-f61b-41fd-96fa-d0bac20549bc",
"value": "Duqu (S0038) uses System Network Configuration Discovery (T1016)"
},
{
"meta": {
"source-uuid": "495b6cdb-7b5a-4fbc-8d33-e7ef68806d08",
"target-uuid": "62dfd1ca-52d5-483c-a84b-d6e80bf94b7b"
},
"uuid": "96a09c57-4848-464e-8649-142152c91db9",
"value": "Volgmer (S0180) uses Modify Existing Service (T1031)"
},
{
"meta": {
"source-uuid": "876f6a77-fbc5-4e13-ab1a-5611986730a3",
"target-uuid": "f3c544dc-673c-4ef3-accb-53229f1ae077"
},
"uuid": "0d2a66c5-fb8e-4cbb-9526-579b5c9c881c",
"value": "T9000 (S0098) uses System Time Discovery (T1124)"
},
{
"meta": {
"source-uuid": "222fbd21-fc4f-4b7e-9f85-0e6e3a76c33f",
"target-uuid": "e3a12395-188d-4051-9a16-ea8e14d07b88"
},
"uuid": "0d889b2d-eda4-45dc-99bf-c530b7d4b05f",
"value": "menuPass (G0045) uses Network Service Scanning (T1046)"
},
{
"meta": {
"source-uuid": "6a0ef5d4-fc7c-4dda-85d7-592e4dbdc5d9",
"target-uuid": "dd43c543-bb85-4a6f-aa6e-160d90d06a49"
},
"uuid": "2b6da092-7380-4bd3-bd4c-f136a5b9b4cc",
"value": "Sykipot (S0018) uses Two-Factor Authentication Interception (T1111)"
},
{
"meta": {
"source-uuid": "fb261c56-b80e-43a9-8351-c84081e7213d",
"target-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1"
},
"uuid": "16cb7ede-b431-4711-bcb1-91bc925663e5",
"value": "BACKSPACE (S0031) uses System Information Discovery (T1082)"
},
{
"meta": {
"source-uuid": "76abb3ef-dafd-4762-97cb-a35379429db4",
"target-uuid": "514ede4c-78b3-4d78-a38b-daddf6217a79"
},
"uuid": "07f83a39-8bb0-44f1-9c81-7291ba10dd03",
"value": "Gazer (S0168) uses Winlogon Helper DLL (T1004)"
},
{
"meta": {
"source-uuid": "7f8730af-f683-423f-9ee1-5f6875a80481",
"target-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104"
},
"uuid": "fea6e347-95f5-4d97-8781-4cc15d6b5b0c",
"value": "Sys10 (S0060) uses System Owner/User Discovery (T1033)"
},
{
"meta": {
"source-uuid": "dc5d1a33-62aa-4a0c-aa8c-589b87beb11e",
"target-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc"
},
"uuid": "2e44b66a-0f81-4f60-94aa-c450556bc243",
"value": "ChChes (S0144) uses Registry Run Keys / Start Folder (T1060)"
},
{
"meta": {
"source-uuid": "eff1a885-6f90-42a1-901f-eef6e7a1905e",
"target-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9"
},
"uuid": "09266cb7-26b3-4959-bcff-a91e309b5588",
"value": "Helminth (S0170) uses Scheduled Task (T1053)"
},
{
"meta": {
"source-uuid": "4e6b9625-bbda-4d96-a652-b3bb45453f26",
"target-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add"
},
"uuid": "b3831788-f18f-4315-997e-275e425c0d31",
"value": "RemoteCMD (S0166) uses Remote File Copy (T1105)"
},
{
"meta": {
"source-uuid": "66b1dcde-17a0-4c7b-95fa-b08d430c2131",
"target-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0"
},
"uuid": "11874e26-e692-43da-bb54-760e51a4714f",
"value": "S-Type (S0085) uses Masquerading (T1036)"
},
{
"meta": {
"source-uuid": "2e45723a-31da-4a7e-aaa6-e01998a6788f",
"target-uuid": "322bad5a-1c49-4d23-ab79-76d641794afa"
},
"uuid": "40c5a024-37db-478b-b90f-27f184bf8f60",
"value": "Tasklist (S0057) uses System Service Discovery (T1007)"
},
{
"meta": {
"source-uuid": "876f6a77-fbc5-4e13-ab1a-5611986730a3",
"target-uuid": "241814ae-de3f-4656-b49e-f9a80764d4b7"
},
"uuid": "74e84133-f84a-469a-bfd7-1a514af2f15e",
"value": "T9000 (S0098) uses Security Software Discovery (T1063)"
},
{
"meta": {
"source-uuid": "f9d6633a-55e6-4adc-9263-6ae080421a13",
"target-uuid": "f879d51c-5476-431c-aedf-f14d207e4d1e"
},
"uuid": "bb784f1f-fb42-4587-9fe2-9dd5c8dffa5c",
"value": "Magic Hound (G0059) uses Commonly Used Port (T1043)"
},
{
"meta": {
"source-uuid": "222fbd21-fc4f-4b7e-9f85-0e6e3a76c33f",
"target-uuid": "dc5d1a33-62aa-4a0c-aa8c-589b87beb11e"
},
"uuid": "845482a1-a062-407d-a83e-90d883d1d91b",
"value": "menuPass (G0045) uses ChChes (S0144)"
},
{
"meta": {
"source-uuid": "7a19ecb1-3c65-4de3-a230-993516aed6a6",
"target-uuid": "da5880b4-f7da-4869-85f2-e0aba84b8565"
},
"uuid": "35a9c64c-c305-46bf-a216-c8bb1b051614",
"value": "Turla (G0010) uses ComRAT (S0126)"
},
{
"meta": {
"source-uuid": "fb366179-766c-4a4a-afa1-52bff1fd601c",
"target-uuid": "72b74d71-8169-42aa-92e0-e7b04b9f5a08"
},
"uuid": "b2dbbb46-9659-4277-8753-c469c4bfe409",
"value": "Threat Group-3390 (G0027) uses Account Discovery (T1087)"
},
{
"meta": {
"source-uuid": "bef4c620-0787-42a8-a96d-b7eb6e85917c",
"target-uuid": "8ae43c46-57ef-47d5-a77a-eebb35628db2"
},
"uuid": "75d04175-c43d-46cd-be08-5f4c91f767ed",
"value": "APT28 (G0007) uses JHUHUGIT (S0044)"
},
{
"meta": {
"source-uuid": "9752aef4-a1f3-4328-929f-b64eb0536090",
"target-uuid": "d54416bd-0803-41ca-870a-ce1af7c05638"
},
"uuid": "53ad6525-7888-4651-bd43-c010b489ccc0",
"value": "RawPOS (S0169) uses Data Encrypted (T1022)"
},
{
"meta": {
"source-uuid": "17862c7d-9e60-48a0-b48e-da4dc4c3f6b0",
"target-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830"
},
"uuid": "c5da001c-2c17-4e83-8e5c-21863ead4bd9",
"value": "Patchwork (G0040) uses Command-Line Interface (T1059)"
},
{
"meta": {
"source-uuid": "2e290bfe-93b5-48ce-97d6-edcd6d32b7cf",
"target-uuid": "1b7ba276-eedc-4951-a762-0ceea2c030ec"
},
"uuid": "788e8246-d835-42c6-b8b4-7efad31e4a84",
"value": "Gamaredon Group (G0047) uses Data from Removable Media (T1025)"
},
{
"meta": {
"source-uuid": "7551188b-8f91-4d34-8350-0d0c57b2b913",
"target-uuid": "72b74d71-8169-42aa-92e0-e7b04b9f5a08"
},
"uuid": "c987dc63-ef3d-43aa-9344-bd9fd528c55d",
"value": "Elise (S0081) uses Account Discovery (T1087)"
},
{
"meta": {
"source-uuid": "a8d3d497-2da9-4797-8e0b-ed176be08654",
"target-uuid": "b2001907-166b-4d71-bb3c-9d26c871de09"
},
"uuid": "1bbb499c-81c8-4e94-8305-86b199e8298b",
"value": "Wingbird (S0176) uses DLL Side-Loading (T1073)"
},
{
"meta": {
"source-uuid": "5ce5392a-3a6c-4e07-9df3-9b6a9159ac45",
"target-uuid": "800bdfba-6d66-480f-9f45-15845c05cb5d"
},
"uuid": "0cde085d-12ca-4cde-a99c-c37d63d7dc2e",
"value": "Putter Panda (G0024) uses pngdowner (S0067)"
},
{
"meta": {
"source-uuid": "fece06b7-d4b1-42cf-b81a-5323c917546e",
"target-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1"
},
"uuid": "5dd257c0-c2cb-422a-9991-93ff667c5ad6",
"value": "FALLCHILL (S0181) uses System Information Discovery (T1082)"
},
{
"meta": {
"source-uuid": "fdb1ae84-7b00-4d3d-b7dc-c774beef6425",
"target-uuid": "a10641f4-87b4-45a3-a906-92a149cb2c27"
},
"uuid": "bb55d7e7-28af-4efd-8384-289f1a8b173e",
"value": "Account Manipulation Mitigation (T1098) mitigates Account Manipulation (T1098)"
},
{
"meta": {
"source-uuid": "f2cb6ce2-188d-4162-8feb-594f949b13dd",
"target-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9"
},
"uuid": "8bbb18a7-5eab-4832-beac-f52f30b54862",
"value": "Scheduled Task Mitigation (T1053) mitigates Scheduled Task (T1053)"
},
{
"meta": {
"source-uuid": "85403903-15e0-4f9f-9be4-a259ecad4022",
"target-uuid": "7fd87010-3a00-4da3-b905-410525e8ec44"
},
"uuid": "39590383-ba69-4d8f-9520-e893cd4ebcdf",
"value": "FIN5 (G0053) uses Scripting (T1064)"
},
{
"meta": {
"source-uuid": "9e729a7e-0dd6-4097-95bf-db8d64911383",
"target-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc"
},
"uuid": "d021d378-a5ff-4020-972c-cc9152e824b0",
"value": "Darkhotel (G0012) uses Registry Run Keys / Start Folder (T1060)"
},
{
"meta": {
"source-uuid": "9ea525fa-b0a9-4dde-84f2-bcea0137b3c1",
"target-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2"
},
"uuid": "0e58b447-7b3e-404c-b8e5-003734c34574",
"value": "MoonWind (S0149) uses Input Capture (T1056)"
},
{
"meta": {
"source-uuid": "2e45723a-31da-4a7e-aaa6-e01998a6788f",
"target-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580"
},
"uuid": "32a470e7-4bbc-43e8-ae8e-09b382dd441f",
"value": "Tasklist (S0057) uses Process Discovery (T1057)"
},
{
"meta": {
"source-uuid": "fb366179-766c-4a4a-afa1-52bff1fd601c",
"target-uuid": "e3a12395-188d-4051-9a16-ea8e14d07b88"
},
"uuid": "13d8aec7-3e49-41f8-b57c-475cdc0d9632",
"value": "Threat Group-3390 (G0027) uses Network Service Scanning (T1046)"
},
{
"meta": {
"source-uuid": "687c23e4-4e25-4ee7-a870-c5e002511f54",
"target-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2"
},
"uuid": "5e2e672a-02d4-4510-a629-942d44a558f1",
"value": "DustySky (S0062) uses Input Capture (T1056)"
},
{
"meta": {
"source-uuid": "fb575479-14ef-41e9-bfab-0b7cf10bec73",
"target-uuid": "f879d51c-5476-431c-aedf-f14d207e4d1e"
},
"uuid": "d3c8d1a9-9413-4633-9cbf-4bc34bb5054d",
"value": "ADVSTORESHELL (S0045) uses Commonly Used Port (T1043)"
},
{
"meta": {
"source-uuid": "bef4c620-0787-42a8-a96d-b7eb6e85917c",
"target-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688"
},
"uuid": "48f662fe-1ba2-4c19-b782-dd06d9fb67fa",
"value": "APT28 (G0007) uses Screen Capture (T1113)"
},
{
"meta": {
"source-uuid": "2f1a9fd0-3b7c-4d77-a358-78db13adbe78",
"target-uuid": "6faf650d-bf31-4eb4-802d-1000cf38efaf"
},
"uuid": "6782d7bb-5e81-4656-9445-fbd6ae1f2bdb",
"value": "EvilGrab (S0152) uses Video Capture (T1125)"
},
{
"meta": {
"source-uuid": "899ce53f-13a0-479b-a0e4-67d46e241542",
"target-uuid": "ae9d818d-95d0-41da-b045-9cabea1ca164"
},
"uuid": "02462741-4148-48b3-881b-1b813ce62fcc",
"value": "APT29 (G0016) uses PinchDuke (S0048)"
},
{
"meta": {
"source-uuid": "16ade1aa-0ea1-4bb7-88cc-9079df2ae756",
"target-uuid": "03342581-f790-4f03-ba41-e82e67392e23"
},
"uuid": "a36263d1-d109-4c94-930a-6be1e9615527",
"value": "admin@338 (G0018) uses Net (S0039)"
},
{
"meta": {
"source-uuid": "16dd03c6-0dfb-4d77-89cd-9ff3ee6e533d",
"target-uuid": "1035cdf2-3e5f-446f-a7a7-e8f6d7925967"
},
"uuid": "06cd0498-7ebb-41e6-9399-c43c82487540",
"value": "Audio Capture Mitigation (T1123) mitigates Audio Capture (T1123)"
},
{
"meta": {
"source-uuid": "fb366179-766c-4a4a-afa1-52bff1fd601c",
"target-uuid": "f879d51c-5476-431c-aedf-f14d207e4d1e"
},
"uuid": "b1e7f787-2d43-442b-8bd1-4fa064f089b2",
"value": "Threat Group-3390 (G0027) uses Commonly Used Port (T1043)"
},
{
"meta": {
"source-uuid": "c5947e1c-1cbc-434c-94b8-27c7e3be0fff",
"target-uuid": "1b84d551-6de8-4b96-9930-d177677c3b1d"
},
"uuid": "f28627be-fddd-455c-b001-abddaaa29fa7",
"value": "Winnti Group (G0044) uses Code Signing (T1116)"
},
{
"meta": {
"source-uuid": "bef4c620-0787-42a8-a96d-b7eb6e85917c",
"target-uuid": "62b8c999-dcc0-4755-bd69-09442d9359f5"
},
"uuid": "8f269f6c-9e8b-4296-ab47-2f60c9156b58",
"value": "APT28 (G0007) uses Rundll32 (T1085)"
},
{
"meta": {
"source-uuid": "dc5d1a33-62aa-4a0c-aa8c-589b87beb11e",
"target-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add"
},
"uuid": "92c901ce-5edb-417f-8af5-d569203e241c",
"value": "ChChes (S0144) uses Remote File Copy (T1105)"
},
{
"meta": {
"source-uuid": "687c23e4-4e25-4ee7-a870-c5e002511f54",
"target-uuid": "241814ae-de3f-4656-b49e-f9a80764d4b7"
},
"uuid": "ad50f322-18b6-43c7-bf6b-f77f4932fdad",
"value": "DustySky (S0062) uses Security Software Discovery (T1063)"
},
{
"meta": {
"source-uuid": "cb7bcf6f-085f-41db-81ee-4b68481661b5",
"target-uuid": "4b74a1d4-b0e9-4ef1-93f1-14ecc6e2f5b5"
},
"uuid": "bf8ae26c-c28c-4de7-a3e2-ad1a2851c1c0",
"value": "CallMe (S0077) uses Standard Cryptographic Protocol (T1032)"
},
{
"meta": {
"source-uuid": "92ec0cbd-2c30-44a2-b270-73f4ec949841",
"target-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59"
},
"uuid": "fe4ed27a-6d45-4e6a-bbc0-7ebe15a38046",
"value": "RTM (S0148) uses File Deletion (T1107)"
},
{
"meta": {
"source-uuid": "5cbe0d3b-6fb1-471f-b591-4b192915116d",
"target-uuid": "9e9b9415-a7df-406b-b14d-92bfe6809fbe"
},
"uuid": "01b924d7-42dd-412f-a9af-cabcb46512ea",
"value": "Suckfly (G0039) uses Nidiran (S0118)"
},
{
"meta": {
"source-uuid": "9752aef4-a1f3-4328-929f-b64eb0536090",
"target-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5"
},
"uuid": "92fb7408-1638-43b7-95a3-0cfeebd7624d",
"value": "RawPOS (S0169) uses Data from Local System (T1005)"
},
{
"meta": {
"source-uuid": "222fbd21-fc4f-4b7e-9f85-0e6e3a76c33f",
"target-uuid": "f4882e23-8aa7-4b12-b28a-b349c12ee9e0"
},
"uuid": "e104cf3c-a802-4e06-8abc-6293cea9492f",
"value": "menuPass (G0045) uses PowerShell (T1086)"
},
{
"meta": {
"source-uuid": "b6b3dfc7-9a81-43ff-ac04-698bad48973a",
"target-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add"
},
"uuid": "24503815-4ac5-4d57-9e95-ebeb84e0c11b",
"value": "Daserf (S0187) uses Remote File Copy (T1105)"
},
{
"meta": {
"source-uuid": "22addc7b-b39f-483d-979a-1b35147da5de",
"target-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580"
},
"uuid": "13204383-a747-4f7f-a75c-858ddc76beab",
"value": "WinMM (S0059) uses Process Discovery (T1057)"
},
{
"meta": {
"source-uuid": "ff6840c9-4c87-4d07-bbb6-9f50aa33d498",
"target-uuid": "51ea26b1-ff1e-4faa-b1a0-1114cd298c87"
},
"uuid": "2858ec3b-5814-4515-9dda-f8009fbf4cd3",
"value": "Flame (S0143) uses Exfiltration Over Other Network Medium (T1011)"
},
{
"meta": {
"source-uuid": "8c553311-0baa-4146-997a-f79acef3d831",
"target-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6"
},
"uuid": "345c6135-7557-4292-8214-66618ba17edd",
"value": "RARSTONE (S0055) uses Standard Application Layer Protocol (T1071)"
},
{
"meta": {
"source-uuid": "96b08451-b27a-4ff6-893f-790e26393a8e",
"target-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6"
},
"uuid": "3b9e7ec8-8b10-4fe4-87b3-38b7710dbbb9",
"value": "Sakula (S0074) uses Standard Application Layer Protocol (T1071)"
},
{
"meta": {
"source-uuid": "54cc1d4f-5c53-4f0e-9ef5-11b4998e82e4",
"target-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1"
},
"uuid": "efa98949-4b58-4407-8fa2-366c06dc2ed9",
"value": "BlackEnergy (S0089) uses System Information Discovery (T1082)"
},
{
"meta": {
"source-uuid": "5f9f7648-04ba-4a9f-bb4c-2a13e74572bd",
"target-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc"
},
"uuid": "44908b0a-993a-4339-b30f-f0f1a64c0753",
"value": "Pteranodon (S0147) uses Registry Run Keys / Start Folder (T1060)"
},
{
"meta": {
"source-uuid": "4ca1929c-7d64-4aab-b849-badbfc0c760d",
"target-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81"
},
"uuid": "9779ccbc-c376-4a6e-a43f-56a782892302",
"value": "OilRig (G0049) uses Valid Accounts (T1078)"
},
{
"meta": {
"source-uuid": "894aab42-3371-47b1-8859-a4a074c804c8",
"target-uuid": "01a5a209-b94c-450b-b7f9-946497d91055"
},
"uuid": "94b4648a-4108-468c-be51-cca365fd97ac",
"value": "Stealth Falcon (G0038) uses Windows Management Instrumentation (T1047)"
},
{
"meta": {
"source-uuid": "fde50aaa-f5de-4cb8-989a-babb57d6a704",
"target-uuid": "f44731de-ea9f-406d-9b83-30ecbb9b4392"
},
"uuid": "9453d60b-4f3f-494f-985d-e29094ef8945",
"value": "Net Crawler (S0056) uses Service Execution (T1035)"
},
{
"meta": {
"source-uuid": "2daa14d6-cbf3-4308-bb8e-213c324a08e4",
"target-uuid": "3b3cbbe0-6ed3-4334-b543-3ddfd8c5642d"
},
"uuid": "3ebc8829-f260-4d75-817a-cd23a4ebb194",
"value": "HAMMERTOSS (S0037) uses Custom Cryptographic Protocol (T1024)"
},
{
"meta": {
"source-uuid": "82cb34ba-02b5-432b-b2d2-07f55cbf674d",
"target-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580"
},
"uuid": "51a03c8a-1983-4bdd-b326-78ec67f86f06",
"value": "Trojan.Karagany (S0094) uses Process Discovery (T1057)"
},
{
"meta": {
"source-uuid": "c93fccb1-e8e8-42cf-ae33-2ad1d183913a",
"target-uuid": "2e0dd10b-676d-4964-acd0-8a404c92b044"
},
"uuid": "ae61abba-14fb-4d4e-9f8e-a3b18500b449",
"value": "Lazarus Group (G0032) uses Disabling Security Tools (T1089)"
},
{
"meta": {
"source-uuid": "6713ab67-e25b-49cc-808d-2b36d4fbc35c",
"target-uuid": "d54416bd-0803-41ca-870a-ce1af7c05638"
},
"uuid": "bde913a9-9895-4414-b79a-3156159033aa",
"value": "Ke3chang (G0004) uses Data Encrypted (T1022)"
},
{
"meta": {
"source-uuid": "c0c45d38-fe57-4cd4-b2b2-9ecd0ddd4ca9",
"target-uuid": "2e0dd10b-676d-4964-acd0-8a404c92b044"
},
"uuid": "bdde6ad0-b6eb-4e3a-80e4-8a9db6a9570d",
"value": "TinyZBot (S0004) uses Disabling Security Tools (T1089)"
},
{
"meta": {
"source-uuid": "6a2e693f-24e5-451a-9f88-b36a108e5662",
"target-uuid": "7fd87010-3a00-4da3-b905-410525e8ec44"
},
"uuid": "ea40711b-461d-4629-b1fd-5f020b1f3257",
"value": "APT1 (G0006) uses Scripting (T1064)"
},
{
"meta": {
"source-uuid": "3cab1b76-2f40-4cd0-8d2c-7ed16eeb909c",
"target-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6"
},
"uuid": "76e75bfe-b72c-471b-9a26-eab5ed04a812",
"value": "ELMER (S0064) uses Standard Application Layer Protocol (T1071)"
},
{
"meta": {
"source-uuid": "61d02387-351a-453e-a575-160a9abc3e04",
"target-uuid": "6a3be63a-64c5-4678-a036-03ff8fc35300"
},
"uuid": "9064fd2e-4e0a-44e4-8bde-6e6c4cf8495f",
"value": "Re-opened Applications Mitigation (T1164) mitigates Re-opened Applications (T1164)"
},
{
"meta": {
"source-uuid": "16ade1aa-0ea1-4bb7-88cc-9079df2ae756",
"target-uuid": "15dbf668-795c-41e6-8219-f0447c0e64ce"
},
"uuid": "7d047513-5fbf-4d9e-8a5d-54317123e34c",
"value": "admin@338 (G0018) uses Permission Groups Discovery (T1069)"
},
{
"meta": {
"source-uuid": "9e9b9415-a7df-406b-b14d-92bfe6809fbe",
"target-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0"
},
"uuid": "9b1709f3-5062-42f1-82d9-191e66e1d14a",
"value": "Nidiran (S0118) uses Masquerading (T1036)"
},
{
"meta": {
"source-uuid": "899ce53f-13a0-479b-a0e4-67d46e241542",
"target-uuid": "ca1a3f50-5ebd-41f8-8320-2c7d6a6e88be"
},
"uuid": "fdcda836-4a21-45d2-8269-31b82aa3c08e",
"value": "APT29 (G0016) uses Bypass User Account Control (T1088)"
},
{
"meta": {
"source-uuid": "e6ef745b-077f-42e1-a37d-29eecff9c754",
"target-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a"
},
"uuid": "91d4c776-c259-46b0-b511-b344ca027009",
"value": "CozyCar (S0046) uses Obfuscated Files or Information (T1027)"
},
{
"meta": {
"source-uuid": "4ca1929c-7d64-4aab-b849-badbfc0c760d",
"target-uuid": "a19e86f8-1c0a-4fea-8407-23b73d615776"
},
"uuid": "70495f42-0a81-485c-8f30-c75af61f1c6a",
"value": "OilRig (G0049) uses Exfiltration Over Alternative Protocol (T1048)"
},
{
"meta": {
"source-uuid": "82fbc58b-171d-4a2d-9a20-c6b2a716bd08",
"target-uuid": "1b84d551-6de8-4b96-9930-d177677c3b1d"
},
"uuid": "f9ca3697-51a1-494b-8a61-06e516f29860",
"value": "Code Signing Mitigation (T1116) mitigates Code Signing (T1116)"
},
{
"meta": {
"source-uuid": "37cc7eb6-12e3-467b-82e8-f20f2cc73c69",
"target-uuid": "b9f5dbe2-4c55-4fc5-af2e-d42c1d182ec4"
},
"uuid": "fada6223-ba24-4c26-aa89-3998f07604f9",
"value": "Prikormka (S0113) uses Data Compressed (T1002)"
},
{
"meta": {
"source-uuid": "bef4c620-0787-42a8-a96d-b7eb6e85917c",
"target-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6"
},
"uuid": "a1fe7df1-7c20-422e-8e86-042cd11b3501",
"value": "APT28 (G0007) uses Standard Application Layer Protocol (T1071)"
},
{
"meta": {
"source-uuid": "bef4c620-0787-42a8-a96d-b7eb6e85917c",
"target-uuid": "348f1eef-964b-4eb6-bb53-69b3dcb0c643"
},
"uuid": "56d023cf-4390-40d9-afc6-cb0d40b4cdd1",
"value": "APT28 (G0007) uses Peripheral Device Discovery (T1120)"
},
{
"meta": {
"source-uuid": "c93fccb1-e8e8-42cf-ae33-2ad1d183913a",
"target-uuid": "478aa214-2ca7-4ec0-9978-18798e514790"
},
"uuid": "e42eef1a-107e-40a3-9227-45621e277ff3",
"value": "Lazarus Group (G0032) uses New Service (T1050)"
},
{
"meta": {
"source-uuid": "16ade1aa-0ea1-4bb7-88cc-9079df2ae756",
"target-uuid": "7bc57495-ea59-4380-be31-a64af124ef18"
},
"uuid": "5c816fc0-c4e3-47ef-8193-ef88eabdfc7e",
"value": "admin@338 (G0018) uses File and Directory Discovery (T1083)"
},
{
"meta": {
"source-uuid": "9ea525fa-b0a9-4dde-84f2-bcea0137b3c1",
"target-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1"
},
"uuid": "72fe5021-bace-41e4-9cc6-73af415225ac",
"value": "MoonWind (S0149) uses System Information Discovery (T1082)"
},
{
"meta": {
"source-uuid": "38952eac-cb1b-4a71-bad2-ee8223a1c8fe",
"target-uuid": "15dbf668-795c-41e6-8219-f0447c0e64ce"
},
"uuid": "f36a8899-940f-4c8f-924d-eef2f056744d",
"value": "dsquery (S0105) uses Permission Groups Discovery (T1069)"
},
{
"meta": {
"source-uuid": "e0703d4f-3972-424a-8277-84004817e024",
"target-uuid": "c4ad009b-6e13-4419-8d21-918a1652de02"
},
"uuid": "f132ff40-9e9d-49b8-a47d-832a21e1e56d",
"value": "Path Interception Mitigation (T1034) mitigates Path Interception (T1034)"
},
{
"meta": {
"source-uuid": "37cc7eb6-12e3-467b-82e8-f20f2cc73c69",
"target-uuid": "7dd95ff6-712e-4056-9626-312ea4ab4c5e"
},
"uuid": "df207207-01b2-456b-9dc4-7afd5ffeeb46",
"value": "Prikormka (S0113) uses Data Staged (T1074)"
},
{
"meta": {
"source-uuid": "899ce53f-13a0-479b-a0e4-67d46e241542",
"target-uuid": "5e595477-2e78-4ce7-ae42-e0b059b17808"
},
"uuid": "2db640ab-413b-4c49-9842-3bf190c5e184",
"value": "APT29 (G0016) uses POSHSPY (S0150)"
},
{
"meta": {
"source-uuid": "93f52415-0fe4-4d3d-896c-fc9b8e88ab90",
"target-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59"
},
"uuid": "089efdf8-b07a-4cda-aa5d-e60f9501ffd1",
"value": "BRONZE BUTLER (G0060) uses File Deletion (T1107)"
},
{
"meta": {
"source-uuid": "8ae43c46-57ef-47d5-a77a-eebb35628db2",
"target-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6"
},
"uuid": "4a4a5d60-ec17-49a2-b651-ea8918410fc2",
"value": "JHUHUGIT (S0044) uses Standard Application Layer Protocol (T1071)"
},
{
"meta": {
"source-uuid": "4c59cce8-cb48-4141-b9f1-f646edfaadb0",
"target-uuid": "3257eb21-f9a7-4430-8de1-d8b6e288f529"
},
"uuid": "fcfe071b-e527-44e9-9970-9243a354f563",
"value": "Regin (S0019) uses Network Sniffing (T1040)"
},
{
"meta": {
"source-uuid": "fb261c56-b80e-43a9-8351-c84081e7213d",
"target-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830"
},
"uuid": "3f14994e-149d-4cca-85b8-eec0964120d3",
"value": "BACKSPACE (S0031) uses Command-Line Interface (T1059)"
},
{
"meta": {
"source-uuid": "eff1a885-6f90-42a1-901f-eef6e7a1905e",
"target-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6"
},
"uuid": "49c7a467-98ce-4764-af86-c950ed951d13",
"value": "Helminth (S0170) uses Standard Application Layer Protocol (T1071)"
},
{
"meta": {
"source-uuid": "fb366179-766c-4a4a-afa1-52bff1fd601c",
"target-uuid": "64fa0de0-6240-41f4-8638-f4ca7ed528fd"
},
"uuid": "412b7fbf-bc21-4373-9f2c-5f0a26482536",
"value": "Threat Group-3390 (G0027) uses PlugX (S0013)"
},
{
"meta": {
"source-uuid": "26fed817-e7bf-41f9-829a-9075ffac45c2",
"target-uuid": "241814ae-de3f-4656-b49e-f9a80764d4b7"
},
"uuid": "95a1ac52-e022-4c81-96cc-b7b39ca776d3",
"value": "Kasidet (S0088) uses Security Software Discovery (T1063)"
},
{
"meta": {
"source-uuid": "afc079f3-c0ea-4096-b75d-3f05338b7f60",
"target-uuid": "c23b740b-a42b-47a1-aec2-9d48ddd547ff"
},
"uuid": "6b83bc1e-edfc-4c6a-961f-d3757ae6a234",
"value": "Mimikatz (S0002) uses Pass the Hash (T1075)"
},
{
"meta": {
"source-uuid": "1c63d4ec-0a75-4daa-b1df-0d11af3d3cc1",
"target-uuid": "f4882e23-8aa7-4b12-b28a-b349c12ee9e0"
},
"uuid": "05076bd4-e4cb-4234-90ae-c7ce45feb41f",
"value": "Dragonfly (G0035) uses PowerShell (T1086)"
},
{
"meta": {
"source-uuid": "234e7770-99b0-4f65-b983-d3230f76a60b",
"target-uuid": "1b84d551-6de8-4b96-9930-d177677c3b1d"
},
"uuid": "fb3b8f32-0991-4d05-a80d-a4736372ad2a",
"value": "Janicab (S0163) uses Code Signing (T1116)"
},
{
"meta": {
"source-uuid": "77fd4d73-6b79-4593-82e7-e4a439cc7604",
"target-uuid": "04ef4356-8926-45e2-9441-634b6f3dcecb"
},
"uuid": "918956f2-db79-4721-8741-3b461a280e51",
"value": "LC_LOAD_DYLIB Addition Mitigation (T1161) mitigates LC_LOAD_DYLIB Addition (T1161)"
},
{
"meta": {
"source-uuid": "d0fcf37a-b6c4-4745-9c43-4fcdb8bfc88e",
"target-uuid": "ad255bfe-a9e6-4b52-a258-8d3462abe842"
},
"uuid": "4b12c645-96fc-45ac-b515-8333d6e254ef",
"value": "Data Obfuscation Mitigation (T1001) mitigates Data Obfuscation (T1001)"
},
{
"meta": {
"source-uuid": "a90da496-b460-47e8-92e7-cc36eb00bd9a",
"target-uuid": "215190a9-9f02-4e83-bb5f-e0589965a302"
},
"uuid": "f4aaf7ec-7ff1-4519-bd93-3eaf3074d11f",
"value": "Regsvcs/Regasm Mitigation (T1121) mitigates Regsvcs/Regasm (T1121)"
},
{
"meta": {
"source-uuid": "2fb26586-2b53-4b9a-ad4f-2b3bcb9a2421",
"target-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1"
},
"uuid": "fbfc610a-5355-40fc-b5a1-059e89a1eb8d",
"value": "SslMM (S0058) uses System Information Discovery (T1082)"
},
{
"meta": {
"source-uuid": "76abb3ef-dafd-4762-97cb-a35379429db4",
"target-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a"
},
"uuid": "deb7df24-689e-4e4e-909f-a270241ab65a",
"value": "Gazer (S0168) uses Obfuscated Files or Information (T1027)"
},
{
"meta": {
"source-uuid": "a8d3d497-2da9-4797-8e0b-ed176be08654",
"target-uuid": "f44731de-ea9f-406d-9b83-30ecbb9b4392"
},
"uuid": "91ca1017-0b33-4fa1-a61f-b3dae24c7e40",
"value": "Wingbird (S0176) uses Service Execution (T1035)"
},
{
"meta": {
"source-uuid": "f6d1d2cb-12f5-4221-9636-44606ea1f3f8",
"target-uuid": "15dbf668-795c-41e6-8219-f0447c0e64ce"
},
"uuid": "bc85f8f4-5d65-484c-af82-6adbe42083d9",
"value": "OSInfo (S0165) uses Permission Groups Discovery (T1069)"
},
{
"meta": {
"source-uuid": "c93fccb1-e8e8-42cf-ae33-2ad1d183913a",
"target-uuid": "c848fcf7-6b62-4bde-8216-b6c157d48da0"
},
"uuid": "7aa43cd7-ada3-49c9-8dc7-9492fa22c7d8",
"value": "Lazarus Group (G0032) uses Uncommonly Used Port (T1065)"
},
{
"meta": {
"source-uuid": "876f6a77-fbc5-4e13-ab1a-5611986730a3",
"target-uuid": "348f1eef-964b-4eb6-bb53-69b3dcb0c643"
},
"uuid": "ea93ff11-939f-449a-a222-4273d9fc9f3c",
"value": "T9000 (S0098) uses Peripheral Device Discovery (T1120)"
},
{
"meta": {
"source-uuid": "e48df773-7c95-4a4c-ba70-ea3d15900148",
"target-uuid": "f4882e23-8aa7-4b12-b28a-b349c12ee9e0"
},
"uuid": "e3909a5f-ebfb-48e1-b0fc-5737217a994b",
"value": "DownPaper (S0186) uses PowerShell (T1086)"
},
{
"meta": {
"source-uuid": "495b6cdb-7b5a-4fbc-8d33-e7ef68806d08",
"target-uuid": "322bad5a-1c49-4d23-ab79-76d641794afa"
},
"uuid": "6139509a-709b-4ef4-81fb-25b9a35e2c60",
"value": "Volgmer (S0180) uses System Service Discovery (T1007)"
},
{
"meta": {
"source-uuid": "2a158b0a-7ef8-43cb-9985-bf34d1e12050",
"target-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0"
},
"uuid": "7138c1e4-6791-424b-adc1-5b4c7d5e3cca",
"value": "Naikon (G0019) uses System Network Configuration Discovery (T1016)"
},
{
"meta": {
"source-uuid": "92e6d080-ca3f-4f95-bc45-172a32c4e502",
"target-uuid": "b21c3b2d-02e6-45b1-980b-e69051040839"
},
"uuid": "d2a028a0-3c4f-4984-be51-80dbcf93a1a9",
"value": "Exploitation of Vulnerability Mitigation (T1068) mitigates Exploitation of Vulnerability (T1068)"
},
{
"meta": {
"source-uuid": "6a2e693f-24e5-451a-9f88-b36a108e5662",
"target-uuid": "c23b740b-a42b-47a1-aec2-9d48ddd547ff"
},
"uuid": "3b35fec9-ee0d-4c2d-9936-0aa06ad6a49a",
"value": "APT1 (G0006) uses Pass the Hash (T1075)"
},
{
"meta": {
"source-uuid": "aafea02e-ece5-4bb2-91a6-3bf8c7f38a39",
"target-uuid": "e358d692-23c0-4a31-9eb6-ecc13a8d7735"
},
"uuid": "b26eb7d2-1147-4c2b-a1eb-4a457e081e22",
"value": "Cobalt Strike (S0154) uses Remote System Discovery (T1018)"
},
{
"meta": {
"source-uuid": "09b2cd76-c674-47cc-9f57-d2f2ad150a46",
"target-uuid": "01a5a209-b94c-450b-b7f9-946497d91055"
},
"uuid": "35419603-7bc2-40f6-8e5d-4e7a8f13ebb7",
"value": "POWRUNER (S0184) uses Windows Management Instrumentation (T1047)"
},
{
"meta": {
"source-uuid": "92c28497-2820-445e-9f3e-a03dd77dc0c8",
"target-uuid": "92d7da27-2d91-488e-a00c-059dc162766d"
},
"uuid": "cd38481c-7c23-4e72-b1b4-056830f5f7f3",
"value": "Exfiltration Over Command and Control Channel Mitigation (T1041) mitigates Exfiltration Over Command and Control Channel (T1041)"
},
{
"meta": {
"source-uuid": "fb575479-14ef-41e9-bfab-0b7cf10bec73",
"target-uuid": "4eeaf8a9-c86b-4954-a663-9555fb406466"
},
"uuid": "5eb253cb-2e81-4f51-bd0e-d1734283491c",
"value": "ADVSTORESHELL (S0045) uses Scheduled Transfer (T1029)"
},
{
"meta": {
"source-uuid": "8b880b41-5139-4807-baa9-309690218719",
"target-uuid": "970cdb5c-02fb-4c38-b17e-d6327cf3c810"
},
"uuid": "8a48e090-ab8c-414e-b559-7a0437c92850",
"value": "SPACESHIP (S0035) uses Shortcut Modification (T1023)"
},
{
"meta": {
"source-uuid": "9ea525fa-b0a9-4dde-84f2-bcea0137b3c1",
"target-uuid": "7fd87010-3a00-4da3-b905-410525e8ec44"
},
"uuid": "1782bb6e-7a06-4dfb-96f5-dd671d8a02d5",
"value": "MoonWind (S0149) uses Scripting (T1064)"
},
{
"meta": {
"source-uuid": "d1acfbb3-647b-4723-9154-800ec119006e",
"target-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830"
},
"uuid": "9f618c0f-79b8-4990-a02b-6e3187b14033",
"value": "Sowbug (G0054) uses Command-Line Interface (T1059)"
},
{
"meta": {
"source-uuid": "b136d088-a829-432c-ac26-5529c26d4c7e",
"target-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6"
},
"uuid": "b4228f64-bc0c-47a5-a3d8-d9aabdf66bfc",
"value": "OnionDuke (S0052) uses Standard Application Layer Protocol (T1071)"
},
{
"meta": {
"source-uuid": "37cc7eb6-12e3-467b-82e8-f20f2cc73c69",
"target-uuid": "d54416bd-0803-41ca-870a-ce1af7c05638"
},
"uuid": "56fac514-4461-4d8c-93a0-d12cade25169",
"value": "Prikormka (S0113) uses Data Encrypted (T1022)"
},
{
"meta": {
"source-uuid": "68ba94ab-78b8-43e7-83e2-aed3466882c6",
"target-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add"
},
"uuid": "fc1ec654-af35-4a7d-b2f6-54b4d8378cfb",
"value": "APT34 (G0057) uses Remote File Copy (T1105)"
},
{
"meta": {
"source-uuid": "fb575479-14ef-41e9-bfab-0b7cf10bec73",
"target-uuid": "7dd95ff6-712e-4056-9626-312ea4ab4c5e"
},
"uuid": "5d397a8d-2195-440d-a0f5-bbf6c3e8f6e4",
"value": "ADVSTORESHELL (S0045) uses Data Staged (T1074)"
},
{
"meta": {
"source-uuid": "b96680d1-5eb3-4f07-b95c-00ab904ac236",
"target-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6"
},
"uuid": "59d4e54d-66b8-4603-b189-ba67160da44d",
"value": "Pisloader (S0124) uses Standard Application Layer Protocol (T1071)"
},
{
"meta": {
"source-uuid": "e6ef745b-077f-42e1-a37d-29eecff9c754",
"target-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830"
},
"uuid": "04e4f0d1-32a9-4d64-a733-3316b0bf2740",
"value": "CozyCar (S0046) uses Command-Line Interface (T1059)"
},
{
"meta": {
"source-uuid": "40d3e230-ed32-469f-ba89-be70cc08ab39",
"target-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0"
},
"uuid": "dc187ed1-3987-4575-b1af-dc150e4329f8",
"value": "Agent.btz (S0092) uses System Network Configuration Discovery (T1016)"
},
{
"meta": {
"source-uuid": "f9d6633a-55e6-4adc-9263-6ae080421a13",
"target-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830"
},
"uuid": "17bc0957-1509-4faf-bb51-a6a9e1959978",
"value": "Magic Hound (G0059) uses Command-Line Interface (T1059)"
},
{
"meta": {
"source-uuid": "3240cbe4-c550-443b-aa76-cc2a7058b870",
"target-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc"
},
"uuid": "c75cc595-79d7-4a77-9647-d2323aad93d0",
"value": "SNUGRIDE (S0159) uses Registry Run Keys / Start Folder (T1060)"
},
{
"meta": {
"source-uuid": "fb366179-766c-4a4a-afa1-52bff1fd601c",
"target-uuid": "7e150503-88e7-4861-866b-ff1ac82c4475"
},
"uuid": "fe8a320f-e5e5-4503-8c3a-5c21b628a61d",
"value": "Threat Group-3390 (G0027) uses System Network Connections Discovery (T1049)"
},
{
"meta": {
"source-uuid": "38fd6a28-3353-4f2b-bb2b-459fecd5c648",
"target-uuid": "b96680d1-5eb3-4f07-b95c-00ab904ac236"
},
"uuid": "95842c88-c596-44c7-a16e-40d98e2457cc",
"value": "APT18 (G0026) uses Pisloader (S0124)"
},
{
"meta": {
"source-uuid": "7dbb67c7-270a-40ad-836e-c45f8948aa5a",
"target-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1"
},
"uuid": "42dc03ec-03fb-4bf0-8f5f-e90d1aacd6e7",
"value": "KOMPROGO (S0156) uses System Information Discovery (T1082)"
},
{
"meta": {
"source-uuid": "b96680d1-5eb3-4f07-b95c-00ab904ac236",
"target-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a"
},
"uuid": "cbc4c186-028e-4a24-93ff-5f2bb7edd98a",
"value": "Pisloader (S0124) uses Obfuscated Files or Information (T1027)"
},
{
"meta": {
"source-uuid": "ff6840c9-4c87-4d07-bbb6-9f50aa33d498",
"target-uuid": "241814ae-de3f-4656-b49e-f9a80764d4b7"
},
"uuid": "4a9f7553-b3ee-405b-9c81-f487b4bed868",
"value": "Flame (S0143) uses Security Software Discovery (T1063)"
},
{
"meta": {
"source-uuid": "af2ad3b7-ab6a-4807-91fd-51bcaff9acbb",
"target-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a"
},
"uuid": "016dc21c-ade9-43cc-9d88-a0c4c0891ccc",
"value": "USBStealer (S0136) uses Obfuscated Files or Information (T1027)"
},
{
"meta": {
"source-uuid": "55033a4d-3ffe-46b2-99b4-2c1541e9ce1c",
"target-uuid": "62b8c999-dcc0-4755-bd69-09442d9359f5"
},
"uuid": "539f8bc3-3fb4-43af-8918-9a65239cdff6",
"value": "Carbanak (G0008) uses Rundll32 (T1085)"
},
{
"meta": {
"source-uuid": "ccd61dfc-b03f-4689-8c18-7c97eab08472",
"target-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2"
},
"uuid": "954961e4-0bf5-496e-b200-e63d99c006de",
"value": "CHOPSTICK (S0023) uses Input Capture (T1056)"
},
{
"meta": {
"source-uuid": "0bbdf25b-30ff-4894-a1cd-49260d0dd2d9",
"target-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2"
},
"uuid": "ed283e07-a029-4d23-aa8f-55f92abb5203",
"value": "APT3 (G0022) uses Input Capture (T1056)"
},
{
"meta": {
"source-uuid": "76abb3ef-dafd-4762-97cb-a35379429db4",
"target-uuid": "1b84d551-6de8-4b96-9930-d177677c3b1d"
},
"uuid": "c354bbc0-74c4-4805-b6e6-f33f49272f86",
"value": "Gazer (S0168) uses Code Signing (T1116)"
},
{
"meta": {
"source-uuid": "4ca1929c-7d64-4aab-b849-badbfc0c760d",
"target-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896"
},
"uuid": "e30c24d3-d440-4395-88b3-3192a02c4364",
"value": "OilRig (G0049) uses Query Registry (T1012)"
},
{
"meta": {
"source-uuid": "beb45abb-11e8-4aef-9778-1f9ac249784f",
"target-uuid": "ca1a3f50-5ebd-41f8-8320-2c7d6a6e88be"
},
"uuid": "483a70b9-eae9-4d5f-925c-95c2dd7b9fa5",
"value": "Bypass User Account Control Mitigation (T1088) mitigates Bypass User Account Control (T1088)"
},
{
"meta": {
"source-uuid": "bef4c620-0787-42a8-a96d-b7eb6e85917c",
"target-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104"
},
"uuid": "a3de3705-8085-4992-9b90-1cb8ef532b5c",
"value": "APT28 (G0007) uses System Owner/User Discovery (T1033)"
},
{
"meta": {
"source-uuid": "aafea02e-ece5-4bb2-91a6-3bf8c7f38a39",
"target-uuid": "731f4f55-b6d0-41d1-a7a9-072a66389aea"
},
"uuid": "d13aaa09-5465-4439-b100-444242601a98",
"value": "Cobalt Strike (S0154) uses Connection Proxy (T1090)"
},
{
"meta": {
"source-uuid": "2e5d3a83-fe00-41a5-9b60-237efc84832f",
"target-uuid": "519630c5-f03f-4882-825c-3af924935817"
},
"uuid": "83cfa11e-f221-4dc4-b184-943c2c7f4562",
"value": "Moafee (G0002) uses Binary Padding (T1009)"
},
{
"meta": {
"source-uuid": "894aab42-3371-47b1-8859-a4a074c804c8",
"target-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896"
},
"uuid": "746b0def-62c8-438d-b5ec-aa6b7dbfb860",
"value": "Stealth Falcon (G0038) uses Query Registry (T1012)"
},
{
"meta": {
"source-uuid": "7f8730af-f683-423f-9ee1-5f6875a80481",
"target-uuid": "3b3cbbe0-6ed3-4334-b543-3ddfd8c5642d"
},
"uuid": "19c33297-1efd-4489-b09c-a4230ce194f4",
"value": "Sys10 (S0060) uses Custom Cryptographic Protocol (T1024)"
},
{
"meta": {
"source-uuid": "0bbdf25b-30ff-4894-a1cd-49260d0dd2d9",
"target-uuid": "6aabc5ec-eae6-422c-8311-38d45ee9838a"
},
"uuid": "13f986d2-949b-42c8-bd4b-b8a833b9d5de",
"value": "APT3 (G0022) uses Redundant Access (T1108)"
},
{
"meta": {
"source-uuid": "fbe9387f-34e6-4828-ac28-3080020c597b",
"target-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add"
},
"uuid": "33c8fb30-3515-4582-ad29-34fa0d7e15e5",
"value": "FIN10 (G0051) uses Remote File Copy (T1105)"
},
{
"meta": {
"source-uuid": "8b880b41-5139-4807-baa9-309690218719",
"target-uuid": "e6415f09-df0e-48de-9aba-928c902b7549"
},
"uuid": "04e2c418-8f6c-453c-8e17-4d3aeec0f755",
"value": "SPACESHIP (S0035) uses Exfiltration Over Physical Medium (T1052)"
},
{
"meta": {
"source-uuid": "cdecc44a-1dbf-4c1f-881c-f21e3f47272a",
"target-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add"
},
"uuid": "ab637576-5bf9-423f-b5e8-6d1ac26bbb5c",
"value": "Remote File Copy Mitigation (T1105) mitigates Remote File Copy (T1105)"
},
{
"meta": {
"source-uuid": "4ca1929c-7d64-4aab-b849-badbfc0c760d",
"target-uuid": "00d0b012-8a03-410e-95de-5826bf542de6"
},
"uuid": "fb6ffb5c-5405-4515-a120-7a34414933ea",
"value": "OilRig (G0049) uses Indicator Removal from Tools (T1066)"
},
{
"meta": {
"source-uuid": "68dca94f-c11d-421e-9287-7c501108e18c",
"target-uuid": "f879d51c-5476-431c-aedf-f14d207e4d1e"
},
"uuid": "4ac3f9d6-73e6-49d0-a49a-329eca1f5a3a",
"value": "Duqu (S0038) uses Commonly Used Port (T1043)"
},
{
"meta": {
"source-uuid": "899ce53f-13a0-479b-a0e4-67d46e241542",
"target-uuid": "7d751199-05fa-4a72-920f-85df4506c76c"
},
"uuid": "54188543-7746-4158-9a9f-5556bb99ec7a",
"value": "APT29 (G0016) uses Multi-hop Proxy (T1188)"
},
{
"meta": {
"source-uuid": "88b7dbc2-32d3-4e31-af2f-3fc24e1582d7",
"target-uuid": "0f862b01-99da-47cc-9bdb-db4a86a95bb1"
},
"uuid": "764b5d56-83a1-4c8d-824a-2021c7fe8052",
"value": "Lotus Blossom (G0030) uses Emissary (S0082)"
},
{
"meta": {
"source-uuid": "c88151a5-fe3f-4773-8147-d801587065a4",
"target-uuid": "327f3cc5-eea1-42d4-a6cd-ed34b7ce8f61"
},
"uuid": "e1275bcd-0462-4f79-b18f-2132b0bb74ec",
"value": "Application Deployment Software Mitigation (T1017) mitigates Application Deployment Software (T1017)"
},
{
"meta": {
"source-uuid": "c0c45d38-fe57-4cd4-b2b2-9ecd0ddd4ca9",
"target-uuid": "970cdb5c-02fb-4c38-b17e-d6327cf3c810"
},
"uuid": "8ce2219f-6c25-46a2-8215-a78871e2773a",
"value": "TinyZBot (S0004) uses Shortcut Modification (T1023)"
},
{
"meta": {
"source-uuid": "083bb47b-02c8-4423-81a2-f9ef58572974",
"target-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc"
},
"uuid": "087721ee-6643-4453-8a76-8768ced7e506",
"value": "Backdoor.Oldrea (S0093) uses Registry Run Keys / Start Folder (T1060)"
},
{
"meta": {
"source-uuid": "a653431d-6a5e-4600-8ad3-609b5af57064",
"target-uuid": "68f7e3a1-f09f-4164-9a62-16b648a0dd5a"
},
"uuid": "4fab8d06-e6fb-472f-91ee-f2fd29ef444e",
"value": "Deep Panda (G0009) uses Regsvr32 (T1117)"
},
{
"meta": {
"source-uuid": "383caaa3-c46a-4f61-b2e3-653eb132f0e7",
"target-uuid": "1608f3e1-598a-42f4-a01a-2e252e81728f"
},
"uuid": "42ab2855-fe9b-4ed2-bef7-db3a9dcf5a89",
"value": "Email Collection Mitigation (T1114) mitigates Email Collection (T1114)"
},
{
"meta": {
"source-uuid": "1cc934e4-b01d-4543-a011-b988dfc1a458",
"target-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d"
},
"uuid": "47415cec-25f8-4425-9125-157e1637a687",
"value": "Matroyshka (S0167) uses Process Injection (T1055)"
},
{
"meta": {
"source-uuid": "92ec0cbd-2c30-44a2-b270-73f4ec949841",
"target-uuid": "f3c544dc-673c-4ef3-accb-53229f1ae077"
},
"uuid": "4c3890f0-378d-4cef-8db7-0258161ff3f7",
"value": "RTM (S0148) uses System Time Discovery (T1124)"
},
{
"meta": {
"source-uuid": "00c3bfcb-99bd-4767-8c03-b08f585f5c8a",
"target-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0"
},
"uuid": "0db8a021-2f3a-41cc-abc6-d8723c7e802b",
"value": "PowerDuke (S0139) uses System Network Configuration Discovery (T1016)"
},
{
"meta": {
"source-uuid": "234e7770-99b0-4f65-b983-d3230f76a60b",
"target-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688"
},
"uuid": "fc67e15c-ae09-45e1-925f-8a6b0e8ca4ab",
"value": "Janicab (S0163) uses Screen Capture (T1113)"
},
{
"meta": {
"source-uuid": "7aee8ea0-0baa-4232-b379-5d9ce98352cf",
"target-uuid": "66f73398-8394-4711-85e5-34c8540b22a5"
},
"uuid": "9692d2b6-c933-4c1a-8ea0-1f0babfeeec9",
"value": "Hooking Mitigation (T1179) mitigates Hooking (T1179)"
},
{
"meta": {
"source-uuid": "a653431d-6a5e-4600-8ad3-609b5af57064",
"target-uuid": "91000a8a-58cc-4aba-9ad0-993ad6302b86"
},
"uuid": "66a3ab46-abcb-4234-a786-638044cfc50e",
"value": "Deep Panda (G0009) uses StreamEx (S0142)"
},
{
"meta": {
"source-uuid": "2eb9b131-d333-4a48-9eb4-d8dec46c19ee",
"target-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9"
},
"uuid": "e32b53b5-b112-483a-8d95-56bf3f43671f",
"value": "CosmicDuke (S0050) uses Scheduled Task (T1053)"
},
{
"meta": {
"source-uuid": "f8dfbc54-b070-4224-b560-79aaa5f835bd",
"target-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59"
},
"uuid": "2d090e9d-f9fb-4f73-99df-0e17a7489adb",
"value": "H1N1 (S0132) uses File Deletion (T1107)"
},
{
"meta": {
"source-uuid": "8ae43c46-57ef-47d5-a77a-eebb35628db2",
"target-uuid": "b21c3b2d-02e6-45b1-980b-e69051040839"
},
"uuid": "976202db-cdfa-4c4e-bc09-9b3cad90e6fb",
"value": "JHUHUGIT (S0044) uses Exploitation of Vulnerability (T1068)"
},
{
"meta": {
"source-uuid": "fb366179-766c-4a4a-afa1-52bff1fd601c",
"target-uuid": "5a3a31fe-5a8f-48e1-bff0-a753e5b1be70"
},
"uuid": "71daf1fe-a979-4cbc-bb0d-4e2d6c79274a",
"value": "Threat Group-3390 (G0027) uses China Chopper (S0020)"
},
{
"meta": {
"source-uuid": "c93fccb1-e8e8-42cf-ae33-2ad1d183913a",
"target-uuid": "7bc57495-ea59-4380-be31-a64af124ef18"
},
"uuid": "bd745d11-93d8-45db-8a68-08a52383375a",
"value": "Lazarus Group (G0032) uses File and Directory Discovery (T1083)"
},
{
"meta": {
"source-uuid": "7a19ecb1-3c65-4de3-a230-993516aed6a6",
"target-uuid": "30489451-5886-4c46-90c9-0dff9adc5252"
},
"uuid": "5c0645e4-f0c7-4bb4-bedb-29a96a472fe0",
"value": "Turla (G0010) uses Arp (S0099)"
},
{
"meta": {
"source-uuid": "12c13879-b7bd-4bc5-8def-aacec386d432",
"target-uuid": "68f7e3a1-f09f-4164-9a62-16b648a0dd5a"
},
"uuid": "0727c98a-b7e0-45ba-a20e-632d394ef422",
"value": "Regsvr32 Mitigation (T1117) mitigates Regsvr32 (T1117)"
},
{
"meta": {
"source-uuid": "bef4c620-0787-42a8-a96d-b7eb6e85917c",
"target-uuid": "ccd61dfc-b03f-4689-8c18-7c97eab08472"
},
"uuid": "24013fde-5ce7-4995-9d9f-d2ced31b9d9a",
"value": "APT28 (G0007) uses CHOPSTICK (S0023)"
},
{
"meta": {
"source-uuid": "33f76731-b840-446f-bee0-53687dad24d9",
"target-uuid": "62166220-e498-410f-a90a-19d4339d4e99"
},
"uuid": "3e9d8f68-a9c6-4be7-9639-56b64d4f600a",
"value": "Image File Execution Options Injection Mitigation (T1183) mitigates Image File Execution Options Injection (T1183)"
},
{
"meta": {
"source-uuid": "38fd6a28-3353-4f2b-bb2b-459fecd5c648",
"target-uuid": "e066bf86-9cfb-407a-9d25-26fd5d91e360"
},
"uuid": "e9612cb1-79a5-4987-aa83-b84aa7fa050f",
"value": "APT18 (G0026) uses HTTPBrowser (S0070)"
},
{
"meta": {
"source-uuid": "aafea02e-ece5-4bb2-91a6-3bf8c7f38a39",
"target-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688"
},
"uuid": "854a3a7e-09a7-4523-ac7f-d625a0b50b6b",
"value": "Cobalt Strike (S0154) uses Screen Capture (T1113)"
},
{
"meta": {
"source-uuid": "5a63f900-5e7e-4928-a746-dd4558e1df71",
"target-uuid": "bb0e0cb5-f3e4-4118-a4cb-6bf13bfbc9f2"
},
"uuid": "581f8dd6-edd4-467b-a3d5-3177870b0264",
"value": "netsh (S0108) uses Netsh Helper DLL (T1128)"
},
{
"meta": {
"source-uuid": "51b37302-b844-4c08-ac98-ae6955ed1f55",
"target-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688"
},
"uuid": "366214ea-29b0-458a-a852-7a76420783d2",
"value": "Screen Capture Mitigation (T1113) mitigates Screen Capture (T1113)"
},
{
"meta": {
"source-uuid": "0bbdf25b-30ff-4894-a1cd-49260d0dd2d9",
"target-uuid": "9b99b83a-1aac-4e29-b975-b374950551a3"
},
"uuid": "a92197a8-ec5c-4366-92af-f45078a3bfd7",
"value": "APT3 (G0022) uses Accessibility Features (T1015)"
},
{
"meta": {
"source-uuid": "67e6d66b-1b82-4699-b47a-e2efb6268d14",
"target-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc"
},
"uuid": "bcdbb8dc-87e5-4f29-8ff2-d660e53015cb",
"value": "SeaDuke (S0053) uses Registry Run Keys / Start Folder (T1060)"
},
{
"meta": {
"source-uuid": "aafea02e-ece5-4bb2-91a6-3bf8c7f38a39",
"target-uuid": "b21c3b2d-02e6-45b1-980b-e69051040839"
},
"uuid": "b942cd55-6fed-49a1-ba05-af23836b518f",
"value": "Cobalt Strike (S0154) uses Exploitation of Vulnerability (T1068)"
},
{
"meta": {
"source-uuid": "fb366179-766c-4a4a-afa1-52bff1fd601c",
"target-uuid": "10d51417-ee35-4589-b1ff-b6df1c334e8d"
},
"uuid": "ab6a19e4-ce00-46cd-ae83-0798471e4a4a",
"value": "Threat Group-3390 (G0027) uses External Remote Services (T1133)"
},
{
"meta": {
"source-uuid": "6b616fc1-1505-48e3-8b2c-0d19337bff38",
"target-uuid": "774a3188-6ba9-4dc4-879d-d54ee48a5ce9"
},
"uuid": "59261bc8-0220-4e37-8018-7a3618a5dd1b",
"value": "Rover (S0090) uses Automated Exfiltration (T1020)"
},
{
"meta": {
"source-uuid": "85b39628-204a-48d2-b377-ec368cbcb7ca",
"target-uuid": "7bc57495-ea59-4380-be31-a64af124ef18"
},
"uuid": "6cfd1f0f-0355-4b1a-af29-84ed992bbb71",
"value": "TINYTYPHON (S0131) uses File and Directory Discovery (T1083)"
},
{
"meta": {
"source-uuid": "e8268361-a599-4e45-bd3f-71c8c7e700c0",
"target-uuid": "3b3cbbe0-6ed3-4334-b543-3ddfd8c5642d"
},
"uuid": "5b3d2b2f-73f4-4fef-9cb9-b11db3eb4c4f",
"value": "httpclient (S0068) uses Custom Cryptographic Protocol (T1024)"
},
{
"meta": {
"source-uuid": "17862c7d-9e60-48a0-b48e-da4dc4c3f6b0",
"target-uuid": "ca1a3f50-5ebd-41f8-8320-2c7d6a6e88be"
},
"uuid": "d16d59aa-f056-4cc7-9f67-0e80db9cdacb",
"value": "Patchwork (G0040) uses Bypass User Account Control (T1088)"
},
{
"meta": {
"source-uuid": "53cf6cc4-65aa-445a-bcf8-c3d296f8a7a2",
"target-uuid": "f24faf46-3b26-4dbb-98f2-63460498e433"
},
"uuid": "a713d0d3-2897-4da2-995f-df3a40f04b29",
"value": "NETEAGLE (S0034) uses Fallback Channels (T1008)"
},
{
"meta": {
"source-uuid": "17862c7d-9e60-48a0-b48e-da4dc4c3f6b0",
"target-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22"
},
"uuid": "1df7df54-c4c1-49f0-a0c3-11102db44f2c",
"value": "Patchwork (G0040) uses Credential Dumping (T1003)"
},
{
"meta": {
"source-uuid": "3cab1b76-2f40-4cd0-8d2c-7ed16eeb909c",
"target-uuid": "f879d51c-5476-431c-aedf-f14d207e4d1e"
},
"uuid": "b4b71687-5aed-4cde-ba59-c37bb5231878",
"value": "ELMER (S0064) uses Commonly Used Port (T1043)"
},
{
"meta": {
"source-uuid": "16a8ac85-a06f-460f-ad22-910167bd7332",
"target-uuid": "519630c5-f03f-4882-825c-3af924935817"
},
"uuid": "1a3de27b-377c-4390-9911-2da8aaa705e3",
"value": "Binary Padding Mitigation (T1009) mitigates Binary Padding (T1009)"
},
{
"meta": {
"source-uuid": "222fbd21-fc4f-4b7e-9f85-0e6e3a76c33f",
"target-uuid": "b77b563c-34bb-4fb8-86a3-3694338f7b47"
},
"uuid": "e5f75ae0-45f5-48b8-938f-f0d9e17e53eb",
"value": "menuPass (G0045) uses Ping (S0097)"
},
{
"meta": {
"source-uuid": "6a0ef5d4-fc7c-4dda-85d7-592e4dbdc5d9",
"target-uuid": "72b74d71-8169-42aa-92e0-e7b04b9f5a08"
},
"uuid": "2eb985a1-e73e-4554-8638-2e6f27690ec0",
"value": "Sykipot (S0018) uses Account Discovery (T1087)"
},
{
"meta": {
"source-uuid": "2daa14d6-cbf3-4308-bb8e-213c324a08e4",
"target-uuid": "830c9528-df21-472c-8c14-a036bf17d665"
},
"uuid": "c7420523-7dc0-4118-a075-93f9c0268627",
"value": "HAMMERTOSS (S0037) uses Web Service (T1102)"
},
{
"meta": {
"source-uuid": "0db09158-6e48-4e7c-8ce7-2b10b9c0c039",
"target-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830"
},
"uuid": "b4e77f71-970a-4b24-938f-0d50ecea1969",
"value": "Misdat (S0083) uses Command-Line Interface (T1059)"
},
{
"meta": {
"source-uuid": "64d76fa5-cf8f-469c-b78c-1a4f7c5bad80",
"target-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580"
},
"uuid": "b82f51f9-74a0-43e1-b3c6-63df3a90c9eb",
"value": "BBSRAT (S0127) uses Process Discovery (T1057)"
},
{
"meta": {
"source-uuid": "5cbe0d3b-6fb1-471f-b591-4b192915116d",
"target-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22"
},
"uuid": "a0c55c8d-6192-4faa-a5a2-1742fb5815a0",
"value": "Suckfly (G0039) uses Credential Dumping (T1003)"
},
{
"meta": {
"source-uuid": "e066bf86-9cfb-407a-9d25-26fd5d91e360",
"target-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc"
},
"uuid": "259b878f-147e-443b-8360-aabc00cf6d73",
"value": "HTTPBrowser (S0070) uses Registry Run Keys / Start Folder (T1060)"
},
{
"meta": {
"source-uuid": "4ca1929c-7d64-4aab-b849-badbfc0c760d",
"target-uuid": "4664b683-f578-434f-919b-1c1aad2a1111"
},
"uuid": "5744b31d-6633-44ca-8170-17489fec124c",
"value": "OilRig (G0049) uses netstat (S0104)"
},
{
"meta": {
"source-uuid": "691c60e2-273d-4d56-9ce6-b67e0f8719ad",
"target-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0"
},
"uuid": "84bc4ba8-ab0e-4c60-92ed-26496a831611",
"value": "Truvasys (S0178) uses Masquerading (T1036)"
},
{
"meta": {
"source-uuid": "17b40f60-729f-4fe8-8aea-cc9ee44a95d5",
"target-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0"
},
"uuid": "9b8ff36d-ff96-460a-b5cf-d369e7f598d9",
"value": "RedLeaves (S0153) uses System Network Configuration Discovery (T1016)"
},
{
"meta": {
"source-uuid": "7a19ecb1-3c65-4de3-a230-993516aed6a6",
"target-uuid": "a93494bb-4b80-4ea1-8695-3236a49916fd"
},
"uuid": "5682d524-80f0-4fd8-9960-6f54eeafce96",
"value": "Turla (G0010) uses Brute Force (T1110)"
},
{
"meta": {
"source-uuid": "93f52415-0fe4-4d3d-896c-fc9b8e88ab90",
"target-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830"
},
"uuid": "39791d22-fec7-4459-8321-c9aa824d5fc1",
"value": "BRONZE BUTLER (G0060) uses Command-Line Interface (T1059)"
},
{
"meta": {
"source-uuid": "dcd81c6e-ebf7-4a16-93e0-9a97fa49c88a",
"target-uuid": "62b8c999-dcc0-4755-bd69-09442d9359f5"
},
"uuid": "896cd1de-ffa7-4f69-a981-2859cc756601",
"value": "CopyKittens (G0052) uses Rundll32 (T1085)"
},
{
"meta": {
"source-uuid": "2a158b0a-7ef8-43cb-9985-bf34d1e12050",
"target-uuid": "2e45723a-31da-4a7e-aaa6-e01998a6788f"
},
"uuid": "f2d601c9-8cc7-4425-b76f-fbc9997b55fd",
"value": "Naikon (G0019) uses Tasklist (S0057)"
},
{
"meta": {
"source-uuid": "00c3bfcb-99bd-4767-8c03-b08f585f5c8a",
"target-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580"
},
"uuid": "62f9aa2c-b0c1-4028-a2b8-c436e30ace4b",
"value": "PowerDuke (S0139) uses Process Discovery (T1057)"
},
{
"meta": {
"source-uuid": "59a97b15-8189-4d51-9404-e1ce8ea4a069",
"target-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2"
},
"uuid": "11ed82c1-88af-4c23-860e-185505389288",
"value": "XAgentOSX (S0161) uses Input Capture (T1056)"
},
{
"meta": {
"source-uuid": "2fb26586-2b53-4b9a-ad4f-2b3bcb9a2421",
"target-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc"
},
"uuid": "8904bd95-4844-4fe4-b6b6-47e4a4f8d85d",
"value": "SslMM (S0058) uses Registry Run Keys / Start Folder (T1060)"
},
{
"meta": {
"source-uuid": "3e9f8875-d2f7-4380-a578-84393bd3b025",
"target-uuid": "c3bce4f4-9795-46c6-976e-8676300bbc39"
},
"uuid": "d35b9e63-a236-47f4-9fa8-d04719858115",
"value": "Windows Remote Management Mitigation (T1028) mitigates Windows Remote Management (T1028)"
},
{
"meta": {
"source-uuid": "85403903-15e0-4f9f-9be4-a259ecad4022",
"target-uuid": "e358d692-23c0-4a31-9eb6-ecc13a8d7735"
},
"uuid": "3ef6a3fb-0d59-4ba5-b2d0-dc32d547b74f",
"value": "FIN5 (G0053) uses Remote System Discovery (T1018)"
},
{
"meta": {
"source-uuid": "25e53928-6f33-49b7-baee-8180578286f6",
"target-uuid": "6856ddd6-2df3-4379-8b87-284603c189c3"
},
"uuid": "ab524992-5666-466b-8c12-ec79b269901b",
"value": "System Firmware Mitigation (T1019) mitigates System Firmware (T1019)"
},
{
"meta": {
"source-uuid": "17e919aa-4a49-445c-b103-dbb8df9e7351",
"target-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add"
},
"uuid": "d04d6101-f6f6-42a2-8679-351956b75228",
"value": "POWERSOURCE (S0145) uses Remote File Copy (T1105)"
},
{
"meta": {
"source-uuid": "69d6f4a9-fcf0-4f51-bca7-597c51ad0bb8",
"target-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d"
},
"uuid": "11247a95-272b-4ae2-8dae-2cd049328734",
"value": "Remsec (S0125) uses Process Injection (T1055)"
},
{
"meta": {
"source-uuid": "9ea525fa-b0a9-4dde-84f2-bcea0137b3c1",
"target-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580"
},
"uuid": "1035fe41-56b9-4966-bf3b-109ae950c908",
"value": "MoonWind (S0149) uses Process Discovery (T1057)"
},
{
"meta": {
"source-uuid": "2eb9b131-d333-4a48-9eb4-d8dec46c19ee",
"target-uuid": "a19e86f8-1c0a-4fea-8407-23b73d615776"
},
"uuid": "3d4dabc2-3bee-409a-a05d-e107677cfdc7",
"value": "CosmicDuke (S0050) uses Exfiltration Over Alternative Protocol (T1048)"
},
{
"meta": {
"source-uuid": "a60657fa-e2e7-4f8f-8128-a882534ae8c5",
"target-uuid": "128c55d3-aeba-469f-bd3e-c8996ab4112a"
},
"uuid": "37804b22-63b4-4b24-846e-6541688d9213",
"value": "OwaAuth (S0072) uses Timestomp (T1099)"
},
{
"meta": {
"source-uuid": "6713ab67-e25b-49cc-808d-2b36d4fbc35c",
"target-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22"
},
"uuid": "c8db7b65-563d-47ba-9e06-cabdbade47e9",
"value": "Ke3chang (G0004) uses Credential Dumping (T1003)"
},
{
"meta": {
"source-uuid": "e333cf16-5bfa-453e-8e6a-3a4c63d6bfcc",
"target-uuid": "53bfc8bf-8f76-4cd7-8958-49a884ddb3ee"
},
"uuid": "d9ae86e6-377b-45d5-b32c-89776fd7755c",
"value": "Launchctl Mitigation (T1152) mitigates Launchctl (T1152)"
},
{
"meta": {
"source-uuid": "68ba94ab-78b8-43e7-83e2-aed3466882c6",
"target-uuid": "cde2d700-9ed1-46cf-9bce-07364fe8b24f"
},
"uuid": "e603a78c-ecbc-46b2-95cc-08251c1faea9",
"value": "APT34 (G0057) uses Reg (S0075)"
},
{
"meta": {
"source-uuid": "083bb47b-02c8-4423-81a2-f9ef58572974",
"target-uuid": "1608f3e1-598a-42f4-a01a-2e252e81728f"
},
"uuid": "98abda72-4760-4e8c-ab6c-5ed080868cfc",
"value": "Backdoor.Oldrea (S0093) uses Email Collection (T1114)"
},
{
"meta": {
"source-uuid": "2497ac92-e751-4391-82c6-1b86e34d0294",
"target-uuid": "774a3188-6ba9-4dc4-879d-d54ee48a5ce9"
},
"uuid": "b8306976-370f-403d-9983-fe3327c00709",
"value": "Automated Exfiltration Mitigation (T1020) mitigates Automated Exfiltration (T1020)"
},
{
"meta": {
"source-uuid": "b8eb28e4-48a6-40ae-951a-328714f75eda",
"target-uuid": "f24faf46-3b26-4dbb-98f2-63460498e433"
},
"uuid": "3ac3a282-e1be-45f8-8974-0a94e5d43644",
"value": "BISCUIT (S0017) uses Fallback Channels (T1008)"
},
{
"meta": {
"source-uuid": "166c0eca-02fd-424a-92c0-6b5106994d31",
"target-uuid": "322bad5a-1c49-4d23-ab79-76d641794afa"
},
"uuid": "b7601a08-a52d-4daa-acb9-2f5e3392b6c3",
"value": "ZLib (S0086) uses System Service Discovery (T1007)"
},
{
"meta": {
"source-uuid": "7551188b-8f91-4d34-8350-0d0c57b2b913",
"target-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d"
},
"uuid": "f72d9605-eea6-4ed4-8502-231d4c21431f",
"value": "Elise (S0081) uses Process Injection (T1055)"
},
{
"meta": {
"source-uuid": "e066bf86-9cfb-407a-9d25-26fd5d91e360",
"target-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6"
},
"uuid": "b052a076-6d4e-49f5-95ac-16264ef05b1d",
"value": "HTTPBrowser (S0070) uses Standard Application Layer Protocol (T1071)"
},
{
"meta": {
"source-uuid": "37cc7eb6-12e3-467b-82e8-f20f2cc73c69",
"target-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc"
},
"uuid": "c5fa4766-4468-4afd-9b5f-5ce4f443729d",
"value": "Prikormka (S0113) uses Registry Run Keys / Start Folder (T1060)"
},
{
"meta": {
"source-uuid": "123bd7b3-675c-4b1a-8482-c55782b20e2b",
"target-uuid": "c21d5a77-d422-4a69-acd7-2c53c1faa34b"
},
"uuid": "b9b0e376-f249-432f-a0d3-dfa259b4757a",
"value": "BUBBLEWRAP (S0043) uses Standard Non-Application Layer Protocol (T1095)"
},
{
"meta": {
"source-uuid": "8c553311-0baa-4146-997a-f79acef3d831",
"target-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d"
},
"uuid": "22a75bbf-5490-40cb-bdb7-a0eda5e95d21",
"value": "RARSTONE (S0055) uses Process Injection (T1055)"
},
{
"meta": {
"source-uuid": "6a2e693f-24e5-451a-9f88-b36a108e5662",
"target-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22"
},
"uuid": "28b27852-4125-4639-a07b-0b97dfdb650a",
"value": "APT1 (G0006) uses Credential Dumping (T1003)"
},
{
"meta": {
"source-uuid": "123bd7b3-675c-4b1a-8482-c55782b20e2b",
"target-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1"
},
"uuid": "ea4c3651-b2a3-418e-8d3b-3c8075b988ef",
"value": "BUBBLEWRAP (S0043) uses System Information Discovery (T1082)"
},
{
"meta": {
"source-uuid": "687c23e4-4e25-4ee7-a870-c5e002511f54",
"target-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a"
},
"uuid": "40772ec1-2f25-425f-aad5-635f64ba8fd2",
"value": "DustySky (S0062) uses Obfuscated Files or Information (T1027)"
},
{
"meta": {
"source-uuid": "247cb30b-955f-42eb-97a5-a89fef69341e",
"target-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a"
},
"uuid": "db91e39d-daa4-4f9c-a7a6-be67eba712d2",
"value": "APT32 (G0050) uses Obfuscated Files or Information (T1027)"
},
{
"meta": {
"source-uuid": "b96680d1-5eb3-4f07-b95c-00ab904ac236",
"target-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add"
},
"uuid": "ce4707f0-d5b8-4dd6-b5ab-cf1483dd236f",
"value": "Pisloader (S0124) uses Remote File Copy (T1105)"
},
{
"meta": {
"source-uuid": "8901ac23-6b50-410c-b0dd-d8174a86f9b3",
"target-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0"
},
"uuid": "3c630128-27ba-4c71-b09a-c9ac39e7acac",
"value": "Shamoon (S0140) uses Masquerading (T1036)"
},
{
"meta": {
"source-uuid": "aeff5887-8f9e-48d5-a523-9b395e2ce80a",
"target-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22"
},
"uuid": "ef79ec2f-fd7f-4f0b-851c-d215693987be",
"value": "Credential Dumping Mitigation (T1003) mitigates Credential Dumping (T1003)"
},
{
"meta": {
"source-uuid": "495b6cdb-7b5a-4fbc-8d33-e7ef68806d08",
"target-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add"
},
"uuid": "720cc0d6-9285-425b-bda2-3bdd59b4ea8f",
"value": "Volgmer (S0180) uses Remote File Copy (T1105)"
},
{
"meta": {
"source-uuid": "00c3bfcb-99bd-4767-8c03-b08f585f5c8a",
"target-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104"
},
"uuid": "5efe685d-66a6-4f1f-8779-4aae5db859d0",
"value": "PowerDuke (S0139) uses System Owner/User Discovery (T1033)"
},
{
"meta": {
"source-uuid": "a653431d-6a5e-4600-8ad3-609b5af57064",
"target-uuid": "c16e5409-ee53-4d79-afdc-4099dc9292df"
},
"uuid": "44f230bb-b59a-4f30-8203-5e5ffd9796f5",
"value": "Deep Panda (G0009) uses Web Shell (T1100)"
},
{
"meta": {
"source-uuid": "fbb470da-1d44-4f29-bbb3-9efbe20f94a3",
"target-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add"
},
"uuid": "d7699bcf-5732-40f5-a715-d430b00b043e",
"value": "Mivast (S0080) uses Remote File Copy (T1105)"
},
{
"meta": {
"source-uuid": "f6d1d2cb-12f5-4221-9636-44606ea1f3f8",
"target-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896"
},
"uuid": "60198640-1e5a-4b8e-9a69-5f275f7e0e68",
"value": "OSInfo (S0165) uses Query Registry (T1012)"
},
{
"meta": {
"source-uuid": "bef4c620-0787-42a8-a96d-b7eb6e85917c",
"target-uuid": "b21c3b2d-02e6-45b1-980b-e69051040839"
},
"uuid": "cce31baa-5862-4df5-806f-15aaa7410fa5",
"value": "APT28 (G0007) uses Exploitation of Vulnerability (T1068)"
},
{
"meta": {
"source-uuid": "5967cc93-57c9-404a-8ffd-097edfa7bdfc",
"target-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6"
},
"uuid": "27a64a3a-62cb-4c1b-adfc-5070e2f1e744",
"value": "Hi-Zor (S0087) uses Standard Application Layer Protocol (T1071)"
},
{
"meta": {
"source-uuid": "752db800-ea54-4e7a-b4c1-2a0292350ea7",
"target-uuid": "7d751199-05fa-4a72-920f-85df4506c76c"
},
"uuid": "4ce0f95f-577c-4a02-a355-328cf376ceba",
"value": "Multi-hop Proxy Mitigation (T1188) mitigates Multi-hop Proxy (T1188)"
},
{
"meta": {
"source-uuid": "68dca94f-c11d-421e-9287-7c501108e18c",
"target-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9"
},
"uuid": "bdee01a7-16cb-417e-8d9b-c98afd445bbc",
"value": "Duqu (S0038) uses Scheduled Task (T1053)"
},
{
"meta": {
"source-uuid": "0bbdf25b-30ff-4894-a1cd-49260d0dd2d9",
"target-uuid": "a93494bb-4b80-4ea1-8695-3236a49916fd"
},
"uuid": "1334cbe3-8613-4279-9a1f-58781c2656a4",
"value": "APT3 (G0022) uses Brute Force (T1110)"
},
{
"meta": {
"source-uuid": "2a7914cf-dff3-428d-ab0f-1014d1c28aeb",
"target-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc"
},
"uuid": "4b45b720-a606-4c52-a28a-2ef298f9b42f",
"value": "FIN6 (G0037) uses Registry Run Keys / Start Folder (T1060)"
},
{
"meta": {
"source-uuid": "af2ad3b7-ab6a-4807-91fd-51bcaff9acbb",
"target-uuid": "30208d3e-0d6b-43c8-883e-44462a514619"
},
"uuid": "7a892ca0-f915-4dc1-817a-cdcfb6777f28",
"value": "USBStealer (S0136) uses Automated Collection (T1119)"
},
{
"meta": {
"source-uuid": "12cba7de-0a22-4a56-b51e-c514c67c3b43",
"target-uuid": "ce73ea43-8e77-47ba-9c11-5e9c9c58b9ff"
},
"uuid": "0fe893d6-a52f-4828-a792-eeb6a3e4f979",
"value": "Hidden Users Mitigation (T1147) mitigates Hidden Users (T1147)"
},
{
"meta": {
"source-uuid": "fb366179-766c-4a4a-afa1-52bff1fd601c",
"target-uuid": "b9f5dbe2-4c55-4fc5-af2e-d42c1d182ec4"
},
"uuid": "a73f9ed3-7f51-4709-a63f-f5ef59aa25cf",
"value": "Threat Group-3390 (G0027) uses Data Compressed (T1002)"
},
{
"meta": {
"source-uuid": "82cb34ba-02b5-432b-b2d2-07f55cbf674d",
"target-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688"
},
"uuid": "0bd9fd2b-e2f7-48f1-8988-31c041691585",
"value": "Trojan.Karagany (S0094) uses Screen Capture (T1113)"
},
{
"meta": {
"source-uuid": "80a014ba-3fef-4768-990b-37d8bd10d7f4",
"target-uuid": "6ff403bc-93e3-48be-8687-e102fdba8c88"
},
"uuid": "229e8b6e-6c16-406a-8def-7588aaae4fcb",
"value": "Uroburos (S0022) uses Software Packing (T1045)"
},
{
"meta": {
"source-uuid": "65341f30-bec6-4b1d-8abf-1a5620446c29",
"target-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0"
},
"uuid": "f6cb3957-be7f-41bf-ad44-3dfbd7a5dfe2",
"value": "Reaver (S0172) uses System Network Configuration Discovery (T1016)"
},
{
"meta": {
"source-uuid": "fbe9387f-34e6-4828-ac28-3080020c597b",
"target-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59"
},
"uuid": "059f8b03-59f9-45da-9c12-862f50e5fe45",
"value": "FIN10 (G0051) uses File Deletion (T1107)"
},
{
"meta": {
"source-uuid": "91000a8a-58cc-4aba-9ad0-993ad6302b86",
"target-uuid": "478aa214-2ca7-4ec0-9978-18798e514790"
},
"uuid": "5576c38e-6b03-4ea9-8936-60eeddb749a7",
"value": "StreamEx (S0142) uses New Service (T1050)"
},
{
"meta": {
"source-uuid": "64fa0de0-6240-41f4-8638-f4ca7ed528fd",
"target-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670"
},
"uuid": "deafd60c-af1a-40eb-bc43-287b37553fae",
"value": "PlugX (S0013) uses Execution through API (T1106)"
},
{
"meta": {
"source-uuid": "f5352566-1a64-49ac-8f7f-97e1d1a03300",
"target-uuid": "ca1a3f50-5ebd-41f8-8320-2c7d6a6e88be"
},
"uuid": "5cd8b8a9-fd11-4405-8369-b12398b94def",
"value": "AutoIt backdoor (S0129) uses Bypass User Account Control (T1088)"
},
{
"meta": {
"source-uuid": "03342581-f790-4f03-ba41-e82e67392e23",
"target-uuid": "f3c544dc-673c-4ef3-accb-53229f1ae077"
},
"uuid": "12455fe5-42dd-420e-839e-8a96886488f7",
"value": "Net (S0039) uses System Time Discovery (T1124)"
},
{
"meta": {
"source-uuid": "910482b1-6749-4934-abcb-3e34d58294fc",
"target-uuid": "772bc7a8-a157-42cc-8728-d648e25c7fe7"
},
"uuid": "65a4317d-86b2-40c1-9d27-a067bcc2ad80",
"value": "Distributed Component Object Model Mitigation (T1175) mitigates Distributed Component Object Model (T1175)"
},
{
"meta": {
"source-uuid": "ccd61dfc-b03f-4689-8c18-7c97eab08472",
"target-uuid": "4b74a1d4-b0e9-4ef1-93f1-14ecc6e2f5b5"
},
"uuid": "f29a3a93-e697-4d6f-8087-eec72856bae5",
"value": "CHOPSTICK (S0023) uses Standard Cryptographic Protocol (T1032)"
},
{
"meta": {
"source-uuid": "2a7914cf-dff3-428d-ab0f-1014d1c28aeb",
"target-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6"
},
"uuid": "20c7d1a2-be94-4f58-83a9-7eb9e05c4449",
"value": "FIN6 (G0037) uses Standard Application Layer Protocol (T1071)"
},
{
"meta": {
"source-uuid": "58adaaa8-f1e8-4606-9a08-422e568461eb",
"target-uuid": "72b74d71-8169-42aa-92e0-e7b04b9f5a08"
},
"uuid": "33630ee4-24dc-4339-b29f-3d8b39e7daae",
"value": "SHOTPUT (S0063) uses Account Discovery (T1087)"
},
{
"meta": {
"source-uuid": "3753cc21-2dae-4dfb-8481-d004e74502cc",
"target-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9"
},
"uuid": "1f7b17e9-9ad3-42dd-ab92-e3afe752247b",
"value": "FIN7 (G0046) uses Scheduled Task (T1053)"
},
{
"meta": {
"source-uuid": "afc079f3-c0ea-4096-b75d-3f05338b7f60",
"target-uuid": "a10641f4-87b4-45a3-a906-92a149cb2c27"
},
"uuid": "6e641c36-188b-480e-b177-e412cd000b34",
"value": "Mimikatz (S0002) uses Account Manipulation (T1098)"
},
{
"meta": {
"source-uuid": "89f63ae4-f229-4a5c-95ad-6f22ed2b5c49",
"target-uuid": "a10641f4-87b4-45a3-a906-92a149cb2c27"
},
"uuid": "f76355cb-9aa5-403c-aae4-8faed799ac31",
"value": "Skeleton Key (S0007) uses Account Manipulation (T1098)"
},
{
"meta": {
"source-uuid": "b6b3dfc7-9a81-43ff-ac04-698bad48973a",
"target-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a"
},
"uuid": "92b34cc0-b059-4294-824f-bb92298f3ae6",
"value": "Daserf (S0187) uses Obfuscated Files or Information (T1027)"
},
{
"meta": {
"source-uuid": "6a2e693f-24e5-451a-9f88-b36a108e5662",
"target-uuid": "b07c2c47-fefb-4d7c-a69e-6a3296171f54"
},
"uuid": "6e366a30-cf75-4a47-855f-91a006014ada",
"value": "APT1 (G0006) uses gsecdump (S0008)"
},
{
"meta": {
"source-uuid": "247cb30b-955f-42eb-97a5-a89fef69341e",
"target-uuid": "aafea02e-ece5-4bb2-91a6-3bf8c7f38a39"
},
"uuid": "ab9b78cc-2b83-4074-beeb-0af4aad906d3",
"value": "APT32 (G0050) uses Cobalt Strike (S0154)"
},
{
"meta": {
"source-uuid": "59a97b15-8189-4d51-9404-e1ce8ea4a069",
"target-uuid": "348f1eef-964b-4eb6-bb53-69b3dcb0c643"
},
"uuid": "6c8303dd-6ecc-47ea-abd6-6d5b2e557d96",
"value": "XAgentOSX (S0161) uses Peripheral Device Discovery (T1120)"
},
{
"meta": {
"source-uuid": "fb575479-14ef-41e9-bfab-0b7cf10bec73",
"target-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2"
},
"uuid": "0d328be7-85d2-4558-a4e3-cc5ce8bc7e2e",
"value": "ADVSTORESHELL (S0045) uses Input Capture (T1056)"
},
{
"meta": {
"source-uuid": "a8d3d497-2da9-4797-8e0b-ed176be08654",
"target-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d"
},
"uuid": "e7baabf7-9300-432d-aa78-000ac099d4d3",
"value": "Wingbird (S0176) uses Process Injection (T1055)"
},
{
"meta": {
"source-uuid": "0bbdf25b-30ff-4894-a1cd-49260d0dd2d9",
"target-uuid": "b2001907-166b-4d71-bb3c-9d26c871de09"
},
"uuid": "99c0cda4-91b1-4845-9891-9a4b89c128f9",
"value": "APT3 (G0022) uses DLL Side-Loading (T1073)"
},
{
"meta": {
"source-uuid": "5967cc93-57c9-404a-8ffd-097edfa7bdfc",
"target-uuid": "f879d51c-5476-431c-aedf-f14d207e4d1e"
},
"uuid": "5b650388-4ab3-4c56-a69e-df7eba7f0756",
"value": "Hi-Zor (S0087) uses Commonly Used Port (T1043)"
},
{
"meta": {
"source-uuid": "bef4c620-0787-42a8-a96d-b7eb6e85917c",
"target-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59"
},
"uuid": "5ea36f9f-f5b6-4494-be0a-061058d6b1f1",
"value": "APT28 (G0007) uses File Deletion (T1107)"
},
{
"meta": {
"source-uuid": "2a6f4c7b-e690-4cc7-ab6b-1f821fb6b80b",
"target-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6"
},
"uuid": "12cc7738-bb90-4e77-a96d-8e4f312e07d4",
"value": "LOWBALL (S0042) uses Standard Application Layer Protocol (T1071)"
},
{
"meta": {
"source-uuid": "94379dec-5c87-49db-b36e-66abc0b81344",
"target-uuid": "3b3cbbe0-6ed3-4334-b543-3ddfd8c5642d"
},
"uuid": "a7cb0193-e854-4361-b1a1-fc4e68354c59",
"value": "Derusbi (S0021) uses Custom Cryptographic Protocol (T1024)"
},
{
"meta": {
"source-uuid": "166c0eca-02fd-424a-92c0-6b5106994d31",
"target-uuid": "478aa214-2ca7-4ec0-9978-18798e514790"
},
"uuid": "3f02c07f-663f-4c54-b7e0-c2b2dbe82335",
"value": "ZLib (S0086) uses New Service (T1050)"
},
{
"meta": {
"source-uuid": "fbe9387f-34e6-4828-ac28-3080020c597b",
"target-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc"
},
"uuid": "75b383eb-5483-4c44-a721-ee1cffa6edb7",
"value": "FIN10 (G0051) uses Registry Run Keys / Start Folder (T1060)"
},
{
"meta": {
"source-uuid": "899ce53f-13a0-479b-a0e4-67d46e241542",
"target-uuid": "2eb9b131-d333-4a48-9eb4-d8dec46c19ee"
},
"uuid": "eeae630c-0c58-4397-90fb-05f5b60b720f",
"value": "APT29 (G0016) uses CosmicDuke (S0050)"
},
{
"meta": {
"source-uuid": "aafea02e-ece5-4bb2-91a6-3bf8c7f38a39",
"target-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5"
},
"uuid": "f4865a5c-c17c-408a-94de-2feac0d006fd",
"value": "Cobalt Strike (S0154) uses Data from Local System (T1005)"
},
{
"meta": {
"source-uuid": "68dca94f-c11d-421e-9287-7c501108e18c",
"target-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d"
},
"uuid": "7c3b845e-56ca-4580-b060-a3fa42b86a86",
"value": "Duqu (S0038) uses Process Injection (T1055)"
},
{
"meta": {
"source-uuid": "0f862b01-99da-47cc-9bdb-db4a86a95bb1",
"target-uuid": "478aa214-2ca7-4ec0-9978-18798e514790"
},
"uuid": "ea6289bb-c974-4e4c-bdc4-1c3211a6d1d4",
"value": "Emissary (S0082) uses New Service (T1050)"
},
{
"meta": {
"source-uuid": "4c59cce8-cb48-4141-b9f1-f646edfaadb0",
"target-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6"
},
"uuid": "2fe9c7cf-44aa-495b-bde6-80cbfc4fbed9",
"value": "Regin (S0019) uses Standard Application Layer Protocol (T1071)"
},
{
"meta": {
"source-uuid": "98e8a977-3416-43aa-87fa-33e287e9c14c",
"target-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896"
},
"uuid": "47f611f4-b9f0-42ef-9629-ee4a56e737ed",
"value": "WINDSHIELD (S0155) uses Query Registry (T1012)"
},
{
"meta": {
"source-uuid": "894aab42-3371-47b1-8859-a4a074c804c8",
"target-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6"
},
"uuid": "782da600-bc3b-4dae-89d1-4a79522bed02",
"value": "Stealth Falcon (G0038) uses Standard Application Layer Protocol (T1071)"
},
{
"meta": {
"source-uuid": "37cc7eb6-12e3-467b-82e8-f20f2cc73c69",
"target-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22"
},
"uuid": "5c84cfe2-a395-47c6-831a-4491f8585a00",
"value": "Prikormka (S0113) uses Credential Dumping (T1003)"
},
{
"meta": {
"source-uuid": "cf23bf4a-e003-4116-bbae-1ea6c558d565",
"target-uuid": "f879d51c-5476-431c-aedf-f14d207e4d1e"
},
"uuid": "05352dad-ecbb-477c-a05c-5eb3d67ae9ae",
"value": "FTP (S0095) uses Commonly Used Port (T1043)"
},
{
"meta": {
"source-uuid": "899ce53f-13a0-479b-a0e4-67d46e241542",
"target-uuid": "c23b740b-a42b-47a1-aec2-9d48ddd547ff"
},
"uuid": "5de21fc4-c460-4da4-9dc4-2acdd54640a8",
"value": "APT29 (G0016) uses Pass the Hash (T1075)"
},
{
"meta": {
"source-uuid": "69d6f4a9-fcf0-4f51-bca7-597c51ad0bb8",
"target-uuid": "7e150503-88e7-4861-866b-ff1ac82c4475"
},
"uuid": "24bce281-7858-4a42-bfd6-601800fb63f7",
"value": "Remsec (S0125) uses System Network Connections Discovery (T1049)"
},
{
"meta": {
"source-uuid": "69d6f4a9-fcf0-4f51-bca7-597c51ad0bb8",
"target-uuid": "b21c3b2d-02e6-45b1-980b-e69051040839"
},
"uuid": "131fde9c-7a83-4603-9c1e-c41f815fb14c",
"value": "Remsec (S0125) uses Exploitation of Vulnerability (T1068)"
},
{
"meta": {
"source-uuid": "899ce53f-13a0-479b-a0e4-67d46e241542",
"target-uuid": "5e7ef1dc-7fb6-4913-ac75-e06113b59e0c"
},
"uuid": "7243a679-467e-4c31-b413-547016b9c3ad",
"value": "APT29 (G0016) uses MiniDuke (S0051)"
},
{
"meta": {
"source-uuid": "afc079f3-c0ea-4096-b75d-3f05338b7f60",
"target-uuid": "56ff457d-5e39-492b-974c-dfd2b8603ffe"
},
"uuid": "1c5b8ff2-400a-4e0f-a819-3cc8f1bc76b8",
"value": "Mimikatz (S0002) uses Private Keys (T1145)"
},
{
"meta": {
"source-uuid": "222fbd21-fc4f-4b7e-9f85-0e6e3a76c33f",
"target-uuid": "9de2308e-7bed-43a3-8e58-f194b3586700"
},
"uuid": "4aa62b6b-7441-4ece-9cb0-2a5bcb46f966",
"value": "menuPass (G0045) uses pwdump (S0006)"
},
{
"meta": {
"source-uuid": "5be33fef-39c0-4532-84ee-bea31e1b5324",
"target-uuid": "1c338d0f-a65e-4073-a5c1-c06878849f21"
},
"uuid": "b1df64c9-782d-4452-8c4a-5ef933503c13",
"value": "ISMInjector (S0189) uses Process Hollowing (T1093)"
},
{
"meta": {
"source-uuid": "9e729a7e-0dd6-4097-95bf-db8d64911383",
"target-uuid": "3b744087-9945-4a6f-91e8-9dbceda417a4"
},
"uuid": "5bad7b38-36b5-4208-9895-e4a113c511a3",
"value": "Darkhotel (G0012) uses Replication Through Removable Media (T1091)"
},
{
"meta": {
"source-uuid": "2dd34b01-6110-4aac-835d-b5e7b936b0be",
"target-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a"
},
"uuid": "8e82a523-fc73-4f3b-98dc-3b1e7199cd93",
"value": "OLDBAIT (S0138) uses Obfuscated Files or Information (T1027)"
},
{
"meta": {
"source-uuid": "69d6f4a9-fcf0-4f51-bca7-597c51ad0bb8",
"target-uuid": "b8c5c9dd-a662-479d-9428-ae745872537c"
},
"uuid": "46f301cd-8ae3-431a-931b-df4bb4fee271",
"value": "Remsec (S0125) uses Password Filter DLL (T1174)"
},
{
"meta": {
"source-uuid": "d69c8146-ab35-4d50-8382-6fc80e641d43",
"target-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59"
},
"uuid": "9fe01f98-e0b3-4749-b9a6-eb10c216c548",
"value": "BLACKCOFFEE (S0069) uses File Deletion (T1107)"
},
{
"meta": {
"source-uuid": "6a2e693f-24e5-451a-9f88-b36a108e5662",
"target-uuid": "4fa49fc0-9162-4bdb-a37e-7aa3dcb6d38b"
},
"uuid": "cf467be5-c162-4763-801b-32cb57a514ef",
"value": "APT1 (G0006) uses xCmd (S0123)"
},
{
"meta": {
"source-uuid": "91000a8a-58cc-4aba-9ad0-993ad6302b86",
"target-uuid": "62b8c999-dcc0-4755-bd69-09442d9359f5"
},
"uuid": "1b4ee147-dc39-43d2-b468-fcd308e6cbae",
"value": "StreamEx (S0142) uses Rundll32 (T1085)"
},
{
"meta": {
"source-uuid": "68dca94f-c11d-421e-9287-7c501108e18c",
"target-uuid": "ad255bfe-a9e6-4b52-a258-8d3462abe842"
},
"uuid": "c0905059-1f3c-414c-8027-b8ec2e4b3c89",
"value": "Duqu (S0038) uses Data Obfuscation (T1001)"
},
{
"meta": {
"source-uuid": "23bff3ce-021c-4e7a-9aee-60fd40bc7c6c",
"target-uuid": "9e80ddfb-ce32-4961-a778-ca6a10cfae72"
},
"uuid": "2e5931ef-cc28-49e8-b0c1-7705227ee5cf",
"value": "Sudo Mitigation (T1169) mitigates Sudo (T1169)"
},
{
"meta": {
"source-uuid": "7c1796c7-9fc3-4c3e-9416-527295bf5d95",
"target-uuid": "f879d51c-5476-431c-aedf-f14d207e4d1e"
},
"uuid": "a34d1e30-dcf5-4743-93e5-e4834e980f0f",
"value": "Commonly Used Port Mitigation (T1043) mitigates Commonly Used Port (T1043)"
},
{
"meta": {
"source-uuid": "5f9f7648-04ba-4a9f-bb4c-2a13e74572bd",
"target-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add"
},
"uuid": "35ae6625-8563-493c-8950-1230bd0fd122",
"value": "Pteranodon (S0147) uses Remote File Copy (T1105)"
},
{
"meta": {
"source-uuid": "1cc934e4-b01d-4543-a011-b988dfc1a458",
"target-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2"
},
"uuid": "1f99a883-e78f-423d-9837-2b5ebb14fe63",
"value": "Matroyshka (S0167) uses Input Capture (T1056)"
},
{
"meta": {
"source-uuid": "fb366179-766c-4a4a-afa1-52bff1fd601c",
"target-uuid": "7dd95ff6-712e-4056-9626-312ea4ab4c5e"
},
"uuid": "1b45f3b5-b7a4-4424-a8ff-1b1f1c1a55d9",
"value": "Threat Group-3390 (G0027) uses Data Staged (T1074)"
},
{
"meta": {
"source-uuid": "7dbb67c7-270a-40ad-836e-c45f8948aa5a",
"target-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830"
},
"uuid": "f3bbff8f-5f4b-40aa-a55f-e3880a582868",
"value": "KOMPROGO (S0156) uses Command-Line Interface (T1059)"
},
{
"meta": {
"source-uuid": "09b2cd76-c674-47cc-9f57-d2f2ad150a46",
"target-uuid": "15dbf668-795c-41e6-8219-f0447c0e64ce"
},
"uuid": "533deac3-2f27-4256-bb11-7d68d8824d47",
"value": "POWRUNER (S0184) uses Permission Groups Discovery (T1069)"
},
{
"meta": {
"source-uuid": "bef4c620-0787-42a8-a96d-b7eb6e85917c",
"target-uuid": "7343e208-7cab-45f2-a47b-41ba5e2f0fab"
},
"uuid": "92c68b65-18b8-44e9-a368-692048ba9611",
"value": "APT28 (G0007) uses XTunnel (S0117)"
},
{
"meta": {
"source-uuid": "f8dfbc54-b070-4224-b560-79aaa5f835bd",
"target-uuid": "6ff403bc-93e3-48be-8687-e102fdba8c88"
},
"uuid": "98aeed7c-e88b-4c5b-8e8e-21ee3534abe9",
"value": "H1N1 (S0132) uses Software Packing (T1045)"
},
{
"meta": {
"source-uuid": "16ade1aa-0ea1-4bb7-88cc-9079df2ae756",
"target-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0"
},
"uuid": "4da943df-a7dc-499f-a8b7-ca8d298d8ff6",
"value": "admin@338 (G0018) uses Masquerading (T1036)"
},
{
"meta": {
"source-uuid": "fb366179-766c-4a4a-afa1-52bff1fd601c",
"target-uuid": "e066bf86-9cfb-407a-9d25-26fd5d91e360"
},
"uuid": "75c3b5f6-a0ca-4afc-baad-ef19ed4317b3",
"value": "Threat Group-3390 (G0027) uses HTTPBrowser (S0070)"
},
{
"meta": {
"source-uuid": "aafea02e-ece5-4bb2-91a6-3bf8c7f38a39",
"target-uuid": "99709758-2b96-48f2-a68a-ad7fbd828091"
},
"uuid": "290c0a54-2702-4d6e-97db-1eafa9a7a1f3",
"value": "Cobalt Strike (S0154) uses Multiband Communication (T1026)"
},
{
"meta": {
"source-uuid": "0e5bdf42-a7f7-4d16-a074-4915bd262f80",
"target-uuid": "a19e86f8-1c0a-4fea-8407-23b73d615776"
},
"uuid": "6f991c49-462a-4cb8-8096-15c77f7ccace",
"value": "Exfiltration Over Alternative Protocol Mitigation (T1048) mitigates Exfiltration Over Alternative Protocol (T1048)"
},
{
"meta": {
"source-uuid": "fb261c56-b80e-43a9-8351-c84081e7213d",
"target-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6"
},
"uuid": "5697b245-d888-40ab-af72-9236c6daa273",
"value": "BACKSPACE (S0031) uses Standard Application Layer Protocol (T1071)"
},
{
"meta": {
"source-uuid": "37cc7eb6-12e3-467b-82e8-f20f2cc73c69",
"target-uuid": "7bc57495-ea59-4380-be31-a64af124ef18"
},
"uuid": "e64a09d0-4205-4aca-8acb-f6926233d107",
"value": "Prikormka (S0113) uses File and Directory Discovery (T1083)"
},
{
"meta": {
"source-uuid": "a60657fa-e2e7-4f8f-8128-a882534ae8c5",
"target-uuid": "d54416bd-0803-41ca-870a-ce1af7c05638"
},
"uuid": "a83992e1-5be5-433e-b3f1-d9ccde98c9ca",
"value": "OwaAuth (S0072) uses Data Encrypted (T1022)"
},
{
"meta": {
"source-uuid": "b2c5d3ca-b43a-4888-ad8d-e2d43497bf85",
"target-uuid": "ad255bfe-a9e6-4b52-a258-8d3462abe842"
},
"uuid": "04ba0d26-d931-423e-a3de-713892c0af97",
"value": "P2P ZeuS (S0016) uses Data Obfuscation (T1001)"
},
{
"meta": {
"source-uuid": "a8d3d497-2da9-4797-8e0b-ed176be08654",
"target-uuid": "478aa214-2ca7-4ec0-9978-18798e514790"
},
"uuid": "a8aac75d-ef58-4dda-97a8-9584a6a6baaf",
"value": "Wingbird (S0176) uses New Service (T1050)"
},
{
"meta": {
"source-uuid": "67e6d66b-1b82-4699-b47a-e2efb6268d14",
"target-uuid": "a257ed11-ff3b-4216-8c9d-3938ef57064c"
},
"uuid": "02a7ea5c-695c-4932-9160-6e0441789670",
"value": "SeaDuke (S0053) uses Pass the Ticket (T1097)"
},
{
"meta": {
"source-uuid": "65341f30-bec6-4b1d-8abf-1a5620446c29",
"target-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59"
},
"uuid": "3bf633d0-5578-4e3a-a599-52f3946f6623",
"value": "Reaver (S0172) uses File Deletion (T1107)"
},
{
"meta": {
"source-uuid": "894aab42-3371-47b1-8859-a4a074c804c8",
"target-uuid": "92d7da27-2d91-488e-a00c-059dc162766d"
},
"uuid": "e1592867-e02f-4c1f-a9f2-1c60e25a1301",
"value": "Stealth Falcon (G0038) uses Exfiltration Over Command and Control Channel (T1041)"
},
{
"meta": {
"source-uuid": "a13e35cc-8c90-4d77-a965-5461042c1612",
"target-uuid": "970cdb5c-02fb-4c38-b17e-d6327cf3c810"
},
"uuid": "2482623f-65a7-4da5-8cb2-64279319e3dc",
"value": "Shortcut Modification Mitigation (T1023) mitigates Shortcut Modification (T1023)"
},
{
"meta": {
"source-uuid": "54cc1d4f-5c53-4f0e-9ef5-11b4998e82e4",
"target-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6"
},
"uuid": "f5a175ba-ed26-44f8-9828-c2aa0e1f7d86",
"value": "BlackEnergy (S0089) uses Standard Application Layer Protocol (T1071)"
},
{
"meta": {
"source-uuid": "5a63f900-5e7e-4928-a746-dd4558e1df71",
"target-uuid": "241814ae-de3f-4656-b49e-f9a80764d4b7"
},
"uuid": "f0d218a3-9f7b-4f21-aa4a-34dc25f05b61",
"value": "netsh (S0108) uses Security Software Discovery (T1063)"
},
{
"meta": {
"source-uuid": "00c3bfcb-99bd-4767-8c03-b08f585f5c8a",
"target-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc"
},
"uuid": "f0b00a47-9d63-4d05-b771-022a21a4ed06",
"value": "PowerDuke (S0139) uses Registry Run Keys / Start Folder (T1060)"
},
{
"meta": {
"source-uuid": "37cc7eb6-12e3-467b-82e8-f20f2cc73c69",
"target-uuid": "cc7b8c4e-9be0-47ca-b0bb-83915ec3ee2f"
},
"uuid": "9cf37d0b-a23d-4514-961d-94d1cc6e2bef",
"value": "Prikormka (S0113) uses Data Encoding (T1132)"
},
{
"meta": {
"source-uuid": "5f9f7648-04ba-4a9f-bb4c-2a13e74572bd",
"target-uuid": "7dd95ff6-712e-4056-9626-312ea4ab4c5e"
},
"uuid": "c93bb2b9-bd22-4e14-b884-2141168387b2",
"value": "Pteranodon (S0147) uses Data Staged (T1074)"
},
{
"meta": {
"source-uuid": "c93fccb1-e8e8-42cf-ae33-2ad1d183913a",
"target-uuid": "7dd95ff6-712e-4056-9626-312ea4ab4c5e"
},
"uuid": "5f055076-79d1-44e8-95cb-43fc515df2f6",
"value": "Lazarus Group (G0032) uses Data Staged (T1074)"
},
{
"meta": {
"source-uuid": "b07c2c47-fefb-4d7c-a69e-6a3296171f54",
"target-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22"
},
"uuid": "108a1655-faba-4016-a276-c224665cb5c4",
"value": "gsecdump (S0008) uses Credential Dumping (T1003)"
},
{
"meta": {
"source-uuid": "2a7914cf-dff3-428d-ab0f-1014d1c28aeb",
"target-uuid": "d54416bd-0803-41ca-870a-ce1af7c05638"
},
"uuid": "0c78e3a7-45c5-454f-8905-a831fbede841",
"value": "FIN6 (G0037) uses Data Encrypted (T1022)"
},
{
"meta": {
"source-uuid": "fb261c56-b80e-43a9-8351-c84081e7213d",
"target-uuid": "7bc57495-ea59-4380-be31-a64af124ef18"
},
"uuid": "991c16bd-c17b-479a-8f45-385467323c0a",
"value": "BACKSPACE (S0031) uses File and Directory Discovery (T1083)"
},
{
"meta": {
"source-uuid": "4689b9fb-dca4-473e-831b-34717ad50c97",
"target-uuid": "830c9528-df21-472c-8c14-a036bf17d665"
},
"uuid": "91af9744-413c-4e9c-bfdb-a9ca167e9bb5",
"value": "Web Service Mitigation (T1102) mitigates Web Service (T1102)"
},
{
"meta": {
"source-uuid": "800bdfba-6d66-480f-9f45-15845c05cb5d",
"target-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59"
},
"uuid": "7985b09e-9241-489c-a0f2-45a6f5c782f1",
"value": "pngdowner (S0067) uses File Deletion (T1107)"
},
{
"meta": {
"source-uuid": "899ce53f-13a0-479b-a0e4-67d46e241542",
"target-uuid": "01a5a209-b94c-450b-b7f9-946497d91055"
},
"uuid": "ab51525b-93c6-4ea8-bd83-b9547f1317bb",
"value": "APT29 (G0016) uses Windows Management Instrumentation (T1047)"
},
{
"meta": {
"source-uuid": "e9595678-d269-469e-ae6b-75e49259de63",
"target-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830"
},
"uuid": "a2a31eb7-0b22-416c-b12d-e52e5f37f8b8",
"value": "BADNEWS (S0128) uses Command-Line Interface (T1059)"
},
{
"meta": {
"source-uuid": "0b32ec39-ba61-4864-9ebe-b4b0b73caf9a",
"target-uuid": "478aa214-2ca7-4ec0-9978-18798e514790"
},
"uuid": "e2b4bcf2-58a6-49ed-bc72-21226ff419bd",
"value": "TDTESS (S0164) uses New Service (T1050)"
},
{
"meta": {
"source-uuid": "d45f03a8-790a-4f90-b956-cd7e5b8886bf",
"target-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81"
},
"uuid": "3c3f26b3-d676-4e17-adca-2a8ea4643148",
"value": "Valid Accounts Mitigation (T1078) mitigates Valid Accounts (T1078)"
},
{
"meta": {
"source-uuid": "7a19ecb1-3c65-4de3-a230-993516aed6a6",
"target-uuid": "03342581-f790-4f03-ba41-e82e67392e23"
},
"uuid": "cd79beea-20ee-4b4f-aad1-5cc34d27398c",
"value": "Turla (G0010) uses Net (S0039)"
},
{
"meta": {
"source-uuid": "6a0ef5d4-fc7c-4dda-85d7-592e4dbdc5d9",
"target-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc"
},
"uuid": "c1421d39-cb5d-4bac-a931-9c641066c0fd",
"value": "Sykipot (S0018) uses Registry Run Keys / Start Folder (T1060)"
},
{
"meta": {
"source-uuid": "c11ac61d-50f4-444f-85d8-6f006067f0de",
"target-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0"
},
"uuid": "c954a1f5-c925-4c5c-ad64-62545dfbe383",
"value": "route (S0103) uses System Network Configuration Discovery (T1016)"
},
{
"meta": {
"source-uuid": "222fbd21-fc4f-4b7e-9f85-0e6e3a76c33f",
"target-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22"
},
"uuid": "9066dcee-7c80-429c-a5cc-77458e891349",
"value": "menuPass (G0045) uses Credential Dumping (T1003)"
},
{
"meta": {
"source-uuid": "68ba94ab-78b8-43e7-83e2-aed3466882c6",
"target-uuid": "09b2cd76-c674-47cc-9f57-d2f2ad150a46"
},
"uuid": "96235e56-e55a-4146-a9a6-956f8f1f7dcf",
"value": "APT34 (G0057) uses POWRUNER (S0184)"
},
{
"meta": {
"source-uuid": "0bbdf25b-30ff-4894-a1cd-49260d0dd2d9",
"target-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59"
},
"uuid": "9b7bf5d9-23a0-4190-80c0-b27b906bafcc",
"value": "APT3 (G0022) uses File Deletion (T1107)"
},
{
"meta": {
"source-uuid": "463f68f1-5cde-4dc2-a831-68b73488f8f4",
"target-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add"
},
"uuid": "56d858ef-2d62-4aa9-b050-699de9b048e9",
"value": "MobileOrder (S0079) uses Remote File Copy (T1105)"
},
{
"meta": {
"source-uuid": "c93fccb1-e8e8-42cf-ae33-2ad1d183913a",
"target-uuid": "01a5a209-b94c-450b-b7f9-946497d91055"
},
"uuid": "64a17aba-5182-4666-bd37-dafa9d835fe8",
"value": "Lazarus Group (G0032) uses Windows Management Instrumentation (T1047)"
},
{
"meta": {
"source-uuid": "aafea02e-ece5-4bb2-91a6-3bf8c7f38a39",
"target-uuid": "7fd87010-3a00-4da3-b905-410525e8ec44"
},
"uuid": "23dca74f-2b3e-46c0-b7a3-9d9eab932f58",
"value": "Cobalt Strike (S0154) uses Scripting (T1064)"
},
{
"meta": {
"source-uuid": "0f862b01-99da-47cc-9bdb-db4a86a95bb1",
"target-uuid": "519630c5-f03f-4882-825c-3af924935817"
},
"uuid": "d200ba08-8179-495e-a854-9b13be5c0f93",
"value": "Emissary (S0082) uses Binary Padding (T1009)"
},
{
"meta": {
"source-uuid": "d1acfbb3-647b-4723-9154-800ec119006e",
"target-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1"
},
"uuid": "e20b57e5-c010-4b9e-a04e-660daa8b5c87",
"value": "Sowbug (G0054) uses System Information Discovery (T1082)"
},
{
"meta": {
"source-uuid": "7551188b-8f91-4d34-8350-0d0c57b2b913",
"target-uuid": "128c55d3-aeba-469f-bd3e-c8996ab4112a"
},
"uuid": "6deeb486-90c3-4279-8549-17c81ea2466b",
"value": "Elise (S0081) uses Timestomp (T1099)"
},
{
"meta": {
"source-uuid": "0bbdf25b-30ff-4894-a1cd-49260d0dd2d9",
"target-uuid": "00d0b012-8a03-410e-95de-5826bf542de6"
},
"uuid": "febbf503-d7e5-4896-90b9-35b6a811b19b",
"value": "APT3 (G0022) uses Indicator Removal from Tools (T1066)"
},
{
"meta": {
"source-uuid": "495b6cdb-7b5a-4fbc-8d33-e7ef68806d08",
"target-uuid": "f879d51c-5476-431c-aedf-f14d207e4d1e"
},
"uuid": "2902ccff-873a-4ebc-bdf4-caaae629ae9d",
"value": "Volgmer (S0180) uses Commonly Used Port (T1043)"
},
{
"meta": {
"source-uuid": "23b6a0f5-fa95-46f9-a6f3-4549c5e45ec8",
"target-uuid": "6ff403bc-93e3-48be-8687-e102fdba8c88"
},
"uuid": "047ee6d3-1b85-4a0f-96a6-6ead4be43548",
"value": "Night Dragon (G0014) uses Software Packing (T1045)"
},
{
"meta": {
"source-uuid": "2eb9b131-d333-4a48-9eb4-d8dec46c19ee",
"target-uuid": "ae676644-d2d2-41b7-af7e-9bed1b55898c"
},
"uuid": "3e7c9978-4db1-4ee1-ae27-640acee5a543",
"value": "CosmicDuke (S0050) uses Data from Network Shared Drive (T1039)"
},
{
"meta": {
"source-uuid": "1cc934e4-b01d-4543-a011-b988dfc1a458",
"target-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688"
},
"uuid": "a56aafe6-4a54-4ce5-b927-8b56826b3445",
"value": "Matroyshka (S0167) uses Screen Capture (T1113)"
},
{
"meta": {
"source-uuid": "d1acfbb3-647b-4723-9154-800ec119006e",
"target-uuid": "ae676644-d2d2-41b7-af7e-9bed1b55898c"
},
"uuid": "5f3eb1ae-782e-4e49-8e1e-650f3e5a1139",
"value": "Sowbug (G0054) uses Data from Network Shared Drive (T1039)"
},
{
"meta": {
"source-uuid": "4ca1929c-7d64-4aab-b849-badbfc0c760d",
"target-uuid": "03342581-f790-4f03-ba41-e82e67392e23"
},
"uuid": "3fb836b7-41cf-40d1-bd56-14e45e6bbd02",
"value": "OilRig (G0049) uses Net (S0039)"
},
{
"meta": {
"source-uuid": "a8d3d497-2da9-4797-8e0b-ed176be08654",
"target-uuid": "6e6845c2-347a-4a6f-a2d1-b74a18ebd352"
},
"uuid": "019eb3cf-35df-4109-a006-1b91331866c3",
"value": "Wingbird (S0176) uses LSASS Driver (T1177)"
},
{
"meta": {
"source-uuid": "76abb3ef-dafd-4762-97cb-a35379429db4",
"target-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc"
},
"uuid": "2fb450c6-e236-4b81-b5ac-a9d4be0cf167",
"value": "Gazer (S0168) uses Registry Run Keys / Start Folder (T1060)"
},
{
"meta": {
"source-uuid": "0f862b01-99da-47cc-9bdb-db4a86a95bb1",
"target-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830"
},
"uuid": "2c158663-599b-45a8-b946-6d545206428d",
"value": "Emissary (S0082) uses Command-Line Interface (T1059)"
},
{
"meta": {
"source-uuid": "e1161124-f22e-487f-9d5f-ed8efc8dcd61",
"target-uuid": "cc7b8c4e-9be0-47ca-b0bb-83915ec3ee2f"
},
"uuid": "7f1c30eb-051f-4d1a-9d81-1ee46f7779c7",
"value": "Mis-Type (S0084) uses Data Encoding (T1132)"
},
{
"meta": {
"source-uuid": "4ca1929c-7d64-4aab-b849-badbfc0c760d",
"target-uuid": "f24faf46-3b26-4dbb-98f2-63460498e433"
},
"uuid": "12daddcc-b964-485e-8c2d-10f554d78bcc",
"value": "OilRig (G0049) uses Fallback Channels (T1008)"
},
{
"meta": {
"source-uuid": "f108215f-3487-489d-be8b-80e346d32518",
"target-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580"
},
"uuid": "9a62c02a-e373-494e-af73-f8b3274e8c9b",
"value": "Komplex (S0162) uses Process Discovery (T1057)"
},
{
"meta": {
"source-uuid": "fb366179-766c-4a4a-afa1-52bff1fd601c",
"target-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5"
},
"uuid": "aec0a948-428f-4327-b466-a0472da12928",
"value": "Threat Group-3390 (G0027) uses Data from Local System (T1005)"
},
{
"meta": {
"source-uuid": "23061b40-a7b6-454f-8950-95d5ff80331c",
"target-uuid": "d519cfd5-f3a8-43a9-a846-ed0bb40672b1"
},
"uuid": "85bddba6-3848-4d2d-a4fa-4c4b71274a02",
"value": "Install Root Certificate Mitigation (T1130) mitigates Install Root Certificate (T1130)"
},
{
"meta": {
"source-uuid": "55033a4d-3ffe-46b2-99b4-2c1541e9ce1c",
"target-uuid": "2e0dd10b-676d-4964-acd0-8a404c92b044"
},
"uuid": "1ae1ce05-3db2-4a97-8e58-0ed3d65d9d22",
"value": "Carbanak (G0008) uses Disabling Security Tools (T1089)"
},
{
"meta": {
"source-uuid": "d69c8146-ab35-4d50-8382-6fc80e641d43",
"target-uuid": "830c9528-df21-472c-8c14-a036bf17d665"
},
"uuid": "8b0e9de1-a7b0-479e-aee7-76f2549508c6",
"value": "BLACKCOFFEE (S0069) uses Web Service (T1102)"
},
{
"meta": {
"source-uuid": "c085476e-1964-4d7f-86e1-d8657a7741e8",
"target-uuid": "9b99b83a-1aac-4e29-b975-b374950551a3"
},
"uuid": "1da0f3c7-d9e2-4379-a84c-782fc94a75d5",
"value": "Accessibility Features Mitigation (T1015) mitigates Accessibility Features (T1015)"
},
{
"meta": {
"source-uuid": "2a158b0a-7ef8-43cb-9985-bf34d1e12050",
"target-uuid": "cf23bf4a-e003-4116-bbae-1ea6c558d565"
},
"uuid": "0ead6cee-20a4-46fb-a9c1-8686a776f455",
"value": "Naikon (G0019) uses FTP (S0095)"
},
{
"meta": {
"source-uuid": "17862c7d-9e60-48a0-b48e-da4dc4c3f6b0",
"target-uuid": "830c9528-df21-472c-8c14-a036bf17d665"
},
"uuid": "b3a9c32f-c6d0-46d4-8936-dd4fec61d305",
"value": "Patchwork (G0040) uses Web Service (T1102)"
},
{
"meta": {
"source-uuid": "dc5d1a33-62aa-4a0c-aa8c-589b87beb11e",
"target-uuid": "2e0dd10b-676d-4964-acd0-8a404c92b044"
},
"uuid": "2ade8c03-2395-4175-9a22-8541836f27cd",
"value": "ChChes (S0144) uses Disabling Security Tools (T1089)"
},
{
"meta": {
"source-uuid": "53cf6cc4-65aa-445a-bcf8-c3d296f8a7a2",
"target-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580"
},
"uuid": "16043223-3846-4138-93d0-671339ba3646",
"value": "NETEAGLE (S0034) uses Process Discovery (T1057)"
},
{
"meta": {
"source-uuid": "5e595477-2e78-4ce7-ae42-e0b059b17808",
"target-uuid": "f4882e23-8aa7-4b12-b28a-b349c12ee9e0"
},
"uuid": "8d5d9206-a213-465d-b384-6152eb2796a0",
"value": "POSHSPY (S0150) uses PowerShell (T1086)"
},
{
"meta": {
"source-uuid": "876f6a77-fbc5-4e13-ab1a-5611986730a3",
"target-uuid": "30208d3e-0d6b-43c8-883e-44462a514619"
},
"uuid": "11bc3d01-fc44-415c-b5a3-5576f5cb6057",
"value": "T9000 (S0098) uses Automated Collection (T1119)"
},
{
"meta": {
"source-uuid": "96913243-2b5e-4483-a65c-bb152ddd2f04",
"target-uuid": "46944654-fcc1-4f63-9dad-628102376586"
},
"uuid": "069e82d5-89f2-4477-a1f5-115be8ab040a",
"value": "DLL Search Order Hijacking Mitigation (T1038) mitigates DLL Search Order Hijacking (T1038)"
},
{
"meta": {
"source-uuid": "899ce53f-13a0-479b-a0e4-67d46e241542",
"target-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9"
},
"uuid": "4a0887ab-3ec3-436a-b378-6e28847dfb1e",
"value": "APT29 (G0016) uses Scheduled Task (T1053)"
},
{
"meta": {
"source-uuid": "9ca488bd-9587-48ef-b923-1743523e63b2",
"target-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4"
},
"uuid": "6592447f-31c8-46d0-8e88-47584fa301f0",
"value": "SOUNDBITE (S0157) uses Modify Registry (T1112)"
},
{
"meta": {
"source-uuid": "f9b3e5d9-7454-4b7d-bce6-27620e19924e",
"target-uuid": "6aabc5ec-eae6-422c-8311-38d45ee9838a"
},
"uuid": "9691a6a8-12d0-45a7-8217-11d1793234cb",
"value": "Redundant Access Mitigation (T1108) mitigates Redundant Access (T1108)"
},
{
"meta": {
"source-uuid": "c620e3a1-fff5-424f-abea-d2b0f3616f67",
"target-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1"
},
"uuid": "c28d6f10-431f-493c-8abd-918240c5c970",
"value": "System Information Discovery Mitigation (T1082) mitigates System Information Discovery (T1082)"
},
{
"meta": {
"source-uuid": "7a19ecb1-3c65-4de3-a230-993516aed6a6",
"target-uuid": "7e150503-88e7-4861-866b-ff1ac82c4475"
},
"uuid": "3325e625-d76b-42df-b952-749dabb57517",
"value": "Turla (G0010) uses System Network Connections Discovery (T1049)"
},
{
"meta": {
"source-uuid": "17b40f60-729f-4fe8-8aea-cc9ee44a95d5",
"target-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add"
},
"uuid": "f4902ad9-b1bb-41ce-a448-55e2d9437503",
"value": "RedLeaves (S0153) uses Remote File Copy (T1105)"
},
{
"meta": {
"source-uuid": "4b62ab58-c23b-4704-9c15-edd568cd59f8",
"target-uuid": "0f20e3cb-245b-4a61-8a91-2d93f7cb0e9b"
},
"uuid": "89433640-bf49-48b3-9f26-76423cd36f77",
"value": "Hacking Team UEFI Rootkit (S0047) uses Rootkit (T1014)"
},
{
"meta": {
"source-uuid": "e547ed6a-f1ca-40df-8613-2ce27927f145",
"target-uuid": "e6415f09-df0e-48de-9aba-928c902b7549"
},
"uuid": "2083aef8-4d72-4bef-8cbc-33f2c5f4a176",
"value": "Exfiltration Over Physical Medium Mitigation (T1052) mitigates Exfiltration Over Physical Medium (T1052)"
},
{
"meta": {
"source-uuid": "aafea02e-ece5-4bb2-91a6-3bf8c7f38a39",
"target-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2"
},
"uuid": "be20faa9-64bf-4a65-86c2-dc12f5695d22",
"value": "Cobalt Strike (S0154) uses Input Capture (T1056)"
},
{
"meta": {
"source-uuid": "7a19ecb1-3c65-4de3-a230-993516aed6a6",
"target-uuid": "80a014ba-3fef-4768-990b-37d8bd10d7f4"
},
"uuid": "6a87ff58-10b1-4fbc-a633-d7d8a34d1b29",
"value": "Turla (G0010) uses Uroburos (S0022)"
},
{
"meta": {
"source-uuid": "a0cb9370-e39b-44d5-9f50-ef78e412b973",
"target-uuid": "95047f03-4811-4300-922e-1ba937d53a61"
},
"uuid": "a8122755-90fe-4b68-8fa1-55ed7be90931",
"value": "Axiom (G0001) uses Hikit (S0009)"
},
{
"meta": {
"source-uuid": "899ce53f-13a0-479b-a0e4-67d46e241542",
"target-uuid": "f4882e23-8aa7-4b12-b28a-b349c12ee9e0"
},
"uuid": "7f78df2e-e6e9-43f1-815b-58e4a10fc594",
"value": "APT29 (G0016) uses PowerShell (T1086)"
},
{
"meta": {
"source-uuid": "2fb26586-2b53-4b9a-ad4f-2b3bcb9a2421",
"target-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2"
},
"uuid": "8d4effdd-6d91-473d-aa81-d121f1c77881",
"value": "SslMM (S0058) uses Input Capture (T1056)"
},
{
"meta": {
"source-uuid": "03342581-f790-4f03-ba41-e82e67392e23",
"target-uuid": "ffe742ed-9100-4686-9e00-c331da544787"
},
"uuid": "a2423ac3-94b4-4936-962b-06562115cb70",
"value": "Net (S0039) uses Windows Admin Shares (T1077)"
},
{
"meta": {
"source-uuid": "c0c45d38-fe57-4cd4-b2b2-9ecd0ddd4ca9",
"target-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc"
},
"uuid": "aeaa2f37-4014-4313-9fe2-8616b352a90c",
"value": "TinyZBot (S0004) uses Registry Run Keys / Start Folder (T1060)"
},
{
"meta": {
"source-uuid": "53cf6cc4-65aa-445a-bcf8-c3d296f8a7a2",
"target-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc"
},
"uuid": "617fe29d-ac48-4cd0-ae8c-19cf7cfdbedd",
"value": "NETEAGLE (S0034) uses Registry Run Keys / Start Folder (T1060)"
},
{
"meta": {
"source-uuid": "4ca1929c-7d64-4aab-b849-badbfc0c760d",
"target-uuid": "eff1a885-6f90-42a1-901f-eef6e7a1905e"
},
"uuid": "ae1de9c5-6bc0-459a-b4ca-568139a5ee41",
"value": "OilRig (G0049) uses Helminth (S0170)"
},
{
"meta": {
"source-uuid": "a60657fa-e2e7-4f8f-8128-a882534ae8c5",
"target-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2"
},
"uuid": "33caa1a2-8465-47b9-89c4-94f4e9a899c7",
"value": "OwaAuth (S0072) uses Input Capture (T1056)"
},
{
"meta": {
"source-uuid": "60c18d06-7b91-4742-bae3-647845cd9d81",
"target-uuid": "cc7b8c4e-9be0-47ca-b0bb-83915ec3ee2f"
},
"uuid": "35d35ecf-1326-4690-b105-23280e29c120",
"value": "CORESHELL (S0137) uses Data Encoding (T1132)"
},
{
"meta": {
"source-uuid": "2a7914cf-dff3-428d-ab0f-1014d1c28aeb",
"target-uuid": "e358d692-23c0-4a31-9eb6-ecc13a8d7735"
},
"uuid": "ade72dc6-559e-4a84-9024-1a862faec6a0",
"value": "FIN6 (G0037) uses Remote System Discovery (T1018)"
},
{
"meta": {
"source-uuid": "fb261c56-b80e-43a9-8351-c84081e7213d",
"target-uuid": "731f4f55-b6d0-41d1-a7a9-072a66389aea"
},
"uuid": "7cbedb9a-666f-47eb-b70e-905bcf80940a",
"value": "BACKSPACE (S0031) uses Connection Proxy (T1090)"
},
{
"meta": {
"source-uuid": "e8d22ec6-2236-48de-954b-974d17492782",
"target-uuid": "dd43c543-bb85-4a6f-aa6e-160d90d06a49"
},
"uuid": "196a2d37-4b87-465d-8d92-2e614cda869c",
"value": "Two-Factor Authentication Interception Mitigation (T1111) mitigates Two-Factor Authentication Interception (T1111)"
},
{
"meta": {
"source-uuid": "92ec0cbd-2c30-44a2-b270-73f4ec949841",
"target-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104"
},
"uuid": "aad1cfa0-0df0-4768-87c2-5e59da2c5e44",
"value": "RTM (S0148) uses System Owner/User Discovery (T1033)"
},
{
"meta": {
"source-uuid": "dfb5fa9b-3051-4b97-8035-08f80aef945b",
"target-uuid": "128c55d3-aeba-469f-bd3e-c8996ab4112a"
},
"uuid": "d8a7ec97-b262-489d-bc4b-e2c7007f75bc",
"value": "Psylo (S0078) uses Timestomp (T1099)"
},
{
"meta": {
"source-uuid": "c93fccb1-e8e8-42cf-ae33-2ad1d183913a",
"target-uuid": "4b74a1d4-b0e9-4ef1-93f1-14ecc6e2f5b5"
},
"uuid": "4c06e313-2cde-494c-a8dc-449649a1afa6",
"value": "Lazarus Group (G0032) uses Standard Cryptographic Protocol (T1032)"
},
{
"meta": {
"source-uuid": "fe98767f-9df8-42b9-83c9-004b1dec8647",
"target-uuid": "b07c2c47-fefb-4d7c-a69e-6a3296171f54"
},
"uuid": "7ed93170-2dba-4e59-b0f0-7c716c73bdc0",
"value": "PittyTiger (G0011) uses gsecdump (S0008)"
},
{
"meta": {
"source-uuid": "c93fccb1-e8e8-42cf-ae33-2ad1d183913a",
"target-uuid": "d54416bd-0803-41ca-870a-ce1af7c05638"
},
"uuid": "552ac18c-4fac-4cb0-aefc-811a10e1c320",
"value": "Lazarus Group (G0032) uses Data Encrypted (T1022)"
},
{
"meta": {
"source-uuid": "6b616fc1-1505-48e3-8b2c-0d19337bff38",
"target-uuid": "30208d3e-0d6b-43c8-883e-44462a514619"
},
"uuid": "121a09bd-f603-4476-a149-a3cba52f268c",
"value": "Rover (S0090) uses Automated Collection (T1119)"
},
{
"meta": {
"source-uuid": "6b62e336-176f-417b-856a-8552dd8c44e1",
"target-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6"
},
"uuid": "062b1f19-2afb-4bdc-908e-99594ff114cf",
"value": "Epic (S0091) uses Standard Application Layer Protocol (T1071)"
},
{
"meta": {
"source-uuid": "68ba94ab-78b8-43e7-83e2-aed3466882c6",
"target-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688"
},
"uuid": "11ebf3ff-b184-4010-b238-951e041370db",
"value": "APT34 (G0057) uses Screen Capture (T1113)"
},
{
"meta": {
"source-uuid": "54cc1d4f-5c53-4f0e-9ef5-11b4998e82e4",
"target-uuid": "7bc57495-ea59-4380-be31-a64af124ef18"
},
"uuid": "37f94533-8fbe-48d2-bf4f-f825ad75ff98",
"value": "BlackEnergy (S0089) uses File and Directory Discovery (T1083)"
},
{
"meta": {
"source-uuid": "92ec0cbd-2c30-44a2-b270-73f4ec949841",
"target-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4"
},
"uuid": "94b4de9a-1f83-4923-8d4b-e9bafdb1bef9",
"value": "RTM (S0148) uses Modify Registry (T1112)"
},
{
"meta": {
"source-uuid": "fb575479-14ef-41e9-bfab-0b7cf10bec73",
"target-uuid": "cc7b8c4e-9be0-47ca-b0bb-83915ec3ee2f"
},
"uuid": "103f1ad4-feec-4be3-9da7-ee0b2503c318",
"value": "ADVSTORESHELL (S0045) uses Data Encoding (T1132)"
},
{
"meta": {
"source-uuid": "e9595678-d269-469e-ae6b-75e49259de63",
"target-uuid": "b2001907-166b-4d71-bb3c-9d26c871de09"
},
"uuid": "283e242a-72d4-4b40-8905-888595c34919",
"value": "BADNEWS (S0128) uses DLL Side-Loading (T1073)"
},
{
"meta": {
"source-uuid": "979e6485-7a2f-42bd-ae96-4e622c3cd173",
"target-uuid": "54a649ff-439a-41a4-9856-8d144a2551ba"
},
"uuid": "2c0fe330-edcf-4519-a577-c3c9b086d60a",
"value": "Remote Services Mitigation (T1021) mitigates Remote Services (T1021)"
},
{
"meta": {
"source-uuid": "2eb9b131-d333-4a48-9eb4-d8dec46c19ee",
"target-uuid": "478aa214-2ca7-4ec0-9978-18798e514790"
},
"uuid": "17629f20-194c-48cb-aa1c-b3da2b6f06ba",
"value": "CosmicDuke (S0050) uses New Service (T1050)"
},
{
"meta": {
"source-uuid": "222fbd21-fc4f-4b7e-9f85-0e6e3a76c33f",
"target-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0"
},
"uuid": "4cc8afb8-86ab-4537-926f-3178975a7886",
"value": "menuPass (G0045) uses System Network Configuration Discovery (T1016)"
},
{
"meta": {
"source-uuid": "34d6a2ef-370e-4d21-a34b-6208b7c78f31",
"target-uuid": "c1a452f3-6499-4c12-b7e9-a6a0a102af76"
},
"uuid": "fcf18dc5-8ac0-4ae7-84b9-c47ebd468022",
"value": "Process Doppelgänging Mitigation (T1186) mitigates Process Doppelgänging (T1186)"
},
{
"meta": {
"source-uuid": "7343e208-7cab-45f2-a47b-41ba5e2f0fab",
"target-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830"
},
"uuid": "3264e1db-0f54-4049-a45c-3a03a24709aa",
"value": "XTunnel (S0117) uses Command-Line Interface (T1059)"
},
{
"meta": {
"source-uuid": "083bb47b-02c8-4423-81a2-f9ef58572974",
"target-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104"
},
"uuid": "d2d9a619-4379-4e15-9115-40ca9209f316",
"value": "Backdoor.Oldrea (S0093) uses System Owner/User Discovery (T1033)"
},
{
"meta": {
"source-uuid": "9ea525fa-b0a9-4dde-84f2-bcea0137b3c1",
"target-uuid": "c21d5a77-d422-4a69-acd7-2c53c1faa34b"
},
"uuid": "51c5e624-d08e-4750-91f9-fdc98ec56552",
"value": "MoonWind (S0149) uses Standard Non-Application Layer Protocol (T1095)"
},
{
"meta": {
"source-uuid": "388606d3-f38f-45bf-885d-a9dc9df3c8a8",
"target-uuid": "2e0dd10b-676d-4964-acd0-8a404c92b044"
},
"uuid": "b35a5218-e64d-49b5-a37d-6390edddece6",
"value": "Disabling Security Tools Mitigation (T1089) mitigates Disabling Security Tools (T1089)"
},
{
"meta": {
"source-uuid": "2a7914cf-dff3-428d-ab0f-1014d1c28aeb",
"target-uuid": "4b74a1d4-b0e9-4ef1-93f1-14ecc6e2f5b5"
},
"uuid": "de840f88-b9d0-4f7e-b5c0-b666faa2d92f",
"value": "FIN6 (G0037) uses Standard Cryptographic Protocol (T1032)"
},
{
"meta": {
"source-uuid": "b6b3dfc7-9a81-43ff-ac04-698bad48973a",
"target-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830"
},
"uuid": "03c08ef9-80c7-4f20-b197-ad44f702f2e0",
"value": "Daserf (S0187) uses Command-Line Interface (T1059)"
},
{
"meta": {
"source-uuid": "64d76fa5-cf8f-469c-b78c-1a4f7c5bad80",
"target-uuid": "3b3cbbe0-6ed3-4334-b543-3ddfd8c5642d"
},
"uuid": "805f7ba3-a904-410c-b9fd-20356c595b19",
"value": "BBSRAT (S0127) uses Custom Cryptographic Protocol (T1024)"
},
{
"meta": {
"source-uuid": "4ca1929c-7d64-4aab-b849-badbfc0c760d",
"target-uuid": "30208d3e-0d6b-43c8-883e-44462a514619"
},
"uuid": "a24299ed-9735-453c-bd13-66269b2d5d16",
"value": "OilRig (G0049) uses Automated Collection (T1119)"
},
{
"meta": {
"source-uuid": "899ce53f-13a0-479b-a0e4-67d46e241542",
"target-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc"
},
"uuid": "343d285a-e910-487b-8e85-dc87cdb63be3",
"value": "APT29 (G0016) uses Registry Run Keys / Start Folder (T1060)"
},
{
"meta": {
"source-uuid": "68ba94ab-78b8-43e7-83e2-aed3466882c6",
"target-uuid": "2e45723a-31da-4a7e-aaa6-e01998a6788f"
},
"uuid": "5c38fba7-20c6-4872-ad05-21f0f77e0820",
"value": "APT34 (G0057) uses Tasklist (S0057)"
},
{
"meta": {
"source-uuid": "dcd81c6e-ebf7-4a16-93e0-9a97fa49c88a",
"target-uuid": "f4882e23-8aa7-4b12-b28a-b349c12ee9e0"
},
"uuid": "2f68f61d-07e1-4181-a26c-93433f9f0db7",
"value": "CopyKittens (G0052) uses PowerShell (T1086)"
},
{
"meta": {
"source-uuid": "bef4c620-0787-42a8-a96d-b7eb6e85917c",
"target-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a"
},
"uuid": "1b143de7-af2d-4991-9e2e-aa85a8d7d330",
"value": "APT28 (G0007) uses Obfuscated Files or Information (T1027)"
},
{
"meta": {
"source-uuid": "2eb9b131-d333-4a48-9eb4-d8dec46c19ee",
"target-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688"
},
"uuid": "7331b11d-1d5e-4275-ba7e-a83ec4a59259",
"value": "CosmicDuke (S0050) uses Screen Capture (T1113)"
},
{
"meta": {
"source-uuid": "93f52415-0fe4-4d3d-896c-fc9b8e88ab90",
"target-uuid": "7fd87010-3a00-4da3-b905-410525e8ec44"
},
"uuid": "d57dd9d9-d075-48c4-ae54-ed0aeae575de",
"value": "BRONZE BUTLER (G0060) uses Scripting (T1064)"
},
{
"meta": {
"source-uuid": "0b32ec39-ba61-4864-9ebe-b4b0b73caf9a",
"target-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830"
},
"uuid": "ce424541-5cfa-4885-ad62-f3f70fa27099",
"value": "TDTESS (S0164) uses Command-Line Interface (T1059)"
},
{
"meta": {
"source-uuid": "e9595678-d269-469e-ae6b-75e49259de63",
"target-uuid": "7dd95ff6-712e-4056-9626-312ea4ab4c5e"
},
"uuid": "db8f1355-57f0-446d-a261-b168497b20c6",
"value": "BADNEWS (S0128) uses Data Staged (T1074)"
},
{
"meta": {
"source-uuid": "64fa0de0-6240-41f4-8638-f4ca7ed528fd",
"target-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6"
},
"uuid": "6bf4098c-7667-44df-bdaa-076b9099f851",
"value": "PlugX (S0013) uses Standard Application Layer Protocol (T1071)"
},
{
"meta": {
"source-uuid": "9559ecaf-2e75-48a7-aee8-9974020bc772",
"target-uuid": "85b39628-204a-48d2-b377-ec368cbcb7ca"
},
"uuid": "13aa912e-bb51-4293-a971-9179442d516a",
"value": "MONSOON (G0042) uses TINYTYPHON (S0131)"
},
{
"meta": {
"source-uuid": "00d7d21b-69d6-4797-88a2-c86f3fc97651",
"target-uuid": "b8c5c9dd-a662-479d-9428-ae745872537c"
},
"uuid": "af088283-7416-466d-86f3-8b55e6d698d4",
"value": "Password Filter DLL Mitigation (T1174) mitigates Password Filter DLL (T1174)"
},
{
"meta": {
"source-uuid": "17b40f60-729f-4fe8-8aea-cc9ee44a95d5",
"target-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1"
},
"uuid": "a8f11c39-df96-451e-a93a-417512f82819",
"value": "RedLeaves (S0153) uses System Information Discovery (T1082)"
},
{
"meta": {
"source-uuid": "f6ae7a52-f3b6-4525-9daf-640c083f006e",
"target-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830"
},
"uuid": "ecb5e830-b678-47a6-98a2-d4dbe162f09e",
"value": "PHOREAL (S0158) uses Command-Line Interface (T1059)"
},
{
"meta": {
"source-uuid": "bcee7b05-89a6-41a5-b7aa-fce4da7ede9e",
"target-uuid": "c23b740b-a42b-47a1-aec2-9d48ddd547ff"
},
"uuid": "396287ea-36d9-4d84-bf22-af559eb20f58",
"value": "Pass the Hash Mitigation (T1075) mitigates Pass the Hash (T1075)"
},
{
"meta": {
"source-uuid": "2f1a9fd0-3b7c-4d77-a358-78db13adbe78",
"target-uuid": "f879d51c-5476-431c-aedf-f14d207e4d1e"
},
"uuid": "9f852541-3fc7-4036-9268-7bc6bfe94900",
"value": "EvilGrab (S0152) uses Commonly Used Port (T1043)"
},
{
"meta": {
"source-uuid": "a766ce73-5583-48f3-b7c0-0bb43c6ef8c7",
"target-uuid": "4b74a1d4-b0e9-4ef1-93f1-14ecc6e2f5b5"
},
"uuid": "32ba984e-dbe9-4a8a-a1b7-16ba560d31d5",
"value": "Standard Cryptographic Protocol Mitigation (T1032) mitigates Standard Cryptographic Protocol (T1032)"
},
{
"meta": {
"source-uuid": "d519164e-f5fa-4b8c-a1fb-cf0172ad0983",
"target-uuid": "03342581-f790-4f03-ba41-e82e67392e23"
},
"uuid": "489e5386-b177-455f-a8b3-d3c6e7afb9b1",
"value": "Threat Group-1314 (G0028) uses Net (S0039)"
},
{
"meta": {
"source-uuid": "37cc7eb6-12e3-467b-82e8-f20f2cc73c69",
"target-uuid": "348f1eef-964b-4eb6-bb53-69b3dcb0c643"
},
"uuid": "33e0178f-c9b2-43db-9e63-3e664ae6bef0",
"value": "Prikormka (S0113) uses Peripheral Device Discovery (T1120)"
},
{
"meta": {
"source-uuid": "4ca1929c-7d64-4aab-b849-badbfc0c760d",
"target-uuid": "294e2560-bd48-44b2-9da2-833b5588ad11"
},
"uuid": "72d6fe7e-ba33-4117-8153-64226f189ed2",
"value": "OilRig (G0049) uses ipconfig (S0100)"
},
{
"meta": {
"source-uuid": "37cc7eb6-12e3-467b-82e8-f20f2cc73c69",
"target-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2"
},
"uuid": "1879905d-a4f6-43a7-aafe-a7e436e5c559",
"value": "Prikormka (S0113) uses Input Capture (T1056)"
},
{
"meta": {
"source-uuid": "67e6d66b-1b82-4699-b47a-e2efb6268d14",
"target-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830"
},
"uuid": "0191f3d3-59d3-4fcc-bfff-5fbfa0675cfd",
"value": "SeaDuke (S0053) uses Command-Line Interface (T1059)"
},
{
"meta": {
"source-uuid": "f28a20fd-d173-4603-807e-2cb3f51bdf04",
"target-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830"
},
"uuid": "b1ee5cba-d4e0-4af0-aa5c-5faacfdb0dbc",
"value": "Command-Line Interface Mitigation (T1059) mitigates Command-Line Interface (T1059)"
},
{
"meta": {
"source-uuid": "6a0ef5d4-fc7c-4dda-85d7-592e4dbdc5d9",
"target-uuid": "428ca9f8-0e33-442a-be87-f869cb4cf73e"
},
"uuid": "10c33088-630e-456d-ad0f-8a63be4d3946",
"value": "Sykipot (S0018) uses Multilayer Encryption (T1079)"
},
{
"meta": {
"source-uuid": "59140a2e-d117-4206-9b2c-2a8662bd9d46",
"target-uuid": "4b74a1d4-b0e9-4ef1-93f1-14ecc6e2f5b5"
},
"uuid": "bdba5fef-c560-4b8a-9ce5-616395a73841",
"value": "Taidoor (G0015) uses Standard Cryptographic Protocol (T1032)"
},
{
"meta": {
"source-uuid": "6a2e693f-24e5-451a-9f88-b36a108e5662",
"target-uuid": "9de2308e-7bed-43a3-8e58-f194b3586700"
},
"uuid": "de979692-5ca5-4874-bfc8-91cea8697ef1",
"value": "APT1 (G0006) uses pwdump (S0006)"
},
{
"meta": {
"source-uuid": "fb575479-14ef-41e9-bfab-0b7cf10bec73",
"target-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830"
},
"uuid": "6f448f20-0349-4132-80ec-d46e94d52426",
"value": "ADVSTORESHELL (S0045) uses Command-Line Interface (T1059)"
},
{
"meta": {
"source-uuid": "899ce53f-13a0-479b-a0e4-67d46e241542",
"target-uuid": "e906ae4d-1d3a-4675-be23-22f7311c0da4"
},
"uuid": "337dc23f-d825-415d-886b-53c3457fbd56",
"value": "APT29 (G0016) uses Windows Management Instrumentation Event Subscription (T1084)"
},
{
"meta": {
"source-uuid": "5f9f7648-04ba-4a9f-bb4c-2a13e74572bd",
"target-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6"
},
"uuid": "50f39180-6e5a-476b-b18f-d4e09e83c9d9",
"value": "Pteranodon (S0147) uses Standard Application Layer Protocol (T1071)"
},
{
"meta": {
"source-uuid": "54cc1d4f-5c53-4f0e-9ef5-11b4998e82e4",
"target-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0"
},
"uuid": "de168dd4-3c59-4fa4-901a-911b1ee81a31",
"value": "BlackEnergy (S0089) uses System Network Configuration Discovery (T1016)"
},
{
"meta": {
"source-uuid": "7009ba4d-83d4-4851-9fbb-e09e28497765",
"target-uuid": "b77cf5f3-6060-475d-bd60-40ccbf28fdc2"
},
"uuid": "66a16f64-8c0d-4647-8589-83ea8ef4fbd3",
"value": "Forced Authentication Mitigation (T1187) mitigates Forced Authentication (T1187)"
},
{
"meta": {
"source-uuid": "17e919aa-4a49-445c-b103-dbb8df9e7351",
"target-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc"
},
"uuid": "afa1f53f-abd9-4e57-b4e1-4e161dd34e9b",
"value": "POWERSOURCE (S0145) uses Registry Run Keys / Start Folder (T1060)"
},
{
"meta": {
"source-uuid": "fb261c56-b80e-43a9-8351-c84081e7213d",
"target-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4"
},
"uuid": "2dec6ce1-e459-4266-86d5-f336ab056f17",
"value": "BACKSPACE (S0031) uses Modify Registry (T1112)"
},
{
"meta": {
"source-uuid": "8f5e8dc7-739d-4f5e-a8a1-a66e004d7063",
"target-uuid": "fde50aaa-f5de-4cb8-989a-babb57d6a704"
},
"uuid": "16fd44bf-405b-49c1-96d7-0cacb5d65e74",
"value": "Cleaver (G0003) uses Net Crawler (S0056)"
},
{
"meta": {
"source-uuid": "f9d6633a-55e6-4adc-9263-6ae080421a13",
"target-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a"
},
"uuid": "8087d99b-cc05-4e2a-abce-687eb726a9e7",
"value": "Magic Hound (G0059) uses Obfuscated Files or Information (T1027)"
},
{
"meta": {
"source-uuid": "8901ac23-6b50-410c-b0dd-d8174a86f9b3",
"target-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add"
},
"uuid": "3ded5760-4f2e-41f5-a2c5-f2b39eaf5733",
"value": "Shamoon (S0140) uses Remote File Copy (T1105)"
},
{
"meta": {
"source-uuid": "65341f30-bec6-4b1d-8abf-1a5620446c29",
"target-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896"
},
"uuid": "f44478f1-fdd7-4e84-8b96-60e6c6a10683",
"value": "Reaver (S0172) uses Query Registry (T1012)"
},
{
"meta": {
"source-uuid": "09b2cd76-c674-47cc-9f57-d2f2ad150a46",
"target-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add"
},
"uuid": "c4d77981-d2e4-4a12-8e52-5b7464cdc8fd",
"value": "POWRUNER (S0184) uses Remote File Copy (T1105)"
},
{
"meta": {
"source-uuid": "9ca488bd-9587-48ef-b923-1743523e63b2",
"target-uuid": "4ae4f953-fe58-4cc8-a327-33257e30a830"
},
"uuid": "b640dfee-9502-4ffb-92e4-f153f8726383",
"value": "SOUNDBITE (S0157) uses Application Window Discovery (T1010)"
},
{
"meta": {
"source-uuid": "2a6f4c7b-e690-4cc7-ab6b-1f821fb6b80b",
"target-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add"
},
"uuid": "25cb2c8f-79d2-4157-8329-fb86caaca0c3",
"value": "LOWBALL (S0042) uses Remote File Copy (T1105)"
},
{
"meta": {
"source-uuid": "687c23e4-4e25-4ee7-a870-c5e002511f54",
"target-uuid": "3b744087-9945-4a6f-91e8-9dbceda417a4"
},
"uuid": "3eb29574-145d-4d4a-b4c6-e94b8a79781e",
"value": "DustySky (S0062) uses Replication Through Removable Media (T1091)"
},
{
"meta": {
"source-uuid": "687c23e4-4e25-4ee7-a870-c5e002511f54",
"target-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc"
},
"uuid": "9a7ff784-436b-40c5-bfb0-25e02e1d9940",
"value": "DustySky (S0062) uses Registry Run Keys / Start Folder (T1060)"
},
{
"meta": {
"source-uuid": "82d8e990-c901-4aed-8596-cc002e7eb307",
"target-uuid": "f3c544dc-673c-4ef3-accb-53229f1ae077"
},
"uuid": "c593abb1-54ce-4196-a11f-f1dd65fed9aa",
"value": "System Time Discovery Mitigation (T1124) mitigates System Time Discovery (T1124)"
},
{
"meta": {
"source-uuid": "cb7bcf6f-085f-41db-81ee-4b68481661b5",
"target-uuid": "92d7da27-2d91-488e-a00c-059dc162766d"
},
"uuid": "dbb1d0eb-c7ee-4794-80d4-66e6281cbc63",
"value": "CallMe (S0077) uses Exfiltration Over Command and Control Channel (T1041)"
},
{
"meta": {
"source-uuid": "7343e208-7cab-45f2-a47b-41ba5e2f0fab",
"target-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a"
},
"uuid": "e8d2c3f1-7c86-438c-bead-6a86f9a36463",
"value": "XTunnel (S0117) uses Obfuscated Files or Information (T1027)"
},
{
"meta": {
"source-uuid": "09b2cd76-c674-47cc-9f57-d2f2ad150a46",
"target-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6"
},
"uuid": "14b70990-48b0-482b-bd5a-3a99d9d9a653",
"value": "POWRUNER (S0184) uses Standard Application Layer Protocol (T1071)"
},
{
"meta": {
"source-uuid": "166c0eca-02fd-424a-92c0-6b5106994d31",
"target-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0"
},
"uuid": "fb9cf04b-ad28-472a-9ee3-a2e744e0e122",
"value": "ZLib (S0086) uses Masquerading (T1036)"
},
{
"meta": {
"source-uuid": "7bec698a-7e20-4fd3-bb6a-12787770fb1a",
"target-uuid": "128c55d3-aeba-469f-bd3e-c8996ab4112a"
},
"uuid": "d43315b0-d708-4197-b3ed-0a0b1199e434",
"value": "3PARA RAT (S0066) uses Timestomp (T1099)"
},
{
"meta": {
"source-uuid": "a19c49aa-36fe-4c05-b817-23e1c7a7d085",
"target-uuid": "92a78814-b191-47ca-909c-1ccfe3777414"
},
"uuid": "82268341-e0a8-4937-8618-351e147daa0c",
"value": "Wiper (S0041) uses Third-party Software (T1072)"
},
{
"meta": {
"source-uuid": "64fa0de0-6240-41f4-8638-f4ca7ed528fd",
"target-uuid": "c21d5a77-d422-4a69-acd7-2c53c1faa34b"
},
"uuid": "2eaea386-ee0f-42c4-bca1-ce2d22062f98",
"value": "PlugX (S0013) uses Standard Non-Application Layer Protocol (T1095)"
},
{
"meta": {
"source-uuid": "68ba94ab-78b8-43e7-83e2-aed3466882c6",
"target-uuid": "0a68f1f1-da74-4d28-8d9a-696c082706cc"
},
"uuid": "eb9366d5-2bd1-4d0b-8f55-2305827c20d1",
"value": "APT34 (G0057) uses certutil (S0160)"
},
{
"meta": {
"source-uuid": "c93fccb1-e8e8-42cf-ae33-2ad1d183913a",
"target-uuid": "b9f5dbe2-4c55-4fc5-af2e-d42c1d182ec4"
},
"uuid": "8c58cfe5-0b71-434c-939a-329b612d2337",
"value": "Lazarus Group (G0032) uses Data Compressed (T1002)"
},
{
"meta": {
"source-uuid": "af2ad3b7-ab6a-4807-91fd-51bcaff9acbb",
"target-uuid": "128c55d3-aeba-469f-bd3e-c8996ab4112a"
},
"uuid": "553dbb57-1174-494c-9cfd-dbc83ecc74f6",
"value": "USBStealer (S0136) uses Timestomp (T1099)"
},
{
"meta": {
"source-uuid": "5f9f7648-04ba-4a9f-bb4c-2a13e74572bd",
"target-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688"
},
"uuid": "0471088d-7b45-4fec-8946-ae5bf463286b",
"value": "Pteranodon (S0147) uses Screen Capture (T1113)"
},
{
"meta": {
"source-uuid": "2a158b0a-7ef8-43cb-9985-bf34d1e12050",
"target-uuid": "5a63f900-5e7e-4928-a746-dd4558e1df71"
},
"uuid": "437dd20a-234f-430b-b9ee-4524e1e12aa9",
"value": "Naikon (G0019) uses netsh (S0108)"
},
{
"meta": {
"source-uuid": "8901ac23-6b50-410c-b0dd-d8174a86f9b3",
"target-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59"
},
"uuid": "86c9bd0f-4251-4103-9be5-65079750c495",
"value": "Shamoon (S0140) uses File Deletion (T1107)"
},
{
"meta": {
"source-uuid": "80c91478-ac87-434f-bee7-11f37aec4d74",
"target-uuid": "edbe24e9-aec4-4994-ac75-6a6bc7f1ddd0"
},
"uuid": "8467ea5f-cb0d-4eb6-b524-8bfd01e58721",
"value": "Dynamic Data Exchange Mitigation (T1173) mitigates Dynamic Data Exchange (T1173)"
},
{
"meta": {
"source-uuid": "37cc7eb6-12e3-467b-82e8-f20f2cc73c69",
"target-uuid": "241814ae-de3f-4656-b49e-f9a80764d4b7"
},
"uuid": "98b7d901-4ede-451f-bab8-3b2b37c56bfd",
"value": "Prikormka (S0113) uses Security Software Discovery (T1063)"
},
{
"meta": {
"source-uuid": "cbf646f1-7db5-4dc6-808b-0094313949df",
"target-uuid": "830c9528-df21-472c-8c14-a036bf17d665"
},
"uuid": "5ebd97d4-1979-40b2-b38b-b6ed44a2f32f",
"value": "CloudDuke (S0054) uses Web Service (T1102)"
},
{
"meta": {
"source-uuid": "fae44eea-caa7-42b7-a2e2-0c815ba81b9a",
"target-uuid": "04ee0cb7-dac3-4c6c-9387-4c6aa096f4cf"
},
"uuid": "edb697fa-d6b2-400a-acad-ccacc38c87c0",
"value": "Hidden Window Mitigation (T1143) mitigates Hidden Window (T1143)"
},
{
"meta": {
"source-uuid": "4ca1929c-7d64-4aab-b849-badbfc0c760d",
"target-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6"
},
"uuid": "166326b3-6864-4667-aee9-4d7b24cc75d8",
"value": "OilRig (G0049) uses Standard Application Layer Protocol (T1071)"
},
{
"meta": {
"source-uuid": "67e6d66b-1b82-4699-b47a-e2efb6268d14",
"target-uuid": "e906ae4d-1d3a-4675-be23-22f7311c0da4"
},
"uuid": "f653eb7d-7027-4161-9071-b52336bd4fbc",
"value": "SeaDuke (S0053) uses Windows Management Instrumentation Event Subscription (T1084)"
},
{
"meta": {
"source-uuid": "dc5d1a33-62aa-4a0c-aa8c-589b87beb11e",
"target-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0"
},
"uuid": "e68684df-28b4-4f06-b553-cacf14866605",
"value": "ChChes (S0144) uses Masquerading (T1036)"
},
{
"meta": {
"source-uuid": "9ea525fa-b0a9-4dde-84f2-bcea0137b3c1",
"target-uuid": "f3c544dc-673c-4ef3-accb-53229f1ae077"
},
"uuid": "77c63e89-71fe-47e3-babb-13e7722932ad",
"value": "MoonWind (S0149) uses System Time Discovery (T1124)"
},
{
"meta": {
"source-uuid": "66b1dcde-17a0-4c7b-95fa-b08d430c2131",
"target-uuid": "72b74d71-8169-42aa-92e0-e7b04b9f5a08"
},
"uuid": "fb0aef48-57f5-4331-acdd-25fdfdf1babb",
"value": "S-Type (S0085) uses Account Discovery (T1087)"
},
{
"meta": {
"source-uuid": "96b08451-b27a-4ff6-893f-790e26393a8e",
"target-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a"
},
"uuid": "266a5edd-1425-4ab1-88bf-a0d7897699eb",
"value": "Sakula (S0074) uses Obfuscated Files or Information (T1027)"
},
{
"meta": {
"source-uuid": "0bbdf25b-30ff-4894-a1cd-49260d0dd2d9",
"target-uuid": "7dd95ff6-712e-4056-9626-312ea4ab4c5e"
},
"uuid": "87ddc052-0933-4722-9fb2-4653c4a3663c",
"value": "APT3 (G0022) uses Data Staged (T1074)"
},
{
"meta": {
"source-uuid": "222fbd21-fc4f-4b7e-9f85-0e6e3a76c33f",
"target-uuid": "731f4f55-b6d0-41d1-a7a9-072a66389aea"
},
"uuid": "3a2d591a-f918-44b3-9e75-7520906b9aa3",
"value": "menuPass (G0045) uses Connection Proxy (T1090)"
},
{
"meta": {
"source-uuid": "e1161124-f22e-487f-9d5f-ed8efc8dcd61",
"target-uuid": "e01be9c5-e763-4caf-aeb7-000b416aef67"
},
"uuid": "7e55e411-230e-4d1a-a780-d07784ed2cd6",
"value": "Mis-Type (S0084) uses Create Account (T1136)"
},
{
"meta": {
"source-uuid": "94379dec-5c87-49db-b36e-66abc0b81344",
"target-uuid": "68f7e3a1-f09f-4164-9a62-16b648a0dd5a"
},
"uuid": "4f3473a4-f5f5-43d8-a4ec-589763695942",
"value": "Derusbi (S0021) uses Regsvr32 (T1117)"
},
{
"meta": {
"source-uuid": "68ba94ab-78b8-43e7-83e2-aed3466882c6",
"target-uuid": "51dea151-0898-4a45-967c-3ebee0420484"
},
"uuid": "02b9b0b1-5e7d-42dd-ae8c-68d126a8c3cd",
"value": "APT34 (G0057) uses Remote Desktop Protocol (T1076)"
},
{
"meta": {
"source-uuid": "6a0ef5d4-fc7c-4dda-85d7-592e4dbdc5d9",
"target-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0"
},
"uuid": "9b203f00-34db-475f-a28b-f5088d937f4e",
"value": "Sykipot (S0018) uses System Network Configuration Discovery (T1016)"
},
{
"meta": {
"source-uuid": "64fa0de0-6240-41f4-8638-f4ca7ed528fd",
"target-uuid": "f879d51c-5476-431c-aedf-f14d207e4d1e"
},
"uuid": "c35702f8-f13f-4851-9cfc-1eea526bd6e1",
"value": "PlugX (S0013) uses Commonly Used Port (T1043)"
},
{
"meta": {
"source-uuid": "e9595678-d269-469e-ae6b-75e49259de63",
"target-uuid": "348f1eef-964b-4eb6-bb53-69b3dcb0c643"
},
"uuid": "f9c7d0e1-135f-4e21-8251-3049bc24c18d",
"value": "BADNEWS (S0128) uses Peripheral Device Discovery (T1120)"
},
{
"meta": {
"source-uuid": "69d6f4a9-fcf0-4f51-bca7-597c51ad0bb8",
"target-uuid": "1b7ba276-eedc-4951-a762-0ceea2c030ec"
},
"uuid": "8e7ff07b-7a32-4ced-ac22-b523586dbde3",
"value": "Remsec (S0125) uses Data from Removable Media (T1025)"
},
{
"meta": {
"source-uuid": "fb261c56-b80e-43a9-8351-c84081e7213d",
"target-uuid": "ad255bfe-a9e6-4b52-a258-8d3462abe842"
},
"uuid": "6c0aae73-fe06-4aa3-8216-568d78747c6d",
"value": "BACKSPACE (S0031) uses Data Obfuscation (T1001)"
},
{
"meta": {
"source-uuid": "2daa14d6-cbf3-4308-bb8e-213c324a08e4",
"target-uuid": "ad255bfe-a9e6-4b52-a258-8d3462abe842"
},
"uuid": "34c4b497-00e3-415c-8e09-3b73667d9bbe",
"value": "HAMMERTOSS (S0037) uses Data Obfuscation (T1001)"
},
{
"meta": {
"source-uuid": "876f6a77-fbc5-4e13-ab1a-5611986730a3",
"target-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688"
},
"uuid": "dd89d8a2-257a-47f9-8b55-8011ca53007b",
"value": "T9000 (S0098) uses Screen Capture (T1113)"
},
{
"meta": {
"source-uuid": "e066bf86-9cfb-407a-9d25-26fd5d91e360",
"target-uuid": "46944654-fcc1-4f63-9dad-628102376586"
},
"uuid": "1762fe5a-0810-4179-bfb0-16d965ffe055",
"value": "HTTPBrowser (S0070) uses DLL Search Order Hijacking (T1038)"
},
{
"meta": {
"source-uuid": "7bec698a-7e20-4fd3-bb6a-12787770fb1a",
"target-uuid": "3b3cbbe0-6ed3-4334-b543-3ddfd8c5642d"
},
"uuid": "4a70e764-5c19-4c8e-97e4-486af893cbfc",
"value": "3PARA RAT (S0066) uses Custom Cryptographic Protocol (T1024)"
},
{
"meta": {
"source-uuid": "94379dec-5c87-49db-b36e-66abc0b81344",
"target-uuid": "f879d51c-5476-431c-aedf-f14d207e4d1e"
},
"uuid": "bd315928-0b74-491c-b526-ee5e1841842b",
"value": "Derusbi (S0021) uses Commonly Used Port (T1043)"
},
{
"meta": {
"source-uuid": "9e9b9415-a7df-406b-b14d-92bfe6809fbe",
"target-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add"
},
"uuid": "438cae9c-cb03-4db9-ae59-24ed27147725",
"value": "Nidiran (S0118) uses Remote File Copy (T1105)"
},
{
"meta": {
"source-uuid": "64fa0de0-6240-41f4-8638-f4ca7ed528fd",
"target-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0"
},
"uuid": "0d989c2e-0207-4412-b52a-5d9bf9f96d18",
"value": "PlugX (S0013) uses Masquerading (T1036)"
},
{
"meta": {
"source-uuid": "dc5d1a33-62aa-4a0c-aa8c-589b87beb11e",
"target-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22"
},
"uuid": "9bc7f2ff-7ba1-42f4-9e96-2112e99ab12a",
"value": "ChChes (S0144) uses Credential Dumping (T1003)"
},
{
"meta": {
"source-uuid": "0ced8926-914e-4c78-bc93-356fb90dbd1f",
"target-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1"
},
"uuid": "d6154157-fe69-4da3-8cc3-790eecf33f8c",
"value": "HALFBAKED (S0151) uses System Information Discovery (T1082)"
},
{
"meta": {
"source-uuid": "aafea02e-ece5-4bb2-91a6-3bf8c7f38a39",
"target-uuid": "772bc7a8-a157-42cc-8728-d648e25c7fe7"
},
"uuid": "2b469307-a635-4392-a18f-ed1f24b3a684",
"value": "Cobalt Strike (S0154) uses Distributed Component Object Model (T1175)"
},
{
"meta": {
"source-uuid": "68dca94f-c11d-421e-9287-7c501108e18c",
"target-uuid": "7dd95ff6-712e-4056-9626-312ea4ab4c5e"
},
"uuid": "611cb6eb-efdb-4d74-b354-5064ab52bd34",
"value": "Duqu (S0038) uses Data Staged (T1074)"
},
{
"meta": {
"source-uuid": "03c0c586-50ed-45a7-95f4-f496d7eb5330",
"target-uuid": "086952c4-5b90-4185-b573-02bad8e11953"
},
"uuid": "94db2b6e-c01c-4aec-9229-4a6dcda3c6ee",
"value": "HISTCONTROL Mitigation (T1148) mitigates HISTCONTROL (T1148)"
},
{
"meta": {
"source-uuid": "102c3898-85e0-43ee-ae28-62a0a3ed9507",
"target-uuid": "ca1a3f50-5ebd-41f8-8320-2c7d6a6e88be"
},
"uuid": "ecd83e69-2eb1-4c2d-a01f-e42ea8f807f9",
"value": "UACMe (S0116) uses Bypass User Account Control (T1088)"
},
{
"meta": {
"source-uuid": "eff1a885-6f90-42a1-901f-eef6e7a1905e",
"target-uuid": "cc7b8c4e-9be0-47ca-b0bb-83915ec3ee2f"
},
"uuid": "e68ff1c2-ef03-486b-96df-167a1652a97b",
"value": "Helminth (S0170) uses Data Encoding (T1132)"
},
{
"meta": {
"source-uuid": "dcd81c6e-ebf7-4a16-93e0-9a97fa49c88a",
"target-uuid": "d54416bd-0803-41ca-870a-ce1af7c05638"
},
"uuid": "292b2a10-ebee-4fbb-b359-2eee16aa46ba",
"value": "CopyKittens (G0052) uses Data Encrypted (T1022)"
},
{
"meta": {
"source-uuid": "aafea02e-ece5-4bb2-91a6-3bf8c7f38a39",
"target-uuid": "54a649ff-439a-41a4-9856-8d144a2551ba"
},
"uuid": "66eb9cc1-4eb4-4b84-8140-bd48da33e93d",
"value": "Cobalt Strike (S0154) uses Remote Services (T1021)"
},
{
"meta": {
"source-uuid": "5cbe0d3b-6fb1-471f-b591-4b192915116d",
"target-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81"
},
"uuid": "82b679af-7408-4f41-8fc0-5b0cf5993726",
"value": "Suckfly (G0039) uses Valid Accounts (T1078)"
},
{
"meta": {
"source-uuid": "222fbd21-fc4f-4b7e-9f85-0e6e3a76c33f",
"target-uuid": "7dd95ff6-712e-4056-9626-312ea4ab4c5e"
},
"uuid": "bbd29878-c16a-45ee-9785-78550f080d83",
"value": "menuPass (G0045) uses Data Staged (T1074)"
},
{
"meta": {
"source-uuid": "af2ad3b7-ab6a-4807-91fd-51bcaff9acbb",
"target-uuid": "3b744087-9945-4a6f-91e8-9dbceda417a4"
},
"uuid": "e3e841fa-b806-4c22-9f98-a97950b68931",
"value": "USBStealer (S0136) uses Replication Through Removable Media (T1091)"
},
{
"meta": {
"source-uuid": "68ba94ab-78b8-43e7-83e2-aed3466882c6",
"target-uuid": "4664b683-f578-434f-919b-1c1aad2a1111"
},
"uuid": "1fe875f1-89b6-447b-9d96-63c0cebecb9b",
"value": "APT34 (G0057) uses netstat (S0104)"
},
{
"meta": {
"source-uuid": "6a2e693f-24e5-451a-9f88-b36a108e5662",
"target-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5"
},
"uuid": "38a72b32-dc04-493d-8b92-31174c32f3ed",
"value": "APT1 (G0006) uses Data from Local System (T1005)"
},
{
"meta": {
"source-uuid": "76abb3ef-dafd-4762-97cb-a35379429db4",
"target-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d"
},
"uuid": "86ebda8c-df0c-4d76-970b-27bf392606a7",
"value": "Gazer (S0168) uses Process Injection (T1055)"
},
{
"meta": {
"source-uuid": "d3afa961-a80c-4043-9509-282cdf69ab21",
"target-uuid": "62b8c999-dcc0-4755-bd69-09442d9359f5"
},
"uuid": "6b11697f-be6c-4cd7-b445-4d277a8d7346",
"value": "Winnti (S0141) uses Rundll32 (T1085)"
},
{
"meta": {
"source-uuid": "0db09158-6e48-4e7c-8ce7-2b10b9c0c039",
"target-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59"
},
"uuid": "70a1cab8-dd98-4b82-9f7f-36294e3889c0",
"value": "Misdat (S0083) uses File Deletion (T1107)"
},
{
"meta": {
"source-uuid": "fb575479-14ef-41e9-bfab-0b7cf10bec73",
"target-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1"
},
"uuid": "090a553a-b863-4214-aa3b-cf8ea7ba2d68",
"value": "ADVSTORESHELL (S0045) uses System Information Discovery (T1082)"
},
{
"meta": {
"source-uuid": "1cc934e4-b01d-4543-a011-b988dfc1a458",
"target-uuid": "62b8c999-dcc0-4755-bd69-09442d9359f5"
},
"uuid": "cd70a632-a961-4adb-aea9-9995ef8e2b54",
"value": "Matroyshka (S0167) uses Rundll32 (T1085)"
},
{
"meta": {
"source-uuid": "8901ac23-6b50-410c-b0dd-d8174a86f9b3",
"target-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1"
},
"uuid": "272068a3-47e3-42d6-8772-71d39c1976c3",
"value": "Shamoon (S0140) uses System Information Discovery (T1082)"
},
{
"meta": {
"source-uuid": "bef4c620-0787-42a8-a96d-b7eb6e85917c",
"target-uuid": "f108215f-3487-489d-be8b-80e346d32518"
},
"uuid": "63841959-afe2-4cb0-a93e-d407eb1b8d66",
"value": "APT28 (G0007) uses Komplex (S0162)"
},
{
"meta": {
"source-uuid": "93f52415-0fe4-4d3d-896c-fc9b8e88ab90",
"target-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add"
},
"uuid": "d7c5e4f4-cede-4a81-b46f-035b9e702e61",
"value": "BRONZE BUTLER (G0060) uses Remote File Copy (T1105)"
},
{
"meta": {
"source-uuid": "7a19ecb1-3c65-4de3-a230-993516aed6a6",
"target-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580"
},
"uuid": "9dfb7899-20af-4eea-bfca-f608d885cb00",
"value": "Turla (G0010) uses Process Discovery (T1057)"
},
{
"meta": {
"source-uuid": "0bbdf25b-30ff-4894-a1cd-49260d0dd2d9",
"target-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22"
},
"uuid": "c948f964-e26c-4226-9577-7b78b5bf271f",
"value": "APT3 (G0022) uses Credential Dumping (T1003)"
},
{
"meta": {
"source-uuid": "fb366179-766c-4a4a-afa1-52bff1fd601c",
"target-uuid": "e7eab98d-ae11-4491-bd28-a53ba875865a"
},
"uuid": "dc7cb17d-c3d3-4c3c-b79e-499cede49baa",
"value": "Threat Group-3390 (G0027) uses Network Share Connection Removal (T1126)"
},
{
"meta": {
"source-uuid": "1c63d4ec-0a75-4daa-b1df-0d11af3d3cc1",
"target-uuid": "c16e5409-ee53-4d79-afdc-4099dc9292df"
},
"uuid": "2fbcd38e-0ec9-4f2d-823b-3654f108f3a3",
"value": "Dragonfly (G0035) uses Web Shell (T1100)"
},
{
"meta": {
"source-uuid": "4b998a71-7b8f-4dcc-8f3f-277f2e740271",
"target-uuid": "00d0b012-8a03-410e-95de-5826bf542de6"
},
"uuid": "5978c8e0-8b60-4ad5-8fc9-9fa1ee4d7387",
"value": "Indicator Removal from Tools Mitigation (T1066) mitigates Indicator Removal from Tools (T1066)"
},
{
"meta": {
"source-uuid": "894aab42-3371-47b1-8859-a4a074c804c8",
"target-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104"
},
"uuid": "8ebab956-4440-4fd7-96ff-8da29e0f0b46",
"value": "Stealth Falcon (G0038) uses System Owner/User Discovery (T1033)"
},
{
"meta": {
"source-uuid": "53cf6cc4-65aa-445a-bcf8-c3d296f8a7a2",
"target-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830"
},
"uuid": "84fcda4b-e58e-4ecd-8366-77d464e043ee",
"value": "NETEAGLE (S0034) uses Command-Line Interface (T1059)"
},
{
"meta": {
"source-uuid": "ab3580c8-8435-4117-aace-3d9fbe46aa56",
"target-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add"
},
"uuid": "321544e0-902c-443e-adf9-d7e78f0e4d13",
"value": "Unknown Logger (S0130) uses Remote File Copy (T1105)"
},
{
"meta": {
"source-uuid": "2a6f4c7b-e690-4cc7-ab6b-1f821fb6b80b",
"target-uuid": "830c9528-df21-472c-8c14-a036bf17d665"
},
"uuid": "8c9f23e6-2665-45b3-9c28-53a9335b16ce",
"value": "LOWBALL (S0042) uses Web Service (T1102)"
},
{
"meta": {
"source-uuid": "69d6f4a9-fcf0-4f51-bca7-597c51ad0bb8",
"target-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9"
},
"uuid": "b2cf6651-3f2c-4522-9360-dbc5c7af43c5",
"value": "Remsec (S0125) uses Scheduled Task (T1053)"
},
{
"meta": {
"source-uuid": "69d6f4a9-fcf0-4f51-bca7-597c51ad0bb8",
"target-uuid": "a19e86f8-1c0a-4fea-8407-23b73d615776"
},
"uuid": "1ce50a6a-5f0b-40ca-9a71-41369ae3fdcd",
"value": "Remsec (S0125) uses Exfiltration Over Alternative Protocol (T1048)"
},
{
"meta": {
"source-uuid": "93f52415-0fe4-4d3d-896c-fc9b8e88ab90",
"target-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688"
},
"uuid": "2d840d1b-28d7-4387-86fd-6d3df8650171",
"value": "BRONZE BUTLER (G0060) uses Screen Capture (T1113)"
},
{
"meta": {
"source-uuid": "54cc1d4f-5c53-4f0e-9ef5-11b4998e82e4",
"target-uuid": "ca1a3f50-5ebd-41f8-8320-2c7d6a6e88be"
},
"uuid": "054a22c3-f0ee-476a-b0cb-e3277c755032",
"value": "BlackEnergy (S0089) uses Bypass User Account Control (T1088)"
},
{
"meta": {
"source-uuid": "64d76fa5-cf8f-469c-b78c-1a4f7c5bad80",
"target-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6"
},
"uuid": "7fd6c479-00ae-478d-a29b-fc40619eea97",
"value": "BBSRAT (S0127) uses Standard Application Layer Protocol (T1071)"
},
{
"meta": {
"source-uuid": "cafd0bf8-2b9c-46c7-ae3c-3e0f42c5062e",
"target-uuid": "4ae4f953-fe58-4cc8-a327-33257e30a830"
},
"uuid": "10c6cc56-a028-4c2a-b24e-38d97fb4ebb7",
"value": "NetTraveler (S0033) uses Application Window Discovery (T1010)"
},
{
"meta": {
"source-uuid": "8f5e8dc7-739d-4f5e-a8a1-a66e004d7063",
"target-uuid": "ff6caf67-ea1f-4895-b80e-4bb0fc31c6db"
},
"uuid": "3cd8ef78-9d92-4e28-97ae-5bd6c698bfec",
"value": "Cleaver (G0003) uses PsExec (S0029)"
},
{
"meta": {
"source-uuid": "60c18d06-7b91-4742-bae3-647845cd9d81",
"target-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a"
},
"uuid": "e6f5bde4-869f-4c9a-9414-11ea48386204",
"value": "CORESHELL (S0137) uses Obfuscated Files or Information (T1027)"
},
{
"meta": {
"source-uuid": "fbe9387f-34e6-4828-ac28-3080020c597b",
"target-uuid": "51dea151-0898-4a45-967c-3ebee0420484"
},
"uuid": "a48e7d01-012a-4336-9676-0f34e8501e22",
"value": "FIN10 (G0051) uses Remote Desktop Protocol (T1076)"
},
{
"meta": {
"source-uuid": "bb3c1098-d654-4620-bf40-694386d28921",
"target-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2"
},
"uuid": "bfd49393-75b6-4e67-af74-4bf3c87624b0",
"value": "FakeM (S0076) uses Input Capture (T1056)"
},
{
"meta": {
"source-uuid": "a1dd2dbd-1550-44bf-abcc-1a4c52e97719",
"target-uuid": "0dbf5f1b-a560-4d51-ac1b-d70caab3e1f0"
},
"uuid": "aef7fe44-f381-41d5-88af-f04135e3aeab",
"value": "Responder (S0174) uses LLMNR/NBT-NS Poisoning (T1171)"
},
{
"meta": {
"source-uuid": "9559ecaf-2e75-48a7-aee8-9974020bc772",
"target-uuid": "e9595678-d269-469e-ae6b-75e49259de63"
},
"uuid": "238a7a2c-34db-4f43-a94b-4a6ad225129d",
"value": "MONSOON (G0042) uses BADNEWS (S0128)"
},
{
"meta": {
"source-uuid": "6a0ef5d4-fc7c-4dda-85d7-592e4dbdc5d9",
"target-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580"
},
"uuid": "4438ba64-0cd2-46e9-8a67-c685bf9b404c",
"value": "Sykipot (S0018) uses Process Discovery (T1057)"
},
{
"meta": {
"source-uuid": "0ea72cd5-ca30-46ba-bc04-378f701c658f",
"target-uuid": "54a649ff-439a-41a4-9856-8d144a2551ba"
},
"uuid": "7db7f665-6e29-4789-8a3d-d6cb8d0af31e",
"value": "GCMAN (G0036) uses Remote Services (T1021)"
},
{
"meta": {
"source-uuid": "0998045d-f96e-4284-95ce-3c8219707486",
"target-uuid": "128c55d3-aeba-469f-bd3e-c8996ab4112a"
},
"uuid": "6d562520-86bb-4251-9431-a4958bec097c",
"value": "SEASHARPEE (S0185) uses Timestomp (T1099)"
},
{
"meta": {
"source-uuid": "1c63d4ec-0a75-4daa-b1df-0d11af3d3cc1",
"target-uuid": "799ace7f-e227-4411-baa0-8868704f2a69"
},
"uuid": "596c4579-14ea-4c1f-9503-cf47693f18a8",
"value": "Dragonfly (G0035) uses Indicator Removal on Host (T1070)"
},
{
"meta": {
"source-uuid": "fece06b7-d4b1-42cf-b81a-5323c917546e",
"target-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59"
},
"uuid": "3b32f3be-5bdd-4de8-9e39-83b0b8c1e70f",
"value": "FALLCHILL (S0181) uses File Deletion (T1107)"
},
{
"meta": {
"source-uuid": "96b08451-b27a-4ff6-893f-790e26393a8e",
"target-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc"
},
"uuid": "384c75e4-04e7-4ff8-9da6-0c8a03cb7a61",
"value": "Sakula (S0074) uses Registry Run Keys / Start Folder (T1060)"
},
{
"meta": {
"source-uuid": "92ec0cbd-2c30-44a2-b270-73f4ec949841",
"target-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688"
},
"uuid": "f6d23c00-158e-4e39-bf9b-f18344cd0151",
"value": "RTM (S0148) uses Screen Capture (T1113)"
},
{
"meta": {
"source-uuid": "d75a3d1b-b536-4f15-a23c-f4bcc17837b8",
"target-uuid": "731f4f55-b6d0-41d1-a7a9-072a66389aea"
},
"uuid": "eede138c-9745-453c-a8b5-684b696c2ad0",
"value": "Connection Proxy Mitigation (T1090) mitigates Connection Proxy (T1090)"
},
{
"meta": {
"source-uuid": "222fbd21-fc4f-4b7e-9f85-0e6e3a76c33f",
"target-uuid": "b42378e0-f147-496f-992a-26a49705395b"
},
"uuid": "bab6aadc-7a93-43e4-88cb-904fd1f2fddd",
"value": "menuPass (G0045) uses PoisonIvy (S0012)"
},
{
"meta": {
"source-uuid": "6713ab67-e25b-49cc-808d-2b36d4fbc35c",
"target-uuid": "92d7da27-2d91-488e-a00c-059dc162766d"
},
"uuid": "49f2c182-bd69-4874-9102-b5fd1acac59c",
"value": "Ke3chang (G0004) uses Exfiltration Over Command and Control Channel (T1041)"
},
{
"meta": {
"source-uuid": "17862c7d-9e60-48a0-b48e-da4dc4c3f6b0",
"target-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0"
},
"uuid": "42d4ae64-75da-4dfd-b23f-d270252115ee",
"value": "Patchwork (G0040) uses Masquerading (T1036)"
},
{
"meta": {
"source-uuid": "277d2f87-2ae5-4730-a3aa-50c1fdff9656",
"target-uuid": "731f4f55-b6d0-41d1-a7a9-072a66389aea"
},
"uuid": "6476b9fe-dc7f-4578-a39d-beebc8390af2",
"value": "Strider (G0041) uses Connection Proxy (T1090)"
},
{
"meta": {
"source-uuid": "67e6d66b-1b82-4699-b47a-e2efb6268d14",
"target-uuid": "4b74a1d4-b0e9-4ef1-93f1-14ecc6e2f5b5"
},
"uuid": "c8d0e862-20af-4f9f-84e8-0419c8080008",
"value": "SeaDuke (S0053) uses Standard Cryptographic Protocol (T1032)"
},
{
"meta": {
"source-uuid": "222fbd21-fc4f-4b7e-9f85-0e6e3a76c33f",
"target-uuid": "17b40f60-729f-4fe8-8aea-cc9ee44a95d5"
},
"uuid": "3dd745f5-1c0c-4376-8850-89679fcd4e31",
"value": "menuPass (G0045) uses RedLeaves (S0153)"
},
{
"meta": {
"source-uuid": "196f1f32-e0c2-4d46-99cd-234d4b6befe1",
"target-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0"
},
"uuid": "c74cbdc5-e454-4b22-957e-926854dd37f1",
"value": "Felismus (S0171) uses System Network Configuration Discovery (T1016)"
},
{
"meta": {
"source-uuid": "16ade1aa-0ea1-4bb7-88cc-9079df2ae756",
"target-uuid": "7fcbc4e8-1989-441f-9ac5-e7b6ff5806f1"
},
"uuid": "318afc9f-92f3-4262-af70-b2e045b87737",
"value": "admin@338 (G0018) uses Systeminfo (S0096)"
},
{
"meta": {
"source-uuid": "4c59cce8-cb48-4141-b9f1-f646edfaadb0",
"target-uuid": "1b84d551-6de8-4b96-9930-d177677c3b1d"
},
"uuid": "47109a67-e1af-4f5c-8c58-c1580ff5c6ec",
"value": "Regin (S0019) uses Code Signing (T1116)"
},
{
"meta": {
"source-uuid": "92ec0cbd-2c30-44a2-b270-73f4ec949841",
"target-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1"
},
"uuid": "c6606ced-4641-451f-ac2a-493b1d15d0aa",
"value": "RTM (S0148) uses System Information Discovery (T1082)"
},
{
"meta": {
"source-uuid": "5be33fef-39c0-4532-84ee-bea31e1b5324",
"target-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a"
},
"uuid": "a0500766-a6ba-4672-b7fc-2a712cd0cfca",
"value": "ISMInjector (S0189) uses Obfuscated Files or Information (T1027)"
},
{
"meta": {
"source-uuid": "a0cb9370-e39b-44d5-9f50-ef78e412b973",
"target-uuid": "51dea151-0898-4a45-967c-3ebee0420484"
},
"uuid": "70f3eaca-179d-4412-ad32-c4e3cf60c27c",
"value": "Axiom (G0001) uses Remote Desktop Protocol (T1076)"
},
{
"meta": {
"source-uuid": "2a158b0a-7ef8-43cb-9985-bf34d1e12050",
"target-uuid": "7fcbc4e8-1989-441f-9ac5-e7b6ff5806f1"
},
"uuid": "4b521c7b-c66b-4bbc-847e-d6a13e9ae62c",
"value": "Naikon (G0019) uses Systeminfo (S0096)"
},
{
"meta": {
"source-uuid": "06824aa2-94a5-474c-97f6-57c2e983d885",
"target-uuid": "36675cd3-fe00-454c-8516-aebecacbe9d9"
},
"uuid": "ab6dbf38-dfed-4bfa-9d7d-bbe6864f82d3",
"value": "Login Item Mitigation (T1162) mitigates Login Item (T1162)"
},
{
"meta": {
"source-uuid": "d8787791-d22e-45bb-a9a8-251d8d0a1ff2",
"target-uuid": "322bad5a-1c49-4d23-ab79-76d641794afa"
},
"uuid": "338cf92d-43a8-4fdd-948d-1a3bde10d917",
"value": "System Service Discovery Mitigation (T1007) mitigates System Service Discovery (T1007)"
},
{
"meta": {
"source-uuid": "aafea02e-ece5-4bb2-91a6-3bf8c7f38a39",
"target-uuid": "478aa214-2ca7-4ec0-9978-18798e514790"
},
"uuid": "d4f48744-0564-4ef3-bdae-421076912495",
"value": "Cobalt Strike (S0154) uses New Service (T1050)"
},
{
"meta": {
"source-uuid": "dc5d1a33-62aa-4a0c-aa8c-589b87beb11e",
"target-uuid": "1b84d551-6de8-4b96-9930-d177677c3b1d"
},
"uuid": "fe0c8388-46fb-4064-9837-56a23339ffaa",
"value": "ChChes (S0144) uses Code Signing (T1116)"
},
{
"meta": {
"source-uuid": "82cb34ba-02b5-432b-b2d2-07f55cbf674d",
"target-uuid": "6ff403bc-93e3-48be-8687-e102fdba8c88"
},
"uuid": "40c202ae-fd92-4506-b72a-5fb0e7bcf99a",
"value": "Trojan.Karagany (S0094) uses Software Packing (T1045)"
},
{
"meta": {
"source-uuid": "e9595678-d269-469e-ae6b-75e49259de63",
"target-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc"
},
"uuid": "8c359d18-06fc-4db1-9b58-6e85fa563066",
"value": "BADNEWS (S0128) uses Registry Run Keys / Start Folder (T1060)"
},
{
"meta": {
"source-uuid": "aafea02e-ece5-4bb2-91a6-3bf8c7f38a39",
"target-uuid": "c3bce4f4-9795-46c6-976e-8676300bbc39"
},
"uuid": "d328f1e2-c98f-473e-aea5-063e1ee70744",
"value": "Cobalt Strike (S0154) uses Windows Remote Management (T1028)"
},
{
"meta": {
"source-uuid": "68dca94f-c11d-421e-9287-7c501108e18c",
"target-uuid": "ffe742ed-9100-4686-9e00-c331da544787"
},
"uuid": "8d7cd505-3b0e-4e90-bf47-6552612958dc",
"value": "Duqu (S0038) uses Windows Admin Shares (T1077)"
},
{
"meta": {
"source-uuid": "92ec0cbd-2c30-44a2-b270-73f4ec949841",
"target-uuid": "7bc57495-ea59-4380-be31-a64af124ef18"
},
"uuid": "d412ff4a-d9d0-44a9-b8b3-36a650f18036",
"value": "RTM (S0148) uses File and Directory Discovery (T1083)"
},
{
"meta": {
"source-uuid": "7ecc3b4f-5cdb-457e-b55a-df376b359446",
"target-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22"
},
"uuid": "35aac341-5371-42e8-ad93-3ab94a11b51a",
"value": "Poseidon Group (G0033) uses Credential Dumping (T1003)"
},
{
"meta": {
"source-uuid": "6713ab67-e25b-49cc-808d-2b36d4fbc35c",
"target-uuid": "15dbf668-795c-41e6-8219-f0447c0e64ce"
},
"uuid": "b368c7c2-a593-45cb-b557-aac668a02656",
"value": "Ke3chang (G0004) uses Permission Groups Discovery (T1069)"
},
{
"meta": {
"source-uuid": "007b44b6-e4c5-480b-b5b9-56f2081b1b7b",
"target-uuid": "2e0dd10b-676d-4964-acd0-8a404c92b044"
},
"uuid": "7209b3d7-b8c8-4fc0-89fb-a5448f015540",
"value": "HDoor (S0061) uses Disabling Security Tools (T1089)"
},
{
"meta": {
"source-uuid": "222fbd21-fc4f-4b7e-9f85-0e6e3a76c33f",
"target-uuid": "e358d692-23c0-4a31-9eb6-ecc13a8d7735"
},
"uuid": "03f32a8b-4cd9-488c-9759-37f3dff9faea",
"value": "menuPass (G0045) uses Remote System Discovery (T1018)"
},
{
"meta": {
"source-uuid": "6a2e693f-24e5-451a-9f88-b36a108e5662",
"target-uuid": "2fab555f-7664-4623-b4e0-1675ae38190b"
},
"uuid": "44858dc2-c869-42a0-8f67-3ddd9660b538",
"value": "APT1 (G0006) uses Lslsass (S0121)"
},
{
"meta": {
"source-uuid": "0bbdf25b-30ff-4894-a1cd-49260d0dd2d9",
"target-uuid": "ba8e391f-14b5-496f-81f2-2d5ecd646c1c"
},
"uuid": "80dcd852-39c2-4ef9-a401-e54982010a65",
"value": "APT3 (G0022) uses Credentials in Files (T1081)"
},
{
"meta": {
"source-uuid": "91000a8a-58cc-4aba-9ad0-993ad6302b86",
"target-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830"
},
"uuid": "fa04b7b3-e9ea-4c35-a2a5-8d0c73f5698b",
"value": "StreamEx (S0142) uses Command-Line Interface (T1059)"
},
{
"meta": {
"source-uuid": "552462b9-ae79-49dd-855c-5973014e157f",
"target-uuid": "f2d44246-91f1-478a-b6c8-1227e0ca109d"
},
"uuid": "e584ec5f-af99-4d61-8b02-3dbacae4adf4",
"value": "Zeroaccess (S0027) uses NTFS Extended Attributes (T1096)"
},
{
"meta": {
"source-uuid": "083bb47b-02c8-4423-81a2-f9ef58572974",
"target-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22"
},
"uuid": "adf7a6a5-91b0-4c37-9fa5-0bfbb382a838",
"value": "Backdoor.Oldrea (S0093) uses Credential Dumping (T1003)"
},
{
"meta": {
"source-uuid": "1c63d4ec-0a75-4daa-b1df-0d11af3d3cc1",
"target-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9"
},
"uuid": "ba95a6e7-3235-4dcd-93eb-4eebc4d0aaec",
"value": "Dragonfly (G0035) uses Scheduled Task (T1053)"
},
{
"meta": {
"source-uuid": "f8dfbc54-b070-4224-b560-79aaa5f835bd",
"target-uuid": "246fd3c7-f5e3-466d-8787-4c13d9e3b61c"
},
"uuid": "1539eaf6-e4ea-4e9d-af2b-2594d1ca5b38",
"value": "H1N1 (S0132) uses Taint Shared Content (T1080)"
},
{
"meta": {
"source-uuid": "3cab1b76-2f40-4cd0-8d2c-7ed16eeb909c",
"target-uuid": "7bc57495-ea59-4380-be31-a64af124ef18"
},
"uuid": "10619fa8-c479-4b61-9aac-ee08f00114d1",
"value": "ELMER (S0064) uses File and Directory Discovery (T1083)"
},
{
"meta": {
"source-uuid": "93f52415-0fe4-4d3d-896c-fc9b8e88ab90",
"target-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c"
},
"uuid": "03303147-db81-4cb3-9368-98ee4f963c1a",
"value": "BRONZE BUTLER (G0060) uses Deobfuscate/Decode Files or Information (T1140)"
},
{
"meta": {
"source-uuid": "9752aef4-a1f3-4328-929f-b64eb0536090",
"target-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0"
},
"uuid": "37aa4e22-824b-468c-ae46-d9d007cc7cc7",
"value": "RawPOS (S0169) uses Masquerading (T1036)"
},
{
"meta": {
"source-uuid": "e6ef745b-077f-42e1-a37d-29eecff9c754",
"target-uuid": "241814ae-de3f-4656-b49e-f9a80764d4b7"
},
"uuid": "330c8e43-575f-4c9a-b6c2-def7306841ad",
"value": "CozyCar (S0046) uses Security Software Discovery (T1063)"
},
{
"meta": {
"source-uuid": "7bec698a-7e20-4fd3-bb6a-12787770fb1a",
"target-uuid": "4b74a1d4-b0e9-4ef1-93f1-14ecc6e2f5b5"
},
"uuid": "0e630f6b-8662-4ffe-b666-709e17aad69f",
"value": "3PARA RAT (S0066) uses Standard Cryptographic Protocol (T1032)"
},
{
"meta": {
"source-uuid": "7551188b-8f91-4d34-8350-0d0c57b2b913",
"target-uuid": "7bc57495-ea59-4380-be31-a64af124ef18"
},
"uuid": "6e39f6fe-3808-41ae-9263-1fd23865bd7b",
"value": "Elise (S0081) uses File and Directory Discovery (T1083)"
},
{
"meta": {
"source-uuid": "54cc1d4f-5c53-4f0e-9ef5-11b4998e82e4",
"target-uuid": "970cdb5c-02fb-4c38-b17e-d6327cf3c810"
},
"uuid": "8200c438-ec29-4f0e-81c3-9a058c735748",
"value": "BlackEnergy (S0089) uses Shortcut Modification (T1023)"
},
{
"meta": {
"source-uuid": "69d6f4a9-fcf0-4f51-bca7-597c51ad0bb8",
"target-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2"
},
"uuid": "2f5f2d31-739e-4dc5-b137-840401985244",
"value": "Remsec (S0125) uses Input Capture (T1056)"
},
{
"meta": {
"source-uuid": "fb575479-14ef-41e9-bfab-0b7cf10bec73",
"target-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896"
},
"uuid": "9f496c45-eac5-464f-858b-ef481f2f37ff",
"value": "ADVSTORESHELL (S0045) uses Query Registry (T1012)"
},
{
"meta": {
"source-uuid": "0f862b01-99da-47cc-9bdb-db4a86a95bb1",
"target-uuid": "62b8c999-dcc0-4755-bd69-09442d9359f5"
},
"uuid": "1c6f35f0-1169-4218-9881-7291e1765cd8",
"value": "Emissary (S0082) uses Rundll32 (T1085)"
},
{
"meta": {
"source-uuid": "222fbd21-fc4f-4b7e-9f85-0e6e3a76c33f",
"target-uuid": "ae676644-d2d2-41b7-af7e-9bed1b55898c"
},
"uuid": "c2909563-2b7e-48d6-b165-05b8eff63862",
"value": "menuPass (G0045) uses Data from Network Shared Drive (T1039)"
},
{
"meta": {
"source-uuid": "0bbdf25b-30ff-4894-a1cd-49260d0dd2d9",
"target-uuid": "4e6b9625-bbda-4d96-a652-b3bb45453f26"
},
"uuid": "f24d37c0-283d-4f37-8278-07fc75cc0e94",
"value": "APT3 (G0022) uses RemoteCMD (S0166)"
},
{
"meta": {
"source-uuid": "cafd0bf8-2b9c-46c7-ae3c-3e0f42c5062e",
"target-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2"
},
"uuid": "2be17426-9704-4913-981b-6d8fe4471147",
"value": "NetTraveler (S0033) uses Input Capture (T1056)"
},
{
"meta": {
"source-uuid": "9378f139-10ef-4e4b-b679-2255a0818902",
"target-uuid": "39a130e1-6ab7-434a-8bd2-418e7d9d6427"
},
"uuid": "52b6181e-881e-4b96-93a3-1292bc2f1352",
"value": "Service Registry Permissions Weakness Mitigation (T1058) mitigates Service Registry Permissions Weakness (T1058)"
},
{
"meta": {
"source-uuid": "894aab42-3371-47b1-8859-a4a074c804c8",
"target-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5"
},
"uuid": "cdf73653-b2d7-422f-b433-b6a428ff12d4",
"value": "Stealth Falcon (G0038) uses Data from Local System (T1005)"
},
{
"meta": {
"source-uuid": "c0c45d38-fe57-4cd4-b2b2-9ecd0ddd4ca9",
"target-uuid": "478aa214-2ca7-4ec0-9978-18798e514790"
},
"uuid": "90347c97-c0c5-4407-9087-b917d0789b0e",
"value": "TinyZBot (S0004) uses New Service (T1050)"
},
{
"meta": {
"source-uuid": "ae9d818d-95d0-41da-b045-9cabea1ca164",
"target-uuid": "7bc57495-ea59-4380-be31-a64af124ef18"
},
"uuid": "1fbde0c8-1b00-40bf-8fef-11892d103d63",
"value": "PinchDuke (S0048) uses File and Directory Discovery (T1083)"
},
{
"meta": {
"source-uuid": "26fed817-e7bf-41f9-829a-9075ffac45c2",
"target-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc"
},
"uuid": "828afc32-9874-40aa-b752-315c7623ffee",
"value": "Kasidet (S0088) uses Registry Run Keys / Start Folder (T1060)"
},
{
"meta": {
"source-uuid": "0ced8926-914e-4c78-bc93-356fb90dbd1f",
"target-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59"
},
"uuid": "d0013f9d-4243-4ade-8d06-a2cd6158ca58",
"value": "HALFBAKED (S0151) uses File Deletion (T1107)"
},
{
"meta": {
"source-uuid": "ae41895a-243f-4a65-b99b-d85022326c31",
"target-uuid": "e1161124-f22e-487f-9d5f-ed8efc8dcd61"
},
"uuid": "2092cbf8-4b5e-40e9-93dd-bfd8a71b4e8c",
"value": "Dust Storm (G0031) uses Mis-Type (S0084)"
},
{
"meta": {
"source-uuid": "69d6f4a9-fcf0-4f51-bca7-597c51ad0bb8",
"target-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22"
},
"uuid": "852009ed-1b50-4b08-9e77-53f0271d995c",
"value": "Remsec (S0125) uses Credential Dumping (T1003)"
},
{
"meta": {
"source-uuid": "93f52415-0fe4-4d3d-896c-fc9b8e88ab90",
"target-uuid": "0c8465c0-d0b4-4670-992e-4eee8d7ff952"
},
"uuid": "80fc5f0c-3dcb-45ab-807a-bfa3d64334c6",
"value": "BRONZE BUTLER (G0060) uses at (S0110)"
},
{
"meta": {
"source-uuid": "7551188b-8f91-4d34-8350-0d0c57b2b913",
"target-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0"
},
"uuid": "0fd5d3bc-d736-43c0-b9ec-f1dcd95411a7",
"value": "Elise (S0081) uses Masquerading (T1036)"
},
{
"meta": {
"source-uuid": "2a7914cf-dff3-428d-ab0f-1014d1c28aeb",
"target-uuid": "30208d3e-0d6b-43c8-883e-44462a514619"
},
"uuid": "ac7d5b88-7929-4f64-abcd-8219caafac24",
"value": "FIN6 (G0037) uses Automated Collection (T1119)"
},
{
"meta": {
"source-uuid": "7551188b-8f91-4d34-8350-0d0c57b2b913",
"target-uuid": "cc7b8c4e-9be0-47ca-b0bb-83915ec3ee2f"
},
"uuid": "c667befa-7242-47f8-bdc1-1056f62bb466",
"value": "Elise (S0081) uses Data Encoding (T1132)"
},
{
"meta": {
"source-uuid": "38fd6a28-3353-4f2b-bb2b-459fecd5c648",
"target-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59"
},
"uuid": "6175bbbe-1bc1-4562-8c5f-9e437348636a",
"value": "APT18 (G0026) uses File Deletion (T1107)"
},
{
"meta": {
"source-uuid": "5967cc93-57c9-404a-8ffd-097edfa7bdfc",
"target-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add"
},
"uuid": "18572125-3439-4f7c-92c8-d787913dc989",
"value": "Hi-Zor (S0087) uses Remote File Copy (T1105)"
},
{
"meta": {
"source-uuid": "93f52415-0fe4-4d3d-896c-fc9b8e88ab90",
"target-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9"
},
"uuid": "9ef58dda-688d-4461-b5fc-25f2ba3a9c54",
"value": "BRONZE BUTLER (G0060) uses Scheduled Task (T1053)"
},
{
"meta": {
"source-uuid": "e1161124-f22e-487f-9d5f-ed8efc8dcd61",
"target-uuid": "72b74d71-8169-42aa-92e0-e7b04b9f5a08"
},
"uuid": "a33c172b-9910-4f36-8373-32126201144b",
"value": "Mis-Type (S0084) uses Account Discovery (T1087)"
},
{
"meta": {
"source-uuid": "7a14d974-f3d9-4e4e-9b7d-980385762908",
"target-uuid": "b2001907-166b-4d71-bb3c-9d26c871de09"
},
"uuid": "4f2dbf3d-70f6-42d9-8894-c98d8bc70abc",
"value": "DLL Side-Loading Mitigation (T1073) mitigates DLL Side-Loading (T1073)"
},
{
"meta": {
"source-uuid": "8c553311-0baa-4146-997a-f79acef3d831",
"target-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add"
},
"uuid": "4bf364ad-1e9c-4860-93c0-241da4c81068",
"value": "RARSTONE (S0055) uses Remote File Copy (T1105)"
},
{
"meta": {
"source-uuid": "0f862b01-99da-47cc-9bdb-db4a86a95bb1",
"target-uuid": "3b3cbbe0-6ed3-4334-b543-3ddfd8c5642d"
},
"uuid": "4b5540e5-eac1-40f4-93d0-155f60e9395a",
"value": "Emissary (S0082) uses Custom Cryptographic Protocol (T1024)"
},
{
"meta": {
"source-uuid": "4ca1929c-7d64-4aab-b849-badbfc0c760d",
"target-uuid": "51dea151-0898-4a45-967c-3ebee0420484"
},
"uuid": "27ead6bc-2bba-49d3-bcfe-667c7654a6fc",
"value": "OilRig (G0049) uses Remote Desktop Protocol (T1076)"
},
{
"meta": {
"source-uuid": "1a7f5bd3-f6ee-4bd7-b949-2f3632ad6158",
"target-uuid": "6fb6408c-0db3-41d9-a3a1-a32e5f16454e"
},
"uuid": "47639246-6268-4a7e-9670-965873bdfb42",
"value": "Gatekeeper Bypass Mitigation (T1144) mitigates Gatekeeper Bypass (T1144)"
},
{
"meta": {
"source-uuid": "b91c2f9e-c1a0-44df-95f0-9e7c9d1d5e55",
"target-uuid": "1df0326d-2fbc-4d08-a16b-48365f1e742d"
},
"uuid": "e59e9443-740a-4e2b-a775-8ae59ceb3844",
"value": "SID-History Injection Mitigation (T1178) mitigates SID-History Injection (T1178)"
},
{
"meta": {
"source-uuid": "93f52415-0fe4-4d3d-896c-fc9b8e88ab90",
"target-uuid": "f3c544dc-673c-4ef3-accb-53229f1ae077"
},
"uuid": "6c053469-7bd4-4b55-90b2-289a09aa53fa",
"value": "BRONZE BUTLER (G0060) uses System Time Discovery (T1124)"
},
{
"meta": {
"source-uuid": "b6b3dfc7-9a81-43ff-ac04-698bad48973a",
"target-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2"
},
"uuid": "d2bc1c1b-987b-4a1a-b488-8199f8113697",
"value": "Daserf (S0187) uses Input Capture (T1056)"
},
{
"meta": {
"source-uuid": "92ec0cbd-2c30-44a2-b270-73f4ec949841",
"target-uuid": "30208d3e-0d6b-43c8-883e-44462a514619"
},
"uuid": "a83182d2-b619-4ca4-984b-21ecfe43da26",
"value": "RTM (S0148) uses Automated Collection (T1119)"
},
{
"meta": {
"source-uuid": "ab3580c8-8435-4117-aace-3d9fbe46aa56",
"target-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2"
},
"uuid": "ecde1551-bca2-4f45-8692-cbc583cf3d4f",
"value": "Unknown Logger (S0130) uses Input Capture (T1056)"
},
{
"meta": {
"source-uuid": "166c0eca-02fd-424a-92c0-6b5106994d31",
"target-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6"
},
"uuid": "fb11df98-790a-4b1c-9ca0-73224226cff3",
"value": "ZLib (S0086) uses Standard Application Layer Protocol (T1071)"
},
{
"meta": {
"source-uuid": "e1161124-f22e-487f-9d5f-ed8efc8dcd61",
"target-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0"
},
"uuid": "39e856a1-4bab-474e-a6b2-3ce69249bc29",
"value": "Mis-Type (S0084) uses System Network Configuration Discovery (T1016)"
},
{
"meta": {
"source-uuid": "3753cc21-2dae-4dfb-8481-d004e74502cc",
"target-uuid": "17e919aa-4a49-445c-b103-dbb8df9e7351"
},
"uuid": "b6eb09bc-fef4-4cf3-b337-dfe6bd87ca35",
"value": "FIN7 (G0046) uses POWERSOURCE (S0145)"
},
{
"meta": {
"source-uuid": "2a158b0a-7ef8-43cb-9985-bf34d1e12050",
"target-uuid": "ff6caf67-ea1f-4895-b80e-4bb0fc31c6db"
},
"uuid": "f08c1f67-485b-4ebd-81dd-e886f63025e6",
"value": "Naikon (G0019) uses PsExec (S0029)"
},
{
"meta": {
"source-uuid": "e9595678-d269-469e-ae6b-75e49259de63",
"target-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688"
},
"uuid": "11010986-1b4d-4158-b47d-bbff34306c98",
"value": "BADNEWS (S0128) uses Screen Capture (T1113)"
},
{
"meta": {
"source-uuid": "43213480-78f7-4fb3-976f-d48f5f6a4c2a",
"target-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5"
},
"uuid": "18324fed-7770-4768-b652-59860ac4782f",
"value": "FLASHFLOOD (S0036) uses Data from Local System (T1005)"
},
{
"meta": {
"source-uuid": "fb366179-766c-4a4a-afa1-52bff1fd601c",
"target-uuid": "b2001907-166b-4d71-bb3c-9d26c871de09"
},
"uuid": "2a93ea80-d0f6-4b81-887d-8911f7573245",
"value": "Threat Group-3390 (G0027) uses DLL Side-Loading (T1073)"
},
{
"meta": {
"source-uuid": "64fa0de0-6240-41f4-8638-f4ca7ed528fd",
"target-uuid": "478aa214-2ca7-4ec0-9978-18798e514790"
},
"uuid": "ce42140b-f801-40da-8185-105a9b1a915a",
"value": "PlugX (S0013) uses New Service (T1050)"
},
{
"meta": {
"source-uuid": "b7b2c89c-09c1-4b71-ae7c-000ec2893aab",
"target-uuid": "478aa214-2ca7-4ec0-9978-18798e514790"
},
"uuid": "bb1de6e6-23ce-42a8-bcd7-fd75aec24c50",
"value": "New Service Mitigation (T1050) mitigates New Service (T1050)"
},
{
"meta": {
"source-uuid": "82cb34ba-02b5-432b-b2d2-07f55cbf674d",
"target-uuid": "7dd95ff6-712e-4056-9626-312ea4ab4c5e"
},
"uuid": "7cf7d162-a34f-4951-a643-5bf959283f6b",
"value": "Trojan.Karagany (S0094) uses Data Staged (T1074)"
},
{
"meta": {
"source-uuid": "4ca1929c-7d64-4aab-b849-badbfc0c760d",
"target-uuid": "f4882e23-8aa7-4b12-b28a-b349c12ee9e0"
},
"uuid": "4fde23ab-b8db-4275-ac37-37e608cb00b0",
"value": "OilRig (G0049) uses PowerShell (T1086)"
},
{
"meta": {
"source-uuid": "b1de6916-7a22-4460-8d26-6b5483ffaa2a",
"target-uuid": "3b744087-9945-4a6f-91e8-9dbceda417a4"
},
"uuid": "114f98a4-6243-4a0c-a6c4-3e693a4f9b08",
"value": "SHIPSHAPE (S0028) uses Replication Through Removable Media (T1091)"
},
{
"meta": {
"source-uuid": "e9595678-d269-469e-ae6b-75e49259de63",
"target-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5"
},
"uuid": "11a7431f-416f-48de-a3c0-8782abdede63",
"value": "BADNEWS (S0128) uses Data from Local System (T1005)"
},
{
"meta": {
"source-uuid": "93f52415-0fe4-4d3d-896c-fc9b8e88ab90",
"target-uuid": "cc7b8c4e-9be0-47ca-b0bb-83915ec3ee2f"
},
"uuid": "545a618f-9fe4-4573-a0a0-ecfcef0b407c",
"value": "BRONZE BUTLER (G0060) uses Data Encoding (T1132)"
},
{
"meta": {
"source-uuid": "0bbdf25b-30ff-4894-a1cd-49260d0dd2d9",
"target-uuid": "64fa0de0-6240-41f4-8638-f4ca7ed528fd"
},
"uuid": "3427863f-d4c4-4272-ad60-1479e42ed4af",
"value": "APT3 (G0022) uses PlugX (S0013)"
},
{
"meta": {
"source-uuid": "b35068ec-107a-4266-bda8-eb7036267aea",
"target-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0"
},
"uuid": "92d3b6b0-7c61-452a-a9b9-c2549357bfef",
"value": "nbtstat (S0102) uses System Network Configuration Discovery (T1016)"
},
{
"meta": {
"source-uuid": "92ec0cbd-2c30-44a2-b270-73f4ec949841",
"target-uuid": "ca1a3f50-5ebd-41f8-8320-2c7d6a6e88be"
},
"uuid": "0d0b4507-b600-41f1-be98-03909e5d99cf",
"value": "RTM (S0148) uses Bypass User Account Control (T1088)"
},
{
"meta": {
"source-uuid": "7a19ecb1-3c65-4de3-a230-993516aed6a6",
"target-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1"
},
"uuid": "e2675622-ec8e-4894-9f5e-3c82944e3019",
"value": "Turla (G0010) uses System Information Discovery (T1082)"
},
{
"meta": {
"source-uuid": "ab3580c8-8435-4117-aace-3d9fbe46aa56",
"target-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1"
},
"uuid": "02206f22-80e9-4f87-9e4b-5c1df1eb737e",
"value": "Unknown Logger (S0130) uses System Information Discovery (T1082)"
},
{
"meta": {
"source-uuid": "08d20cd2-f084-45ee-8558-fa6ef5a18519",
"target-uuid": "4b74a1d4-b0e9-4ef1-93f1-14ecc6e2f5b5"
},
"uuid": "9253e8b3-9fbb-4149-a2e4-60d36c006ba6",
"value": "Downdelph (S0134) uses Standard Cryptographic Protocol (T1032)"
},
{
"meta": {
"source-uuid": "2daa14d6-cbf3-4308-bb8e-213c324a08e4",
"target-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6"
},
"uuid": "4556634c-06f7-48f9-bcaa-22d023524068",
"value": "HAMMERTOSS (S0037) uses Standard Application Layer Protocol (T1071)"
},
{
"meta": {
"source-uuid": "0db09158-6e48-4e7c-8ce7-2b10b9c0c039",
"target-uuid": "7bc57495-ea59-4380-be31-a64af124ef18"
},
"uuid": "1a4c94a1-6362-42b3-b1d9-41ae3fbf5ea5",
"value": "Misdat (S0083) uses File and Directory Discovery (T1083)"
},
{
"meta": {
"source-uuid": "007b44b6-e4c5-480b-b5b9-56f2081b1b7b",
"target-uuid": "e3a12395-188d-4051-9a16-ea8e14d07b88"
},
"uuid": "db283fff-4b13-4c79-85f0-5cdb6b76e964",
"value": "HDoor (S0061) uses Network Service Scanning (T1046)"
},
{
"meta": {
"source-uuid": "03342581-f790-4f03-ba41-e82e67392e23",
"target-uuid": "f44731de-ea9f-406d-9b83-30ecbb9b4392"
},
"uuid": "5fc0ca38-bb65-43ab-b8b2-6861442b25a8",
"value": "Net (S0039) uses Service Execution (T1035)"
},
{
"meta": {
"source-uuid": "6713ab67-e25b-49cc-808d-2b36d4fbc35c",
"target-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1"
},
"uuid": "f865403f-5b4a-4e5a-bb50-8d416ad36db4",
"value": "Ke3chang (G0004) uses System Information Discovery (T1082)"
},
{
"meta": {
"source-uuid": "93f52415-0fe4-4d3d-896c-fc9b8e88ab90",
"target-uuid": "ca1a3f50-5ebd-41f8-8320-2c7d6a6e88be"
},
"uuid": "4c6aea43-27ba-4e6a-8907-e5db364a145b",
"value": "BRONZE BUTLER (G0060) uses Bypass User Account Control (T1088)"
},
{
"meta": {
"source-uuid": "222fbd21-fc4f-4b7e-9f85-0e6e3a76c33f",
"target-uuid": "ff6caf67-ea1f-4895-b80e-4bb0fc31c6db"
},
"uuid": "f9600732-9116-4325-8073-28d81721b37a",
"value": "menuPass (G0045) uses PsExec (S0029)"
},
{
"meta": {
"source-uuid": "247cb30b-955f-42eb-97a5-a89fef69341e",
"target-uuid": "7dbb67c7-270a-40ad-836e-c45f8948aa5a"
},
"uuid": "5ccd4b15-ef11-4b89-b0e1-4dd714fa2fb5",
"value": "APT32 (G0050) uses KOMPROGO (S0156)"
},
{
"meta": {
"source-uuid": "85b39628-204a-48d2-b377-ec368cbcb7ca",
"target-uuid": "774a3188-6ba9-4dc4-879d-d54ee48a5ce9"
},
"uuid": "ff922dd7-21b6-4f95-bb8b-080d0dee6655",
"value": "TINYTYPHON (S0131) uses Automated Exfiltration (T1020)"
},
{
"meta": {
"source-uuid": "e669bb87-f773-4c7b-bfcc-a9ffebfdd8d4",
"target-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d"
},
"uuid": "b97e696f-6386-4b15-8f24-81d0abe51830",
"value": "HIDEDRV (S0135) uses Process Injection (T1055)"
},
{
"meta": {
"source-uuid": "6713ab67-e25b-49cc-808d-2b36d4fbc35c",
"target-uuid": "72b74d71-8169-42aa-92e0-e7b04b9f5a08"
},
"uuid": "20f863a1-f7de-4d66-a564-c4adee24fdbe",
"value": "Ke3chang (G0004) uses Account Discovery (T1087)"
},
{
"meta": {
"source-uuid": "c93fccb1-e8e8-42cf-ae33-2ad1d183913a",
"target-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896"
},
"uuid": "39b735d3-c659-4d1a-8e7e-082c0f049c2d",
"value": "Lazarus Group (G0032) uses Query Registry (T1012)"
},
{
"meta": {
"source-uuid": "ff6840c9-4c87-4d07-bbb6-9f50aa33d498",
"target-uuid": "62b8c999-dcc0-4755-bd69-09442d9359f5"
},
"uuid": "ced15447-281b-4d92-941e-b5df9747a3d5",
"value": "Flame (S0143) uses Rundll32 (T1085)"
},
{
"meta": {
"source-uuid": "93f52415-0fe4-4d3d-896c-fc9b8e88ab90",
"target-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5"
},
"uuid": "05e9e12f-be5e-46f4-9f42-6f7fb7e9fb4a",
"value": "BRONZE BUTLER (G0060) uses Data from Local System (T1005)"
},
{
"meta": {
"source-uuid": "96b08451-b27a-4ff6-893f-790e26393a8e",
"target-uuid": "478aa214-2ca7-4ec0-9978-18798e514790"
},
"uuid": "d64ba78c-a332-40be-8e2f-904f15ceffe7",
"value": "Sakula (S0074) uses New Service (T1050)"
},
{
"meta": {
"source-uuid": "17862c7d-9e60-48a0-b48e-da4dc4c3f6b0",
"target-uuid": "7bc57495-ea59-4380-be31-a64af124ef18"
},
"uuid": "0e89ca75-b73e-476e-b56d-1cf815fa7868",
"value": "Patchwork (G0040) uses File and Directory Discovery (T1083)"
},
{
"meta": {
"source-uuid": "313c8b20-4d49-40c1-9ac0-4c573aca28f3",
"target-uuid": "514ede4c-78b3-4d78-a38b-daddf6217a79"
},
"uuid": "cca3a63c-e00e-49d1-bf10-f2c21f3469e6",
"value": "Winlogon Helper DLL Mitigation (T1004) mitigates Winlogon Helper DLL (T1004)"
},
{
"meta": {
"source-uuid": "e9595678-d269-469e-ae6b-75e49259de63",
"target-uuid": "1c338d0f-a65e-4073-a5c1-c06878849f21"
},
"uuid": "a5b4d08c-963a-48fe-8f22-ba344835d00e",
"value": "BADNEWS (S0128) uses Process Hollowing (T1093)"
},
{
"meta": {
"source-uuid": "234e7770-99b0-4f65-b983-d3230f76a60b",
"target-uuid": "c0a384a4-9a25-40e1-97b6-458388474bc8"
},
"uuid": "3ec34d16-a4e6-4fc7-b819-5a041605aa42",
"value": "Janicab (S0163) uses Local Job Scheduling (T1168)"
},
{
"meta": {
"source-uuid": "2fb26586-2b53-4b9a-ad4f-2b3bcb9a2421",
"target-uuid": "2e0dd10b-676d-4964-acd0-8a404c92b044"
},
"uuid": "babaa2be-7c41-490a-bd0b-2cf140858244",
"value": "SslMM (S0058) uses Disabling Security Tools (T1089)"
},
{
"meta": {
"source-uuid": "d7c49196-b40e-42bc-8eed-b803113692ed",
"target-uuid": "68c96494-1a50-403e-8844-69a6af278c68"
},
"uuid": "0b0884f1-1a40-436e-9a74-8cbe9c9d6732",
"value": "Change Default File Association Mitigation (T1042) mitigates Change Default File Association (T1042)"
},
{
"meta": {
"source-uuid": "2a7914cf-dff3-428d-ab0f-1014d1c28aeb",
"target-uuid": "72b74d71-8169-42aa-92e0-e7b04b9f5a08"
},
"uuid": "16c7058c-8fa5-4477-8332-9e76fcb38924",
"value": "FIN6 (G0037) uses Account Discovery (T1087)"
},
{
"meta": {
"source-uuid": "16ade1aa-0ea1-4bb7-88cc-9079df2ae756",
"target-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830"
},
"uuid": "fb6f077c-06a2-46bb-9aef-959ef818d4aa",
"value": "admin@338 (G0018) uses Command-Line Interface (T1059)"
},
{
"meta": {
"source-uuid": "92ec0cbd-2c30-44a2-b270-73f4ec949841",
"target-uuid": "348f1eef-964b-4eb6-bb53-69b3dcb0c643"
},
"uuid": "45f9e4b6-a6a0-4f9f-aae9-9e8a69f5681d",
"value": "RTM (S0148) uses Peripheral Device Discovery (T1120)"
},
{
"meta": {
"source-uuid": "0bbdf25b-30ff-4894-a1cd-49260d0dd2d9",
"target-uuid": "f879d51c-5476-431c-aedf-f14d207e4d1e"
},
"uuid": "afbf5119-6e39-4e4c-8329-57f7249a67b4",
"value": "APT3 (G0022) uses Commonly Used Port (T1043)"
},
{
"meta": {
"source-uuid": "fb366179-766c-4a4a-afa1-52bff1fd601c",
"target-uuid": "03342581-f790-4f03-ba41-e82e67392e23"
},
"uuid": "2e45dc12-f493-42ea-829e-011ba786bef1",
"value": "Threat Group-3390 (G0027) uses Net (S0039)"
},
{
"meta": {
"source-uuid": "2eb9b131-d333-4a48-9eb4-d8dec46c19ee",
"target-uuid": "7bc57495-ea59-4380-be31-a64af124ef18"
},
"uuid": "62507790-a137-409e-a655-9190ff78cb52",
"value": "CosmicDuke (S0050) uses File and Directory Discovery (T1083)"
},
{
"meta": {
"source-uuid": "4ca1929c-7d64-4aab-b849-badbfc0c760d",
"target-uuid": "72b74d71-8169-42aa-92e0-e7b04b9f5a08"
},
"uuid": "5f5af879-c239-416b-99ec-b46e2f9926a2",
"value": "OilRig (G0049) uses Account Discovery (T1087)"
},
{
"meta": {
"source-uuid": "aafea02e-ece5-4bb2-91a6-3bf8c7f38a39",
"target-uuid": "00d0b012-8a03-410e-95de-5826bf542de6"
},
"uuid": "cf7cd81f-3684-469f-936b-a6098ff76dbd",
"value": "Cobalt Strike (S0154) uses Indicator Removal from Tools (T1066)"
},
{
"meta": {
"source-uuid": "aafea02e-ece5-4bb2-91a6-3bf8c7f38a39",
"target-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830"
},
"uuid": "a6929a8b-e9b4-4122-8dd8-4030173346c9",
"value": "Cobalt Strike (S0154) uses Command-Line Interface (T1059)"
},
{
"meta": {
"source-uuid": "f6ae7a52-f3b6-4525-9daf-640c083f006e",
"target-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4"
},
"uuid": "202b96f6-0f7c-4aed-8004-780f1d880059",
"value": "PHOREAL (S0158) uses Modify Registry (T1112)"
},
{
"meta": {
"source-uuid": "ae9d818d-95d0-41da-b045-9cabea1ca164",
"target-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22"
},
"uuid": "2e80a049-220e-4d47-98f7-c0dbfe245cdc",
"value": "PinchDuke (S0048) uses Credential Dumping (T1003)"
},
{
"meta": {
"source-uuid": "fb366179-766c-4a4a-afa1-52bff1fd601c",
"target-uuid": "d54416bd-0803-41ca-870a-ce1af7c05638"
},
"uuid": "c8c5b766-a719-43bd-988a-cb00beedbba3",
"value": "Threat Group-3390 (G0027) uses Data Encrypted (T1022)"
},
{
"meta": {
"source-uuid": "bef4c620-0787-42a8-a96d-b7eb6e85917c",
"target-uuid": "59a97b15-8189-4d51-9404-e1ce8ea4a069"
},
"uuid": "cfe2a359-bbab-4520-bdd7-b2d6abf742cc",
"value": "APT28 (G0007) uses XAgentOSX (S0161)"
},
{
"meta": {
"source-uuid": "5c49bc54-9929-48ca-b581-7018219b5a97",
"target-uuid": "72b74d71-8169-42aa-92e0-e7b04b9f5a08"
},
"uuid": "3d635b23-78b7-4de4-9417-8077787c7c0b",
"value": "Account Discovery Mitigation (T1087) mitigates Account Discovery (T1087)"
},
{
"meta": {
"source-uuid": "083bb47b-02c8-4423-81a2-f9ef58572974",
"target-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d"
},
"uuid": "535e3fbe-e6d9-4608-9689-f8f1f8c1ddc9",
"value": "Backdoor.Oldrea (S0093) uses Process Injection (T1055)"
},
{
"meta": {
"source-uuid": "dcd81c6e-ebf7-4a16-93e0-9a97fa49c88a",
"target-uuid": "aafea02e-ece5-4bb2-91a6-3bf8c7f38a39"
},
"uuid": "6dbb3a1e-5fb4-4494-950c-570616302ece",
"value": "CopyKittens (G0052) uses Cobalt Strike (S0154)"
},
{
"meta": {
"source-uuid": "b1de6916-7a22-4460-8d26-6b5483ffaa2a",
"target-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc"
},
"uuid": "093215eb-4edb-4c55-bb5f-b8ca2de7962c",
"value": "SHIPSHAPE (S0028) uses Registry Run Keys / Start Folder (T1060)"
},
{
"meta": {
"source-uuid": "22addc7b-b39f-483d-979a-1b35147da5de",
"target-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6"
},
"uuid": "9df1a5b0-f1fb-4239-abb5-67ba6e9e05f6",
"value": "WinMM (S0059) uses Standard Application Layer Protocol (T1071)"
},
{
"meta": {
"source-uuid": "64d76fa5-cf8f-469c-b78c-1a4f7c5bad80",
"target-uuid": "322bad5a-1c49-4d23-ab79-76d641794afa"
},
"uuid": "54e99ba2-143f-43be-8d7f-79de5551d1ac",
"value": "BBSRAT (S0127) uses System Service Discovery (T1007)"
},
{
"meta": {
"source-uuid": "dcd81c6e-ebf7-4a16-93e0-9a97fa49c88a",
"target-uuid": "b9f5dbe2-4c55-4fc5-af2e-d42c1d182ec4"
},
"uuid": "2e82ef21-9fb2-421e-bd96-73599089b448",
"value": "CopyKittens (G0052) uses Data Compressed (T1002)"
},
{
"meta": {
"source-uuid": "57019a80-8523-46b6-be7d-f763a15a2cc6",
"target-uuid": "7fd87010-3a00-4da3-b905-410525e8ec44"
},
"uuid": "edbef2c6-4005-4fdb-b978-9699a7b2a309",
"value": "Scripting Mitigation (T1064) mitigates Scripting (T1064)"
},
{
"meta": {
"source-uuid": "196f1f32-e0c2-4d46-99cd-234d4b6befe1",
"target-uuid": "4b74a1d4-b0e9-4ef1-93f1-14ecc6e2f5b5"
},
"uuid": "5cdbfaba-b4be-4cff-bdc6-c9205c44c844",
"value": "Felismus (S0171) uses Standard Cryptographic Protocol (T1032)"
},
{
"meta": {
"source-uuid": "76abb3ef-dafd-4762-97cb-a35379429db4",
"target-uuid": "3b3cbbe0-6ed3-4334-b543-3ddfd8c5642d"
},
"uuid": "ec30b3a9-69b4-4604-9def-db9e904df309",
"value": "Gazer (S0168) uses Custom Cryptographic Protocol (T1024)"
},
{
"meta": {
"source-uuid": "7a19ecb1-3c65-4de3-a230-993516aed6a6",
"target-uuid": "322bad5a-1c49-4d23-ab79-76d641794afa"
},
"uuid": "52c18ed1-91a5-4394-a4d0-f700c75bf3d9",
"value": "Turla (G0010) uses System Service Discovery (T1007)"
},
{
"meta": {
"source-uuid": "b96680d1-5eb3-4f07-b95c-00ab904ac236",
"target-uuid": "cc7b8c4e-9be0-47ca-b0bb-83915ec3ee2f"
},
"uuid": "4ec9a523-e27f-4984-9bde-4af785e5e75a",
"value": "Pisloader (S0124) uses Data Encoding (T1132)"
},
{
"meta": {
"source-uuid": "95047f03-4811-4300-922e-1ba937d53a61",
"target-uuid": "3b3cbbe0-6ed3-4334-b543-3ddfd8c5642d"
},
"uuid": "2c29e6cf-a177-4578-bf1f-fd73ae254edd",
"value": "Hikit (S0009) uses Custom Cryptographic Protocol (T1024)"
},
{
"meta": {
"source-uuid": "bef4c620-0787-42a8-a96d-b7eb6e85917c",
"target-uuid": "799ace7f-e227-4411-baa0-8868704f2a69"
},
"uuid": "4b8d211d-4969-4c0f-8b01-fd176c8172d1",
"value": "APT28 (G0007) uses Indicator Removal on Host (T1070)"
},
{
"meta": {
"source-uuid": "6b616fc1-1505-48e3-8b2c-0d19337bff38",
"target-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2"
},
"uuid": "f4480854-9424-49d5-8b54-f839302e3ee7",
"value": "Rover (S0090) uses Input Capture (T1056)"
},
{
"meta": {
"source-uuid": "222fbd21-fc4f-4b7e-9f85-0e6e3a76c33f",
"target-uuid": "46944654-fcc1-4f63-9dad-628102376586"
},
"uuid": "ffee4cd1-f193-4dbc-9f47-6fe47e1523eb",
"value": "menuPass (G0045) uses DLL Search Order Hijacking (T1038)"
},
{
"meta": {
"source-uuid": "247cb30b-955f-42eb-97a5-a89fef69341e",
"target-uuid": "afc079f3-c0ea-4096-b75d-3f05338b7f60"
},
"uuid": "032fb34d-3434-4667-9d5e-6bb9fd6b7d00",
"value": "APT32 (G0050) uses Mimikatz (S0002)"
},
{
"meta": {
"source-uuid": "eff1a885-6f90-42a1-901f-eef6e7a1905e",
"target-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a"
},
"uuid": "284d622d-8b28-4569-97a7-936edced1b18",
"value": "Helminth (S0170) uses Obfuscated Files or Information (T1027)"
},
{
"meta": {
"source-uuid": "4ca1929c-7d64-4aab-b849-badbfc0c760d",
"target-uuid": "f72eb8a8-cd4c-461d-a814-3f862befbf00"
},
"uuid": "07a550a2-27c1-43f5-8b30-c288441ad5b0",
"value": "OilRig (G0049) uses Custom Command and Control Protocol (T1094)"
},
{
"meta": {
"source-uuid": "9559ecaf-2e75-48a7-aee8-9974020bc772",
"target-uuid": "ab3580c8-8435-4117-aace-3d9fbe46aa56"
},
"uuid": "34627bc3-c857-46c4-a9e8-060a779b643e",
"value": "MONSOON (G0042) uses Unknown Logger (S0130)"
},
{
"meta": {
"source-uuid": "247cb30b-955f-42eb-97a5-a89fef69341e",
"target-uuid": "327f3cc5-eea1-42d4-a6cd-ed34b7ce8f61"
},
"uuid": "1d3654f8-3a5e-4ef8-826f-4242ecf78c0a",
"value": "APT32 (G0050) uses Application Deployment Software (T1017)"
},
{
"meta": {
"source-uuid": "899ce53f-13a0-479b-a0e4-67d46e241542",
"target-uuid": "e6ef745b-077f-42e1-a37d-29eecff9c754"
},
"uuid": "0585e082-8f8e-4162-b4a8-3c1cef02f7e3",
"value": "APT29 (G0016) uses CozyCar (S0046)"
},
{
"meta": {
"source-uuid": "823fbfe9-b015-4bf3-9e67-d340c7373ca0",
"target-uuid": "ff25900d-76d5-449b-a351-8824e62fc81b"
},
"uuid": "e81d69cf-62b8-464b-ad5b-9a9e80236801",
"value": "Trusted Developer Utilities Mitigation (T1127) mitigates Trusted Developer Utilities (T1127)"
},
{
"meta": {
"source-uuid": "96b08451-b27a-4ff6-893f-790e26393a8e",
"target-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830"
},
"uuid": "a3fe1f58-b507-42ea-a21e-a6ac46de9ca8",
"value": "Sakula (S0074) uses Command-Line Interface (T1059)"
},
{
"meta": {
"source-uuid": "8f5e8dc7-739d-4f5e-a8a1-a66e004d7063",
"target-uuid": "afc079f3-c0ea-4096-b75d-3f05338b7f60"
},
"uuid": "b08e3c96-25a7-412f-bbfb-63e010ef3891",
"value": "Cleaver (G0003) uses Mimikatz (S0002)"
},
{
"meta": {
"source-uuid": "ff6840c9-4c87-4d07-bbb6-9f50aa33d498",
"target-uuid": "52d40641-c480-4ad5-81a3-c80ccaddf82d"
},
"uuid": "69d05cb2-ded0-4847-b52e-af7af421f303",
"value": "Flame (S0143) uses Authentication Package (T1131)"
},
{
"meta": {
"source-uuid": "76abb3ef-dafd-4762-97cb-a35379429db4",
"target-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add"
},
"uuid": "8db1b5bd-8f0c-4c13-8667-c83713ce799e",
"value": "Gazer (S0168) uses Remote File Copy (T1105)"
},
{
"meta": {
"source-uuid": "0bbdf25b-30ff-4894-a1cd-49260d0dd2d9",
"target-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580"
},
"uuid": "daf56e8e-ea82-4ef2-bb03-78dd7e6ef3c0",
"value": "APT3 (G0022) uses Process Discovery (T1057)"
},
{
"meta": {
"source-uuid": "17862c7d-9e60-48a0-b48e-da4dc4c3f6b0",
"target-uuid": "241814ae-de3f-4656-b49e-f9a80764d4b7"
},
"uuid": "6a5bc2dd-2132-4af0-9b12-0e781971d96c",
"value": "Patchwork (G0040) uses Security Software Discovery (T1063)"
},
{
"meta": {
"source-uuid": "26fed817-e7bf-41f9-829a-9075ffac45c2",
"target-uuid": "7bc57495-ea59-4380-be31-a64af124ef18"
},
"uuid": "ccb67d98-71d6-4a26-86b6-281174ca07b0",
"value": "Kasidet (S0088) uses File and Directory Discovery (T1083)"
},
{
"meta": {
"source-uuid": "10571bf2-8073-4edf-a71c-23bad225532e",
"target-uuid": "317fefa6-46c7-4062-adb6-2008cf6bcb41"
},
"uuid": "8b439661-99e2-4410-b043-082155793155",
"value": "AppInit DLLs Mitigation (T1103) mitigates AppInit DLLs (T1103)"
},
{
"meta": {
"source-uuid": "46b7ef91-4e1d-43c5-a2eb-00fa9444f6f4",
"target-uuid": "3257eb21-f9a7-4430-8de1-d8b6e288f529"
},
"uuid": "c1600f3f-6c21-4c5b-82fe-a4514785f6bb",
"value": "Network Sniffing Mitigation (T1040) mitigates Network Sniffing (T1040)"
},
{
"meta": {
"source-uuid": "dc5d1a33-62aa-4a0c-aa8c-589b87beb11e",
"target-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6"
},
"uuid": "03c9b56e-f006-43b2-ac98-bcbe0c05e979",
"value": "ChChes (S0144) uses Standard Application Layer Protocol (T1071)"
},
{
"meta": {
"source-uuid": "92ec0cbd-2c30-44a2-b270-73f4ec949841",
"target-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add"
},
"uuid": "c839344c-a96d-412f-bded-5ac7c8fd446a",
"value": "RTM (S0148) uses Remote File Copy (T1105)"
},
{
"meta": {
"source-uuid": "7ee0879d-ce4f-4f54-a96b-c532dfb98ffd",
"target-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5"
},
"uuid": "1b4cd403-8e3a-43da-bc25-a7e8d707794b",
"value": "Data from Local System Mitigation (T1005) mitigates Data from Local System (T1005)"
},
{
"meta": {
"source-uuid": "e1161124-f22e-487f-9d5f-ed8efc8dcd61",
"target-uuid": "c21d5a77-d422-4a69-acd7-2c53c1faa34b"
},
"uuid": "cef7d272-ee0c-4379-9d7b-63adf1f40252",
"value": "Mis-Type (S0084) uses Standard Non-Application Layer Protocol (T1095)"
},
{
"meta": {
"source-uuid": "17e919aa-4a49-445c-b103-dbb8df9e7351",
"target-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6"
},
"uuid": "c560f682-0d21-4c9b-b35d-33aec2287117",
"value": "POWERSOURCE (S0145) uses Standard Application Layer Protocol (T1071)"
},
{
"meta": {
"source-uuid": "30489451-5886-4c46-90c9-0dff9adc5252",
"target-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0"
},
"uuid": "d4fd461f-fc58-4060-aed4-cebe64f249b9",
"value": "Arp (S0099) uses System Network Configuration Discovery (T1016)"
},
{
"meta": {
"source-uuid": "5e7ef1dc-7fb6-4913-ac75-e06113b59e0c",
"target-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6"
},
"uuid": "d9e8d70a-06f6-4873-baf8-29ebfaf6bf99",
"value": "MiniDuke (S0051) uses Standard Application Layer Protocol (T1071)"
},
{
"meta": {
"source-uuid": "03342581-f790-4f03-ba41-e82e67392e23",
"target-uuid": "322bad5a-1c49-4d23-ab79-76d641794afa"
},
"uuid": "1d36c3e8-238f-46c6-9b20-9fb4cb5c75ba",
"value": "Net (S0039) uses System Service Discovery (T1007)"
},
{
"meta": {
"source-uuid": "0db09158-6e48-4e7c-8ce7-2b10b9c0c039",
"target-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1"
},
"uuid": "87e080cf-b8c0-4679-bcfb-ff77ab7698f3",
"value": "Misdat (S0083) uses System Information Discovery (T1082)"
},
{
"meta": {
"source-uuid": "66b1dcde-17a0-4c7b-95fa-b08d430c2131",
"target-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc"
},
"uuid": "d067b113-4584-419f-860b-d3184f734350",
"value": "S-Type (S0085) uses Registry Run Keys / Start Folder (T1060)"
},
{
"meta": {
"source-uuid": "94927849-03e3-4a07-8f4c-9ee21b626719",
"target-uuid": "2ba5aa71-9d15-4b22-b726-56af06d9ad2f"
},
"uuid": "56086ed3-641e-4fd5-b26e-1ca9479c2081",
"value": "Startup Items Mitigation (T1165) mitigates Startup Items (T1165)"
},
{
"meta": {
"source-uuid": "7a19ecb1-3c65-4de3-a230-993516aed6a6",
"target-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896"
},
"uuid": "519c4c7f-8495-4b8a-b58e-551a78e469cc",
"value": "Turla (G0010) uses Query Registry (T1012)"
},
{
"meta": {
"source-uuid": "4ca1929c-7d64-4aab-b849-badbfc0c760d",
"target-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0"
},
"uuid": "e0301b36-c339-49c5-b257-9ece19152922",
"value": "OilRig (G0049) uses System Network Configuration Discovery (T1016)"
},
{
"meta": {
"source-uuid": "a0cb9370-e39b-44d5-9f50-ef78e412b973",
"target-uuid": "ad255bfe-a9e6-4b52-a258-8d3462abe842"
},
"uuid": "f837cc68-8715-4301-ae15-bf89c8b1f7ee",
"value": "Axiom (G0001) uses Data Obfuscation (T1001)"
},
{
"meta": {
"source-uuid": "17b40f60-729f-4fe8-8aea-cc9ee44a95d5",
"target-uuid": "f879d51c-5476-431c-aedf-f14d207e4d1e"
},
"uuid": "388b4637-f634-42ab-a370-981be7da89bd",
"value": "RedLeaves (S0153) uses Commonly Used Port (T1043)"
},
{
"meta": {
"source-uuid": "f9d6633a-55e6-4adc-9263-6ae080421a13",
"target-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59"
},
"uuid": "7f17927d-b371-42c4-bd68-0c5c57e3edab",
"value": "Magic Hound (G0059) uses File Deletion (T1107)"
},
{
"meta": {
"source-uuid": "7c39ebbf-244e-4d1c-b0ac-b282453ece43",
"target-uuid": "1c338d0f-a65e-4073-a5c1-c06878849f21"
},
"uuid": "13f5fad8-1b6f-4b65-9803-155f93b5d357",
"value": "Process Hollowing Mitigation (T1093) mitigates Process Hollowing (T1093)"
},
{
"meta": {
"source-uuid": "1f34230d-b6ae-4dc7-8599-78c18820bd21",
"target-uuid": "3489cfc5-640f-4bb3-a103-9137b97de79f"
},
"uuid": "fb1a7bbd-9dec-4038-9935-1647378f739f",
"value": "Network Share Discovery Mitigation (T1135) mitigates Network Share Discovery (T1135)"
},
{
"meta": {
"source-uuid": "2fb26586-2b53-4b9a-ad4f-2b3bcb9a2421",
"target-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0"
},
"uuid": "c5cf4822-a0bf-442a-9943-1937ac45520b",
"value": "SslMM (S0058) uses Masquerading (T1036)"
},
{
"meta": {
"source-uuid": "1022138b-497c-40e6-b53a-13351cbd4090",
"target-uuid": "0ca7beef-9bbc-4e35-97cf-437384ddce6a"
},
"uuid": "c7047518-c63f-41b5-a803-1ed54066a62e",
"value": "File System Permissions Weakness Mitigation (T1044) mitigates File System Permissions Weakness (T1044)"
},
{
"meta": {
"source-uuid": "222fbd21-fc4f-4b7e-9f85-0e6e3a76c33f",
"target-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add"
},
"uuid": "2cc93cb7-fbe6-4c79-b619-a2eb877de1cf",
"value": "menuPass (G0045) uses Remote File Copy (T1105)"
},
{
"meta": {
"source-uuid": "fbb470da-1d44-4f29-bbb3-9efbe20f94a3",
"target-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830"
},
"uuid": "f8a90328-b7ee-474a-9773-f5bf501defd3",
"value": "Mivast (S0080) uses Command-Line Interface (T1059)"
},
{
"meta": {
"source-uuid": "899ce53f-13a0-479b-a0e4-67d46e241542",
"target-uuid": "7fd87010-3a00-4da3-b905-410525e8ec44"
},
"uuid": "00ce7309-114c-45a1-b905-f7a973cb3837",
"value": "APT29 (G0016) uses Scripting (T1064)"
},
{
"meta": {
"source-uuid": "c93fccb1-e8e8-42cf-ae33-2ad1d183913a",
"target-uuid": "a10641f4-87b4-45a3-a906-92a149cb2c27"
},
"uuid": "2325c0b2-fb89-44e1-9206-e495811f2907",
"value": "Lazarus Group (G0032) uses Account Manipulation (T1098)"
},
{
"meta": {
"source-uuid": "6a2e693f-24e5-451a-9f88-b36a108e5662",
"target-uuid": "b9f5dbe2-4c55-4fc5-af2e-d42c1d182ec4"
},
"uuid": "43c34939-8236-4ddd-8def-0eb7b5fe62cf",
"value": "APT1 (G0006) uses Data Compressed (T1002)"
},
{
"meta": {
"source-uuid": "899ce53f-13a0-479b-a0e4-67d46e241542",
"target-uuid": "9b99b83a-1aac-4e29-b975-b374950551a3"
},
"uuid": "e65112dc-8a58-486f-9f3b-5a84925a3e53",
"value": "APT29 (G0016) uses Accessibility Features (T1015)"
},
{
"meta": {
"source-uuid": "0b32ec39-ba61-4864-9ebe-b4b0b73caf9a",
"target-uuid": "128c55d3-aeba-469f-bd3e-c8996ab4112a"
},
"uuid": "d2fa2382-dcfc-4cff-969b-2b5ec12dc406",
"value": "TDTESS (S0164) uses Timestomp (T1099)"
},
{
"meta": {
"source-uuid": "c47f937f-1022-4f42-8525-e7a4779a14cb",
"target-uuid": "8beac7c2-48d2-4cd9-9b15-6c452f38ac06"
},
"uuid": "762f85a3-0120-4b09-aafd-3f460764e85f",
"value": "APT12 (G0005) uses Ixeshe (S0015)"
},
{
"meta": {
"source-uuid": "91000a8a-58cc-4aba-9ad0-993ad6302b86",
"target-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4"
},
"uuid": "69bff194-c90e-4e30-a369-57da4cff014d",
"value": "StreamEx (S0142) uses Modify Registry (T1112)"
},
{
"meta": {
"source-uuid": "17b40f60-729f-4fe8-8aea-cc9ee44a95d5",
"target-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc"
},
"uuid": "ed2f811d-3258-4489-abe1-57dac4bdbbf8",
"value": "RedLeaves (S0153) uses Registry Run Keys / Start Folder (T1060)"
},
{
"meta": {
"source-uuid": "0f862b01-99da-47cc-9bdb-db4a86a95bb1",
"target-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1"
},
"uuid": "4a959425-4d43-4969-9a47-768894a3afaa",
"value": "Emissary (S0082) uses System Information Discovery (T1082)"
},
{
"meta": {
"source-uuid": "65341f30-bec6-4b1d-8abf-1a5620446c29",
"target-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1"
},
"uuid": "edbd751e-29ad-419f-a3ff-9d210453351d",
"value": "Reaver (S0172) uses System Information Discovery (T1082)"
},
{
"meta": {
"source-uuid": "7343e208-7cab-45f2-a47b-41ba5e2f0fab",
"target-uuid": "ba8e391f-14b5-496f-81f2-2d5ecd646c1c"
},
"uuid": "044ad6d3-9389-4764-9b96-ad53dc98840d",
"value": "XTunnel (S0117) uses Credentials in Files (T1081)"
},
{
"meta": {
"source-uuid": "a5528622-3a8a-4633-86ce-8cdaf8423858",
"target-uuid": "66f73398-8394-4711-85e5-34c8540b22a5"
},
"uuid": "3b4f48d3-eb5d-4d7e-9f0b-86f68951207d",
"value": "FinFisher (S0182) uses Hooking (T1179)"
},
{
"meta": {
"source-uuid": "addb3703-5a59-4461-9bcd-7e2b5d4e92a0",
"target-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6"
},
"uuid": "2a0b74b3-cbc3-45fa-aba4-eabdb0cb89b5",
"value": "Standard Application Layer Protocol Mitigation (T1071) mitigates Standard Application Layer Protocol (T1071)"
},
{
"meta": {
"source-uuid": "463f68f1-5cde-4dc2-a831-68b73488f8f4",
"target-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5"
},
"uuid": "5d55979e-d4e8-44eb-97d6-e3e78baa60c7",
"value": "MobileOrder (S0079) uses Data from Local System (T1005)"
},
{
"meta": {
"source-uuid": "247cb30b-955f-42eb-97a5-a89fef69341e",
"target-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6"
},
"uuid": "79057890-3cd0-4124-8b35-b86db6b4f9d7",
"value": "APT32 (G0050) uses Standard Application Layer Protocol (T1071)"
},
{
"meta": {
"source-uuid": "17b40f60-729f-4fe8-8aea-cc9ee44a95d5",
"target-uuid": "7e150503-88e7-4861-866b-ff1ac82c4475"
},
"uuid": "ed45fb1c-048a-4378-8c15-6f6ea0c72d7a",
"value": "RedLeaves (S0153) uses System Network Connections Discovery (T1049)"
},
{
"meta": {
"source-uuid": "6713ab67-e25b-49cc-808d-2b36d4fbc35c",
"target-uuid": "4664b683-f578-434f-919b-1c1aad2a1111"
},
"uuid": "325ccde0-2d5a-4306-9c4e-e1a554ee0d87",
"value": "Ke3chang (G0004) uses netstat (S0104)"
},
{
"meta": {
"source-uuid": "2a6f4c7b-e690-4cc7-ab6b-1f821fb6b80b",
"target-uuid": "f879d51c-5476-431c-aedf-f14d207e4d1e"
},
"uuid": "f19f6e41-14b2-44a1-940f-6a6f2cfab6be",
"value": "LOWBALL (S0042) uses Commonly Used Port (T1043)"
},
{
"meta": {
"source-uuid": "8901ac23-6b50-410c-b0dd-d8174a86f9b3",
"target-uuid": "e358d692-23c0-4a31-9eb6-ecc13a8d7735"
},
"uuid": "e1f4c08f-b5b1-4d62-8f1c-75f4302b0bce",
"value": "Shamoon (S0140) uses Remote System Discovery (T1018)"
},
{
"meta": {
"source-uuid": "17b40f60-729f-4fe8-8aea-cc9ee44a95d5",
"target-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830"
},
"uuid": "9194756f-c455-427b-9fb0-4887c7bf3bf3",
"value": "RedLeaves (S0153) uses Command-Line Interface (T1059)"
},
{
"meta": {
"source-uuid": "03342581-f790-4f03-ba41-e82e67392e23",
"target-uuid": "72b74d71-8169-42aa-92e0-e7b04b9f5a08"
},
"uuid": "15f74597-d92d-406f-9941-c0dfef3cb609",
"value": "Net (S0039) uses Account Discovery (T1087)"
},
{
"meta": {
"source-uuid": "5f9f7648-04ba-4a9f-bb4c-2a13e74572bd",
"target-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9"
},
"uuid": "dbacc7d5-5d10-4b41-994d-51e0792cfb19",
"value": "Pteranodon (S0147) uses Scheduled Task (T1053)"
},
{
"meta": {
"source-uuid": "aafea02e-ece5-4bb2-91a6-3bf8c7f38a39",
"target-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81"
},
"uuid": "26af1f3f-806e-45bd-860a-2eead8af7d3e",
"value": "Cobalt Strike (S0154) uses Valid Accounts (T1078)"
},
{
"meta": {
"source-uuid": "69d6f4a9-fcf0-4f51-bca7-597c51ad0bb8",
"target-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0"
},
"uuid": "bd5b4264-1f10-4cd5-b7b0-a6a8b9dad7c3",
"value": "Remsec (S0125) uses System Network Configuration Discovery (T1016)"
},
{
"meta": {
"source-uuid": "09b2cd76-c674-47cc-9f57-d2f2ad150a46",
"target-uuid": "241814ae-de3f-4656-b49e-f9a80764d4b7"
},
"uuid": "52781f1e-4b91-4ff2-8f48-89e15bc40d42",
"value": "POWRUNER (S0184) uses Security Software Discovery (T1063)"
},
{
"meta": {
"source-uuid": "a0cb9370-e39b-44d5-9f50-ef78e412b973",
"target-uuid": "94379dec-5c87-49db-b36e-66abc0b81344"
},
"uuid": "e4c7c4b7-fe19-4433-acd9-ec94f436f381",
"value": "Axiom (G0001) uses Derusbi (S0021)"
},
{
"meta": {
"source-uuid": "6b616fc1-1505-48e3-8b2c-0d19337bff38",
"target-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5"
},
"uuid": "7c792d18-25a3-4d85-be44-93523228748c",
"value": "Rover (S0090) uses Data from Local System (T1005)"
},
{
"meta": {
"source-uuid": "247cb30b-955f-42eb-97a5-a89fef69341e",
"target-uuid": "98e8a977-3416-43aa-87fa-33e287e9c14c"
},
"uuid": "d9c29485-ced4-4ebc-880c-31d35dd54b26",
"value": "APT32 (G0050) uses WINDSHIELD (S0155)"
},
{
"meta": {
"source-uuid": "222fbd21-fc4f-4b7e-9f85-0e6e3a76c33f",
"target-uuid": "64fa0de0-6240-41f4-8638-f4ca7ed528fd"
},
"uuid": "68487d82-458b-4f45-b1c8-c6e4affaa226",
"value": "menuPass (G0045) uses PlugX (S0013)"
},
{
"meta": {
"source-uuid": "b6b3dfc7-9a81-43ff-ac04-698bad48973a",
"target-uuid": "ad255bfe-a9e6-4b52-a258-8d3462abe842"
},
"uuid": "a566127b-1d88-4b38-84dd-4686e2837399",
"value": "Daserf (S0187) uses Data Obfuscation (T1001)"
},
{
"meta": {
"source-uuid": "95047f03-4811-4300-922e-1ba937d53a61",
"target-uuid": "731f4f55-b6d0-41d1-a7a9-072a66389aea"
},
"uuid": "d7c40b1d-efe6-4869-9754-6494d45f51f1",
"value": "Hikit (S0009) uses Connection Proxy (T1090)"
},
{
"meta": {
"source-uuid": "d69c8146-ab35-4d50-8382-6fc80e641d43",
"target-uuid": "7bc57495-ea59-4380-be31-a64af124ef18"
},
"uuid": "007cc21a-685a-4701-99c1-20f258cedc7c",
"value": "BLACKCOFFEE (S0069) uses File and Directory Discovery (T1083)"
},
{
"meta": {
"source-uuid": "88c621a7-aef9-4ae0-94e3-1fc87123eb24",
"target-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2"
},
"uuid": "becf0a5e-4636-4d2f-bd4a-fd60b15ee74a",
"value": "gh0st (S0032) uses Input Capture (T1056)"
},
{
"meta": {
"source-uuid": "00c3bfcb-99bd-4767-8c03-b08f585f5c8a",
"target-uuid": "f879d51c-5476-431c-aedf-f14d207e4d1e"
},
"uuid": "a72ad83f-8336-4d01-b22d-5c836f5e5bf9",
"value": "PowerDuke (S0139) uses Commonly Used Port (T1043)"
},
{
"meta": {
"source-uuid": "69d6f4a9-fcf0-4f51-bca7-597c51ad0bb8",
"target-uuid": "e3a12395-188d-4051-9a16-ea8e14d07b88"
},
"uuid": "e6b68811-113e-4f86-8096-9f506e34dda1",
"value": "Remsec (S0125) uses Network Service Scanning (T1046)"
},
{
"meta": {
"source-uuid": "ccd61dfc-b03f-4689-8c18-7c97eab08472",
"target-uuid": "731f4f55-b6d0-41d1-a7a9-072a66389aea"
},
"uuid": "252c0e02-0da6-4812-b147-81d9cfb3c998",
"value": "CHOPSTICK (S0023) uses Connection Proxy (T1090)"
},
{
"meta": {
"source-uuid": "66b1dcde-17a0-4c7b-95fa-b08d430c2131",
"target-uuid": "970cdb5c-02fb-4c38-b17e-d6327cf3c810"
},
"uuid": "907df22e-fdfe-4b93-8b18-ebf66f83868c",
"value": "S-Type (S0085) uses Shortcut Modification (T1023)"
},
{
"meta": {
"source-uuid": "68ba94ab-78b8-43e7-83e2-aed3466882c6",
"target-uuid": "7fd87010-3a00-4da3-b905-410525e8ec44"
},
"uuid": "a39bc982-3934-4ec7-ba33-0de9331d55f5",
"value": "APT34 (G0057) uses Scripting (T1064)"
},
{
"meta": {
"source-uuid": "7a19ecb1-3c65-4de3-a230-993516aed6a6",
"target-uuid": "76abb3ef-dafd-4762-97cb-a35379429db4"
},
"uuid": "773e99eb-0739-42d3-afaa-aff65e86329d",
"value": "Turla (G0010) uses Gazer (S0168)"
},
{
"meta": {
"source-uuid": "0bbdf25b-30ff-4894-a1cd-49260d0dd2d9",
"target-uuid": "92d7da27-2d91-488e-a00c-059dc162766d"
},
"uuid": "68edf451-bda3-4159-9715-dbcfda8eb8e2",
"value": "APT3 (G0022) uses Exfiltration Over Command and Control Channel (T1041)"
},
{
"meta": {
"source-uuid": "95ddb356-7ba0-4bd9-a889-247262b8946f",
"target-uuid": "0f20e3cb-245b-4a61-8a91-2d93f7cb0e9b"
},
"uuid": "1e91cd45-a725-4965-abe3-700694374432",
"value": "Rootkit Mitigation (T1014) mitigates Rootkit (T1014)"
},
{
"meta": {
"source-uuid": "26fed817-e7bf-41f9-829a-9075ffac45c2",
"target-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580"
},
"uuid": "4d90fd9d-9f9b-45f8-986d-3db43b679905",
"value": "Kasidet (S0088) uses Process Discovery (T1057)"
},
{
"meta": {
"source-uuid": "df71bb3b-813c-45eb-a8bc-f2a419837411",
"target-uuid": "b42378e0-f147-496f-992a-26a49705395b"
},
"uuid": "fad44d26-02a8-4cdc-b566-5e24f32a93b3",
"value": "Molerats (G0021) uses PoisonIvy (S0012)"
},
{
"meta": {
"source-uuid": "8901ac23-6b50-410c-b0dd-d8174a86f9b3",
"target-uuid": "f879d51c-5476-431c-aedf-f14d207e4d1e"
},
"uuid": "5bb39b9d-3651-4cdf-80b1-9d88b2062258",
"value": "Shamoon (S0140) uses Commonly Used Port (T1043)"
},
{
"meta": {
"source-uuid": "c93fccb1-e8e8-42cf-ae33-2ad1d183913a",
"target-uuid": "dcaa092b-7de9-4a21-977f-7fcb77e89c48"
},
"uuid": "1a40426a-355c-4d7e-b51c-e95a102b31e2",
"value": "Lazarus Group (G0032) uses Access Token Manipulation (T1134)"
},
{
"meta": {
"source-uuid": "d1acfbb3-647b-4723-9154-800ec119006e",
"target-uuid": "96566860-9f11-4b6f-964d-1c924e4f24a4"
},
"uuid": "64aab090-e7c2-4114-8c15-49700b611fb8",
"value": "Sowbug (G0054) uses Starloader (S0188)"
},
{
"meta": {
"source-uuid": "fb575479-14ef-41e9-bfab-0b7cf10bec73",
"target-uuid": "92d7da27-2d91-488e-a00c-059dc162766d"
},
"uuid": "d8abe157-f6cd-4959-b9d5-e0c87d16bcfe",
"value": "ADVSTORESHELL (S0045) uses Exfiltration Over Command and Control Channel (T1041)"
},
{
"meta": {
"source-uuid": "c0c45d38-fe57-4cd4-b2b2-9ecd0ddd4ca9",
"target-uuid": "30973a08-aed9-4edf-8604-9084ce1b5c4f"
},
"uuid": "35ca6c35-f1e9-49b7-a8c9-a67951c57ea0",
"value": "TinyZBot (S0004) uses Clipboard Data (T1115)"
},
{
"meta": {
"source-uuid": "09b2cd76-c674-47cc-9f57-d2f2ad150a46",
"target-uuid": "ad255bfe-a9e6-4b52-a258-8d3462abe842"
},
"uuid": "129cacdc-8acb-4209-a77c-a6a7e0820a97",
"value": "POWRUNER (S0184) uses Data Obfuscation (T1001)"
},
{
"meta": {
"source-uuid": "69d6f4a9-fcf0-4f51-bca7-597c51ad0bb8",
"target-uuid": "4b74a1d4-b0e9-4ef1-93f1-14ecc6e2f5b5"
},
"uuid": "1fe4be95-b162-4fc7-a3c9-4277547ea722",
"value": "Remsec (S0125) uses Standard Cryptographic Protocol (T1032)"
},
{
"meta": {
"source-uuid": "6a2e693f-24e5-451a-9f88-b36a108e5662",
"target-uuid": "c9cd7ec9-40b7-49db-80be-1399eddd9c52"
},
"uuid": "1d5e0da2-7741-4a31-9c54-cbbe584fe27b",
"value": "APT1 (G0006) uses Cachedump (S0119)"
},
{
"meta": {
"source-uuid": "7551188b-8f91-4d34-8350-0d0c57b2b913",
"target-uuid": "322bad5a-1c49-4d23-ab79-76d641794afa"
},
"uuid": "2a7d01e9-9c42-4d17-947a-629ca7a9d515",
"value": "Elise (S0081) uses System Service Discovery (T1007)"
},
{
"meta": {
"source-uuid": "fe98767f-9df8-42b9-83c9-004b1dec8647",
"target-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81"
},
"uuid": "93b12e1a-7f21-4fa0-9b2a-c96c7c270625",
"value": "PittyTiger (G0011) uses Valid Accounts (T1078)"
},
{
"meta": {
"source-uuid": "7a19ecb1-3c65-4de3-a230-993516aed6a6",
"target-uuid": "6b62e336-176f-417b-856a-8552dd8c44e1"
},
"uuid": "e02d1cb4-1bb7-49b5-a918-5e0d194974aa",
"value": "Turla (G0010) uses Epic (S0091)"
},
{
"meta": {
"source-uuid": "cba5667e-e3c6-44a4-811c-266dbc00e440",
"target-uuid": "52f3d5a6-8a0f-4f82-977e-750abf90d0b0"
},
"uuid": "f6483534-196c-4540-a456-985594171cd8",
"value": "Extra Window Memory Injection Mitigation (T1181) mitigates Extra Window Memory Injection (T1181)"
},
{
"meta": {
"source-uuid": "5cbe0d3b-6fb1-471f-b591-4b192915116d",
"target-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830"
},
"uuid": "13a8be40-1190-4553-b026-58c5088c322a",
"value": "Suckfly (G0039) uses Command-Line Interface (T1059)"
},
{
"meta": {
"source-uuid": "68dca94f-c11d-421e-9287-7c501108e18c",
"target-uuid": "4b74a1d4-b0e9-4ef1-93f1-14ecc6e2f5b5"
},
"uuid": "7cb48d6d-1171-4e9d-87c7-4779293f6921",
"value": "Duqu (S0038) uses Standard Cryptographic Protocol (T1032)"
},
{
"meta": {
"source-uuid": "9559ecaf-2e75-48a7-aee8-9974020bc772",
"target-uuid": "f5352566-1a64-49ac-8f7f-97e1d1a03300"
},
"uuid": "ded85906-e996-45cd-ae64-82adc22397e3",
"value": "MONSOON (G0042) uses AutoIt backdoor (S0129)"
},
{
"meta": {
"source-uuid": "d69c8146-ab35-4d50-8382-6fc80e641d43",
"target-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580"
},
"uuid": "5a77e097-3aed-4bd3-b5fc-997746da62ad",
"value": "BLACKCOFFEE (S0069) uses Process Discovery (T1057)"
},
{
"meta": {
"source-uuid": "56648de3-8947-4559-90c4-eda10acc0f5a",
"target-uuid": "9e09ddb2-1746-4448-9cad-7f8b41777d6d"
},
"uuid": "dce95526-cb24-4d3e-9b3b-de704e0730e4",
"value": "Keychain Mitigation (T1142) mitigates Keychain (T1142)"
},
{
"meta": {
"source-uuid": "8901ac23-6b50-410c-b0dd-d8174a86f9b3",
"target-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6"
},
"uuid": "ed94edc7-e687-409e-9143-20a15190bd83",
"value": "Shamoon (S0140) uses Standard Application Layer Protocol (T1071)"
},
{
"meta": {
"source-uuid": "bef4c620-0787-42a8-a96d-b7eb6e85917c",
"target-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2"
},
"uuid": "2d450e2f-25c9-49af-b83f-6c91029ed28a",
"value": "APT28 (G0007) uses Input Capture (T1056)"
},
{
"meta": {
"source-uuid": "4ca1929c-7d64-4aab-b849-badbfc0c760d",
"target-uuid": "2e45723a-31da-4a7e-aaa6-e01998a6788f"
},
"uuid": "3beb0c09-e584-4fd8-92bb-d7a1ae9192e6",
"value": "OilRig (G0049) uses Tasklist (S0057)"
},
{
"meta": {
"source-uuid": "d01f473f-3cdc-4867-9e55-1de9cf1986f0",
"target-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c"
},
"uuid": "8104dfee-8883-4f7c-8f7d-84c9b409efc3",
"value": "Deobfuscate/Decode Files or Information Mitigation (T1140) mitigates Deobfuscate/Decode Files or Information (T1140)"
},
{
"meta": {
"source-uuid": "a60657fa-e2e7-4f8f-8128-a882534ae8c5",
"target-uuid": "c16e5409-ee53-4d79-afdc-4099dc9292df"
},
"uuid": "0dee5507-6e61-4244-86a8-c7e8a34469da",
"value": "OwaAuth (S0072) uses Web Shell (T1100)"
},
{
"meta": {
"source-uuid": "c93fccb1-e8e8-42cf-ae33-2ad1d183913a",
"target-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5"
},
"uuid": "3fe9b64a-6435-4592-9181-2ad50ee93044",
"value": "Lazarus Group (G0032) uses Data from Local System (T1005)"
},
{
"meta": {
"source-uuid": "a653431d-6a5e-4600-8ad3-609b5af57064",
"target-uuid": "9b99b83a-1aac-4e29-b975-b374950551a3"
},
"uuid": "ab069468-3dff-4c77-9293-adb0b2627a4e",
"value": "Deep Panda (G0009) uses Accessibility Features (T1015)"
},
{
"meta": {
"source-uuid": "4fa49fc0-9162-4bdb-a37e-7aa3dcb6d38b",
"target-uuid": "f44731de-ea9f-406d-9b83-30ecbb9b4392"
},
"uuid": "3f416bd3-a06f-4ec2-8cf6-4a84e0611c63",
"value": "xCmd (S0123) uses Service Execution (T1035)"
},
{
"meta": {
"source-uuid": "64fa0de0-6240-41f4-8638-f4ca7ed528fd",
"target-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830"
},
"uuid": "79106ad4-28d3-4f67-a2c3-116d138ec84a",
"value": "PlugX (S0013) uses Command-Line Interface (T1059)"
},
{
"meta": {
"source-uuid": "17dec760-9c8f-4f1b-9b4b-0ac47a453234",
"target-uuid": "246fd3c7-f5e3-466d-8787-4c13d9e3b61c"
},
"uuid": "e0d33a40-a0d1-49fe-bea1-d0e4f000f628",
"value": "Miner-C (S0133) uses Taint Shared Content (T1080)"
},
{
"meta": {
"source-uuid": "083bb47b-02c8-4423-81a2-f9ef58572974",
"target-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59"
},
"uuid": "1d54c1d7-529f-4e4f-9a38-55b1b8cbff66",
"value": "Backdoor.Oldrea (S0093) uses File Deletion (T1107)"
},
{
"meta": {
"source-uuid": "6cac62ce-550b-4793-8ee6-6a1b8836edb0",
"target-uuid": "799ace7f-e227-4411-baa0-8868704f2a69"
},
"uuid": "dd21c8fe-caf8-40df-b049-787ba465eef7",
"value": "Indicator Removal on Host Mitigation (T1070) mitigates Indicator Removal on Host (T1070)"
},
{
"meta": {
"source-uuid": "c5574ca0-d5a4-490a-b207-e4658e5fd1d7",
"target-uuid": "463f68f1-5cde-4dc2-a831-68b73488f8f4"
},
"uuid": "9155d072-d94b-4a63-b089-26781aff5275",
"value": "Scarlet Mimic (G0029) uses MobileOrder (S0079)"
},
{
"meta": {
"source-uuid": "fb366179-766c-4a4a-afa1-52bff1fd601c",
"target-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59"
},
"uuid": "e8193b28-b28a-4ab7-8390-8a5bd4d851b5",
"value": "Threat Group-3390 (G0027) uses File Deletion (T1107)"
},
{
"meta": {
"source-uuid": "64d76fa5-cf8f-469c-b78c-1a4f7c5bad80",
"target-uuid": "62dfd1ca-52d5-483c-a84b-d6e80bf94b7b"
},
"uuid": "96077086-d811-47a1-a805-decbf6f249b7",
"value": "BBSRAT (S0127) uses Modify Existing Service (T1031)"
},
{
"meta": {
"source-uuid": "3753cc21-2dae-4dfb-8481-d004e74502cc",
"target-uuid": "7c93aa74-4bc0-4a9e-90ea-f25f86301566"
},
"uuid": "506acc8a-e691-4f4e-b69f-bfab84cf2c73",
"value": "FIN7 (G0046) uses Application Shimming (T1138)"
},
{
"meta": {
"source-uuid": "9ea525fa-b0a9-4dde-84f2-bcea0137b3c1",
"target-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104"
},
"uuid": "818a401d-dd4d-426a-b89c-d33625380b8b",
"value": "MoonWind (S0149) uses System Owner/User Discovery (T1033)"
},
{
"meta": {
"source-uuid": "a60657fa-e2e7-4f8f-8128-a882534ae8c5",
"target-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6"
},
"uuid": "d53d1e84-f4de-4e6a-bc84-5edfce84b055",
"value": "OwaAuth (S0072) uses Standard Application Layer Protocol (T1071)"
},
{
"meta": {
"source-uuid": "eff1a885-6f90-42a1-901f-eef6e7a1905e",
"target-uuid": "15dbf668-795c-41e6-8219-f0447c0e64ce"
},
"uuid": "b3981ca6-7ef0-4625-99a8-9cbec731bac9",
"value": "Helminth (S0170) uses Permission Groups Discovery (T1069)"
},
{
"meta": {
"source-uuid": "93f52415-0fe4-4d3d-896c-fc9b8e88ab90",
"target-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22"
},
"uuid": "8f897f1c-7bc6-4a85-8d3b-627f976af215",
"value": "BRONZE BUTLER (G0060) uses Credential Dumping (T1003)"
},
{
"meta": {
"source-uuid": "fb366179-766c-4a4a-afa1-52bff1fd601c",
"target-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0"
},
"uuid": "69682171-e717-4af7-a24a-06a39f381641",
"value": "Threat Group-3390 (G0027) uses System Network Configuration Discovery (T1016)"
},
{
"meta": {
"source-uuid": "37cc7eb6-12e3-467b-82e8-f20f2cc73c69",
"target-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104"
},
"uuid": "fce2d07b-7bc7-497a-b21a-75a23fbccf50",
"value": "Prikormka (S0113) uses System Owner/User Discovery (T1033)"
},
{
"meta": {
"source-uuid": "67e6d66b-1b82-4699-b47a-e2efb6268d14",
"target-uuid": "cc7b8c4e-9be0-47ca-b0bb-83915ec3ee2f"
},
"uuid": "13c97dd2-5c0b-4f18-84ab-533949fbeb25",
"value": "SeaDuke (S0053) uses Data Encoding (T1132)"
},
{
"meta": {
"source-uuid": "c93fccb1-e8e8-42cf-ae33-2ad1d183913a",
"target-uuid": "f72eb8a8-cd4c-461d-a814-3f862befbf00"
},
"uuid": "b51f3b69-d62b-4ccf-9ce8-62ec7f934e4b",
"value": "Lazarus Group (G0032) uses Custom Command and Control Protocol (T1094)"
},
{
"meta": {
"source-uuid": "fe98767f-9df8-42b9-83c9-004b1dec8647",
"target-uuid": "afc079f3-c0ea-4096-b75d-3f05338b7f60"
},
"uuid": "cc831c63-94af-4937-b8e6-668591ec7d04",
"value": "PittyTiger (G0011) uses Mimikatz (S0002)"
},
{
"meta": {
"source-uuid": "fb261c56-b80e-43a9-8351-c84081e7213d",
"target-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580"
},
"uuid": "64cb753d-eb72-4dce-a417-7df747334347",
"value": "BACKSPACE (S0031) uses Process Discovery (T1057)"
},
{
"meta": {
"source-uuid": "95c29444-49f9-49f7-8b20-bcd68d8fcaa6",
"target-uuid": "4bf5845d-a814-4490-bc5c-ccdee6043025"
},
"uuid": "0c2ba74b-a5b0-493c-84f3-41b6131070a0",
"value": "AppCert DLLs Mitigation (T1182) mitigates AppCert DLLs (T1182)"
},
{
"meta": {
"source-uuid": "92ec0cbd-2c30-44a2-b270-73f4ec949841",
"target-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a"
},
"uuid": "d5c86dd3-3cfa-4ade-8984-fdf079b9f81b",
"value": "RTM (S0148) uses Obfuscated Files or Information (T1027)"
},
{
"meta": {
"source-uuid": "9e729a7e-0dd6-4097-95bf-db8d64911383",
"target-uuid": "1b84d551-6de8-4b96-9930-d177677c3b1d"
},
"uuid": "b69424ec-3af6-44aa-842a-81fba219b9f4",
"value": "Darkhotel (G0012) uses Code Signing (T1116)"
},
{
"meta": {
"source-uuid": "2dd34b01-6110-4aac-835d-b5e7b936b0be",
"target-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22"
},
"uuid": "695c2f41-140a-48f9-9e14-0cd58d7712d1",
"value": "OLDBAIT (S0138) uses Credential Dumping (T1003)"
},
{
"meta": {
"source-uuid": "f8dfbc54-b070-4224-b560-79aaa5f835bd",
"target-uuid": "ca1a3f50-5ebd-41f8-8320-2c7d6a6e88be"
},
"uuid": "8961d93e-ec51-42dd-8f76-54d46ea21967",
"value": "H1N1 (S0132) uses Bypass User Account Control (T1088)"
},
{
"meta": {
"source-uuid": "463f68f1-5cde-4dc2-a831-68b73488f8f4",
"target-uuid": "7bc57495-ea59-4380-be31-a64af124ef18"
},
"uuid": "bc72acee-e417-4de8-8084-153e141917b6",
"value": "MobileOrder (S0079) uses File and Directory Discovery (T1083)"
},
{
"meta": {
"source-uuid": "0ced8926-914e-4c78-bc93-356fb90dbd1f",
"target-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580"
},
"uuid": "61fa303b-a9ff-419f-b3ac-96e43e37b6e5",
"value": "HALFBAKED (S0151) uses Process Discovery (T1057)"
},
{
"meta": {
"source-uuid": "6a2e693f-24e5-451a-9f88-b36a108e5662",
"target-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830"
},
"uuid": "dd4c02ea-b54a-4753-beb5-3248d89a7e04",
"value": "APT1 (G0006) uses Command-Line Interface (T1059)"
},
{
"meta": {
"source-uuid": "8ae43c46-57ef-47d5-a77a-eebb35628db2",
"target-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d"
},
"uuid": "da44c85c-914b-41e0-aef7-68cd3c1faea1",
"value": "JHUHUGIT (S0044) uses Process Injection (T1055)"
},
{
"meta": {
"source-uuid": "93f52415-0fe4-4d3d-896c-fc9b8e88ab90",
"target-uuid": "7bc57495-ea59-4380-be31-a64af124ef18"
},
"uuid": "fc4dd2b6-63a0-46fe-bfc4-90e58e5d1422",
"value": "BRONZE BUTLER (G0060) uses File and Directory Discovery (T1083)"
},
{
"meta": {
"source-uuid": "f9d6633a-55e6-4adc-9263-6ae080421a13",
"target-uuid": "7bc57495-ea59-4380-be31-a64af124ef18"
},
"uuid": "87b8b451-bf9b-4e93-b591-05ef502970f5",
"value": "Magic Hound (G0059) uses File and Directory Discovery (T1083)"
},
{
"meta": {
"source-uuid": "dfb5fa9b-3051-4b97-8035-08f80aef945b",
"target-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add"
},
"uuid": "a1e74408-5c7b-4538-afd9-a01b23a92429",
"value": "Psylo (S0078) uses Remote File Copy (T1105)"
},
{
"meta": {
"source-uuid": "59a97b15-8189-4d51-9404-e1ce8ea4a069",
"target-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580"
},
"uuid": "bb005145-438c-4fd8-9cac-a636df7465da",
"value": "XAgentOSX (S0161) uses Process Discovery (T1057)"
},
{
"meta": {
"source-uuid": "64d76fa5-cf8f-469c-b78c-1a4f7c5bad80",
"target-uuid": "1c338d0f-a65e-4073-a5c1-c06878849f21"
},
"uuid": "ec6074e4-4137-42a4-86c8-1ea95ce54df6",
"value": "BBSRAT (S0127) uses Process Hollowing (T1093)"
},
{
"meta": {
"source-uuid": "09b2cd76-c674-47cc-9f57-d2f2ad150a46",
"target-uuid": "72b74d71-8169-42aa-92e0-e7b04b9f5a08"
},
"uuid": "61dd6d75-a95b-488d-9a1d-924563592df7",
"value": "POWRUNER (S0184) uses Account Discovery (T1087)"
},
{
"meta": {
"source-uuid": "2e290bfe-93b5-48ce-97d6-edcd6d32b7cf",
"target-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104"
},
"uuid": "a5ffea60-7694-48cd-92e9-b755669b2fdb",
"value": "Gamaredon Group (G0047) uses System Owner/User Discovery (T1033)"
},
{
"meta": {
"source-uuid": "6b616fc1-1505-48e3-8b2c-0d19337bff38",
"target-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc"
},
"uuid": "0f5d3626-1dc2-4ebe-ba37-3f86ab0df9ec",
"value": "Rover (S0090) uses Registry Run Keys / Start Folder (T1060)"
},
{
"meta": {
"source-uuid": "bef4c620-0787-42a8-a96d-b7eb6e85917c",
"target-uuid": "3b744087-9945-4a6f-91e8-9dbceda417a4"
},
"uuid": "edaf0203-4959-4e1e-9240-3d20cf0f3b6a",
"value": "APT28 (G0007) uses Replication Through Removable Media (T1091)"
},
{
"meta": {
"source-uuid": "17b40f60-729f-4fe8-8aea-cc9ee44a95d5",
"target-uuid": "c848fcf7-6b62-4bde-8216-b6c157d48da0"
},
"uuid": "44090eb6-1166-4986-8583-60dcc8e69cc7",
"value": "RedLeaves (S0153) uses Uncommonly Used Port (T1065)"
},
{
"meta": {
"source-uuid": "ed7d0cb1-87a6-43b4-9f46-ef1bc56d6c68",
"target-uuid": "428ca9f8-0e33-442a-be87-f869cb4cf73e"
},
"uuid": "74486fa3-a5b8-49b2-82b7-0c453b4baf12",
"value": "Tor (S0183) uses Multilayer Encryption (T1079)"
},
{
"meta": {
"source-uuid": "b52f41b9-ccf6-4da7-a6c0-167eeb71fbd8",
"target-uuid": "389735f1-f21c-4208-b8f0-f8031e7169b8"
},
"uuid": "d18d4353-e344-4759-b51b-ed39ab2b5f46",
"value": "Browser Extensions Mitigation (T1176) mitigates Browser Extensions (T1176)"
},
{
"meta": {
"source-uuid": "60c18d06-7b91-4742-bae3-647845cd9d81",
"target-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add"
},
"uuid": "e41ab3e7-2b69-4461-a693-e53a24c9ab59",
"value": "CORESHELL (S0137) uses Remote File Copy (T1105)"
},
{
"meta": {
"source-uuid": "083bb47b-02c8-4423-81a2-f9ef58572974",
"target-uuid": "7bc57495-ea59-4380-be31-a64af124ef18"
},
"uuid": "b8f1354c-9cff-40ef-aa47-591952c735c3",
"value": "Backdoor.Oldrea (S0093) uses File and Directory Discovery (T1083)"
},
{
"meta": {
"source-uuid": "94f6b4f5-b528-4f50-91d5-f66457c2f8f7",
"target-uuid": "544b0346-29ad-41e1-a808-501bb4193f47"
},
"uuid": "efa2ae6b-8942-4ea2-80ca-b4181dd01427",
"value": "Man in the Browser Mitigation (T1185) mitigates Man in the Browser (T1185)"
},
{
"meta": {
"source-uuid": "6a2e693f-24e5-451a-9f88-b36a108e5662",
"target-uuid": "a52edc76-328d-4596-85e7-d56ef5a9eb69"
},
"uuid": "76393f0c-a13c-48a8-ba7d-80502ae938a7",
"value": "APT1 (G0006) uses Pass-The-Hash Toolkit (S0122)"
},
{
"meta": {
"source-uuid": "43213480-78f7-4fb3-976f-d48f5f6a4c2a",
"target-uuid": "d54416bd-0803-41ca-870a-ce1af7c05638"
},
"uuid": "f9669551-29f8-4aaf-83b9-50e541bbdced",
"value": "FLASHFLOOD (S0036) uses Data Encrypted (T1022)"
},
{
"meta": {
"source-uuid": "326af1cd-78e7-45b7-a326-125d2f7ef8f2",
"target-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22"
},
"uuid": "ed74954d-4717-4d63-9836-4cbd66c37345",
"value": "Crimson (S0115) uses Credential Dumping (T1003)"
},
{
"meta": {
"source-uuid": "0bbdf25b-30ff-4894-a1cd-49260d0dd2d9",
"target-uuid": "62b8c999-dcc0-4755-bd69-09442d9359f5"
},
"uuid": "555e47f2-54bb-4c97-8804-536aa354126c",
"value": "APT3 (G0022) uses Rundll32 (T1085)"
},
{
"meta": {
"source-uuid": "2a158b0a-7ef8-43cb-9985-bf34d1e12050",
"target-uuid": "22addc7b-b39f-483d-979a-1b35147da5de"
},
"uuid": "45966f4c-51d4-4940-854d-79d712f63ed5",
"value": "Naikon (G0019) uses WinMM (S0059)"
},
{
"meta": {
"source-uuid": "7fcbc4e8-1989-441f-9ac5-e7b6ff5806f1",
"target-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1"
},
"uuid": "c088f23e-b741-453c-a710-01990dead853",
"value": "Systeminfo (S0096) uses System Information Discovery (T1082)"
},
{
"meta": {
"source-uuid": "362dc67f-4e85-4562-9dac-1b6b7f3ec4b5",
"target-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0"
},
"uuid": "01e01c24-ba4c-41d7-8f30-8fca364dc2c6",
"value": "ifconfig (S0101) uses System Network Configuration Discovery (T1016)"
},
{
"meta": {
"source-uuid": "fece06b7-d4b1-42cf-b81a-5323c917546e",
"target-uuid": "7bc57495-ea59-4380-be31-a64af124ef18"
},
"uuid": "27834043-1004-4a70-9023-a318bd6db7c6",
"value": "FALLCHILL (S0181) uses File and Directory Discovery (T1083)"
},
{
"meta": {
"source-uuid": "515f6584-fa98-44fe-a4e8-e428c7188514",
"target-uuid": "f24faf46-3b26-4dbb-98f2-63460498e433"
},
"uuid": "bb523d35-52f1-4c61-a8de-b4605ce9e596",
"value": "Fallback Channels Mitigation (T1008) mitigates Fallback Channels (T1008)"
},
{
"meta": {
"source-uuid": "5e595477-2e78-4ce7-ae42-e0b059b17808",
"target-uuid": "c3888c54-775d-4b2f-b759-75a2ececcbfd"
},
"uuid": "3e497bf1-4fdc-40a2-b8a2-3492c1d605e5",
"value": "POSHSPY (S0150) uses Data Transfer Size Limits (T1030)"
},
{
"meta": {
"source-uuid": "1c63d4ec-0a75-4daa-b1df-0d11af3d3cc1",
"target-uuid": "f879d51c-5476-431c-aedf-f14d207e4d1e"
},
"uuid": "25d96e8e-6893-4b90-82cc-253cbd499543",
"value": "Dragonfly (G0035) uses Commonly Used Port (T1043)"
},
{
"meta": {
"source-uuid": "b96680d1-5eb3-4f07-b95c-00ab904ac236",
"target-uuid": "7bc57495-ea59-4380-be31-a64af124ef18"
},
"uuid": "ed8b5029-835d-492c-a1f4-10ccbf084a76",
"value": "Pisloader (S0124) uses File and Directory Discovery (T1083)"
},
{
"meta": {
"source-uuid": "19edfa02-1a5f-47e4-ad82-3288f57f64cf",
"target-uuid": "30973a08-aed9-4edf-8604-9084ce1b5c4f"
},
"uuid": "25a46055-25f5-4f91-9b0f-ba099f9dde4b",
"value": "Clipboard Data Mitigation (T1115) mitigates Clipboard Data (T1115)"
},
{
"meta": {
"source-uuid": "17b40f60-729f-4fe8-8aea-cc9ee44a95d5",
"target-uuid": "7bc57495-ea59-4380-be31-a64af124ef18"
},
"uuid": "d4ca926c-6976-4ee8-a5b0-89aa11931bea",
"value": "RedLeaves (S0153) uses File and Directory Discovery (T1083)"
},
{
"meta": {
"source-uuid": "ccd61dfc-b03f-4689-8c18-7c97eab08472",
"target-uuid": "7bc57495-ea59-4380-be31-a64af124ef18"
},
"uuid": "838b4a52-1360-4ca7-ab25-1b549508e687",
"value": "CHOPSTICK (S0023) uses File and Directory Discovery (T1083)"
},
{
"meta": {
"source-uuid": "e9595678-d269-469e-ae6b-75e49259de63",
"target-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add"
},
"uuid": "b3f53743-4bd9-47a6-bf41-6f7786bbdc87",
"value": "BADNEWS (S0128) uses Remote File Copy (T1105)"
},
{
"meta": {
"source-uuid": "fb366179-766c-4a4a-afa1-52bff1fd601c",
"target-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9"
},
"uuid": "17594ffb-af22-4cdc-8849-ca31d2019a9e",
"value": "Threat Group-3390 (G0027) uses Scheduled Task (T1053)"
},
{
"meta": {
"source-uuid": "74febc44-8955-4e4d-aca0-d4dad2f967d7",
"target-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d"
},
"uuid": "f004e6c4-0c37-4060-9627-9ec0940aee9c",
"value": "Process Injection Mitigation (T1055) mitigates Process Injection (T1055)"
},
{
"meta": {
"source-uuid": "7ecc3b4f-5cdb-457e-b55a-df376b359446",
"target-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580"
},
"uuid": "c6f81350-a410-4ac7-a4b0-58bd4a9c1d9e",
"value": "Poseidon Group (G0033) uses Process Discovery (T1057)"
},
{
"meta": {
"source-uuid": "17862c7d-9e60-48a0-b48e-da4dc4c3f6b0",
"target-uuid": "f4882e23-8aa7-4b12-b28a-b349c12ee9e0"
},
"uuid": "d6e43621-ca4a-475f-b81c-037a0878728b",
"value": "Patchwork (G0040) uses PowerShell (T1086)"
},
{
"meta": {
"source-uuid": "59a97b15-8189-4d51-9404-e1ce8ea4a069",
"target-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1"
},
"uuid": "ec362b37-1a64-4b28-8d34-7819d0aa5b2a",
"value": "XAgentOSX (S0161) uses System Information Discovery (T1082)"
},
{
"meta": {
"source-uuid": "e9595678-d269-469e-ae6b-75e49259de63",
"target-uuid": "ad255bfe-a9e6-4b52-a258-8d3462abe842"
},
"uuid": "3884be12-f73f-4f9b-875e-68d40798faf6",
"value": "BADNEWS (S0128) uses Data Obfuscation (T1001)"
},
{
"meta": {
"source-uuid": "54cc1d4f-5c53-4f0e-9ef5-11b4998e82e4",
"target-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2"
},
"uuid": "bbd9b8d7-431c-44fa-95ac-61f73271ae92",
"value": "BlackEnergy (S0089) uses Input Capture (T1056)"
},
{
"meta": {
"source-uuid": "91000a8a-58cc-4aba-9ad0-993ad6302b86",
"target-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a"
},
"uuid": "ee51d531-5cc4-4836-a55c-6062bde1a4d4",
"value": "StreamEx (S0142) uses Obfuscated Files or Information (T1027)"
},
{
"meta": {
"source-uuid": "876f6a77-fbc5-4e13-ab1a-5611986730a3",
"target-uuid": "317fefa6-46c7-4062-adb6-2008cf6bcb41"
},
"uuid": "3d16b34f-f58b-4469-a0ef-7585f88d6001",
"value": "T9000 (S0098) uses AppInit DLLs (T1103)"
},
{
"meta": {
"source-uuid": "aafea02e-ece5-4bb2-91a6-3bf8c7f38a39",
"target-uuid": "51dea151-0898-4a45-967c-3ebee0420484"
},
"uuid": "3cb99d8e-8a3d-47ed-b4b7-e217cea48013",
"value": "Cobalt Strike (S0154) uses Remote Desktop Protocol (T1076)"
},
{
"meta": {
"source-uuid": "fb366179-766c-4a4a-afa1-52bff1fd601c",
"target-uuid": "56f46b17-8cfa-46c0-b501-dd52fef394e2"
},
"uuid": "4a1bfb6c-f110-4785-9dff-4c8e433bf04d",
"value": "Threat Group-3390 (G0027) uses ASPXSpy (S0073)"
},
{
"meta": {
"source-uuid": "53cf6cc4-65aa-445a-bcf8-c3d296f8a7a2",
"target-uuid": "7bc57495-ea59-4380-be31-a64af124ef18"
},
"uuid": "5bb94c21-96c6-4c71-ae46-b222a69a493a",
"value": "NETEAGLE (S0034) uses File and Directory Discovery (T1083)"
},
{
"meta": {
"source-uuid": "82cb34ba-02b5-432b-b2d2-07f55cbf674d",
"target-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add"
},
"uuid": "7282eabe-73e0-4a10-824b-f18df7f892e2",
"value": "Trojan.Karagany (S0094) uses Remote File Copy (T1105)"
},
{
"meta": {
"source-uuid": "2eb9b131-d333-4a48-9eb4-d8dec46c19ee",
"target-uuid": "774a3188-6ba9-4dc4-879d-d54ee48a5ce9"
},
"uuid": "d8ac067b-f246-40bb-98bd-fcff74092139",
"value": "CosmicDuke (S0050) uses Automated Exfiltration (T1020)"
},
{
"meta": {
"source-uuid": "e1161124-f22e-487f-9d5f-ed8efc8dcd61",
"target-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6"
},
"uuid": "9b80479d-6f7a-45fd-af5b-1e8adfb1e7fd",
"value": "Mis-Type (S0084) uses Standard Application Layer Protocol (T1071)"
},
{
"meta": {
"source-uuid": "876f6a77-fbc5-4e13-ab1a-5611986730a3",
"target-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104"
},
"uuid": "a6150e37-2411-409f-82a0-e259d55d1166",
"value": "T9000 (S0098) uses System Owner/User Discovery (T1033)"
},
{
"meta": {
"source-uuid": "ccd61dfc-b03f-4689-8c18-7c97eab08472",
"target-uuid": "64196062-5210-42c3-9a02-563a0d1797ef"
},
"uuid": "167d7b11-01f3-42d5-bb8a-78306dc80243",
"value": "CHOPSTICK (S0023) uses Communication Through Removable Media (T1092)"
},
{
"meta": {
"source-uuid": "eff1a885-6f90-42a1-901f-eef6e7a1905e",
"target-uuid": "30208d3e-0d6b-43c8-883e-44462a514619"
},
"uuid": "cd58d271-9ee2-45d6-9ca3-22ae8da639b5",
"value": "Helminth (S0170) uses Automated Collection (T1119)"
},
{
"meta": {
"source-uuid": "fbe9387f-34e6-4828-ac28-3080020c597b",
"target-uuid": "f4882e23-8aa7-4b12-b28a-b349c12ee9e0"
},
"uuid": "a5888362-00f3-4c9e-98ee-048aee5169e1",
"value": "FIN10 (G0051) uses PowerShell (T1086)"
},
{
"meta": {
"source-uuid": "1c63d4ec-0a75-4daa-b1df-0d11af3d3cc1",
"target-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0"
},
"uuid": "89da3f24-b9dc-4c68-9240-228215e51bfc",
"value": "Dragonfly (G0035) uses Masquerading (T1036)"
},
{
"meta": {
"source-uuid": "0bbdf25b-30ff-4894-a1cd-49260d0dd2d9",
"target-uuid": "f6d1d2cb-12f5-4221-9636-44606ea1f3f8"
},
"uuid": "16ef3e00-dc40-462c-9b74-5e8a8b24c86e",
"value": "APT3 (G0022) uses OSInfo (S0165)"
},
{
"meta": {
"source-uuid": "68ba94ab-78b8-43e7-83e2-aed3466882c6",
"target-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22"
},
"uuid": "5f95e123-9f44-47a0-affc-aaae6929d269",
"value": "APT34 (G0057) uses Credential Dumping (T1003)"
},
{
"meta": {
"source-uuid": "2e5d3a83-fe00-41a5-9b60-237efc84832f",
"target-uuid": "b42378e0-f147-496f-992a-26a49705395b"
},
"uuid": "d6e40826-7af0-4e4e-96c3-28493abda6c7",
"value": "Moafee (G0002) uses PoisonIvy (S0012)"
},
{
"meta": {
"source-uuid": "68ba94ab-78b8-43e7-83e2-aed3466882c6",
"target-uuid": "10d51417-ee35-4589-b1ff-b6df1c334e8d"
},
"uuid": "e9a2c6b5-c02a-404b-818c-d54915a53952",
"value": "APT34 (G0057) uses External Remote Services (T1133)"
},
{
"meta": {
"source-uuid": "876f6a77-fbc5-4e13-ab1a-5611986730a3",
"target-uuid": "1035cdf2-3e5f-446f-a7a7-e8f6d7925967"
},
"uuid": "842f8f4b-9d90-4533-850f-777f33ef8257",
"value": "T9000 (S0098) uses Audio Capture (T1123)"
},
{
"meta": {
"source-uuid": "45e7f570-6a0b-4095-bf02-4bca05da6bae",
"target-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0"
},
"uuid": "61528841-379e-4fa3-a233-34c745764c18",
"value": "Masquerading Mitigation (T1036) mitigates Masquerading (T1036)"
},
{
"meta": {
"source-uuid": "7ecc3b4f-5cdb-457e-b55a-df376b359446",
"target-uuid": "72b74d71-8169-42aa-92e0-e7b04b9f5a08"
},
"uuid": "a602be33-6ed6-4f73-b7f6-10b47581707a",
"value": "Poseidon Group (G0033) uses Account Discovery (T1087)"
},
{
"meta": {
"source-uuid": "7ecc3b4f-5cdb-457e-b55a-df376b359446",
"target-uuid": "322bad5a-1c49-4d23-ab79-76d641794afa"
},
"uuid": "720be590-5ea0-43b6-8360-fa75dd4d1a67",
"value": "Poseidon Group (G0033) uses System Service Discovery (T1007)"
},
{
"meta": {
"source-uuid": "54cc1d4f-5c53-4f0e-9ef5-11b4998e82e4",
"target-uuid": "f24faf46-3b26-4dbb-98f2-63460498e433"
},
"uuid": "f5936bbd-f8cb-404a-bd43-87f7bc836294",
"value": "BlackEnergy (S0089) uses Fallback Channels (T1008)"
},
{
"meta": {
"source-uuid": "5e595477-2e78-4ce7-ae42-e0b059b17808",
"target-uuid": "128c55d3-aeba-469f-bd3e-c8996ab4112a"
},
"uuid": "d57d1a71-6ac7-4028-ba73-86e5df98395f",
"value": "POSHSPY (S0150) uses Timestomp (T1099)"
},
{
"meta": {
"source-uuid": "94379dec-5c87-49db-b36e-66abc0b81344",
"target-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830"
},
"uuid": "3268cdc0-7cee-4fe5-92cc-2c3cdc06712b",
"value": "Derusbi (S0021) uses Command-Line Interface (T1059)"
},
{
"meta": {
"source-uuid": "6a2e693f-24e5-451a-9f88-b36a108e5662",
"target-uuid": "b8eb28e4-48a6-40ae-951a-328714f75eda"
},
"uuid": "19fce62c-ba70-4c20-bf74-0bca7886190c",
"value": "APT1 (G0006) uses BISCUIT (S0017)"
},
{
"meta": {
"source-uuid": "67e6d66b-1b82-4699-b47a-e2efb6268d14",
"target-uuid": "b9f5dbe2-4c55-4fc5-af2e-d42c1d182ec4"
},
"uuid": "45522d60-160a-4c07-bd98-9a487175910e",
"value": "SeaDuke (S0053) uses Data Compressed (T1002)"
},
{
"meta": {
"source-uuid": "a653431d-6a5e-4600-8ad3-609b5af57064",
"target-uuid": "2e45723a-31da-4a7e-aaa6-e01998a6788f"
},
"uuid": "9d081347-3446-47a4-b5a9-d7a9d2d499e7",
"value": "Deep Panda (G0009) uses Tasklist (S0057)"
},
{
"meta": {
"source-uuid": "68dca94f-c11d-421e-9287-7c501108e18c",
"target-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81"
},
"uuid": "448a35fc-fecf-4373-9888-30c37dd1d56a",
"value": "Duqu (S0038) uses Valid Accounts (T1078)"
},
{
"meta": {
"source-uuid": "38952eac-cb1b-4a71-bad2-ee8223a1c8fe",
"target-uuid": "72b74d71-8169-42aa-92e0-e7b04b9f5a08"
},
"uuid": "44259d7d-e156-4e09-a401-ff62f0706cdd",
"value": "dsquery (S0105) uses Account Discovery (T1087)"
},
{
"meta": {
"source-uuid": "c47a9b55-8f61-4b82-b833-1db6242c754e",
"target-uuid": "c0a384a4-9a25-40e1-97b6-458388474bc8"
},
"uuid": "cfe1e092-57a9-4f7e-ba4a-794bfa797de8",
"value": "Local Job Scheduling Mitigation (T1168) mitigates Local Job Scheduling (T1168)"
},
{
"meta": {
"source-uuid": "5e595477-2e78-4ce7-ae42-e0b059b17808",
"target-uuid": "4b74a1d4-b0e9-4ef1-93f1-14ecc6e2f5b5"
},
"uuid": "b380ad90-2f3b-4f98-ae23-3dfdba448e0a",
"value": "POSHSPY (S0150) uses Standard Cryptographic Protocol (T1032)"
},
{
"meta": {
"source-uuid": "80a014ba-3fef-4768-990b-37d8bd10d7f4",
"target-uuid": "0f20e3cb-245b-4a61-8a91-2d93f7cb0e9b"
},
"uuid": "eb74fa31-121d-4e43-9794-048a901f509a",
"value": "Uroburos (S0022) uses Rootkit (T1014)"
},
{
"meta": {
"source-uuid": "68dca94f-c11d-421e-9287-7c501108e18c",
"target-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2"
},
"uuid": "0b823cda-4775-4690-9ea6-02bbaa3522a1",
"value": "Duqu (S0038) uses Input Capture (T1056)"
},
{
"meta": {
"source-uuid": "6b62e336-176f-417b-856a-8552dd8c44e1",
"target-uuid": "1b84d551-6de8-4b96-9930-d177677c3b1d"
},
"uuid": "88ad4d2e-745e-4712-8901-e772dfaf3298",
"value": "Epic (S0091) uses Code Signing (T1116)"
},
{
"meta": {
"source-uuid": "c0c45d38-fe57-4cd4-b2b2-9ecd0ddd4ca9",
"target-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688"
},
"uuid": "6f01abdc-bd94-4645-afed-8d3bd365bba4",
"value": "TinyZBot (S0004) uses Screen Capture (T1113)"
},
{
"meta": {
"source-uuid": "a653431d-6a5e-4600-8ad3-609b5af57064",
"target-uuid": "94379dec-5c87-49db-b36e-66abc0b81344"
},
"uuid": "ba4e03d1-f9b6-442d-974b-2fb7feddb551",
"value": "Deep Panda (G0009) uses Derusbi (S0021)"
},
{
"meta": {
"source-uuid": "68ba94ab-78b8-43e7-83e2-aed3466882c6",
"target-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2"
},
"uuid": "1eac1b9e-28f1-4315-8070-6946e7e11444",
"value": "APT34 (G0057) uses Input Capture (T1056)"
},
{
"meta": {
"source-uuid": "df71bb3b-813c-45eb-a8bc-f2a419837411",
"target-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580"
},
"uuid": "6e757efa-8231-4674-a1ea-e234e2dfb838",
"value": "Molerats (G0021) uses Process Discovery (T1057)"
},
{
"meta": {
"source-uuid": "083bb47b-02c8-4423-81a2-f9ef58572974",
"target-uuid": "ad255bfe-a9e6-4b52-a258-8d3462abe842"
},
"uuid": "7123a6ee-2026-4db8-a983-cbc2932c2a09",
"value": "Backdoor.Oldrea (S0093) uses Data Obfuscation (T1001)"
},
{
"meta": {
"source-uuid": "dc5d1a33-62aa-4a0c-aa8c-589b87beb11e",
"target-uuid": "4b74a1d4-b0e9-4ef1-93f1-14ecc6e2f5b5"
},
"uuid": "e376d1ed-a35a-47c1-98c6-4d37f52b1b84",
"value": "ChChes (S0144) uses Standard Cryptographic Protocol (T1032)"
},
{
"meta": {
"source-uuid": "0bc3ce00-83bc-4a92-a042-79ffbc6af259",
"target-uuid": "e906ae4d-1d3a-4675-be23-22f7311c0da4"
},
"uuid": "4b5bd2c6-b460-401d-8457-005add9037d9",
"value": "Windows Management Instrumentation Event Subscription Mitigation (T1084) mitigates Windows Management Instrumentation Event Subscription (T1084)"
},
{
"meta": {
"source-uuid": "17862c7d-9e60-48a0-b48e-da4dc4c3f6b0",
"target-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104"
},
"uuid": "8bb44b86-379d-49ba-9b28-2451e69db30d",
"value": "Patchwork (G0040) uses System Owner/User Discovery (T1033)"
},
{
"meta": {
"source-uuid": "687c23e4-4e25-4ee7-a870-c5e002511f54",
"target-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add"
},
"uuid": "ad5f49b0-8b92-43d1-99f3-c691ccb7a8ac",
"value": "DustySky (S0062) uses Remote File Copy (T1105)"
},
{
"meta": {
"source-uuid": "4320b080-9ae9-4541-9b8b-bcd0961dbbbd",
"target-uuid": "7dd95ff6-712e-4056-9626-312ea4ab4c5e"
},
"uuid": "47316750-4ca7-4ea3-b72c-9d7c7d895e3a",
"value": "Data Staged Mitigation (T1074) mitigates Data Staged (T1074)"
},
{
"meta": {
"source-uuid": "92ec0cbd-2c30-44a2-b270-73f4ec949841",
"target-uuid": "241814ae-de3f-4656-b49e-f9a80764d4b7"
},
"uuid": "d7903e1f-f31c-48bc-b7c3-3616cb1a792f",
"value": "RTM (S0148) uses Security Software Discovery (T1063)"
},
{
"meta": {
"source-uuid": "222fbd21-fc4f-4b7e-9f85-0e6e3a76c33f",
"target-uuid": "3240cbe4-c550-443b-aa76-cc2a7058b870"
},
"uuid": "15aa00d1-11c0-4be1-a900-ede5e1376110",
"value": "menuPass (G0045) uses SNUGRIDE (S0159)"
},
{
"meta": {
"source-uuid": "40d3e230-ed32-469f-ba89-be70cc08ab39",
"target-uuid": "3b744087-9945-4a6f-91e8-9dbceda417a4"
},
"uuid": "7f3c015e-d95d-4d35-a583-236134464554",
"value": "Agent.btz (S0092) uses Replication Through Removable Media (T1091)"
},
{
"meta": {
"source-uuid": "8e461ca3-0996-4e6e-a0df-e2a5bbc51ebc",
"target-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1"
},
"uuid": "27375058-3002-4fc2-a964-a1e336a10a2a",
"value": "4H RAT (S0065) uses System Information Discovery (T1082)"
},
{
"meta": {
"source-uuid": "37cc7eb6-12e3-467b-82e8-f20f2cc73c69",
"target-uuid": "799ace7f-e227-4411-baa0-8868704f2a69"
},
"uuid": "be5dadd8-71ce-40ac-8858-5d5c5fbe0e96",
"value": "Prikormka (S0113) uses Indicator Removal on Host (T1070)"
},
{
"meta": {
"source-uuid": "da2ef4a9-7cbe-400a-a379-e2f230f28db3",
"target-uuid": "02fefddc-fb1b-423f-a76b-7552dd211d4d"
},
"uuid": "63d53308-7d7d-4777-a1cc-c7100735609c",
"value": "BOOTRASH (S0114) uses Bootkit (T1067)"
},
{
"meta": {
"source-uuid": "294e2560-bd48-44b2-9da2-833b5588ad11",
"target-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0"
},
"uuid": "b91e06c1-9546-4184-9552-ba501bf9182e",
"value": "ipconfig (S0100) uses System Network Configuration Discovery (T1016)"
},
{
"meta": {
"source-uuid": "2e45723a-31da-4a7e-aaa6-e01998a6788f",
"target-uuid": "241814ae-de3f-4656-b49e-f9a80764d4b7"
},
"uuid": "80ca0faf-6958-4158-a36d-b3e7936c5f5a",
"value": "Tasklist (S0057) uses Security Software Discovery (T1063)"
},
{
"meta": {
"source-uuid": "fece06b7-d4b1-42cf-b81a-5323c917546e",
"target-uuid": "128c55d3-aeba-469f-bd3e-c8996ab4112a"
},
"uuid": "3017cf15-f6a8-4281-8c74-9dd8f7c2666f",
"value": "FALLCHILL (S0181) uses Timestomp (T1099)"
},
{
"meta": {
"source-uuid": "b96680d1-5eb3-4f07-b95c-00ab904ac236",
"target-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1"
},
"uuid": "ed2e17b5-171b-4878-a3ab-2b70e8ca132a",
"value": "Pisloader (S0124) uses System Information Discovery (T1082)"
},
{
"meta": {
"source-uuid": "e066bf86-9cfb-407a-9d25-26fd5d91e360",
"target-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add"
},
"uuid": "0e12d7d1-5c46-4314-97fb-263853eed6af",
"value": "HTTPBrowser (S0070) uses Remote File Copy (T1105)"
},
{
"meta": {
"source-uuid": "66b1dcde-17a0-4c7b-95fa-b08d430c2131",
"target-uuid": "e01be9c5-e763-4caf-aeb7-000b416aef67"
},
"uuid": "6d819560-bdfb-4e0a-bf56-fddcba60cdb5",
"value": "S-Type (S0085) uses Create Account (T1136)"
},
{
"meta": {
"source-uuid": "09b2cd76-c674-47cc-9f57-d2f2ad150a46",
"target-uuid": "7bc57495-ea59-4380-be31-a64af124ef18"
},
"uuid": "9670979e-9785-45f0-a470-f591c97f6f8a",
"value": "POWRUNER (S0184) uses File and Directory Discovery (T1083)"
},
{
"meta": {
"source-uuid": "85403903-15e0-4f9f-9be4-a259ecad4022",
"target-uuid": "10d51417-ee35-4589-b1ff-b6df1c334e8d"
},
"uuid": "9abd0448-a3b7-4262-8753-fe81dc91c434",
"value": "FIN5 (G0053) uses External Remote Services (T1133)"
},
{
"meta": {
"source-uuid": "6a0ef5d4-fc7c-4dda-85d7-592e4dbdc5d9",
"target-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2"
},
"uuid": "7a30e6e7-ed64-47b1-b368-c1cec96d5fbf",
"value": "Sykipot (S0018) uses Input Capture (T1056)"
},
{
"meta": {
"source-uuid": "199463de-d9be-46d6-bb41-07234c1dd5a6",
"target-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580"
},
"uuid": "3363ae54-1fe3-4c9f-b074-79dc0d7fbba5",
"value": "GeminiDuke (S0049) uses Process Discovery (T1057)"
},
{
"meta": {
"source-uuid": "76abb3ef-dafd-4762-97cb-a35379429db4",
"target-uuid": "128c55d3-aeba-469f-bd3e-c8996ab4112a"
},
"uuid": "1dfbe8fe-0e7a-42a7-85f0-a94b086b470b",
"value": "Gazer (S0168) uses Timestomp (T1099)"
},
{
"meta": {
"source-uuid": "38fd6a28-3353-4f2b-bb2b-459fecd5c648",
"target-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9"
},
"uuid": "67f19627-27a5-4898-bab5-7b235aa4ad77",
"value": "APT18 (G0026) uses Scheduled Task (T1053)"
},
{
"meta": {
"source-uuid": "25d5e1d8-c6fb-4735-bc57-115a21222f4b",
"target-uuid": "4ae4f953-fe58-4cc8-a327-33257e30a830"
},
"uuid": "3e89d94b-5e6f-48b3-ba80-d366940fa968",
"value": "Application Window Discovery Mitigation (T1010) mitigates Application Window Discovery (T1010)"
},
{
"meta": {
"source-uuid": "2a7914cf-dff3-428d-ab0f-1014d1c28aeb",
"target-uuid": "7dd95ff6-712e-4056-9626-312ea4ab4c5e"
},
"uuid": "eaaf6671-ead6-441b-b8d0-037a1e47572e",
"value": "FIN6 (G0037) uses Data Staged (T1074)"
},
{
"meta": {
"source-uuid": "2ace01f8-67c8-43eb-b7b1-a7b9f1fe67e1",
"target-uuid": "7bc57495-ea59-4380-be31-a64af124ef18"
},
"uuid": "e432b3bc-5539-40e5-bce2-3ba6f463b571",
"value": "File and Directory Discovery Mitigation (T1083) mitigates File and Directory Discovery (T1083)"
},
{
"meta": {
"source-uuid": "65341f30-bec6-4b1d-8abf-1a5620446c29",
"target-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104"
},
"uuid": "e0a0966c-7a2f-41b3-962f-3a6b22a5a8a9",
"value": "Reaver (S0172) uses System Owner/User Discovery (T1033)"
},
{
"meta": {
"source-uuid": "196f1f32-e0c2-4d46-99cd-234d4b6befe1",
"target-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104"
},
"uuid": "427a9eb9-659d-433c-9e2c-9a66d115a9a3",
"value": "Felismus (S0171) uses System Owner/User Discovery (T1033)"
},
{
"meta": {
"source-uuid": "0db09158-6e48-4e7c-8ce7-2b10b9c0c039",
"target-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add"
},
"uuid": "ae3be82b-3d54-4be8-939b-e074a2cea170",
"value": "Misdat (S0083) uses Remote File Copy (T1105)"
},
{
"meta": {
"source-uuid": "66b1dcde-17a0-4c7b-95fa-b08d430c2131",
"target-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6"
},
"uuid": "4d4c8221-17a9-4e5b-86f9-6a0cffc42424",
"value": "S-Type (S0085) uses Standard Application Layer Protocol (T1071)"
},
{
"meta": {
"source-uuid": "0a68f1f1-da74-4d28-8d9a-696c082706cc",
"target-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c"
},
"uuid": "5918cee6-c2f1-41be-ab96-36f3d17e5293",
"value": "certutil (S0160) uses Deobfuscate/Decode Files or Information (T1140)"
},
{
"meta": {
"source-uuid": "7a19ecb1-3c65-4de3-a230-993516aed6a6",
"target-uuid": "e358d692-23c0-4a31-9eb6-ecc13a8d7735"
},
"uuid": "b8a1739d-240b-46c1-a25a-b82d1c4e4765",
"value": "Turla (G0010) uses Remote System Discovery (T1018)"
},
{
"meta": {
"source-uuid": "1c63d4ec-0a75-4daa-b1df-0d11af3d3cc1",
"target-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688"
},
"uuid": "926d0b0c-9421-4b8e-a740-8823e35c642f",
"value": "Dragonfly (G0035) uses Screen Capture (T1113)"
},
{
"meta": {
"source-uuid": "9ea525fa-b0a9-4dde-84f2-bcea0137b3c1",
"target-uuid": "7dd95ff6-712e-4056-9626-312ea4ab4c5e"
},
"uuid": "9c4a8336-5f5f-4e58-b00d-b6bf1c59ec03",
"value": "MoonWind (S0149) uses Data Staged (T1074)"
},
{
"meta": {
"source-uuid": "e1161124-f22e-487f-9d5f-ed8efc8dcd61",
"target-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830"
},
"uuid": "41023c59-b41e-454a-ace2-cd98d4fedb8e",
"value": "Mis-Type (S0084) uses Command-Line Interface (T1059)"
},
{
"meta": {
"source-uuid": "ae41895a-243f-4a65-b99b-d85022326c31",
"target-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5"
},
"uuid": "72cd5bab-20d9-4895-a6be-7d33f28d4b65",
"value": "Dust Storm (G0031) uses Data from Local System (T1005)"
},
{
"meta": {
"source-uuid": "96b08451-b27a-4ff6-893f-790e26393a8e",
"target-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add"
},
"uuid": "33162cc2-a800-4d42-89bb-13ac1e75dfce",
"value": "Sakula (S0074) uses Remote File Copy (T1105)"
},
{
"meta": {
"source-uuid": "4ca1929c-7d64-4aab-b849-badbfc0c760d",
"target-uuid": "afc079f3-c0ea-4096-b75d-3f05338b7f60"
},
"uuid": "e94576ee-284c-4782-a6ef-b7dd8a780254",
"value": "OilRig (G0049) uses Mimikatz (S0002)"
},
{
"meta": {
"source-uuid": "1881da33-fdf2-4eea-afd0-e04caf9c000f",
"target-uuid": "348f1eef-964b-4eb6-bb53-69b3dcb0c643"
},
"uuid": "9d0c7e94-b7d6-4ede-8223-a19e615e0a0b",
"value": "Peripheral Device Discovery Mitigation (T1120) mitigates Peripheral Device Discovery (T1120)"
},
{
"meta": {
"source-uuid": "68ba94ab-78b8-43e7-83e2-aed3466882c6",
"target-uuid": "c16e5409-ee53-4d79-afdc-4099dc9292df"
},
"uuid": "2ccda6d1-5196-4e22-b94a-01c3676fecc9",
"value": "APT34 (G0057) uses Web Shell (T1100)"
},
{
"meta": {
"source-uuid": "9e2bba94-950b-4fcf-8070-cb3f816c5f4e",
"target-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830"
},
"uuid": "3ada7220-b5a6-45b9-a7ca-4a26423da831",
"value": "hcdLoader (S0071) uses Command-Line Interface (T1059)"
},
{
"meta": {
"source-uuid": "902286b2-96cc-4dd7-931f-e7340c9961da",
"target-uuid": "0c8ab3eb-df48-4b9c-ace7-beacaac81cc5"
},
"uuid": "77fad92a-72ba-44d2-b4cb-a3079fbdb256",
"value": "File System Logical Offsets Mitigation (T1006) mitigates File System Logical Offsets (T1006)"
},
{
"meta": {
"source-uuid": "d9727aee-48b8-4fdb-89e2-4c49746ba4dd",
"target-uuid": "ae676644-d2d2-41b7-af7e-9bed1b55898c"
},
"uuid": "592d0c31-e61f-495e-a60e-70d7be59a719",
"value": "Data from Network Shared Drive Mitigation (T1039) mitigates Data from Network Shared Drive (T1039)"
},
{
"meta": {
"source-uuid": "fb366179-766c-4a4a-afa1-52bff1fd601c",
"target-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830"
},
"uuid": "26eafe5d-0ffc-48cf-ba1d-3681bdcbfaa3",
"value": "Threat Group-3390 (G0027) uses Command-Line Interface (T1059)"
},
{
"meta": {
"source-uuid": "68dca94f-c11d-421e-9287-7c501108e18c",
"target-uuid": "f72eb8a8-cd4c-461d-a814-3f862befbf00"
},
"uuid": "47e827f6-ec1d-4f16-80ab-0c54254ff42c",
"value": "Duqu (S0038) uses Custom Command and Control Protocol (T1094)"
},
{
"meta": {
"source-uuid": "67e6d66b-1b82-4699-b47a-e2efb6268d14",
"target-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add"
},
"uuid": "5abaaa8f-19c7-448f-9e5a-66f1cbf412f9",
"value": "SeaDuke (S0053) uses Remote File Copy (T1105)"
},
{
"meta": {
"source-uuid": "1d808f62-cf63-4063-9727-ff6132514c22",
"target-uuid": "46944654-fcc1-4f63-9dad-628102376586"
},
"uuid": "191885b6-1282-4173-a2bd-174c30c8a1dc",
"value": "WEBC2 (S0109) uses DLL Search Order Hijacking (T1038)"
},
{
"meta": {
"source-uuid": "ccd61dfc-b03f-4689-8c18-7c97eab08472",
"target-uuid": "3b744087-9945-4a6f-91e8-9dbceda417a4"
},
"uuid": "9aeda7e2-e452-4cd3-837f-e258cba1fc96",
"value": "CHOPSTICK (S0023) uses Replication Through Removable Media (T1091)"
},
{
"meta": {
"source-uuid": "ae41895a-243f-4a65-b99b-d85022326c31",
"target-uuid": "166c0eca-02fd-424a-92c0-6b5106994d31"
},
"uuid": "4cb1c7b1-6efd-488c-857d-605ff8ca9ab5",
"value": "Dust Storm (G0031) uses ZLib (S0086)"
},
{
"meta": {
"source-uuid": "65341f30-bec6-4b1d-8abf-1a5620446c29",
"target-uuid": "c21d5a77-d422-4a69-acd7-2c53c1faa34b"
},
"uuid": "67f82f6c-18f1-4f1e-8352-b7ecf8839ea2",
"value": "Reaver (S0172) uses Standard Non-Application Layer Protocol (T1095)"
},
{
"meta": {
"source-uuid": "9a902722-cecd-4fbe-a6c9-49333aa0f8c2",
"target-uuid": "e358d692-23c0-4a31-9eb6-ecc13a8d7735"
},
"uuid": "863d6b6f-9e13-4925-a736-5e719a10a0b8",
"value": "Remote System Discovery Mitigation (T1018) mitigates Remote System Discovery (T1018)"
},
{
"meta": {
"source-uuid": "fb261c56-b80e-43a9-8351-c84081e7213d",
"target-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896"
},
"uuid": "564de5da-7ecc-45c7-bbd5-619a8f316f70",
"value": "BACKSPACE (S0031) uses Query Registry (T1012)"
},
{
"meta": {
"source-uuid": "53cf6cc4-65aa-445a-bcf8-c3d296f8a7a2",
"target-uuid": "92d7da27-2d91-488e-a00c-059dc162766d"
},
"uuid": "3565539f-7ebf-4288-8422-5212c774821b",
"value": "NETEAGLE (S0034) uses Exfiltration Over Command and Control Channel (T1041)"
},
{
"meta": {
"source-uuid": "fb366179-766c-4a4a-afa1-52bff1fd601c",
"target-uuid": "b21c3b2d-02e6-45b1-980b-e69051040839"
},
"uuid": "0942dc11-0fcd-480a-ae4d-d571ba96331b",
"value": "Threat Group-3390 (G0027) uses Exploitation of Vulnerability (T1068)"
},
{
"meta": {
"source-uuid": "0db09158-6e48-4e7c-8ce7-2b10b9c0c039",
"target-uuid": "799ace7f-e227-4411-baa0-8868704f2a69"
},
"uuid": "dc68cc0c-154a-4c69-a35a-b7fd843d8e98",
"value": "Misdat (S0083) uses Indicator Removal on Host (T1070)"
},
{
"meta": {
"source-uuid": "552462b9-ae79-49dd-855c-5973014e157f",
"target-uuid": "0f20e3cb-245b-4a61-8a91-2d93f7cb0e9b"
},
"uuid": "da6aa745-9eb5-44d9-80f8-e9f542d106d2",
"value": "Zeroaccess (S0027) uses Rootkit (T1014)"
},
{
"meta": {
"source-uuid": "b96680d1-5eb3-4f07-b95c-00ab904ac236",
"target-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc"
},
"uuid": "02a629d3-b970-43e8-a11b-79f35107a4c0",
"value": "Pisloader (S0124) uses Registry Run Keys / Start Folder (T1060)"
},
{
"meta": {
"source-uuid": "5ce5392a-3a6c-4e07-9df3-9b6a9159ac45",
"target-uuid": "2e0dd10b-676d-4964-acd0-8a404c92b044"
},
"uuid": "94211067-148f-4196-a216-c1bb1e5cfc70",
"value": "Putter Panda (G0024) uses Disabling Security Tools (T1089)"
},
{
"meta": {
"source-uuid": "68ba94ab-78b8-43e7-83e2-aed3466882c6",
"target-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59"
},
"uuid": "d6e48ec5-1634-4ddd-865e-0bcb32a1fd1a",
"value": "APT34 (G0057) uses File Deletion (T1107)"
},
{
"meta": {
"source-uuid": "c5947e1c-1cbc-434c-94b8-27c7e3be0fff",
"target-uuid": "d3afa961-a80c-4043-9509-282cdf69ab21"
},
"uuid": "a70d06e8-63dd-4cb3-83a5-f7bd8f2a8132",
"value": "Winnti Group (G0044) uses Winnti (S0141)"
},
{
"meta": {
"source-uuid": "f108215f-3487-489d-be8b-80e346d32518",
"target-uuid": "3b3cbbe0-6ed3-4334-b543-3ddfd8c5642d"
},
"uuid": "c08ef8e9-9e12-4bb2-9e6a-061934f33ea0",
"value": "Komplex (S0162) uses Custom Cryptographic Protocol (T1024)"
},
{
"meta": {
"source-uuid": "247cb30b-955f-42eb-97a5-a89fef69341e",
"target-uuid": "128c55d3-aeba-469f-bd3e-c8996ab4112a"
},
"uuid": "71a8ae5e-3a78-49b5-9857-e202d636cedf",
"value": "APT32 (G0050) uses Timestomp (T1099)"
},
{
"meta": {
"source-uuid": "16ade1aa-0ea1-4bb7-88cc-9079df2ae756",
"target-uuid": "322bad5a-1c49-4d23-ab79-76d641794afa"
},
"uuid": "e6e324d1-b775-48bb-ac9f-02fcc2428752",
"value": "admin@338 (G0018) uses System Service Discovery (T1007)"
},
{
"meta": {
"source-uuid": "a60657fa-e2e7-4f8f-8128-a882534ae8c5",
"target-uuid": "7bc57495-ea59-4380-be31-a64af124ef18"
},
"uuid": "358047bf-1dd3-4fc4-bc1a-b7004bd54b8d",
"value": "OwaAuth (S0072) uses File and Directory Discovery (T1083)"
},
{
"meta": {
"source-uuid": "8b880b41-5139-4807-baa9-309690218719",
"target-uuid": "7bc57495-ea59-4380-be31-a64af124ef18"
},
"uuid": "d0332cfa-d932-4bc3-b661-9cd72c00b390",
"value": "SPACESHIP (S0035) uses File and Directory Discovery (T1083)"
},
{
"meta": {
"source-uuid": "41cff8e9-fd05-408e-b3d5-d98c54c20bcf",
"target-uuid": "c1b11bf7-c68e-4fbf-a95b-28efbe7953bb"
},
"uuid": "b02c9017-5ec9-4be0-9aa9-b183d252c516",
"value": "SSH Hijacking Mitigation (T1184) mitigates SSH Hijacking (T1184)"
},
{
"meta": {
"source-uuid": "5967cc93-57c9-404a-8ffd-097edfa7bdfc",
"target-uuid": "428ca9f8-0e33-442a-be87-f869cb4cf73e"
},
"uuid": "a5d7526f-2b1f-4a69-abc7-926b22bc402b",
"value": "Hi-Zor (S0087) uses Multilayer Encryption (T1079)"
},
{
"meta": {
"source-uuid": "dfb5fa9b-3051-4b97-8035-08f80aef945b",
"target-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6"
},
"uuid": "58f6b7ce-c0d0-4a54-b60d-1c39d6204796",
"value": "Psylo (S0078) uses Standard Application Layer Protocol (T1071)"
},
{
"meta": {
"source-uuid": "60c18d06-7b91-4742-bae3-647845cd9d81",
"target-uuid": "62b8c999-dcc0-4755-bd69-09442d9359f5"
},
"uuid": "ccc38b61-c517-4186-909a-760f12ef65e8",
"value": "CORESHELL (S0137) uses Rundll32 (T1085)"
},
{
"meta": {
"source-uuid": "f9d6633a-55e6-4adc-9263-6ae080421a13",
"target-uuid": "830c9528-df21-472c-8c14-a036bf17d665"
},
"uuid": "79f89b33-046c-4bfa-a12d-c50fa0d84ea6",
"value": "Magic Hound (G0059) uses Web Service (T1102)"
},
{
"meta": {
"source-uuid": "0bbdf25b-30ff-4894-a1cd-49260d0dd2d9",
"target-uuid": "f4882e23-8aa7-4b12-b28a-b349c12ee9e0"
},
"uuid": "ba1b953d-08ce-4b4b-924e-92556cdf1d90",
"value": "APT3 (G0022) uses PowerShell (T1086)"
},
{
"meta": {
"source-uuid": "ccd61dfc-b03f-4689-8c18-7c97eab08472",
"target-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896"
},
"uuid": "f55d54fe-27ed-41f9-81db-11ccbe2d2125",
"value": "CHOPSTICK (S0023) uses Query Registry (T1012)"
},
{
"meta": {
"source-uuid": "6a0ef5d4-fc7c-4dda-85d7-592e4dbdc5d9",
"target-uuid": "322bad5a-1c49-4d23-ab79-76d641794afa"
},
"uuid": "09c10778-19ad-441a-8a75-a3cf1288f960",
"value": "Sykipot (S0018) uses System Service Discovery (T1007)"
},
{
"meta": {
"source-uuid": "37cc7eb6-12e3-467b-82e8-f20f2cc73c69",
"target-uuid": "46944654-fcc1-4f63-9dad-628102376586"
},
"uuid": "6ce3735c-bfae-4eec-ab6b-bbf08cb7d60f",
"value": "Prikormka (S0113) uses DLL Search Order Hijacking (T1038)"
},
{
"meta": {
"source-uuid": "38fd6a28-3353-4f2b-bb2b-459fecd5c648",
"target-uuid": "bba595da-b73a-4354-aa6c-224d4de7cb4e"
},
"uuid": "89c6bcd7-e330-4902-8296-0918923d6573",
"value": "APT18 (G0026) uses cmd (S0106)"
},
{
"meta": {
"source-uuid": "aafea02e-ece5-4bb2-91a6-3bf8c7f38a39",
"target-uuid": "ca1a3f50-5ebd-41f8-8320-2c7d6a6e88be"
},
"uuid": "6c030461-42c5-44db-908a-85ac9a5a9822",
"value": "Cobalt Strike (S0154) uses Bypass User Account Control (T1088)"
},
{
"meta": {
"source-uuid": "f9d6633a-55e6-4adc-9263-6ae080421a13",
"target-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0"
},
"uuid": "88c50625-6d02-42fb-aa82-4315a532b754",
"value": "Magic Hound (G0059) uses System Network Configuration Discovery (T1016)"
},
{
"meta": {
"source-uuid": "4ca1929c-7d64-4aab-b849-badbfc0c760d",
"target-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104"
},
"uuid": "b22cebe6-129a-41a2-8a9e-70c222c88af6",
"value": "OilRig (G0049) uses System Owner/User Discovery (T1033)"
},
{
"meta": {
"source-uuid": "16ade1aa-0ea1-4bb7-88cc-9079df2ae756",
"target-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1"
},
"uuid": "eb85fa2e-3c50-4130-9717-8688237fecbc",
"value": "admin@338 (G0018) uses System Information Discovery (T1082)"
},
{
"meta": {
"source-uuid": "f5352566-1a64-49ac-8f7f-97e1d1a03300",
"target-uuid": "f4882e23-8aa7-4b12-b28a-b349c12ee9e0"
},
"uuid": "e47397b7-b3c7-4919-ac5e-1f3266ef97e3",
"value": "AutoIt backdoor (S0129) uses PowerShell (T1086)"
},
{
"meta": {
"source-uuid": "7331c66a-5601-4d3f-acf6-ad9e3035eb40",
"target-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a"
},
"uuid": "c3a1969b-1edb-4a78-80ab-b122cc2822e4",
"value": "Group5 (G0043) uses Obfuscated Files or Information (T1027)"
},
{
"meta": {
"source-uuid": "60c18d06-7b91-4742-bae3-647845cd9d81",
"target-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6"
},
"uuid": "167e1e15-1fe1-4073-aac1-062557fdd79f",
"value": "CORESHELL (S0137) uses Standard Application Layer Protocol (T1071)"
},
{
"meta": {
"source-uuid": "60c18d06-7b91-4742-bae3-647845cd9d81",
"target-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc"
},
"uuid": "dcc2c503-25dc-47bb-b9cb-35ce27e73cd2",
"value": "CORESHELL (S0137) uses Registry Run Keys / Start Folder (T1060)"
},
{
"meta": {
"source-uuid": "92ec0cbd-2c30-44a2-b270-73f4ec949841",
"target-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc"
},
"uuid": "37dd9a3c-dd52-4541-be7c-b490d026305c",
"value": "RTM (S0148) uses Registry Run Keys / Start Folder (T1060)"
},
{
"meta": {
"source-uuid": "0bbdf25b-30ff-4894-a1cd-49260d0dd2d9",
"target-uuid": "84e02621-8fdf-470f-bd58-993bb6a89d91"
},
"uuid": "1258536b-6cf4-4cfe-98c7-e9c1d30c5a34",
"value": "APT3 (G0022) uses Multi-Stage Channels (T1104)"
},
{
"meta": {
"source-uuid": "5967cc93-57c9-404a-8ffd-097edfa7bdfc",
"target-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a"
},
"uuid": "d0d74930-6b1d-4d1d-ba7f-60b93c114fd9",
"value": "Hi-Zor (S0087) uses Obfuscated Files or Information (T1027)"
},
{
"meta": {
"source-uuid": "b96680d1-5eb3-4f07-b95c-00ab904ac236",
"target-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830"
},
"uuid": "0c56b369-b665-4001-87ff-d27ae135cc64",
"value": "Pisloader (S0124) uses Command-Line Interface (T1059)"
},
{
"meta": {
"source-uuid": "fb261c56-b80e-43a9-8351-c84081e7213d",
"target-uuid": "2e0dd10b-676d-4964-acd0-8a404c92b044"
},
"uuid": "eb7a6a3f-cc88-4ed7-8421-4642c1eb1978",
"value": "BACKSPACE (S0031) uses Disabling Security Tools (T1089)"
},
{
"meta": {
"source-uuid": "2a7914cf-dff3-428d-ab0f-1014d1c28aeb",
"target-uuid": "b9f5dbe2-4c55-4fc5-af2e-d42c1d182ec4"
},
"uuid": "98229d5a-fce3-442e-91cf-7ec7b7994248",
"value": "FIN6 (G0037) uses Data Compressed (T1002)"
},
{
"meta": {
"source-uuid": "1c63d4ec-0a75-4daa-b1df-0d11af3d3cc1",
"target-uuid": "10d51417-ee35-4589-b1ff-b6df1c334e8d"
},
"uuid": "5e4ec089-c86d-4684-9783-af348d4aaa14",
"value": "Dragonfly (G0035) uses External Remote Services (T1133)"
},
{
"meta": {
"source-uuid": "38fd6a28-3353-4f2b-bb2b-459fecd5c648",
"target-uuid": "10d51417-ee35-4589-b1ff-b6df1c334e8d"
},
"uuid": "3b521f87-a77d-4c8d-8ab8-ffc6dbc3d62e",
"value": "APT18 (G0026) uses External Remote Services (T1133)"
},
{
"meta": {
"source-uuid": "b6b3dfc7-9a81-43ff-ac04-698bad48973a",
"target-uuid": "cc7b8c4e-9be0-47ca-b0bb-83915ec3ee2f"
},
"uuid": "4abcf209-1dab-435b-a347-b8ff318ac5d8",
"value": "Daserf (S0187) uses Data Encoding (T1132)"
},
{
"meta": {
"source-uuid": "fb366179-766c-4a4a-afa1-52bff1fd601c",
"target-uuid": "242f3da3-4425-4d11-8f5c-b842886da966"
},
"uuid": "fb6a8268-5a73-4ac0-8f61-439f472063d6",
"value": "Threat Group-3390 (G0027) uses Windows Credential Editor (S0005)"
},
{
"meta": {
"source-uuid": "df71bb3b-813c-45eb-a8bc-f2a419837411",
"target-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22"
},
"uuid": "a06bd922-b887-4134-81cb-1e4180cf5a5a",
"value": "Molerats (G0021) uses Credential Dumping (T1003)"
},
{
"meta": {
"source-uuid": "2eb9b131-d333-4a48-9eb4-d8dec46c19ee",
"target-uuid": "30973a08-aed9-4edf-8604-9084ce1b5c4f"
},
"uuid": "66625422-17cd-4b04-beb5-fa2eabe350ad",
"value": "CosmicDuke (S0050) uses Clipboard Data (T1115)"
},
{
"meta": {
"source-uuid": "b35068ec-107a-4266-bda8-eb7036267aea",
"target-uuid": "7e150503-88e7-4861-866b-ff1ac82c4475"
},
"uuid": "980e4dca-4d6b-4206-9c51-bff32c72a961",
"value": "nbtstat (S0102) uses System Network Connections Discovery (T1049)"
},
{
"meta": {
"source-uuid": "1c63d4ec-0a75-4daa-b1df-0d11af3d3cc1",
"target-uuid": "083bb47b-02c8-4423-81a2-f9ef58572974"
},
"uuid": "d4968f45-d06b-4843-8f72-6e08beb94cab",
"value": "Dragonfly (G0035) uses Backdoor.Oldrea (S0093)"
},
{
"meta": {
"source-uuid": "894aab42-3371-47b1-8859-a4a074c804c8",
"target-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9"
},
"uuid": "e362d1ad-5d36-4f6d-b2b0-63af2f5f08ff",
"value": "Stealth Falcon (G0038) uses Scheduled Task (T1053)"
},
{
"meta": {
"source-uuid": "68dca94f-c11d-421e-9287-7c501108e18c",
"target-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6"
},
"uuid": "8d0d938e-2e4c-49e8-9290-6bfb86161260",
"value": "Duqu (S0038) uses Standard Application Layer Protocol (T1071)"
},
{
"meta": {
"source-uuid": "fb366179-766c-4a4a-afa1-52bff1fd601c",
"target-uuid": "b07c2c47-fefb-4d7c-a69e-6a3296171f54"
},
"uuid": "3b6fc69c-9759-465a-b09c-a6161e4e2f56",
"value": "Threat Group-3390 (G0027) uses gsecdump (S0008)"
},
{
"meta": {
"source-uuid": "fbb470da-1d44-4f29-bbb3-9efbe20f94a3",
"target-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc"
},
"uuid": "5ab3897a-4f37-4b59-99ca-f39605cb1a35",
"value": "Mivast (S0080) uses Registry Run Keys / Start Folder (T1060)"
},
{
"meta": {
"source-uuid": "7ecc3b4f-5cdb-457e-b55a-df376b359446",
"target-uuid": "7e150503-88e7-4861-866b-ff1ac82c4475"
},
"uuid": "21ff06b5-022f-40bf-821b-3e08dc9f08a3",
"value": "Poseidon Group (G0033) uses System Network Connections Discovery (T1049)"
},
{
"meta": {
"source-uuid": "196f1f32-e0c2-4d46-99cd-234d4b6befe1",
"target-uuid": "241814ae-de3f-4656-b49e-f9a80764d4b7"
},
"uuid": "863c1d57-db93-49a9-a953-eb7c2d6b2e5b",
"value": "Felismus (S0171) uses Security Software Discovery (T1063)"
},
{
"meta": {
"source-uuid": "f047ee18-7985-4946-8bfb-4ed754d3a0dd",
"target-uuid": "53cf6cc4-65aa-445a-bcf8-c3d296f8a7a2"
},
"uuid": "a5015a35-a6a2-4289-8d79-79b583c23e63",
"value": "APT30 (G0013) uses NETEAGLE (S0034)"
},
{
"meta": {
"source-uuid": "96b08451-b27a-4ff6-893f-790e26393a8e",
"target-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59"
},
"uuid": "e2e91dcc-87b0-4ff8-a6cd-0dfd6a813483",
"value": "Sakula (S0074) uses File Deletion (T1107)"
},
{
"meta": {
"source-uuid": "3753cc21-2dae-4dfb-8481-d004e74502cc",
"target-uuid": "a127c32c-cbb0-4f9d-be07-881a792408ec"
},
"uuid": "9e77b81d-6298-4233-8baa-f419031a9d64",
"value": "FIN7 (G0046) uses Mshta (T1170)"
},
{
"meta": {
"source-uuid": "2e290bfe-93b5-48ce-97d6-edcd6d32b7cf",
"target-uuid": "5f9f7648-04ba-4a9f-bb4c-2a13e74572bd"
},
"uuid": "4f33536d-eb06-4eba-8765-4379e399f3b8",
"value": "Gamaredon Group (G0047) uses Pteranodon (S0147)"
},
{
"meta": {
"source-uuid": "c93fccb1-e8e8-42cf-ae33-2ad1d183913a",
"target-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59"
},
"uuid": "979812c4-939e-4a7e-96b3-348028db10ce",
"value": "Lazarus Group (G0032) uses File Deletion (T1107)"
},
{
"meta": {
"source-uuid": "8e461ca3-0996-4e6e-a0df-e2a5bbc51ebc",
"target-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580"
},
"uuid": "71ee5336-929a-41c7-bfbd-42a7208ca29d",
"value": "4H RAT (S0065) uses Process Discovery (T1057)"
},
{
"meta": {
"source-uuid": "17862c7d-9e60-48a0-b48e-da4dc4c3f6b0",
"target-uuid": "6ff403bc-93e3-48be-8687-e102fdba8c88"
},
"uuid": "891a97f1-d3e2-45ff-a079-43dcad21a175",
"value": "Patchwork (G0040) uses Software Packing (T1045)"
},
{
"meta": {
"source-uuid": "f5352566-1a64-49ac-8f7f-97e1d1a03300",
"target-uuid": "7bc57495-ea59-4380-be31-a64af124ef18"
},
"uuid": "3de749e5-353a-4bdc-8951-9e0fa387bc70",
"value": "AutoIt backdoor (S0129) uses File and Directory Discovery (T1083)"
},
{
"meta": {
"source-uuid": "03342581-f790-4f03-ba41-e82e67392e23",
"target-uuid": "e7eab98d-ae11-4491-bd28-a53ba875865a"
},
"uuid": "4e167937-d152-4c57-a7b7-e3b407470720",
"value": "Net (S0039) uses Network Share Connection Removal (T1126)"
},
{
"meta": {
"source-uuid": "54cc1d4f-5c53-4f0e-9ef5-11b4998e82e4",
"target-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d"
},
"uuid": "1a7d1db3-9383-4171-8938-382e9b0375c6",
"value": "BlackEnergy (S0089) uses Process Injection (T1055)"
},
{
"meta": {
"source-uuid": "e8268361-a599-4e45-bd3f-71c8c7e700c0",
"target-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6"
},
"uuid": "a45f37c0-da3f-4766-bdb2-4cc1f4bda04d",
"value": "httpclient (S0068) uses Standard Application Layer Protocol (T1071)"
},
{
"meta": {
"source-uuid": "43b366a4-b5ff-4d4e-8a3b-f09a9d2faff5",
"target-uuid": "804c042c-cfe6-449e-bc1a-ba0a998a70db"
},
"uuid": "143c0761-981a-4668-ab8a-9ba74cb58869",
"value": "Shared Webroot Mitigation (T1051) mitigates Shared Webroot (T1051)"
},
{
"meta": {
"source-uuid": "98e8a977-3416-43aa-87fa-33e287e9c14c",
"target-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1"
},
"uuid": "73fe447a-8d70-433f-be9a-5af74934a662",
"value": "WINDSHIELD (S0155) uses System Information Discovery (T1082)"
},
{
"meta": {
"source-uuid": "bd2554b8-634f-4434-a986-9b49c29da2ae",
"target-uuid": "241814ae-de3f-4656-b49e-f9a80764d4b7"
},
"uuid": "c0b07b4a-d421-4faa-8564-4cc89668afac",
"value": "Security Software Discovery Mitigation (T1063) mitigates Security Software Discovery (T1063)"
},
{
"meta": {
"source-uuid": "00c3bfcb-99bd-4767-8c03-b08f585f5c8a",
"target-uuid": "62b8c999-dcc0-4755-bd69-09442d9359f5"
},
"uuid": "1cbf5583-626a-4a24-bc59-f3b973752cee",
"value": "PowerDuke (S0139) uses Rundll32 (T1085)"
},
{
"meta": {
"source-uuid": "68ba94ab-78b8-43e7-83e2-aed3466882c6",
"target-uuid": "01a5a209-b94c-450b-b7f9-946497d91055"
},
"uuid": "ec6002c7-a2ca-4792-8dc4-0f0746768762",
"value": "APT34 (G0057) uses Windows Management Instrumentation (T1047)"
},
{
"meta": {
"source-uuid": "c93fccb1-e8e8-42cf-ae33-2ad1d183913a",
"target-uuid": "fece06b7-d4b1-42cf-b81a-5323c917546e"
},
"uuid": "216c15b0-3091-49f2-ba85-356d56265671",
"value": "Lazarus Group (G0032) uses FALLCHILL (S0181)"
},
{
"meta": {
"source-uuid": "64fa0de0-6240-41f4-8638-f4ca7ed528fd",
"target-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896"
},
"uuid": "4cb1a0d0-6276-4c2c-b299-c26c982e9e1e",
"value": "PlugX (S0013) uses Query Registry (T1012)"
},
{
"meta": {
"source-uuid": "326af1cd-78e7-45b7-a326-125d2f7ef8f2",
"target-uuid": "c21d5a77-d422-4a69-acd7-2c53c1faa34b"
},
"uuid": "d6c628b9-789a-416b-8abe-cd457e566346",
"value": "Crimson (S0115) uses Standard Non-Application Layer Protocol (T1095)"
},
{
"meta": {
"source-uuid": "fde50aaa-f5de-4cb8-989a-babb57d6a704",
"target-uuid": "ffe742ed-9100-4686-9e00-c331da544787"
},
"uuid": "e89d06bc-31f3-49c0-a555-360eeff7f7c6",
"value": "Net Crawler (S0056) uses Windows Admin Shares (T1077)"
},
{
"meta": {
"source-uuid": "f108215f-3487-489d-be8b-80e346d32518",
"target-uuid": "dc27c2ec-c5f9-4228-ba57-d67b590bda93"
},
"uuid": "f5acb12e-6d83-4628-9b1d-61f277a699b2",
"value": "Komplex (S0162) uses Hidden Files and Directories (T1158)"
},
{
"meta": {
"source-uuid": "894aab42-3371-47b1-8859-a4a074c804c8",
"target-uuid": "f4882e23-8aa7-4b12-b28a-b349c12ee9e0"
},
"uuid": "e2e33068-b08e-45fd-89e0-0cf79868f902",
"value": "Stealth Falcon (G0038) uses PowerShell (T1086)"
},
{
"meta": {
"source-uuid": "da5880b4-f7da-4869-85f2-e0aba84b8565",
"target-uuid": "9b52fca7-1a36-4da0-b62d-da5bd83b4d69"
},
"uuid": "64309b21-2dc2-4369-9c70-66f47f5c4b56",
"value": "ComRAT (S0126) uses Component Object Model Hijacking (T1122)"
},
{
"meta": {
"source-uuid": "4a99fecc-680b-448e-8fe7-8144c60d272c",
"target-uuid": "a93494bb-4b80-4ea1-8695-3236a49916fd"
},
"uuid": "cade3e14-aab4-4297-b77d-019d3ee0ccef",
"value": "Brute Force Mitigation (T1110) mitigates Brute Force (T1110)"
},
{
"meta": {
"source-uuid": "876f6a77-fbc5-4e13-ab1a-5611986730a3",
"target-uuid": "b2001907-166b-4d71-bb3c-9d26c871de09"
},
"uuid": "677f32ad-2aa1-4fe3-8dab-73494891aa4a",
"value": "T9000 (S0098) uses DLL Side-Loading (T1073)"
},
{
"meta": {
"source-uuid": "876f6a77-fbc5-4e13-ab1a-5611986730a3",
"target-uuid": "d54416bd-0803-41ca-870a-ce1af7c05638"
},
"uuid": "bb11119c-c409-4615-8c3f-8491749f2d3b",
"value": "T9000 (S0098) uses Data Encrypted (T1022)"
},
{
"meta": {
"source-uuid": "bef4c620-0787-42a8-a96d-b7eb6e85917c",
"target-uuid": "2c4d4e92-0ccf-4a97-b54c-86d662988a53"
},
"uuid": "d0560e25-020d-4cd6-b61c-5fc82a757edc",
"value": "APT28 (G0007) uses Office Application Startup (T1137)"
},
{
"meta": {
"source-uuid": "69d6f4a9-fcf0-4f51-bca7-597c51ad0bb8",
"target-uuid": "c848fcf7-6b62-4bde-8216-b6c157d48da0"
},
"uuid": "7ed59789-3b2d-4acf-9127-7af35234a373",
"value": "Remsec (S0125) uses Uncommonly Used Port (T1065)"
},
{
"meta": {
"source-uuid": "4ca1929c-7d64-4aab-b849-badbfc0c760d",
"target-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c"
},
"uuid": "67469b79-67e2-4932-9776-b09a82871723",
"value": "OilRig (G0049) uses Deobfuscate/Decode Files or Information (T1140)"
},
{
"meta": {
"source-uuid": "16ade1aa-0ea1-4bb7-88cc-9079df2ae756",
"target-uuid": "4664b683-f578-434f-919b-1c1aad2a1111"
},
"uuid": "d75ee2bd-801c-4521-8d70-f5e2d64c87f9",
"value": "admin@338 (G0018) uses netstat (S0104)"
},
{
"meta": {
"source-uuid": "ab3580c8-8435-4117-aace-3d9fbe46aa56",
"target-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22"
},
"uuid": "a76e4748-2cef-4ee6-96a3-53ee227f0333",
"value": "Unknown Logger (S0130) uses Credential Dumping (T1003)"
},
{
"meta": {
"source-uuid": "c9cd7ec9-40b7-49db-80be-1399eddd9c52",
"target-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22"
},
"uuid": "5c6b3fda-2eec-4c7a-af09-5f880f260085",
"value": "Cachedump (S0119) uses Credential Dumping (T1003)"
},
{
"meta": {
"source-uuid": "2dd34b01-6110-4aac-835d-b5e7b936b0be",
"target-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6"
},
"uuid": "cc065036-1b46-4f5c-935e-fb80bd3de7c7",
"value": "OLDBAIT (S0138) uses Standard Application Layer Protocol (T1071)"
},
{
"meta": {
"source-uuid": "121b2863-5b97-4538-acb3-f8aae070ec13",
"target-uuid": "dd901512-6e37-4155-943b-453e3777b125"
},
"uuid": "48b9ca0c-925b-4f6a-8f25-459b2489be7c",
"value": "Launch Agent Mitigation (T1159) mitigates Launch Agent (T1159)"
},
{
"meta": {
"source-uuid": "59a97b15-8189-4d51-9404-e1ce8ea4a069",
"target-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6"
},
"uuid": "785abba4-fdb4-4aad-9049-5a0c748cc965",
"value": "XAgentOSX (S0161) uses Standard Application Layer Protocol (T1071)"
},
{
"meta": {
"source-uuid": "91000a8a-58cc-4aba-9ad0-993ad6302b86",
"target-uuid": "241814ae-de3f-4656-b49e-f9a80764d4b7"
},
"uuid": "df7fb8f2-e7a6-4342-8d67-09655ceefead",
"value": "StreamEx (S0142) uses Security Software Discovery (T1063)"
},
{
"meta": {
"source-uuid": "ae9d818d-95d0-41da-b045-9cabea1ca164",
"target-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1"
},
"uuid": "7b29c94f-1834-42ac-933c-ae6cd125e87a",
"value": "PinchDuke (S0048) uses System Information Discovery (T1082)"
},
{
"meta": {
"source-uuid": "afc079f3-c0ea-4096-b75d-3f05338b7f60",
"target-uuid": "a257ed11-ff3b-4216-8c9d-3938ef57064c"
},
"uuid": "76037b22-a3e4-40d3-bd56-699d1ea4e97e",
"value": "Mimikatz (S0002) uses Pass the Ticket (T1097)"
},
{
"meta": {
"source-uuid": "222fbd21-fc4f-4b7e-9f85-0e6e3a76c33f",
"target-uuid": "b9f5dbe2-4c55-4fc5-af2e-d42c1d182ec4"
},
"uuid": "17262c58-2f41-41d2-a86a-5bc86642ddb4",
"value": "menuPass (G0045) uses Data Compressed (T1002)"
},
{
"meta": {
"source-uuid": "4c59cce8-cb48-4141-b9f1-f646edfaadb0",
"target-uuid": "c21d5a77-d422-4a69-acd7-2c53c1faa34b"
},
"uuid": "e7ac3ee3-a014-4b07-9bad-b93d3d1d0f4b",
"value": "Regin (S0019) uses Standard Non-Application Layer Protocol (T1095)"
},
{
"meta": {
"source-uuid": "40d3e230-ed32-469f-ba89-be70cc08ab39",
"target-uuid": "d54416bd-0803-41ca-870a-ce1af7c05638"
},
"uuid": "f4c6cb3f-b24c-4a1e-9bba-7b129b89a17a",
"value": "Agent.btz (S0092) uses Data Encrypted (T1022)"
},
{
"meta": {
"source-uuid": "463f68f1-5cde-4dc2-a831-68b73488f8f4",
"target-uuid": "92d7da27-2d91-488e-a00c-059dc162766d"
},
"uuid": "4ffcf69a-c7ef-46dc-add7-9093e454a67e",
"value": "MobileOrder (S0079) uses Exfiltration Over Command and Control Channel (T1041)"
},
{
"meta": {
"source-uuid": "9ea525fa-b0a9-4dde-84f2-bcea0137b3c1",
"target-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59"
},
"uuid": "761edf58-baad-4626-acca-a137c251b0e6",
"value": "MoonWind (S0149) uses File Deletion (T1107)"
},
{
"meta": {
"source-uuid": "8ca6a5e0-aae5-49bc-8d07-f888c7dba9ea",
"target-uuid": "2c4d4e92-0ccf-4a97-b54c-86d662988a53"
},
"uuid": "140b4bbc-68c6-474a-adae-9b2275471f13",
"value": "Office Application Startup Mitigation (T1137) mitigates Office Application Startup (T1137)"
},
{
"meta": {
"source-uuid": "e48df773-7c95-4a4c-ba70-ea3d15900148",
"target-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1"
},
"uuid": "396edbf6-41b5-4377-90b6-4967c24de7fb",
"value": "DownPaper (S0186) uses System Information Discovery (T1082)"
},
{
"meta": {
"source-uuid": "a653431d-6a5e-4600-8ad3-609b5af57064",
"target-uuid": "03342581-f790-4f03-ba41-e82e67392e23"
},
"uuid": "2df910df-37cc-4349-96c3-f938fa5a9054",
"value": "Deep Panda (G0009) uses Net (S0039)"
},
{
"meta": {
"source-uuid": "0e18b800-906c-4e44-a143-b11c72b3448b",
"target-uuid": "731f4f55-b6d0-41d1-a7a9-072a66389aea"
},
"uuid": "7cfafeb7-2662-4b65-8dfc-93db752f5e71",
"value": "FLIPSIDE (S0173) uses Connection Proxy (T1090)"
},
{
"meta": {
"source-uuid": "3a476d83-43eb-4fad-9b75-b1febd834e3d",
"target-uuid": "a257ed11-ff3b-4216-8c9d-3938ef57064c"
},
"uuid": "cb35f782-6fb4-4a0c-b549-8af99dbc57fd",
"value": "Pass the Ticket Mitigation (T1097) mitigates Pass the Ticket (T1097)"
},
{
"meta": {
"source-uuid": "da987565-27b6-4b31-bbcd-74b909847116",
"target-uuid": "99709758-2b96-48f2-a68a-ad7fbd828091"
},
"uuid": "c57efd0b-817e-45c2-9f11-e8e7ac11b44c",
"value": "Multiband Communication Mitigation (T1026) mitigates Multiband Communication (T1026)"
},
{
"meta": {
"source-uuid": "7f8730af-f683-423f-9ee1-5f6875a80481",
"target-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1"
},
"uuid": "550bf43e-53da-467e-affd-9f44ad668508",
"value": "Sys10 (S0060) uses System Information Discovery (T1082)"
},
{
"meta": {
"source-uuid": "e48df773-7c95-4a4c-ba70-ea3d15900148",
"target-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830"
},
"uuid": "ef318b23-1b8c-4c24-ad20-09c0977a73b3",
"value": "DownPaper (S0186) uses Command-Line Interface (T1059)"
},
{
"meta": {
"source-uuid": "247cb30b-955f-42eb-97a5-a89fef69341e",
"target-uuid": "68f7e3a1-f09f-4164-9a62-16b648a0dd5a"
},
"uuid": "dfcc52d8-4664-48c4-9e35-2be2cd649d93",
"value": "APT32 (G0050) uses Regsvr32 (T1117)"
},
{
"meta": {
"source-uuid": "326af1cd-78e7-45b7-a326-125d2f7ef8f2",
"target-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580"
},
"uuid": "84f40044-00a2-4015-be0d-1bb0107ef42b",
"value": "Crimson (S0115) uses Process Discovery (T1057)"
},
{
"meta": {
"source-uuid": "326af1cd-78e7-45b7-a326-125d2f7ef8f2",
"target-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688"
},
"uuid": "717d87d5-df97-48a9-8766-c9a947541e1d",
"value": "Crimson (S0115) uses Screen Capture (T1113)"
},
{
"meta": {
"source-uuid": "d1acfbb3-647b-4723-9154-800ec119006e",
"target-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2"
},
"uuid": "ae1600d0-8271-4709-a1a6-6fb62494fa23",
"value": "Sowbug (G0054) uses Input Capture (T1056)"
},
{
"meta": {
"source-uuid": "166c0eca-02fd-424a-92c0-6b5106994d31",
"target-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688"
},
"uuid": "7296e1e2-514d-4a6c-a1fe-18558a5e3b0f",
"value": "ZLib (S0086) uses Screen Capture (T1113)"
},
{
"meta": {
"source-uuid": "f8dfbc54-b070-4224-b560-79aaa5f835bd",
"target-uuid": "4b74a1d4-b0e9-4ef1-93f1-14ecc6e2f5b5"
},
"uuid": "ca8ed9e2-f7a6-4d54-b450-94c187b1f9b6",
"value": "H1N1 (S0132) uses Standard Cryptographic Protocol (T1032)"
},
{
"meta": {
"source-uuid": "c416b28c-103b-4df1-909e-78089a7e0e5f",
"target-uuid": "92ec0cbd-2c30-44a2-b270-73f4ec949841"
},
"uuid": "9755e169-0dd5-4bf5-a884-d50d31f33ad9",
"value": "RTM (G0048) uses RTM (S0148)"
},
{
"meta": {
"source-uuid": "f6469191-1814-4dbe-a081-2a6daf83a10b",
"target-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580"
},
"uuid": "03f30a17-095b-4656-a7db-87d98628dfd8",
"value": "Process Discovery Mitigation (T1057) mitigates Process Discovery (T1057)"
},
{
"meta": {
"source-uuid": "166c0eca-02fd-424a-92c0-6b5106994d31",
"target-uuid": "b9f5dbe2-4c55-4fc5-af2e-d42c1d182ec4"
},
"uuid": "32568a57-ff9c-42f5-9b60-0b78d7b0a7c0",
"value": "ZLib (S0086) uses Data Compressed (T1002)"
},
{
"meta": {
"source-uuid": "f8dfbc54-b070-4224-b560-79aaa5f835bd",
"target-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830"
},
"uuid": "4a419b18-5fb2-43a0-8c0a-6521b8d9de63",
"value": "H1N1 (S0132) uses Command-Line Interface (T1059)"
},
{
"meta": {
"source-uuid": "f9d6633a-55e6-4adc-9263-6ae080421a13",
"target-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688"
},
"uuid": "65f7704a-358a-464d-b09b-fee5dd96adf3",
"value": "Magic Hound (G0059) uses Screen Capture (T1113)"
},
{
"meta": {
"source-uuid": "53cf6cc4-65aa-445a-bcf8-c3d296f8a7a2",
"target-uuid": "4b74a1d4-b0e9-4ef1-93f1-14ecc6e2f5b5"
},
"uuid": "122e6f20-ab3b-4bf0-bef1-0372399bee7c",
"value": "NETEAGLE (S0034) uses Standard Cryptographic Protocol (T1032)"
},
{
"meta": {
"source-uuid": "2a7914cf-dff3-428d-ab0f-1014d1c28aeb",
"target-uuid": "e3a12395-188d-4051-9a16-ea8e14d07b88"
},
"uuid": "b1c49faa-0b6f-4a0e-85da-5ab8ddeab2ce",
"value": "FIN6 (G0037) uses Network Service Scanning (T1046)"
},
{
"meta": {
"source-uuid": "92ec0cbd-2c30-44a2-b270-73f4ec949841",
"target-uuid": "30973a08-aed9-4edf-8604-9084ce1b5c4f"
},
"uuid": "1e03e95c-1c9a-4fa8-9d6d-b5d244b06509",
"value": "RTM (S0148) uses Clipboard Data (T1115)"
},
{
"meta": {
"source-uuid": "fb575479-14ef-41e9-bfab-0b7cf10bec73",
"target-uuid": "9b52fca7-1a36-4da0-b62d-da5bd83b4d69"
},
"uuid": "075e7d33-8d5c-4016-9a24-dc6e61f56fcd",
"value": "ADVSTORESHELL (S0045) uses Component Object Model Hijacking (T1122)"
},
{
"meta": {
"source-uuid": "17e919aa-4a49-445c-b103-dbb8df9e7351",
"target-uuid": "f4882e23-8aa7-4b12-b28a-b349c12ee9e0"
},
"uuid": "89424d69-a426-4f76-9e7f-7b2dabe459be",
"value": "POWERSOURCE (S0145) uses PowerShell (T1086)"
},
{
"meta": {
"source-uuid": "7343e208-7cab-45f2-a47b-41ba5e2f0fab",
"target-uuid": "f24faf46-3b26-4dbb-98f2-63460498e433"
},
"uuid": "e97b39d6-7be1-4f59-8959-7f1f01402152",
"value": "XTunnel (S0117) uses Fallback Channels (T1008)"
},
{
"meta": {
"source-uuid": "199463de-d9be-46d6-bb41-07234c1dd5a6",
"target-uuid": "72b74d71-8169-42aa-92e0-e7b04b9f5a08"
},
"uuid": "2e69a835-6443-455e-8ff0-775bb8c823f1",
"value": "GeminiDuke (S0049) uses Account Discovery (T1087)"
},
{
"meta": {
"source-uuid": "54cc1d4f-5c53-4f0e-9ef5-11b4998e82e4",
"target-uuid": "7e150503-88e7-4861-866b-ff1ac82c4475"
},
"uuid": "5b2c87e3-8eac-48b3-832b-2290b367403d",
"value": "BlackEnergy (S0089) uses System Network Connections Discovery (T1049)"
},
{
"meta": {
"source-uuid": "68ba94ab-78b8-43e7-83e2-aed3466882c6",
"target-uuid": "e3a12395-188d-4051-9a16-ea8e14d07b88"
},
"uuid": "6a5bd9f5-f8ff-4eab-a4bc-edb2e098c47d",
"value": "APT34 (G0057) uses Network Service Scanning (T1046)"
},
{
"meta": {
"source-uuid": "bcc91b8c-f104-4710-964e-1d5409666736",
"target-uuid": "c16e5409-ee53-4d79-afdc-4099dc9292df"
},
"uuid": "38d4c148-6fe8-4703-94e5-1b79b1cf5b8c",
"value": "Web Shell Mitigation (T1100) mitigates Web Shell (T1100)"
},
{
"meta": {
"source-uuid": "6b616fc1-1505-48e3-8b2c-0d19337bff38",
"target-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688"
},
"uuid": "6184b127-47cf-43fc-880b-890554d9cc9a",
"value": "Rover (S0090) uses Screen Capture (T1113)"
},
{
"meta": {
"source-uuid": "b96680d1-5eb3-4f07-b95c-00ab904ac236",
"target-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0"
},
"uuid": "548e7315-5055-4434-96c1-1429779b0e2b",
"value": "Pisloader (S0124) uses System Network Configuration Discovery (T1016)"
},
{
"meta": {
"source-uuid": "93f52415-0fe4-4d3d-896c-fc9b8e88ab90",
"target-uuid": "519630c5-f03f-4882-825c-3af924935817"
},
"uuid": "cc13f316-0f88-4ed1-8790-b13bc35be119",
"value": "BRONZE BUTLER (G0060) uses Binary Padding (T1009)"
},
{
"meta": {
"source-uuid": "2a158b0a-7ef8-43cb-9985-bf34d1e12050",
"target-uuid": "03342581-f790-4f03-ba41-e82e67392e23"
},
"uuid": "0ef9bb79-c221-40a8-94b0-58bfc816565f",
"value": "Naikon (G0019) uses Net (S0039)"
},
{
"meta": {
"source-uuid": "ad4f146f-e3ec-444a-ba71-24bffd7f0f8e",
"target-uuid": "4b74a1d4-b0e9-4ef1-93f1-14ecc6e2f5b5"
},
"uuid": "c945e5f2-5622-46ce-8b35-468d41d2af46",
"value": "RIPTIDE (S0003) uses Standard Cryptographic Protocol (T1032)"
},
{
"meta": {
"source-uuid": "68dca94f-c11d-421e-9287-7c501108e18c",
"target-uuid": "dcaa092b-7de9-4a21-977f-7fcb77e89c48"
},
"uuid": "968610c5-7fa5-4840-b9bb-2f70eecd87fa",
"value": "Duqu (S0038) uses Access Token Manipulation (T1134)"
},
{
"meta": {
"source-uuid": "4ca1929c-7d64-4aab-b849-badbfc0c760d",
"target-uuid": "7e150503-88e7-4861-866b-ff1ac82c4475"
},
"uuid": "8edb0383-cae8-43ee-9241-b25e5068cc95",
"value": "OilRig (G0049) uses System Network Connections Discovery (T1049)"
},
{
"meta": {
"source-uuid": "43213480-78f7-4fb3-976f-d48f5f6a4c2a",
"target-uuid": "7dd95ff6-712e-4056-9626-312ea4ab4c5e"
},
"uuid": "e5728c4d-d404-44e8-9e28-3411942c5234",
"value": "FLASHFLOOD (S0036) uses Data Staged (T1074)"
},
{
"meta": {
"source-uuid": "94379dec-5c87-49db-b36e-66abc0b81344",
"target-uuid": "f24faf46-3b26-4dbb-98f2-63460498e433"
},
"uuid": "bd74b90d-ff9f-4ce3-96af-9b809fffc3da",
"value": "Derusbi (S0021) uses Fallback Channels (T1008)"
},
{
"meta": {
"source-uuid": "68dca94f-c11d-421e-9287-7c501108e18c",
"target-uuid": "478aa214-2ca7-4ec0-9978-18798e514790"
},
"uuid": "46660a8a-7724-4577-b09e-551a1ce61bfc",
"value": "Duqu (S0038) uses New Service (T1050)"
},
{
"meta": {
"source-uuid": "aafea02e-ece5-4bb2-91a6-3bf8c7f38a39",
"target-uuid": "1c338d0f-a65e-4073-a5c1-c06878849f21"
},
"uuid": "6c303446-f8d1-424c-b1ac-8c10f82d33d7",
"value": "Cobalt Strike (S0154) uses Process Hollowing (T1093)"
},
{
"meta": {
"source-uuid": "ad4f146f-e3ec-444a-ba71-24bffd7f0f8e",
"target-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6"
},
"uuid": "c4ce39f8-371c-45dd-a8d2-a411a6f0678d",
"value": "RIPTIDE (S0003) uses Standard Application Layer Protocol (T1071)"
},
{
"meta": {
"source-uuid": "1cc934e4-b01d-4543-a011-b988dfc1a458",
"target-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9"
},
"uuid": "d2560c35-b2f6-47d2-b573-236ef99894d5",
"value": "Matroyshka (S0167) uses Scheduled Task (T1053)"
},
{
"meta": {
"source-uuid": "c93fccb1-e8e8-42cf-ae33-2ad1d183913a",
"target-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a"
},
"uuid": "3afd226c-934f-44fd-8194-9a6dee5cba59",
"value": "Lazarus Group (G0032) uses Obfuscated Files or Information (T1027)"
},
{
"meta": {
"source-uuid": "6713ab67-e25b-49cc-808d-2b36d4fbc35c",
"target-uuid": "3c4a2599-71ee-4405-ba1e-0e28414b4bc5"
},
"uuid": "8c763d80-4c50-4ebd-b2c6-3cad22c55bfa",
"value": "Ke3chang (G0004) uses Data from Local System (T1005)"
},
{
"meta": {
"source-uuid": "199463de-d9be-46d6-bb41-07234c1dd5a6",
"target-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6"
},
"uuid": "b5a1cf65-c128-4d2e-bd28-54514d1a3aae",
"value": "GeminiDuke (S0049) uses Standard Application Layer Protocol (T1071)"
},
{
"meta": {
"source-uuid": "943d370b-2054-44df-8be2-ab4139bde1c5",
"target-uuid": "52d40641-c480-4ad5-81a3-c80ccaddf82d"
},
"uuid": "758b6582-b988-4ab9-911e-e40c9bbebc2d",
"value": "Authentication Package Mitigation (T1131) mitigates Authentication Package (T1131)"
},
{
"meta": {
"source-uuid": "16ade1aa-0ea1-4bb7-88cc-9079df2ae756",
"target-uuid": "72b74d71-8169-42aa-92e0-e7b04b9f5a08"
},
"uuid": "c4962ae6-91e2-407d-9f42-aa0381574476",
"value": "admin@338 (G0018) uses Account Discovery (T1087)"
},
{
"meta": {
"source-uuid": "1c63d4ec-0a75-4daa-b1df-0d11af3d3cc1",
"target-uuid": "3489cfc5-640f-4bb3-a103-9137b97de79f"
},
"uuid": "1e1b566b-152a-4778-a03f-0ce94b72c5f2",
"value": "Dragonfly (G0035) uses Network Share Discovery (T1135)"
},
{
"meta": {
"source-uuid": "e066bf86-9cfb-407a-9d25-26fd5d91e360",
"target-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59"
},
"uuid": "b13fd1c9-a42c-45fc-9db8-1cd691740e0a",
"value": "HTTPBrowser (S0070) uses File Deletion (T1107)"
},
{
"meta": {
"source-uuid": "9ca488bd-9587-48ef-b923-1743523e63b2",
"target-uuid": "7bc57495-ea59-4380-be31-a64af124ef18"
},
"uuid": "c3ee174d-fd40-4636-97b2-afe80854f987",
"value": "SOUNDBITE (S0157) uses File and Directory Discovery (T1083)"
},
{
"meta": {
"source-uuid": "ae41895a-243f-4a65-b99b-d85022326c31",
"target-uuid": "0db09158-6e48-4e7c-8ce7-2b10b9c0c039"
},
"uuid": "c8253944-3a69-42e6-b36a-1c3defbb088e",
"value": "Dust Storm (G0031) uses Misdat (S0083)"
},
{
"meta": {
"source-uuid": "bef4c620-0787-42a8-a96d-b7eb6e85917c",
"target-uuid": "60c18d06-7b91-4742-bae3-647845cd9d81"
},
"uuid": "ba64e6d1-4deb-440a-a4eb-1c3476b6fb47",
"value": "APT28 (G0007) uses CORESHELL (S0137)"
},
{
"meta": {
"source-uuid": "9ea525fa-b0a9-4dde-84f2-bcea0137b3c1",
"target-uuid": "f879d51c-5476-431c-aedf-f14d207e4d1e"
},
"uuid": "2864eb81-71a5-4325-b42a-7a725f0c6887",
"value": "MoonWind (S0149) uses Commonly Used Port (T1043)"
},
{
"meta": {
"source-uuid": "0db09158-6e48-4e7c-8ce7-2b10b9c0c039",
"target-uuid": "cc7b8c4e-9be0-47ca-b0bb-83915ec3ee2f"
},
"uuid": "a12a471b-39b2-4abf-80d0-af88d5a4f038",
"value": "Misdat (S0083) uses Data Encoding (T1132)"
},
{
"meta": {
"source-uuid": "cbf646f1-7db5-4dc6-808b-0094313949df",
"target-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add"
},
"uuid": "800825f5-6e74-43ad-a732-476fdf471225",
"value": "CloudDuke (S0054) uses Remote File Copy (T1105)"
},
{
"meta": {
"source-uuid": "72f54d66-675d-4587-9bd3-4ed09f9522e4",
"target-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6"
},
"uuid": "210f5206-8763-48ac-a4c3-a08440892b5d",
"value": "Carbanak (S0030) uses Standard Application Layer Protocol (T1071)"
},
{
"meta": {
"source-uuid": "0bbdf25b-30ff-4894-a1cd-49260d0dd2d9",
"target-uuid": "72b74d71-8169-42aa-92e0-e7b04b9f5a08"
},
"uuid": "9a615c7f-986d-4769-bea6-af9ffe0d575e",
"value": "APT3 (G0022) uses Account Discovery (T1087)"
},
{
"meta": {
"source-uuid": "f6d1d2cb-12f5-4221-9636-44606ea1f3f8",
"target-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1"
},
"uuid": "7507eb37-407e-4428-b29f-da0bda3f7970",
"value": "OSInfo (S0165) uses System Information Discovery (T1082)"
},
{
"meta": {
"source-uuid": "f047ee18-7985-4946-8bfb-4ed754d3a0dd",
"target-uuid": "8b880b41-5139-4807-baa9-309690218719"
},
"uuid": "fca5a601-68fd-4b20-ad1e-0592cadecb73",
"value": "APT30 (G0013) uses SPACESHIP (S0035)"
},
{
"meta": {
"source-uuid": "85403903-15e0-4f9f-9be4-a259ecad4022",
"target-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59"
},
"uuid": "1ace08c6-0f1a-487d-92b2-6c61c2299270",
"value": "FIN5 (G0053) uses File Deletion (T1107)"
},
{
"meta": {
"source-uuid": "fb575479-14ef-41e9-bfab-0b7cf10bec73",
"target-uuid": "7bc57495-ea59-4380-be31-a64af124ef18"
},
"uuid": "7105ecea-8da8-4723-b717-ae9c3152cfdd",
"value": "ADVSTORESHELL (S0045) uses File and Directory Discovery (T1083)"
},
{
"meta": {
"source-uuid": "fb575479-14ef-41e9-bfab-0b7cf10bec73",
"target-uuid": "348f1eef-964b-4eb6-bb53-69b3dcb0c643"
},
"uuid": "a0f1273a-e422-4801-a911-e7cb223ebea2",
"value": "ADVSTORESHELL (S0045) uses Peripheral Device Discovery (T1120)"
},
{
"meta": {
"source-uuid": "8901ac23-6b50-410c-b0dd-d8174a86f9b3",
"target-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0"
},
"uuid": "5206976b-ac4d-4286-a954-4b1ef5c20adc",
"value": "Shamoon (S0140) uses System Network Configuration Discovery (T1016)"
},
{
"meta": {
"source-uuid": "6a2e693f-24e5-451a-9f88-b36a108e5662",
"target-uuid": "2e45723a-31da-4a7e-aaa6-e01998a6788f"
},
"uuid": "79cd2ec8-068c-4a7a-8133-1855381d3bd3",
"value": "APT1 (G0006) uses Tasklist (S0057)"
},
{
"meta": {
"source-uuid": "f27ef4f2-71fe-48b6-b7f4-02dcac14320e",
"target-uuid": "56ff457d-5e39-492b-974c-dfd2b8603ffe"
},
"uuid": "5718d7a3-c402-4816-92fb-4322094b84f8",
"value": "Private Keys Mitigation (T1145) mitigates Private Keys (T1145)"
},
{
"meta": {
"source-uuid": "e1161124-f22e-487f-9d5f-ed8efc8dcd61",
"target-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0"
},
"uuid": "4ffe2425-c971-45e5-9256-0b1a2bf63bbf",
"value": "Mis-Type (S0084) uses Masquerading (T1036)"
},
{
"meta": {
"source-uuid": "93f52415-0fe4-4d3d-896c-fc9b8e88ab90",
"target-uuid": "afc079f3-c0ea-4096-b75d-3f05338b7f60"
},
"uuid": "28471736-5b62-4132-b4ed-c22ae449b455",
"value": "BRONZE BUTLER (G0060) uses Mimikatz (S0002)"
},
{
"meta": {
"source-uuid": "a60657fa-e2e7-4f8f-8128-a882534ae8c5",
"target-uuid": "b2001907-166b-4d71-bb3c-9d26c871de09"
},
"uuid": "c1884e62-7b2e-45a1-89fd-c76b1b717f50",
"value": "OwaAuth (S0072) uses DLL Side-Loading (T1073)"
},
{
"meta": {
"source-uuid": "e6ef745b-077f-42e1-a37d-29eecff9c754",
"target-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1"
},
"uuid": "166c430d-0272-4dca-8d30-318cda0a0a63",
"value": "CozyCar (S0046) uses System Information Discovery (T1082)"
},
{
"meta": {
"source-uuid": "54cc1d4f-5c53-4f0e-9ef5-11b4998e82e4",
"target-uuid": "e3a12395-188d-4051-9a16-ea8e14d07b88"
},
"uuid": "47e4d006-2685-4628-a46b-f6d9066f3585",
"value": "BlackEnergy (S0089) uses Network Service Scanning (T1046)"
},
{
"meta": {
"source-uuid": "bb3c1098-d654-4620-bf40-694386d28921",
"target-uuid": "3b3cbbe0-6ed3-4334-b543-3ddfd8c5642d"
},
"uuid": "a00d3582-7c2d-45dc-8580-1de25356ae70",
"value": "FakeM (S0076) uses Custom Cryptographic Protocol (T1024)"
},
{
"meta": {
"source-uuid": "b42378e0-f147-496f-992a-26a49705395b",
"target-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d"
},
"uuid": "7d020981-51b3-4ff6-825f-7cd192c934e1",
"value": "PoisonIvy (S0012) uses Process Injection (T1055)"
},
{
"meta": {
"source-uuid": "c93fccb1-e8e8-42cf-ae33-2ad1d183913a",
"target-uuid": "a93494bb-4b80-4ea1-8695-3236a49916fd"
},
"uuid": "83ba5b2c-b3fd-4558-a3f8-cef4c31e02bd",
"value": "Lazarus Group (G0032) uses Brute Force (T1110)"
},
{
"meta": {
"source-uuid": "17862c7d-9e60-48a0-b48e-da4dc4c3f6b0",
"target-uuid": "1c338d0f-a65e-4073-a5c1-c06878849f21"
},
"uuid": "28139c5b-be96-44d2-8e54-425311d108d6",
"value": "Patchwork (G0040) uses Process Hollowing (T1093)"
},
{
"meta": {
"source-uuid": "0bbdf25b-30ff-4894-a1cd-49260d0dd2d9",
"target-uuid": "b9f5dbe2-4c55-4fc5-af2e-d42c1d182ec4"
},
"uuid": "b028b9a6-4031-4b56-8dd5-0bdd3c59dbec",
"value": "APT3 (G0022) uses Data Compressed (T1002)"
},
{
"meta": {
"source-uuid": "92ec0cbd-2c30-44a2-b270-73f4ec949841",
"target-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580"
},
"uuid": "f0cf3ea2-5345-48d7-9685-be0180eb0e4a",
"value": "RTM (S0148) uses Process Discovery (T1057)"
},
{
"meta": {
"source-uuid": "6a2e693f-24e5-451a-9f88-b36a108e5662",
"target-uuid": "b42378e0-f147-496f-992a-26a49705395b"
},
"uuid": "47545d87-b0ae-45ae-aeea-dc849eac2f6f",
"value": "APT1 (G0006) uses PoisonIvy (S0012)"
},
{
"meta": {
"source-uuid": "7a19ecb1-3c65-4de3-a230-993516aed6a6",
"target-uuid": "cde2d700-9ed1-46cf-9bce-07364fe8b24f"
},
"uuid": "d0ed3128-67f0-43dd-b1d9-01843eb71b77",
"value": "Turla (G0010) uses Reg (S0075)"
},
{
"meta": {
"source-uuid": "38fd6a28-3353-4f2b-bb2b-459fecd5c648",
"target-uuid": "9e2bba94-950b-4fcf-8070-cb3f816c5f4e"
},
"uuid": "7dc4c8b9-a380-4dc0-9973-a8a2f8d0175c",
"value": "APT18 (G0026) uses hcdLoader (S0071)"
},
{
"meta": {
"source-uuid": "eff1a885-6f90-42a1-901f-eef6e7a1905e",
"target-uuid": "7dd95ff6-712e-4056-9626-312ea4ab4c5e"
},
"uuid": "9c7ecbf4-88fe-4144-8dc4-f5bca2c3156d",
"value": "Helminth (S0170) uses Data Staged (T1074)"
},
{
"meta": {
"source-uuid": "5f9f7648-04ba-4a9f-bb4c-2a13e74572bd",
"target-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830"
},
"uuid": "16632790-94dc-40ce-9c0a-2f6af0f691b1",
"value": "Pteranodon (S0147) uses Command-Line Interface (T1059)"
},
{
"meta": {
"source-uuid": "fb366179-766c-4a4a-afa1-52bff1fd601c",
"target-uuid": "c3bce4f4-9795-46c6-976e-8676300bbc39"
},
"uuid": "df8350d6-a7a7-421d-a9e8-64d7e0cc0653",
"value": "Threat Group-3390 (G0027) uses Windows Remote Management (T1028)"
},
{
"meta": {
"source-uuid": "0bbdf25b-30ff-4894-a1cd-49260d0dd2d9",
"target-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1"
},
"uuid": "b0791504-fc65-402b-bc47-bd96ed4abea1",
"value": "APT3 (G0022) uses System Information Discovery (T1082)"
},
{
"meta": {
"source-uuid": "68ba94ab-78b8-43e7-83e2-aed3466882c6",
"target-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830"
},
"uuid": "7e216050-e850-4591-a870-7148d4544642",
"value": "APT34 (G0057) uses Command-Line Interface (T1059)"
},
{
"meta": {
"source-uuid": "58adaaa8-f1e8-4606-9a08-422e568461eb",
"target-uuid": "e358d692-23c0-4a31-9eb6-ecc13a8d7735"
},
"uuid": "9ea25bfb-3e3a-42cb-8d2a-939169057806",
"value": "SHOTPUT (S0063) uses Remote System Discovery (T1018)"
},
{
"meta": {
"source-uuid": "8901ac23-6b50-410c-b0dd-d8174a86f9b3",
"target-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a"
},
"uuid": "59df5f14-e570-417e-8184-e8e7c6c1ea75",
"value": "Shamoon (S0140) uses Obfuscated Files or Information (T1027)"
},
{
"meta": {
"source-uuid": "4f45dfeb-fe51-4df0-8db3-edf7dd0513fe",
"target-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22"
},
"uuid": "f1d5a985-406e-4b03-9f55-2706a2adba92",
"value": "Fgdump (S0120) uses Credential Dumping (T1003)"
},
{
"meta": {
"source-uuid": "ab3580c8-8435-4117-aace-3d9fbe46aa56",
"target-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104"
},
"uuid": "1d3296a5-9a15-4bd9-a294-ee014348136c",
"value": "Unknown Logger (S0130) uses System Owner/User Discovery (T1033)"
},
{
"meta": {
"source-uuid": "ed202147-4026-4330-b5bd-1e8dfa8cf7cc",
"target-uuid": "57340c81-c025-4189-8fa0-fc7ede51bae4"
},
"uuid": "ff93eedd-e788-4541-9a9b-ccead3df0d13",
"value": "Modify Registry Mitigation (T1112) mitigates Modify Registry (T1112)"
},
{
"meta": {
"source-uuid": "1c6bc7f3-d517-4971-aed4-8f939090846b",
"target-uuid": "1f47e2fd-fa77-4f2f-88ee-e85df308f125"
},
"uuid": "05d3fd1d-6041-4395-906a-e3104a192e1c",
"value": "Port Monitors Mitigation (T1013) mitigates Port Monitors (T1013)"
},
{
"meta": {
"source-uuid": "a653431d-6a5e-4600-8ad3-609b5af57064",
"target-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580"
},
"uuid": "1fbf92c8-747b-4c0f-ab33-ce63cbff8197",
"value": "Deep Panda (G0009) uses Process Discovery (T1057)"
},
{
"meta": {
"source-uuid": "f047ee18-7985-4946-8bfb-4ed754d3a0dd",
"target-uuid": "fb261c56-b80e-43a9-8351-c84081e7213d"
},
"uuid": "9820c1e9-a414-4af1-a78c-aaf2cb164361",
"value": "APT30 (G0013) uses BACKSPACE (S0031)"
},
{
"meta": {
"source-uuid": "1e4ef2c7-ee96-4484-9baa-3b5777561301",
"target-uuid": "5ad95aaa-49c1-4784-821d-2e83f47b079b"
},
"uuid": "620ab17a-3e46-4083-82b0-aeff74d104cd",
"value": "AppleScript Mitigation (T1155) mitigates AppleScript (T1155)"
},
{
"meta": {
"source-uuid": "ab3580c8-8435-4117-aace-3d9fbe46aa56",
"target-uuid": "3b744087-9945-4a6f-91e8-9dbceda417a4"
},
"uuid": "291df761-474b-4c5f-a9bd-2aaef0f80d70",
"value": "Unknown Logger (S0130) uses Replication Through Removable Media (T1091)"
},
{
"meta": {
"source-uuid": "d0415180-51e9-40ce-b57c-c332b0b441f2",
"target-uuid": "f4882e23-8aa7-4b12-b28a-b349c12ee9e0"
},
"uuid": "1f8f6283-6004-4204-a54f-759e9c0519b1",
"value": "PowerShell Mitigation (T1086) mitigates PowerShell (T1086)"
},
{
"meta": {
"source-uuid": "c47f937f-1022-4f42-8525-e7a4779a14cb",
"target-uuid": "ad4f146f-e3ec-444a-ba71-24bffd7f0f8e"
},
"uuid": "d242dc5a-3969-498c-b7eb-5d850e7d384d",
"value": "APT12 (G0005) uses RIPTIDE (S0003)"
},
{
"meta": {
"source-uuid": "4e6b9625-bbda-4d96-a652-b3bb45453f26",
"target-uuid": "54a649ff-439a-41a4-9856-8d144a2551ba"
},
"uuid": "d6fd820e-09ea-494d-a5f7-9de4431a309d",
"value": "RemoteCMD (S0166) uses Remote Services (T1021)"
},
{
"meta": {
"source-uuid": "bef4c620-0787-42a8-a96d-b7eb6e85917c",
"target-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81"
},
"uuid": "7606ad11-1322-4b97-83b9-aaafaee02c07",
"value": "APT28 (G0007) uses Valid Accounts (T1078)"
},
{
"meta": {
"source-uuid": "5f9f7648-04ba-4a9f-bb4c-2a13e74572bd",
"target-uuid": "62b8c999-dcc0-4755-bd69-09442d9359f5"
},
"uuid": "a20b8e4c-330f-4e91-b4f6-e58e5800d690",
"value": "Pteranodon (S0147) uses Rundll32 (T1085)"
},
{
"meta": {
"source-uuid": "d256cb63-b021-4b4a-bb6d-1b42eea179a3",
"target-uuid": "e3a12395-188d-4051-9a16-ea8e14d07b88"
},
"uuid": "371d43af-ef68-4471-9db9-f2d40d2baefc",
"value": "Network Service Scanning Mitigation (T1046) mitigates Network Service Scanning (T1046)"
},
{
"meta": {
"source-uuid": "1c63d4ec-0a75-4daa-b1df-0d11af3d3cc1",
"target-uuid": "ff6caf67-ea1f-4895-b80e-4bb0fc31c6db"
},
"uuid": "397e4a59-23b1-47ef-9a57-9f401375b2cb",
"value": "Dragonfly (G0035) uses PsExec (S0029)"
},
{
"meta": {
"source-uuid": "55033a4d-3ffe-46b2-99b4-2c1541e9ce1c",
"target-uuid": "5a63f900-5e7e-4928-a746-dd4558e1df71"
},
"uuid": "e2e2d332-f27b-46fb-b48f-4ee1872b321f",
"value": "Carbanak (G0008) uses netsh (S0108)"
},
{
"meta": {
"source-uuid": "5ce5392a-3a6c-4e07-9df3-9b6a9159ac45",
"target-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc"
},
"uuid": "55120727-0b7f-4d6a-a881-d17bdc9c85ba",
"value": "Putter Panda (G0024) uses Registry Run Keys / Start Folder (T1060)"
},
{
"meta": {
"source-uuid": "37cc7eb6-12e3-467b-82e8-f20f2cc73c69",
"target-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0"
},
"uuid": "3caec960-fa9c-4b2f-80e4-6dd4471e26ba",
"value": "Prikormka (S0113) uses System Network Configuration Discovery (T1016)"
},
{
"meta": {
"source-uuid": "e066bf86-9cfb-407a-9d25-26fd5d91e360",
"target-uuid": "b2001907-166b-4d71-bb3c-9d26c871de09"
},
"uuid": "71ede2de-7e5f-49fa-ac07-9322ef4857ae",
"value": "HTTPBrowser (S0070) uses DLL Side-Loading (T1073)"
},
{
"meta": {
"source-uuid": "f3bdec95-3d62-42d9-a840-29630f6cdc1a",
"target-uuid": "64fa0de0-6240-41f4-8638-f4ca7ed528fd"
},
"uuid": "ee2739de-6829-4c73-b72b-91ba4b9fac5c",
"value": "DragonOK (G0017) uses PlugX (S0013)"
},
{
"meta": {
"source-uuid": "6a0ef5d4-fc7c-4dda-85d7-592e4dbdc5d9",
"target-uuid": "7e150503-88e7-4861-866b-ff1ac82c4475"
},
"uuid": "83ad6071-8874-49c9-98cd-0d493a8eeb07",
"value": "Sykipot (S0018) uses System Network Connections Discovery (T1049)"
},
{
"meta": {
"source-uuid": "09b2cd76-c674-47cc-9f57-d2f2ad150a46",
"target-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0"
},
"uuid": "0bd2ee1a-6202-4ff5-9a42-4869a276a92c",
"value": "POWRUNER (S0184) uses System Network Configuration Discovery (T1016)"
},
{
"meta": {
"source-uuid": "bb3c1098-d654-4620-bf40-694386d28921",
"target-uuid": "ad255bfe-a9e6-4b52-a258-8d3462abe842"
},
"uuid": "d8c5b193-b49d-4c0e-a9da-072302ff47a0",
"value": "FakeM (S0076) uses Data Obfuscation (T1001)"
},
{
"meta": {
"source-uuid": "cb7bcf6f-085f-41db-81ee-4b68481661b5",
"target-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add"
},
"uuid": "bdd64378-e348-4156-8490-528392c6ea82",
"value": "CallMe (S0077) uses Remote File Copy (T1105)"
},
{
"meta": {
"source-uuid": "dfb5fa9b-3051-4b97-8035-08f80aef945b",
"target-uuid": "7bc57495-ea59-4380-be31-a64af124ef18"
},
"uuid": "922c214d-ad32-4490-bb3f-a4db73b718d5",
"value": "Psylo (S0078) uses File and Directory Discovery (T1083)"
},
{
"meta": {
"source-uuid": "fb575479-14ef-41e9-bfab-0b7cf10bec73",
"target-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580"
},
"uuid": "66819f02-7a22-4f21-8e4f-df24969e5567",
"value": "ADVSTORESHELL (S0045) uses Process Discovery (T1057)"
},
{
"meta": {
"source-uuid": "5cbe0d3b-6fb1-471f-b591-4b192915116d",
"target-uuid": "e3a12395-188d-4051-9a16-ea8e14d07b88"
},
"uuid": "9b360cf4-4600-4ea8-a28c-99d91e0d1734",
"value": "Suckfly (G0039) uses Network Service Scanning (T1046)"
},
{
"meta": {
"source-uuid": "e6ef745b-077f-42e1-a37d-29eecff9c754",
"target-uuid": "830c9528-df21-472c-8c14-a036bf17d665"
},
"uuid": "233d1a32-f826-4705-a535-806edee8a5aa",
"value": "CozyCar (S0046) uses Web Service (T1102)"
},
{
"meta": {
"source-uuid": "d1acfbb3-647b-4723-9154-800ec119006e",
"target-uuid": "196f1f32-e0c2-4d46-99cd-234d4b6befe1"
},
"uuid": "b2496438-9431-40e5-8ca0-2ec713f342c3",
"value": "Sowbug (G0054) uses Felismus (S0171)"
},
{
"meta": {
"source-uuid": "2fb26586-2b53-4b9a-ad4f-2b3bcb9a2421",
"target-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104"
},
"uuid": "0df8e968-716a-4de9-9669-862af62d6eb6",
"value": "SslMM (S0058) uses System Owner/User Discovery (T1033)"
},
{
"meta": {
"source-uuid": "bef4c620-0787-42a8-a96d-b7eb6e85917c",
"target-uuid": "1b7ba276-eedc-4951-a762-0ceea2c030ec"
},
"uuid": "78e8d9e6-48b7-473f-af94-43f626de7931",
"value": "APT28 (G0007) uses Data from Removable Media (T1025)"
},
{
"meta": {
"source-uuid": "3e7018e9-7389-48e7-9208-0bdbcbba9483",
"target-uuid": "d3046a90-580c-4004-8208-66915bc29830"
},
"uuid": "02f28dfb-4e72-47e2-a390-2ec3fa67d26d",
"value": "Clear Command History Mitigation (T1146) mitigates Clear Command History (T1146)"
},
{
"meta": {
"source-uuid": "f108215f-3487-489d-be8b-80e346d32518",
"target-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6"
},
"uuid": "cdca2bdf-a29b-45d5-90ff-17ab56b094a4",
"value": "Komplex (S0162) uses Standard Application Layer Protocol (T1071)"
},
{
"meta": {
"source-uuid": "09b2cd76-c674-47cc-9f57-d2f2ad150a46",
"target-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580"
},
"uuid": "408db284-4c7a-4ad4-8399-90a8102b4bfa",
"value": "POWRUNER (S0184) uses Process Discovery (T1057)"
},
{
"meta": {
"source-uuid": "f108215f-3487-489d-be8b-80e346d32518",
"target-uuid": "dd901512-6e37-4155-943b-453e3777b125"
},
"uuid": "6c879d75-7f07-44ff-9801-815a549cdc44",
"value": "Komplex (S0162) uses Launch Agent (T1159)"
},
{
"meta": {
"source-uuid": "6a2e693f-24e5-451a-9f88-b36a108e5662",
"target-uuid": "f2e8c7a1-cae1-45c4-baf0-6f21bdcbb2c2"
},
"uuid": "324a5331-cce7-4154-a803-ad68d5de1f94",
"value": "APT1 (G0006) uses GLOOXMAIL (S0026)"
},
{
"meta": {
"source-uuid": "a569295c-a093-4db4-9fb4-7105edef85ad",
"target-uuid": "3b3cbbe0-6ed3-4334-b543-3ddfd8c5642d"
},
"uuid": "442aa7b4-00a0-4d73-ae61-5a09c319ac1c",
"value": "Custom Cryptographic Protocol Mitigation (T1024) mitigates Custom Cryptographic Protocol (T1024)"
},
{
"meta": {
"source-uuid": "326af1cd-78e7-45b7-a326-125d2f7ef8f2",
"target-uuid": "1608f3e1-598a-42f4-a01a-2e252e81728f"
},
"uuid": "892ff1d1-3da9-489e-89c3-374ab07a417b",
"value": "Crimson (S0115) uses Email Collection (T1114)"
},
{
"meta": {
"source-uuid": "326af1cd-78e7-45b7-a326-125d2f7ef8f2",
"target-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add"
},
"uuid": "a0186caf-482a-4f2a-bf2f-cac9fc51244a",
"value": "Crimson (S0115) uses Remote File Copy (T1105)"
},
{
"meta": {
"source-uuid": "eff1a885-6f90-42a1-901f-eef6e7a1905e",
"target-uuid": "30973a08-aed9-4edf-8604-9084ce1b5c4f"
},
"uuid": "a58983e1-45d7-4b45-a578-307659a619dc",
"value": "Helminth (S0170) uses Clipboard Data (T1115)"
},
{
"meta": {
"source-uuid": "0db09158-6e48-4e7c-8ce7-2b10b9c0c039",
"target-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0"
},
"uuid": "01ab8fee-5204-40c1-ac7a-b11a5683a87d",
"value": "Misdat (S0083) uses Masquerading (T1036)"
},
{
"meta": {
"source-uuid": "66b1dcde-17a0-4c7b-95fa-b08d430c2131",
"target-uuid": "cc7b8c4e-9be0-47ca-b0bb-83915ec3ee2f"
},
"uuid": "813e4416-bee6-4192-a712-6b5f80a7fff3",
"value": "S-Type (S0085) uses Data Encoding (T1132)"
},
{
"meta": {
"source-uuid": "ff6840c9-4c87-4d07-bbb6-9f50aa33d498",
"target-uuid": "0259baeb-9f63-4c69-bf10-eb038c390688"
},
"uuid": "7ba62129-a4ba-42b4-9971-4a650682cb52",
"value": "Flame (S0143) uses Screen Capture (T1113)"
},
{
"meta": {
"source-uuid": "0bbdf25b-30ff-4894-a1cd-49260d0dd2d9",
"target-uuid": "c21d5a77-d422-4a69-acd7-2c53c1faa34b"
},
"uuid": "df4b49f1-71ca-4744-8554-47bf36174d89",
"value": "APT3 (G0022) uses Standard Non-Application Layer Protocol (T1095)"
},
{
"meta": {
"source-uuid": "399d9038-b100-43ef-b28d-a5065106b935",
"target-uuid": "c21d5a77-d422-4a69-acd7-2c53c1faa34b"
},
"uuid": "aa80b239-dc67-4883-adfd-6a10e96c18c6",
"value": "Standard Non-Application Layer Protocol Mitigation (T1095) mitigates Standard Non-Application Layer Protocol (T1095)"
},
{
"meta": {
"source-uuid": "bef4c620-0787-42a8-a96d-b7eb6e85917c",
"target-uuid": "dcaa092b-7de9-4a21-977f-7fcb77e89c48"
},
"uuid": "b719d37b-8f0e-4704-b21d-8977a5c7cceb",
"value": "APT28 (G0007) uses Access Token Manipulation (T1134)"
},
{
"meta": {
"source-uuid": "af2ad3b7-ab6a-4807-91fd-51bcaff9acbb",
"target-uuid": "774a3188-6ba9-4dc4-879d-d54ee48a5ce9"
},
"uuid": "ae8a95fa-c0ad-40b4-a573-a9441ed94fab",
"value": "USBStealer (S0136) uses Automated Exfiltration (T1020)"
},
{
"meta": {
"source-uuid": "fde50aaa-f5de-4cb8-989a-babb57d6a704",
"target-uuid": "a93494bb-4b80-4ea1-8695-3236a49916fd"
},
"uuid": "2355c588-ff82-4eaf-82db-54af59ede582",
"value": "Net Crawler (S0056) uses Brute Force (T1110)"
},
{
"meta": {
"source-uuid": "94379dec-5c87-49db-b36e-66abc0b81344",
"target-uuid": "c21d5a77-d422-4a69-acd7-2c53c1faa34b"
},
"uuid": "c52eb151-c8c5-45f1-984b-d99a12ca05cf",
"value": "Derusbi (S0021) uses Standard Non-Application Layer Protocol (T1095)"
},
{
"meta": {
"source-uuid": "899ce53f-13a0-479b-a0e4-67d46e241542",
"target-uuid": "65370d0b-3bd4-4653-8cf9-daf56f6be830"
},
"uuid": "0e0197fe-eca5-4d70-bf72-2d9092bc777b",
"value": "APT29 (G0016) uses meek (S0175)"
},
{
"meta": {
"source-uuid": "c0c45d38-fe57-4cd4-b2b2-9ecd0ddd4ca9",
"target-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2"
},
"uuid": "d8f5283b-fe44-4206-8a7d-393d216beb7e",
"value": "TinyZBot (S0004) uses Input Capture (T1056)"
},
{
"meta": {
"source-uuid": "92ec0cbd-2c30-44a2-b270-73f4ec949841",
"target-uuid": "62b8c999-dcc0-4755-bd69-09442d9359f5"
},
"uuid": "b258b8da-ddd2-4f0e-b5da-83a89f018d54",
"value": "RTM (S0148) uses Rundll32 (T1085)"
},
{
"meta": {
"source-uuid": "03342581-f790-4f03-ba41-e82e67392e23",
"target-uuid": "15dbf668-795c-41e6-8219-f0447c0e64ce"
},
"uuid": "75f7d0e0-b1e9-4289-8895-d8a262930523",
"value": "Net (S0039) uses Permission Groups Discovery (T1069)"
},
{
"meta": {
"source-uuid": "09b2cd76-c674-47cc-9f57-d2f2ad150a46",
"target-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104"
},
"uuid": "5183147b-4563-4a01-a360-a419691e35f8",
"value": "POWRUNER (S0184) uses System Owner/User Discovery (T1033)"
},
{
"meta": {
"source-uuid": "8901ac23-6b50-410c-b0dd-d8174a86f9b3",
"target-uuid": "f3c544dc-673c-4ef3-accb-53229f1ae077"
},
"uuid": "0024d82d-97ea-4dc5-81a1-8738862e1f3b",
"value": "Shamoon (S0140) uses System Time Discovery (T1124)"
},
{
"meta": {
"source-uuid": "68dca94f-c11d-421e-9287-7c501108e18c",
"target-uuid": "4ae4f953-fe58-4cc8-a327-33257e30a830"
},
"uuid": "bbc31a33-f55f-43d4-a3fd-23426c5fc638",
"value": "Duqu (S0038) uses Application Window Discovery (T1010)"
},
{
"meta": {
"source-uuid": "92ec0cbd-2c30-44a2-b270-73f4ec949841",
"target-uuid": "3b3cbbe0-6ed3-4334-b543-3ddfd8c5642d"
},
"uuid": "87fb2671-e71a-4630-bde2-67e546fdeaa6",
"value": "RTM (S0148) uses Custom Cryptographic Protocol (T1024)"
},
{
"meta": {
"source-uuid": "0ced8926-914e-4c78-bc93-356fb90dbd1f",
"target-uuid": "01a5a209-b94c-450b-b7f9-946497d91055"
},
"uuid": "77ea5d03-715b-4247-8484-6c1cf2bc7984",
"value": "HALFBAKED (S0151) uses Windows Management Instrumentation (T1047)"
},
{
"meta": {
"source-uuid": "c1676218-c16a-41c9-8f7a-023779916e39",
"target-uuid": "7e150503-88e7-4861-866b-ff1ac82c4475"
},
"uuid": "b6f00052-49e3-48c5-8f5e-492be4e67acf",
"value": "System Network Connections Discovery Mitigation (T1049) mitigates System Network Connections Discovery (T1049)"
},
{
"meta": {
"source-uuid": "4ca1929c-7d64-4aab-b849-badbfc0c760d",
"target-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22"
},
"uuid": "0fa0f5d6-be0b-4a48-938c-6d9bb8b1a170",
"value": "OilRig (G0049) uses Credential Dumping (T1003)"
},
{
"meta": {
"source-uuid": "85403903-15e0-4f9f-9be4-a259ecad4022",
"target-uuid": "6aabc5ec-eae6-422c-8311-38d45ee9838a"
},
"uuid": "11f6ad22-0293-47bd-95d1-34bf4ee1de9e",
"value": "FIN5 (G0053) uses Redundant Access (T1108)"
},
{
"meta": {
"source-uuid": "624d063d-cda8-4616-b4e4-54c04e427aec",
"target-uuid": "bb0e0cb5-f3e4-4118-a4cb-6bf13bfbc9f2"
},
"uuid": "e8c25f99-67f0-4aae-aeee-55e5bcea2d8e",
"value": "Netsh Helper DLL Mitigation (T1128) mitigates Netsh Helper DLL (T1128)"
},
{
"meta": {
"source-uuid": "53cf6cc4-65aa-445a-bcf8-c3d296f8a7a2",
"target-uuid": "c21d5a77-d422-4a69-acd7-2c53c1faa34b"
},
"uuid": "b41abaa3-a21f-4d2c-9c60-c90c4f360b00",
"value": "NETEAGLE (S0034) uses Standard Non-Application Layer Protocol (T1095)"
},
{
"meta": {
"source-uuid": "69d6f4a9-fcf0-4f51-bca7-597c51ad0bb8",
"target-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0"
},
"uuid": "48b75b8b-5bef-4f99-baa8-5fa978d371d2",
"value": "Remsec (S0125) uses Masquerading (T1036)"
},
{
"meta": {
"source-uuid": "03342581-f790-4f03-ba41-e82e67392e23",
"target-uuid": "3489cfc5-640f-4bb3-a103-9137b97de79f"
},
"uuid": "3b5d1788-c59b-4e84-97b0-b109df608619",
"value": "Net (S0039) uses Network Share Discovery (T1135)"
},
{
"meta": {
"source-uuid": "17b40f60-729f-4fe8-8aea-cc9ee44a95d5",
"target-uuid": "4b74a1d4-b0e9-4ef1-93f1-14ecc6e2f5b5"
},
"uuid": "b94e707d-b2f8-4b68-acac-44d3777dd93f",
"value": "RedLeaves (S0153) uses Standard Cryptographic Protocol (T1032)"
},
{
"meta": {
"source-uuid": "6713ab67-e25b-49cc-808d-2b36d4fbc35c",
"target-uuid": "ffe742ed-9100-4686-9e00-c331da544787"
},
"uuid": "42d2f816-9db2-47bf-9481-3065d038725d",
"value": "Ke3chang (G0004) uses Windows Admin Shares (T1077)"
},
{
"meta": {
"source-uuid": "aafea02e-ece5-4bb2-91a6-3bf8c7f38a39",
"target-uuid": "f879d51c-5476-431c-aedf-f14d207e4d1e"
},
"uuid": "8924eb12-0841-48ca-9d36-69de932b1f21",
"value": "Cobalt Strike (S0154) uses Commonly Used Port (T1043)"
},
{
"meta": {
"source-uuid": "2a158b0a-7ef8-43cb-9985-bf34d1e12050",
"target-uuid": "7f8730af-f683-423f-9ee1-5f6875a80481"
},
"uuid": "956303a4-558c-433d-bc2f-28a7e69192ae",
"value": "Naikon (G0019) uses Sys10 (S0060)"
},
{
"meta": {
"source-uuid": "a60657fa-e2e7-4f8f-8128-a882534ae8c5",
"target-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0"
},
"uuid": "1088fc27-2de5-4b73-83fd-6741ab3ff4d6",
"value": "OwaAuth (S0072) uses Masquerading (T1036)"
},
{
"meta": {
"source-uuid": "3cab1b76-2f40-4cd0-8d2c-7ed16eeb909c",
"target-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580"
},
"uuid": "771c349e-1b23-41ea-bcab-59bdbd6c935f",
"value": "ELMER (S0064) uses Process Discovery (T1057)"
},
{
"meta": {
"source-uuid": "09b2cd76-c674-47cc-9f57-d2f2ad150a46",
"target-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9"
},
"uuid": "ea5f9e1f-68fb-46dd-9e09-f66066808d0c",
"value": "POWRUNER (S0184) uses Scheduled Task (T1053)"
},
{
"meta": {
"source-uuid": "bef4c620-0787-42a8-a96d-b7eb6e85917c",
"target-uuid": "64196062-5210-42c3-9a02-563a0d1797ef"
},
"uuid": "c569059f-8a7d-4777-a111-d3ab62d178ca",
"value": "APT28 (G0007) uses Communication Through Removable Media (T1092)"
},
{
"meta": {
"source-uuid": "98e8a977-3416-43aa-87fa-33e287e9c14c",
"target-uuid": "c21d5a77-d422-4a69-acd7-2c53c1faa34b"
},
"uuid": "1984ba26-2309-49db-8c42-75951d0ef678",
"value": "WINDSHIELD (S0155) uses Standard Non-Application Layer Protocol (T1095)"
},
{
"meta": {
"source-uuid": "da5880b4-f7da-4869-85f2-e0aba84b8565",
"target-uuid": "355be19c-ffc9-46d5-8d50-d6a036c675b6"
},
"uuid": "1782abeb-8d28-42a1-8abe-c137f23b282c",
"value": "ComRAT (S0126) uses Standard Application Layer Protocol (T1071)"
},
{
"meta": {
"source-uuid": "63c2a130-8a5b-452f-ad96-07cf0af12ffe",
"target-uuid": "241814ae-de3f-4656-b49e-f9a80764d4b7"
},
"uuid": "17f9d6c8-f938-4532-b834-3834655911b8",
"value": "Dyre (S0024) uses Security Software Discovery (T1063)"
},
{
"meta": {
"source-uuid": "c9703cd3-141c-43a0-a926-380082be5d04",
"target-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9"
},
"uuid": "eeeac3c6-78d1-4506-a9a9-2518d0c6e500",
"value": "schtasks (S0111) uses Scheduled Task (T1053)"
},
{
"meta": {
"source-uuid": "e6ef745b-077f-42e1-a37d-29eecff9c754",
"target-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9"
},
"uuid": "ae38c68d-cc08-4460-9d98-ddf957f837e2",
"value": "CozyCar (S0046) uses Scheduled Task (T1053)"
},
{
"meta": {
"source-uuid": "7a19ecb1-3c65-4de3-a230-993516aed6a6",
"target-uuid": "b35068ec-107a-4266-bda8-eb7036267aea"
},
"uuid": "1ab3f63b-bd80-4e4c-8f62-79f26b9724ab",
"value": "Turla (G0010) uses nbtstat (S0102)"
},
{
"meta": {
"source-uuid": "8bd1ae32-a686-48f4-a6f8-470287f76152",
"target-uuid": "30208d3e-0d6b-43c8-883e-44462a514619"
},
"uuid": "fa04ac7f-206f-42ad-b0c7-499e57bc99ce",
"value": "Automated Collection Mitigation (T1119) mitigates Automated Collection (T1119)"
},
{
"meta": {
"source-uuid": "c93fccb1-e8e8-42cf-ae33-2ad1d183913a",
"target-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830"
},
"uuid": "de376ec3-0fad-4c41-944d-2d74cee6968c",
"value": "Lazarus Group (G0032) uses Command-Line Interface (T1059)"
},
{
"meta": {
"source-uuid": "8a61f6b9-6b7a-4cf2-8e08-f1e26434f6df",
"target-uuid": "91ce1ede-107f-4d8b-bf4c-735e8789c94b"
},
"uuid": "67bde2b2-49d1-4a61-8fe7-1a48c58089e6",
"value": "Input Prompt Mitigation (T1141) mitigates Input Prompt (T1141)"
},
{
"meta": {
"source-uuid": "a8d3d497-2da9-4797-8e0b-ed176be08654",
"target-uuid": "241814ae-de3f-4656-b49e-f9a80764d4b7"
},
"uuid": "b1371fd9-1bfd-40b2-90a2-4876d89029bf",
"value": "Wingbird (S0176) uses Security Software Discovery (T1063)"
},
{
"meta": {
"source-uuid": "ab3580c8-8435-4117-aace-3d9fbe46aa56",
"target-uuid": "2e0dd10b-676d-4964-acd0-8a404c92b044"
},
"uuid": "fb1ff794-8060-42c8-8969-b6660b07068f",
"value": "Unknown Logger (S0130) uses Disabling Security Tools (T1089)"
},
{
"meta": {
"source-uuid": "68ba94ab-78b8-43e7-83e2-aed3466882c6",
"target-uuid": "eff1a885-6f90-42a1-901f-eef6e7a1905e"
},
"uuid": "ce288414-89f3-40d4-9a85-004d8a064eb4",
"value": "APT34 (G0057) uses Helminth (S0170)"
},
{
"meta": {
"source-uuid": "4b62ab58-c23b-4704-9c15-edd568cd59f8",
"target-uuid": "6856ddd6-2df3-4379-8b87-284603c189c3"
},
"uuid": "6ab0ff01-1695-4301-ac9a-1cd0719be532",
"value": "Hacking Team UEFI Rootkit (S0047) uses System Firmware (T1019)"
},
{
"meta": {
"source-uuid": "68dca94f-c11d-421e-9287-7c501108e18c",
"target-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580"
},
"uuid": "3b0a7f6a-173f-41e6-8dec-2d1b4a0851d9",
"value": "Duqu (S0038) uses Process Discovery (T1057)"
},
{
"meta": {
"source-uuid": "91000a8a-58cc-4aba-9ad0-993ad6302b86",
"target-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1"
},
"uuid": "788ca56e-1194-4c5f-a12b-72678390f1ef",
"value": "StreamEx (S0142) uses System Information Discovery (T1082)"
},
{
"meta": {
"source-uuid": "39706d54-0d06-4a25-816a-78cc43455100",
"target-uuid": "1b7ba276-eedc-4951-a762-0ceea2c030ec"
},
"uuid": "bb283a5e-7d61-4b33-aa30-e7c2f0bacbe6",
"value": "Data from Removable Media Mitigation (T1025) mitigates Data from Removable Media (T1025)"
},
{
"meta": {
"source-uuid": "d519164e-f5fa-4b8c-a1fb-cf0172ad0983",
"target-uuid": "ffe742ed-9100-4686-9e00-c331da544787"
},
"uuid": "0512a63b-58c8-4b0c-b2b4-e4da562cee5f",
"value": "Threat Group-1314 (G0028) uses Windows Admin Shares (T1077)"
},
{
"meta": {
"source-uuid": "8901ac23-6b50-410c-b0dd-d8174a86f9b3",
"target-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9"
},
"uuid": "8dd9d97d-0eb1-4e17-94ac-5589db51f878",
"value": "Shamoon (S0140) uses Scheduled Task (T1053)"
},
{
"meta": {
"source-uuid": "76abb3ef-dafd-4762-97cb-a35379429db4",
"target-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59"
},
"uuid": "85c95ce3-8685-4d2a-9d6f-7e4be4cd9623",
"value": "Gazer (S0168) uses File Deletion (T1107)"
},
{
"meta": {
"source-uuid": "2c3ce852-06a2-40ee-8fe6-086f6402a739",
"target-uuid": "4be89c7c-ace6-4876-9377-c8d54cef3d63"
},
"uuid": "4aecd118-a823-4859-9245-90155a0bbe11",
"value": "Hypervisor Mitigation (T1062) mitigates Hypervisor (T1062)"
},
{
"meta": {
"source-uuid": "5967cc93-57c9-404a-8ffd-097edfa7bdfc",
"target-uuid": "68f7e3a1-f09f-4164-9a62-16b648a0dd5a"
},
"uuid": "ecb0d858-dd15-4181-b15b-76459db1d294",
"value": "Hi-Zor (S0087) uses Regsvr32 (T1117)"
},
{
"meta": {
"source-uuid": "7ecc3b4f-5cdb-457e-b55a-df376b359446",
"target-uuid": "f4882e23-8aa7-4b12-b28a-b349c12ee9e0"
},
"uuid": "e2ce90d2-7470-4f2d-a86c-f429b934ab35",
"value": "Poseidon Group (G0033) uses PowerShell (T1086)"
},
{
"meta": {
"source-uuid": "58adaaa8-f1e8-4606-9a08-422e568461eb",
"target-uuid": "7e150503-88e7-4861-866b-ff1ac82c4475"
},
"uuid": "a5efdeb3-10db-4e40-b8cd-61dee7d72cc0",
"value": "SHOTPUT (S0063) uses System Network Connections Discovery (T1049)"
},
{
"meta": {
"source-uuid": "76abb3ef-dafd-4762-97cb-a35379429db4",
"target-uuid": "35dd844a-b219-4e2b-a6bb-efa9a75995a9"
},
"uuid": "eb0307d6-901d-4140-84f9-a08c6a8ea14c",
"value": "Gazer (S0168) uses Scheduled Task (T1053)"
},
{
"meta": {
"source-uuid": "1c63d4ec-0a75-4daa-b1df-0d11af3d3cc1",
"target-uuid": "b77cf5f3-6060-475d-bd60-40ccbf28fdc2"
},
"uuid": "8c8cc494-628c-4540-b5ba-862cd937f94e",
"value": "Dragonfly (G0035) uses Forced Authentication (T1187)"
},
{
"meta": {
"source-uuid": "93f52415-0fe4-4d3d-896c-fc9b8e88ab90",
"target-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc"
},
"uuid": "d20b659b-3595-4171-9beb-668ab26bf398",
"value": "BRONZE BUTLER (G0060) uses Registry Run Keys / Start Folder (T1060)"
},
{
"meta": {
"source-uuid": "bef4c620-0787-42a8-a96d-b7eb6e85917c",
"target-uuid": "edbe24e9-aec4-4994-ac75-6a6bc7f1ddd0"
},
"uuid": "69f57458-bfb2-44a2-a8cf-0fce0e2b0a22",
"value": "APT28 (G0007) uses Dynamic Data Exchange (T1173)"
},
{
"meta": {
"source-uuid": "6e7db820-9735-4545-bc64-039bc4ce354b",
"target-uuid": "a0a189c8-d3bd-4991-bf6f-153d185ee373"
},
"uuid": "0a4e270a-5641-424d-a343-437ae9548125",
"value": "LC_MAIN Hijacking Mitigation (T1149) mitigates LC_MAIN Hijacking (T1149)"
},
{
"meta": {
"source-uuid": "2a7914cf-dff3-428d-ab0f-1014d1c28aeb",
"target-uuid": "b21c3b2d-02e6-45b1-980b-e69051040839"
},
"uuid": "74e737cf-67fb-4f80-ac4e-0ddff90b6f8e",
"value": "FIN6 (G0037) uses Exploitation of Vulnerability (T1068)"
},
{
"meta": {
"source-uuid": "c93fccb1-e8e8-42cf-ae33-2ad1d183913a",
"target-uuid": "128c55d3-aeba-469f-bd3e-c8996ab4112a"
},
"uuid": "d35f6c6f-c1ed-4b0d-b95f-9fd762eb3ac7",
"value": "Lazarus Group (G0032) uses Timestomp (T1099)"
},
{
"meta": {
"source-uuid": "e9595678-d269-469e-ae6b-75e49259de63",
"target-uuid": "ae676644-d2d2-41b7-af7e-9bed1b55898c"
},
"uuid": "6c9649b7-00c6-4503-a911-9e8b9086eac4",
"value": "BADNEWS (S0128) uses Data from Network Shared Drive (T1039)"
},
{
"meta": {
"source-uuid": "64fa0de0-6240-41f4-8638-f4ca7ed528fd",
"target-uuid": "b2001907-166b-4d71-bb3c-9d26c871de09"
},
"uuid": "464ce0ed-31a5-4a99-9791-9ce5bb987f58",
"value": "PlugX (S0013) uses DLL Side-Loading (T1073)"
},
{
"meta": {
"source-uuid": "247cb30b-955f-42eb-97a5-a89fef69341e",
"target-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add"
},
"uuid": "93f1726f-f172-4705-a13a-d5adaeb4e91b",
"value": "APT32 (G0050) uses Remote File Copy (T1105)"
},
{
"meta": {
"source-uuid": "3753cc21-2dae-4dfb-8481-d004e74502cc",
"target-uuid": "f4882e23-8aa7-4b12-b28a-b349c12ee9e0"
},
"uuid": "4856de0a-2635-4081-97a8-3f15593c2aa5",
"value": "FIN7 (G0046) uses PowerShell (T1086)"
},
{
"meta": {
"source-uuid": "7331c66a-5601-4d3f-acf6-ad9e3035eb40",
"target-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59"
},
"uuid": "a9bc7666-f637-4093-a5bb-4edb61710e45",
"value": "Group5 (G0043) uses File Deletion (T1107)"
},
{
"meta": {
"source-uuid": "68ba94ab-78b8-43e7-83e2-aed3466882c6",
"target-uuid": "0998045d-f96e-4284-95ce-3c8219707486"
},
"uuid": "47214641-972c-4924-828a-3db470553dcb",
"value": "APT34 (G0057) uses SEASHARPEE (S0185)"
},
{
"meta": {
"source-uuid": "8ae43c46-57ef-47d5-a77a-eebb35628db2",
"target-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1"
},
"uuid": "e11d4f32-842a-4684-8974-f368e52b8632",
"value": "JHUHUGIT (S0044) uses System Information Discovery (T1082)"
},
{
"meta": {
"source-uuid": "67e6d66b-1b82-4699-b47a-e2efb6268d14",
"target-uuid": "6ff403bc-93e3-48be-8687-e102fdba8c88"
},
"uuid": "8a48e56d-f837-4a5a-99b6-db0f60b541a0",
"value": "SeaDuke (S0053) uses Software Packing (T1045)"
},
{
"meta": {
"source-uuid": "69d6f4a9-fcf0-4f51-bca7-597c51ad0bb8",
"target-uuid": "e358d692-23c0-4a31-9eb6-ecc13a8d7735"
},
"uuid": "51742efe-5f0c-4fbf-9eb7-5e765a0a408f",
"value": "Remsec (S0125) uses Remote System Discovery (T1018)"
},
{
"meta": {
"source-uuid": "2a8de25c-f743-4348-b101-3ee33ab5871b",
"target-uuid": "d54416bd-0803-41ca-870a-ce1af7c05638"
},
"uuid": "bd5699e8-8765-4f24-8307-c81a296b87e0",
"value": "Data Encrypted Mitigation (T1022) mitigates Data Encrypted (T1022)"
},
{
"meta": {
"source-uuid": "38fd6a28-3353-4f2b-bb2b-459fecd5c648",
"target-uuid": "b17a1a56-e99c-403c-8948-561df0cffe81"
},
"uuid": "1ac5bace-cdc2-4a1b-abad-d30ca0ed7f45",
"value": "APT18 (G0026) uses Valid Accounts (T1078)"
},
{
"meta": {
"source-uuid": "17862c7d-9e60-48a0-b48e-da4dc4c3f6b0",
"target-uuid": "51dea151-0898-4a45-967c-3ebee0420484"
},
"uuid": "2816f512-1a04-4cf8-94e9-36720b949c76",
"value": "Patchwork (G0040) uses Remote Desktop Protocol (T1076)"
},
{
"meta": {
"source-uuid": "16ade1aa-0ea1-4bb7-88cc-9079df2ae756",
"target-uuid": "123bd7b3-675c-4b1a-8482-c55782b20e2b"
},
"uuid": "013ab34f-54bf-4813-bd37-42a4eebb8d52",
"value": "admin@338 (G0018) uses BUBBLEWRAP (S0043)"
},
{
"meta": {
"source-uuid": "94379dec-5c87-49db-b36e-66abc0b81344",
"target-uuid": "8f4a33ec-8b1f-4b80-a2f6-642b2e479580"
},
"uuid": "f017f6c0-96f4-46f1-905f-44e9950effbc",
"value": "Derusbi (S0021) uses Process Discovery (T1057)"
},
{
"meta": {
"source-uuid": "93f52415-0fe4-4d3d-896c-fc9b8e88ab90",
"target-uuid": "b9f5dbe2-4c55-4fc5-af2e-d42c1d182ec4"
},
"uuid": "99e9583f-433d-437d-bf37-7ea2b3f1b613",
"value": "BRONZE BUTLER (G0060) uses Data Compressed (T1002)"
},
{
"meta": {
"source-uuid": "cba78a1c-186f-4112-9e6a-be1839f030f7",
"target-uuid": "02fefddc-fb1b-423f-a76b-7552dd211d4d"
},
"uuid": "44b56e08-7cd1-442c-8806-c69bb65fd231",
"value": "ROCKBOOT (S0112) uses Bootkit (T1067)"
},
{
"meta": {
"source-uuid": "7343e208-7cab-45f2-a47b-41ba5e2f0fab",
"target-uuid": "e6919abc-99f9-4c6c-95a5-14761e7b2add"
},
"uuid": "59aabb7b-9211-4577-9c6b-ba2cf6e3704c",
"value": "XTunnel (S0117) uses Remote File Copy (T1105)"
},
{
"meta": {
"source-uuid": "34efb2fd-4dc2-40d4-a564-0c147c85034d",
"target-uuid": "56fca983-1cf1-4fd1-bda0-5e170a37ab59"
},
"uuid": "8ff745b7-9985-4781-a8bc-dae6d71233d3",
"value": "File Deletion Mitigation (T1107) mitigates File Deletion (T1107)"
},
{
"meta": {
"source-uuid": "85403903-15e0-4f9f-9be4-a259ecad4022",
"target-uuid": "0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22"
},
"uuid": "6b429676-7b77-4453-a6ce-2d6a6cb0dfe7",
"value": "FIN5 (G0053) uses Credential Dumping (T1003)"
},
{
"meta": {
"source-uuid": "1cc934e4-b01d-4543-a011-b988dfc1a458",
"target-uuid": "b3d682b6-98f2-4fb0-aa3b-b4df007ca70a"
},
"uuid": "573916d8-804d-4453-be37-e6b1865e87db",
"value": "Matroyshka (S0167) uses Obfuscated Files or Information (T1027)"
},
{
"meta": {
"source-uuid": "92ec0cbd-2c30-44a2-b270-73f4ec949841",
"target-uuid": "799ace7f-e227-4411-baa0-8868704f2a69"
},
"uuid": "81cfd1fd-999b-4730-b5dc-363d367dd92e",
"value": "RTM (S0148) uses Indicator Removal on Host (T1070)"
},
{
"meta": {
"source-uuid": "eff1a885-6f90-42a1-901f-eef6e7a1905e",
"target-uuid": "c3888c54-775d-4b2f-b759-75a2ececcbfd"
},
"uuid": "f81274dc-2f5b-47f7-b91f-70a4ebdfde95",
"value": "Helminth (S0170) uses Data Transfer Size Limits (T1030)"
},
{
"meta": {
"source-uuid": "f0a42cad-9b1f-44da-a672-718f18381018",
"target-uuid": "246fd3c7-f5e3-466d-8787-4c13d9e3b61c"
},
"uuid": "37781434-3f1e-4f45-af34-b2378647c13a",
"value": "Taint Shared Content Mitigation (T1080) mitigates Taint Shared Content (T1080)"
},
{
"meta": {
"source-uuid": "899ce53f-13a0-479b-a0e4-67d46e241542",
"target-uuid": "67e6d66b-1b82-4699-b47a-e2efb6268d14"
},
"uuid": "8d6cf235-4a33-4866-9b73-a7119293e5db",
"value": "APT29 (G0016) uses SeaDuke (S0053)"
},
{
"meta": {
"source-uuid": "85403903-15e0-4f9f-9be4-a259ecad4022",
"target-uuid": "799ace7f-e227-4411-baa0-8868704f2a69"
},
"uuid": "9b43f780-6a8b-477f-826f-c45e867749c9",
"value": "FIN5 (G0053) uses Indicator Removal on Host (T1070)"
},
{
"meta": {
"source-uuid": "ff6caf67-ea1f-4895-b80e-4bb0fc31c6db",
"target-uuid": "f44731de-ea9f-406d-9b83-30ecbb9b4392"
},
"uuid": "a66aff09-0635-44a3-b591-a530a25c9012",
"value": "PsExec (S0029) uses Service Execution (T1035)"
},
{
"meta": {
"source-uuid": "894aab42-3371-47b1-8859-a4a074c804c8",
"target-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1"
},
"uuid": "efbe5efa-6863-4334-90e5-d7caab9806a6",
"value": "Stealth Falcon (G0038) uses System Information Discovery (T1082)"
},
{
"meta": {
"source-uuid": "fe98767f-9df8-42b9-83c9-004b1dec8647",
"target-uuid": "251fbae2-78f6-4de7-84f6-194c727a64ad"
},
"uuid": "71416f0d-b037-48b2-a14d-acb1a5f3a4a4",
"value": "PittyTiger (G0011) uses Lurid (S0010)"
},
{
"meta": {
"source-uuid": "4f6aa78c-c3d4-4883-9840-96ca2f5d6d47",
"target-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830"
},
"uuid": "b8e6bb17-9652-464d-8e5d-bd21e1f69a2e",
"value": "TEXTMATE (S0146) uses Command-Line Interface (T1059)"
},
{
"meta": {
"source-uuid": "eff1a885-6f90-42a1-901f-eef6e7a1905e",
"target-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc"
},
"uuid": "2a7cd52f-46e5-4a18-bdf6-4c38edfcb97c",
"value": "Helminth (S0170) uses Registry Run Keys / Start Folder (T1060)"
},
{
"meta": {
"source-uuid": "c93fccb1-e8e8-42cf-ae33-2ad1d183913a",
"target-uuid": "495b6cdb-7b5a-4fbc-8d33-e7ef68806d08"
},
"uuid": "e46836e5-8ffe-45e5-9398-bb9fbb3a4aeb",
"value": "Lazarus Group (G0032) uses Volgmer (S0180)"
},
{
"meta": {
"source-uuid": "bef4c620-0787-42a8-a96d-b7eb6e85917c",
"target-uuid": "128c55d3-aeba-469f-bd3e-c8996ab4112a"
},
"uuid": "1036833a-1d4c-4d9e-b716-1e52606ab684",
"value": "APT28 (G0007) uses Timestomp (T1099)"
},
{
"meta": {
"source-uuid": "a653431d-6a5e-4600-8ad3-609b5af57064",
"target-uuid": "7fd87010-3a00-4da3-b905-410525e8ec44"
},
"uuid": "8cbcb17a-01f4-4899-bc83-9b02fd44f861",
"value": "Deep Panda (G0009) uses Scripting (T1064)"
},
{
"meta": {
"source-uuid": "d4fd04e0-d1a4-4b5a-a5bb-16683cdbcce2",
"target-uuid": "10d51417-ee35-4589-b1ff-b6df1c334e8d"
},
"uuid": "a93e5f9f-5c8c-4832-93db-a6c180840a43",
"value": "External Remote Services Mitigation (T1133) mitigates External Remote Services (T1133)"
},
{
"meta": {
"source-uuid": "0998045d-f96e-4284-95ce-3c8219707486",
"target-uuid": "7385dfaf-6886-4229-9ecd-6fd678040830"
},
"uuid": "7276fbbe-3237-4e95-b2ad-8518327432ba",
"value": "SEASHARPEE (S0185) uses Command-Line Interface (T1059)"
},
{
"meta": {
"source-uuid": "22addc7b-b39f-483d-979a-1b35147da5de",
"target-uuid": "7bc57495-ea59-4380-be31-a64af124ef18"
},
"uuid": "1684e405-53bd-4951-a26d-e7c39887b06a",
"value": "WinMM (S0059) uses File and Directory Discovery (T1083)"
},
{
"meta": {
"source-uuid": "199463de-d9be-46d6-bb41-07234c1dd5a6",
"target-uuid": "707399d6-ab3e-4963-9315-d9d3818cd6a0"
},
"uuid": "847752f4-59a2-46e9-ae28-befe0142b223",
"value": "GeminiDuke (S0049) uses System Network Configuration Discovery (T1016)"
},
{
"meta": {
"source-uuid": "2e290bfe-93b5-48ce-97d6-edcd6d32b7cf",
"target-uuid": "92d7da27-2d91-488e-a00c-059dc162766d"
},
"uuid": "d361058d-a11b-470d-bed8-44bfd8e50393",
"value": "Gamaredon Group (G0047) uses Exfiltration Over Command and Control Channel (T1041)"
},
{
"meta": {
"source-uuid": "54cc1d4f-5c53-4f0e-9ef5-11b4998e82e4",
"target-uuid": "9422fc14-1c43-410d-ab0f-a709b76c72dc"
},
"uuid": "cd2a7854-1339-4f40-8ba1-be032dc5249e",
"value": "BlackEnergy (S0089) uses Registry Run Keys / Start Folder (T1060)"
},
{
"meta": {
"source-uuid": "17e919aa-4a49-445c-b103-dbb8df9e7351",
"target-uuid": "c32f7008-9fea-41f7-8366-5eb9b74bd896"
},
"uuid": "9c79076c-341f-4eb3-bed7-300723747b18",
"value": "POWERSOURCE (S0145) uses Query Registry (T1012)"
},
{
"meta": {
"source-uuid": "e1161124-f22e-487f-9d5f-ed8efc8dcd61",
"target-uuid": "03d7999c-1f4c-42cc-8373-e7690d318104"
},
"uuid": "a1e9769e-5172-4959-84d3-5a28796f86e1",
"value": "Mis-Type (S0084) uses System Owner/User Discovery (T1033)"
},
{
"meta": {
"source-uuid": "60c18d06-7b91-4742-bae3-647845cd9d81",
"target-uuid": "3b3cbbe0-6ed3-4334-b543-3ddfd8c5642d"
},
"uuid": "f4e53b40-abcf-4157-9e53-4ab9632619f1",
"value": "CORESHELL (S0137) uses Custom Cryptographic Protocol (T1024)"
},
{
"meta": {
"source-uuid": "e9595678-d269-469e-ae6b-75e49259de63",
"target-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670"
},
"uuid": "d15cda3e-7ed6-4914-a0a8-ff1f4fe668ec",
"value": "BADNEWS (S0128) uses Execution through API (T1106)"
},
{
"meta": {
"source-uuid": "96566860-9f11-4b6f-964d-1c924e4f24a4",
"target-uuid": "3ccef7ae-cb5e-48f6-8302-897105fbf55c"
},
"uuid": "283bdd5f-f356-43a2-864c-6f8211073d45",
"value": "Starloader (S0188) uses Deobfuscate/Decode Files or Information (T1140)"
},
{
"meta": {
"source-uuid": "c93fccb1-e8e8-42cf-ae33-2ad1d183913a",
"target-uuid": "bb5a00de-e086-4859-a231-fa793f6797e2"
},
"uuid": "7f695d14-17e1-46c6-92eb-7c2f57fc6553",
"value": "Lazarus Group (G0032) uses Input Capture (T1056)"
}
]
}