diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 0230410f..fa87dad1 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -18,7 +18,7 @@ jobs:
- uses: actions/checkout@v3
- uses: actions/setup-node@v3
with:
- node-version: '18'
+ node-version: '19'
- name: Install dependencies
working-directory: ./src/attack_flow_builder/
run: npm ci
@@ -28,13 +28,6 @@ jobs:
# Workaround for node.js bug: https://github.com/webpack/webpack/issues/14532
NODE_OPTIONS: "--openssl-legacy-provider"
run: npm run build
- # TODO: uncomment when we add autocomplete to the builder:
- # - name: Fetch ATT&CK Data
- # working-directory: ./src/attack_flow_builder/
- # run: npm run fetch-attack
- # - name: Build ATT&CK Index
- # working-directory: ./src/attack_flow_builder/
- # run: npm run build-index
- name: Upload artifact
uses: actions/upload-artifact@v3
with:
@@ -52,17 +45,20 @@ jobs:
python-version: '3.8'
- uses: actions/setup-node@v3
with:
- node-version: '18'
+ node-version: '19'
- name: Update APT
run: sudo apt update
- - name: Install dependencies
+ - name: Install APT dependencies
run: sudo apt install graphviz
- name: Install Poetry
run: curl -sSL https://install.python-poetry.org/ | python -
- name: Add Poetry to PATH
run: echo "$HOME/.poetry/bin" >> $GITHUB_PATH
- - name: Install dependencies
+ - name: Install Python dependencies
run: poetry install
+ - name: Install Node dependencies
+ working-directory: ./src/attack_flow_builder/
+ run: npm ci
- name: Install Mermaid
run: npm install -g @mermaid-js/mermaid-cli
- name: Create client directory
@@ -75,6 +71,9 @@ jobs:
- name: Make Attack Flow schema
run: poetry run make docs-schema
- name: Copy corpus into docs
+ env:
+ # Workaround for node.js bug: https://github.com/webpack/webpack/issues/14532
+ NODE_OPTIONS: "--openssl-legacy-provider"
run: poetry run make docs-examples
- name: Copy matrix-viz code into docs
run: poetry run make docs-matrix
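Review bot: `node-version: '19'` in the first hunk pins the build job to an odd-numbered Node.js release line, which under the Node.js release schedule never enters LTS and stops receiving security fixes shortly after the next even-numbered line ships, so the CI runtime will go unpatched while the pin stays; the same change appears in the docs job hunk (`@@ -52,17 +45,20 @@`). If a toolchain reason forces 19, record it next to the line, e.g. `# pinned to 19 because <reason>; revisit when an LTS line supports it`; otherwise prefer an even-numbered line or `node-version: lts/*` so setup-node tracks the current LTS.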
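Review bot: In the last hunk the new `env:` block sets `NODE_OPTIONS: "--openssl-legacy-provider"` on the whole `Copy corpus into docs` step, so every Node process spawned by `make docs-examples` runs with OpenSSL's deprecated legacy provider re-enabled, including the `node … cli.common.js` corpus conversion, which has no webpack build in it and does not need the weakened default. The comment calls this a Node.js bug, but the linked webpack issue is about webpack's hashing failing once Node switched to OpenSSL 3 defaults; a more accurate comment would be `# Re-enables OpenSSL 3 legacy algorithms for the webpack-based vue-cli build; drop once the builder toolchain no longer needs it`. Scoping the variable to the `vue-cli-service` invocation inside the Makefile recipe, rather than the whole step, keeps the other Node processes on the default provider.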
diff --git a/Makefile b/Makefile
index 212b095a..ea5a8235 100644
--- a/Makefile
+++ b/Makefile
@@ -10,6 +12,8 @@ docs:
docs-examples:
mkdir -p docs/extra/corpus
cp corpus/*.afb docs/extra/corpus
+ cd src/attack_flow_builder && env VUE_CLI_SERVICE_CONFIG_PATH="${ROOTDIR}src/attack_flow_builder/vue.cli.config.js" npx vue-cli-service build --target lib --name cli --formats commonjs --no-clean src/cli.ts
+ node src/attack_flow_builder/dist/cli.common.js --verbose corpus/*.afb
cp corpus/*.json docs/extra/corpus
ls -1 corpus/*.json | sed 's/corpus\/\(.*\)\.json/\1/' | xargs -t -I {} af graphviz "corpus/{}.json" "docs/extra/corpus/{}.dot"
ls -1 docs/extra/corpus/*.dot | xargs -t -I {} dot -Tpng -O -q1 "{}"
diff --git a/corpus/.gitignore b/corpus/.gitignore
new file mode 100644
index 00000000..a6c57f5f
--- /dev/null
+++ b/corpus/.gitignore
@@ -0,0 +1 @@
+*.json
diff --git a/corpus/CISA AA22-138B VMWare Workspace (Alt).json b/corpus/CISA AA22-138B VMWare Workspace (Alt).json
deleted file mode 100644
index 5736159f..00000000
--- a/corpus/CISA AA22-138B VMWare Workspace (Alt).json
+++ /dev/null
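Review bot: The new `npx vue-cli-service …` line in `docs-examples` assumes `src/attack_flow_builder/node_modules` already exists, and the recipe does not ensure it; when the local bin is absent, `npx` does not fail but resolves a registry package by that bare name and runs whatever it fetches, so a local `make docs` without a prior `npm ci` would execute code the lockfile never vetted. Invoke the installed binary directly, `./node_modules/.bin/vue-cli-service build --target lib …`, or use `npm exec --no -- vue-cli-service …` so a missing install is an error rather than a download. `${ROOTDIR}` is a make variable defined outside this hunk; if it is empty or lacks a trailing slash the config path silently becomes relative to the `cd`-ed directory, so it is worth confirming its definition, and a short comment above the line naming why the builder's CLI is compiled here would help the next reader.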
@@ -1,486 +0,0 @@ -{ - "type": "bundle", - "id": "bundle--5b9c7d01-9f9a-4a7b-b99b-749640338c75", - "spec_version": "2.1", - "created": "2023-03-10T19:54:29.098Z", - "modified": "2023-03-10T19:54:29.098Z", - "objects": [ - { - "type": "extension-definition", - "id": "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4", - "spec_version": "2.1", - "created": "2022-08-02T19:34:35.143Z", - "modified": "2022-08-02T19:34:35.143Z", - "name": "Attack Flow", - "description": "Extends STIX 2.1 with features to create Attack Flows.", - "created_by_ref": "identity--fb9c968a-745b-4ade-9b25-c324172197f4", - "schema": "https://center-for-threat-informed-defense.github.io/attack-flow/stix/attack-flow-schema-2.0.0.json", - "version": "2.0.0", - "extension_types": [ - "new-sdo" - ], - "external_references": [ - { - "source_name": "Documentation", - "description": "Documentation for Attack Flow", - "url": "https://center-for-threat-informed-defense.github.io/attack-flow" - }, - { - "source_name": "GitHub", - "description": "Source code repository for Attack Flow", - "url": "https://github.com/center-for-threat-informed-defense/attack-flow" - } - ] - }, - { - "type": "identity", - "id": "identity--fb9c968a-745b-4ade-9b25-c324172197f4", - "spec_version": "2.1", - "created": "2022-08-02T19:34:35.143Z", - "modified": "2022-08-02T19:34:35.143Z", - "create_by_ref": "identity--fb9c968a-745b-4ade-9b25-c324172197f4", - "name": "MITRE Engenuity Center for Threat-Informed Defense", - "identity_class": "organization" - }, - { - "type": "attack-flow", - "id": "attack-flow--ca2783d5-ddf2-441d-af82-9cfa68abead0", - "spec_version": "2.1", - "created": "2023-02-21T14:51:27.768Z", - "modified": "2023-03-10T19:54:29.098Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "created_by_ref": "identity--f258633c-c033-474c-bf81-de5ee1334830", - "start_refs": [ - "attack-action--84454574-3ed2-43eb-979f-66c3d343a71a" - ], - 
"name": "CISA AA22-138B VMWare Workspace (Alt)", - "description": "Alternative method used to exploit VMWare Workspace ONE Access", - "scope": "incident", - "external_references": [ - { - "source_name": "CISA", - "description": "Alert", - "url": "https://www.cisa.gov/uscert/ncas/alerts/aa22-138b" - } - ] - }, - { - "type": "identity", - "id": "identity--f258633c-c033-474c-bf81-de5ee1334830", - "spec_version": "2.1", - "created": "2023-03-10T19:54:29.098Z", - "modified": "2023-03-10T19:54:29.098Z", - "name": "Lauren Parker", - "identity_class": "individual", - "contact_information": "lparker@mitre.org" - }, - { - "type": "attack-action", - "id": "attack-action--84454574-3ed2-43eb-979f-66c3d343a71a", - "spec_version": "2.1", - "created": "2023-03-10T19:54:29.098Z", - "modified": "2023-03-10T19:54:29.098Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "name": "Exploitation for Client Execution", - "technique_id": "T1203", - "description": "attackers used a Bash script to exploit software vulnerabilities in VMWare Workspace ONE Access", - "confidence": 100, - "effect_refs": [ - "attack-action--401fbfb9-930a-43b9-a43e-6cbc7f9e3802" - ] - }, - { - "type": "vulnerability", - "id": "vulnerability--bfbfe054-666b-498e-a067-ed49356fab29", - "spec_version": "2.1", - "created": "2023-03-10T19:54:29.098Z", - "modified": "2023-03-10T19:54:29.098Z", - "name": "CVE 2022-22960" - }, - { - "type": "attack-action", - "id": "attack-action--401fbfb9-930a-43b9-a43e-6cbc7f9e3802", - "spec_version": "2.1", - "created": "2023-03-10T19:54:29.098Z", - "modified": "2023-03-10T19:54:29.098Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "name": "Exploitation for Privilege Escalation", - "technique_id": "T1068", - "description": "Horizon user's privileges escalated", - "confidence": 100, - "effect_refs": [ - 
"attack-action--3c019d2c-c56f-47e4-8977-e86a4a359069" - ] - }, - { - "type": "attack-action", - "id": "attack-action--3c019d2c-c56f-47e4-8977-e86a4a359069", - "spec_version": "2.1", - "created": "2023-03-10T19:54:29.098Z", - "modified": "2023-03-10T19:54:29.098Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "name": "Command and Scripting Interpreter", - "technique_id": "T1059", - "description": "Horizon user can execute commands and scripts as a superuser (sudo)", - "confidence": 100, - "effect_refs": [ - "attack-action--1472fccf-cdf4-4a4b-a0c3-b927e3381c02" - ] - }, - { - "type": "malware", - "id": "malware--c6e2dfb4-33c5-4908-86a2-db3a3612c0c5", - "spec_version": "2.1", - "created": "2023-03-10T19:54:29.098Z", - "modified": "2023-03-10T19:54:29.098Z", - "name": "Bash script", - "description": "Exploits software vulnerabilities and escalates privileges; overwrites files on the host; executes commands", - "malware_types": [ - "webshell", - "downloader" - ], - "is_family": false, - "implementation_languages": [ - "bash" - ], - "capabilities": [ - "cleans-traces-of-infection", - "escalates-privileges", - "exfiltrates-data", - "communicates-with-c2", - "installs-other-components", - "probes-network-environment", - "steals-authentication-credentials" - ] - }, - { - "type": "attack-action", - "id": "attack-action--1472fccf-cdf4-4a4b-a0c3-b927e3381c02", - "spec_version": "2.1", - "created": "2023-03-10T19:54:29.098Z", - "modified": "2023-03-10T19:54:29.098Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "name": "Discovery", - "tactic_id": "TA0007", - "description": "The script allows users to collect network information and additional information from the host system", - "confidence": 100, - "effect_refs": [ - "attack-action--24692f77-c123-4107-923e-937e7cc9349e" - ] - }, - { - "type": "attack-action", - "id": 
"attack-action--24692f77-c123-4107-923e-937e7cc9349e", - "spec_version": "2.1", - "created": "2023-03-10T19:54:29.098Z", - "modified": "2023-03-10T19:54:29.098Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "name": "Indicator Removal on Host", - "technique_id": "T1070", - "description": "publishCaCert.hzn overwritten with fd86ald0.pem", - "confidence": 100, - "effect_refs": [ - "attack-action--7fa1a34d-5d0c-4655-8e23-ef9d23771bba" - ] - }, - { - "type": "file", - "id": "file--23625c13-d92b-4e65-8f82-91a4820319ee", - "spec_version": "2.1", - "created": "2023-03-10T19:54:29.098Z", - "modified": "2023-03-10T19:54:29.098Z", - "name": "fd86ald0.pem" - }, - { - "type": "attack-action", - "id": "attack-action--7fa1a34d-5d0c-4655-8e23-ef9d23771bba", - "spec_version": "2.1", - "created": "2023-03-10T19:54:29.098Z", - "modified": "2023-03-10T19:54:29.098Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "name": "Archive Collected Data", - "technique_id": "T1560", - "description": "script compresses files containing network interface configurations, users, passwords, masterkeys, hosts, and domains to a TAR archive, located in a VMWare Workspace ONE Access directory", - "confidence": 100, - "effect_refs": [ - "attack-action--35c17809-784f-4aa9-a827-aa7e376de16e" - ] - }, - { - "type": "directory", - "id": "directory--07354f90-6d57-4de7-b9af-7f6130ba9dc3", - "spec_version": "2.1", - "created": "2023-03-10T19:54:29.098Z", - "modified": "2023-03-10T19:54:29.098Z", - "path": "/opt/vmware/horizon/workspace/webapps/SAAS/horizon/images/" - }, - { - "type": "attack-action", - "id": "attack-action--298530ff-51b1-43f6-8c1f-59f432625094", - "spec_version": "2.1", - "created": "2023-03-10T19:54:29.098Z", - "modified": "2023-03-10T19:54:29.098Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - 
"extension_type": "new-sdo" - } - }, - "name": "Indicator Removal on Host", - "technique_id": "T1070", - "description": "fd86ald0.pem removed from host", - "confidence": 100 - }, - { - "type": "attack-action", - "id": "attack-action--35c17809-784f-4aa9-a827-aa7e376de16e", - "spec_version": "2.1", - "created": "2023-03-10T19:54:29.098Z", - "modified": "2023-03-10T19:54:29.098Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "name": "Command and Control", - "tactic_id": "TA0011", - "description": "script communicated with 20.232.97.189 for C2", - "confidence": 100, - "effect_refs": [ - "attack-action--3c3fea04-7678-4ae6-a8dd-0b0c28eafe97" - ] - }, - { - "type": "infrastructure", - "id": "infrastructure--6f00d94e-3724-4f17-a01d-d2e73c9860cf", - "spec_version": "2.1", - "created": "2023-03-10T19:54:29.098Z", - "modified": "2023-03-10T19:54:29.098Z", - "name": "20.232.97.189", - "description": "Command and Control", - "infrastructure_types": [ - "command-and-control" - ] - }, - { - "type": "note", - "id": "note--6b8158c0-becf-443c-ab7b-c72fba4890ee", - "spec_version": "2.1", - "created": "2023-03-10T19:54:29.098Z", - "modified": "2023-03-10T19:54:29.098Z", - "content": "The following IPs download, execute, and check the bash script: 45.72.112.245; 115.167.53.141; 191.102.179.197; 209.127.110.126; 45.72.85.172; 192.241.67.12", - "authors": [ - "Lauren Parker" - ], - "object_refs": [ - "malware--c6e2dfb4-33c5-4908-86a2-db3a3612c0c5" - ] - }, - { - "type": "attack-action", - "id": "attack-action--3c3fea04-7678-4ae6-a8dd-0b0c28eafe97", - "spec_version": "2.1", - "created": "2023-03-10T19:54:29.098Z", - "modified": "2023-03-10T19:54:29.098Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "name": "Ingress Tool Transfer", - "technique_id": "T1105", - "description": "attackers attempted to download MoneroOcean miner from 
GitHub from the associated IP", - "confidence": 100, - "effect_refs": [ - "attack-action--747d2282-1bf8-4848-89f0-0ee82ca3b6a5" - ] - }, - { - "type": "ipv4-addr", - "id": "ipv4-addr--545cfd59-0603-4476-93fc-c7c91c22e0bd", - "spec_version": "2.1", - "created": "2023-03-10T19:54:29.098Z", - "modified": "2023-03-10T19:54:29.098Z", - "value": "194.31.98.141" - }, - { - "type": "attack-action", - "id": "attack-action--747d2282-1bf8-4848-89f0-0ee82ca3b6a5", - "spec_version": "2.1", - "created": "2023-03-10T19:54:29.098Z", - "modified": "2023-03-10T19:54:29.098Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "name": "File and Directory Discovery", - "technique_id": "T1083", - "description": "attackers used an associated IP address to run cat on a number of files in the listed directory", - "confidence": 100, - "effect_refs": [ - "attack-action--6dbde84b-f026-46b8-bde6-f963be602a4c" - ] - }, - { - "type": "ipv4-addr", - "id": "ipv4-addr--e01fce30-934b-4d5c-ab81-ca635e99b406", - "spec_version": "2.1", - "created": "2023-03-10T19:54:29.098Z", - "modified": "2023-03-10T19:54:29.098Z", - "value": "8.45.41.114" - }, - { - "type": "directory", - "id": "directory--d277228f-6835-488e-8145-4e43af09f875", - "spec_version": "2.1", - "created": "2023-03-10T19:54:29.098Z", - "modified": "2023-03-10T19:54:29.098Z", - "path": "/usr/local/horizon/conf" - }, - { - "type": "attack-action", - "id": "attack-action--6dbde84b-f026-46b8-bde6-f963be602a4c", - "spec_version": "2.1", - "created": "2023-03-10T19:54:29.098Z", - "modified": "2023-03-10T19:54:29.098Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "name": "Ingress Tool Transfer", - "technique_id": "T1105", - "description": "attackers attempted to download a JSP webshell from the listed URL", - "confidence": 100, - "effect_refs": [ - 
"attack-action--298530ff-51b1-43f6-8c1f-59f432625094" - ] - }, - { - "type": "url", - "id": "url--e1c165a0-165b-4760-8da0-dcd112475096", - "spec_version": "2.1", - "created": "2023-03-10T19:54:29.098Z", - "modified": "2023-03-10T19:54:29.098Z", - "value": "http://84.38.133[.]149/img/icon.gif" - }, - { - "type": "relationship", - "id": "relationship--e595778b-c877-4524-91a8-bf04912b78cb", - "spec_version": "2.1", - "created": "2023-03-10T19:54:29.098Z", - "modified": "2023-03-10T19:54:29.098Z", - "relationship_type": "related-to", - "source_ref": "attack-action--84454574-3ed2-43eb-979f-66c3d343a71a", - "target_ref": "vulnerability--bfbfe054-666b-498e-a067-ed49356fab29" - }, - { - "type": "relationship", - "id": "relationship--bb44ccb3-e4d8-4540-b86e-d64a864a6d00", - "spec_version": "2.1", - "created": "2023-03-10T19:54:29.098Z", - "modified": "2023-03-10T19:54:29.098Z", - "relationship_type": "related-to", - "source_ref": "attack-action--84454574-3ed2-43eb-979f-66c3d343a71a", - "target_ref": "malware--c6e2dfb4-33c5-4908-86a2-db3a3612c0c5" - }, - { - "type": "relationship", - "id": "relationship--59c75772-9382-4f86-bb04-ba3772a2f21a", - "spec_version": "2.1", - "created": "2023-03-10T19:54:29.098Z", - "modified": "2023-03-10T19:54:29.098Z", - "relationship_type": "related-to", - "source_ref": "attack-action--24692f77-c123-4107-923e-937e7cc9349e", - "target_ref": "file--23625c13-d92b-4e65-8f82-91a4820319ee" - }, - { - "type": "relationship", - "id": "relationship--bbae2e20-3c07-4735-a990-43a61ebaf90a", - "spec_version": "2.1", - "created": "2023-03-10T19:54:29.098Z", - "modified": "2023-03-10T19:54:29.098Z", - "relationship_type": "related-to", - "source_ref": "attack-action--7fa1a34d-5d0c-4655-8e23-ef9d23771bba", - "target_ref": "directory--07354f90-6d57-4de7-b9af-7f6130ba9dc3" - }, - { - "type": "relationship", - "id": "relationship--aa6a015e-b607-4b6c-ac5f-02fa7304f009", - "spec_version": "2.1", - "created": "2023-03-10T19:54:29.098Z", - "modified": 
"2023-03-10T19:54:29.098Z", - "relationship_type": "related-to", - "source_ref": "attack-action--35c17809-784f-4aa9-a827-aa7e376de16e", - "target_ref": "infrastructure--6f00d94e-3724-4f17-a01d-d2e73c9860cf" - }, - { - "type": "relationship", - "id": "relationship--efb903e9-fe14-46d2-9e1d-e74a303364a6", - "spec_version": "2.1", - "created": "2023-03-10T19:54:29.098Z", - "modified": "2023-03-10T19:54:29.098Z", - "relationship_type": "related-to", - "source_ref": "attack-action--3c3fea04-7678-4ae6-a8dd-0b0c28eafe97", - "target_ref": "ipv4-addr--545cfd59-0603-4476-93fc-c7c91c22e0bd" - }, - { - "type": "relationship", - "id": "relationship--678fa334-618f-4596-b096-9fa24b3ccf07", - "spec_version": "2.1", - "created": "2023-03-10T19:54:29.098Z", - "modified": "2023-03-10T19:54:29.098Z", - "relationship_type": "related-to", - "source_ref": "attack-action--747d2282-1bf8-4848-89f0-0ee82ca3b6a5", - "target_ref": "ipv4-addr--e01fce30-934b-4d5c-ab81-ca635e99b406" - }, - { - "type": "relationship", - "id": "relationship--108622ba-f9e6-4418-b82f-c164b1ffab1d", - "spec_version": "2.1", - "created": "2023-03-10T19:54:29.098Z", - "modified": "2023-03-10T19:54:29.098Z", - "relationship_type": "related-to", - "source_ref": "attack-action--747d2282-1bf8-4848-89f0-0ee82ca3b6a5", - "target_ref": "directory--d277228f-6835-488e-8145-4e43af09f875" - }, - { - "type": "relationship", - "id": "relationship--128d24d9-80cd-4cd7-bb0b-c9b039c9af03", - "spec_version": "2.1", - "created": "2023-03-10T19:54:29.098Z", - "modified": "2023-03-10T19:54:29.098Z", - "relationship_type": "related-to", - "source_ref": "attack-action--6dbde84b-f026-46b8-bde6-f963be602a4c", - "target_ref": "url--e1c165a0-165b-4760-8da0-dcd112475096" - } - ] -} \ No newline at end of file diff --git a/corpus/CISA AA22-138B VMWare Workspace (TA1).json b/corpus/CISA AA22-138B VMWare Workspace (TA1).json deleted file mode 100644 index 00a072ba..00000000 --- a/corpus/CISA AA22-138B VMWare Workspace (TA1).json +++ /dev/null 
@@ -1,478 +0,0 @@ -{ - "type": "bundle", - "id": "bundle--8bba8e3d-7582-4bbd-8dbb-226b92533e4a", - "spec_version": "2.1", - "created": "2023-03-10T19:45:04.547Z", - "modified": "2023-03-10T19:45:04.547Z", - "objects": [ - { - "type": "extension-definition", - "id": "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4", - "spec_version": "2.1", - "created": "2022-08-02T19:34:35.143Z", - "modified": "2022-08-02T19:34:35.143Z", - "name": "Attack Flow", - "description": "Extends STIX 2.1 with features to create Attack Flows.", - "created_by_ref": "identity--fb9c968a-745b-4ade-9b25-c324172197f4", - "schema": "https://center-for-threat-informed-defense.github.io/attack-flow/stix/attack-flow-schema-2.0.0.json", - "version": "2.0.0", - "extension_types": [ - "new-sdo" - ], - "external_references": [ - { - "source_name": "Documentation", - "description": "Documentation for Attack Flow", - "url": "https://center-for-threat-informed-defense.github.io/attack-flow" - }, - { - "source_name": "GitHub", - "description": "Source code repository for Attack Flow", - "url": "https://github.com/center-for-threat-informed-defense/attack-flow" - } - ] - }, - { - "type": "identity", - "id": "identity--fb9c968a-745b-4ade-9b25-c324172197f4", - "spec_version": "2.1", - "created": "2022-08-02T19:34:35.143Z", - "modified": "2022-08-02T19:34:35.143Z", - "create_by_ref": "identity--fb9c968a-745b-4ade-9b25-c324172197f4", - "name": "MITRE Engenuity Center for Threat-Informed Defense", - "identity_class": "organization" - }, - { - "type": "attack-flow", - "id": "attack-flow--5924382f-e14f-4f29-b0df-08999f51b922", - "spec_version": "2.1", - "created": "2023-02-20T16:07:26.305Z", - "modified": "2023-03-10T19:45:04.547Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "created_by_ref": "identity--bfe16be0-5a61-4938-b7ed-748d2a219541", - "start_refs": [ - "attack-action--87cf2efa-5784-4ccd-a75e-ec4d964d58a5", - 
"attack-action--847def26-4d0a-4562-865d-d9c23e3820cf" - ], - "name": "CISA AA22-138B VMWare Workspace (TA1)", - "description": "Threat Actor 1 exploited VMWare Workspace ONE Access through various methods", - "scope": "incident", - "external_references": [ - { - "source_name": "CISA", - "description": "Alert", - "url": "https://www.cisa.gov/uscert/ncas/alerts/aa22-138b" - } - ] - }, - { - "type": "identity", - "id": "identity--bfe16be0-5a61-4938-b7ed-748d2a219541", - "spec_version": "2.1", - "created": "2023-03-10T19:45:04.547Z", - "modified": "2023-03-10T19:45:04.547Z", - "name": "Lauren Parker", - "identity_class": "individual", - "contact_information": "lparker@mitre.org" - }, - { - "type": "attack-action", - "id": "attack-action--427f3a5b-4890-4305-951b-b76da8b9651b", - "spec_version": "2.1", - "created": "2023-03-10T19:45:04.547Z", - "modified": "2023-03-10T19:45:04.547Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "name": "Ingress Tool Transfer", - "technique_id": "T1105", - "description": "server downloads a malicious shell script to VMWare Workspace ONE Access", - "confidence": 100, - "effect_refs": [ - "attack-operator--1e41f6c5-95dc-483b-b6eb-9e315991f509" - ] - }, - { - "type": "vulnerability", - "id": "vulnerability--bebccad3-14d6-43c4-b9e4-5dea60ceef76", - "spec_version": "2.1", - "created": "2023-03-10T19:45:04.547Z", - "modified": "2023-03-10T19:45:04.547Z", - "name": "CVE 2022-22954" - }, - { - "type": "attack-action", - "id": "attack-action--87cf2efa-5784-4ccd-a75e-ec4d964d58a5", - "spec_version": "2.1", - "created": "2023-03-10T19:45:04.547Z", - "modified": "2023-03-10T19:45:04.547Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "name": "Application Layer Protocol: Web Protocols", - "technique_id": "T1071.001", - "description": "Freemarker targeted by attackers to send a customized GET 
request URI to a vulnerable server", - "confidence": 100, - "effect_refs": [ - "attack-action--780d1e10-6642-41d2-b1a7-de801a6b972a" - ], - "asset_refs": [ - "attack-asset--14c7eab3-bee7-4350-bf52-cbfebb34921a" - ] - }, - { - "type": "software", - "id": "software--32cf10a0-552b-41b0-a80c-111f89903c8f", - "spec_version": "2.1", - "created": "2023-03-10T19:45:04.547Z", - "modified": "2023-03-10T19:45:04.547Z", - "name": "Freemarker" - }, - { - "type": "attack-action", - "id": "attack-action--780d1e10-6642-41d2-b1a7-de801a6b972a", - "spec_version": "2.1", - "created": "2023-03-10T19:45:04.547Z", - "modified": "2023-03-10T19:45:04.547Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "name": "Exploitation for Client Execution", - "technique_id": "T1203", - "description": "attackers exploited software vulnerabilities", - "confidence": 100, - "effect_refs": [ - "attack-action--427f3a5b-4890-4305-951b-b76da8b9651b", - "attack-action--7d09b87c-e2c6-4760-9050-92f36a24e9ff" - ] - }, - { - "type": "attack-asset", - "id": "attack-asset--14c7eab3-bee7-4350-bf52-cbfebb34921a", - "spec_version": "2.1", - "created": "2023-03-10T19:45:04.547Z", - "modified": "2023-03-10T19:45:04.547Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "name": "VMWare Workspace ONE Access ", - "description": "vulnerable, public-facing server" - }, - { - "type": "malware", - "id": "malware--e2710797-ff3a-4465-b4ed-923e15f59b2d", - "spec_version": "2.1", - "created": "2023-03-10T19:45:04.547Z", - "modified": "2023-03-10T19:45:04.547Z", - "name": "80b6ae2cea.sh", - "description": "malicious shell script; contains VMWare Workspace ONE Access directory paths and file locations", - "malware_types": [ - "unknown" - ], - "is_family": false, - "capabilities": [ - "exfiltrates-data", - "cleans-traces-of-infection" - ] - }, - { - "type": "directory", - "id": 
"directory--2f184fcc-a09b-4b6d-8cf2-d0029e360d1f", - "spec_version": "2.1", - "created": "2023-03-10T19:45:04.547Z", - "modified": "2023-03-10T19:45:04.547Z", - "path": "/usr/local/horizon/scripts/" - }, - { - "type": "attack-action", - "id": "attack-action--847def26-4d0a-4562-865d-d9c23e3820cf", - "spec_version": "2.1", - "created": "2023-03-10T19:45:04.547Z", - "modified": "2023-03-10T19:45:04.547Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "name": "Exploitation for Privilege Escalation", - "technique_id": "T1068", - "description": "Malicious script run with root privileges (run with SUDO)", - "confidence": 100, - "effect_refs": [ - "attack-action--4c353a44-3987-401a-b578-d4a1e9280bbd" - ] - }, - { - "type": "vulnerability", - "id": "vulnerability--7c91bf6f-749b-41a8-80b0-cbce51bcbb7b", - "spec_version": "2.1", - "created": "2023-03-10T19:45:04.547Z", - "modified": "2023-03-10T19:45:04.547Z", - "name": "CVE 2022-22960", - "description": "allows root privileges" - }, - { - "type": "attack-action", - "id": "attack-action--4c353a44-3987-401a-b578-d4a1e9280bbd", - "spec_version": "2.1", - "created": "2023-03-10T19:45:04.547Z", - "modified": "2023-03-10T19:45:04.547Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "name": "Collection", - "tactic_id": "TA0009", - "description": "script collects sensitive files, including user names, passwords, master keys, and firewall rules and stored them in a tar ball ", - "confidence": 100, - "effect_refs": [ - "attack-action--af956aab-7dd4-440d-8af4-adb9ae32a63b" - ] - }, - { - "type": "attack-action", - "id": "attack-action--af956aab-7dd4-440d-8af4-adb9ae32a63b", - "spec_version": "2.1", - "created": "2023-03-10T19:45:04.547Z", - "modified": "2023-03-10T19:45:04.547Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - 
"extension_type": "new-sdo" - } - }, - "name": "Archive Collected Data", - "technique_id": "T1560", - "description": "collected information stored in a tar ball file on the server", - "confidence": 100, - "effect_refs": [ - "attack-action--a9ddb932-cc96-49fc-acd8-f5675b7368ea" - ] - }, - { - "type": "directory", - "id": "directory--726756ce-5a1c-4ccc-a32e-92975c07f959", - "spec_version": "2.1", - "created": "2023-03-10T19:45:04.547Z", - "modified": "2023-03-10T19:45:04.547Z", - "path": "/opt/vmware/horizon/workspace/webapps/SAAS/horizon/images/" - }, - { - "type": "attack-action", - "id": "attack-action--a9ddb932-cc96-49fc-acd8-f5675b7368ea", - "spec_version": "2.1", - "created": "2023-03-10T19:45:04.547Z", - "modified": "2023-03-10T19:45:04.547Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "name": "Indicator Removal on Host", - "technique_id": "T1070", - "description": "deleted files and logs, including fd86ald0.pem, localhost_access logs, logs associated with the VMWare Horizon application, and greenbox logs for the date of activity", - "confidence": 100, - "effect_refs": [ - "attack-action--4edb3b2d-7bc8-4fe2-85d7-66c04ceba3c7" - ] - }, - { - "type": "attack-action", - "id": "attack-action--7d09b87c-e2c6-4760-9050-92f36a24e9ff", - "spec_version": "2.1", - "created": "2023-03-10T19:45:04.547Z", - "modified": "2023-03-10T19:45:04.547Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "name": "Ingress Tool Transfer", - "technique_id": "T1105", - "description": "attackers downloaded jtest.jsp to the server's web directory from the IP address", - "effect_refs": [ - "attack-operator--1e41f6c5-95dc-483b-b6eb-9e315991f509" - ] - }, - { - "type": "malware", - "id": "malware--ecffdaac-3bc0-4552-bb1b-1da439cc5dbb", - "spec_version": "2.1", - "created": "2023-03-10T19:45:04.547Z", - "modified": 
"2023-03-10T19:45:04.547Z", - "name": "jtest.jsp", - "description": "webshell", - "malware_types": [ - "webshell" - ], - "is_family": true, - "capabilities": [ - "communicates-with-c2" - ] - }, - { - "type": "directory", - "id": "directory--10e001e1-c3ce-4cc1-a6a7-5eef5b206c88", - "spec_version": "2.1", - "created": "2023-03-10T19:45:04.547Z", - "modified": "2023-03-10T19:45:04.547Z", - "path": "/SAAS/Horizon/js-lib/" - }, - { - "type": "ipv4-addr", - "id": "ipv4-addr--1fd1c853-b8df-4db5-bfd2-92d445bdf3b3", - "spec_version": "2.1", - "created": "2023-03-10T19:45:04.547Z", - "modified": "2023-03-10T19:45:04.547Z", - "value": "186.233.187.245" - }, - { - "type": "attack-action", - "id": "attack-action--4edb3b2d-7bc8-4fe2-85d7-66c04ceba3c7", - "spec_version": "2.1", - "created": "2023-03-10T19:45:04.547Z", - "modified": "2023-03-10T19:45:04.547Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "name": "Exfiltration", - "tactic_id": "TA0010", - "description": "sensitive data stored in tar ball is exfiltrated by GET request", - "confidence": 100 - }, - { - "type": "note", - "id": "note--1b79a858-23da-40da-a86a-31ffccb21579", - "spec_version": "2.1", - "created": "2023-03-10T19:45:04.547Z", - "modified": "2023-03-10T19:45:04.547Z", - "content": "an application that allows for customized notifications by creating templates", - "authors": [ - "CISA" - ], - "object_refs": [ - "software--32cf10a0-552b-41b0-a80c-111f89903c8f" - ] - }, - { - "type": "attack-operator", - "id": "attack-operator--1e41f6c5-95dc-483b-b6eb-9e315991f509", - "spec_version": "2.1", - "created": "2023-03-10T19:45:04.547Z", - "modified": "2023-03-10T19:45:04.547Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "operator": "AND", - "effect_refs": [ - "attack-action--847def26-4d0a-4562-865d-d9c23e3820cf" - ] - }, - { - "type": "relationship", - "id": 
"relationship--b65ee5bc-a299-4168-b930-074a4284acd1", - "spec_version": "2.1", - "created": "2023-03-10T19:45:04.547Z", - "modified": "2023-03-10T19:45:04.547Z", - "relationship_type": "related-to", - "source_ref": "attack-action--427f3a5b-4890-4305-951b-b76da8b9651b", - "target_ref": "malware--e2710797-ff3a-4465-b4ed-923e15f59b2d" - }, - { - "type": "relationship", - "id": "relationship--b8fabfae-b321-4dff-9bc1-88037dc4bbe9", - "spec_version": "2.1", - "created": "2023-03-10T19:45:04.547Z", - "modified": "2023-03-10T19:45:04.547Z", - "relationship_type": "related-to", - "source_ref": "attack-action--87cf2efa-5784-4ccd-a75e-ec4d964d58a5", - "target_ref": "software--32cf10a0-552b-41b0-a80c-111f89903c8f" - }, - { - "type": "relationship", - "id": "relationship--5b29d968-5eef-4a75-aeb6-e030262290ba", - "spec_version": "2.1", - "created": "2023-03-10T19:45:04.547Z", - "modified": "2023-03-10T19:45:04.547Z", - "relationship_type": "related-to", - "source_ref": "attack-action--780d1e10-6642-41d2-b1a7-de801a6b972a", - "target_ref": "vulnerability--bebccad3-14d6-43c4-b9e4-5dea60ceef76" - }, - { - "type": "relationship", - "id": "relationship--90d1f164-0dde-4728-b4b0-975597648fab", - "spec_version": "2.1", - "created": "2023-03-10T19:45:04.547Z", - "modified": "2023-03-10T19:45:04.547Z", - "relationship_type": "related-to", - "source_ref": "directory--2f184fcc-a09b-4b6d-8cf2-d0029e360d1f", - "target_ref": "malware--e2710797-ff3a-4465-b4ed-923e15f59b2d" - }, - { - "type": "relationship", - "id": "relationship--e881e059-7460-402e-a8eb-a34814e5819b", - "spec_version": "2.1", - "created": "2023-03-10T19:45:04.547Z", - "modified": "2023-03-10T19:45:04.547Z", - "relationship_type": "related-to", - "source_ref": "attack-action--847def26-4d0a-4562-865d-d9c23e3820cf", - "target_ref": "vulnerability--7c91bf6f-749b-41a8-80b0-cbce51bcbb7b" - }, - { - "type": "relationship", - "id": "relationship--7e2d83ba-4d7a-4edb-b6cc-c028cd3a7881", - "spec_version": "2.1", - "created": 
"2023-03-10T19:45:04.547Z", - "modified": "2023-03-10T19:45:04.547Z", - "relationship_type": "related-to", - "source_ref": "attack-action--af956aab-7dd4-440d-8af4-adb9ae32a63b", - "target_ref": "directory--726756ce-5a1c-4ccc-a32e-92975c07f959" - }, - { - "type": "relationship", - "id": "relationship--506b9641-ab24-458b-bd9f-cc4ed89705d0", - "spec_version": "2.1", - "created": "2023-03-10T19:45:04.547Z", - "modified": "2023-03-10T19:45:04.547Z", - "relationship_type": "related-to", - "source_ref": "attack-action--7d09b87c-e2c6-4760-9050-92f36a24e9ff", - "target_ref": "malware--ecffdaac-3bc0-4552-bb1b-1da439cc5dbb" - }, - { - "type": "relationship", - "id": "relationship--343e21d2-927b-448a-92f1-fa3334960586", - "spec_version": "2.1", - "created": "2023-03-10T19:45:04.547Z", - "modified": "2023-03-10T19:45:04.547Z", - "relationship_type": "related-to", - "source_ref": "attack-action--7d09b87c-e2c6-4760-9050-92f36a24e9ff", - "target_ref": "directory--10e001e1-c3ce-4cc1-a6a7-5eef5b206c88" - }, - { - "type": "relationship", - "id": "relationship--99ce3ff8-295c-434b-9eba-5abc4b73b19a", - "spec_version": "2.1", - "created": "2023-03-10T19:45:04.547Z", - "modified": "2023-03-10T19:45:04.547Z", - "relationship_type": "related-to", - "source_ref": "attack-action--7d09b87c-e2c6-4760-9050-92f36a24e9ff", - "target_ref": "ipv4-addr--1fd1c853-b8df-4db5-bfd2-92d445bdf3b3" - } - ] -} \ No newline at end of file diff --git a/corpus/CISA Iranian APT.json b/corpus/CISA Iranian APT.json deleted file mode 100644 index 78c10d2e..00000000 --- a/corpus/CISA Iranian APT.json +++ /dev/null 
@@ -1,1083 +0,0 @@ -{ - "type": "bundle", - "id": "bundle--0061a6b9-cda3-425d-8aac-f6c443f819ec", - "spec_version": "2.1", - "created": "2023-02-07T20:05:21.546Z", - "modified": "2023-02-07T20:05:21.546Z", - "objects": [ - { - "type": "extension-definition", - "id": "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4", - "spec_version": "2.1", - "created": "2022-08-02T19:34:35.143Z", - "modified": "2022-08-02T19:34:35.143Z", - "name": "Attack Flow", - "description": "Extends STIX 2.1 with features to create Attack Flows.", - "created_by_ref": "identity--fb9c968a-745b-4ade-9b25-c324172197f4", - "schema": "https://center-for-threat-informed-defense.github.io/attack-flow/stix/attack-flow-schema-2.0.0.json", - "version": "2.0.0", - "extension_types": [ - "new-sdo" - ], - "external_references": [ - { - "source_name": "Documentation", - "description": "Documentation for Attack Flow", - "url": "https://center-for-threat-informed-defense.github.io/attack-flow" - }, - { - "source_name": "GitHub", - "description": "Source code repository for Attack Flow", - "url": "https://github.com/center-for-threat-informed-defense/attack-flow" - } - ] - }, - { - "type": "identity", - "id": "identity--fb9c968a-745b-4ade-9b25-c324172197f4", - "spec_version": "2.1", - "created": "2022-08-02T19:34:35.143Z", - "modified": "2022-08-02T19:34:35.143Z", - "create_by_ref": "identity--fb9c968a-745b-4ade-9b25-c324172197f4", - "name": "MITRE Engenuity Center for Threat-Informed Defense", - "identity_class": "organization" - }, - { - "type": "attack-flow", - "id": "attack-flow--a2b7e8ad-9fb2-48b3-8e5c-e94da374ab89", - "spec_version": "2.1", - "created": "2023-01-27T19:55:42.542Z", - "modified": "2023-02-07T20:05:21.546Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "created_by_ref": "identity--36bb2689-d2da-4782-9624-500c2c897f37", - "start_refs": [ - "attack-action--b6143619-dac3-4f9c-ae0a-605961bef9c7" - ], - 
"name": "CISA Iranian APT", - "description": "Iranian APT exploited Log4Shell and deployed XMRig crypto mining software.", - "scope": "threat actor", - "external_references": [ - { - "source_name": "CISA", - "description": "Cybersecurity Advisory", - "url": "https://www.cisa.gov/uscert/ncas/alerts/aa22-320a" - } - ] - }, - { - "type": "identity", - "id": "identity--36bb2689-d2da-4782-9624-500c2c897f37", - "spec_version": "2.1", - "created": "2023-02-07T20:05:21.546Z", - "modified": "2023-02-07T20:05:21.546Z", - "name": "Lauren Parker", - "identity_class": "individual", - "contact_information": "lparker@mitre.org" - }, - { - "type": "attack-action", - "id": "attack-action--b6143619-dac3-4f9c-ae0a-605961bef9c7", - "spec_version": "2.1", - "created": "2023-02-07T20:05:21.547Z", - "modified": "2023-02-07T20:05:21.547Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "name": "Exploit Public-Facing Application", - "technique_id": "T1190", - "description": "Initial access gained through Log4Shell", - "confidence": 100, - "asset_refs": [ - "attack-asset--f37681b2-371c-4764-ae2f-36fdf3244460" - ], - "effect_refs": [ - "attack-action--0d573bcd-ee5d-4231-ab43-188ef7e809e9" - ] - }, - { - "type": "vulnerability", - "id": "vulnerability--924ed7f2-54ae-42ad-b1af-94734ff368e0", - "spec_version": "2.1", - "created": "2023-02-07T20:05:21.547Z", - "modified": "2023-02-07T20:05:21.547Z", - "name": "CVE-2021-44228", - "description": "Log4Shell vulnerability that allows attackers to execute arbitrary code loaded from LDAP servers" - }, - { - "type": "note", - "id": "note--715f87ed-5429-478b-93da-f466a3695f5a", - "spec_version": "2.1", - "created": "2023-02-07T20:05:21.547Z", - "modified": "2023-02-07T20:05:21.547Z", - "content": "LDAP server (51.89.181.64) is used to exploit Log4Shell", - "object_refs": [ - "vulnerability--924ed7f2-54ae-42ad-b1af-94734ff368e0" - ] - }, - { - "type": "infrastructure", - "id": 
"infrastructure--b7ee6cab-d421-4ea9-8f97-d529c383e7fe", - "spec_version": "2.1", - "created": "2023-02-07T20:05:21.547Z", - "modified": "2023-02-07T20:05:21.547Z", - "name": "182.54.217.2", - "infrastructure_types": [ - "command-and-control" - ] - }, - { - "type": "attack-asset", - "id": "attack-asset--f37681b2-371c-4764-ae2f-36fdf3244460", - "spec_version": "2.1", - "created": "2023-02-07T20:05:21.547Z", - "modified": "2023-02-07T20:05:21.547Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "name": "VMware Horizon server" - }, - { - "type": "attack-action", - "id": "attack-action--0d573bcd-ee5d-4231-ab43-188ef7e809e9", - "spec_version": "2.1", - "created": "2023-02-07T20:05:21.547Z", - "modified": "2023-02-07T20:05:21.547Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "name": "Command and Scripting Interpreter: PowerShell", - "technique_id": "T1059.001", - "description": "PowerShell added an exclusion rule to Windows Defender and was executed on AD to obtain a list of machines on the domain", - "confidence": 100, - "effect_refs": [ - "attack-action--56ca6034-001b-4c5d-99b4-4f9bd3db56ba" - ], - "asset_refs": [ - "attack-asset--1713a15d-fa56-404a-92eb-2c4f7089d399" - ], - "command_ref": "process--3f5b9295-9d49-410e-b542-54f258b52434" - }, - { - "type": "attack-action", - "id": "attack-action--56ca6034-001b-4c5d-99b4-4f9bd3db56ba", - "spec_version": "2.1", - "created": "2023-02-07T20:05:21.547Z", - "modified": "2023-02-07T20:05:21.547Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "name": "Impair Defenses: Disable or Modify Tools", - "technique_id": "T1562.001", - "description": "Exclusion rule allowlisted the entire c:\\drive. 
Attackers also manually disabled Windows Defender via the GUI", - "confidence": 100, - "effect_refs": [ - "attack-action--cfae690b-64c4-405f-84f1-5e8b65da3f83" - ] - }, - { - "type": "attack-asset", - "id": "attack-asset--1713a15d-fa56-404a-92eb-2c4f7089d399", - "spec_version": "2.1", - "created": "2023-02-07T20:05:21.547Z", - "modified": "2023-02-07T20:05:21.547Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "name": "Active Directory" - }, - { - "type": "directory", - "id": "directory--02b1765f-0d2e-4991-8ba8-1053ef09de2c", - "spec_version": "2.1", - "created": "2023-02-07T20:05:21.547Z", - "modified": "2023-02-07T20:05:21.547Z", - "path": "c:\\drive" - }, - { - "type": "attack-action", - "id": "attack-action--cfae690b-64c4-405f-84f1-5e8b65da3f83", - "spec_version": "2.1", - "created": "2023-02-07T20:05:21.547Z", - "modified": "2023-02-07T20:05:21.547Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "name": "Ingress Tool Transfer", - "technique_id": "T1105", - "description": "mde.ps1 downloaded onto disk", - "confidence": 100, - "effect_refs": [ - "attack-action--3fbadab6-0484-4754-85af-fe99f575677e" - ] - }, - { - "type": "malware", - "id": "malware--89e310ac-f996-4bc7-9ee7-84b527178fa7", - "spec_version": "2.1", - "created": "2023-02-07T20:05:21.547Z", - "modified": "2023-02-07T20:05:21.547Z", - "name": "mde.ps1", - "description": "mdeploy.text downloaded from 182.54.217.2/mdeploy.txt to C:\\users\\public\\mde.ps1", - "malware_types": [ - "downloader" - ], - "is_family": true, - "capabilities": [ - "communicates-with-c2", - "installs-other-components" - ] - }, - { - "type": "attack-action", - "id": "attack-action--9c30cd6b-b97c-4336-8f91-777437b3824c", - "spec_version": "2.1", - "created": "2023-02-07T20:05:21.547Z", - "modified": "2023-02-07T20:05:21.547Z", - "extensions": { - 
"extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "name": "Indicator Removal on Host: File Deletion", - "technique_id": "T1070.004", - "description": "mde.ps1 is removed from the system", - "confidence": 100, - "effect_refs": [ - "attack-action--857eaaa1-d168-417a-8446-fe6e80095490" - ] - }, - { - "type": "attack-action", - "id": "attack-action--3fbadab6-0484-4754-85af-fe99f575677e", - "spec_version": "2.1", - "created": "2023-02-07T20:05:21.547Z", - "modified": "2023-02-07T20:05:21.547Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "name": "Ingress Tool Transfer", - "technique_id": "T1105", - "description": "mde.ps1 downloads file.zip ", - "confidence": 100, - "effect_refs": [ - "attack-action--9c30cd6b-b97c-4336-8f91-777437b3824c" - ] - }, - { - "type": "malware", - "id": "malware--31658705-f1fd-4d16-a928-ecc093820ed4", - "spec_version": "2.1", - "created": "2023-02-07T20:05:21.547Z", - "modified": "2023-02-07T20:05:21.547Z", - "name": "file.zip", - "description": "mde.ps1 downloads file.zip from 182.54.217.2; contained 4 files", - "malware_types": [ - "dropper" - ], - "is_family": true, - "capabilities": [ - "escalates-privileges", - "installs-other-components" - ] - }, - { - "type": "malware", - "id": "malware--ac51c325-5c08-4c3d-b89e-c31b1a171a84", - "spec_version": "2.1", - "created": "2023-02-07T20:05:21.547Z", - "modified": "2023-02-07T20:05:21.547Z", - "name": "WinRing0x64.sys", - "description": "XMRig Miner driver", - "malware_types": [ - "resource-exploitation" - ], - "is_family": true, - "capabilities": [ - "compromises-system-availability" - ] - }, - { - "type": "malware", - "id": "malware--d8f8e9a7-0c82-4094-a811-348661a542ac", - "spec_version": "2.1", - "created": "2023-02-07T20:05:21.547Z", - "modified": "2023-02-07T20:05:21.547Z", - "name": "wuacltservice.exe", - "description": "XMRig Miner", - "malware_types": [ - 
"resource-exploitation" - ], - "is_family": true, - "capabilities": [ - "compromises-system-availability" - ] - }, - { - "type": "malware", - "id": "malware--ab4c411d-58e9-4f99-b0f7-0f67f1f43159", - "spec_version": "2.1", - "created": "2023-02-07T20:05:21.547Z", - "modified": "2023-02-07T20:05:21.547Z", - "name": "RuntimeBroker.exe", - "description": "associated file", - "malware_types": [ - "trojan" - ], - "is_family": true, - "capabilities": [ - "communicates-with-c2", - "escalates-privileges", - "installs-other-components", - "persists-after-system-reboot" - ] - }, - { - "type": "tool", - "id": "tool--d783a8af-533c-4ecf-a097-698326a213ed", - "spec_version": "2.1", - "created": "2023-02-07T20:05:21.547Z", - "modified": "2023-02-07T20:05:21.547Z", - "name": "config.json", - "description": "XMRig Miner configuration", - "tool_types": [ - "unknown" - ] - }, - { - "type": "attack-action", - "id": "attack-action--857eaaa1-d168-417a-8446-fe6e80095490", - "spec_version": "2.1", - "created": "2023-02-07T20:05:21.547Z", - "modified": "2023-02-07T20:05:21.547Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "name": "Create Account: Local Account", - "technique_id": "T1136.001", - "description": "RuntimeBroker.exe can create local user accounts", - "confidence": 100, - "effect_refs": [ - "attack-action--69978025-0b45-44ae-8a3e-1730d7d93d07" - ] - }, - { - "type": "attack-action", - "id": "attack-action--69978025-0b45-44ae-8a3e-1730d7d93d07", - "spec_version": "2.1", - "created": "2023-02-07T20:05:21.547Z", - "modified": "2023-02-07T20:05:21.547Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "name": "System Network Configuration Discovery: Internet Connection Discovery", - "technique_id": "T1016.001", - "description": "Malware tests for internet connectivity by pinging 8.8.8.8", - "confidence": 100, - "effect_refs": [ 
- "attack-action--de68b787-80bb-424d-8d70-32b0cec8c94f" - ] - }, - { - "type": "attack-action", - "id": "attack-action--de68b787-80bb-424d-8d70-32b0cec8c94f", - "spec_version": "2.1", - "created": "2023-02-07T20:05:21.547Z", - "modified": "2023-02-07T20:05:21.547Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "name": "Scheduled Task/Job: Scheduled Task", - "technique_id": "T1053.005", - "description": "exploit payload created a scheduled task that executed RuntimeBroker.exe daily as SYSTEM", - "confidence": 100, - "effect_refs": [ - "attack-action--f8daeaa9-22f9-4601-96f9-ef3426c4630b" - ] - }, - { - "type": "process", - "id": "process--3f5b9295-9d49-410e-b542-54f258b52434", - "spec_version": "2.1", - "created": "2023-02-07T20:05:21.547Z", - "modified": "2023-02-07T20:05:21.547Z", - "command_line": "powershell try{Add-MpPreference -ExclusionPath 'C:\\'; Write-Host 'added-exclusion'} catch {Write-Host 'adding-exclusion-failed' }; powershell -enc \"$BASE64 encoded payload to download next stage and execute it\"" - }, - { - "type": "malware", - "id": "malware--ad11d63f-b48d-4c18-b7ff-0baf8edca7e3", - "spec_version": "2.1", - "created": "2023-02-07T20:05:21.547Z", - "modified": "2023-02-07T20:05:21.547Z", - "name": "RuntimeBrokerService.exe", - "description": "scheduled task is named RuntimeBrokerService.exe, masquerading as a legitimate Windows task", - "malware_types": [ - "trojan" - ], - "is_family": true, - "capabilities": [ - "communicates-with-c2", - "installs-other-components", - "persists-after-system-reboot" - ] - }, - { - "type": "attack-action", - "id": "attack-action--f8daeaa9-22f9-4601-96f9-ef3426c4630b", - "spec_version": "2.1", - "created": "2023-02-07T20:05:21.547Z", - "modified": "2023-02-07T20:05:21.547Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "name": "Remote Services: Remote Desktop 
Protocol", - "technique_id": "T1021.001", - "description": "RDP used to move laterally to multiple hosts on the network", - "confidence": 100, - "effect_refs": [ - "attack-action--57e36a89-fa92-470c-9d78-a90d8bd938a7" - ] - }, - { - "type": "attack-action", - "id": "attack-action--57e36a89-fa92-470c-9d78-a90d8bd938a7", - "spec_version": "2.1", - "created": "2023-02-07T20:05:21.547Z", - "modified": "2023-02-07T20:05:21.547Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "name": "Valid Accounts: Default Accounts", - "technique_id": "T1078.001", - "description": "Actors used built-in Windows account - DefaultAccount", - "confidence": 100, - "effect_refs": [ - "attack-action--c55d72d0-4b7b-4e86-93cf-a65a79ee24ce" - ] - }, - { - "type": "user-account", - "id": "user-account--039865eb-337f-4941-92c5-14de002c7753", - "spec_version": "2.1", - "created": "2023-02-07T20:05:21.547Z", - "modified": "2023-02-07T20:05:21.547Z", - "user_id": "DefaultAccount", - "account_type": "windows-local", - "display_name": "DefaultAccount" - }, - { - "type": "ipv4-addr", - "id": "ipv4-addr--903efce3-4a7d-4272-9c33-7868fc767876", - "spec_version": "2.1", - "created": "2023-02-07T20:05:21.547Z", - "modified": "2023-02-07T20:05:21.547Z", - "value": "182.54.217.2" - }, - { - "type": "ipv4-addr", - "id": "ipv4-addr--c51c9009-568d-46c6-8fac-09b4ce1e848c", - "spec_version": "2.1", - "created": "2023-02-07T20:05:21.548Z", - "modified": "2023-02-07T20:05:21.548Z", - "value": "182.54.217.2" - }, - { - "type": "user-account", - "id": "user-account--8b025fd8-d5a5-408a-8b29-c6795ba84c37", - "spec_version": "2.1", - "created": "2023-02-07T20:05:21.548Z", - "modified": "2023-02-07T20:05:21.548Z", - "user_id": "SYSTEM", - "display_name": "SYSTEM", - "is_privileged": true - }, - { - "type": "attack-action", - "id": "attack-action--c55d72d0-4b7b-4e86-93cf-a65a79ee24ce", - "spec_version": "2.1", - "created": 
"2023-02-07T20:05:21.548Z", - "modified": "2023-02-07T20:05:21.548Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "name": "Lateral Movement", - "tactic_id": "TA0008", - "description": "actors used DefaultAccount to move laterally to a VMware VDI-KMS host", - "confidence": 100, - "asset_refs": [ - "attack-asset--b7164aca-5ac6-449f-b4da-d66f94be41b2" - ], - "effect_refs": [ - "attack-action--0606c44c-4fcf-4d24-837c-e78341f77183" - ] - }, - { - "type": "attack-asset", - "id": "attack-asset--b7164aca-5ac6-449f-b4da-d66f94be41b2", - "spec_version": "2.1", - "created": "2023-02-07T20:05:21.548Z", - "modified": "2023-02-07T20:05:21.548Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "name": "VMware VDI-KMS host" - }, - { - "type": "attack-action", - "id": "attack-action--0606c44c-4fcf-4d24-837c-e78341f77183", - "spec_version": "2.1", - "created": "2023-02-07T20:05:21.548Z", - "modified": "2023-02-07T20:05:21.548Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "name": "Ingress Tool Transfer", - "technique_id": "T1105", - "description": "actors downloaded around 30MB of files from transfer.sh server associated with 144.76.136.153", - "confidence": 100, - "effect_refs": [ - "attack-action--d8ba9c2f-c6a6-4950-8cb3-d2d84c97859f" - ] - }, - { - "type": "tool", - "id": "tool--5b7f7115-8d96-4f17-ab2f-b305b476f8c1", - "spec_version": "2.1", - "created": "2023-02-07T20:05:21.548Z", - "modified": "2023-02-07T20:05:21.548Z", - "name": "PsExec", - "description": "Microsoft signed tool for system administrators", - "tool_types": [ - "remote-access" - ] - }, - { - "type": "tool", - "id": "tool--6f3d8f4c-e92c-42aa-b065-351f552fe10c", - "spec_version": "2.1", - "created": "2023-02-07T20:05:21.548Z", - "modified": "2023-02-07T20:05:21.548Z", - "name": 
"Mimikatz", - "description": "credential recovery/theft tool", - "tool_types": [ - "credential-exploitation" - ] - }, - { - "type": "malware", - "id": "malware--5e38cef0-6735-40f6-97dd-1b549424788e", - "spec_version": "2.1", - "created": "2023-02-07T20:05:21.548Z", - "modified": "2023-02-07T20:05:21.548Z", - "name": "Ngrok", - "description": "reverse proxy tool for proxying an internal service onto an Ngrok domain, which the user can then access at a randomly generated subdomain at *.ngrok.io", - "malware_types": [ - "webshell" - ], - "is_family": true, - "capabilities": [ - "persists-after-system-reboot" - ] - }, - { - "type": "attack-action", - "id": "attack-action--d8ba9c2f-c6a6-4950-8cb3-d2d84c97859f", - "spec_version": "2.1", - "created": "2023-02-07T20:05:21.548Z", - "modified": "2023-02-07T20:05:21.548Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "name": "Create Account: Domain Account", - "tactic_ref": "T1136.002", - "technique_id": "T1136.002", - "description": "Mimikatz used to create a rogue domain administrator account", - "confidence": 100, - "effect_refs": [ - "attack-action--52069465-600c-487a-8185-e809ed74588b" - ] - }, - { - "type": "attack-action", - "id": "attack-action--52069465-600c-487a-8185-e809ed74588b", - "spec_version": "2.1", - "created": "2023-02-07T20:05:21.548Z", - "modified": "2023-02-07T20:05:21.548Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "name": "Remote Services: Remote Desktop Protocol", - "technique_id": "T1021.001", - "description": "RDP used to move laterally to multiple hosts on the network", - "confidence": 100, - "effect_refs": [ - "attack-action--1d283005-09ce-49d3-8610-625a75635755" - ] - }, - { - "type": "attack-action", - "id": "attack-action--1d283005-09ce-49d3-8610-625a75635755", - "spec_version": "2.1", - "created": "2023-02-07T20:05:21.548Z", - 
"modified": "2023-02-07T20:05:21.548Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "name": "Impair Defenses: Disable or Modify Tools", - "technique_id": "T1562.001", - "description": "Logging into multiple hosts on the system, attackers manually disabled Windows Defender via the GUI", - "confidence": 100, - "effect_refs": [ - "attack-action--ee829570-2ca7-4948-a3de-a667f81fa2f5" - ] - }, - { - "type": "attack-action", - "id": "attack-action--ee829570-2ca7-4948-a3de-a667f81fa2f5", - "spec_version": "2.1", - "created": "2023-02-07T20:05:21.548Z", - "modified": "2023-02-07T20:05:21.548Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "name": "Lateral Tool Transfer", - "technique_id": "T1570", - "description": "actors implanted Ngrok executables and configuration files on multiple hosts", - "confidence": 100, - "effect_refs": [ - "attack-action--4beb5555-7460-4636-a2e4-096a01b54186" - ] - }, - { - "type": "malware", - "id": "malware--a6988ce0-635c-47fc-9d91-a4d919e97950", - "spec_version": "2.1", - "created": "2023-02-07T20:05:21.548Z", - "modified": "2023-02-07T20:05:21.548Z", - "name": "Ngrok", - "description": "reverse proxy tool for proxying an internal service onto an Ngrok domain, which the user can then access at a randomly generated subdomain at *.ngrok.io", - "malware_types": [ - "webshell" - ], - "is_family": true, - "capabilities": [ - "persists-after-system-reboot" - ] - }, - { - "type": "attack-action", - "id": "attack-action--4beb5555-7460-4636-a2e4-096a01b54186", - "spec_version": "2.1", - "created": "2023-02-07T20:05:21.548Z", - "modified": "2023-02-07T20:05:21.548Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "name": "Proxy", - "technique_id": "T1090", - "description": "Ngrok used to proxy RDP connections", - 
"confidence": 100, - "effect_refs": [ - "attack-action--7e2175b8-63f8-4934-82cf-394390accd82" - ] - }, - { - "type": "url", - "id": "url--5cb4ac20-de90-4aba-8467-fe57ba5af2a8", - "spec_version": "2.1", - "created": "2023-02-07T20:05:21.548Z", - "modified": "2023-02-07T20:05:21.548Z", - "value": "tunnel.us.ngrok[.]com" - }, - { - "type": "url", - "id": "url--3e9fd4ff-625f-42e3-8285-762835bd6b50", - "spec_version": "2.1", - "created": "2023-02-07T20:05:21.548Z", - "modified": "2023-02-07T20:05:21.548Z", - "value": "korgn.su.lennut[.]com " - }, - { - "type": "note", - "id": "note--31244bf1-3b1c-4ba6-bb41-063352cdcfa4", - "spec_version": "2.1", - "created": "2023-02-07T20:05:21.548Z", - "modified": "2023-02-07T20:05:21.548Z", - "content": "attackers may have configured a custom domain or used other Ngrok tunnel domains - *.ngrok[.]com, *.ngrok[.]io, ngrok.*.tunnel[.]com, or korgn.*.lennut[.]com", - "object_refs": [ - "attack-action--4beb5555-7460-4636-a2e4-096a01b54186" - ] - }, - { - "type": "attack-action", - "id": "attack-action--7e2175b8-63f8-4934-82cf-394390accd82", - "spec_version": "2.1", - "created": "2023-02-07T20:05:21.548Z", - "modified": "2023-02-07T20:05:21.548Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "name": "Lateral Movement", - "tactic_id": "TA0008", - "description": "actors moved laterally to the domain controller", - "confidence": 100, - "asset_refs": [ - "attack-asset--abf74a16-1d54-4a82-9384-b7eac0d9f4c4" - ], - "effect_refs": [ - "attack-action--2f9114f6-e715-448a-b0b7-3ccce0f95f7a" - ] - }, - { - "type": "attack-asset", - "id": "attack-asset--abf74a16-1d54-4a82-9384-b7eac0d9f4c4", - "spec_version": "2.1", - "created": "2023-02-07T20:05:21.548Z", - "modified": "2023-02-07T20:05:21.548Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "name": "Domain Controller" - }, - { - "type": 
"attack-action", - "id": "attack-action--45e8b0a1-83a5-41dc-8186-7d6d4c8a7c0a", - "spec_version": "2.1", - "created": "2023-02-07T20:05:21.548Z", - "modified": "2023-02-07T20:05:21.548Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "name": "Remote System Discovery", - "technique_id": "T1018", - "description": "Attackers used PowerShell on the AD to obtain a list of all machines attached to the domain", - "confidence": 100, - "command_ref": "process--6a0cd876-3fd3-4557-9dfc-7d004cf217ae", - "effect_refs": [ - "attack-action--792aaa39-bd97-4206-b088-2c29e5119da6" - ] - }, - { - "type": "attack-action", - "id": "attack-action--2f9114f6-e715-448a-b0b7-3ccce0f95f7a", - "spec_version": "2.1", - "created": "2023-02-07T20:05:21.548Z", - "modified": "2023-02-07T20:05:21.548Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "name": "Command and Scripting Interpreter: PowerShell", - "technique_id": "T1059.001", - "description": "Attackers executed PowerShell commands on the AD ", - "confidence": 100, - "effect_refs": [ - "attack-action--45e8b0a1-83a5-41dc-8186-7d6d4c8a7c0a" - ] - }, - { - "type": "process", - "id": "process--6a0cd876-3fd3-4557-9dfc-7d004cf217ae", - "spec_version": "2.1", - "created": "2023-02-07T20:05:21.548Z", - "modified": "2023-02-07T20:05:21.548Z", - "command_line": "Powershell.exe get-adcomputer -filter * -properties * | select name,operatingsystem,ipv4address >" - }, - { - "type": "attack-action", - "id": "attack-action--792aaa39-bd97-4206-b088-2c29e5119da6", - "spec_version": "2.1", - "created": "2023-02-07T20:05:21.548Z", - "modified": "2023-02-07T20:05:21.548Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "name": "Account Manipulation", - "technique_id": "T1098", - "description": "Actors changed the password for 
the local administrator account on several hosts", - "confidence": 100, - "effect_refs": [ - "attack-action--99406b0d-2c64-4f78-a80b-f50898876197" - ] - }, - { - "type": "attack-action", - "id": "attack-action--99406b0d-2c64-4f78-a80b-f50898876197", - "spec_version": "2.1", - "created": "2023-02-07T20:05:21.548Z", - "modified": "2023-02-07T20:05:21.548Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "name": "OS Credential Dumping: LSASS Memory", - "technique_id": "T1003.001", - "description": "Actors tried to dump the LSASS process with task manager", - "confidence": 100 - }, - { - "type": "note", - "id": "note--ed71e0af-94b7-40ae-a434-81b815dea5c8", - "spec_version": "2.1", - "created": "2023-02-07T20:05:21.548Z", - "modified": "2023-02-07T20:05:21.548Z", - "content": "dumping the LSASS process was stopped by additional AV that was installed on the systems", - "object_refs": [ - "attack-action--99406b0d-2c64-4f78-a80b-f50898876197" - ] - }, - { - "type": "relationship", - "id": "relationship--36a60183-9cdf-4cee-9011-cc231c8945b7", - "spec_version": "2.1", - "created": "2023-02-07T20:05:21.548Z", - "modified": "2023-02-07T20:05:21.548Z", - "relationship_type": "related-to", - "source_ref": "attack-action--b6143619-dac3-4f9c-ae0a-605961bef9c7", - "target_ref": "vulnerability--924ed7f2-54ae-42ad-b1af-94734ff368e0" - }, - { - "type": "relationship", - "id": "relationship--05bb1b67-e758-49ca-832b-7df7ae0dc963", - "spec_version": "2.1", - "created": "2023-02-07T20:05:21.548Z", - "modified": "2023-02-07T20:05:21.548Z", - "relationship_type": "related-to", - "source_ref": "attack-action--b6143619-dac3-4f9c-ae0a-605961bef9c7", - "target_ref": "infrastructure--b7ee6cab-d421-4ea9-8f97-d529c383e7fe" - }, - { - "type": "relationship", - "id": "relationship--015096d7-4500-40dd-9f6d-8956f25be696", - "spec_version": "2.1", - "created": "2023-02-07T20:05:21.548Z", - "modified": 
"2023-02-07T20:05:21.548Z", - "relationship_type": "related-to", - "source_ref": "attack-action--56ca6034-001b-4c5d-99b4-4f9bd3db56ba", - "target_ref": "directory--02b1765f-0d2e-4991-8ba8-1053ef09de2c" - }, - { - "type": "relationship", - "id": "relationship--cc9336f6-a127-41ec-8457-959a542a0003", - "spec_version": "2.1", - "created": "2023-02-07T20:05:21.548Z", - "modified": "2023-02-07T20:05:21.548Z", - "relationship_type": "related-to", - "source_ref": "attack-action--cfae690b-64c4-405f-84f1-5e8b65da3f83", - "target_ref": "malware--89e310ac-f996-4bc7-9ee7-84b527178fa7" - }, - { - "type": "relationship", - "id": "relationship--73882cb2-1dd1-41e3-8ba3-2a360ffe00e4", - "spec_version": "2.1", - "created": "2023-02-07T20:05:21.548Z", - "modified": "2023-02-07T20:05:21.548Z", - "relationship_type": "related-to", - "source_ref": "attack-action--3fbadab6-0484-4754-85af-fe99f575677e", - "target_ref": "malware--31658705-f1fd-4d16-a928-ecc093820ed4" - }, - { - "type": "relationship", - "id": "relationship--c2b27a21-0360-4565-b037-23ed07e8ecba", - "spec_version": "2.1", - "created": "2023-02-07T20:05:21.548Z", - "modified": "2023-02-07T20:05:21.548Z", - "relationship_type": "related-to", - "source_ref": "malware--31658705-f1fd-4d16-a928-ecc093820ed4", - "target_ref": "malware--ac51c325-5c08-4c3d-b89e-c31b1a171a84" - }, - { - "type": "relationship", - "id": "relationship--8c128a59-8252-466b-b3e7-117ce6c613de", - "spec_version": "2.1", - "created": "2023-02-07T20:05:21.548Z", - "modified": "2023-02-07T20:05:21.548Z", - "relationship_type": "related-to", - "source_ref": "malware--31658705-f1fd-4d16-a928-ecc093820ed4", - "target_ref": "malware--d8f8e9a7-0c82-4094-a811-348661a542ac" - }, - { - "type": "relationship", - "id": "relationship--52d23424-eb4a-4f72-98e3-187cfaef04a6", - "spec_version": "2.1", - "created": "2023-02-07T20:05:21.548Z", - "modified": "2023-02-07T20:05:21.548Z", - "relationship_type": "related-to", - "source_ref": 
"malware--31658705-f1fd-4d16-a928-ecc093820ed4", - "target_ref": "tool--d783a8af-533c-4ecf-a097-698326a213ed" - }, - { - "type": "relationship", - "id": "relationship--748d5279-c459-43e6-9fd1-b43ba09d6288", - "spec_version": "2.1", - "created": "2023-02-07T20:05:21.548Z", - "modified": "2023-02-07T20:05:21.548Z", - "relationship_type": "related-to", - "source_ref": "malware--31658705-f1fd-4d16-a928-ecc093820ed4", - "target_ref": "malware--ab4c411d-58e9-4f99-b0f7-0f67f1f43159" - }, - { - "type": "relationship", - "id": "relationship--008aea3e-eb97-4a72-bccb-be391ff6a260", - "spec_version": "2.1", - "created": "2023-02-07T20:05:21.549Z", - "modified": "2023-02-07T20:05:21.549Z", - "relationship_type": "related-to", - "source_ref": "attack-action--de68b787-80bb-424d-8d70-32b0cec8c94f", - "target_ref": "malware--ad11d63f-b48d-4c18-b7ff-0baf8edca7e3" - }, - { - "type": "relationship", - "id": "relationship--d00f3bd8-3249-47f6-8938-007820ad0cf1", - "spec_version": "2.1", - "created": "2023-02-07T20:05:21.549Z", - "modified": "2023-02-07T20:05:21.549Z", - "relationship_type": "related-to", - "source_ref": "attack-action--de68b787-80bb-424d-8d70-32b0cec8c94f", - "target_ref": "user-account--8b025fd8-d5a5-408a-8b29-c6795ba84c37" - }, - { - "type": "relationship", - "id": "relationship--48db4155-f2d6-42ec-8428-900cf6f8fcf0", - "spec_version": "2.1", - "created": "2023-02-07T20:05:21.549Z", - "modified": "2023-02-07T20:05:21.549Z", - "relationship_type": "related-to", - "source_ref": "attack-action--57e36a89-fa92-470c-9d78-a90d8bd938a7", - "target_ref": "user-account--039865eb-337f-4941-92c5-14de002c7753" - }, - { - "type": "relationship", - "id": "relationship--0b8963ec-2c46-4c8f-80c8-3f14a6941154", - "spec_version": "2.1", - "created": "2023-02-07T20:05:21.549Z", - "modified": "2023-02-07T20:05:21.549Z", - "relationship_type": "related-to", - "source_ref": "ipv4-addr--903efce3-4a7d-4272-9c33-7868fc767876", - "target_ref": "malware--31658705-f1fd-4d16-a928-ecc093820ed4" - }, 
- { - "type": "relationship", - "id": "relationship--30846561-0b69-4a28-8021-5d06dc9bdb2a", - "spec_version": "2.1", - "created": "2023-02-07T20:05:21.549Z", - "modified": "2023-02-07T20:05:21.549Z", - "relationship_type": "related-to", - "source_ref": "ipv4-addr--c51c9009-568d-46c6-8fac-09b4ce1e848c", - "target_ref": "malware--89e310ac-f996-4bc7-9ee7-84b527178fa7" - }, - { - "type": "relationship", - "id": "relationship--38cc7c0c-ab22-417c-b6e5-cfe0eae6efb1", - "spec_version": "2.1", - "created": "2023-02-07T20:05:21.549Z", - "modified": "2023-02-07T20:05:21.549Z", - "relationship_type": "related-to", - "source_ref": "attack-action--0606c44c-4fcf-4d24-837c-e78341f77183", - "target_ref": "malware--5e38cef0-6735-40f6-97dd-1b549424788e" - }, - { - "type": "relationship", - "id": "relationship--a8d02440-9478-4bf7-9416-de2a0a8e4f56", - "spec_version": "2.1", - "created": "2023-02-07T20:05:21.549Z", - "modified": "2023-02-07T20:05:21.549Z", - "relationship_type": "related-to", - "source_ref": "attack-action--0606c44c-4fcf-4d24-837c-e78341f77183", - "target_ref": "tool--5b7f7115-8d96-4f17-ab2f-b305b476f8c1" - }, - { - "type": "relationship", - "id": "relationship--b101e931-5de9-47bc-a5f2-ac0a24b0d4af", - "spec_version": "2.1", - "created": "2023-02-07T20:05:21.549Z", - "modified": "2023-02-07T20:05:21.549Z", - "relationship_type": "related-to", - "source_ref": "attack-action--0606c44c-4fcf-4d24-837c-e78341f77183", - "target_ref": "tool--6f3d8f4c-e92c-42aa-b065-351f552fe10c" - }, - { - "type": "relationship", - "id": "relationship--e2cf4e6a-5804-4f38-9c2a-45f3dab8fe22", - "spec_version": "2.1", - "created": "2023-02-07T20:05:21.549Z", - "modified": "2023-02-07T20:05:21.549Z", - "relationship_type": "related-to", - "source_ref": "attack-action--ee829570-2ca7-4948-a3de-a667f81fa2f5", - "target_ref": "malware--a6988ce0-635c-47fc-9d91-a4d919e97950" - }, - { - "type": "relationship", - "id": "relationship--5433f462-3179-4092-bb0c-fe76e55e424d", - "spec_version": "2.1", - 
"created": "2023-02-07T20:05:21.549Z", - "modified": "2023-02-07T20:05:21.549Z", - "relationship_type": "related-to", - "source_ref": "attack-action--4beb5555-7460-4636-a2e4-096a01b54186", - "target_ref": "url--5cb4ac20-de90-4aba-8467-fe57ba5af2a8" - }, - { - "type": "relationship", - "id": "relationship--8f60442e-8fbd-45e2-b6b6-9b97c1fa263b", - "spec_version": "2.1", - "created": "2023-02-07T20:05:21.549Z", - "modified": "2023-02-07T20:05:21.549Z", - "relationship_type": "related-to", - "source_ref": "attack-action--4beb5555-7460-4636-a2e4-096a01b54186", - "target_ref": "url--3e9fd4ff-625f-42e3-8285-762835bd6b50" - } - ] -} \ No newline at end of file diff --git a/corpus/Cobalt Kitty Campaign.json b/corpus/Cobalt Kitty Campaign.json deleted file mode 100644 index dc93d4e4..00000000 --- a/corpus/Cobalt Kitty Campaign.json +++ /dev/null 
@@ -1,1070 +0,0 @@ -{ - "type": "bundle", - "id": "bundle--385a280c-da40-4c82-bb57-7d6a3b5126e7", - "spec_version": "2.1", - "created": "2022-12-21T20:27:51.106Z", - "modified": "2022-12-21T20:27:51.106Z", - "objects": [ - { - "type": "extension-definition", - "id": "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4", - "spec_version": "2.1", - "created": "2022-08-02T19:34:35.143Z", - "modified": "2022-08-02T19:34:35.143Z", - "name": "Attack Flow", - "description": "Extends STIX 2.1 with features to create Attack Flows.", - "created_by_ref": "identity--fb9c968a-745b-4ade-9b25-c324172197f4", - "schema": "https://center-for-threat-informed-defense.github.io/attack-flow/stix/attack-flow-schema-2.0.0.json", - "version": "2.0.0", - "extension_types": [ - "new-sdo" - ], - "external_references": [ - { - "source_name": "Documentation", - "description": "Documentation for Attack Flow", - "url": "https://center-for-threat-informed-defense.github.io/attack-flow" - }, - { - "source_name": "GitHub", - "description": "Source code repository for Attack Flow", - "url": "https://github.com/center-for-threat-informed-defense/attack-flow" - } - ] - }, - { - "type": "identity", - "id": "identity--fb9c968a-745b-4ade-9b25-c324172197f4", - "spec_version": "2.1", - "created": "2022-08-02T19:34:35.143Z", - "modified": "2022-08-02T19:34:35.143Z", - "create_by_ref": "identity--fb9c968a-745b-4ade-9b25-c324172197f4", - "name": "MITRE Engenuity Center for Threat-Informed Defense", - "identity_class": "organization" - }, - { - "type": "attack-flow", - "id": "attack-flow--cc1b4136-b914-402e-ba05-bb16768d4a13", - "spec_version": "2.1", - "created": "2022-10-27T02:44:54.520Z", - "modified": "2022-12-21T20:27:51.106Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "created_by_ref": "identity--a1e7909a-0e52-41f9-bf1b-9fd101cbe64e", - "start_refs": [ - "attack-action--7e43c3eb-f609-4a53-beb3-40829afb89aa", - 
"attack-action--398ab58e-b755-4251-9dc5-293817d349ea", - "attack-action--508bc600-bbf4-4e31-a789-8971f51dc581" - ], - "name": "Cobalt Kitty Campaign", - "description": "Cobalt Kitty campaign conducted by OceanLotus.", - "author": [ - [ - "name", - "Eric Kannampuzha" - ], - [ - "identity_class", - "23b79ae0fc0f07a3669598dd23c694cc" - ], - [ - "contact_information", - "ekannampuzha@mitre.org" - ] - ], - "scope": "campaign", - "external_references": [ - { - "source_name": "Cybereason", - "description": "Article", - "url": "https://www.cybereason.com/blog/operation-cobalt-kitty-apt" - }, - { - "source_name": "CrowdStrike", - "description": "Adversary Focus", - "url": "https://adversary.crowdstrike.com/en-US/adversary/ocean-buffalo/" - }, - { - "source_name": "MITRE", - "description": "ATT&CK Group", - "url": "https://attack.mitre.org/groups/G0050/" - } - ] - }, - { - "type": "identity", - "id": "identity--a1e7909a-0e52-41f9-bf1b-9fd101cbe64e", - "spec_version": "2.1", - "created": "2022-12-21T20:27:51.106Z", - "modified": "2022-12-21T20:27:51.106Z", - "name": "Eric Kannampuzha", - "identity_class": "individual", - "contact_information": "ekannampuzha@mitre.org" - }, - { - "type": "attack-action", - "id": "attack-action--7e43c3eb-f609-4a53-beb3-40829afb89aa", - "spec_version": "2.1", - "created": "2022-12-21T20:27:51.106Z", - "modified": "2022-12-21T20:27:51.106Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "name": "Phishing: Spearphishing Link", - "technique_id": "T1566.002", - "description": "Link to a malicious site that downloads a fake Flash Installer delivering Cobalt Strike beacon.", - "confidence": 100, - "effect_refs": [ - "attack-action--d3d7d621-23f1-4536-8777-aa37cfa4789f" - ] - }, - { - "type": "attack-action", - "id": "attack-action--398ab58e-b755-4251-9dc5-293817d349ea", - "spec_version": "2.1", - "created": "2022-12-21T20:27:51.106Z", - "modified": 
"2022-12-21T20:27:51.106Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "name": "Deobfuscate/Decode Files or Information", - "technique_id": "T1140", - "description": "Obfuscated and XOR'ed PowerShell is decoded to download additional obfuscated PowerShell payloads", - "confidence": 100, - "effect_refs": [ - "attack-action--96bb23ee-9fa2-4442-b49c-4b2dcc49d043", - "attack-action--788fab85-7ed0-42d7-aed2-cec8ac099f32" - ] - }, - { - "type": "attack-action", - "id": "attack-action--508bc600-bbf4-4e31-a789-8971f51dc581", - "spec_version": "2.1", - "created": "2022-12-21T20:27:51.106Z", - "modified": "2022-12-21T20:27:51.106Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "name": "Phishing: Spearphishing Attachment", - "technique_id": "T1566.001", - "description": "Word documents with malicious macros downloading Cobalt Strike payloads", - "confidence": 100, - "effect_refs": [ - "attack-action--217d8b41-0faf-415e-be60-1489e39d3ee5" - ] - }, - { - "type": "attack-action", - "id": "attack-action--217d8b41-0faf-415e-be60-1489e39d3ee5", - "spec_version": "2.1", - "created": "2022-12-21T20:27:51.106Z", - "modified": "2022-12-21T20:27:51.106Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "name": "Scheduled Task/Job: Scheduled Task", - "technique_id": "T1053.005", - "description": "Two scheduled tasks are created that download additional payloads", - "confidence": 100, - "effect_refs": [ - "attack-operator--5c3ac180-7cb9-42a6-98de-66e906effc2b" - ] - }, - { - "type": "attack-action", - "id": "attack-action--d3d7d621-23f1-4536-8777-aa37cfa4789f", - "spec_version": "2.1", - "created": "2022-12-21T20:27:51.106Z", - "modified": "2022-12-21T20:27:51.106Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - 
"extension_type": "new-sdo" - } - }, - "name": "Command and Scripting Interpreter: PowerShell", - "technique_id": "T1059.001", - "description": "Obfuscated PowerShell scripts delivering Cobalt Strike beacons are downloaded", - "confidence": 100, - "effect_refs": [ - "attack-operator--5c3ac180-7cb9-42a6-98de-66e906effc2b" - ] - }, - { - "type": "attack-action", - "id": "attack-action--3488c178-ef07-4ba9-9007-6ca8aaff51c9", - "spec_version": "2.1", - "created": "2022-12-21T20:27:51.106Z", - "modified": "2022-12-21T20:27:51.106Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "name": "Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder", - "technique_id": "T1547.001", - "description": "Windows Registry Autorun is used to execute VBScript and PowerShell scripts residing in the ProgramData folder", - "confidence": 100, - "effect_refs": [ - "attack-operator--c75d6f51-0b7c-4b90-bd97-943385d84391" - ] - }, - { - "type": "attack-action", - "id": "attack-action--96bb23ee-9fa2-4442-b49c-4b2dcc49d043", - "spec_version": "2.1", - "created": "2022-12-21T20:27:51.106Z", - "modified": "2022-12-21T20:27:51.106Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "name": "Command and Scripting Interpreter: PowerShell", - "technique_id": "T1059.001", - "description": "Obfuscated PowerShell scripts that executes a Cobalt Strike beacon", - "confidence": 100, - "effect_refs": [ - "attack-operator--8e2a58eb-6a0c-486b-b318-8527f5c3357a" - ] - }, - { - "type": "attack-action", - "id": "attack-action--8589d97f-43fd-4d11-83a0-41e5902cfe9f", - "spec_version": "2.1", - "created": "2022-12-21T20:27:51.106Z", - "modified": "2022-12-21T20:27:51.106Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "name": "Hide Artifacts: NTFS File Attributes", - 
"technique_id": "T1564.001", - "description": "Payloads for persistence were hidden in NTFS Alternate Data Streams", - "confidence": 100, - "effect_refs": [ - "attack-operator--c75d6f51-0b7c-4b90-bd97-943385d84391" - ] - }, - { - "type": "attack-action", - "id": "attack-action--a19ca663-f6ef-4925-bef4-94248349f2e6", - "spec_version": "2.1", - "created": "2022-12-21T20:27:51.106Z", - "modified": "2022-12-21T20:27:51.106Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "name": "Scheduled Task/Job: Scheduled Task", - "technique_id": "T1053.005", - "description": "Scheduled tasks are created that load malicious PowerShell payloads using DLL hijacking with a Google Update binary", - "confidence": 100, - "effect_refs": [ - "attack-operator--c75d6f51-0b7c-4b90-bd97-943385d84391" - ] - }, - { - "type": "attack-action", - "id": "attack-action--ac381463-471d-4ccb-9177-ebd834ed5706", - "spec_version": "2.1", - "created": "2022-12-21T20:27:51.106Z", - "modified": "2022-12-21T20:27:51.106Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "name": "Create or Modify System Process: Windows Service", - "technique_id": "T1059.005", - "description": "Windows services were created and/or modified to load PowerShell scripts", - "confidence": 100, - "effect_refs": [ - "attack-operator--c75d6f51-0b7c-4b90-bd97-943385d84391" - ] - }, - { - "type": "attack-action", - "id": "attack-action--a229d676-e14f-46ee-9bc4-22e769c9abad", - "spec_version": "2.1", - "created": "2022-12-21T20:27:51.106Z", - "modified": "2022-12-21T20:27:51.106Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "name": "Office Application Startup", - "technique_id": "T1137", - "description": "Malicious Outlook backdoor macros were to used to communicate with C2 servers and exfiltrate data", 
- "confidence": 100, - "effect_refs": [ - "attack-operator--c75d6f51-0b7c-4b90-bd97-943385d84391" - ] - }, - { - "type": "attack-action", - "id": "attack-action--53f217bc-c353-4ada-b782-7391aaee5685", - "spec_version": "2.1", - "created": "2022-12-21T20:27:51.106Z", - "modified": "2022-12-21T20:27:51.106Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "name": "Phantom DLL Hijacking", - "description": "A malicious DLL file was implanted where the Windows Search Service would run and load the DLL", - "confidence": 100, - "effect_refs": [ - "attack-action--4c1cd5fd-27ee-4600-901a-5897e05d1b58" - ] - }, - { - "type": "attack-action", - "id": "attack-action--4c1cd5fd-27ee-4600-901a-5897e05d1b58", - "spec_version": "2.1", - "created": "2022-12-21T20:27:51.106Z", - "modified": "2022-12-21T20:27:51.106Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "name": "Signed Binary Proxy Execution: Regsvr32", - "technique_id": "T1218.010", - "description": "Regsvr32.exe is used to download COM scriplets for malicious execution", - "confidence": 100, - "effect_refs": [ - "attack-action--bad6fe95-996c-432e-9362-e187a87ba485", - "attack-action--a19b78e2-9d90-46a7-bb55-7dc533edee63", - "attack-action--2129fd6d-9887-4a29-b550-3a598b50f641" - ] - }, - { - "type": "attack-action", - "id": "attack-action--436a56c4-7998-45f2-8f4e-3e4709e3e80c", - "spec_version": "2.1", - "created": "2022-12-21T20:27:51.106Z", - "modified": "2022-12-21T20:27:51.106Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "name": "Remote System Discovery", - "technique_id": "T1018", - "description": "Network scanning was performed against entire ranges to gain information on open ports, services, and operating systems for remote systems", - "confidence": 100, - "effect_refs": [ - 
"attack-operator--445fd1d0-da6d-4b9d-9bf2-35465cf2774c" - ] - }, - { - "type": "attack-action", - "id": "attack-action--a19b78e2-9d90-46a7-bb55-7dc533edee63", - "spec_version": "2.1", - "created": "2022-12-21T20:27:51.106Z", - "modified": "2022-12-21T20:27:51.106Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "name": "Data Obfuscation: Protocol Impersonation", - "technique_id": "T1001.003", - "description": "Cobalt Strike's malleable C2 profiles were used to impersonate Amazon, Google Safe Browsing, Pandora, and OSCP traffic", - "confidence": 100, - "effect_refs": [ - "attack-operator--f7a7356a-a39f-438a-9a59-cd6654f88363" - ] - }, - { - "type": "attack-action", - "id": "attack-action--bad6fe95-996c-432e-9362-e187a87ba485", - "spec_version": "2.1", - "created": "2022-12-21T20:27:51.106Z", - "modified": "2022-12-21T20:27:51.106Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "name": "Application Layer Protocol: DNS", - "technique_id": "T1071.004", - "description": "DNS tunneling was used for C2 communication and data exfiltration", - "confidence": 100, - "effect_refs": [ - "attack-operator--f7a7356a-a39f-438a-9a59-cd6654f88363" - ] - }, - { - "type": "attack-action", - "id": "attack-action--2129fd6d-9887-4a29-b550-3a598b50f641", - "spec_version": "2.1", - "created": "2022-12-21T20:27:51.106Z", - "modified": "2022-12-21T20:27:51.106Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "name": "Application Layer Protocol: Mail Protocols", - "technique_id": "T1071.003", - "description": "Malicious Outlook macros were created to utilize email for C2 communication and data exfiltration", - "confidence": 100, - "effect_refs": [ - "attack-operator--f7a7356a-a39f-438a-9a59-cd6654f88363" - ] - }, - { - "type": "attack-action", - "id": 
"attack-action--e70b0b83-e9b0-4188-a1c1-c049cec1c48e", - "spec_version": "2.1", - "created": "2022-12-21T20:27:51.106Z", - "modified": "2022-12-21T20:27:51.106Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "name": "System Information Discovery", - "technique_id": "T1082", - "description": "The attackers used several tools built into the Windows OS to gather information on the environment’s users. ", - "confidence": 100, - "effect_refs": [ - "attack-operator--445fd1d0-da6d-4b9d-9bf2-35465cf2774c" - ] - }, - { - "type": "attack-action", - "id": "attack-action--90c24039-8903-407d-a9a8-9960faf084e2", - "spec_version": "2.1", - "created": "2022-12-21T20:27:51.106Z", - "modified": "2022-12-21T20:27:51.106Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "name": "System Network Configuration Discovery", - "technique_id": "T1016", - "description": "The attackers used several tools built into the Windows OS to gather information on the environment’s network configurations.", - "confidence": 100, - "effect_refs": [ - "attack-operator--a414b5c1-9edb-455d-b737-72205d43b17a" - ] - }, - { - "type": "attack-action", - "id": "attack-action--47a28c6a-51bc-4144-afd3-8117e2ce6828", - "spec_version": "2.1", - "created": "2022-12-21T20:27:51.106Z", - "modified": "2022-12-21T20:27:51.106Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "name": "Network Service Scanning", - "technique_id": "T1046", - "description": "Network scanning was performed against entire ranges to gain information on open ports, services, and operating systems", - "confidence": 100, - "effect_refs": [ - "attack-operator--445fd1d0-da6d-4b9d-9bf2-35465cf2774c" - ] - }, - { - "type": "attack-action", - "id": "attack-action--7ec57638-9eba-4456-af50-1a0e4804510d", - "spec_version": 
"2.1", - "created": "2022-12-21T20:27:51.106Z", - "modified": "2022-12-21T20:27:51.106Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "name": "OS Credential Dumping: LSA Secrets", - "technique_id": "T1003.004", - "description": "Modified version of Mimikatz was used to dump credentials", - "effect_refs": [ - "attack-action--c7ef4391-eb20-443b-91c2-cceaf0b06458", - "attack-action--2a0d98d7-92cc-4087-93ad-ff1db995bec6", - "attack-action--6c5276a7-4e5c-4807-957b-d1673f27aec5", - "attack-action--03fd7c2f-1eab-4468-8d67-7a331b75c261" - ] - }, - { - "type": "attack-action", - "id": "attack-action--03fd7c2f-1eab-4468-8d67-7a331b75c261", - "spec_version": "2.1", - "created": "2022-12-21T20:27:51.106Z", - "modified": "2022-12-21T20:27:51.106Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "name": "Remote Services: SMB/Windows Admin Shares", - "description": "Net.exe was used to perform lateral movement via Windows Admin Shares", - "asset_refs": [ - "attack-asset--1eccea60-8db3-4ac0-9db2-d4eef1c3b484" - ], - "effect_refs": [ - "attack-operator--65620718-41a3-43e9-842a-e169a076170a" - ] - }, - { - "type": "attack-action", - "id": "attack-action--c7ef4391-eb20-443b-91c2-cceaf0b06458", - "spec_version": "2.1", - "created": "2022-12-21T20:27:51.106Z", - "modified": "2022-12-21T20:27:51.106Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "name": "Windows Management Instrumentation", - "technique_id": "T1047", - "description": "WMI and 'net user' commands were used to deploy tools on remote machines", - "effect_refs": [ - "attack-operator--65620718-41a3-43e9-842a-e169a076170a" - ] - }, - { - "type": "attack-action", - "id": "attack-action--2a0d98d7-92cc-4087-93ad-ff1db995bec6", - "spec_version": "2.1", - "created": "2022-12-21T20:27:51.106Z", - 
"modified": "2022-12-21T20:27:51.106Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "name": "Use Alternate Authentication Material: Pass the Hash", - "technique_id": "T1550.002", - "description": "The attackers deployed a customized Mimikatz using stolen credentials from an administrative account, which they used to carry out a pass-the-hash attack", - "effect_refs": [ - "attack-operator--65620718-41a3-43e9-842a-e169a076170a" - ] - }, - { - "type": "attack-action", - "id": "attack-action--6c5276a7-4e5c-4807-957b-d1673f27aec5", - "spec_version": "2.1", - "created": "2022-12-21T20:27:51.106Z", - "modified": "2022-12-21T20:27:51.106Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "name": "Use Alternate Authentication Material: Pass the Ticket", - "technique_id": "T1550.003", - "description": "The attackers deployed a customized Mimikatz using stolen credentials from an administrative account, which they used to carry out a pass-the-ticket attack", - "effect_refs": [ - "attack-operator--65620718-41a3-43e9-842a-e169a076170a" - ] - }, - { - "type": "attack-operator", - "id": "attack-operator--f7a7356a-a39f-438a-9a59-cd6654f88363", - "spec_version": "2.1", - "created": "2022-12-21T20:27:51.106Z", - "modified": "2022-12-21T20:27:51.106Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "operator": "AND", - "effect_refs": [ - "attack-action--47a28c6a-51bc-4144-afd3-8117e2ce6828", - "attack-action--436a56c4-7998-45f2-8f4e-3e4709e3e80c", - "attack-action--e70b0b83-e9b0-4188-a1c1-c049cec1c48e" - ] - }, - { - "type": "attack-action", - "id": "attack-action--fa7a634c-2450-499a-9bf3-a09d8e34e937", - "spec_version": "2.1", - "created": "2022-12-21T20:27:51.106Z", - "modified": "2022-12-21T20:27:51.106Z", - "extensions": { - 
"extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "name": "System Network Connections Discovery", - "technique_id": "T1049", - "description": "The attackers used several tools built into the Windows OS to gather information on the environment’s network connections.", - "confidence": 100, - "effect_refs": [ - "attack-operator--a414b5c1-9edb-455d-b737-72205d43b17a" - ] - }, - { - "type": "attack-operator", - "id": "attack-operator--445fd1d0-da6d-4b9d-9bf2-35465cf2774c", - "spec_version": "2.1", - "created": "2022-12-21T20:27:51.106Z", - "modified": "2022-12-21T20:27:51.106Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "operator": "AND", - "effect_refs": [ - "attack-action--fa7a634c-2450-499a-9bf3-a09d8e34e937", - "attack-action--90c24039-8903-407d-a9a8-9960faf084e2" - ] - }, - { - "type": "attack-operator", - "id": "attack-operator--8e2a58eb-6a0c-486b-b318-8527f5c3357a", - "spec_version": "2.1", - "created": "2022-12-21T20:27:51.106Z", - "modified": "2022-12-21T20:27:51.106Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "operator": "AND", - "effect_refs": [ - "attack-action--ac381463-471d-4ccb-9177-ebd834ed5706", - "attack-action--8589d97f-43fd-4d11-83a0-41e5902cfe9f", - "attack-action--3488c178-ef07-4ba9-9007-6ca8aaff51c9", - "attack-action--a19ca663-f6ef-4925-bef4-94248349f2e6", - "attack-action--a229d676-e14f-46ee-9bc4-22e769c9abad" - ] - }, - { - "type": "attack-action", - "id": "attack-action--788fab85-7ed0-42d7-aed2-cec8ac099f32", - "spec_version": "2.1", - "created": "2022-12-21T20:27:51.106Z", - "modified": "2022-12-21T20:27:51.106Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "name": "Command and Scripting Interpreter: Visual Basic", - "technique_id": "T1059.005", 
- "description": "Attackers dropped Visual Basic and PowerShell scripts in folders that they created under the ProgramData", - "confidence": 100, - "effect_refs": [ - "attack-operator--8e2a58eb-6a0c-486b-b318-8527f5c3357a" - ] - }, - { - "type": "threat-actor", - "id": "threat-actor--f5182f82-449b-4edd-9c74-bf2ad4bcaf9d", - "spec_version": "2.1", - "created": "2022-12-21T20:27:51.106Z", - "modified": "2022-12-21T20:27:51.106Z", - "name": "OceanLotus", - "description": "APT32 is a suspected Vietnam-based threat group that has been active since at least 2012. The group has targeted multiple private sector industries as well as foreign governments, dissidents, and journalists with a strong focus on Southeast Asian countries like Vietnam, the Philippines, Laos, and Cambodia. Their primary objective is to collect information related to perceived threats to the Vietnamese government, but with possible geopolitical and economic espionage objectives as well. They have extensively used strategic web compromises to compromise victims.", - "threat_actor_types": [ - "Activist", - "Crime-syndicate", - "Competitor" - ], - "aliases": [ - "Ocean Buffalo", - "SeaLotus", - "APT32", - "TIN WOODLAWN", - "APT-C-00" - ], - "first_seen": "2012-01-01T00:00:00.000Z", - "roles": [ - "Agent", - "Independent" - ], - "goals": [ - "Collect information on perceived threats to the Vietnamese government; geopolitical and economic espionage" - ], - "sophistication": "Expert", - "resource_level": "Organization", - "primary_motivation": "organizational-gain", - "secondary_motivations": [ - "ideology" - ] - }, - { - "type": "campaign", - "id": "campaign--8ed0c3ff-cecd-40f1-9d6b-e3dbe955ac7a", - "spec_version": "2.1", - "created": "2022-12-21T20:27:51.106Z", - "modified": "2022-12-21T20:27:51.106Z", - "name": "Operation Cobalt Kitty", - "description": "A large-scale campaign in Asia carried out by the OceanLotus Group", - "objective": "Stealing proprietary business information" - }, - { - "type": 
"attack-operator", - "id": "attack-operator--5c3ac180-7cb9-42a6-98de-66e906effc2b", - "spec_version": "2.1", - "created": "2022-12-21T20:27:51.106Z", - "modified": "2022-12-21T20:27:51.106Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "operator": "OR", - "effect_refs": [ - "attack-action--398ab58e-b755-4251-9dc5-293817d349ea" - ] - }, - { - "type": "attack-operator", - "id": "attack-operator--c75d6f51-0b7c-4b90-bd97-943385d84391", - "spec_version": "2.1", - "created": "2022-12-21T20:27:51.106Z", - "modified": "2022-12-21T20:27:51.106Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "operator": "AND", - "effect_refs": [ - "attack-action--53f217bc-c353-4ada-b782-7391aaee5685" - ] - }, - { - "type": "attack-operator", - "id": "attack-operator--a414b5c1-9edb-455d-b737-72205d43b17a", - "spec_version": "2.1", - "created": "2022-12-21T20:27:51.106Z", - "modified": "2022-12-21T20:27:51.106Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "operator": "AND", - "effect_refs": [ - "attack-action--7ec57638-9eba-4456-af50-1a0e4804510d" - ] - }, - { - "type": "tool", - "id": "tool--e378563e-c6df-4d01-89a9-f3545cc42517", - "spec_version": "2.1", - "created": "2022-12-21T20:27:51.106Z", - "modified": "2022-12-21T20:27:51.106Z", - "name": "Windows Management Instrumentation (WMI) ", - "tool_types": [ - "Information-gathering" - ] - }, - { - "type": "tool", - "id": "tool--38394be6-1da8-45e2-86c4-180837bd00e8", - "spec_version": "2.1", - "created": "2022-12-21T20:27:51.106Z", - "modified": "2022-12-21T20:27:51.106Z", - "name": "Arp", - "tool_types": [ - "Information-gathering" - ] - }, - { - "type": "tool", - "id": "tool--127e715e-a04a-4103-84ef-99015b27d94f", - "spec_version": "2.1", - "created": "2022-12-21T20:27:51.106Z", - "modified": 
"2022-12-21T20:27:51.106Z", - "name": "Ipconfig", - "tool_types": [ - "Information-gathering" - ] - }, - { - "type": "tool", - "id": "tool--09b75cde-799f-432c-9920-bbf13d0eb336", - "spec_version": "2.1", - "created": "2022-12-21T20:27:51.106Z", - "modified": "2022-12-21T20:27:51.106Z", - "name": "Netstat", - "tool_types": [ - "Information-gathering" - ] - }, - { - "type": "tool", - "id": "tool--cd07bd67-3e94-4fce-8c86-589ad7c314c0", - "spec_version": "2.1", - "created": "2022-12-21T20:27:51.106Z", - "modified": "2022-12-21T20:27:51.106Z", - "name": "net user/group/localgroup", - "tool_types": [ - "Information-gathering" - ] - }, - { - "type": "tool", - "id": "tool--0ade6c1a-d0b5-47d2-a633-b61144024874", - "spec_version": "2.1", - "created": "2022-12-21T20:27:51.106Z", - "modified": "2022-12-21T20:27:51.106Z", - "name": "Nslookup", - "tool_types": [ - "Information-gathering" - ] - }, - { - "type": "tool", - "id": "tool--b1ddb6da-5c43-440d-9189-39c740659ccc", - "spec_version": "2.1", - "created": "2022-12-21T20:27:51.106Z", - "modified": "2022-12-21T20:27:51.106Z", - "name": "Netsh", - "tool_types": [ - "Information-gathering" - ] - }, - { - "type": "tool", - "id": "tool--f2fac0de-8565-48ab-9ce8-d67dee1edeb6", - "spec_version": "2.1", - "created": "2022-12-21T20:27:51.106Z", - "modified": "2022-12-21T20:27:51.106Z", - "name": "Mimikatz", - "tool_types": [ - "credential-exploitation" - ] - }, - { - "type": "tool", - "id": "tool--6c9c4fd4-1e75-45c2-921c-a2df79fd4108", - "spec_version": "2.1", - "created": "2022-12-21T20:27:51.106Z", - "modified": "2022-12-21T20:27:51.106Z", - "name": "Net.exe", - "tool_types": [ - "remote-access" - ] - }, - { - "type": "attack-asset", - "id": "attack-asset--1eccea60-8db3-4ac0-9db2-d4eef1c3b484", - "spec_version": "2.1", - "created": "2022-12-21T20:27:51.106Z", - "modified": "2022-12-21T20:27:51.106Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "name": 
"Windows Admin Shares" - }, - { - "type": "tool", - "id": "tool--1d4a5369-38f8-4b40-8390-2c3cf8f940a0", - "spec_version": "2.1", - "created": "2022-12-21T20:27:51.106Z", - "modified": "2022-12-21T20:27:51.106Z", - "name": "WMI", - "tool_types": [ - "Exploitation" - ] - }, - { - "type": "tool", - "id": "tool--a1e3e09a-26c1-439c-8985-5bdf2ed377fa", - "spec_version": "2.1", - "created": "2022-12-21T20:27:51.106Z", - "modified": "2022-12-21T20:27:51.106Z", - "name": "Net user", - "tool_types": [ - "remote-access", - "exploitation" - ] - }, - { - "type": "tool", - "id": "tool--750c2016-1016-48d8-95ea-df5b32a8f8ee", - "spec_version": "2.1", - "created": "2022-12-21T20:27:51.106Z", - "modified": "2022-12-21T20:27:51.106Z", - "name": "Mimikatz", - "tool_types": [ - "credential-exploitation" - ] - }, - { - "type": "attack-operator", - "id": "attack-operator--65620718-41a3-43e9-842a-e169a076170a", - "spec_version": "2.1", - "created": "2022-12-21T20:27:51.106Z", - "modified": "2022-12-21T20:27:51.106Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "operator": "AND" - }, - { - "type": "relationship", - "id": "relationship--022bbe62-7429-4a4c-b8da-aa4fc03e55e0", - "spec_version": "2.1", - "created": "2022-12-21T20:27:51.107Z", - "modified": "2022-12-21T20:27:51.107Z", - "relationship_type": "related-to", - "source_ref": "attack-action--e70b0b83-e9b0-4188-a1c1-c049cec1c48e", - "target_ref": "tool--e378563e-c6df-4d01-89a9-f3545cc42517" - }, - { - "type": "relationship", - "id": "relationship--2f6c7bee-cce1-449d-be6a-f0150d9caf65", - "spec_version": "2.1", - "created": "2022-12-21T20:27:51.107Z", - "modified": "2022-12-21T20:27:51.107Z", - "relationship_type": "related-to", - "source_ref": "attack-action--e70b0b83-e9b0-4188-a1c1-c049cec1c48e", - "target_ref": "tool--127e715e-a04a-4103-84ef-99015b27d94f" - }, - { - "type": "relationship", - "id": "relationship--acf37643-92f2-4ebb-a076-8404ed4af7da", - 
"spec_version": "2.1", - "created": "2022-12-21T20:27:51.107Z", - "modified": "2022-12-21T20:27:51.107Z", - "relationship_type": "related-to", - "source_ref": "attack-action--e70b0b83-e9b0-4188-a1c1-c049cec1c48e", - "target_ref": "tool--38394be6-1da8-45e2-86c4-180837bd00e8" - }, - { - "type": "relationship", - "id": "relationship--b193edc4-911a-4694-8423-faf16fcaa20d", - "spec_version": "2.1", - "created": "2022-12-21T20:27:51.107Z", - "modified": "2022-12-21T20:27:51.107Z", - "relationship_type": "related-to", - "source_ref": "attack-action--90c24039-8903-407d-a9a8-9960faf084e2", - "target_ref": "tool--0ade6c1a-d0b5-47d2-a633-b61144024874" - }, - { - "type": "relationship", - "id": "relationship--879d78ff-39de-4488-bedb-bde608d4bb14", - "spec_version": "2.1", - "created": "2022-12-21T20:27:51.107Z", - "modified": "2022-12-21T20:27:51.107Z", - "relationship_type": "related-to", - "source_ref": "attack-action--90c24039-8903-407d-a9a8-9960faf084e2", - "target_ref": "tool--cd07bd67-3e94-4fce-8c86-589ad7c314c0" - }, - { - "type": "relationship", - "id": "relationship--8d93a2e4-7197-4537-9263-40270f594ffb", - "spec_version": "2.1", - "created": "2022-12-21T20:27:51.107Z", - "modified": "2022-12-21T20:27:51.107Z", - "relationship_type": "related-to", - "source_ref": "attack-action--90c24039-8903-407d-a9a8-9960faf084e2", - "target_ref": "tool--b1ddb6da-5c43-440d-9189-39c740659ccc" - }, - { - "type": "relationship", - "id": "relationship--65977652-caa7-47c7-b31a-f889260818cd", - "spec_version": "2.1", - "created": "2022-12-21T20:27:51.107Z", - "modified": "2022-12-21T20:27:51.107Z", - "relationship_type": "related-to", - "source_ref": "attack-action--7ec57638-9eba-4456-af50-1a0e4804510d", - "target_ref": "tool--f2fac0de-8565-48ab-9ce8-d67dee1edeb6" - }, - { - "type": "relationship", - "id": "relationship--5c01bb1b-b41e-431a-88e0-95f9d44530ad", - "spec_version": "2.1", - "created": "2022-12-21T20:27:51.107Z", - "modified": "2022-12-21T20:27:51.107Z", - "relationship_type": 
"related-to", - "source_ref": "attack-action--03fd7c2f-1eab-4468-8d67-7a331b75c261", - "target_ref": "tool--6c9c4fd4-1e75-45c2-921c-a2df79fd4108" - }, - { - "type": "relationship", - "id": "relationship--28aff09f-10fa-4138-8a4a-8d4761a608dd", - "spec_version": "2.1", - "created": "2022-12-21T20:27:51.107Z", - "modified": "2022-12-21T20:27:51.107Z", - "relationship_type": "related-to", - "source_ref": "attack-action--c7ef4391-eb20-443b-91c2-cceaf0b06458", - "target_ref": "tool--1d4a5369-38f8-4b40-8390-2c3cf8f940a0" - }, - { - "type": "relationship", - "id": "relationship--7d734ada-00dd-4239-a1c3-bcc4d9967c52", - "spec_version": "2.1", - "created": "2022-12-21T20:27:51.107Z", - "modified": "2022-12-21T20:27:51.107Z", - "relationship_type": "related-to", - "source_ref": "attack-action--c7ef4391-eb20-443b-91c2-cceaf0b06458", - "target_ref": "tool--a1e3e09a-26c1-439c-8985-5bdf2ed377fa" - }, - { - "type": "relationship", - "id": "relationship--c3ec283e-7073-4337-8806-6602a47c24cd", - "spec_version": "2.1", - "created": "2022-12-21T20:27:51.107Z", - "modified": "2022-12-21T20:27:51.107Z", - "relationship_type": "related-to", - "source_ref": "attack-action--2a0d98d7-92cc-4087-93ad-ff1db995bec6", - "target_ref": "tool--750c2016-1016-48d8-95ea-df5b32a8f8ee" - }, - { - "type": "relationship", - "id": "relationship--828a8723-10af-42fd-8485-d9861451ee55", - "spec_version": "2.1", - "created": "2022-12-21T20:27:51.107Z", - "modified": "2022-12-21T20:27:51.107Z", - "relationship_type": "related-to", - "source_ref": "attack-action--6c5276a7-4e5c-4807-957b-d1673f27aec5", - "target_ref": "tool--750c2016-1016-48d8-95ea-df5b32a8f8ee" - }, - { - "type": "relationship", - "id": "relationship--ecad827c-3d4d-40c4-9649-4d6386863936", - "spec_version": "2.1", - "created": "2022-12-21T20:27:51.107Z", - "modified": "2022-12-21T20:27:51.107Z", - "relationship_type": "related-to", - "source_ref": "attack-action--fa7a634c-2450-499a-9bf3-a09d8e34e937", - "target_ref": 
"tool--09b75cde-799f-432c-9920-bbf13d0eb336" - }, - { - "type": "relationship", - "id": "relationship--f55a186b-557a-4a9a-bfca-2efaad4ed01a", - "spec_version": "2.1", - "created": "2022-12-21T20:27:51.107Z", - "modified": "2022-12-21T20:27:51.107Z", - "relationship_type": "related-to", - "source_ref": "threat-actor--f5182f82-449b-4edd-9c74-bf2ad4bcaf9d", - "target_ref": "campaign--8ed0c3ff-cecd-40f1-9d6b-e3dbe955ac7a" - } - ] -} \ No newline at end of file diff --git a/corpus/Conti CISA Alert.json b/corpus/Conti CISA Alert.json deleted file mode 100644 index a2430f80..00000000 --- a/corpus/Conti CISA Alert.json +++ /dev/null 
@@ -1,747 +0,0 @@ -{ - "type": "bundle", - "id": "bundle--a0831cd9-d34a-447d-9018-32c80498d878", - "spec_version": "2.1", - "created": "2022-12-21T21:12:06.366Z", - "modified": "2022-12-21T21:12:06.366Z", - "objects": [ - { - "type": "extension-definition", - "id": "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4", - "spec_version": "2.1", - "created": "2022-08-02T19:34:35.143Z", - "modified": "2022-08-02T19:34:35.143Z", - "name": "Attack Flow", - "description": "Extends STIX 2.1 with features to create Attack Flows.", - "created_by_ref": "identity--fb9c968a-745b-4ade-9b25-c324172197f4", - "schema": "https://center-for-threat-informed-defense.github.io/attack-flow/stix/attack-flow-schema-2.0.0.json", - "version": "2.0.0", - "extension_types": [ - "new-sdo" - ], - "external_references": [ - { - "source_name": "Documentation", - "description": "Documentation for Attack Flow", - "url": "https://center-for-threat-informed-defense.github.io/attack-flow" - }, - { - "source_name": "GitHub", - "description": "Source code repository for Attack Flow", - "url": "https://github.com/center-for-threat-informed-defense/attack-flow" - } - ] - }, - { - "type": "identity", - "id": "identity--fb9c968a-745b-4ade-9b25-c324172197f4", - "spec_version": "2.1", - "created": "2022-08-02T19:34:35.143Z", - "modified": "2022-08-02T19:34:35.143Z", - "create_by_ref": "identity--fb9c968a-745b-4ade-9b25-c324172197f4", - "name": "MITRE Engenuity Center for Threat-Informed Defense", - "identity_class": "organization" - }, - { - "type": "attack-flow", - "id": "attack-flow--d2ec54a5-a9b4-44f2-b649-610ee72ccf2c", - "spec_version": "2.1", - "created": "2022-10-27T02:44:54.520Z", - "modified": "2022-12-21T21:12:06.367Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "created_by_ref": "identity--19927395-468b-47f6-862e-033a316c43a9", - "start_refs": [ - "attack-action--2a8b2d9c-c1cb-44e8-9c18-e146fdb28c3b" - ], - 
"name": "Conti CISA Alert", - "description": "Conti ransomware flow based on CISA alert.", - "author": [ - [ - "name", - "Dr. Desiree Beck" - ], - [ - "identity_class", - "23b79ae0fc0f07a3669598dd23c694cc" - ], - [ - "contact_information", - "dbeck@mitre.org" - ] - ], - "scope": "incident", - "external_references": [ - { - "source_name": "CISA", - "description": "Alert", - "url": "https://www.cisa.gov/uscert/ncas/alerts/aa21-265a" - } - ] - }, - { - "type": "identity", - "id": "identity--19927395-468b-47f6-862e-033a316c43a9", - "spec_version": "2.1", - "created": "2022-12-21T21:12:06.367Z", - "modified": "2022-12-21T21:12:06.367Z", - "name": "Dr. Desiree Beck", - "identity_class": "individual", - "contact_information": "dbeck@mitre.org" - }, - { - "type": "attack-action", - "id": "attack-action--2a8b2d9c-c1cb-44e8-9c18-e146fdb28c3b", - "spec_version": "2.1", - "created": "2022-12-21T21:12:06.367Z", - "modified": "2022-12-21T21:12:06.367Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "name": "Phishing: Spearfishing Attachment", - "technique_id": "T1566.001", - "technique_ref": "attack-pattern--2e34237d-8574-43f6-aace-ae2915de8597", - "description": "Malicious Microsoft Excel file is attached to a phishing email.", - "effect_refs": [ - "attack-operator--7686e85f-53e7-4e22-b799-cd068137d4c8" - ], - "asset_refs": [ - "attack-asset--14a9c069-abae-41d2-8615-8ca20ba0ca68", - "attack-asset--12823850-2efb-44c5-be26-ac34703683b8" - ] - }, - { - "type": "attack-asset", - "id": "attack-asset--14a9c069-abae-41d2-8615-8ca20ba0ca68", - "spec_version": "2.1", - "created": "2022-12-21T21:12:06.367Z", - "modified": "2022-12-21T21:12:06.367Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "name": "User of Patient Zero workstation", - "description": "The user compromised by the spearfishing email." 
- }, - { - "type": "attack-action", - "id": "attack-action--803b8f27-1c9b-4d83-b155-b443b69672f8", - "spec_version": "2.1", - "created": "2022-12-21T21:12:06.367Z", - "modified": "2022-12-21T21:12:06.367Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "name": "User Execution", - "technique_id": "T1204", - "technique_ref": "attack-pattern--8c32eb4d-805f-4fc5-bf60-c4d476c131b5", - "description": "User of the Patient Zero Workstation clicks on malicious Excel file, compromising the workstation.", - "effect_refs": [ - "attack-operator--ee2f9478-ca65-4b3c-9c77-77cd2a277a91" - ] - }, - { - "type": "attack-action", - "id": "attack-action--08dfcf4a-96c4-487e-8531-3ddd7fbb6e70", - "spec_version": "2.1", - "created": "2022-12-21T21:12:06.367Z", - "modified": "2022-12-21T21:12:06.367Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "name": "Steal or Forge Kerberos Tickets: Kerberoasting", - "technique_id": "T1558.003", - "technique_ref": "attack-pattern--f2877f7f-9a4c-4251-879f-1224e3006bee", - "description": "Actors use Kerberos attacks to attempt to get the Admin hash to conduct brute force attacks.", - "effect_refs": [ - "attack-condition--223e9388-26aa-4cd7-88a3-bc192aa13622" - ] - }, - { - "type": "attack-action", - "id": "attack-action--4c0e9ba3-e5ad-4215-8b41-6636f9ec90b2", - "spec_version": "2.1", - "created": "2022-12-21T21:12:06.367Z", - "modified": "2022-12-21T21:12:06.367Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "name": "Lateral Movement", - "tactic_id": "TA0008", - "tactic_ref": "x-mitre-tactic--7141578b-e50b-4dcc-bfa4-08a8dd689e9e", - "description": "Lateral movement to 1 statutory and 6 voluntary hospitals", - "effect_refs": [ - "attack-condition--623bc1c8-fc38-4a2d-a3d0-d925f073af53" - ] - }, - { - "type": 
"attack-action", - "id": "attack-action--fda03654-388a-45e1-b3c5-36a0593aec6d", - "spec_version": "2.1", - "created": "2022-12-21T21:12:06.367Z", - "modified": "2022-12-21T21:12:06.367Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "name": "Data Encrypted for Impact", - "technique_id": "T1486", - "technique_ref": "attack-pattern--b80d107d-fa0d-4b60-9684-b0433e8bdba0", - "description": "Threat actors encrypt sensitive data by detonating Conti ransomware.", - "asset_refs": [ - "attack-asset--bce29a7e-123b-4e98-a7ae-f3590236d856" - ] - }, - { - "type": "attack-asset", - "id": "attack-asset--6c3bf979-882d-49ad-8cb5-43a59f42d32e", - "spec_version": "2.1", - "created": "2022-12-21T21:12:06.367Z", - "modified": "2022-12-21T21:12:06.367Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "name": "Exfiltrated Data", - "description": "Data exfiltrated by threat actor." 
- }, - { - "type": "attack-action", - "id": "attack-action--8956f5e4-bfaf-4709-83fa-309275967a30", - "spec_version": "2.1", - "created": "2022-12-21T21:12:06.367Z", - "modified": "2022-12-21T21:12:06.367Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "name": "Exfiltration", - "tactic_id": "TA0010", - "tactic_ref": "x-mitre-tactic--9a4e74ab-5008-408c-84bf-a10dfbc53462", - "description": "Threat actors often use the open-source Rclone command line program for data exfiltration, such as Rclone.", - "asset_refs": [ - "attack-asset--6c3bf979-882d-49ad-8cb5-43a59f42d32e" - ] - }, - { - "type": "attack-asset", - "id": "attack-asset--bce29a7e-123b-4e98-a7ae-f3590236d856", - "spec_version": "2.1", - "created": "2022-12-21T21:12:06.367Z", - "modified": "2022-12-21T21:12:06.367Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "name": "Encrypted Data", - "description": "Data encrypted by Conti ransomware." 
- }, - { - "type": "attack-condition", - "id": "attack-condition--f8f14cd5-8cb3-41eb-a7de-d13c92afd312", - "spec_version": "2.1", - "created": "2022-12-21T21:12:06.367Z", - "modified": "2022-12-21T21:12:06.367Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "description": "User of Patient Zero workstation is compromised", - "on_true_refs": [ - "attack-operator--1ee1b30d-1a96-46e4-844f-25c964d11a1e" - ] - }, - { - "type": "attack-condition", - "id": "attack-condition--a32b0dae-0b41-472b-9c23-fd234955beca", - "spec_version": "2.1", - "created": "2022-12-21T21:12:06.367Z", - "modified": "2022-12-21T21:12:06.367Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "description": "Patient Zero workstation is compromised", - "on_true_refs": [ - "attack-operator--08dc8731-d318-407e-8bbc-07db47df076d" - ] - }, - { - "type": "attack-action", - "id": "attack-action--57dca417-5fce-4cb6-9392-c23d24ba8c83", - "spec_version": "2.1", - "created": "2022-12-21T21:12:06.367Z", - "modified": "2022-12-21T21:12:06.367Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "name": "Fake Software", - "description": "Fake software promoted via search engine optimization", - "effect_refs": [ - "attack-operator--7686e85f-53e7-4e22-b799-cd068137d4c8" - ], - "asset_refs": [ - "attack-asset--14a9c069-abae-41d2-8615-8ca20ba0ca68" - ] - }, - { - "type": "attack-action", - "id": "attack-action--0cf0c85b-c2e5-4dfd-9a92-547357784bd1", - "spec_version": "2.1", - "created": "2022-12-21T21:12:06.367Z", - "modified": "2022-12-21T21:12:06.367Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "name": "Social Engineering", - "description": "Actors may get user information via phone calls", - 
"effect_refs": [ - "attack-operator--7686e85f-53e7-4e22-b799-cd068137d4c8" - ], - "asset_refs": [ - "attack-asset--14a9c069-abae-41d2-8615-8ca20ba0ca68" - ] - }, - { - "type": "attack-action", - "id": "attack-action--e51a777f-14ba-4aac-8e6d-d95b93389173", - "spec_version": "2.1", - "created": "2022-12-21T21:12:06.367Z", - "modified": "2022-12-21T21:12:06.367Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "name": "Phishing: Spearfishing Link", - "technique_id": "T1566.002", - "technique_ref": "attack-pattern--2b742742-28c3-4e1b-bab7-8350d6300fa7", - "description": "Malicious Microsoft Excel file is attached to a phishing email.", - "effect_refs": [ - "attack-operator--7686e85f-53e7-4e22-b799-cd068137d4c8" - ], - "asset_refs": [ - "attack-asset--14a9c069-abae-41d2-8615-8ca20ba0ca68" - ] - }, - { - "type": "attack-operator", - "id": "attack-operator--7686e85f-53e7-4e22-b799-cd068137d4c8", - "spec_version": "2.1", - "created": "2022-12-21T21:12:06.367Z", - "modified": "2022-12-21T21:12:06.367Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "operator": "OR", - "effect_refs": [ - "attack-condition--f8f14cd5-8cb3-41eb-a7de-d13c92afd312" - ] - }, - { - "type": "attack-asset", - "id": "attack-asset--12823850-2efb-44c5-be26-ac34703683b8", - "spec_version": "2.1", - "created": "2022-12-21T21:12:06.367Z", - "modified": "2022-12-21T21:12:06.367Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "name": "Microsoft Office document", - "description": "The document is a downloader-dropper. Examples include Cobalt Strike, IcedID, and TrickBot." 
- }, - { - "type": "attack-action", - "id": "attack-action--8c673d05-35b9-4563-a19c-612225ba58f2", - "spec_version": "2.1", - "created": "2022-12-21T21:12:06.367Z", - "modified": "2022-12-21T21:12:06.367Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "name": "Valid Accounts", - "technique_id": "T1078", - "technique_ref": "attack-pattern--b17a1a56-e99c-403c-8948-561df0cffe81", - "description": "User reveals credentials", - "asset_refs": [ - "attack-asset--b25c46f7-e302-4bcc-a75f-7b97913dedeb" - ], - "effect_refs": [ - "attack-operator--ee2f9478-ca65-4b3c-9c77-77cd2a277a91" - ] - }, - { - "type": "attack-asset", - "id": "attack-asset--b25c46f7-e302-4bcc-a75f-7b97913dedeb", - "spec_version": "2.1", - "created": "2022-12-21T21:12:06.367Z", - "modified": "2022-12-21T21:12:06.367Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "name": "User credentials", - "description": "User credentials for a valid account" - }, - { - "type": "attack-operator", - "id": "attack-operator--1ee1b30d-1a96-46e4-844f-25c964d11a1e", - "spec_version": "2.1", - "created": "2022-12-21T21:12:06.367Z", - "modified": "2022-12-21T21:12:06.367Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "operator": "OR", - "effect_refs": [ - "attack-action--803b8f27-1c9b-4d83-b155-b443b69672f8", - "attack-action--8c673d05-35b9-4563-a19c-612225ba58f2" - ] - }, - { - "type": "attack-action", - "id": "attack-action--7a4205e1-043e-4c6d-8a9f-89f9a3a8ec83", - "spec_version": "2.1", - "created": "2022-12-21T21:12:06.367Z", - "modified": "2022-12-21T21:12:06.367Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "name": "Valid Accounts", - "technique_id": "T1078", - "technique_ref": 
"attack-pattern--b17a1a56-e99c-403c-8948-561df0cffe81", - "description": "Stolen or weak Remote Desktop Protocol (RDP) credentials", - "asset_refs": [ - "attack-asset--ad245cbc-08a4-4a73-a0fd-cd49205b5721" - ], - "effect_refs": [ - "attack-operator--ee2f9478-ca65-4b3c-9c77-77cd2a277a91" - ] - }, - { - "type": "attack-asset", - "id": "attack-asset--ad245cbc-08a4-4a73-a0fd-cd49205b5721", - "spec_version": "2.1", - "created": "2022-12-21T21:12:06.367Z", - "modified": "2022-12-21T21:12:06.367Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "name": "RDP account", - "description": "Compromised RDP account" - }, - { - "type": "attack-action", - "id": "attack-action--11575ef5-332b-4719-9283-ad0988becfef", - "spec_version": "2.1", - "created": "2022-12-21T21:12:06.367Z", - "modified": "2022-12-21T21:12:06.367Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "name": "Process Discovery", - "technique_id": "T1057", - "technique_ref": "attack-pattern--8f4a33ec-8b1f-4b80-a2f6-642b2e479580", - "description": "Actors run a getuid payload before using a more aggressive payload to reduce the risk of triggering antivirus engines.", - "effect_refs": [ - "attack-operator--ad5f81ee-b495-4efb-b6f9-d62fe07cfe0b" - ] - }, - { - "type": "attack-action", - "id": "attack-action--e972b38b-5e0c-43f6-a578-f904dab23a64", - "spec_version": "2.1", - "created": "2022-12-21T21:12:06.367Z", - "modified": "2022-12-21T21:12:06.367Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "name": "Brute Force", - "technique_id": "T1110", - "technique_ref": "attack-pattern--a93494bb-4b80-4ea1-8695-3236a49916fd", - "description": "Use Router Scan, a penetration testing tool, to maliciously scan for and brute force [T1110] routers, cameras, and network-attached storage devices with 
web interfaces.", - "effect_refs": [ - "attack-operator--ad5f81ee-b495-4efb-b6f9-d62fe07cfe0b" - ] - }, - { - "type": "attack-operator", - "id": "attack-operator--ee2f9478-ca65-4b3c-9c77-77cd2a277a91", - "spec_version": "2.1", - "created": "2022-12-21T21:12:06.367Z", - "modified": "2022-12-21T21:12:06.367Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "operator": "OR", - "effect_refs": [ - "attack-condition--a32b0dae-0b41-472b-9c23-fd234955beca" - ] - }, - { - "type": "attack-operator", - "id": "attack-operator--08dc8731-d318-407e-8bbc-07db47df076d", - "spec_version": "2.1", - "created": "2022-12-21T21:12:06.367Z", - "modified": "2022-12-21T21:12:06.367Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "operator": "OR", - "effect_refs": [ - "attack-action--11575ef5-332b-4719-9283-ad0988becfef", - "attack-action--08dfcf4a-96c4-487e-8531-3ddd7fbb6e70", - "attack-action--e972b38b-5e0c-43f6-a578-f904dab23a64" - ] - }, - { - "type": "attack-condition", - "id": "attack-condition--060bac6c-30cd-4cef-93e2-04c1939f3fc2", - "spec_version": "2.1", - "created": "2022-12-21T21:12:06.367Z", - "modified": "2022-12-21T21:12:06.367Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "description": "HSE Server is compromised", - "on_true_refs": [ - "attack-action--2a78a7b6-4cf3-4a8e-9856-e34935a18dbd", - "attack-action--9955f520-81f0-4826-a04f-e29c222cf214", - "attack-action--21b2ccee-d3ed-4866-b931-87c37f98dc93" - ] - }, - { - "type": "attack-operator", - "id": "attack-operator--ad5f81ee-b495-4efb-b6f9-d62fe07cfe0b", - "spec_version": "2.1", - "created": "2022-12-21T21:12:06.367Z", - "modified": "2022-12-21T21:12:06.367Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - 
"operator": "OR", - "effect_refs": [ - "attack-condition--060bac6c-30cd-4cef-93e2-04c1939f3fc2" - ] - }, - { - "type": "attack-action", - "id": "attack-action--51d84486-8f49-40aa-a3ef-65ab544dff0f", - "spec_version": "2.1", - "created": "2022-12-21T21:12:06.367Z", - "modified": "2022-12-21T21:12:06.367Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "name": "Brute Force", - "technique_id": "T1110", - "technique_ref": "attack-pattern--a93494bb-4b80-4ea1-8695-3236a49916fd", - "description": "Actors get the Admin hash to conduct brute force attacks.", - "effect_refs": [ - "attack-operator--ad5f81ee-b495-4efb-b6f9-d62fe07cfe0b" - ] - }, - { - "type": "attack-action", - "id": "attack-action--2a78a7b6-4cf3-4a8e-9856-e34935a18dbd", - "spec_version": "2.1", - "created": "2022-12-21T21:12:06.367Z", - "modified": "2022-12-21T21:12:06.367Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "name": "Persistence", - "tactic_id": "TA0003", - "tactic_ref": "x-mitre-tactic--5bc1d813-693e-4823-9961-abf9af4b0e92", - "description": "Threat actors exploit legitimate software to maintain persistence.", - "asset_refs": [ - "attack-asset--68bf90ee-2a96-48e3-8acc-cb3068e20db0" - ] - }, - { - "type": "attack-asset", - "id": "attack-asset--68bf90ee-2a96-48e3-8acc-cb3068e20db0", - "spec_version": "2.1", - "created": "2022-12-21T21:12:06.367Z", - "modified": "2022-12-21T21:12:06.367Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "name": "Software", - "description": "Remote desktop software or remote monitoring and management software. 
" - }, - { - "type": "attack-action", - "id": "attack-action--9955f520-81f0-4826-a04f-e29c222cf214", - "spec_version": "2.1", - "created": "2022-12-21T21:12:06.367Z", - "modified": "2022-12-21T21:12:06.367Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "name": "Privilege Escalation", - "tactic_id": "TA0004", - "tactic_ref": "x-mitre-tactic--5e29b093-294e-49e9-a803-dab3d73b77dd", - "description": "Threat actors use tools already on the victim network to obtain users' hashes and clear-text credentials", - "effect_refs": [ - "attack-condition--1a4cb2c8-008f-4bec-8659-6a4cccb638b4" - ] - }, - { - "type": "attack-action", - "id": "attack-action--21b2ccee-d3ed-4866-b931-87c37f98dc93", - "spec_version": "2.1", - "created": "2022-12-21T21:12:06.367Z", - "modified": "2022-12-21T21:12:06.367Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "name": "Exploitation for Client Execution", - "technique_id": "T1203", - "technique_ref": "attack-pattern--be2dcee9-a7a7-4e38-afd6-21b31ecc3d63", - "description": "Threat actors exploit vulnerabilities in unpatched assets to escalate privileges and move laterally.", - "effect_refs": [ - "attack-condition--759ddb9f-c0a6-4fa4-bc83-f20a4ae8ea35" - ] - }, - { - "type": "attack-condition", - "id": "attack-condition--759ddb9f-c0a6-4fa4-bc83-f20a4ae8ea35", - "spec_version": "2.1", - "created": "2022-12-21T21:12:06.367Z", - "modified": "2022-12-21T21:12:06.367Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "description": "Network Asset A is compromised", - "on_true_refs": [ - "attack-action--c3c4d3ba-ee40-437d-92a7-224bdb5cfaa0" - ] - }, - { - "type": "attack-condition", - "id": "attack-condition--1a4cb2c8-008f-4bec-8659-6a4cccb638b4", - "spec_version": "2.1", - "created": "2022-12-21T21:12:06.367Z", - 
"modified": "2022-12-21T21:12:06.367Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "description": "Network Asset B is compromised", - "on_true_refs": [ - "attack-action--fda03654-388a-45e1-b3c5-36a0593aec6d", - "attack-action--8956f5e4-bfaf-4709-83fa-309275967a30", - "attack-action--4c0e9ba3-e5ad-4215-8b41-6636f9ec90b2" - ] - }, - { - "type": "attack-condition", - "id": "attack-condition--623bc1c8-fc38-4a2d-a3d0-d925f073af53", - "spec_version": "2.1", - "created": "2022-12-21T21:12:06.367Z", - "modified": "2022-12-21T21:12:06.367Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "description": "Network Asset C is compromised" - }, - { - "type": "attack-condition", - "id": "attack-condition--223e9388-26aa-4cd7-88a3-bc192aa13622", - "spec_version": "2.1", - "created": "2022-12-21T21:12:06.367Z", - "modified": "2022-12-21T21:12:06.367Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "description": "Admin hash is compromised", - "on_true_refs": [ - "attack-action--51d84486-8f49-40aa-a3ef-65ab544dff0f" - ] - }, - { - "type": "attack-action", - "id": "attack-action--c3c4d3ba-ee40-437d-92a7-224bdb5cfaa0", - "spec_version": "2.1", - "created": "2022-12-21T21:12:06.367Z", - "modified": "2022-12-21T21:12:06.367Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "name": "Privilege Escalation", - "tactic_id": "TA0004", - "tactic_ref": "x-mitre-tactic--5e29b093-294e-49e9-a803-dab3d73b77dd", - "description": "Threat actors exploit vulnerabilities in unpatched asset to escalate privileges.", - "effect_refs": [ - "attack-condition--1a4cb2c8-008f-4bec-8659-6a4cccb638b4" - ] - } - ] -} \ No newline at end of file 
diff --git a/corpus/Conti PWC.json b/corpus/Conti PWC.json deleted file mode 100644 index f1eb8920..00000000 --- a/corpus/Conti PWC.json +++ /dev/null 
@@ -1,375 +0,0 @@ -{ - "type": "bundle", - "id": "bundle--5b4fe09c-0a31-48bf-914d-4438cf9dfe58", - "spec_version": "2.1", - "created": "2022-12-21T21:38:50.395Z", - "modified": "2022-12-21T21:38:50.395Z", - "objects": [ - { - "type": "extension-definition", - "id": "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4", - "spec_version": "2.1", - "created": "2022-08-02T19:34:35.143Z", - "modified": "2022-08-02T19:34:35.143Z", - "name": "Attack Flow", - "description": "Extends STIX 2.1 with features to create Attack Flows.", - "created_by_ref": "identity--fb9c968a-745b-4ade-9b25-c324172197f4", - "schema": "https://center-for-threat-informed-defense.github.io/attack-flow/stix/attack-flow-schema-2.0.0.json", - "version": "2.0.0", - "extension_types": [ - "new-sdo" - ], - "external_references": [ - { - "source_name": "Documentation", - "description": "Documentation for Attack Flow", - "url": "https://center-for-threat-informed-defense.github.io/attack-flow" - }, - { - "source_name": "GitHub", - "description": "Source code repository for Attack Flow", - "url": "https://github.com/center-for-threat-informed-defense/attack-flow" - } - ] - }, - { - "type": "identity", - "id": "identity--fb9c968a-745b-4ade-9b25-c324172197f4", - "spec_version": "2.1", - "created": "2022-08-02T19:34:35.143Z", - "modified": "2022-08-02T19:34:35.143Z", - "create_by_ref": "identity--fb9c968a-745b-4ade-9b25-c324172197f4", - "name": "MITRE Engenuity Center for Threat-Informed Defense", - "identity_class": "organization" - }, - { - "type": "attack-flow", - "id": "attack-flow--d2ec54a5-a9b4-44f2-b649-610ee72ccf2c", - "spec_version": "2.1", - "created": "2022-10-27T02:44:54.520Z", - "modified": "2022-12-21T21:38:50.395Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "created_by_ref": "identity--acae0f65-bdd6-44a4-92b0-44137e15df66", - "start_refs": [ - "attack-action--2a8b2d9c-c1cb-44e8-9c18-e146fdb28c3b" - ], - 
"name": "Conti PWC", - "description": "Conti ransomware flow based on PWC report.", - "author": [ - [ - "name", - "Dr. Desiree Beck" - ], - [ - "identity_class", - "23b79ae0fc0f07a3669598dd23c694cc" - ], - [ - "contact_information", - "dbeck@mitre.org" - ] - ], - "scope": "incident", - "external_references": [ - { - "source_name": "PricewaterhouseCoopers", - "description": "Report", - "url": "https://www.hse.ie/eng/services/publications/conti-cyber-attack-on-the-hse-full-report.pdf" - } - ] - }, - { - "type": "identity", - "id": "identity--acae0f65-bdd6-44a4-92b0-44137e15df66", - "spec_version": "2.1", - "created": "2022-12-21T21:38:50.395Z", - "modified": "2022-12-21T21:38:50.395Z", - "name": "Dr. Desiree Beck", - "identity_class": "individual", - "contact_information": "dbeck@mitre.org" - }, - { - "type": "attack-action", - "id": "attack-action--2a8b2d9c-c1cb-44e8-9c18-e146fdb28c3b", - "spec_version": "2.1", - "created": "2022-12-21T21:38:50.395Z", - "modified": "2022-12-21T21:38:50.395Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "name": "Phishing: Spearfishing Attachment", - "technique_id": "T1566.001", - "technique_ref": "attack-pattern--2e34237d-8574-43f6-aace-ae2915de8597", - "description": "Malicious Microsoft Excel file is attached to a phishing email.", - "asset_refs": [ - "attack-asset--14a9c069-abae-41d2-8615-8ca20ba0ca68" - ], - "effect_refs": [ - "attack-condition--f8f14cd5-8cb3-41eb-a7de-d13c92afd312" - ] - }, - { - "type": "attack-asset", - "id": "attack-asset--14a9c069-abae-41d2-8615-8ca20ba0ca68", - "spec_version": "2.1", - "created": "2022-12-21T21:38:50.395Z", - "modified": "2022-12-21T21:38:50.395Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "name": "User of Patient Zero Workstation", - "description": "The user compromised by the spearfishing email." 
- }, - { - "type": "attack-action", - "id": "attack-action--803b8f27-1c9b-4d83-b155-b443b69672f8", - "spec_version": "2.1", - "created": "2022-12-21T21:38:50.395Z", - "modified": "2022-12-21T21:38:50.395Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "name": "User Execution", - "technique_id": "T1204", - "technique_ref": "attack-pattern--8c32eb4d-805f-4fc5-bf60-c4d476c131b5", - "description": "User of the Patient Zero Workstation clicks on malicious Excel file, compromising the workstation.", - "effect_refs": [ - "attack-condition--a32b0dae-0b41-472b-9c23-fd234955beca" - ], - "asset_refs": [ - "attack-asset--3cbafcd5-d491-45e5-ace3-90578ff859e1" - ] - }, - { - "type": "attack-asset", - "id": "attack-asset--3cbafcd5-d491-45e5-ace3-90578ff859e1", - "spec_version": "2.1", - "created": "2022-12-21T21:38:50.395Z", - "modified": "2022-12-21T21:38:50.395Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "name": "Patient Zero Workstation", - "description": "The compromised workstation." 
- }, - { - "type": "attack-action", - "id": "attack-action--08dfcf4a-96c4-487e-8531-3ddd7fbb6e70", - "spec_version": "2.1", - "created": "2022-12-21T21:38:50.395Z", - "modified": "2022-12-21T21:38:50.395Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "name": "Compromise Accounts", - "technique_id": "T1586", - "technique_ref": "attack-pattern--81033c3b-16a4-46e4-8fed-9b030dd03c4a", - "description": "Compromise and abuse accounts with high privilege levels", - "effect_refs": [ - "attack-condition--b334ca8a-94c7-4566-bb2d-60ab79d5812a" - ], - "asset_refs": [ - "attack-asset--e2d9146e-0aa2-4b9d-a1c3-ebbb734af1dd" - ] - }, - { - "type": "attack-asset", - "id": "attack-asset--e2d9146e-0aa2-4b9d-a1c3-ebbb734af1dd", - "spec_version": "2.1", - "created": "2022-12-21T21:38:50.395Z", - "modified": "2022-12-21T21:38:50.395Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "name": "HSE Server", - "description": "The compromised server." 
- }, - { - "type": "attack-action", - "id": "attack-action--4c0e9ba3-e5ad-4215-8b41-6636f9ec90b2", - "spec_version": "2.1", - "created": "2022-12-21T21:38:50.395Z", - "modified": "2022-12-21T21:38:50.395Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "name": "Lateral Movement", - "tactic_id": "TA0008", - "tactic_ref": "x-mitre-tactic--7141578b-e50b-4dcc-bfa4-08a8dd689e9e", - "description": "Lateral movement to 1 statutory and 6 voluntary hospitals", - "asset_refs": [ - "attack-asset--4bc35a27-c25f-4e77-8159-60cbcf9e555e" - ] - }, - { - "type": "attack-asset", - "id": "attack-asset--4bc35a27-c25f-4e77-8159-60cbcf9e555e", - "spec_version": "2.1", - "created": "2022-12-21T21:38:50.395Z", - "modified": "2022-12-21T21:38:50.395Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "name": "IT Systems", - "description": "Statutory and voluntary systems compromised." 
- }, - { - "type": "attack-action", - "id": "attack-action--823c7ef5-0569-4678-a773-4f465690998c", - "spec_version": "2.1", - "created": "2022-12-21T21:38:50.395Z", - "modified": "2022-12-21T21:38:50.395Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "name": " File and Directory Discovery", - "technique_id": "T1083", - "technique_ref": "attack-pattern--7bc57495-ea59-4380-be31-a64af124ef18", - "description": "Browsed folders and opened files within HSE", - "asset_refs": [ - "attack-asset--6c3bf979-882d-49ad-8cb5-43a59f42d32e" - ], - "effect_refs": [ - "attack-action--8956f5e4-bfaf-4709-83fa-309275967a30" - ] - }, - { - "type": "attack-action", - "id": "attack-action--fda03654-388a-45e1-b3c5-36a0593aec6d", - "spec_version": "2.1", - "created": "2022-12-21T21:38:50.395Z", - "modified": "2022-12-21T21:38:50.395Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "name": "Data Encrypted for Impact", - "technique_id": "T1486", - "technique_ref": "attack-pattern--b80d107d-fa0d-4b60-9684-b0433e8bdba0", - "description": "Detonate Conti ransomware", - "asset_refs": [ - "attack-asset--bce29a7e-123b-4e98-a7ae-f3590236d856" - ] - }, - { - "type": "attack-asset", - "id": "attack-asset--6c3bf979-882d-49ad-8cb5-43a59f42d32e", - "spec_version": "2.1", - "created": "2022-12-21T21:38:50.395Z", - "modified": "2022-12-21T21:38:50.395Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "name": "Exfiltrated Data", - "description": "Data exfiltrated by the threat actor." 
- }, - { - "type": "attack-action", - "id": "attack-action--8956f5e4-bfaf-4709-83fa-309275967a30", - "spec_version": "2.1", - "created": "2022-12-21T21:38:50.395Z", - "modified": "2022-12-21T21:38:50.395Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "name": "Exfiltration", - "tactic_id": "TA0010", - "tactic_ref": "x-mitre-tactic--9a4e74ab-5008-408c-84bf-a10dfbc53462", - "description": "Data is exfiltrated.", - "asset_refs": [ - "attack-asset--6c3bf979-882d-49ad-8cb5-43a59f42d32e" - ] - }, - { - "type": "attack-asset", - "id": "attack-asset--bce29a7e-123b-4e98-a7ae-f3590236d856", - "spec_version": "2.1", - "created": "2022-12-21T21:38:50.395Z", - "modified": "2022-12-21T21:38:50.395Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "name": "Encrypted Data", - "description": "Data encrypted by Conti ransomware." - }, - { - "type": "attack-condition", - "id": "attack-condition--f8f14cd5-8cb3-41eb-a7de-d13c92afd312", - "spec_version": "2.1", - "created": "2022-12-21T21:38:50.395Z", - "modified": "2022-12-21T21:38:50.395Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "description": "User of Patient Zero workstation receives malicious Excel file", - "on_true_refs": [ - "attack-action--803b8f27-1c9b-4d83-b155-b443b69672f8" - ] - }, - { - "type": "attack-condition", - "id": "attack-condition--a32b0dae-0b41-472b-9c23-fd234955beca", - "spec_version": "2.1", - "created": "2022-12-21T21:38:50.395Z", - "modified": "2022-12-21T21:38:50.395Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "description": "Patient Zero user opens the malicious Excel file, compromising the Patient Zero workstation", - "on_true_refs": [ - 
"attack-action--08dfcf4a-96c4-487e-8531-3ddd7fbb6e70" - ] - }, - { - "type": "attack-condition", - "id": "attack-condition--b334ca8a-94c7-4566-bb2d-60ab79d5812a", - "spec_version": "2.1", - "created": "2022-12-21T21:38:50.395Z", - "modified": "2022-12-21T21:38:50.395Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "description": "HSE Server is compromised", - "on_true_refs": [ - "attack-action--4c0e9ba3-e5ad-4215-8b41-6636f9ec90b2", - "attack-action--fda03654-388a-45e1-b3c5-36a0593aec6d", - "attack-action--823c7ef5-0569-4678-a773-4f465690998c" - ] - } - ] -} \ No newline at end of file diff --git a/corpus/DFIR - BumbleBee Round 2.json b/corpus/DFIR - BumbleBee Round 2.json deleted file mode 100644 index 9b119982..00000000 --- a/corpus/DFIR - BumbleBee Round 2.json +++ /dev/null 
@@ -1,567 +0,0 @@ -{ - "type": "bundle", - "id": "bundle--3edee771-15a4-4595-8e46-a7934a727d3d", - "spec_version": "2.1", - "created": "2023-07-03T19:26:23.786Z", - "modified": "2023-07-03T19:26:23.786Z", - "objects": [ - { - "type": "extension-definition", - "id": "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4", - "spec_version": "2.1", - "created": "2022-08-02T19:34:35.143Z", - "modified": "2022-08-02T19:34:35.143Z", - "name": "Attack Flow", - "description": "Extends STIX 2.1 with features to create Attack Flows.", - "created_by_ref": "identity--fb9c968a-745b-4ade-9b25-c324172197f4", - "schema": "https://center-for-threat-informed-defense.github.io/attack-flow/stix/attack-flow-schema-2.0.0.json", - "version": "2.0.0", - "extension_types": [ - "new-sdo" - ], - "external_references": [ - { - "source_name": "Documentation", - "description": "Documentation for Attack Flow", - "url": "https://center-for-threat-informed-defense.github.io/attack-flow" - }, - { - "source_name": "GitHub", - "description": "Source code repository for Attack Flow", - "url": "https://github.com/center-for-threat-informed-defense/attack-flow" - } - ] - }, - { - "type": "identity", - "id": "identity--fb9c968a-745b-4ade-9b25-c324172197f4", - "spec_version": "2.1", - "created": "2022-08-02T19:34:35.143Z", - "modified": "2022-08-02T19:34:35.143Z", - "create_by_ref": "identity--fb9c968a-745b-4ade-9b25-c324172197f4", - "name": "MITRE Engenuity Center for Threat-Informed Defense", - "identity_class": "organization" - }, - { - "type": "attack-flow", - "id": "attack-flow--59ae4df4-40f2-478d-923a-88b3274cc210", - "spec_version": "2.1", - "created": "2022-10-27T17:08:29.791Z", - "modified": "2023-07-03T19:26:23.786Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "created_by_ref": "identity--d075ca2d-8951-446c-9128-d664a52d848a", - "start_refs": [ - "attack-action--5bde19de-dfc9-4a67-b7f0-58d63b146fee", - 
"attack-action--a69439a7-6d16-421a-9ff7-776302391be0" - ], - "name": "DFIR - BumbleBee Round 2", - "description": "A documented BumbleBee Malware intrusion by the DFIR Report occurring in May 2022 ", - "scope": "incident", - "external_references": [ - { - "source_name": "BumbleBee: Round Two\n\n", - "description": "\"In this intrusion from May 2022, the threat actors used BumbleBee as the initial access vector. BumbleBee has been identified as an initial access vector utilized by several ransomware affiliates.\"", - "url": "https://thedfirreport.com/2022/09/26/bumblebee-round-two/" - } - ] - }, - { - "type": "identity", - "id": "identity--d075ca2d-8951-446c-9128-d664a52d848a", - "spec_version": "2.1", - "created": "2023-07-03T19:26:23.786Z", - "modified": "2023-07-03T19:26:23.786Z", - "name": "Kevin Lo", - "contact_information": "klo@anvilogic.com" - }, - { - "type": "attack-action", - "id": "attack-action--5bde19de-dfc9-4a67-b7f0-58d63b146fee", - "spec_version": "2.1", - "created": "2023-07-03T19:26:23.786Z", - "modified": "2023-07-03T19:26:23.786Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "name": "Boot or Logon Autostart Execution: Shortcut Modification", - "technique_id": "T1547.009", - "description": "Bumblebee Initial Execution. (All dates in this flow are relative. 
The breach start time is not known.)", - "execution_start": "1970-01-01T12:05:00.000Z", - "effect_refs": [ - "attack-action--52551dbb-9709-4a90-b7e2-ad92c735d5cc", - "attack-action--1d4f33a8-1ae5-498a-a169-ff39bdced02f" - ], - "asset_refs": [ - "attack-asset--d168bbc0-3cba-422e-aaa1-ed45831a7ce9" - ], - "command_ref": "process--50cab0ab-6a3d-41ed-a928-e860d0f921a5" - }, - { - "type": "attack-asset", - "id": "attack-asset--d168bbc0-3cba-422e-aaa1-ed45831a7ce9", - "spec_version": "2.1", - "created": "2023-07-03T19:26:23.786Z", - "modified": "2023-07-03T19:26:23.786Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "name": "Beach Head" - }, - { - "type": "attack-action", - "id": "attack-action--1d4f33a8-1ae5-498a-a169-ff39bdced02f", - "spec_version": "2.1", - "created": "2023-07-03T19:26:23.787Z", - "modified": "2023-07-03T19:26:23.787Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "name": "Command and Control: Ingress Tool Transfer", - "technique_id": "T1105", - "description": "Dropping the Bumblebee DLL", - "asset_refs": [ - "attack-asset--d168bbc0-3cba-422e-aaa1-ed45831a7ce9" - ], - "effect_refs": [ - "attack-action--3d2e236c-8c72-4882-acca-ada71a3836e6" - ] - }, - { - "type": "attack-action", - "id": "attack-action--3d2e236c-8c72-4882-acca-ada71a3836e6", - "spec_version": "2.1", - "created": "2023-07-03T19:26:23.787Z", - "modified": "2023-07-03T19:26:23.787Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "name": "System Binary Proxy Execution: Rundll32", - "technique_id": "T1218.011", - "description": "Rundll32 executes DLL", - "asset_refs": [ - "attack-asset--d168bbc0-3cba-422e-aaa1-ed45831a7ce9" - ], - "effect_refs": [ - "attack-action--a4a665d0-8a5e-4135-8d9b-e57c996cd4a2" - ] - }, - { - "type": "attack-action", - "id": 
"attack-action--a4a665d0-8a5e-4135-8d9b-e57c996cd4a2", - "spec_version": "2.1", - "created": "2023-07-03T19:26:23.787Z", - "modified": "2023-07-03T19:26:23.787Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "name": "Windows Management Instrumentation", - "technique_id": "T1047", - "description": "WMI Call for Process Injection", - "asset_refs": [ - "attack-asset--d168bbc0-3cba-422e-aaa1-ed45831a7ce9" - ], - "effect_refs": [ - "attack-action--055084d8-e6ee-440a-a3d5-895ba5fdecdf" - ] - }, - { - "type": "attack-action", - "id": "attack-action--055084d8-e6ee-440a-a3d5-895ba5fdecdf", - "spec_version": "2.1", - "created": "2023-07-03T19:26:23.787Z", - "modified": "2023-07-03T19:26:23.787Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "name": "Process Injection", - "technique_id": "T1055", - "asset_refs": [ - "attack-asset--d168bbc0-3cba-422e-aaa1-ed45831a7ce9" - ] - }, - { - "type": "attack-action", - "id": "attack-action--52551dbb-9709-4a90-b7e2-ad92c735d5cc", - "spec_version": "2.1", - "created": "2023-07-03T19:26:23.787Z", - "modified": "2023-07-03T19:26:23.787Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "name": "Command and Scripting Interpreter", - "technique_id": "T1059", - "description": "12:19 UTC to 12:27 UTC: Meterpreter shell for command execution", - "execution_start": "1970-01-01T12:19:00.000Z", - "execution_end": "1970-01-01T12:27:00.000Z", - "asset_refs": [ - "attack-asset--d168bbc0-3cba-422e-aaa1-ed45831a7ce9" - ], - "effect_refs": [ - "attack-action--4f144a9a-bf93-4119-b55b-4d21ef5a10cd", - "attack-action--f636129f-0281-487f-b497-d235e2dab480", - "attack-action--1da9c661-90f5-4bca-b5f1-2798deb4acbe" - ] - }, - { - "type": "attack-action", - "id": "attack-action--1da9c661-90f5-4bca-b5f1-2798deb4acbe", - 
"spec_version": "2.1", - "created": "2023-07-03T19:26:23.787Z", - "modified": "2023-07-03T19:26:23.787Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "name": "Network Share Discovery", - "technique_id": "T1135", - "description": "12:28 to 12:57 UTC Discovery from Meterpreter Sessions", - "asset_refs": [ - "attack-asset--d168bbc0-3cba-422e-aaa1-ed45831a7ce9" - ], - "effect_refs": [ - "attack-operator--f33a8aa0-fe02-4337-9203-ead996055b96" - ] - }, - { - "type": "attack-operator", - "id": "attack-operator--f33a8aa0-fe02-4337-9203-ead996055b96", - "spec_version": "2.1", - "created": "2023-07-03T19:26:23.787Z", - "modified": "2023-07-03T19:26:23.787Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "operator": "AND", - "effect_refs": [ - "attack-action--a69439a7-6d16-421a-9ff7-776302391be0" - ] - }, - { - "type": "attack-action", - "id": "attack-action--4f144a9a-bf93-4119-b55b-4d21ef5a10cd", - "spec_version": "2.1", - "created": "2023-07-03T19:26:23.787Z", - "modified": "2023-07-03T19:26:23.787Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "name": "Account Discovery: Domain Account", - "technique_id": "T1087.002", - "description": "12:28 to 12:57 UTC Discovery from Meterpreter Sessions", - "execution_start": "1970-01-01T12:28:00.000Z", - "execution_end": "1970-01-01T12:57:00.000Z", - "effect_refs": [ - "attack-operator--f33a8aa0-fe02-4337-9203-ead996055b96" - ], - "asset_refs": [ - "attack-asset--d168bbc0-3cba-422e-aaa1-ed45831a7ce9" - ] - }, - { - "type": "attack-action", - "id": "attack-action--f636129f-0281-487f-b497-d235e2dab480", - "spec_version": "2.1", - "created": "2023-07-03T19:26:23.787Z", - "modified": "2023-07-03T19:26:23.787Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - 
"extension_type": "new-sdo" - } - }, - "name": "Domain Trust Discovery", - "technique_id": "T1482", - "description": "12:28 to 12:57 UTC Discovery from Meterpreter Sessions", - "execution_start": "1970-01-01T12:28:00.000Z", - "execution_end": "1970-01-01T12:57:00.000Z", - "effect_refs": [ - "attack-operator--f33a8aa0-fe02-4337-9203-ead996055b96" - ], - "asset_refs": [ - "attack-asset--d168bbc0-3cba-422e-aaa1-ed45831a7ce9" - ] - }, - { - "type": "attack-action", - "id": "attack-action--a69439a7-6d16-421a-9ff7-776302391be0", - "spec_version": "2.1", - "created": "2023-07-03T19:26:23.787Z", - "modified": "2023-07-03T19:26:23.787Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "name": "Application Layer Protocol", - "technique_id": "T1071", - "description": "18:26 UTC - 18:27 UTC  Cobalt Strike executed and initiates reconnaissance", - "execution_start": "1970-01-01T18:26:00.000Z", - "execution_end": "1970-01-01T18:27:00.000Z", - "effect_refs": [ - "attack-action--d31e9ed3-3eb9-44d1-9a53-2e2e4c3dcac2" - ], - "asset_refs": [ - "attack-asset--d168bbc0-3cba-422e-aaa1-ed45831a7ce9" - ] - }, - { - "type": "attack-action", - "id": "attack-action--d31e9ed3-3eb9-44d1-9a53-2e2e4c3dcac2", - "spec_version": "2.1", - "created": "2023-07-03T19:26:23.787Z", - "modified": "2023-07-03T19:26:23.787Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "name": "Account Discovery", - "technique_id": "T1087", - "description": "18:26 UTC - 18:27 UTC  Cobalt Strike executed and initiates reconnaissance", - "execution_start": "1970-01-01T18:26:00.000Z", - "execution_end": "1970-01-01T18:27:00.000Z", - "effect_refs": [ - "attack-action--40029c58-c769-4dbd-a901-87ce0857e074" - ], - "asset_refs": [ - "attack-asset--d168bbc0-3cba-422e-aaa1-ed45831a7ce9" - ] - }, - { - "type": "campaign", - "id": "campaign--95f13a09-db1d-4af9-86ff-d3f063286513", 
- "spec_version": "2.1", - "created": "2023-07-03T19:26:23.787Z", - "modified": "2023-07-03T19:26:23.787Z", - "name": "DFIR Report - BumbleBee: Round Two" - }, - { - "type": "attack-action", - "id": "attack-action--40029c58-c769-4dbd-a901-87ce0857e074", - "spec_version": "2.1", - "created": "2023-07-03T19:26:23.787Z", - "modified": "2023-07-03T19:26:23.787Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "name": "OS Credential Dumping: LSASS Memory", - "technique_id": "T1003.001", - "description": "18:31 UTC Credential dump with procdump and collection", - "execution_start": "1970-01-01T18:31:00.000Z", - "effect_refs": [ - "attack-action--dc4fb9cd-da86-48d8-b062-7a78f4fcccad" - ], - "asset_refs": [ - "attack-asset--d168bbc0-3cba-422e-aaa1-ed45831a7ce9" - ] - }, - { - "type": "attack-action", - "id": "attack-action--dc4fb9cd-da86-48d8-b062-7a78f4fcccad", - "spec_version": "2.1", - "created": "2023-07-03T19:26:23.787Z", - "modified": "2023-07-03T19:26:23.787Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "name": "Remote Services: Remote Desktop Protocol", - "technique_id": "T1021.001", - "description": "18:53 UTC Lateral Movement to Server via RDP and Anydesk install", - "execution_start": "1970-01-01T18:53:00.000Z", - "effect_refs": [ - "attack-action--3cd623e4-d522-4a49-9274-80daab9d548d" - ], - "asset_refs": [ - "attack-asset--02d51e4b-f881-47c4-999c-15faa02583cf" - ] - }, - { - "type": "attack-action", - "id": "attack-action--3cd623e4-d522-4a49-9274-80daab9d548d", - "spec_version": "2.1", - "created": "2023-07-03T19:26:23.787Z", - "modified": "2023-07-03T19:26:23.787Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "name": "Remote Access Software", - "technique_id": "T1219", - "description": "Remote access with AnyDesk", - 
"effect_refs": [ - "attack-action--f988de9b-8b10-45bc-9f97-151ff552a196" - ], - "asset_refs": [ - "attack-asset--02d51e4b-f881-47c4-999c-15faa02583cf" - ] - }, - { - "type": "attack-action", - "id": "attack-action--f988de9b-8b10-45bc-9f97-151ff552a196", - "spec_version": "2.1", - "created": "2023-07-03T19:26:23.787Z", - "modified": "2023-07-03T19:26:23.787Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "name": "Create Account: Domain Account", - "technique_id": "T1136.002", - "description": "19:00 UTC User Added for Persistence on Server", - "execution_start": "1970-01-01T19:00:00.000Z", - "effect_refs": [ - "attack-action--a39cb9ff-6740-4503-8a22-7549753a892c" - ], - "asset_refs": [ - "attack-asset--02d51e4b-f881-47c4-999c-15faa02583cf" - ] - }, - { - "type": "attack-action", - "id": "attack-action--a39cb9ff-6740-4503-8a22-7549753a892c", - "spec_version": "2.1", - "created": "2023-07-03T19:26:23.787Z", - "modified": "2023-07-03T19:26:23.787Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "name": "System Network Configuration Discovery", - "technique_id": "T1016", - "description": "19:09 UTC AdFind executed for system reconnaissance", - "execution_start": "1970-01-01T19:09:00.000Z", - "effect_refs": [ - "attack-action--26ba213f-b338-42a5-a791-c666668db1e3" - ], - "asset_refs": [ - "attack-asset--02d51e4b-f881-47c4-999c-15faa02583cf" - ] - }, - { - "type": "attack-action", - "id": "attack-action--26ba213f-b338-42a5-a791-c666668db1e3", - "spec_version": "2.1", - "created": "2023-07-03T19:26:23.787Z", - "modified": "2023-07-03T19:26:23.787Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "name": "Remote Access Software", - "technique_id": "T1219", - "description": "19:13 UTC AnyDesk used to browse files", - "execution_start": 
"1970-01-01T19:13:00.000Z", - "effect_refs": [ - "attack-action--e40758a2-cd01-4706-9edb-849dc3664091" - ], - "asset_refs": [ - "attack-asset--02d51e4b-f881-47c4-999c-15faa02583cf" - ] - }, - { - "type": "attack-action", - "id": "attack-action--e40758a2-cd01-4706-9edb-849dc3664091", - "spec_version": "2.1", - "created": "2023-07-03T19:26:23.787Z", - "modified": "2023-07-03T19:26:23.787Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "name": "Remote Services: Remote Desktop Protocol", - "technique_id": "T1021.001", - "description": "19:17 UTC Lateral Movement to Backup Server via RDP", - "execution_start": "1970-01-01T19:17:00.000Z", - "effect_refs": [ - "attack-action--f3466114-62e4-472e-9204-1523cf78352a" - ], - "asset_refs": [ - "attack-asset--73d53409-2a4d-48af-9a8c-c15a934ff825" - ] - }, - { - "type": "attack-action", - "id": "attack-action--f3466114-62e4-472e-9204-1523cf78352a", - "spec_version": "2.1", - "created": "2023-07-03T19:26:23.787Z", - "modified": "2023-07-03T19:26:23.787Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "name": "Command and Scripting Interpreter", - "technique_id": "T1059.003", - "description": "00:14 UTC Batch Script executed for system reconnaissance", - "execution_start": "1970-01-02T00:14:00.000Z", - "asset_refs": [ - "attack-asset--73d53409-2a4d-48af-9a8c-c15a934ff825" - ] - }, - { - "type": "attack-asset", - "id": "attack-asset--02d51e4b-f881-47c4-999c-15faa02583cf", - "spec_version": "2.1", - "created": "2023-07-03T19:26:23.787Z", - "modified": "2023-07-03T19:26:23.787Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "name": "Server" - }, - { - "type": "attack-asset", - "id": "attack-asset--73d53409-2a4d-48af-9a8c-c15a934ff825", - "spec_version": "2.1", - "created": "2023-07-03T19:26:23.787Z", 
- "modified": "2023-07-03T19:26:23.787Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "name": "Backup Server" - }, - { - "type": "process", - "id": "process--50cab0ab-6a3d-41ed-a928-e860d0f921a5", - "spec_version": "2.1", - "created": "2023-07-03T19:26:23.787Z", - "modified": "2023-07-03T19:26:23.787Z", - "command_line": "rundll32.exe tamirlan.dll,EdHVntqdWt" - } - ] -} \ No newline at end of file diff --git a/corpus/Equifax Breach.json b/corpus/Equifax Breach.json deleted file mode 100644 index b5d52833..00000000 --- a/corpus/Equifax Breach.json +++ /dev/null 
@@ -1,649 +0,0 @@ -{ - "type": "bundle", - "id": "bundle--919260fe-2a8a-4087-8c48-8a1cf2dd2155", - "spec_version": "2.1", - "created": "2022-12-21T22:19:29.445Z", - "modified": "2022-12-21T22:19:29.445Z", - "objects": [ - { - "type": "extension-definition", - "id": "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4", - "spec_version": "2.1", - "created": "2022-08-02T19:34:35.143Z", - "modified": "2022-08-02T19:34:35.143Z", - "name": "Attack Flow", - "description": "Extends STIX 2.1 with features to create Attack Flows.", - "created_by_ref": "identity--fb9c968a-745b-4ade-9b25-c324172197f4", - "schema": "https://center-for-threat-informed-defense.github.io/attack-flow/stix/attack-flow-schema-2.0.0.json", - "version": "2.0.0", - "extension_types": [ - "new-sdo" - ], - "external_references": [ - { - "source_name": "Documentation", - "description": "Documentation for Attack Flow", - "url": "https://center-for-threat-informed-defense.github.io/attack-flow" - }, - { - "source_name": "GitHub", - "description": "Source code repository for Attack Flow", - "url": "https://github.com/center-for-threat-informed-defense/attack-flow" - } - ] - }, - { - "type": "identity", - "id": "identity--fb9c968a-745b-4ade-9b25-c324172197f4", - "spec_version": "2.1", - "created": "2022-08-02T19:34:35.143Z", - "modified": "2022-08-02T19:34:35.143Z", - "create_by_ref": "identity--fb9c968a-745b-4ade-9b25-c324172197f4", - "name": "MITRE Engenuity Center for Threat-Informed Defense", - "identity_class": "organization" - }, - { - "type": "attack-flow", - "id": "attack-flow--5d6dbe20-6e8a-4a91-b927-49995af62ca5", - "spec_version": "2.1", - "created": "2022-10-27T02:44:54.520Z", - "modified": "2022-12-21T22:19:29.445Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "created_by_ref": "identity--acbc0f38-7c39-4b7f-bd47-95007d0d0d7e", - "start_refs": [ - "attack-action--6f347c34-9d8a-48f1-889e-23752c87197b" - ], - 
"name": "Equifax Breach", - "description": "Attack flow on the 2017 Equifax breach.", - "author": [ - [ - "name", - "Lauren Parker" - ], - [ - "identity_class", - "23b79ae0fc0f07a3669598dd23c694cc" - ], - [ - "contact_information", - "lparker@mitre.org" - ] - ], - "scope": "incident", - "external_references": [ - { - "source_name": "CNET", - "description": "Article", - "url": "https://www.cnet.com/news/privacy/equifaxs-hack-one-year-later-a-look-back-at-how-it-happened-and-whats-changed/" - }, - { - "source_name": "CSO", - "description": "Article", - "url": "https://www.csoonline.com/article/3444488/equifax-data-breach-faq-what-happened-who-was-affected-what-was-the-impact.html" - }, - { - "source_name": "Department of Justice", - "description": "Press Release", - "url": "https://www.justice.gov/opa/press-release/file/1246891/download" - }, - { - "source_name": "Government Accountability Office", - "description": "Congressional Request", - "url": "https://www.warren.senate.gov/imo/media/doc/2018.09.06%20GAO%20Equifax%20report.pdf" - } - ] - }, - { - "type": "identity", - "id": "identity--acbc0f38-7c39-4b7f-bd47-95007d0d0d7e", - "spec_version": "2.1", - "created": "2022-12-21T22:19:29.445Z", - "modified": "2022-12-21T22:19:29.445Z", - "name": "Lauren Parker", - "identity_class": "individual", - "contact_information": "lparker@mitre.org" - }, - { - "type": "threat-actor", - "id": "threat-actor--d3193187-95c8-428c-9de5-0e2049a778e8", - "spec_version": "2.1", - "created": "2022-12-21T22:19:29.445Z", - "modified": "2022-12-21T22:19:29.445Z", - "name": "Wu Zhiyong", - "description": "Member of the PLA who was indicted by DoJ for computer fraud, economic espionage, and wire fraud for hacking into credit reporting agency Equifax", - "threat_actor_types": [ - "Nation-state" - ], - "first_seen": "2017-05-13T04:00:00.000Z", - "last_seen": "2017-07-30T04:00:00.000Z", - "roles": [ - "Agent" - ], - "goals": [ - "access protected computers for economic espionage; transmit 
information from a protected computer to cause harm; steal, convey, and sell trade secrets from Equifax to benefit a foreign government, namely China" - ], - "sophistication": "Expert", - "resource_level": "Government", - "primary_motivation": "organizational-gain" - }, - { - "type": "threat-actor", - "id": "threat-actor--ed3f9e1b-1c65-4d72-9bb3-01e0ec01b094", - "spec_version": "2.1", - "created": "2022-12-21T22:19:29.445Z", - "modified": "2022-12-21T22:19:29.445Z", - "name": "Wang Qian", - "description": "Member of the PLA who was indicted by DoJ for computer fraud, economic espionage, and wire fraud for hacking into credit reporting agency Equifax", - "threat_actor_types": [ - "Nation-state" - ], - "first_seen": "2017-05-13T04:00:00.000Z", - "last_seen": "2017-07-30T04:00:00.000Z", - "roles": [ - "Agent" - ], - "goals": [ - "access protected computers for economic espionage; transmit information from a protected computer to cause harm; steal, convey, and sell trade secrets from Equifax to benefit a foreign government, namely China" - ], - "sophistication": "Expert", - "resource_level": "Government", - "primary_motivation": "organizational-gain" - }, - { - "type": "threat-actor", - "id": "threat-actor--52e873ba-3b38-46d4-ac6f-fa5d4875d049", - "spec_version": "2.1", - "created": "2022-12-21T22:19:29.445Z", - "modified": "2022-12-21T22:19:29.445Z", - "name": "Xu Ke", - "description": "Member of the PLA who was indicted by DoJ for computer fraud, economic espionage, and wire fraud for hacking into credit reporting agency Equifax", - "threat_actor_types": [ - "Nation-state" - ], - "first_seen": "2017-05-13T04:00:00.000Z", - "last_seen": "2017-07-30T04:00:00.000Z", - "roles": [ - "Agent" - ], - "goals": [ - "access protected computers for economic espionage; transmit information from a protected computer to cause harm; steal, convey, and sell trade secrets from Equifax to benefit a foreign government, namely China" - ], - "sophistication": "Expert", - "resource_level": 
"Government", - "primary_motivation": "organizational-gain" - }, - { - "type": "threat-actor", - "id": "threat-actor--60ee3b8c-c6f9-4ac5-ab95-7d7e5a592638", - "spec_version": "2.1", - "created": "2022-12-21T22:19:29.445Z", - "modified": "2022-12-21T22:19:29.445Z", - "name": "Liu Lei", - "description": "Member of the PLA who was indicted by DoJ for computer fraud, economic espionage, and wire fraud for hacking into credit reporting agency Equifax", - "threat_actor_types": [ - "Nation-state" - ], - "first_seen": "2017-05-13T04:00:00.000Z", - "last_seen": "2017-07-30T04:00:00.000Z", - "roles": [ - "Agent" - ], - "goals": [ - "access protected computers for economic espionage; transmit information from a protected computer to cause harm; steal, convey, and sell trade secrets from Equifax to benefit a foreign government, namely China" - ], - "sophistication": "Expert", - "resource_level": "Government", - "primary_motivation": "organizational-gain" - }, - { - "type": "attack-action", - "id": "attack-action--6f347c34-9d8a-48f1-889e-23752c87197b", - "spec_version": "2.1", - "created": "2022-12-21T22:19:29.445Z", - "modified": "2022-12-21T22:19:29.445Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "name": "Active Scanning: Vulnerability Scanning", - "technique_id": "T1595.002", - "description": " US-CERT warned about a vulnerability within Apache Struts. 
Attackers searched the web for systems with this vulnerability", - "confidence": 100, - "effect_refs": [ - "attack-condition--6a38d6e6-107c-4941-9848-a7a91b9560f8" - ] - }, - { - "type": "attack-condition", - "id": "attack-condition--6a38d6e6-107c-4941-9848-a7a91b9560f8", - "spec_version": "2.1", - "created": "2022-12-21T22:19:29.445Z", - "modified": "2022-12-21T22:19:29.445Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "description": "Attackers discovered vulnerable Apache Struts Web Framework on Equifax's dispute portal", - "on_true_refs": [ - "attack-action--ed1d3b65-7d96-4fb0-88c4-c2cd30623b03" - ] - }, - { - "type": "attack-action", - "id": "attack-action--ed1d3b65-7d96-4fb0-88c4-c2cd30623b03", - "spec_version": "2.1", - "created": "2022-12-21T22:19:29.445Z", - "modified": "2022-12-21T22:19:29.445Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "name": "Exploit Public-Facing Application", - "technique_id": "T1190", - "description": "Attackers used software designed to exploit the Apache Struts Web Framework vulnerability to gain access to Equifax's online dispute portal ", - "confidence": 100, - "effect_refs": [ - "attack-condition--085ff46c-3c7d-43f0-8e8f-0b265e209f4d" - ] - }, - { - "type": "attack-condition", - "id": "attack-condition--085ff46c-3c7d-43f0-8e8f-0b265e209f4d", - "spec_version": "2.1", - "created": "2022-12-21T22:19:29.445Z", - "modified": "2022-12-21T22:19:29.445Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "description": "Attackers sold foothold into Equifax's network to more experience attackers", - "on_true_refs": [ - "attack-action--21be9f13-3c4b-4c97-b532-326568e19550" - ] - }, - { - "type": "attack-action", - "id": "attack-action--21be9f13-3c4b-4c97-b532-326568e19550", - "spec_version": "2.1", - 
"created": "2022-12-21T22:19:29.445Z", - "modified": "2022-12-21T22:19:29.445Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "name": "Server Software Component: Web Shell", - "technique_id": "T1505.003", - "description": "New attackers exploited foothold and installed web shell onto the Online Dispute Portal ", - "confidence": 100, - "asset_refs": [ - "attack-asset--c8ab9a0b-16c8-472d-8eca-a52c2e512019" - ], - "effect_refs": [ - "attack-action--d9d6e1e2-dc1e-404f-a4fd-a1fac90c0a86", - "attack-action--98563102-bd12-43d2-829c-e6591931f1fb" - ] - }, - { - "type": "attack-asset", - "id": "attack-asset--c8ab9a0b-16c8-472d-8eca-a52c2e512019", - "spec_version": "2.1", - "created": "2022-12-21T22:19:29.445Z", - "modified": "2022-12-21T22:19:29.445Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "name": "Online Dispute Portal" - }, - { - "type": "attack-action", - "id": "attack-action--d9d6e1e2-dc1e-404f-a4fd-a1fac90c0a86", - "spec_version": "2.1", - "created": "2022-12-21T22:19:29.445Z", - "modified": "2022-12-21T22:19:29.445Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "name": "Gather Victim Identity Information: Credentials", - "technique_id": "T1589.001", - "description": "Attackers conducted recon on the online dispute portal to obtain valid credentials for database servers", - "confidence": 100, - "effect_refs": [ - "attack-operator--6dd662da-1e03-4873-943c-d9a8d25b306d" - ] - }, - { - "type": "attack-action", - "id": "attack-action--98563102-bd12-43d2-829c-e6591931f1fb", - "spec_version": "2.1", - "created": "2022-12-21T22:19:29.445Z", - "modified": "2022-12-21T22:19:29.445Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "name": "Gather Victim 
Network Information", - "technique_id": "T1590", - "description": "Attackers conducted recon to identify databases with PII", - "confidence": 100, - "effect_refs": [ - "attack-operator--6dd662da-1e03-4873-943c-d9a8d25b306d" - ] - }, - { - "type": "attack-operator", - "id": "attack-operator--6dd662da-1e03-4873-943c-d9a8d25b306d", - "spec_version": "2.1", - "created": "2022-12-21T22:19:29.445Z", - "modified": "2022-12-21T22:19:29.445Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "operator": "AND", - "effect_refs": [ - "attack-action--6641e2c7-8ea1-443f-a29d-89e544be5eb9" - ] - }, - { - "type": "attack-action", - "id": "attack-action--6641e2c7-8ea1-443f-a29d-89e544be5eb9", - "spec_version": "2.1", - "created": "2022-12-21T22:19:29.445Z", - "modified": "2022-12-21T22:19:29.445Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "name": "Encrypted Channel", - "technique_id": "T1573", - "description": "Queried databases for PII using existing encrypted channels", - "confidence": 100, - "effect_refs": [ - "attack-condition--a0f50bb1-aacd-4678-8160-c2062fef2b10" - ] - }, - { - "type": "attack-condition", - "id": "attack-condition--a0f50bb1-aacd-4678-8160-c2062fef2b10", - "spec_version": "2.1", - "created": "2022-12-21T22:19:29.445Z", - "modified": "2022-12-21T22:19:29.445Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "description": "Attackers discovered and compromised databases storing PII", - "on_true_refs": [ - "attack-action--20aa5b9f-3477-4e0a-a5d0-93b6c199be69", - "attack-action--bd230072-e0f0-4478-a209-7d7aded898f2" - ] - }, - { - "type": "attack-action", - "id": "attack-action--bd230072-e0f0-4478-a209-7d7aded898f2", - "spec_version": "2.1", - "created": "2022-12-21T22:19:29.445Z", - "modified": "2022-12-21T22:19:29.445Z", - 
"extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "name": "Archive Collected Data", - "technique_id": "T1560", - "description": " split and compress output files with information", - "confidence": 100, - "effect_refs": [ - "attack-operator--c1e2a2c3-c2d0-4551-9969-2d39cb6f3053" - ] - }, - { - "type": "attack-action", - "id": "attack-action--20aa5b9f-3477-4e0a-a5d0-93b6c199be69", - "spec_version": "2.1", - "created": "2022-12-21T22:19:29.445Z", - "modified": "2022-12-21T22:19:29.445Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "name": "Deobfuscate/Decode Files or Information", - "technique_id": "T1140", - "description": "split and compress output files with information - obfuscate PII information", - "confidence": 100, - "effect_refs": [ - "attack-operator--c1e2a2c3-c2d0-4551-9969-2d39cb6f3053" - ] - }, - { - "type": "attack-operator", - "id": "attack-operator--c1e2a2c3-c2d0-4551-9969-2d39cb6f3053", - "spec_version": "2.1", - "created": "2022-12-21T22:19:29.445Z", - "modified": "2022-12-21T22:19:29.445Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "operator": "AND", - "effect_refs": [ - "attack-action--23fade7d-fc7b-42d6-b962-fd13f8d67e88" - ] - }, - { - "type": "attack-action", - "id": "attack-action--23fade7d-fc7b-42d6-b962-fd13f8d67e88", - "spec_version": "2.1", - "created": "2022-12-21T22:19:29.445Z", - "modified": "2022-12-21T22:19:29.445Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "name": "Exfiltration Over Alternative Protocol: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol", - "technique_id": "T1048.002", - "description": "Exfiltration over standard encrypted web protocols to disguise the exchanges as normal network traffic", - 
"confidence": 100, - "effect_refs": [ - "attack-action--e0206671-984d-49d1-bd1a-12e10966395f" - ] - }, - { - "type": "attack-action", - "id": "attack-action--e0206671-984d-49d1-bd1a-12e10966395f", - "spec_version": "2.1", - "created": "2022-12-21T22:19:29.445Z", - "modified": "2022-12-21T22:19:29.445Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "name": "Proxy: Multi-hop Proxy", - "technique_id": "T1090.003", - "description": "attackers used multi-hop proxies in approximately thirty-four servers located in nearly twenty countries", - "confidence": 100, - "effect_refs": [ - "attack-action--61cfb4a1-6468-4095-bd42-c9e0476a9e00", - "attack-action--f4e8ee77-2e14-450d-92d4-d7a1b6595c16" - ] - }, - { - "type": "infrastructure", - "id": "infrastructure--66dbb482-b762-4299-a995-6e0ae0c48d42", - "spec_version": "2.1", - "created": "2022-12-21T22:19:29.445Z", - "modified": "2022-12-21T22:19:29.445Z", - "name": "Proxies", - "description": "Adversary used multi-hop proxies", - "infrastructure_types": [ - "Anonymization" - ] - }, - { - "type": "infrastructure", - "id": "infrastructure--82e17e5c-bd8a-493a-a209-8d6b2ab86e50", - "spec_version": "2.1", - "created": "2022-12-21T22:19:29.445Z", - "modified": "2022-12-21T22:19:29.445Z", - "name": "Servers", - "description": "Adversary used 34 servers located in nearly 20 countries to host multi-hop proxies for obfuscation", - "infrastructure_types": [ - "anonymization" - ] - }, - { - "type": "attack-action", - "id": "attack-action--f4e8ee77-2e14-450d-92d4-d7a1b6595c16", - "spec_version": "2.1", - "created": "2022-12-21T22:19:29.445Z", - "modified": "2022-12-21T22:19:29.445Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "name": "Indicator Removal on Host: File Deletion", - "technique_id": "T1070.004", - "description": "deleted the compressed files after exfiltrating the 
sensitive data", - "confidence": 100, - "effect_refs": [ - "attack-operator--ea57b20a-83fd-4bee-9b95-088475b31f8d" - ] - }, - { - "type": "attack-action", - "id": "attack-action--61cfb4a1-6468-4095-bd42-c9e0476a9e00", - "spec_version": "2.1", - "created": "2022-12-21T22:19:29.445Z", - "modified": "2022-12-21T22:19:29.445Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "name": " Indicator Removal on Host: Clear Windows Event Logs", - "technique_id": "T1070.001", - "description": "wiped log files on a daily basis in an effort to eliminate records of activity", - "confidence": 100, - "effect_refs": [ - "attack-operator--ea57b20a-83fd-4bee-9b95-088475b31f8d" - ] - }, - { - "type": "attack-operator", - "id": "attack-operator--ea57b20a-83fd-4bee-9b95-088475b31f8d", - "spec_version": "2.1", - "created": "2022-12-21T22:19:29.445Z", - "modified": "2022-12-21T22:19:29.445Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "operator": "AND" - }, - { - "type": "vulnerability", - "id": "vulnerability--dee9a6ef-eba8-457b-bf88-2ed1ead2dbbd", - "spec_version": "2.1", - "created": "2022-12-21T22:19:29.445Z", - "modified": "2022-12-21T22:19:29.445Z", - "name": "Apache Struts" - }, - { - "type": "vulnerability", - "id": "vulnerability--236a6a2c-e12c-4ed9-983b-602b7af3bc2a", - "spec_version": "2.1", - "created": "2022-12-21T22:19:29.445Z", - "modified": "2022-12-21T22:19:29.445Z", - "name": "Apache Struts Web Framework" - }, - { - "type": "malware", - "id": "malware--49e4d378-bc15-4ab9-bb3f-b05e3b896bb0", - "spec_version": "2.1", - "created": "2022-12-21T22:19:29.445Z", - "modified": "2022-12-21T22:19:29.445Z", - "name": "Web Shell", - "malware_types": [ - "webshell" - ], - "is_family": false, - "capabilities": [ - "communicates-with-c2", - "exfiltrates-data" - ] - }, - { - "type": "relationship", - "id": 
"relationship--32995d57-8773-458b-84b0-2d298fc6a671", - "spec_version": "2.1", - "created": "2022-12-21T22:19:29.445Z", - "modified": "2022-12-21T22:19:29.445Z", - "relationship_type": "related-to", - "source_ref": "attack-action--6f347c34-9d8a-48f1-889e-23752c87197b", - "target_ref": "vulnerability--dee9a6ef-eba8-457b-bf88-2ed1ead2dbbd" - }, - { - "type": "relationship", - "id": "relationship--59453720-49c7-4d19-a970-29f3ea10ebc1", - "spec_version": "2.1", - "created": "2022-12-21T22:19:29.445Z", - "modified": "2022-12-21T22:19:29.445Z", - "relationship_type": "related-to", - "source_ref": "attack-action--ed1d3b65-7d96-4fb0-88c4-c2cd30623b03", - "target_ref": "vulnerability--236a6a2c-e12c-4ed9-983b-602b7af3bc2a" - }, - { - "type": "relationship", - "id": "relationship--9f6a01a6-f872-4467-8cf3-b3681879ce41", - "spec_version": "2.1", - "created": "2022-12-21T22:19:29.445Z", - "modified": "2022-12-21T22:19:29.445Z", - "relationship_type": "related-to", - "source_ref": "attack-action--21be9f13-3c4b-4c97-b532-326568e19550", - "target_ref": "malware--49e4d378-bc15-4ab9-bb3f-b05e3b896bb0" - }, - { - "type": "relationship", - "id": "relationship--406bccf6-add9-49fa-b601-881cf6ccd1f4", - "spec_version": "2.1", - "created": "2022-12-21T22:19:29.445Z", - "modified": "2022-12-21T22:19:29.445Z", - "relationship_type": "related-to", - "source_ref": "attack-action--e0206671-984d-49d1-bd1a-12e10966395f", - "target_ref": "infrastructure--82e17e5c-bd8a-493a-a209-8d6b2ab86e50" - }, - { - "type": "relationship", - "id": "relationship--acbce95e-1183-4000-b363-693f050332fe", - "spec_version": "2.1", - "created": "2022-12-21T22:19:29.445Z", - "modified": "2022-12-21T22:19:29.445Z", - "relationship_type": "related-to", - "source_ref": "attack-action--e0206671-984d-49d1-bd1a-12e10966395f", - "target_ref": "infrastructure--66dbb482-b762-4299-a995-6e0ae0c48d42" - } - ] -} \ No newline at end of file 
diff --git a/corpus/FIN13 Case 2.json b/corpus/FIN13 Case 2.json
deleted file mode 100644
index 10b1ec32..00000000
--- a/corpus/FIN13 Case 2.json
+++ /dev/null
@@ -1,1178 +0,0 @@ -{ - "type": "bundle", - "id": "bundle--06b1c448-3dad-4084-9338-138a307f8390", - "spec_version": "2.1", - "created": "2022-12-22T19:29:02.236Z", - "modified": "2022-12-22T19:29:02.236Z", - "objects": [ - { - "type": "extension-definition", - "id": "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4", - "spec_version": "2.1", - "created": "2022-08-02T19:34:35.143Z", - "modified": "2022-08-02T19:34:35.143Z", - "name": "Attack Flow", - "description": "Extends STIX 2.1 with features to create Attack Flows.", - "created_by_ref": "identity--fb9c968a-745b-4ade-9b25-c324172197f4", - "schema": "https://center-for-threat-informed-defense.github.io/attack-flow/stix/attack-flow-schema-2.0.0.json", - "version": "2.0.0", - "extension_types": [ - "new-sdo" - ], - "external_references": [ - { - "source_name": "Documentation", - "description": "Documentation for Attack Flow", - "url": "https://center-for-threat-informed-defense.github.io/attack-flow" - }, - { - "source_name": "GitHub", - "description": "Source code repository for Attack Flow", - "url": "https://github.com/center-for-threat-informed-defense/attack-flow" - } - ] - }, - { - "type": "identity", - "id": "identity--fb9c968a-745b-4ade-9b25-c324172197f4", - "spec_version": "2.1", - "created": "2022-08-02T19:34:35.143Z", - "modified": "2022-08-02T19:34:35.143Z", - "create_by_ref": "identity--fb9c968a-745b-4ade-9b25-c324172197f4", - "name": "MITRE Engenuity Center for Threat-Informed Defense", - "identity_class": "organization" - }, - { - "type": "attack-flow", - "id": "attack-flow--e423964e-24b1-4caa-ac09-35a046e69639", - "spec_version": "2.1", - "created": "2022-10-27T02:44:54.520Z", - "modified": "2022-12-22T19:29:02.236Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "created_by_ref": "identity--158573ab-d3ea-4d13-bf2e-91952c79af45", - "start_refs": [ - "attack-action--81e5c5eb-d20d-46e2-8755-d196dce3cf55" - ], - 
"name": "FIN13 Case 2", - "description": "Attack flow for the FIN13 campaign targeting a bank in Peru. ", - "author": [ - [ - "name", - "Mia Sanchez" - ], - [ - "identity_class", - "23b79ae0fc0f07a3669598dd23c694cc" - ], - [ - "contact_information", - "msanschez@mitre.org" - ] - ], - "scope": "campaign", - "external_references": [ - { - "source_name": "Mandiant", - "description": "Blog", - "url": "https://www.mandiant.com/resources/blog/fin13-cybercriminal-mexico" - }, - { - "source_name": "Sygnia", - "description": "Report", - "url": "https://f.hubspotusercontent30.net/hubfs/8776530/Sygnia-%20Elephant%20Beetle_Jan2022.pdf" - }, - { - "source_name": "Netwitness", - "description": "Report", - "url": "https://www.netwitness.com/wp-content/uploads/FIN13-Elephant-Beetle-NetWitness.pdf" - } - ] - }, - { - "type": "identity", - "id": "identity--158573ab-d3ea-4d13-bf2e-91952c79af45", - "spec_version": "2.1", - "created": "2022-12-22T19:29:02.236Z", - "modified": "2022-12-22T19:29:02.236Z", - "name": "Mia Sanchez", - "identity_class": "individual", - "contact_information": "msanschez@mitre.org" - }, - { - "type": "attack-action", - "id": "attack-action--81e5c5eb-d20d-46e2-8755-d196dce3cf55", - "spec_version": "2.1", - "created": "2022-12-22T19:29:02.236Z", - "modified": "2022-12-22T19:29:02.236Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "name": "Exploit Public-Facing Application", - "technique_id": "T1190", - "description": "Exploited the Log4j vulnerability to open a breach head on the DMZ ", - "confidence": 100, - "asset_refs": [ - "attack-asset--2b04b7d2-1c66-4c8a-ab0f-96a2151af77f" - ], - "effect_refs": [ - "attack-action--6a89f34f-6ad9-492f-801a-d67148b37c18" - ] - }, - { - "type": "attack-action", - "id": "attack-action--6a89f34f-6ad9-492f-801a-d67148b37c18", - "spec_version": "2.1", - "created": "2022-12-22T19:29:02.236Z", - "modified": "2022-12-22T19:29:02.236Z", - "extensions": { 
- "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "name": "Ingress Tool Transfer", - "technique_id": "T1195", - "description": "The attacker immediately deployed tools on the breached DMZ", - "confidence": 100, - "effect_refs": [ - "attack-action--fcd49b6d-5dde-4cdd-b73a-a3b5031a6942" - ] - }, - { - "type": "vulnerability", - "id": "vulnerability--64913703-2b3b-4738-b0aa-e836ff1754e8", - "spec_version": "2.1", - "created": "2022-12-22T19:29:02.236Z", - "modified": "2022-12-22T19:29:02.236Z", - "name": "CVE-2021-44228", - "description": "Log4j vulnerability" - }, - { - "type": "infrastructure", - "id": "infrastructure--63f316cc-2f31-4ef3-afbe-b645e01c70d6", - "spec_version": "2.1", - "created": "2022-12-22T19:29:02.236Z", - "modified": "2022-12-22T19:29:02.236Z", - "name": "IP Address", - "description": "The attacker used IP address 185.193.126.27 to conduct the attack. ", - "infrastructure_types": [ - "command-and-control" - ] - }, - { - "type": "attack-asset", - "id": "attack-asset--2b04b7d2-1c66-4c8a-ab0f-96a2151af77f", - "spec_version": "2.1", - "created": "2022-12-22T19:29:02.236Z", - "modified": "2022-12-22T19:29:02.236Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "name": "AKATWEB Web Server", - "description": "The attacker exploited an unpatched proxy webserver" - }, - { - "type": "attack-action", - "id": "attack-action--fcd49b6d-5dde-4cdd-b73a-a3b5031a6942", - "spec_version": "2.1", - "created": "2022-12-22T19:29:02.236Z", - "modified": "2022-12-22T19:29:02.236Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "name": "Server Software Component: Web Shell", - "technique_id": "T1505.003", - "description": "Implanted a JSP webshell", - "confidence": 100, - "asset_refs": [ - "attack-asset--66b37f83-3a98-4971-9e42-1c706ff8431a" - ], - 
"effect_refs": [ - "attack-action--6c480520-1fa3-436d-832f-fecd8de08f62" - ] - }, - { - "type": "attack-asset", - "id": "attack-asset--66b37f83-3a98-4971-9e42-1c706ff8431a", - "spec_version": "2.1", - "created": "2022-12-22T19:29:02.236Z", - "modified": "2022-12-22T19:29:02.236Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "name": "AKATWEB Web Server", - "description": "The attacker implanted a webshell on the AKATWEB server" - }, - { - "type": "attack-action", - "id": "attack-action--6c480520-1fa3-436d-832f-fecd8de08f62", - "spec_version": "2.1", - "created": "2022-12-22T19:29:02.236Z", - "modified": "2022-12-22T19:29:02.236Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "name": "Exploitation for Client Execution", - "technique_id": "T1203", - "description": "Moved laterally to a DMZ segment hosting a SharePoint server probably by using a RCE vulnerability. ", - "confidence": 70, - "asset_refs": [ - "attack-asset--84ee066e-02fc-49ec-bb41-ddcdd3f4a7d1" - ], - "effect_refs": [ - "attack-action--482cf545-fe5c-4a0b-b56d-bcf5aa522006" - ] - }, - { - "type": "vulnerability", - "id": "vulnerability--5e377b2d-75e0-43bd-9f15-802f3eabf9e4", - "spec_version": "2.1", - "created": "2022-12-22T19:29:02.236Z", - "modified": "2022-12-22T19:29:02.236Z", - "name": "CVE-2019-0604", - "description": "Microsoft SharePoint RCE Vulnerability" - }, - { - "type": "attack-asset", - "id": "attack-asset--84ee066e-02fc-49ec-bb41-ddcdd3f4a7d1", - "spec_version": "2.1", - "created": "2022-12-22T19:29:02.236Z", - "modified": "2022-12-22T19:29:02.236Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "name": "Sharepoint Server", - "description": "The attacker exploited the Sharepoint Server likely with an RCE vulnerability. 
" - }, - { - "type": "attack-action", - "id": "attack-action--47fdc13f-2f34-4b53-8cf5-82646d3f12c7", - "spec_version": "2.1", - "created": "2022-12-22T19:29:02.236Z", - "modified": "2022-12-22T19:29:02.236Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "name": "Active Scanning", - "technique_id": "T1595", - "description": "Executed a scan on the REMWK DMZ to find additional servers. ", - "confidence": 100, - "effect_refs": [ - "attack-condition--2842d171-01e5-4e18-bef5-350d2bdfced9" - ], - "asset_refs": [ - "attack-asset--47c6ad4a-1be9-4d4b-b938-2825042e8302" - ] - }, - { - "type": "attack-action", - "id": "attack-action--482cf545-fe5c-4a0b-b56d-bcf5aa522006", - "spec_version": "2.1", - "created": "2022-12-22T19:29:02.236Z", - "modified": "2022-12-22T19:29:02.236Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "name": "OS Credential Dumping: LSASS Memory", - "technique_id": "T1003.001", - "description": " Succesfully dumped the SharePoint cached credentials and sent the files to a Dropzone to crack offline. 
", - "confidence": 100, - "asset_refs": [ - "attack-asset--4b538266-650b-4512-9615-1ce4ca53486c" - ], - "effect_refs": [ - "attack-action--47fdc13f-2f34-4b53-8cf5-82646d3f12c7" - ] - }, - { - "type": "tool", - "id": "tool--fb49aa4d-402b-4315-b43f-577b537c7835", - "spec_version": "2.1", - "created": "2022-12-22T19:29:02.236Z", - "modified": "2022-12-22T19:29:02.236Z", - "name": "pr64.exe", - "description": "Renamed procdump, used to retrieve the cached credentials.", - "tool_types": [ - "credential-exploitation" - ] - }, - { - "type": "attack-asset", - "id": "attack-asset--4b538266-650b-4512-9615-1ce4ca53486c", - "spec_version": "2.1", - "created": "2022-12-22T19:29:02.236Z", - "modified": "2022-12-22T19:29:02.236Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "name": "Sharepoint Credentials", - "description": "Cached credentials stored in Sharepoint server LSASS Memory. " - }, - { - "type": "attack-action", - "id": "attack-action--f5ca2849-e569-49ac-917c-5b33e1c077d7", - "spec_version": "2.1", - "created": "2022-12-22T19:29:02.236Z", - "modified": "2022-12-22T19:29:02.236Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "name": "OS Credential Dumping: LSASS Memory", - "technique_id": "T1003.001", - "description": " Executed another LSASS dump", - "confidence": 100, - "effect_refs": [ - "attack-condition--fdcd3bcc-7b71-48d9-b5ea-80469af42c5e" - ] - }, - { - "type": "tool", - "id": "tool--3e798e83-18cc-4c43-b6ab-082073deda7b", - "spec_version": "2.1", - "created": "2022-12-22T19:29:02.236Z", - "modified": "2022-12-22T19:29:02.236Z", - "name": "pr64.exe", - "description": "Renamed procdump, used to retrieve the cached credentials.", - "tool_types": [ - "credential-exploitation" - ] - }, - { - "type": "attack-condition", - "id": "attack-condition--fdcd3bcc-7b71-48d9-b5ea-80469af42c5e", - "spec_version": "2.1", - 
"created": "2022-12-22T19:29:02.236Z", - "modified": "2022-12-22T19:29:02.236Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "description": "Attacker obtained domain admin credentials for SQL Servers and a service account related to a cluster (MULTICLDBSIDE)", - "on_true_refs": [ - "attack-action--a6fcee5f-d0e7-4669-8513-e0c4e3ecc058" - ] - }, - { - "type": "attack-action", - "id": "attack-action--a6fcee5f-d0e7-4669-8513-e0c4e3ecc058", - "spec_version": "2.1", - "created": "2022-12-22T19:29:02.236Z", - "modified": "2022-12-22T19:29:02.236Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "name": "Valid Accounts", - "technique_id": "T1078", - "description": "Attacker used RBMAdmin account to log into all databases on REMWK DMZ.", - "confidence": 100, - "effect_refs": [ - "attack-action--b36be7d2-2b70-44eb-abbe-9b2dd668bdad" - ] - }, - { - "type": "attack-action", - "id": "attack-action--b36be7d2-2b70-44eb-abbe-9b2dd668bdad", - "spec_version": "2.1", - "created": "2022-12-22T19:29:02.237Z", - "modified": "2022-12-22T19:29:02.237Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "name": "Data From Local System", - "technique_id": "T1005", - "description": "Attacker logged and queried all databases and dumped data containing user information. 
", - "confidence": 100, - "effect_refs": [ - "attack-condition--e700dc13-bbb9-4a34-896c-26d9819d7dd7" - ], - "asset_refs": [ - "attack-asset--67bf47f0-8ae2-419d-97d9-51502ef32039" - ] - }, - { - "type": "attack-action", - "id": "attack-action--727d3aed-67d6-4886-a45b-e78b924778bc", - "spec_version": "2.1", - "created": "2022-12-22T19:29:02.237Z", - "modified": "2022-12-22T19:29:02.237Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "name": "File and Directory Discovery", - "technique_id": "T1083", - "description": "A VBScript was identified on the system, which scanned system shares and output the result. ", - "confidence": 100, - "effect_refs": [ - "attack-operator--54ca7834-4fcc-478e-afc5-a3a59f790eae" - ] - }, - { - "type": "attack-action", - "id": "attack-action--f23801cb-d434-4e33-a02b-aeccbe51329f", - "spec_version": "2.1", - "created": "2022-12-22T19:29:02.237Z", - "modified": "2022-12-22T19:29:02.237Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "name": "Remote Services", - "technique_id": "T1021", - "description": "Multiple instances of PsExec was identified on the targeted DC. One instance was referenced in a bat script, which enabled RDP in four hosts. 
", - "confidence": 100, - "effect_refs": [ - "attack-operator--54ca7834-4fcc-478e-afc5-a3a59f790eae" - ] - }, - { - "type": "attack-operator", - "id": "attack-operator--54ca7834-4fcc-478e-afc5-a3a59f790eae", - "spec_version": "2.1", - "created": "2022-12-22T19:29:02.237Z", - "modified": "2022-12-22T19:29:02.237Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "operator": "AND", - "effect_refs": [ - "attack-condition--b0a39171-bf4c-488d-a770-871ab5f3574b" - ] - }, - { - "type": "attack-condition", - "id": "attack-condition--b0a39171-bf4c-488d-a770-871ab5f3574b", - "spec_version": "2.1", - "created": "2022-12-22T19:29:02.237Z", - "modified": "2022-12-22T19:29:02.237Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "description": " Domain controller and a number of accounts are compromised", - "on_true_refs": [ - "attack-action--ee337046-b40e-4b1d-9522-c032498034a5" - ] - }, - { - "type": "tool", - "id": "tool--39cca402-53e7-491b-b582-dc854b25eb41", - "spec_version": "2.1", - "created": "2022-12-22T19:29:02.237Z", - "modified": "2022-12-22T19:29:02.237Z", - "name": "psexesvc.exe/PsExec64.exe", - "description": "The attacker used PsExec to remotely access the domain controller.", - "tool_types": [ - "remote-access" - ] - }, - { - "type": "attack-action", - "id": "attack-action--b595110b-25ff-4a38-b17f-e23a033c044c", - "spec_version": "2.1", - "created": "2022-12-22T19:29:02.237Z", - "modified": "2022-12-22T19:29:02.237Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "name": "Active Scanning: Vulnerability Scanning", - "technique_id": "T1595.002", - "description": " Tested INTSRV machines to find one accessible from the Internet", - "confidence": 100, - "effect_refs": [ - "attack-action--5f327121-40b8-4cee-b35c-4ef4d1115919" - ], - 
"asset_refs": [ - "attack-asset--deb390fb-0a8e-4043-be15-30afb26b5c4c" - ] - }, - { - "type": "attack-action", - "id": "attack-action--5f327121-40b8-4cee-b35c-4ef4d1115919", - "spec_version": "2.1", - "created": "2022-12-22T19:29:02.237Z", - "modified": "2022-12-22T19:29:02.237Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "name": "Server Software Component: Webshell", - "technique_id": "T1505.003", - "description": " Implanted a webshell ", - "confidence": 100, - "effect_refs": [ - "attack-condition--7ce821e6-6afe-4607-8a33-d834b9901678" - ] - }, - { - "type": "attack-asset", - "id": "attack-asset--deb390fb-0a8e-4043-be15-30afb26b5c4c", - "spec_version": "2.1", - "created": "2022-12-22T19:29:02.237Z", - "modified": "2022-12-22T19:29:02.237Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "name": " QTJPGPA1", - "description": "Machine on INTSRV network that allowed direct access to the internet" - }, - { - "type": "attack-condition", - "id": "attack-condition--7ce821e6-6afe-4607-8a33-d834b9901678", - "spec_version": "2.1", - "created": "2022-12-22T19:29:02.237Z", - "modified": "2022-12-22T19:29:02.237Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "description": "Attacker previously discovered evidence of a Hypervisor and VMware V-Center system and evidence of a SecurID cluster for mobile banking", - "on_true_refs": [ - "attack-action--4d2a4ed1-fb36-4bfc-8163-0a92e8f64fb9" - ] - }, - { - "type": "attack-condition", - "id": "attack-condition--1025e924-fdde-4845-ac26-3a55cfefc646", - "spec_version": "2.1", - "created": "2022-12-22T19:29:02.237Z", - "modified": "2022-12-22T19:29:02.237Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "description": 
"Attacker has SecurID clone and previously stolen accounts", - "on_true_refs": [ - "attack-action--6981a40d-633d-4073-86c3-4548407a6e31" - ] - }, - { - "type": "attack-action", - "id": "attack-action--dc98744f-0b1b-46ab-9be5-68de533ee32c", - "spec_version": "2.1", - "created": "2022-12-22T19:29:02.237Z", - "modified": "2022-12-22T19:29:02.237Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "name": "Server Cloning", - "description": "Attackers cloned one of the SecurID servers in the VMware center", - "confidence": 100, - "effect_refs": [ - "attack-action--08bd0251-2db7-4ea0-854d-7a320c98ae6a" - ] - }, - { - "type": "attack-asset", - "id": "attack-asset--03a8f3c1-b491-47b3-af6a-c4a108ea390b", - "spec_version": "2.1", - "created": "2022-12-22T19:29:02.237Z", - "modified": "2022-12-22T19:29:02.237Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "name": "QTJPGPA1", - "description": "Machine on INTSRV network used to export the image of trhe newly cloned SecurID server" - }, - { - "type": "attack-action", - "id": "attack-action--6981a40d-633d-4073-86c3-4548407a6e31", - "spec_version": "2.1", - "created": "2022-12-22T19:29:02.237Z", - "modified": "2022-12-22T19:29:02.237Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "name": "Fraud", - "description": " Attackers targeted users of a specific online mobile service and harvested a significant amount of money ", - "confidence": 100 - }, - { - "type": "threat-actor", - "id": "threat-actor--17cf6bf2-f646-4879-a5e3-0c100c421d54", - "spec_version": "2.1", - "created": "2022-12-22T19:29:02.237Z", - "modified": "2022-12-22T19:29:02.237Z", - "name": "FIN13", - "description": "FIN13 is a financially-motivated actor primarily focusing on Latin America with activity stretching back to early 2016. 
FIN13 has a history of highly localized targeting against the financial, retail, and hospitality industries.", - "threat_actor_types": [ - "Crime-syndicate" - ], - "aliases": [ - "Elephant Beetle", - "TG2003" - ], - "first_seen": "2016-01-01T00:00:00.000Z", - "roles": [ - "Director" - ], - "goals": [ - "financially-motivated and targeting Latin American organizations in financial, retail, and hospitality industries" - ], - "sophistication": "Advanced", - "resource_level": "Team", - "primary_motivation": "organizational-gain" - }, - { - "type": "campaign", - "id": "campaign--7c0825b3-23d9-480b-91dd-c053ee6da2a2", - "spec_version": "2.1", - "created": "2022-12-22T19:29:02.237Z", - "modified": "2022-12-22T19:29:02.237Z", - "name": "FIN13 Case 2", - "description": "This attack was reported in January 2022 and targeted a bank in Peru. ", - "first_seen": "2022-01-01T00:00:00.000Z", - "objective": "stealing money for financial gain" - }, - { - "type": "attack-condition", - "id": "attack-condition--2842d171-01e5-4e18-bef5-350d2bdfced9", - "spec_version": "2.1", - "created": "2022-12-22T19:29:02.237Z", - "modified": "2022-12-22T19:29:02.237Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "description": "Attacker discovered additional servers and cracked SharePoint credentials", - "on_true_refs": [ - "attack-action--100bee83-00d2-4476-9194-8c34bd07b734" - ] - }, - { - "type": "attack-action", - "id": "attack-action--100bee83-00d2-4476-9194-8c34bd07b734", - "spec_version": "2.1", - "created": "2022-12-22T19:29:02.237Z", - "modified": "2022-12-22T19:29:02.237Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "name": "Lateral Movement", - "tactic_id": "TA0008", - "description": "Attacker moved laterally to discovered servers using the previously extracted and cracked credentials", - "confidence": 100, - "effect_refs": [ - 
"attack-action--f5ca2849-e569-49ac-917c-5b33e1c077d7" - ] - }, - { - "type": "tool", - "id": "tool--e8e9d57c-b16f-40eb-b369-e5a3272f3c4b", - "spec_version": "2.1", - "created": "2022-12-22T19:29:02.237Z", - "modified": "2022-12-22T19:29:02.237Z", - "name": "s0b.j", - "description": "Most likely used by attackers since jdbc files (connected with the tool) were discovered on the RBSCLPED01 system.", - "tool_types": [ - "exploitation" - ] - }, - { - "type": "attack-condition", - "id": "attack-condition--e700dc13-bbb9-4a34-896c-26d9819d7dd7", - "spec_version": "2.1", - "created": "2022-12-22T19:29:02.237Z", - "modified": "2022-12-22T19:29:02.237Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "description": "Attacker targeted a legacy Windows 2012 server (QTCBDC02)", - "on_true_refs": [ - "attack-action--f23801cb-d434-4e33-a02b-aeccbe51329f", - "attack-action--727d3aed-67d6-4886-a45b-e78b924778bc" - ] - }, - { - "type": "attack-action", - "id": "attack-action--ee337046-b40e-4b1d-9522-c032498034a5", - "spec_version": "2.1", - "created": "2022-12-22T19:29:02.237Z", - "modified": "2022-12-22T19:29:02.237Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "name": "Lateral Movement", - "tactic_id": "TA0008", - "description": "Attacker moved laterally to the INTSRV area where the SecurID servers are located", - "confidence": 100, - "effect_refs": [ - "attack-action--b595110b-25ff-4a38-b17f-e23a033c044c" - ], - "asset_refs": [ - "attack-asset--1e1d87e9-3a2d-4dbe-86d8-72f2842799f5", - "attack-asset--0a7bc1f8-47ee-4236-8648-f84f8ce15b19" - ] - }, - { - "type": "attack-action", - "id": "attack-action--4d2a4ed1-fb36-4bfc-8163-0a92e8f64fb9", - "spec_version": "2.1", - "created": "2022-12-22T19:29:02.237Z", - "modified": "2022-12-22T19:29:02.237Z", - "extensions": { - 
"extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "name": "Valid Accounts", - "technique_id": "T1078", - "description": "Attacker accessed the V-Center server using previously stolen valid accounts", - "confidence": 100, - "effect_refs": [ - "attack-action--dc98744f-0b1b-46ab-9be5-68de533ee32c" - ], - "asset_refs": [ - "attack-asset--02010746-8fbf-4a57-96fe-1ac93961296b" - ] - }, - { - "type": "attack-action", - "id": "attack-action--08bd0251-2db7-4ea0-854d-7a320c98ae6a", - "spec_version": "2.1", - "created": "2022-12-22T19:29:02.237Z", - "modified": "2022-12-22T19:29:02.237Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "name": "Exfiltration over C2 Channel", - "technique_id": "T1041", - "description": "Attacker exported the SecurID server image over the webshell on QTJPGPA1", - "confidence": 100, - "asset_refs": [ - "attack-asset--03a8f3c1-b491-47b3-af6a-c4a108ea390b" - ], - "effect_refs": [ - "attack-condition--1025e924-fdde-4845-ac26-3a55cfefc646" - ] - }, - { - "type": "ipv4-addr", - "id": "ipv4-addr--f914bbeb-1640-455c-b6d9-b3d88d92a903", - "spec_version": "2.1", - "created": "2022-12-22T19:29:02.237Z", - "modified": "2022-12-22T19:29:02.237Z", - "value": "185.193.126.27" - }, - { - "type": "malware", - "id": "malware--6c502942-6d6d-4674-9632-f2cf40d50c25", - "spec_version": "2.1", - "created": "2022-12-22T19:29:02.237Z", - "modified": "2022-12-22T19:29:02.237Z", - "name": "JSP webshell", - "malware_types": [ - "webshell" - ], - "is_family": true, - "capabilities": [ - "communicates-with-c2", - "escalates-privileges", - "exfiltrates-data", - "installs-other-components", - "probes-network-environment", - "steals-authentication-credentials" - ] - }, - { - "type": "attack-asset", - "id": "attack-asset--47c6ad4a-1be9-4d4b-b938-2825042e8302", - "spec_version": "2.1", - "created": "2022-12-22T19:29:02.237Z", - "modified": 
"2022-12-22T19:29:02.237Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "name": "REMWK DMZ" - }, - { - "type": "user-account", - "id": "user-account--8e341bda-2ab2-4cdf-8c30-3002da63ead6", - "spec_version": "2.1", - "created": "2022-12-22T19:29:02.237Z", - "modified": "2022-12-22T19:29:02.237Z", - "account_type": "windows-domain", - "display_name": "RBMAdmin" - }, - { - "type": "note", - "id": "note--57132ec0-55f3-4675-aa37-67af75706220", - "spec_version": "2.1", - "created": "2022-12-22T19:29:02.237Z", - "modified": "2022-12-22T19:29:02.237Z", - "content": "The RBMAdmin account could have been leveraged for further access, but it is unclear if this was done.", - "authors": [ - "Lauren Parker" - ], - "object_refs": [ - "attack-action--a6fcee5f-d0e7-4669-8513-e0c4e3ecc058" - ] - }, - { - "type": "attack-asset", - "id": "attack-asset--67bf47f0-8ae2-419d-97d9-51502ef32039", - "spec_version": "2.1", - "created": "2022-12-22T19:29:02.237Z", - "modified": "2022-12-22T19:29:02.237Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "name": "RBSCLPED01" - }, - { - "type": "attack-asset", - "id": "attack-asset--b2265d3d-8a47-435f-a56f-9e91c58bed82", - "spec_version": "2.1", - "created": "2022-12-22T19:29:02.237Z", - "modified": "2022-12-22T19:29:02.237Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "name": "QTCBDC02", - "description": "Legacy Windows 2012 server" - }, - { - "type": "malware", - "id": "malware--d82c9c60-4c93-4326-b78d-279b1d92238f", - "spec_version": "2.1", - "created": "2022-12-22T19:29:02.237Z", - "modified": "2022-12-22T19:29:02.237Z", - "name": "CCfix.bat", - "description": "Enabled RDP in hosts", - "malware_types": [ - "trojan" - ], - "is_family": false, - "capabilities": [ - "degrades-security-software" - ] - }, - { - 
"type": "file", - "id": "file--cb3c9998-2dcd-44cb-9c46-874e7bf6d000", - "spec_version": "2.1", - "created": "2022-12-22T19:29:02.237Z", - "modified": "2022-12-22T19:29:02.237Z", - "name": "equipos.txt" - }, - { - "type": "attack-asset", - "id": "attack-asset--0970afdb-2bae-42a4-a70f-7c99109a9d1b", - "spec_version": "2.1", - "created": "2022-12-22T19:29:02.237Z", - "modified": "2022-12-22T19:29:02.237Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "name": "Host names listed in equipos.txt", - "description": "QTCBDC02, QTVCTR01, QTBKSR02, QTJPGPA1" - }, - { - "type": "malware", - "id": "malware--83371fc7-80ca-452a-b203-ccdea7786b0a", - "spec_version": "2.1", - "created": "2022-12-22T19:29:02.237Z", - "modified": "2022-12-22T19:29:02.237Z", - "name": "VBScript", - "malware_types": [ - "trojan" - ], - "is_family": false, - "capabilities": [ - "probes-network-environment" - ] - }, - { - "type": "attack-asset", - "id": "attack-asset--1e1d87e9-3a2d-4dbe-86d8-72f2842799f5", - "spec_version": "2.1", - "created": "2022-12-22T19:29:02.237Z", - "modified": "2022-12-22T19:29:02.237Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "name": "INTSRV" - }, - { - "type": "attack-asset", - "id": "attack-asset--0a7bc1f8-47ee-4236-8648-f84f8ce15b19", - "spec_version": "2.1", - "created": "2022-12-22T19:29:02.237Z", - "modified": "2022-12-22T19:29:02.237Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "name": "SecurID servers" - }, - { - "type": "malware", - "id": "malware--0cdd837b-42a3-4bd7-b0d4-71ce40d9724d", - "spec_version": "2.1", - "created": "2022-12-22T19:29:02.237Z", - "modified": "2022-12-22T19:29:02.237Z", - "name": "Perl Reverse Shell", - "description": "Attackers used webshell to remotely connect the system with their C2", - 
"malware_types": [ - "webshell" - ], - "is_family": true, - "capabilities": [ - "accesses-remote-machines", - "commits-fraud", - "communicates-with-c2", - "escalates-privileges", - "exfiltrates-data" - ] - }, - { - "type": "attack-asset", - "id": "attack-asset--02010746-8fbf-4a57-96fe-1ac93961296b", - "spec_version": "2.1", - "created": "2022-12-22T19:29:02.237Z", - "modified": "2022-12-22T19:29:02.237Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "name": "V-Center Server" - }, - { - "type": "relationship", - "id": "relationship--40644618-bc97-469f-83be-ffe22030ad97", - "spec_version": "2.1", - "created": "2022-12-22T19:29:02.237Z", - "modified": "2022-12-22T19:29:02.237Z", - "relationship_type": "related-to", - "source_ref": "attack-action--81e5c5eb-d20d-46e2-8755-d196dce3cf55", - "target_ref": "vulnerability--64913703-2b3b-4738-b0aa-e836ff1754e8" - }, - { - "type": "relationship", - "id": "relationship--548d1570-7250-4a02-aa6e-3d8e5784985e", - "spec_version": "2.1", - "created": "2022-12-22T19:29:02.237Z", - "modified": "2022-12-22T19:29:02.237Z", - "relationship_type": "related-to", - "source_ref": "attack-action--81e5c5eb-d20d-46e2-8755-d196dce3cf55", - "target_ref": "infrastructure--63f316cc-2f31-4ef3-afbe-b645e01c70d6" - }, - { - "type": "relationship", - "id": "relationship--f6d79ca5-561f-4447-94a0-23d940152509", - "spec_version": "2.1", - "created": "2022-12-22T19:29:02.237Z", - "modified": "2022-12-22T19:29:02.237Z", - "relationship_type": "related-to", - "source_ref": "infrastructure--63f316cc-2f31-4ef3-afbe-b645e01c70d6", - "target_ref": "ipv4-addr--f914bbeb-1640-455c-b6d9-b3d88d92a903" - }, - { - "type": "relationship", - "id": "relationship--a02ee6a9-a6a3-4e6b-b074-75e91346edac", - "spec_version": "2.1", - "created": "2022-12-22T19:29:02.237Z", - "modified": "2022-12-22T19:29:02.237Z", - "relationship_type": "related-to", - "source_ref": 
"attack-action--fcd49b6d-5dde-4cdd-b73a-a3b5031a6942", - "target_ref": "malware--6c502942-6d6d-4674-9632-f2cf40d50c25" - }, - { - "type": "relationship", - "id": "relationship--994348ec-0c8b-491e-8dd1-72864c2717a1", - "spec_version": "2.1", - "created": "2022-12-22T19:29:02.237Z", - "modified": "2022-12-22T19:29:02.237Z", - "relationship_type": "related-to", - "source_ref": "attack-action--6c480520-1fa3-436d-832f-fecd8de08f62", - "target_ref": "vulnerability--5e377b2d-75e0-43bd-9f15-802f3eabf9e4" - }, - { - "type": "relationship", - "id": "relationship--82c96256-81db-4462-b8ee-d06eacab59c7", - "spec_version": "2.1", - "created": "2022-12-22T19:29:02.237Z", - "modified": "2022-12-22T19:29:02.237Z", - "relationship_type": "related-to", - "source_ref": "attack-action--482cf545-fe5c-4a0b-b56d-bcf5aa522006", - "target_ref": "tool--fb49aa4d-402b-4315-b43f-577b537c7835" - }, - { - "type": "relationship", - "id": "relationship--6f896ff2-13eb-434a-9b56-d4ff73f48b73", - "spec_version": "2.1", - "created": "2022-12-22T19:29:02.237Z", - "modified": "2022-12-22T19:29:02.237Z", - "relationship_type": "related-to", - "source_ref": "attack-action--f5ca2849-e569-49ac-917c-5b33e1c077d7", - "target_ref": "tool--3e798e83-18cc-4c43-b6ab-082073deda7b" - }, - { - "type": "relationship", - "id": "relationship--a3ab1b2b-ca7a-41df-b083-9c226c3745ab", - "spec_version": "2.1", - "created": "2022-12-22T19:29:02.237Z", - "modified": "2022-12-22T19:29:02.237Z", - "relationship_type": "related-to", - "source_ref": "attack-action--a6fcee5f-d0e7-4669-8513-e0c4e3ecc058", - "target_ref": "user-account--8e341bda-2ab2-4cdf-8c30-3002da63ead6" - }, - { - "type": "relationship", - "id": "relationship--c585c7f0-87ef-4b34-a7e6-b25fa84d1eea", - "spec_version": "2.1", - "created": "2022-12-22T19:29:02.237Z", - "modified": "2022-12-22T19:29:02.237Z", - "relationship_type": "related-to", - "source_ref": "attack-action--b36be7d2-2b70-44eb-abbe-9b2dd668bdad", - "target_ref": 
"tool--e8e9d57c-b16f-40eb-b369-e5a3272f3c4b" - }, - { - "type": "relationship", - "id": "relationship--a2d0232b-cd55-4aff-b9a4-a54b7716886b", - "spec_version": "2.1", - "created": "2022-12-22T19:29:02.237Z", - "modified": "2022-12-22T19:29:02.237Z", - "relationship_type": "related-to", - "source_ref": "attack-action--727d3aed-67d6-4886-a45b-e78b924778bc", - "target_ref": "malware--83371fc7-80ca-452a-b203-ccdea7786b0a" - }, - { - "type": "relationship", - "id": "relationship--f2ed0975-4149-4c3a-8941-19d818e3ae75", - "spec_version": "2.1", - "created": "2022-12-22T19:29:02.237Z", - "modified": "2022-12-22T19:29:02.237Z", - "relationship_type": "related-to", - "source_ref": "attack-action--f23801cb-d434-4e33-a02b-aeccbe51329f", - "target_ref": "malware--d82c9c60-4c93-4326-b78d-279b1d92238f" - }, - { - "type": "relationship", - "id": "relationship--f19ec89a-1312-4b99-b589-10f2f7bf977e", - "spec_version": "2.1", - "created": "2022-12-22T19:29:02.237Z", - "modified": "2022-12-22T19:29:02.237Z", - "relationship_type": "related-to", - "source_ref": "attack-action--f23801cb-d434-4e33-a02b-aeccbe51329f", - "target_ref": "tool--39cca402-53e7-491b-b582-dc854b25eb41" - }, - { - "type": "relationship", - "id": "relationship--29c49fe6-5d2c-40fb-88a0-83678468ff2e", - "spec_version": "2.1", - "created": "2022-12-22T19:29:02.237Z", - "modified": "2022-12-22T19:29:02.237Z", - "relationship_type": "related-to", - "source_ref": "attack-action--5f327121-40b8-4cee-b35c-4ef4d1115919", - "target_ref": "malware--0cdd837b-42a3-4bd7-b0d4-71ce40d9724d" - }, - { - "type": "relationship", - "id": "relationship--2f9ef7cd-4b04-40fc-80f8-542ee05d9c54", - "spec_version": "2.1", - "created": "2022-12-22T19:29:02.237Z", - "modified": "2022-12-22T19:29:02.237Z", - "relationship_type": "related-to", - "source_ref": "campaign--7c0825b3-23d9-480b-91dd-c053ee6da2a2", - "target_ref": "threat-actor--17cf6bf2-f646-4879-a5e3-0c100c421d54" - }, - { - "type": "relationship", - "id": 
"relationship--d2476839-54f0-4173-8785-2e56149cd18e", - "spec_version": "2.1", - "created": "2022-12-22T19:29:02.237Z", - "modified": "2022-12-22T19:29:02.237Z", - "relationship_type": "related-to", - "source_ref": "attack-condition--e700dc13-bbb9-4a34-896c-26d9819d7dd7", - "target_ref": "attack-asset--b2265d3d-8a47-435f-a56f-9e91c58bed82" - }, - { - "type": "relationship", - "id": "relationship--0d5d88e2-1897-4176-af41-4a54f0192a4f", - "spec_version": "2.1", - "created": "2022-12-22T19:29:02.237Z", - "modified": "2022-12-22T19:29:02.237Z", - "relationship_type": "related-to", - "source_ref": "malware--d82c9c60-4c93-4326-b78d-279b1d92238f", - "target_ref": "file--cb3c9998-2dcd-44cb-9c46-874e7bf6d000" - }, - { - "type": "relationship", - "id": "relationship--e97bd5b7-8491-4b3e-b6f9-bc24f3f81359", - "spec_version": "2.1", - "created": "2022-12-22T19:29:02.237Z", - "modified": "2022-12-22T19:29:02.237Z", - "relationship_type": "related-to", - "source_ref": "file--cb3c9998-2dcd-44cb-9c46-874e7bf6d000", - "target_ref": "attack-asset--0970afdb-2bae-42a4-a70f-7c99109a9d1b" - } - ] -} \ No newline at end of file diff --git a/corpus/Hancitor DLL.json b/corpus/Hancitor DLL.json deleted file mode 100644 index 32c53f40..00000000 --- a/corpus/Hancitor DLL.json +++ /dev/null 
@@ -1,1179 +0,0 @@ -{ - "type": "bundle", - "id": "bundle--76826729-ea98-45e4-b49f-7a9b3b86b7cd", - "spec_version": "2.1", - "created": "2022-12-22T22:09:57.949Z", - "modified": "2022-12-22T22:09:57.949Z", - "objects": [ - { - "type": "extension-definition", - "id": "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4", - "spec_version": "2.1", - "created": "2022-08-02T19:34:35.143Z", - "modified": "2022-08-02T19:34:35.143Z", - "name": "Attack Flow", - "description": "Extends STIX 2.1 with features to create Attack Flows.", - "created_by_ref": "identity--fb9c968a-745b-4ade-9b25-c324172197f4", - "schema": "https://center-for-threat-informed-defense.github.io/attack-flow/stix/attack-flow-schema-2.0.0.json", - "version": "2.0.0", - "extension_types": [ - "new-sdo" - ], - "external_references": [ - { - "source_name": "Documentation", - "description": "Documentation for Attack Flow", - "url": "https://center-for-threat-informed-defense.github.io/attack-flow" - }, - { - "source_name": "GitHub", - "description": "Source code repository for Attack Flow", - "url": "https://github.com/center-for-threat-informed-defense/attack-flow" - } - ] - }, - { - "type": "identity", - "id": "identity--fb9c968a-745b-4ade-9b25-c324172197f4", - "spec_version": "2.1", - "created": "2022-08-02T19:34:35.143Z", - "modified": "2022-08-02T19:34:35.143Z", - "create_by_ref": "identity--fb9c968a-745b-4ade-9b25-c324172197f4", - "name": "MITRE Engenuity Center for Threat-Informed Defense", - "identity_class": "organization" - }, - { - "type": "attack-flow", - "id": "attack-flow--1a3307e2-1efe-448d-b052-e30bef5d1093", - "spec_version": "2.1", - "created": "2022-10-27T02:44:54.520Z", - "modified": "2022-12-22T22:09:57.949Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "created_by_ref": "identity--b7cc1724-de6e-4259-8b21-606f9ef97c4e", - "start_refs": [ - "attack-action--0fc122a5-7f3b-4a0d-81b4-f841e1d01e1c" - ], - 
"name": "Hancitor DLL", - "description": "Attack flow on an intrusion using the Hancitor downloader.", - "author": [ - [ - "name", - "Eric Kannampuzha" - ], - [ - "identity_class", - "23b79ae0fc0f07a3669598dd23c694cc" - ], - [ - "contact_information", - "ekannampuzha@mitre.org" - ] - ], - "scope": "incident", - "external_references": [ - { - "source_name": "DFIR", - "description": "Report", - "url": "https://thedfirreport.com/2021/11/01/from-zero-to-domain-admin/" - } - ] - }, - { - "type": "identity", - "id": "identity--b7cc1724-de6e-4259-8b21-606f9ef97c4e", - "spec_version": "2.1", - "created": "2022-12-22T22:09:57.949Z", - "modified": "2022-12-22T22:09:57.949Z", - "name": "Eric Kannampuzha", - "identity_class": "individual", - "contact_information": "ekannampuzha@mitre.org" - }, - { - "type": "attack-action", - "id": "attack-action--0fc122a5-7f3b-4a0d-81b4-f841e1d01e1c", - "spec_version": "2.1", - "created": "2022-12-22T22:09:57.949Z", - "modified": "2022-12-22T22:09:57.949Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "name": "Phishing: Spearphishing Link", - "technique_id": "T1566.002", - "description": "Email campaign aimed to trick the user into enabling macros on a malicious document; delivered via a link to Google's Feed Proxy service", - "confidence": 100, - "effect_refs": [ - "attack-action--1d851bc1-c568-463d-8e5e-270e997a65bd" - ] - }, - { - "type": "infrastructure", - "id": "infrastructure--9dc784c0-f64e-41c6-815f-d515675071f6", - "spec_version": "2.1", - "created": "2022-12-22T22:09:57.949Z", - "modified": "2022-12-22T22:09:57.949Z", - "name": "Google's Feed Proxy service", - "description": "hosted the malicious document", - "infrastructure_types": [ - "anonymization" - ] - }, - { - "type": "attack-action", - "id": "attack-action--1d851bc1-c568-463d-8e5e-270e997a65bd", - "spec_version": "2.1", - "created": "2022-12-22T22:09:57.949Z", - "modified": 
"2022-12-22T22:09:57.949Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "name": "User Execution: Malicious File", - "technique_id": "T1204.002", - "description": "User enabled macros", - "confidence": 100, - "effect_refs": [ - "attack-action--7f226db5-d7a2-4af5-aa98-b2bc3bac699a" - ] - }, - { - "type": "attack-action", - "id": "attack-action--7f226db5-d7a2-4af5-aa98-b2bc3bac699a", - "spec_version": "2.1", - "created": "2022-12-22T22:09:57.949Z", - "modified": "2022-12-22T22:09:57.949Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "name": "Command and Scripting Interpreter: Visual Basic", - "technique_id": "T1059.005", - "description": "Macro downloads ier.dll and executes it", - "confidence": 100, - "effect_refs": [ - "attack-action--8ec450fa-b704-40d2-8560-94d5a8fd677a" - ] - }, - { - "type": "attack-action", - "id": "attack-action--8ec450fa-b704-40d2-8560-94d5a8fd677a", - "spec_version": "2.1", - "created": "2022-12-22T22:09:57.949Z", - "modified": "2022-12-22T22:09:57.949Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "name": "System Binary Proxy Execution: Rundll32", - "technique_id": "T1218.011", - "description": "ier.dll executed", - "confidence": 100, - "effect_refs": [ - "attack-action--5d55cc3d-c059-4937-a4c6-c1b5a48c3fc1" - ] - }, - { - "type": "attack-action", - "id": "attack-action--5d55cc3d-c059-4937-a4c6-c1b5a48c3fc1", - "spec_version": "2.1", - "created": "2022-12-22T22:09:57.949Z", - "modified": "2022-12-22T22:09:57.949Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "name": "Ingress Tool Transfer", - "technique_id": "T1105", - "description": "Hancitor downloaded 2 Cobalt Strike payloads (including a stager) and Ficker Stealer", - 
"confidence": 100, - "effect_refs": [ - "attack-action--264c553e-266e-4143-983b-35bee0e23a63" - ] - }, - { - "type": "infrastructure", - "id": "infrastructure--246d0643-cd96-4eef-9ceb-e198a3780450", - "spec_version": "2.1", - "created": "2022-12-22T22:09:57.949Z", - "modified": "2022-12-22T22:09:57.949Z", - "name": "Stager", - "description": "IP address of C2 associated with stager", - "infrastructure_types": [ - "command-and-control", - "staging" - ] - }, - { - "type": "infrastructure", - "id": "infrastructure--050084ef-b861-4ebb-9269-c28b064268b3", - "spec_version": "2.1", - "created": "2022-12-22T22:09:57.949Z", - "modified": "2022-12-22T22:09:57.949Z", - "name": "C2", - "description": "IP address/URL of C2 that downloaded the additional tools", - "infrastructure_types": [ - "command-and-control", - "hosting-malware" - ] - }, - { - "type": "attack-action", - "id": "attack-action--264c553e-266e-4143-983b-35bee0e23a63", - "spec_version": "2.1", - "created": "2022-12-22T22:09:57.949Z", - "modified": "2022-12-22T22:09:57.949Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "name": "Process Injection", - "technique_id": "T1055", - "description": "Multiple instances of svchost.exe launched and injected with Cobalt Strike", - "confidence": 100, - "effect_refs": [ - "attack-condition--a2793461-43b8-4b30-966f-71295f564b75" - ] - }, - { - "type": "tool", - "id": "tool--ad23cf1d-72aa-40d7-a66a-4e95305cb0ed", - "spec_version": "2.1", - "created": "2022-12-22T22:09:57.949Z", - "modified": "2022-12-22T22:09:57.949Z", - "name": "svchost.exe", - "description": "process injection with Cobalt Strike", - "tool_types": [ - "unknown" - ] - }, - { - "type": "attack-action", - "id": "attack-action--8e7ad5b8-2be1-4629-8de0-86fa2de39abf", - "spec_version": "2.1", - "created": "2022-12-22T22:09:57.949Z", - "modified": "2022-12-22T22:09:57.949Z", - "extensions": { - 
"extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "name": "Gather Victim Network Information", - "technique_id": "T1590", - "description": "rundll32.exe used for port scanning, discovery commands, ping, and enumerated local access", - "confidence": 100, - "asset_refs": [ - "attack-asset--0a475772-457b-41b5-a1e6-dde74e56b10a", - "attack-asset--de81d71c-8f3f-43db-9d07-c03f5937e028", - "attack-asset--435e40bd-19a7-4099-8a32-0c268760b218", - "attack-asset--e4fb987f-6460-40a3-9a6a-bc66641eaf47" - ], - "effect_refs": [ - "attack-action--d53ce876-ead2-4d68-a864-e340bdc1aa31" - ] - }, - { - "type": "attack-asset", - "id": "attack-asset--435e40bd-19a7-4099-8a32-0c268760b218", - "spec_version": "2.1", - "created": "2022-12-22T22:09:57.949Z", - "modified": "2022-12-22T22:09:57.949Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "name": "Port Scanning", - "description": "scanned SMB, TCP 5000, TCP 9392, and TCP 6106. Actors were looking for backup products Synology, Backup Exec, and Veeam" - }, - { - "type": "attack-asset", - "id": "attack-asset--0a475772-457b-41b5-a1e6-dde74e56b10a", - "spec_version": "2.1", - "created": "2022-12-22T22:09:57.949Z", - "modified": "2022-12-22T22:09:57.949Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "name": "Discovery commands", - "description": "Attackers looked for domain controllers, administrators, connectivity checks, and other items." 
- }, - { - "type": "attack-asset", - "id": "attack-asset--de81d71c-8f3f-43db-9d07-c03f5937e028", - "spec_version": "2.1", - "created": "2022-12-22T22:09:57.949Z", - "modified": "2022-12-22T22:09:57.949Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "name": "Ping", - "description": "Actors pinged 190.114.254.116 and used the IP later in the attack", - "object_ref": "ipv4-addr--8c8019bc-8d35-48de-b21f-6b3293b7a82f" - }, - { - "type": "attack-asset", - "id": "attack-asset--e4fb987f-6460-40a3-9a6a-bc66641eaf47", - "spec_version": "2.1", - "created": "2022-12-22T22:09:57.949Z", - "modified": "2022-12-22T22:09:57.949Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "name": "Enumerated local administrative access", - "description": "Attackers enumerated local admin access on remote systems by checking the C$ share for hosts discovered after the port scan" - }, - { - "type": "attack-action", - "id": "attack-action--d53ce876-ead2-4d68-a864-e340bdc1aa31", - "spec_version": "2.1", - "created": "2022-12-22T22:09:57.949Z", - "modified": "2022-12-22T22:09:57.949Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "name": "Ingress Tool Transfer", - "technique_id": "T1105", - "description": "Hancitor downloaded Cobalt Strike DLL and batch file on victim machine", - "confidence": 100, - "effect_refs": [ - "attack-action--615f4282-5407-44e4-b0e1-b68198baadd3" - ] - }, - { - "type": "infrastructure", - "id": "infrastructure--ea1c5706-9374-48ab-bf54-5c1572b4c4ac", - "spec_version": "2.1", - "created": "2022-12-22T22:09:57.949Z", - "modified": "2022-12-22T22:09:57.949Z", - "name": "C2 for Cobalt Strike beacons", - "description": "C2 associated with the Cobalt Strike beacon", - "infrastructure_types": [ - "command-and-control" - ] - }, - { - "type": 
"tool", - "id": "tool--7df9e692-418b-4d07-81bc-bd16693656b0", - "spec_version": "2.1", - "created": "2022-12-22T22:09:57.949Z", - "modified": "2022-12-22T22:09:57.949Z", - "name": "cor.bat", - "description": "batch file that executes the Cobalt Strike DLL using rundll32.exe with a specific parameter", - "tool_types": [ - "exploitation" - ] - }, - { - "type": "attack-action", - "id": "attack-action--615f4282-5407-44e4-b0e1-b68198baadd3", - "spec_version": "2.1", - "created": "2022-12-22T22:09:57.949Z", - "modified": "2022-12-22T22:09:57.949Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "name": "Virtualization/Sandbox Evasion", - "technique_id": "T1497", - "description": "Cobalt Strike DLL stager does not run unless it is given a specific command line parameter", - "confidence": 100, - "effect_refs": [ - "attack-action--6c4ed453-8eec-4b2b-9ff0-5b45edb1a804" - ] - }, - { - "type": "attack-condition", - "id": "attack-condition--a2793461-43b8-4b30-966f-71295f564b75", - "spec_version": "2.1", - "created": "2022-12-22T22:09:57.949Z", - "modified": "2022-12-22T22:09:57.949Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "description": "Multiple instances of rundll32.exe spawning svchost.exe and svchost.exe spawning cmd.exe", - "on_true_refs": [ - "attack-action--8e7ad5b8-2be1-4629-8de0-86fa2de39abf" - ] - }, - { - "type": "attack-action", - "id": "attack-action--6c4ed453-8eec-4b2b-9ff0-5b45edb1a804", - "spec_version": "2.1", - "created": "2022-12-22T22:09:57.949Z", - "modified": "2022-12-22T22:09:57.949Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "name": "System Binary Proxy Execution: Rundll32", - "technique_id": "T1218.011", - "description": "cor.dll executed", - "confidence": 100, - "effect_refs": [ - 
"attack-action--8c95b74c-07b8-4277-989f-ff499ff32ae4" - ] - }, - { - "type": "attack-action", - "id": "attack-action--9c595315-eb12-4643-85be-33986d8c031b", - "spec_version": "2.1", - "created": "2022-12-22T22:09:57.949Z", - "modified": "2022-12-22T22:09:57.949Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "name": "Command and Scripting Interpreter: PowerShell", - "technique_id": "T1059.001", - "description": "PowerShell loader deobfuscates shellcode and runs it in memory as a thread in the same PowerShell process; shellcode includes a PE file embedded inside", - "confidence": 100, - "effect_refs": [ - "attack-action--75818fd9-2ca6-43b1-9dd7-08be16fec19c" - ] - }, - { - "type": "tool", - "id": "tool--9f0f8035-5d6a-44e8-8c66-125db8a30a25", - "spec_version": "2.1", - "created": "2022-12-22T22:09:57.949Z", - "modified": "2022-12-22T22:09:57.949Z", - "name": "agent1.ps1", - "description": "PowerShell loader", - "tool_types": [ - "unknown" - ] - }, - { - "type": "attack-action", - "id": "attack-action--8c95b74c-07b8-4277-989f-ff499ff32ae4", - "spec_version": "2.1", - "created": "2022-12-22T22:09:57.949Z", - "modified": "2022-12-22T22:09:57.949Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "name": "Obfuscated Files or Information", - "technique_id": "T1027", - "description": "Base64-encoded PowerShell dropped onto the machine", - "confidence": 100, - "effect_refs": [ - "attack-action--9c595315-eb12-4643-85be-33986d8c031b" - ] - }, - { - "type": "attack-action", - "id": "attack-action--75818fd9-2ca6-43b1-9dd7-08be16fec19c", - "spec_version": "2.1", - "created": "2022-12-22T22:09:57.949Z", - "modified": "2022-12-22T22:09:57.949Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "name": "Ingress Tool Transfer", - "technique_id": "T1105", 
- "description": "PE file is loaded into memory and executed; beacons out at regular intervals to C2 server for instructions", - "confidence": 100, - "effect_refs": [ - "attack-action--15d89326-a900-4881-9811-5881bd05fb1d" - ] - }, - { - "type": "tool", - "id": "tool--30bce16b-b3a2-4efe-9024-3a26d7df320c", - "spec_version": "2.1", - "created": "2022-12-22T22:09:57.949Z", - "modified": "2022-12-22T22:09:57.949Z", - "name": "PE file", - "tool_types": [ - "unknown" - ] - }, - { - "type": "infrastructure", - "id": "infrastructure--5cb78035-4d30-4c6e-bc3b-458b3c19fb4e", - "spec_version": "2.1", - "created": "2022-12-22T22:09:57.949Z", - "modified": "2022-12-22T22:09:57.949Z", - "name": "C2 server", - "infrastructure_types": [ - "command-and-control" - ] - }, - { - "type": "attack-action", - "id": "attack-action--15d89326-a900-4881-9811-5881bd05fb1d", - "spec_version": "2.1", - "created": "2022-12-22T22:09:57.949Z", - "modified": "2022-12-22T22:09:57.949Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "name": "Obfuscated Files or Information: Compile After Delivery", - "technique_id": "T1027.004", - "description": "Visual C# Command Line Compiler invoked by PowerShell script; most likely instructions that the PE file retrieved from the C2 server", - "confidence": 100, - "effect_refs": [ - "attack-action--ba5d97f4-f1d8-4a42-8634-a43483c57389" - ] - }, - { - "type": "attack-action", - "id": "attack-action--ba5d97f4-f1d8-4a42-8634-a43483c57389", - "spec_version": "2.1", - "created": "2022-12-22T22:09:57.949Z", - "modified": "2022-12-22T22:09:57.949Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "name": "Ingress Tool Transfer", - "technique_id": "T1105", - "description": "Attacker used a custom implementation of Zerologon", - "confidence": 100, - "effect_refs": [ - 
"attack-action--5c8d3aac-79ac-4ef8-81dd-7046b5355e9c" - ] - }, - { - "type": "vulnerability", - "id": "vulnerability--2b660706-ac74-475d-af2d-7be8315a9056", - "spec_version": "2.1", - "created": "2022-12-22T22:09:57.949Z", - "modified": "2022-12-22T22:09:57.949Z", - "name": "CVE-2020-1472" - }, - { - "type": "tool", - "id": "tool--22800f67-08d5-42ce-95cf-1b39eff410c1", - "spec_version": "2.1", - "created": "2022-12-22T22:09:57.949Z", - "modified": "2022-12-22T22:09:57.949Z", - "name": "zero.exe", - "description": "custom implementation of Zerologon", - "tool_types": [ - "unknown" - ] - }, - { - "type": "attack-action", - "id": "attack-action--5c8d3aac-79ac-4ef8-81dd-7046b5355e9c", - "spec_version": "2.1", - "created": "2022-12-22T22:09:57.949Z", - "modified": "2022-12-22T22:09:57.949Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "name": "Exploitation for Credential Access", - "technique_id": "T1212", - "description": "Zero.exe executes and obtains the NTLM hash of a Domain Administrator account", - "confidence": 100, - "effect_refs": [ - "attack-action--42530d17-73ed-4f57-86f4-de1b3f85eae1" - ] - }, - { - "type": "attack-action", - "id": "attack-action--42530d17-73ed-4f57-86f4-de1b3f85eae1", - "spec_version": "2.1", - "created": "2022-12-22T22:09:57.949Z", - "modified": "2022-12-22T22:09:57.949Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "name": "Use Alternate Authentication Material: Pass the Hash", - "technique_id": "T1550.002", - "description": "Attackers use the Domain Administrator's NTLM hash to authenticate to other domain controllers", - "confidence": 100, - "effect_refs": [ - "attack-action--75aac24f-ecf5-4981-9349-2e1d9c9eb38a" - ] - }, - { - "type": "attack-action", - "id": "attack-action--75aac24f-ecf5-4981-9349-2e1d9c9eb38a", - "spec_version": "2.1", - "created": 
"2022-12-22T22:09:57.949Z", - "modified": "2022-12-22T22:09:57.949Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "name": "Ingress Tool Transfer", - "technique_id": "T1105", - "description": "Attackers deployed Cobalt Strike beacons on the domain controllers", - "confidence": 100, - "effect_refs": [ - "attack-action--93d9e541-add1-4515-b288-b163a60efea4" - ] - }, - { - "type": "attack-action", - "id": "attack-action--858fd8b8-6914-4c92-9a7d-66277e7224e4", - "spec_version": "2.1", - "created": "2022-12-22T22:09:57.949Z", - "modified": "2022-12-22T22:09:57.949Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "name": "Command and Scripting Interpreter: PowerShell", - "technique_id": "T1059.001", - "description": "PowerShell executed on every Domain Controller and used the Active Directory RSAT module to get a list of computers and compiled this list into a file", - "confidence": 100, - "effect_refs": [ - "attack-action--c0a8d30d-8908-49ea-be12-61e7dc39c9a8" - ] - }, - { - "type": "tool", - "id": "tool--3380b981-3dae-4b0e-9fd9-9abee266f383", - "spec_version": "2.1", - "created": "2022-12-22T22:09:57.949Z", - "modified": "2022-12-22T22:09:57.949Z", - "name": "comp2.ps1", - "description": "PowerShell script; uses the file with the  enumerated list of computers", - "tool_types": [ - "information-gathering" - ] - }, - { - "type": "attack-action", - "id": "attack-action--c0a8d30d-8908-49ea-be12-61e7dc39c9a8", - "spec_version": "2.1", - "created": "2022-12-22T22:09:57.949Z", - "modified": "2022-12-22T22:09:57.949Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "name": "Active Scanning: Scanning IP Blocks", - "technique_id": "T1595.001", - "description": "Executable uses IPs and hostnames from comps.txt and checks if they are online using 
ICMP scans", - "confidence": 100, - "effect_refs": [ - "attack-condition--55bbea0f-65dd-404a-bfeb-3751297f369e" - ] - }, - { - "type": "attack-condition", - "id": "attack-condition--55bbea0f-65dd-404a-bfeb-3751297f369e", - "spec_version": "2.1", - "created": "2022-12-22T22:09:57.949Z", - "modified": "2022-12-22T22:09:57.949Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "description": "Online hosts are directed to check.txt file" - }, - { - "type": "tool", - "id": "tool--5d91d93a-1071-4a5d-93f5-be75d5b7d1c1", - "spec_version": "2.1", - "created": "2022-12-22T22:09:57.949Z", - "modified": "2022-12-22T22:09:57.949Z", - "name": "check.exe", - "description": "executable conducting ICMP scans, searching for online systems", - "tool_types": [ - "information-gathering" - ] - }, - { - "type": "attack-action", - "id": "attack-action--93d9e541-add1-4515-b288-b163a60efea4", - "spec_version": "2.1", - "created": "2022-12-22T22:09:57.949Z", - "modified": "2022-12-22T22:09:57.949Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "name": "Lateral Movement", - "tactic_id": "TA0008", - "description": "Attackers moved lateral throughout the network to additional domain controllers, backup servers, and file shares using Cobalt Strike", - "confidence": 100, - "effect_refs": [ - "attack-action--858fd8b8-6914-4c92-9a7d-66277e7224e4" - ] - }, - { - "type": "malware", - "id": "malware--13146797-18cc-43b6-8bab-9a88c0e4a6e2", - "spec_version": "2.1", - "created": "2022-12-22T22:09:57.949Z", - "modified": "2022-12-22T22:09:57.949Z", - "name": "ier.dll", - "description": "Hancitor DLL file", - "malware_types": [ - "downloader", - "trojan" - ], - "is_family": true, - "capabilities": [ - "communicates-with-c2", - "exfiltrates-data", - "installs-other-components" - ] - }, - { - "type": "directory", - "id": 
"directory--6be350c5-1f9d-4e2b-a29a-37bd155d185f", - "spec_version": "2.1", - "created": "2022-12-22T22:09:57.949Z", - "modified": "2022-12-22T22:09:57.949Z", - "path": "%APPDATA%\\Microsoft\\templates\\" - }, - { - "type": "url", - "id": "url--a6ebeb18-dc18-47f7-b64c-07ac5828c492", - "spec_version": "2.1", - "created": "2022-12-22T22:09:57.949Z", - "modified": "2022-12-22T22:09:57.949Z", - "value": "4a5ikol.ru " - }, - { - "type": "ipv4-addr", - "id": "ipv4-addr--1f0a42b3-e753-41a6-8151-1b2751b4b914", - "spec_version": "2.1", - "created": "2022-12-22T22:09:57.949Z", - "modified": "2022-12-22T22:09:57.949Z", - "value": "8.211.241.0" - }, - { - "type": "ipv4-addr", - "id": "ipv4-addr--2ffb5de4-b7c9-4c18-a931-6b24a5cef301", - "spec_version": "2.1", - "created": "2022-12-22T22:09:57.949Z", - "modified": "2022-12-22T22:09:57.949Z", - "value": "207.148.23.64" - }, - { - "type": "malware", - "id": "malware--32f888c6-86a8-42bf-828d-44c5b398207f", - "spec_version": "2.1", - "created": "2022-12-22T22:09:57.949Z", - "modified": "2022-12-22T22:09:57.949Z", - "name": "Cobalt Strike payloads", - "malware_types": [ - "exploit-kit" - ], - "is_family": true, - "capabilities": [ - "accesses-remote-machines", - "communicates-with-c2", - "escalates-privileges", - "exfiltrates-data", - "fingerprints-host", - "installs-other-components", - "probes-network-environment", - "steals-authentication-credentials" - ] - }, - { - "type": "malware", - "id": "malware--c7408153-96a8-4a66-be6f-ac881bb187cc", - "spec_version": "2.1", - "created": "2022-12-22T22:09:57.949Z", - "modified": "2022-12-22T22:09:57.949Z", - "name": "Ficker Stealer", - "description": "steals information", - "malware_types": [ - "trojan" - ], - "is_family": true, - "capabilities": [ - "fingerprints-host", - "probes-network-environment", - "steals-authentication-credentials", - "exfiltrates-data" - ] - }, - { - "type": "tool", - "id": "tool--cafb8768-db59-4764-9ea1-702ccc4337f2", - "spec_version": "2.1", - "created": 
"2022-12-22T22:09:57.949Z", - "modified": "2022-12-22T22:09:57.949Z", - "name": "rundll32.exe", - "tool_types": [ - "unknown" - ] - }, - { - "type": "ipv4-addr", - "id": "ipv4-addr--8c8019bc-8d35-48de-b21f-6b3293b7a82f", - "spec_version": "2.1", - "created": "2022-12-22T22:09:57.949Z", - "modified": "2022-12-22T22:09:57.949Z", - "value": "190.114.254.116" - }, - { - "type": "ipv4-addr", - "id": "ipv4-addr--4986f18c-5013-43e6-9934-3504b2a457fc", - "spec_version": "2.1", - "created": "2022-12-22T22:09:57.949Z", - "modified": "2022-12-22T22:09:57.949Z", - "value": "190.114.254.116" - }, - { - "type": "malware", - "id": "malware--4e771a07-6800-4fb4-86e7-73718a3aa8bf", - "spec_version": "2.1", - "created": "2022-12-22T22:09:57.949Z", - "modified": "2022-12-22T22:09:57.949Z", - "name": "cor.dll", - "description": "Cobalt Strike DLL", - "malware_types": [ - "exploit-kit" - ], - "is_family": true, - "capabilities": [ - "accesses-remote-machines", - "communicates-with-c2", - "escalates-privileges", - "exfiltrates-data", - "fingerprints-host", - "installs-other-components", - "probes-network-environment", - "steals-authentication-credentials" - ] - }, - { - "type": "ipv4-addr", - "id": "ipv4-addr--a850619d-655c-4b2a-aaf0-60ae42998c7c", - "spec_version": "2.1", - "created": "2022-12-22T22:09:57.949Z", - "modified": "2022-12-22T22:09:57.949Z", - "value": "64.235.39.32" - }, - { - "type": "malware", - "id": "malware--fe0b4d3c-79f7-4562-9fd9-73f5922bc489", - "spec_version": "2.1", - "created": "2022-12-22T22:09:57.949Z", - "modified": "2022-12-22T22:09:57.949Z", - "name": "Cobalt Strike beacons", - "malware_types": [ - "exploit-kit" - ], - "is_family": true, - "capabilities": [ - "accesses-remote-machines", - "communicates-with-c2", - "escalates-privileges", - "exfiltrates-data", - "fingerprints-host", - "installs-other-components", - "probes-network-environment", - "steals-authentication-credentials" - ] - }, - { - "type": "file", - "id": 
"file--88d6adf8-19db-4920-afc5-896c2ebc26e8", - "spec_version": "2.1", - "created": "2022-12-22T22:09:57.949Z", - "modified": "2022-12-22T22:09:57.949Z", - "name": "comps.txt" - }, - { - "type": "relationship", - "id": "relationship--ecb11772-aa4d-4e79-b197-1e6ba9f6fb59", - "spec_version": "2.1", - "created": "2022-12-22T22:09:57.949Z", - "modified": "2022-12-22T22:09:57.949Z", - "relationship_type": "related-to", - "source_ref": "attack-action--0fc122a5-7f3b-4a0d-81b4-f841e1d01e1c", - "target_ref": "infrastructure--9dc784c0-f64e-41c6-815f-d515675071f6" - }, - { - "type": "relationship", - "id": "relationship--c292b733-42b8-4d4b-a931-b93866e86328", - "spec_version": "2.1", - "created": "2022-12-22T22:09:57.949Z", - "modified": "2022-12-22T22:09:57.949Z", - "relationship_type": "related-to", - "source_ref": "attack-action--7f226db5-d7a2-4af5-aa98-b2bc3bac699a", - "target_ref": "directory--6be350c5-1f9d-4e2b-a29a-37bd155d185f" - }, - { - "type": "relationship", - "id": "relationship--2dc28b21-3cf9-4711-82ea-702810e9ed64", - "spec_version": "2.1", - "created": "2022-12-22T22:09:57.949Z", - "modified": "2022-12-22T22:09:57.949Z", - "relationship_type": "related-to", - "source_ref": "attack-action--7f226db5-d7a2-4af5-aa98-b2bc3bac699a", - "target_ref": "malware--13146797-18cc-43b6-8bab-9a88c0e4a6e2" - }, - { - "type": "relationship", - "id": "relationship--2fd3daf4-2219-46de-a61d-e1445f2841c3", - "spec_version": "2.1", - "created": "2022-12-22T22:09:57.949Z", - "modified": "2022-12-22T22:09:57.949Z", - "relationship_type": "related-to", - "source_ref": "attack-action--5d55cc3d-c059-4937-a4c6-c1b5a48c3fc1", - "target_ref": "malware--c7408153-96a8-4a66-be6f-ac881bb187cc" - }, - { - "type": "relationship", - "id": "relationship--9799b09f-df43-4029-9694-6ab986bf4e37", - "spec_version": "2.1", - "created": "2022-12-22T22:09:57.949Z", - "modified": "2022-12-22T22:09:57.949Z", - "relationship_type": "related-to", - "source_ref": 
"attack-action--5d55cc3d-c059-4937-a4c6-c1b5a48c3fc1", - "target_ref": "malware--32f888c6-86a8-42bf-828d-44c5b398207f" - }, - { - "type": "relationship", - "id": "relationship--d5675f15-e076-4085-a42a-8e73d60bb571", - "spec_version": "2.1", - "created": "2022-12-22T22:09:57.949Z", - "modified": "2022-12-22T22:09:57.949Z", - "relationship_type": "related-to", - "source_ref": "attack-action--5d55cc3d-c059-4937-a4c6-c1b5a48c3fc1", - "target_ref": "infrastructure--050084ef-b861-4ebb-9269-c28b064268b3" - }, - { - "type": "relationship", - "id": "relationship--c795f374-2b21-4906-b260-c538725c8c25", - "spec_version": "2.1", - "created": "2022-12-22T22:09:57.949Z", - "modified": "2022-12-22T22:09:57.949Z", - "relationship_type": "related-to", - "source_ref": "attack-action--5d55cc3d-c059-4937-a4c6-c1b5a48c3fc1", - "target_ref": "infrastructure--246d0643-cd96-4eef-9ceb-e198a3780450" - }, - { - "type": "relationship", - "id": "relationship--d1c9d28d-b063-46d8-a012-071356d4f6f0", - "spec_version": "2.1", - "created": "2022-12-22T22:09:57.949Z", - "modified": "2022-12-22T22:09:57.949Z", - "relationship_type": "related-to", - "source_ref": "infrastructure--246d0643-cd96-4eef-9ceb-e198a3780450", - "target_ref": "ipv4-addr--2ffb5de4-b7c9-4c18-a931-6b24a5cef301" - }, - { - "type": "relationship", - "id": "relationship--068bd712-9d7d-4b13-8e23-81bee7c578b0", - "spec_version": "2.1", - "created": "2022-12-22T22:09:57.949Z", - "modified": "2022-12-22T22:09:57.949Z", - "relationship_type": "related-to", - "source_ref": "infrastructure--050084ef-b861-4ebb-9269-c28b064268b3", - "target_ref": "url--a6ebeb18-dc18-47f7-b64c-07ac5828c492" - }, - { - "type": "relationship", - "id": "relationship--885cc548-be81-48da-b4e9-bdbf5d13f16d", - "spec_version": "2.1", - "created": "2022-12-22T22:09:57.949Z", - "modified": "2022-12-22T22:09:57.949Z", - "relationship_type": "related-to", - "source_ref": "infrastructure--050084ef-b861-4ebb-9269-c28b064268b3", - "target_ref": 
"ipv4-addr--1f0a42b3-e753-41a6-8151-1b2751b4b914" - }, - { - "type": "relationship", - "id": "relationship--a81f03c7-0842-4bd8-805e-b12b88243f05", - "spec_version": "2.1", - "created": "2022-12-22T22:09:57.949Z", - "modified": "2022-12-22T22:09:57.949Z", - "relationship_type": "related-to", - "source_ref": "attack-action--264c553e-266e-4143-983b-35bee0e23a63", - "target_ref": "tool--ad23cf1d-72aa-40d7-a66a-4e95305cb0ed" - }, - { - "type": "relationship", - "id": "relationship--c2228b81-8cf4-4706-b1b8-747442614570", - "spec_version": "2.1", - "created": "2022-12-22T22:09:57.949Z", - "modified": "2022-12-22T22:09:57.949Z", - "relationship_type": "related-to", - "source_ref": "attack-action--d53ce876-ead2-4d68-a864-e340bdc1aa31", - "target_ref": "malware--4e771a07-6800-4fb4-86e7-73718a3aa8bf" - }, - { - "type": "relationship", - "id": "relationship--d200b1ff-24d8-4c90-96c1-246c5d19616b", - "spec_version": "2.1", - "created": "2022-12-22T22:09:57.949Z", - "modified": "2022-12-22T22:09:57.949Z", - "relationship_type": "related-to", - "source_ref": "attack-action--d53ce876-ead2-4d68-a864-e340bdc1aa31", - "target_ref": "infrastructure--ea1c5706-9374-48ab-bf54-5c1572b4c4ac" - }, - { - "type": "relationship", - "id": "relationship--aa863f86-588c-4715-84e8-134431892277", - "spec_version": "2.1", - "created": "2022-12-22T22:09:57.949Z", - "modified": "2022-12-22T22:09:57.949Z", - "relationship_type": "related-to", - "source_ref": "attack-action--d53ce876-ead2-4d68-a864-e340bdc1aa31", - "target_ref": "tool--7df9e692-418b-4d07-81bc-bd16693656b0" - }, - { - "type": "relationship", - "id": "relationship--3db908c3-5d41-43e6-9169-afcda1489122", - "spec_version": "2.1", - "created": "2022-12-22T22:09:57.949Z", - "modified": "2022-12-22T22:09:57.949Z", - "relationship_type": "related-to", - "source_ref": "infrastructure--ea1c5706-9374-48ab-bf54-5c1572b4c4ac", - "target_ref": "ipv4-addr--4986f18c-5013-43e6-9934-3504b2a457fc" - }, - { - "type": "relationship", - "id": 
"relationship--53b58c49-15b7-4ab0-b0f8-781a0caa6f52", - "spec_version": "2.1", - "created": "2022-12-22T22:09:57.949Z", - "modified": "2022-12-22T22:09:57.949Z", - "relationship_type": "related-to", - "source_ref": "attack-condition--a2793461-43b8-4b30-966f-71295f564b75", - "target_ref": "tool--cafb8768-db59-4764-9ea1-702ccc4337f2" - }, - { - "type": "relationship", - "id": "relationship--77426a54-9f02-4119-a584-daed8f7ec658", - "spec_version": "2.1", - "created": "2022-12-22T22:09:57.949Z", - "modified": "2022-12-22T22:09:57.949Z", - "relationship_type": "related-to", - "source_ref": "attack-action--8c95b74c-07b8-4277-989f-ff499ff32ae4", - "target_ref": "tool--9f0f8035-5d6a-44e8-8c66-125db8a30a25" - }, - { - "type": "relationship", - "id": "relationship--34e54ab5-10fa-42af-9049-a245b86248b2", - "spec_version": "2.1", - "created": "2022-12-22T22:09:57.949Z", - "modified": "2022-12-22T22:09:57.949Z", - "relationship_type": "related-to", - "source_ref": "attack-action--75818fd9-2ca6-43b1-9dd7-08be16fec19c", - "target_ref": "tool--30bce16b-b3a2-4efe-9024-3a26d7df320c" - }, - { - "type": "relationship", - "id": "relationship--be0f6dd9-acfb-4923-8c95-c0b5e30fc765", - "spec_version": "2.1", - "created": "2022-12-22T22:09:57.949Z", - "modified": "2022-12-22T22:09:57.949Z", - "relationship_type": "related-to", - "source_ref": "attack-action--75818fd9-2ca6-43b1-9dd7-08be16fec19c", - "target_ref": "infrastructure--5cb78035-4d30-4c6e-bc3b-458b3c19fb4e" - }, - { - "type": "relationship", - "id": "relationship--681ff8c7-a35d-40b6-aa22-86120e50ca5a", - "spec_version": "2.1", - "created": "2022-12-22T22:09:57.949Z", - "modified": "2022-12-22T22:09:57.949Z", - "relationship_type": "related-to", - "source_ref": "infrastructure--5cb78035-4d30-4c6e-bc3b-458b3c19fb4e", - "target_ref": "ipv4-addr--a850619d-655c-4b2a-aaf0-60ae42998c7c" - }, - { - "type": "relationship", - "id": "relationship--d25c5963-1472-4cb2-9069-c8e411adf026", - "spec_version": "2.1", - "created": 
"2022-12-22T22:09:57.949Z", - "modified": "2022-12-22T22:09:57.949Z", - "relationship_type": "related-to", - "source_ref": "attack-action--ba5d97f4-f1d8-4a42-8634-a43483c57389", - "target_ref": "vulnerability--2b660706-ac74-475d-af2d-7be8315a9056" - }, - { - "type": "relationship", - "id": "relationship--10d370fe-ea2e-4e9c-8b55-c0a3367b284d", - "spec_version": "2.1", - "created": "2022-12-22T22:09:57.949Z", - "modified": "2022-12-22T22:09:57.949Z", - "relationship_type": "related-to", - "source_ref": "attack-action--ba5d97f4-f1d8-4a42-8634-a43483c57389", - "target_ref": "tool--22800f67-08d5-42ce-95cf-1b39eff410c1" - }, - { - "type": "relationship", - "id": "relationship--1f2c0b58-ff6e-48db-9fa1-8dd18448b379", - "spec_version": "2.1", - "created": "2022-12-22T22:09:57.949Z", - "modified": "2022-12-22T22:09:57.949Z", - "relationship_type": "related-to", - "source_ref": "attack-action--75aac24f-ecf5-4981-9349-2e1d9c9eb38a", - "target_ref": "malware--fe0b4d3c-79f7-4562-9fd9-73f5922bc489" - }, - { - "type": "relationship", - "id": "relationship--6a1d52d2-8952-4bb2-bc7d-81be613975c6", - "spec_version": "2.1", - "created": "2022-12-22T22:09:57.949Z", - "modified": "2022-12-22T22:09:57.949Z", - "relationship_type": "related-to", - "source_ref": "attack-action--858fd8b8-6914-4c92-9a7d-66277e7224e4", - "target_ref": "tool--3380b981-3dae-4b0e-9fd9-9abee266f383" - }, - { - "type": "relationship", - "id": "relationship--de701378-c30d-4082-b65f-a726ca41203f", - "spec_version": "2.1", - "created": "2022-12-22T22:09:57.949Z", - "modified": "2022-12-22T22:09:57.949Z", - "relationship_type": "related-to", - "source_ref": "tool--3380b981-3dae-4b0e-9fd9-9abee266f383", - "target_ref": "file--88d6adf8-19db-4920-afc5-896c2ebc26e8" - }, - { - "type": "relationship", - "id": "relationship--7ab28908-ee3c-45ee-9647-82689fe51859", - "spec_version": "2.1", - "created": "2022-12-22T22:09:57.949Z", - "modified": "2022-12-22T22:09:57.949Z", - "relationship_type": "related-to", - "source_ref": 
"attack-action--c0a8d30d-8908-49ea-be12-61e7dc39c9a8", - "target_ref": "tool--5d91d93a-1071-4a5d-93f5-be75d5b7d1c1" - } - ] -} \ No newline at end of file diff --git a/corpus/JP Morgan Breach.json b/corpus/JP Morgan Breach.json deleted file mode 100644 index 9c790f8f..00000000 --- a/corpus/JP Morgan Breach.json +++ /dev/null 
@@ -1,639 +0,0 @@ -{ - "type": "bundle", - "id": "bundle--27259102-1044-4603-919e-03553059c365", - "spec_version": "2.1", - "created": "2022-12-22T22:28:03.160Z", - "modified": "2022-12-22T22:28:03.160Z", - "objects": [ - { - "type": "extension-definition", - "id": "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4", - "spec_version": "2.1", - "created": "2022-08-02T19:34:35.143Z", - "modified": "2022-08-02T19:34:35.143Z", - "name": "Attack Flow", - "description": "Extends STIX 2.1 with features to create Attack Flows.", - "created_by_ref": "identity--fb9c968a-745b-4ade-9b25-c324172197f4", - "schema": "https://center-for-threat-informed-defense.github.io/attack-flow/stix/attack-flow-schema-2.0.0.json", - "version": "2.0.0", - "extension_types": [ - "new-sdo" - ], - "external_references": [ - { - "source_name": "Documentation", - "description": "Documentation for Attack Flow", - "url": "https://center-for-threat-informed-defense.github.io/attack-flow" - }, - { - "source_name": "GitHub", - "description": "Source code repository for Attack Flow", - "url": "https://github.com/center-for-threat-informed-defense/attack-flow" - } - ] - }, - { - "type": "identity", - "id": "identity--fb9c968a-745b-4ade-9b25-c324172197f4", - "spec_version": "2.1", - "created": "2022-08-02T19:34:35.143Z", - "modified": "2022-08-02T19:34:35.143Z", - "create_by_ref": "identity--fb9c968a-745b-4ade-9b25-c324172197f4", - "name": "MITRE Engenuity Center for Threat-Informed Defense", - "identity_class": "organization" - }, - { - "type": "attack-flow", - "id": "attack-flow--70b69944-7d6d-47da-a768-d0b8717a3433", - "spec_version": "2.1", - "created": "2022-10-27T02:44:54.520Z", - "modified": "2022-12-22T22:28:03.161Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "created_by_ref": "identity--e22a4761-d285-44ac-96ed-f1d14e198048", - "start_refs": [ - "attack-action--c4b5213a-588e-4f70-bb81-731b875ae7d8" - ], - 
"name": "JP Morgan Breach", - "description": "Attack flow on the 2014 JP Morgan breach.", - "author": [ - [ - "name", - "Lauren Parker" - ], - [ - "identity_class", - "23b79ae0fc0f07a3669598dd23c694cc" - ], - [ - "contact_information", - "lparker@mitre.org" - ] - ], - "scope": "incident", - "external_references": [ - { - "source_name": "The Security Ledger", - "description": "Article", - "url": "https://securityledger.com/2014/10/hacked_password_behind_compromise_of_75m_jpmorgan_accounts/" - }, - { - "source_name": "SANS", - "description": "Whitepaper", - "url": "https://www.sans.org/white-papers/35822/" - }, - { - "source_name": "Computer World", - "description": "Article", - "url": "https://www.computerworld.com/article/2862675/twofactor-authentication-oversight-led-to-jpmorgan-breach-investigators-reportedly-found.html" - }, - { - "source_name": "Bloomberg", - "description": "Article", - "url": "https://www.bloomberg.com/news/articles/2014-08-29/jpmorgan-hack-said-to-span-months-via-multiple-flaws#xj4y7vzkg" - }, - { - "source_name": "Trend Micro", - "description": "Article", - "url": "https://www.trendmicro.com/vinfo/us/security/news/cyber-attacks/jp-morgan-breach-affects-millions-shows-need-for-secure-web-apps" - }, - { - "source_name": "SANS", - "description": "GIAC Paper", - "url": "https://www.giac.org/paper/gsec/36190/minimizing-damage-jp-morgans-data-breach/143120" - } - ] - }, - { - "type": "identity", - "id": "identity--e22a4761-d285-44ac-96ed-f1d14e198048", - "spec_version": "2.1", - "created": "2022-12-22T22:28:03.161Z", - "modified": "2022-12-22T22:28:03.161Z", - "name": "Lauren Parker", - "identity_class": "individual", - "contact_information": "lparker@mitre.org" - }, - { - "type": "attack-action", - "id": "attack-action--c4b5213a-588e-4f70-bb81-731b875ae7d8", - "spec_version": "2.1", - "created": "2022-12-22T22:28:03.161Z", - "modified": "2022-12-22T22:28:03.161Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { 
- "extension_type": "new-sdo" - } - }, - "name": "Phishing", - "technique_id": "T1566", - "description": "Employee interacted with phishing email on their personal computer", - "confidence": 50, - "effect_refs": [ - "attack-condition--05935c6a-636d-4ede-8575-15612d5585e5" - ] - }, - { - "type": "attack-condition", - "id": "attack-condition--05935c6a-636d-4ede-8575-15612d5585e5", - "spec_version": "2.1", - "created": "2022-12-22T22:28:03.161Z", - "modified": "2022-12-22T22:28:03.161Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "description": "Malware placed on an employee's personal computer", - "on_true_refs": [ - "attack-action--b47629f7-445c-4605-a0a3-126bfad7d133" - ] - }, - { - "type": "attack-action", - "id": "attack-action--b47629f7-445c-4605-a0a3-126bfad7d133", - "spec_version": "2.1", - "created": "2022-12-22T22:28:03.161Z", - "modified": "2022-12-22T22:28:03.161Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "name": "Input Capture", - "technique_id": "T1056", - "description": "employee used infected personal computer to connect to the victim system through a VPN, allowing attackers to steal login credentials of the employee", - "confidence": 100, - "asset_refs": [ - "attack-asset--0ffc28be-8471-456b-ab02-bc4238777456" - ], - "effect_refs": [ - "attack-condition--3328fd28-4441-4a1e-8e90-bf18c634f229" - ] - }, - { - "type": "attack-asset", - "id": "attack-asset--0ffc28be-8471-456b-ab02-bc4238777456", - "spec_version": "2.1", - "created": "2022-12-22T22:28:03.161Z", - "modified": "2022-12-22T22:28:03.161Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "name": "VPN" - }, - { - "type": "attack-condition", - "id": "attack-condition--3328fd28-4441-4a1e-8e90-bf18c634f229", - "spec_version": "2.1", - "created": 
"2022-12-22T22:28:03.161Z", - "modified": "2022-12-22T22:28:03.161Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "description": "Attackers collect user credentials to access the bank's network", - "on_true_refs": [ - "attack-action--f6428576-e9f7-4702-9914-a4fa4c9793d7" - ] - }, - { - "type": "attack-action", - "id": "attack-action--f6428576-e9f7-4702-9914-a4fa4c9793d7", - "spec_version": "2.1", - "created": "2022-12-22T22:28:03.161Z", - "modified": "2022-12-22T22:28:03.161Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "name": "Exploit Public-Facing Application", - "technique_id": "T1190", - "description": "Attackers used valid credentials to exploit the lack of 2-factor authentication into a web-development server", - "confidence": 100, - "asset_refs": [ - "attack-asset--9b9f5d4d-7df2-454e-ba2e-c8a821417470" - ], - "effect_refs": [ - "attack-action--5a3c9bd6-8fa0-4184-9fb6-bdff06057a1b" - ] - }, - { - "type": "attack-asset", - "id": "attack-asset--9b9f5d4d-7df2-454e-ba2e-c8a821417470", - "spec_version": "2.1", - "created": "2022-12-22T22:28:03.161Z", - "modified": "2022-12-22T22:28:03.161Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "name": "Web-development server" - }, - { - "type": "attack-action", - "id": "attack-action--5a3c9bd6-8fa0-4184-9fb6-bdff06057a1b", - "spec_version": "2.1", - "created": "2022-12-22T22:28:03.161Z", - "modified": "2022-12-22T22:28:03.161Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "name": "Lateral Movement", - "tactic_id": "TA0008", - "description": "moved from the web-development server to more than 100 other servers within the network", - "confidence": 100, - "asset_refs": [ - 
"attack-asset--b270e0f4-b644-410d-870e-bc3d3cf28d24", - "attack-asset--c7704977-2bdf-4486-92b4-7d82d4b43f54", - "attack-asset--9610b6bc-f13a-479a-92a0-5d804d8a2df3" - ], - "effect_refs": [ - "attack-action--ec2cc0ea-2b44-40ef-bc5a-53ccc45ec8b1", - "attack-action--436b5d27-34fc-45af-a0c4-6c5ac071dbf4" - ] - }, - { - "type": "attack-asset", - "id": "attack-asset--b270e0f4-b644-410d-870e-bc3d3cf28d24", - "spec_version": "2.1", - "created": "2022-12-22T22:28:03.161Z", - "modified": "2022-12-22T22:28:03.161Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "name": "Banking data center", - "description": "compromised" - }, - { - "type": "attack-asset", - "id": "attack-asset--9610b6bc-f13a-479a-92a0-5d804d8a2df3", - "spec_version": "2.1", - "created": "2022-12-22T22:28:03.161Z", - "modified": "2022-12-22T22:28:03.161Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "name": "Additional lines of business", - "description": "compromised, including investment banking, credit cards, and commercial and residential banking systems" - }, - { - "type": "attack-asset", - "id": "attack-asset--c7704977-2bdf-4486-92b4-7d82d4b43f54", - "spec_version": "2.1", - "created": "2022-12-22T22:28:03.161Z", - "modified": "2022-12-22T22:28:03.161Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "name": "Additional servers", - "description": "compromised" - }, - { - "type": "vulnerability", - "id": "vulnerability--67b20076-2a37-4be8-bc74-4b125a0013e6", - "spec_version": "2.1", - "created": "2022-12-22T22:28:03.161Z", - "modified": "2022-12-22T22:28:03.161Z", - "name": "CWE-308: Use of Single-factor Authentication" - }, - { - "type": "attack-action", - "id": "attack-action--ec2cc0ea-2b44-40ef-bc5a-53ccc45ec8b1", - "spec_version": "2.1", - "created": 
"2022-12-22T22:28:03.161Z", - "modified": "2022-12-22T22:28:03.161Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "name": "Exploitation for Privilege Escalation", - "technique_id": "T1068", - "description": "attackers used multiple zero-day attacks to gain access to various systems and move throughout the network", - "confidence": 100, - "effect_refs": [ - "attack-operator--b2ddb779-301e-4f7e-abbd-c6715afe8a15" - ] - }, - { - "type": "vulnerability", - "id": "vulnerability--1fa0ee57-0549-4652-932b-2dd7a262c174", - "spec_version": "2.1", - "created": "2022-12-22T22:28:03.161Z", - "modified": "2022-12-22T22:28:03.161Z", - "name": "Zero-day vulnerabilities" - }, - { - "type": "attack-action", - "id": "attack-action--436b5d27-34fc-45af-a0c4-6c5ac071dbf4", - "spec_version": "2.1", - "created": "2022-12-22T22:28:03.161Z", - "modified": "2022-12-22T22:28:03.161Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "name": "Develop Capabilities: Malware", - "technique_id": "T1587.001", - "description": "attackers used custom malware targeting various systems/vulnerabilities to move throughout the network", - "confidence": 100, - "effect_refs": [ - "attack-operator--b2ddb779-301e-4f7e-abbd-c6715afe8a15" - ] - }, - { - "type": "tool", - "id": "tool--031e3858-57b3-490c-adcd-79174b065d72", - "spec_version": "2.1", - "created": "2022-12-22T22:28:03.161Z", - "modified": "2022-12-22T22:28:03.161Z", - "name": "Custom Malware", - "tool_types": [ - "unknown" - ] - }, - { - "type": "attack-action", - "id": "attack-action--22366a07-5595-46c6-a246-8713fca3724e", - "spec_version": "2.1", - "created": "2022-12-22T22:28:03.161Z", - "modified": "2022-12-22T22:28:03.161Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "name": "Input Capture", - "technique_id": 
"T1056", - "description": "attackers collected credentials and other info that customers gave to the bank and vice versa", - "confidence": 100, - "effect_refs": [ - "attack-action--72910b74-d081-4b61-a66b-b0affd2d783d" - ], - "asset_refs": [ - "attack-asset--bc3b2ea4-5b4b-4b82-8319-c8b1d8a80c1d" - ] - }, - { - "type": "attack-operator", - "id": "attack-operator--b2ddb779-301e-4f7e-abbd-c6715afe8a15", - "spec_version": "2.1", - "created": "2022-12-22T22:28:03.161Z", - "modified": "2022-12-22T22:28:03.161Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "operator": "AND", - "effect_refs": [ - "attack-condition--6c3867f3-fbbf-4828-af64-18971421a044" - ] - }, - { - "type": "attack-asset", - "id": "attack-asset--bc3b2ea4-5b4b-4b82-8319-c8b1d8a80c1d", - "spec_version": "2.1", - "created": "2022-12-22T22:28:03.161Z", - "modified": "2022-12-22T22:28:03.161Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "name": "Customer Data", - "description": "compromised, including credentials and sensitive information" - }, - { - "type": "attack-action", - "id": "attack-action--72910b74-d081-4b61-a66b-b0affd2d783d", - "spec_version": "2.1", - "created": "2022-12-22T22:28:03.161Z", - "modified": "2022-12-22T22:28:03.161Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "name": "Exfiltration", - "tactic_id": "TA0010", - "description": "attackers slowly extracted gigabytes of data over the course of several months", - "confidence": 100, - "effect_refs": [ - "attack-action--15f080d7-77c0-4583-ba2c-a866de1f2d9a" - ] - }, - { - "type": "attack-action", - "id": "attack-action--15f080d7-77c0-4583-ba2c-a866de1f2d9a", - "spec_version": "2.1", - "created": "2022-12-22T22:28:03.161Z", - "modified": "2022-12-22T22:28:03.161Z", - "extensions": { - 
"extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "name": "Proxy: Multi-hop Proxy", - "technique_id": "T1090.003", - "description": "attackers routed attacks/exfiltration through computers in several countries, including Brazil", - "confidence": 100, - "effect_refs": [ - "attack-action--4219a30c-6b2c-48a0-98f6-d864448210b9" - ] - }, - { - "type": "infrastructure", - "id": "infrastructure--ac66307f-2077-4dc1-ba05-43baac9c6a93", - "spec_version": "2.1", - "created": "2022-12-22T22:28:03.161Z", - "modified": "2022-12-22T22:28:03.161Z", - "name": "Multiple Proxies", - "infrastructure_types": [ - "anonymization" - ] - }, - { - "type": "attack-action", - "id": "attack-action--4219a30c-6b2c-48a0-98f6-d864448210b9", - "spec_version": "2.1", - "created": "2022-12-22T22:28:03.161Z", - "modified": "2022-12-22T22:28:03.161Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "name": "Redirected data", - "description": "Attackers redirected traffic to a large city in Russia", - "confidence": 100, - "effect_refs": [ - "attack-action--7a4cae41-8364-43cf-adb1-5a8f2376c833" - ] - }, - { - "type": "attack-action", - "id": "attack-action--7a4cae41-8364-43cf-adb1-5a8f2376c833", - "spec_version": "2.1", - "created": "2022-12-22T22:28:03.161Z", - "modified": "2022-12-22T22:28:03.161Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "name": "Indicator Removal on Host", - "technique_id": "T1070", - "description": "Attackers used defense evasion techniques and deleted multiple log files", - "confidence": 100, - "asset_refs": [ - "attack-asset--c1ce4235-1c78-431d-a20e-3b12aa4acfcc" - ], - "effect_refs": [ - "attack-action--7d4a94af-cd71-42fd-8aa1-c27322d79997" - ] - }, - { - "type": "attack-asset", - "id": "attack-asset--c1ce4235-1c78-431d-a20e-3b12aa4acfcc", - "spec_version": "2.1", - 
"created": "2022-12-22T22:28:03.161Z", - "modified": "2022-12-22T22:28:03.161Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "name": "Log files" - }, - { - "type": "attack-action", - "id": "attack-action--7d4a94af-cd71-42fd-8aa1-c27322d79997", - "spec_version": "2.1", - "created": "2022-12-22T22:28:03.161Z", - "modified": "2022-12-22T22:28:03.161Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "name": "Exploit Public-Facing Application", - "technique_id": "T1190", - "description": "Security personnel discovered the breach when a routine scan triggered an alarm for a flaw in one of their websites for charitable race sponsored by the bank", - "confidence": 100 - }, - { - "type": "attack-condition", - "id": "attack-condition--6c3867f3-fbbf-4828-af64-18971421a044", - "spec_version": "2.1", - "created": "2022-12-22T22:28:03.161Z", - "modified": "2022-12-22T22:28:03.161Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "description": "Successfully compromised various servers throughout the bank's network", - "on_true_refs": [ - "attack-action--22366a07-5595-46c6-a246-8713fca3724e" - ] - }, - { - "type": "location", - "id": "location--3515815d-70d7-4269-8c8f-50ee5da8cdde", - "spec_version": "2.1", - "created": "2022-12-22T22:28:03.161Z", - "modified": "2022-12-22T22:28:03.161Z", - "name": "Brazil", - "description": "location of one of the proxies", - "country": "Brazil" - }, - { - "type": "location", - "id": "location--66e98888-de6a-4a76-b18e-a17ddbd9c060", - "spec_version": "2.1", - "created": "2022-12-22T22:28:03.161Z", - "modified": "2022-12-22T22:28:03.161Z", - "name": "Russia", - "country": "Russia" - }, - { - "type": "relationship", - "id": "relationship--d89176d1-4e94-4208-ae4e-26d7d799e0a4", - "spec_version": "2.1", - "created": 
"2022-12-22T22:28:03.161Z", - "modified": "2022-12-22T22:28:03.161Z", - "relationship_type": "related-to", - "source_ref": "attack-action--f6428576-e9f7-4702-9914-a4fa4c9793d7", - "target_ref": "vulnerability--67b20076-2a37-4be8-bc74-4b125a0013e6" - }, - { - "type": "relationship", - "id": "relationship--b9ade044-4f6b-4645-b249-ff3d1868dbdc", - "spec_version": "2.1", - "created": "2022-12-22T22:28:03.161Z", - "modified": "2022-12-22T22:28:03.161Z", - "relationship_type": "related-to", - "source_ref": "attack-action--ec2cc0ea-2b44-40ef-bc5a-53ccc45ec8b1", - "target_ref": "vulnerability--1fa0ee57-0549-4652-932b-2dd7a262c174" - }, - { - "type": "relationship", - "id": "relationship--df085da1-105c-4907-af67-595c74b05de1", - "spec_version": "2.1", - "created": "2022-12-22T22:28:03.161Z", - "modified": "2022-12-22T22:28:03.161Z", - "relationship_type": "related-to", - "source_ref": "attack-action--436b5d27-34fc-45af-a0c4-6c5ac071dbf4", - "target_ref": "tool--031e3858-57b3-490c-adcd-79174b065d72" - }, - { - "type": "relationship", - "id": "relationship--c329ea54-317f-4346-b85e-29343a9c97c3", - "spec_version": "2.1", - "created": "2022-12-22T22:28:03.161Z", - "modified": "2022-12-22T22:28:03.161Z", - "relationship_type": "related-to", - "source_ref": "attack-action--15f080d7-77c0-4583-ba2c-a866de1f2d9a", - "target_ref": "infrastructure--ac66307f-2077-4dc1-ba05-43baac9c6a93" - }, - { - "type": "relationship", - "id": "relationship--f5cd9796-9f6d-49d7-83d2-fd58b2768142", - "spec_version": "2.1", - "created": "2022-12-22T22:28:03.161Z", - "modified": "2022-12-22T22:28:03.161Z", - "relationship_type": "related-to", - "source_ref": "attack-action--15f080d7-77c0-4583-ba2c-a866de1f2d9a", - "target_ref": "location--3515815d-70d7-4269-8c8f-50ee5da8cdde" - }, - { - "type": "relationship", - "id": "relationship--e43dcd27-a98a-4bc5-ae20-90f27f98ef30", - "spec_version": "2.1", - "created": "2022-12-22T22:28:03.161Z", - "modified": "2022-12-22T22:28:03.161Z", - "relationship_type": 
"related-to", - "source_ref": "attack-action--4219a30c-6b2c-48a0-98f6-d864448210b9", - "target_ref": "location--66e98888-de6a-4a76-b18e-a17ddbd9c060" - } - ] -} \ No newline at end of file diff --git a/corpus/Mac Malware Steals Crypto.json b/corpus/Mac Malware Steals Crypto.json deleted file mode 100644 index 81746143..00000000 --- a/corpus/Mac Malware Steals Crypto.json +++ /dev/null 
@@ -1,526 +0,0 @@ -{ - "type": "bundle", - "id": "bundle--0fa9a685-94b8-4687-bb25-4281996481ae", - "spec_version": "2.1", - "created": "2022-12-22T22:36:14.869Z", - "modified": "2022-12-22T22:36:14.869Z", - "objects": [ - { - "type": "extension-definition", - "id": "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4", - "spec_version": "2.1", - "created": "2022-08-02T19:34:35.143Z", - "modified": "2022-08-02T19:34:35.143Z", - "name": "Attack Flow", - "description": "Extends STIX 2.1 with features to create Attack Flows.", - "created_by_ref": "identity--fb9c968a-745b-4ade-9b25-c324172197f4", - "schema": "https://center-for-threat-informed-defense.github.io/attack-flow/stix/attack-flow-schema-2.0.0.json", - "version": "2.0.0", - "extension_types": [ - "new-sdo" - ], - "external_references": [ - { - "source_name": "Documentation", - "description": "Documentation for Attack Flow", - "url": "https://center-for-threat-informed-defense.github.io/attack-flow" - }, - { - "source_name": "GitHub", - "description": "Source code repository for Attack Flow", - "url": "https://github.com/center-for-threat-informed-defense/attack-flow" - } - ] - }, - { - "type": "identity", - "id": "identity--fb9c968a-745b-4ade-9b25-c324172197f4", - "spec_version": "2.1", - "created": "2022-08-02T19:34:35.143Z", - "modified": "2022-08-02T19:34:35.143Z", - "create_by_ref": "identity--fb9c968a-745b-4ade-9b25-c324172197f4", - "name": "MITRE Engenuity Center for Threat-Informed Defense", - "identity_class": "organization" - }, - { - "type": "attack-flow", - "id": "attack-flow--676c8c5c-1b96-4043-89a0-aab775bc0f92", - "spec_version": "2.1", - "created": "2022-10-27T02:44:54.520Z", - "modified": "2022-12-22T22:36:14.870Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "created_by_ref": "identity--4bc1abca-a3e5-4f18-8c72-73b6ce6655aa", - "start_refs": [], - "name": "Mac Malware Steals Crypto", - "description": 
"Analysis of a malware family, OSX.DarthMiner, that targets MacOS.", - "author": [ - [ - "name", - "Eric Kannampuzha" - ], - [ - "identity_class", - "23b79ae0fc0f07a3669598dd23c694cc" - ], - [ - "contact_information", - "ekannampuzha@mitre.org" - ] - ], - "scope": "incident", - "external_references": [ - { - "source_name": "Palo Alto", - "description": "Blog", - "url": "https://unit42.paloaltonetworks.com/mac-malware-steals-cryptocurrency-exchanges-cookies/" - } - ] - }, - { - "type": "identity", - "id": "identity--4bc1abca-a3e5-4f18-8c72-73b6ce6655aa", - "spec_version": "2.1", - "created": "2022-12-22T22:36:14.870Z", - "modified": "2022-12-22T22:36:14.870Z", - "name": "Eric Kannampuzha", - "identity_class": "individual", - "contact_information": "ekannampuzha@mitre.org" - }, - { - "type": "attack-action", - "id": "attack-action--85e081c4-ab67-472b-b3a2-ff359bc464e2", - "spec_version": "2.1", - "created": "2022-12-22T22:36:14.870Z", - "modified": "2022-12-22T22:36:14.870Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "name": "Command and Scripting Interpreter: Unix Shell", - "technique_id": "T1059.004", - "description": "Webshell copies the Safari browser's cookies to a folder", - "confidence": 100, - "asset_refs": [ - "attack-asset--fea3da59-f16c-4fca-b0d0-a437ff8272b0" - ], - "effect_refs": [ - "attack-action--6de07b72-bae0-4bed-a641-002b74461961" - ] - }, - { - "type": "attack-action", - "id": "attack-action--6de07b72-bae0-4bed-a641-002b74461961", - "spec_version": "2.1", - "created": "2022-12-22T22:36:14.870Z", - "modified": "2022-12-22T22:36:14.870Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "name": "Exfiltration", - "tactic_id": "TA0010", - "description": "Uploads browser cookies to a remote server", - "confidence": 100, - "effect_refs": [ - "attack-operator--763cc208-162e-439b-84df-c4e9ea32a9e2" 
- ] - }, - { - "type": "attack-asset", - "id": "attack-asset--fea3da59-f16c-4fca-b0d0-a437ff8272b0", - "spec_version": "2.1", - "created": "2022-12-22T22:36:14.870Z", - "modified": "2022-12-22T22:36:14.870Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "name": "Safari browser cookies", - "description": "Targets cookies associated with cryptocurrency exchanges and any website having \"blockchain\" in its domain name" - }, - { - "type": "infrastructure", - "id": "infrastructure--9aced747-538e-4e99-9738-60fbb466b957", - "spec_version": "2.1", - "created": "2022-12-22T22:36:14.870Z", - "modified": "2022-12-22T22:36:14.870Z", - "name": "46.226.108.171:8000", - "description": "Remote Server", - "infrastructure_types": [ - "exfiltration" - ] - }, - { - "type": "tool", - "id": "tool--d2a5c2be-74d2-4eca-bd36-16a3058868a6", - "spec_version": "2.1", - "created": "2022-12-22T22:36:14.870Z", - "modified": "2022-12-22T22:36:14.870Z", - "name": "curldrop", - "description": "Hosted on the remote server; allows users to upload files with curl", - "tool_types": [ - "unknown" - ] - }, - { - "type": "attack-action", - "id": "attack-action--9e267c9d-ab5c-446f-b1e1-b57fe510ce86", - "spec_version": "2.1", - "created": "2022-12-22T22:36:14.870Z", - "modified": "2022-12-22T22:36:14.870Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "name": "Command and Scripting Interpreter: Python", - "technique_id": "T1059.006", - "description": "Python script extracts saved login credentials and credit card information from Chrome's local data storage", - "confidence": 100, - "effect_refs": [ - "attack-action--77409eed-e668-4a19-bd85-9c55b48bc59d" - ] - }, - { - "type": "attack-action", - "id": "attack-action--55bbc7ec-ffb7-4185-b180-eb5f35bc61dc", - "spec_version": "2.1", - "created": "2022-12-22T22:36:14.870Z", - "modified": 
"2022-12-22T22:36:14.870Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "name": "Initial Access", - "tactic_id": "TA0001", - "description": "CookieMiner targets different web browsers", - "confidence": 100, - "effect_refs": [ - "attack-action--85e081c4-ab67-472b-b3a2-ff359bc464e2", - "attack-action--9e267c9d-ab5c-446f-b1e1-b57fe510ce86" - ] - }, - { - "type": "tool", - "id": "tool--cf4f914f-ea4d-43a8-bccd-471468562dcc", - "spec_version": "2.1", - "created": "2022-12-22T22:36:14.870Z", - "modified": "2022-12-22T22:36:14.870Z", - "name": "harmlesslittlecode.py", - "description": "Python script", - "tool_types": [ - "information-gathering", - "credential-exploitation" - ] - }, - { - "type": "attack-action", - "id": "attack-action--77409eed-e668-4a19-bd85-9c55b48bc59d", - "spec_version": "2.1", - "created": "2022-12-22T22:36:14.870Z", - "modified": "2022-12-22T22:36:14.870Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "name": "Exploitation for Defense Evasion", - "technique_id": "T1211", - "description": "Abuses Google Chromium's techniques for decryption and extraction to steal credit card information and saved login credentials", - "confidence": 100, - "effect_refs": [ - "attack-action--9083cb76-8b62-472b-9ae2-56c90258ce69" - ] - }, - { - "type": "attack-action", - "id": "attack-action--9083cb76-8b62-472b-9ae2-56c90258ce69", - "spec_version": "2.1", - "created": "2022-12-22T22:36:14.870Z", - "modified": "2022-12-22T22:36:14.870Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "name": "Exfiltration", - "tactic_id": "TA0010", - "description": "Uploads stolen information to a remote server, including wallet-related file paths and private keys for the wallets", - "confidence": 100, - "effect_refs": [ - 
"attack-operator--763cc208-162e-439b-84df-c4e9ea32a9e2" - ] - }, - { - "type": "attack-operator", - "id": "attack-operator--763cc208-162e-439b-84df-c4e9ea32a9e2", - "spec_version": "2.1", - "created": "2022-12-22T22:36:14.870Z", - "modified": "2022-12-22T22:36:14.870Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "operator": "AND", - "effect_refs": [ - "attack-action--5be1aafd-dc2a-4a68-aab0-745bd70b7427" - ] - }, - { - "type": "attack-action", - "id": "attack-action--5be1aafd-dc2a-4a68-aab0-745bd70b7427", - "spec_version": "2.1", - "created": "2022-12-22T22:36:14.870Z", - "modified": "2022-12-22T22:36:14.870Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "name": "Ingress Tool Transfer", - "technique_id": "T1105", - "description": "Mach-O executable used for mining cryptocurrency (Koto) on the listed mining address", - "confidence": 100, - "asset_refs": [ - "attack-asset--f46b3cad-aad1-4256-9487-5f1e060e76a7" - ], - "effect_refs": [ - "attack-action--f07bd6fe-b4cb-4d42-89f2-8235297b880a" - ] - }, - { - "type": "attack-action", - "id": "attack-action--f07bd6fe-b4cb-4d42-89f2-8235297b880a", - "spec_version": "2.1", - "created": "2022-12-22T22:36:14.870Z", - "modified": "2022-12-22T22:36:14.870Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "name": "Command and Scripting Interpreter: Python", - "technique_id": "T1059.006", - "description": "Establishes remote control on the victim's machine", - "confidence": 100, - "effect_refs": [ - "attack-action--afbd6c13-5d78-4812-aeb5-523ae08c3053" - ] - }, - { - "type": "infrastructure", - "id": "infrastructure--609da3e1-e06b-4014-bb01-5836972cf8c6", - "spec_version": "2.1", - "created": "2022-12-22T22:36:14.870Z", - "modified": "2022-12-22T22:36:14.870Z", - "name": 
"hxxps://ptpb[.]pw/OAZG", - "description": "location of the Python script", - "infrastructure_types": [ - "hosting-malware" - ] - }, - { - "type": "attack-action", - "id": "attack-action--afbd6c13-5d78-4812-aeb5-523ae08c3053", - "spec_version": "2.1", - "created": "2022-12-22T22:36:14.870Z", - "modified": "2022-12-22T22:36:14.870Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "name": "Software Discovery: Security Software Discovery", - "technique_id": "T1518.001", - "description": "Checks if an application firewall (Little Snitch) is running. Terminates if this firewall is running", - "confidence": 100, - "asset_refs": [ - "attack-asset--90108ce3-8b52-4b4e-89b7-e4d0a6869e04" - ] - }, - { - "type": "attack-asset", - "id": "attack-asset--90108ce3-8b52-4b4e-89b7-e4d0a6869e04", - "spec_version": "2.1", - "created": "2022-12-22T22:36:14.870Z", - "modified": "2022-12-22T22:36:14.870Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "name": "Little Snitch" - }, - { - "type": "infrastructure", - "id": "infrastructure--5c516cf9-609d-4c30-bf40-fbe9292abc51", - "spec_version": "2.1", - "created": "2022-12-22T22:36:14.870Z", - "modified": "2022-12-22T22:36:14.870Z", - "name": "Remote Server", - "infrastructure_types": [ - "exfiltration" - ] - }, - { - "type": "note", - "id": "note--b65eea35-480d-4d94-8ca1-559f39577e13", - "spec_version": "2.1", - "created": "2022-12-22T22:36:14.870Z", - "modified": "2022-12-22T22:36:14.870Z", - "content": "If iTunes is used to backup files, then attackers can collect text messages (SMSFILE) from the victim", - "object_refs": [ - "attack-action--85e081c4-ab67-472b-b3a2-ff359bc464e2" - ] - }, - { - "type": "malware", - "id": "malware--fc9b2357-e209-45f4-80f2-2fb4d101be1f", - "spec_version": "2.1", - "created": "2022-12-22T22:36:14.870Z", - "modified": "2022-12-22T22:36:14.870Z", - "name": 
"xmrig", - "description": "Mach-O executable for mining cryptocurrency", - "malware_types": [ - "resource-exploitation" - ], - "is_family": true, - "capabilities": [] - }, - { - "type": "artifact", - "id": "artifact--d7cdf078-5fce-4a15-85b7-5dedaf775b2c", - "spec_version": "2.1", - "created": "2022-12-22T22:36:14.870Z", - "modified": "2022-12-22T22:36:14.870Z", - "payload_bin": "k1GqvkK7QYEfMj3JPHieBo1m7FUkTowdq6H=" - }, - { - "type": "url", - "id": "url--64b32701-235c-4f48-8c0e-1c8b750adcfe", - "spec_version": "2.1", - "created": "2022-12-22T22:36:14.870Z", - "modified": "2022-12-22T22:36:14.870Z", - "value": "hxxps://ptpb[.]pw/OAZG" - }, - { - "type": "malware", - "id": "malware--86b9c251-4f43-4166-9163-ac356a1e13b3", - "spec_version": "2.1", - "created": "2022-12-22T22:36:14.870Z", - "modified": "2022-12-22T22:36:14.870Z", - "name": "EmPyre", - "description": "Python post-exploitation agent; used by the attacker to send commands remotely to the victim's machine", - "malware_types": [ - "remote-access-trojan" - ], - "is_family": false, - "capabilities": [ - "communicates-with-c2" - ] - }, - { - "type": "attack-asset", - "id": "attack-asset--f46b3cad-aad1-4256-9487-5f1e060e76a7", - "spec_version": "2.1", - "created": "2022-12-22T22:36:14.870Z", - "modified": "2022-12-22T22:36:14.870Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "name": "Cryptocurrency Wallet", - "object_ref": "artifact--d7cdf078-5fce-4a15-85b7-5dedaf775b2c" - }, - { - "type": "relationship", - "id": "relationship--f67f0d53-23f5-4b5d-801d-2d62ac8ae606", - "spec_version": "2.1", - "created": "2022-12-22T22:36:14.870Z", - "modified": "2022-12-22T22:36:14.870Z", - "relationship_type": "related-to", - "source_ref": "attack-action--6de07b72-bae0-4bed-a641-002b74461961", - "target_ref": "infrastructure--9aced747-538e-4e99-9738-60fbb466b957" - }, - { - "type": "relationship", - "id": 
"relationship--d4cfcc8e-2937-42c1-97b2-f241bd5b87ac", - "spec_version": "2.1", - "created": "2022-12-22T22:36:14.870Z", - "modified": "2022-12-22T22:36:14.870Z", - "relationship_type": "related-to", - "source_ref": "attack-action--6de07b72-bae0-4bed-a641-002b74461961", - "target_ref": "tool--d2a5c2be-74d2-4eca-bd36-16a3058868a6" - }, - { - "type": "relationship", - "id": "relationship--f53fd258-12e3-4875-8a4d-7a3affaa7672", - "spec_version": "2.1", - "created": "2022-12-22T22:36:14.870Z", - "modified": "2022-12-22T22:36:14.870Z", - "relationship_type": "related-to", - "source_ref": "attack-action--9e267c9d-ab5c-446f-b1e1-b57fe510ce86", - "target_ref": "tool--cf4f914f-ea4d-43a8-bccd-471468562dcc" - }, - { - "type": "relationship", - "id": "relationship--7a196ade-897d-4d95-9e9a-5936e96c611a", - "spec_version": "2.1", - "created": "2022-12-22T22:36:14.870Z", - "modified": "2022-12-22T22:36:14.870Z", - "relationship_type": "related-to", - "source_ref": "attack-action--9083cb76-8b62-472b-9ae2-56c90258ce69", - "target_ref": "infrastructure--5c516cf9-609d-4c30-bf40-fbe9292abc51" - }, - { - "type": "relationship", - "id": "relationship--0ae5e1e0-3952-4101-a453-9bb481d30eb1", - "spec_version": "2.1", - "created": "2022-12-22T22:36:14.870Z", - "modified": "2022-12-22T22:36:14.870Z", - "relationship_type": "related-to", - "source_ref": "attack-action--5be1aafd-dc2a-4a68-aab0-745bd70b7427", - "target_ref": "malware--fc9b2357-e209-45f4-80f2-2fb4d101be1f" - }, - { - "type": "relationship", - "id": "relationship--0f180e21-71f9-4fbd-91ac-9b1d844ff174", - "spec_version": "2.1", - "created": "2022-12-22T22:36:14.870Z", - "modified": "2022-12-22T22:36:14.870Z", - "relationship_type": "related-to", - "source_ref": "attack-action--f07bd6fe-b4cb-4d42-89f2-8235297b880a", - "target_ref": "infrastructure--609da3e1-e06b-4014-bb01-5836972cf8c6" - }, - { - "type": "relationship", - "id": "relationship--17a8f4f7-7398-43b5-9e5f-925645615071", - "spec_version": "2.1", - "created": 
"2022-12-22T22:36:14.870Z", - "modified": "2022-12-22T22:36:14.870Z", - "relationship_type": "related-to", - "source_ref": "attack-action--f07bd6fe-b4cb-4d42-89f2-8235297b880a", - "target_ref": "malware--86b9c251-4f43-4166-9163-ac356a1e13b3" - }, - { - "type": "relationship", - "id": "relationship--df88678e-b157-40da-a179-18649d645d8f", - "spec_version": "2.1", - "created": "2022-12-22T22:36:14.870Z", - "modified": "2022-12-22T22:36:14.870Z", - "relationship_type": "related-to", - "source_ref": "infrastructure--609da3e1-e06b-4014-bb01-5836972cf8c6", - "target_ref": "url--64b32701-235c-4f48-8c0e-1c8b750adcfe" - } - ] -} \ No newline at end of file diff --git a/corpus/Marriott Breach.json b/corpus/Marriott Breach.json deleted file mode 100644 index 73e4db12..00000000 --- a/corpus/Marriott Breach.json +++ /dev/null 
@@ -1,404 +0,0 @@ -{ - "type": "bundle", - "id": "bundle--8a51774e-e718-4589-9e1a-431fd5c3fc4f", - "spec_version": "2.1", - "created": "2022-12-22T22:50:48.995Z", - "modified": "2022-12-22T22:50:48.995Z", - "objects": [ - { - "type": "extension-definition", - "id": "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4", - "spec_version": "2.1", - "created": "2022-08-02T19:34:35.143Z", - "modified": "2022-08-02T19:34:35.143Z", - "name": "Attack Flow", - "description": "Extends STIX 2.1 with features to create Attack Flows.", - "created_by_ref": "identity--fb9c968a-745b-4ade-9b25-c324172197f4", - "schema": "https://center-for-threat-informed-defense.github.io/attack-flow/stix/attack-flow-schema-2.0.0.json", - "version": "2.0.0", - "extension_types": [ - "new-sdo" - ], - "external_references": [ - { - "source_name": "Documentation", - "description": "Documentation for Attack Flow", - "url": "https://center-for-threat-informed-defense.github.io/attack-flow" - }, - { - "source_name": "GitHub", - "description": "Source code repository for Attack Flow", - "url": "https://github.com/center-for-threat-informed-defense/attack-flow" - } - ] - }, - { - "type": "identity", - "id": "identity--fb9c968a-745b-4ade-9b25-c324172197f4", - "spec_version": "2.1", - "created": "2022-08-02T19:34:35.143Z", - "modified": "2022-08-02T19:34:35.143Z", - "create_by_ref": "identity--fb9c968a-745b-4ade-9b25-c324172197f4", - "name": "MITRE Engenuity Center for Threat-Informed Defense", - "identity_class": "organization" - }, - { - "type": "attack-flow", - "id": "attack-flow--2fe6c5db-cdc5-4506-bb55-9a1119a45d9e", - "spec_version": "2.1", - "created": "2022-10-27T02:44:54.520Z", - "modified": "2022-12-22T22:50:48.996Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "created_by_ref": "identity--f666f220-7051-4dcb-abc0-85ff456490e1", - "start_refs": [ - "attack-action--2bf2f95c-5d35-4c50-850a-f81c31470ca9" - ], - 
"name": "Marriott Breach", - "description": "A data breach at the Marriott hotel group in 2018.", - "author": [ - [ - "name", - "Lauren Parker" - ], - [ - "identity_class", - "23b79ae0fc0f07a3669598dd23c694cc" - ], - [ - "contact_information", - "lparker@mitre.org" - ] - ], - "scope": "incident", - "external_references": [ - { - "source_name": "U.S. Senate", - "description": "Investigation", - "url": "https://www.hsgac.senate.gov/imo/media/doc/Soresnson%20Testimony.pdf" - }, - { - "source_name": "Hotel Tech Report", - "description": "Article", - "url": "https://hoteltechreport.com/news/marriott-data-breach" - }, - { - "source_name": "CSO Online", - "description": "Article", - "url": "https://www.csoonline.com/article/3441220/marriott-data-breach-faq-how-did-it-happen-and-what-was-the-impact.html" - } - ] - }, - { - "type": "identity", - "id": "identity--f666f220-7051-4dcb-abc0-85ff456490e1", - "spec_version": "2.1", - "created": "2022-12-22T22:50:48.995Z", - "modified": "2022-12-22T22:50:48.995Z", - "name": "Lauren Parker", - "identity_class": "individual", - "contact_information": "lparker@mitre.org" - }, - { - "type": "attack-action", - "id": "attack-action--2bf2f95c-5d35-4c50-850a-f81c31470ca9", - "spec_version": "2.1", - "created": "2022-12-22T22:50:48.996Z", - "modified": "2022-12-22T22:50:48.996Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "name": "Phishing", - "technique_id": "T1566", - "description": "Phishing email used to gain access to Starwood brands reservation system ", - "confidence": 50, - "effect_refs": [ - "attack-action--ccc7e534-0ab7-4301-b666-9f86f8985863", - "attack-action--9f740818-914e-44cc-8914-5c3cefc0e1d7" - ] - }, - { - "type": "threat-actor", - "id": "threat-actor--fee4c680-4992-488b-b1bb-0fc6e076a303", - "spec_version": "2.1", - "created": "2022-12-22T22:50:48.996Z", - "modified": "2022-12-22T22:50:48.996Z", - "name": "Individuals on behalf of the 
Chinese Government", - "description": "Unknown individuals believed to be acting on behalf of the Chinese government; they exfiltrated personal information from customers", - "sophistication": "strategic", - "resource_level": "government", - "primary_motivation": "organizational-gain" - }, - { - "type": "attack-action", - "id": "attack-action--ccc7e534-0ab7-4301-b666-9f86f8985863", - "spec_version": "2.1", - "created": "2022-12-22T22:50:48.996Z", - "modified": "2022-12-22T22:50:48.996Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "name": "Credentials from Password Stores", - "technique_id": "T1555", - "description": "Attackers obtained valid passwords/accounts to move laterally within the network", - "effect_refs": [ - "attack-condition--1c852859-2281-4682-8cc4-1a51e2f50f46" - ] - }, - { - "type": "tool", - "id": "tool--a84c8c94-f07d-48b4-862b-4b7fc5901042", - "spec_version": "2.1", - "created": "2022-12-22T22:50:48.996Z", - "modified": "2022-12-22T22:50:48.996Z", - "name": "Mimikatz" - }, - { - "type": "attack-action", - "id": "attack-action--9f740818-914e-44cc-8914-5c3cefc0e1d7", - "spec_version": "2.1", - "created": "2022-12-22T22:50:48.996Z", - "modified": "2022-12-22T22:50:48.996Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "name": "Remote Access Trojan", - "tactic_id": "unknown", - "description": "A remote access trojan was found during investigation. Generally, RATs allow an attacker to covertly access, surveil, and even gain control over a computer. 
However, it is unknown how attackers used the RAT in this attack.", - "effect_refs": [ - "attack-operator--1b533799-bd2f-4dd8-b24d-ea98a5a1b9e8" - ] - }, - { - "type": "attack-condition", - "id": "attack-condition--1c852859-2281-4682-8cc4-1a51e2f50f46", - "spec_version": "2.1", - "created": "2022-12-22T22:50:48.996Z", - "modified": "2022-12-22T22:50:48.996Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "description": "Attackers obtained credentials, including for an admin account", - "on_true_refs": [ - "attack-operator--1b533799-bd2f-4dd8-b24d-ea98a5a1b9e8" - ] - }, - { - "type": "attack-operator", - "id": "attack-operator--1b533799-bd2f-4dd8-b24d-ea98a5a1b9e8", - "spec_version": "2.1", - "created": "2022-12-22T22:50:48.996Z", - "modified": "2022-12-22T22:50:48.996Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "operator": "AND", - "effect_refs": [ - "attack-action--704d2b3a-4d25-41bd-9461-260e960840dc" - ] - }, - { - "type": "attack-action", - "id": "attack-action--704d2b3a-4d25-41bd-9461-260e960840dc", - "spec_version": "2.1", - "created": "2022-12-22T22:50:48.996Z", - "modified": "2022-12-22T22:50:48.996Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "name": "Gather Victim Network Information: Network Topology", - "technique_id": "T1590.004", - "description": "Attackers used an administrator account to query for data within the network. 
Attackers searched for databases with relevant customer information.", - "effect_refs": [ - "attack-condition--560b08e3-81b6-4f48-a804-783a82fd35c1" - ] - }, - { - "type": "attack-condition", - "id": "attack-condition--560b08e3-81b6-4f48-a804-783a82fd35c1", - "spec_version": "2.1", - "created": "2022-12-22T22:50:48.996Z", - "modified": "2022-12-22T22:50:48.996Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "description": "Discovered databases ", - "on_true_refs": [ - "attack-action--65436923-b069-45f9-af06-9e67998aab8b", - "attack-action--cb29bb1b-eee2-4457-80b7-aee3c3182517" - ] - }, - { - "type": "attack-action", - "id": "attack-action--65436923-b069-45f9-af06-9e67998aab8b", - "spec_version": "2.1", - "created": "2022-12-22T22:50:48.996Z", - "modified": "2022-12-22T22:50:48.996Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "name": "Data Obfuscation", - "technique_id": "T1001", - "description": "Attackers obfuscated data that they removed from the network", - "effect_refs": [ - "attack-operator--09f14bbb-64f9-4f9e-a16a-42684794b0e1" - ] - }, - { - "type": "attack-action", - "id": "attack-action--cb29bb1b-eee2-4457-80b7-aee3c3182517", - "spec_version": "2.1", - "created": "2022-12-22T22:50:48.996Z", - "modified": "2022-12-22T22:50:48.996Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "name": "Archive Collected Data", - "technique_id": "T1560", - "description": "Attackers obfuscated data that they removed from the network by compressing and encrypting files ", - "effect_refs": [ - "attack-operator--09f14bbb-64f9-4f9e-a16a-42684794b0e1" - ] - }, - { - "type": "attack-operator", - "id": "attack-operator--09f14bbb-64f9-4f9e-a16a-42684794b0e1", - "spec_version": "2.1", - "created": "2022-12-22T22:50:48.996Z", - "modified": 
"2022-12-22T22:50:48.996Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "operator": "AND", - "effect_refs": [ - "attack-action--7239ab4c-fb5c-46b6-a2ba-637d9a2b12e9" - ] - }, - { - "type": "attack-action", - "id": "attack-action--7239ab4c-fb5c-46b6-a2ba-637d9a2b12e9", - "spec_version": "2.1", - "created": "2022-12-22T22:50:48.996Z", - "modified": "2022-12-22T22:50:48.996Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "name": "Exfiltration", - "tactic_id": "TA0010", - "description": "Attackers exfiltrated customer data through unknown means", - "asset_refs": [ - "attack-asset--828cdfdb-8815-4383-af0d-72b0e5f81c12", - "attack-asset--b526faf5-34f3-4b40-a073-04fd16d7d82e", - "attack-asset--852df8b6-8f7e-4424-8c36-617a16643a6a" - ], - "effect_refs": [ - "attack-action--0ed7f887-8cc8-4339-b91b-f7ace1f67ad7" - ] - }, - { - "type": "attack-asset", - "id": "attack-asset--b526faf5-34f3-4b40-a073-04fd16d7d82e", - "spec_version": "2.1", - "created": "2022-12-22T22:50:48.996Z", - "modified": "2022-12-22T22:50:48.996Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "name": "Encrypted Files" - }, - { - "type": "attack-asset", - "id": "attack-asset--852df8b6-8f7e-4424-8c36-617a16643a6a", - "spec_version": "2.1", - "created": "2022-12-22T22:50:48.996Z", - "modified": "2022-12-22T22:50:48.996Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "name": "Guest Data" - }, - { - "type": "attack-asset", - "id": "attack-asset--828cdfdb-8815-4383-af0d-72b0e5f81c12", - "spec_version": "2.1", - "created": "2022-12-22T22:50:48.996Z", - "modified": "2022-12-22T22:50:48.996Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": 
"new-sdo" - } - }, - "name": "Passport Information" - }, - { - "type": "attack-action", - "id": "attack-action--0ed7f887-8cc8-4339-b91b-f7ace1f67ad7", - "spec_version": "2.1", - "created": "2022-12-22T22:50:48.996Z", - "modified": "2022-12-22T22:50:48.996Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "name": "Indicator Removal on Host: File Deletion", - "technique_id": "T1070.004", - "description": "Attackers conducted defense evasion by deleting exfiltrated files", - "asset_refs": [ - "attack-asset--b94ac867-4f80-4bf7-81ff-06b77abb1ba7" - ] - }, - { - "type": "attack-asset", - "id": "attack-asset--b94ac867-4f80-4bf7-81ff-06b77abb1ba7", - "spec_version": "2.1", - "created": "2022-12-22T22:50:48.996Z", - "modified": "2022-12-22T22:50:48.996Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "name": "exfiltrated files" - }, - { - "type": "relationship", - "id": "relationship--0c26a195-eee2-4a3c-8094-550b5ee7535c", - "spec_version": "2.1", - "created": "2022-12-22T22:50:48.996Z", - "modified": "2022-12-22T22:50:48.996Z", - "relationship_type": "related-to", - "source_ref": "attack-action--ccc7e534-0ab7-4301-b666-9f86f8985863", - "target_ref": "tool--a84c8c94-f07d-48b4-862b-4b7fc5901042" - } - ] -} \ No newline at end of file diff --git a/corpus/NotPetya.json b/corpus/NotPetya.json deleted file mode 100644 index 9277cf78..00000000 --- a/corpus/NotPetya.json +++ /dev/null 
@@ -1,1097 +0,0 @@ -{ - "type": "bundle", - "id": "bundle--6c740aed-67c6-4839-b356-f2515badb0e5", - "spec_version": "2.1", - "created": "2023-01-03T21:07:36.198Z", - "modified": "2023-01-03T21:07:36.198Z", - "objects": [ - { - "type": "extension-definition", - "id": "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4", - "spec_version": "2.1", - "created": "2022-08-02T19:34:35.143Z", - "modified": "2022-08-02T19:34:35.143Z", - "name": "Attack Flow", - "description": "Extends STIX 2.1 with features to create Attack Flows.", - "created_by_ref": "identity--fb9c968a-745b-4ade-9b25-c324172197f4", - "schema": "https://center-for-threat-informed-defense.github.io/attack-flow/stix/attack-flow-schema-2.0.0.json", - "version": "2.0.0", - "extension_types": [ - "new-sdo" - ], - "external_references": [ - { - "source_name": "Documentation", - "description": "Documentation for Attack Flow", - "url": "https://center-for-threat-informed-defense.github.io/attack-flow" - }, - { - "source_name": "GitHub", - "description": "Source code repository for Attack Flow", - "url": "https://github.com/center-for-threat-informed-defense/attack-flow" - } - ] - }, - { - "type": "identity", - "id": "identity--fb9c968a-745b-4ade-9b25-c324172197f4", - "spec_version": "2.1", - "created": "2022-08-02T19:34:35.143Z", - "modified": "2022-08-02T19:34:35.143Z", - "create_by_ref": "identity--fb9c968a-745b-4ade-9b25-c324172197f4", - "name": "MITRE Engenuity Center for Threat-Informed Defense", - "identity_class": "organization" - }, - { - "type": "attack-flow", - "id": "attack-flow--dd875c61-26a9-4b8b-879e-9f00346300fd", - "spec_version": "2.1", - "created": "2022-10-27T02:44:54.520Z", - "modified": "2023-01-03T21:07:36.199Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "created_by_ref": "identity--03b9f5a5-79e8-46c7-9eae-efb1e1add341", - "start_refs": [], - "name": "NotPetya", - "description": "Analysis of 2017 
malware outbreak.", - "author": [ - [ - "name", - "Mia Sanchez" - ], - [ - "identity_class", - "23b79ae0fc0f07a3669598dd23c694cc" - ], - [ - "contact_information", - "msanchez@mitre.org" - ] - ], - "scope": "incident", - "external_references": [ - { - "source_name": "CrowdStrike", - "description": "Article", - "url": "https://www.crowdstrike.com/blog/petrwrap-ransomware-technical-analysis-triple-threat-file-encryption-mft-encryption-credential-theft/" - }, - { - "source_name": "CrowdStrike", - "description": "Article", - "url": "https://www.crowdstrike.com/blog/petrwrap-technical-analysis-part-2-further-findings-and-potential-for-mbr-recovery/" - }, - { - "source_name": "LogRhythm", - "description": "Report", - "url": "https://gallery.logrhythm.com/threat-intelligence-reports/notpetya-technical-analysis-logrhythm-labs-threat-intelligence-report.pdf" - }, - { - "source_name": "Department of Justice", - "description": "Indictment", - "url": "https://www.justice.gov/opa/press-release/file/1328521/download" - } - ] - }, - { - "type": "identity", - "id": "identity--03b9f5a5-79e8-46c7-9eae-efb1e1add341", - "spec_version": "2.1", - "created": "2023-01-03T21:07:36.199Z", - "modified": "2023-01-03T21:07:36.199Z", - "name": "Mia Sanchez", - "identity_class": "individual", - "contact_information": "msanchez@mitre.org" - }, - { - "type": "attack-action", - "id": "attack-action--9ac3cd71-b8e4-4902-a134-5bbf2c3dc9b9", - "spec_version": "2.1", - "created": "2023-01-03T21:07:36.199Z", - "modified": "2023-01-03T21:07:36.199Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "name": "Supply Chain Compromise", - "technique_id": "T1195", - "description": "Attackers added malicious functionality to the files containing software updates for M.E.Doc to collect a list of all EDRPOUs associated with computers using the M.E.Doc software and had downloaded the update file and to send a cookie back to the Update 
Server", - "confidence": 100, - "asset_refs": [ - "attack-asset--f16ebb0d-0c67-482a-ab1e-673bb376280c" - ], - "effect_refs": [ - "attack-action--460b67ee-7fbe-4930-a019-fe07ae742c34" - ] - }, - { - "type": "attack-action", - "id": "attack-action--698fd2b3-f021-4f74-8141-d48ba11ce09c", - "spec_version": "2.1", - "created": "2023-01-03T21:07:36.199Z", - "modified": "2023-01-03T21:07:36.199Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "name": "Masquerading", - "technique_id": "T1036", - "description": "NotPetya drops the ransomware DLL perfc.dat, writes a resource to C:\\Windows\\dllhost.dat, and drops its ransomware splash and warning files", - "confidence": 100, - "effect_refs": [ - "attack-action--371fe05f-e6b1-41ea-84ef-2c76f8186089", - "attack-action--3d221636-c915-4e2a-903a-e10047a1f34a" - ] - }, - { - "type": "attack-action", - "id": "attack-action--371fe05f-e6b1-41ea-84ef-2c76f8186089", - "spec_version": "2.1", - "created": "2023-01-03T21:07:36.199Z", - "modified": "2023-01-03T21:07:36.199Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "name": "Software Discovery: Security Software Discovery", - "technique_id": "T1518.001", - "description": "Malware starts subroutine and hashes every running process on the system and sets PROC_FLAG. 
It is looking for three hardcoded hashes: Kaspersky, Symantec, Norton Security.", - "confidence": 100, - "effect_refs": [ - "attack-condition--d3033b02-3cdc-4554-b39f-a3853bba2c53", - "attack-condition--7f9d0200-8303-4247-aeeb-8aa9124ccb32" - ] - }, - { - "type": "attack-action", - "id": "attack-action--2010cb6c-cca8-45a4-99ca-ed2a2ace8d45", - "spec_version": "2.1", - "created": "2023-01-03T21:07:36.199Z", - "modified": "2023-01-03T21:07:36.199Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "name": "OS Credential Harvester", - "technique_id": "T1003.001", - "description": "Operates as a modified version of Mimikatz and uses a named pipe to extract credentials from LSASS", - "confidence": 100, - "effect_refs": [ - "attack-operator--085ac3c3-4a2a-45de-a075-b22595d089b2" - ] - }, - { - "type": "attack-condition", - "id": "attack-condition--6c666fe2-0a6c-4bb1-8da7-9955f81b187b", - "spec_version": "2.1", - "created": "2023-01-03T21:07:36.199Z", - "modified": "2023-01-03T21:07:36.199Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "description": "Adversary obtains SeDebugPrivilege", - "on_true_refs": [ - "attack-action--2010cb6c-cca8-45a4-99ca-ed2a2ace8d45" - ] - }, - { - "type": "attack-action", - "id": "attack-action--8b0ac8bf-9642-4c25-811c-781942284dac", - "spec_version": "2.1", - "created": "2023-01-03T21:07:36.199Z", - "modified": "2023-01-03T21:07:36.199Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "name": "Access Token Impersonation", - "technique_id": "T1134.001", - "description": "Duplicates another user's token and allows attacker to escalate privileges and impersonate another user to spread the malware", - "confidence": 100, - "effect_refs": [ - "attack-operator--085ac3c3-4a2a-45de-a075-b22595d089b2" - ] - }, - { - 
"type": "attack-action", - "id": "attack-action--3d221636-c915-4e2a-903a-e10047a1f34a", - "spec_version": "2.1", - "created": "2023-01-03T21:07:36.199Z", - "modified": "2023-01-03T21:07:36.199Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "name": "Malware Privilege Discovery", - "technique_id": "N/A", - "description": "Malware attempts to determine privilege of its running process and sets the PRIV_FLAG: SeTcbPrivilege, SeDebugPrivilege, SeShutdownPrivilege", - "confidence": 100, - "effect_refs": [ - "attack-condition--6c666fe2-0a6c-4bb1-8da7-9955f81b187b", - "attack-condition--3b06b8c3-c293-453f-8754-37b8d1e810d7" - ] - }, - { - "type": "attack-condition", - "id": "attack-condition--3b06b8c3-c293-453f-8754-37b8d1e810d7", - "spec_version": "2.1", - "created": "2023-01-03T21:07:36.199Z", - "modified": "2023-01-03T21:07:36.199Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "description": "Adversary obtains SeTcbPrivilege", - "on_true_refs": [ - "attack-action--8b0ac8bf-9642-4c25-811c-781942284dac" - ] - }, - { - "type": "attack-operator", - "id": "attack-operator--085ac3c3-4a2a-45de-a075-b22595d089b2", - "spec_version": "2.1", - "created": "2023-01-03T21:07:36.199Z", - "modified": "2023-01-03T21:07:36.199Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "operator": "OR", - "effect_refs": [ - "attack-condition--c6ec09c8-2806-4eb6-8f3a-8729d0364af5" - ] - }, - { - "type": "attack-condition", - "id": "attack-condition--c6ec09c8-2806-4eb6-8f3a-8729d0364af5", - "spec_version": "2.1", - "created": "2023-01-03T21:07:36.199Z", - "modified": "2023-01-03T21:07:36.199Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "description": "User escalated to a different 
account", - "on_true_refs": [ - "attack-action--f75c6409-b123-4c09-85fb-9c3a337c9fdb", - "attack-operator--ede0a454-a028-4d4a-85fb-b773d891679d" - ], - "on_false_refs": [ - "attack-action--e72f07e9-2191-4805-9f97-bdd7624b3827" - ] - }, - { - "type": "attack-condition", - "id": "attack-condition--d3033b02-3cdc-4554-b39f-a3853bba2c53", - "spec_version": "2.1", - "created": "2023-01-03T21:07:36.199Z", - "modified": "2023-01-03T21:07:36.199Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "description": "Norton Security or Symantec not running on system, and SMBv1 vulnerable condition exists", - "on_true_refs": [ - "attack-operator--ede0a454-a028-4d4a-85fb-b773d891679d" - ] - }, - { - "type": "attack-operator", - "id": "attack-operator--ede0a454-a028-4d4a-85fb-b773d891679d", - "spec_version": "2.1", - "created": "2023-01-03T21:07:36.199Z", - "modified": "2023-01-03T21:07:36.199Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "operator": "AND", - "effect_refs": [ - "attack-action--efe3d7fe-9a22-4b05-a5af-1eb0f42aa41f" - ] - }, - { - "type": "attack-action", - "id": "attack-action--f75c6409-b123-4c09-85fb-9c3a337c9fdb", - "spec_version": "2.1", - "created": "2023-01-03T21:07:36.199Z", - "modified": "2023-01-03T21:07:36.199Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "name": "Remote Services: SMB/Windows Admin Shares", - "technique_id": "T1021.002", - "description": "To move laterally, the malware logs into any version of SMB with the stolen tokens or harvested credentials and does a UNC write to Admin$ to execute malware", - "confidence": 100, - "effect_refs": [ - "attack-action--fb2b6b4f-edd2-4b53-8894-a95ddcbb5cb7" - ] - }, - { - "type": "attack-action", - "id": "attack-action--efe3d7fe-9a22-4b05-a5af-1eb0f42aa41f", - 
"spec_version": "2.1", - "created": "2023-01-03T21:07:36.199Z", - "modified": "2023-01-03T21:07:36.199Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "name": "Exploitation of Remote Services ", - "technique_id": "T0866", - "description": "To move laterally, NotPetya tests for vulnerable SMBv1 condition (Eternal Blue/Romance exploit) and deploys an SMB backdoor", - "confidence": 100, - "effect_refs": [ - "attack-action--f519deb9-ffbf-4568-9c18-26313af17849" - ] - }, - { - "type": "attack-action", - "id": "attack-action--e72f07e9-2191-4805-9f97-bdd7624b3827", - "spec_version": "2.1", - "created": "2023-01-03T21:07:36.199Z", - "modified": "2023-01-03T21:07:36.199Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "name": "System Network Configuration Discovery", - "technique_id": "T1016", - "description": "Malware issues commands to gather list of known IP addresses and TCP endpoints and enumerate domain controllers", - "confidence": 100, - "effect_refs": [ - "attack-condition--a364596b-e618-4b47-b004-cd7e22c8395f" - ] - }, - { - "type": "attack-condition", - "id": "attack-condition--a364596b-e618-4b47-b004-cd7e22c8395f", - "spec_version": "2.1", - "created": "2023-01-03T21:07:36.199Z", - "modified": "2023-01-03T21:07:36.199Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "description": "Adversary obtains list of IP addresses and TCP endpoints ", - "on_true_refs": [ - "attack-operator--330d9dc0-f167-4e4f-b767-9de6eb56f054" - ] - }, - { - "type": "attack-action", - "id": "attack-action--fb2b6b4f-edd2-4b53-8894-a95ddcbb5cb7", - "spec_version": "2.1", - "created": "2023-01-03T21:07:36.199Z", - "modified": "2023-01-03T21:07:36.199Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": 
"new-sdo" - } - }, - "name": "System Binary Proxy Execution: Rundll32", - "technique_id": "T1218.011", - "description": " Malware executes either using PsExec or WMIC as rundll32.exe", - "confidence": 100, - "effect_refs": [ - "attack-operator--d281113f-2715-4058-be9e-11f4058fca71" - ] - }, - { - "type": "attack-action", - "id": "attack-action--f519deb9-ffbf-4568-9c18-26313af17849", - "spec_version": "2.1", - "created": "2023-01-03T21:07:36.199Z", - "modified": "2023-01-03T21:07:36.199Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "name": "Process Injection", - "technique_id": "T1055", - "description": "To deploy NotPetya on the system, a staging DLL is injected into lsass.exe", - "confidence": 100, - "effect_refs": [ - "attack-action--146b0928-071a-43e8-b115-5ab2c8934fe0" - ] - }, - { - "type": "attack-action", - "id": "attack-action--146b0928-071a-43e8-b115-5ab2c8934fe0", - "spec_version": "2.1", - "created": "2023-01-03T21:07:36.199Z", - "modified": "2023-01-03T21:07:36.199Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "name": "System Binary Proxy Execution: Rundll32", - "technique_id": "T1218/011", - "description": "NotPetya written to c:/windows and executed by the staging DLL as rundll32.exe", - "confidence": 100, - "effect_refs": [ - "attack-operator--d281113f-2715-4058-be9e-11f4058fca71" - ] - }, - { - "type": "attack-operator", - "id": "attack-operator--d281113f-2715-4058-be9e-11f4058fca71", - "spec_version": "2.1", - "created": "2023-01-03T21:07:36.199Z", - "modified": "2023-01-03T21:07:36.199Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "operator": "OR", - "effect_refs": [ - "attack-operator--330d9dc0-f167-4e4f-b767-9de6eb56f054" - ] - }, - { - "type": "attack-operator", - "id": 
"attack-operator--330d9dc0-f167-4e4f-b767-9de6eb56f054", - "spec_version": "2.1", - "created": "2023-01-03T21:07:36.199Z", - "modified": "2023-01-03T21:07:36.199Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "operator": "AND", - "effect_refs": [ - "attack-condition--34ca6ca1-d6d9-4ad5-9bed-65718289425d" - ] - }, - { - "type": "attack-condition", - "id": "attack-condition--7f9d0200-8303-4247-aeeb-8aa9124ccb32", - "spec_version": "2.1", - "created": "2023-01-03T21:07:36.199Z", - "modified": "2023-01-03T21:07:36.199Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "description": "Kaspersky running on system", - "on_true_refs": [ - "attack-operator--43df19e7-f897-4dec-94c8-8c4f32046618" - ], - "on_false_refs": [ - "attack-operator--94e47dc1-7ca9-4bbf-b98c-7c9857f27bfd" - ] - }, - { - "type": "attack-condition", - "id": "attack-condition--34ca6ca1-d6d9-4ad5-9bed-65718289425d", - "spec_version": "2.1", - "created": "2023-01-03T21:07:36.199Z", - "modified": "2023-01-03T21:07:36.199Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "description": "Able to move laterally", - "on_true_refs": [ - "attack-operator--94e47dc1-7ca9-4bbf-b98c-7c9857f27bfd" - ], - "on_false_refs": [ - "attack-operator--43df19e7-f897-4dec-94c8-8c4f32046618" - ] - }, - { - "type": "attack-operator", - "id": "attack-operator--43df19e7-f897-4dec-94c8-8c4f32046618", - "spec_version": "2.1", - "created": "2023-01-03T21:07:36.199Z", - "modified": "2023-01-03T21:07:36.199Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "operator": "AND", - "effect_refs": [ - "attack-action--088db13a-256f-46ab-9024-a83859f0065b" - ] - }, - { - "type": "attack-operator", - "id": 
"attack-operator--94e47dc1-7ca9-4bbf-b98c-7c9857f27bfd", - "spec_version": "2.1", - "created": "2023-01-03T21:07:36.199Z", - "modified": "2023-01-03T21:07:36.199Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "operator": "AND", - "effect_refs": [ - "attack-action--be8a7164-7483-4c1a-8e07-ae64b5cb2be7" - ] - }, - { - "type": "attack-action", - "id": "attack-action--088db13a-256f-46ab-9024-a83859f0065b", - "spec_version": "2.1", - "created": "2023-01-03T21:07:36.199Z", - "modified": "2023-01-03T21:07:36.199Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "name": "N/A", - "technique_id": "N/A", - "description": "NotPetya will not encrypt the MFT and will simply overwrite the first 10 sectors of the physical disk with uninitialized data. It will still render the machine unbootable by overwriting the 2nd section of the C:\\, however, there is the possibility to recover MBR.", - "confidence": 100 - }, - { - "type": "attack-action", - "id": "attack-action--be8a7164-7483-4c1a-8e07-ae64b5cb2be7", - "spec_version": "2.1", - "created": "2023-01-03T21:07:36.199Z", - "modified": "2023-01-03T21:07:36.199Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "name": "Pre-OS Boot: BootKit", - "technique_id": "T1542.003", - "description": "Malware reads and encodes MBR with a custom boot loader that will encrypt the MFT. 
", - "confidence": 100, - "effect_refs": [ - "attack-action--cd21649c-7134-4d4b-ad33-40daaf36e9c1" - ] - }, - { - "type": "attack-action", - "id": "attack-action--cd21649c-7134-4d4b-ad33-40daaf36e9c1", - "spec_version": "2.1", - "created": "2023-01-03T21:07:36.199Z", - "modified": "2023-01-03T21:07:36.199Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "name": "Scheduled Task/Job: Scheduled Task", - "technique_id": "T1053.005", - "description": "NotPetya creates a scheduled task that triggers a reboot 60 min after execution by default", - "confidence": 100, - "effect_refs": [ - "attack-action--c41e27f8-e094-489b-8fee-62698f187dce" - ] - }, - { - "type": "attack-action", - "id": "attack-action--fab926e5-88d8-48b4-9bf2-23aa996076d1", - "spec_version": "2.1", - "created": "2023-01-03T21:07:36.199Z", - "modified": "2023-01-03T21:07:36.199Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "name": "Data Encrypted for Impact", - "technique_id": "T1486", - "description": "The custom boot loader encrypts the MFT. 
NotPetya also encrypted files with specific extensions.", - "confidence": 100, - "effect_refs": [ - "attack-action--9f0ada89-d028-4c87-a1a4-4563705a70b3" - ] - }, - { - "type": "attack-action", - "id": "attack-action--9f0ada89-d028-4c87-a1a4-4563705a70b3", - "spec_version": "2.1", - "created": "2023-01-03T21:07:36.199Z", - "modified": "2023-01-03T21:07:36.199Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "name": "Indicator Removal on Host: Clear Windows Event Logs", - "technique_id": "T1070.001", - "description": "The malware clears setup, system, security, application, and USN journal logs", - "confidence": 100, - "effect_refs": [ - "attack-action--351a47ca-c39f-43e5-8493-3bafe24a6338" - ] - }, - { - "type": "attack-action", - "id": "attack-action--c41e27f8-e094-489b-8fee-62698f187dce", - "spec_version": "2.1", - "created": "2023-01-03T21:07:36.199Z", - "modified": "2023-01-03T21:07:36.199Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "name": "System Shutdown/Reboot", - "technique_id": "T1529", - "description": "System reboots, displays decoy message", - "confidence": 100, - "effect_refs": [ - "attack-action--fab926e5-88d8-48b4-9bf2-23aa996076d1" - ] - }, - { - "type": "attack-action", - "id": "attack-action--351a47ca-c39f-43e5-8493-3bafe24a6338", - "spec_version": "2.1", - "created": "2023-01-03T21:07:36.199Z", - "modified": "2023-01-03T21:07:36.199Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "name": "System Shutdown/Reboot", - "technique_id": "T1529", - "description": "The custom boot loader initiates a disk reboot, and the NotPetya ransomware note is displayed", - "confidence": 100, - "effect_refs": [ - "attack-action--2b64c735-0355-408c-b3a9-755772cc257c" - ] - }, - { - "type": "attack-action", - "id": 
"attack-action--2b64c735-0355-408c-b3a9-755772cc257c", - "spec_version": "2.1", - "created": "2023-01-03T21:07:36.199Z", - "modified": "2023-01-03T21:07:36.199Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "name": "Data Destruction", - "technique_id": "T1485", - "description": "The data is not recoverable", - "confidence": 100 - }, - { - "type": "tool", - "id": "tool--acf759e0-39e6-40f1-901c-212d2e9044cd", - "spec_version": "2.1", - "created": "2023-01-03T21:07:36.199Z", - "modified": "2023-01-03T21:07:36.199Z", - "name": "WMIC", - "description": "WMIC to run rundll32.exe", - "tool_types": [ - "unknown" - ] - }, - { - "type": "tool", - "id": "tool--ddde0280-0aaa-48cf-9b0e-c75e6d55f34a", - "spec_version": "2.1", - "created": "2023-01-03T21:07:36.199Z", - "modified": "2023-01-03T21:07:36.199Z", - "name": "PsExec", - "description": "PsExec to run rundll32.exe", - "tool_types": [ - "unknown" - ] - }, - { - "type": "tool", - "id": "tool--e0a27f9b-b601-4254-80c0-d70131eae83a", - "spec_version": "2.1", - "created": "2023-01-03T21:07:36.199Z", - "modified": "2023-01-03T21:07:36.199Z", - "name": "perfc.dat", - "description": "Ransomware DLL", - "tool_types": [ - "exploitation" - ] - }, - { - "type": "threat-actor", - "id": "threat-actor--b6214cce-f8d3-4d53-9af4-d12212f60600", - "spec_version": "2.1", - "created": "2023-01-03T21:07:36.199Z", - "modified": "2023-01-03T21:07:36.199Z", - "name": "Yuriy Sergeyevich Andrienko", - "description": "Member of Russian Military Unit 74455; developed components of NetPetya", - "sophistication": "innovator", - "resource_level": "government", - "primary_motivation": "organizational-gain" - }, - { - "type": "threat-actor", - "id": "threat-actor--743b2526-fa5b-4bee-95da-f1da91dc9a97", - "spec_version": "2.1", - "created": "2023-01-03T21:07:36.199Z", - "modified": "2023-01-03T21:07:36.199Z", - "name": "Sergey Vladimirovich Destistov", - "description": "Member 
of Russian Military Unit 74455; developed components of NetPetya", - "sophistication": "innovator", - "resource_level": "government", - "primary_motivation": "organizational-gain" - }, - { - "type": "threat-actor", - "id": "threat-actor--013fe92a-9d43-4e21-9894-7aedf8b22cc4", - "spec_version": "2.1", - "created": "2023-01-03T21:07:36.199Z", - "modified": "2023-01-03T21:07:36.199Z", - "name": "Pavel Valeryevich Frolov", - "description": "Member of Russian Military Unit 74455; developed components of NetPetya", - "sophistication": "innovator", - "resource_level": "government", - "primary_motivation": "organizational-gain" - }, - { - "type": "threat-actor", - "id": "threat-actor--6888bbce-09f7-4a91-8dd4-072691322ef4", - "spec_version": "2.1", - "created": "2023-01-03T21:07:36.199Z", - "modified": "2023-01-03T21:07:36.199Z", - "name": "Petr Nikolayevich Pliskin`", - "description": "Member of Russian Military Unit 74455; developed components of NetPetya", - "sophistication": "innovator", - "resource_level": "government", - "primary_motivation": "organizational-gain" - }, - { - "type": "tool", - "id": "tool--12b617d9-4f78-4814-9372-354886a2e158", - "spec_version": "2.1", - "created": "2023-01-03T21:07:36.199Z", - "modified": "2023-01-03T21:07:36.199Z", - "name": "dllhost.dat", - "description": "copy of PsExec utility, which is a telnet replacement that allows execution of processes on other systems ", - "tool_types": [ - "remote-access" - ] - }, - { - "type": "attack-action", - "id": "attack-action--605180eb-64d7-4f54-ae85-a1036cf2dbd3", - "spec_version": "2.1", - "created": "2023-01-03T21:07:36.199Z", - "modified": "2023-01-03T21:07:36.199Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "name": "Search Open Websites/Domains", - "technique_id": "T1593", - "description": "Attackers conducted reconnaissance by learning about EDRPOU and M.E.Doc, queried EDRPOU website, and changed their computer 
language sets to the Ukrainian alphabet", - "confidence": 100, - "asset_refs": [ - "attack-asset--480ded6a-f369-45cf-919a-13a081ad0c59", - "attack-asset--19d7ee4b-340a-4a87-a00d-78f829d3fca0", - "attack-asset--47d3aa59-6289-4c5a-a464-38d9d7a898db", - "attack-asset--e62c8723-2e0a-42b0-abf2-01a32cfbf62a" - ], - "effect_refs": [ - "attack-action--9ac3cd71-b8e4-4902-a134-5bbf2c3dc9b9" - ] - }, - { - "type": "attack-asset", - "id": "attack-asset--480ded6a-f369-45cf-919a-13a081ad0c59", - "spec_version": "2.1", - "created": "2023-01-03T21:07:36.199Z", - "modified": "2023-01-03T21:07:36.199Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "name": "EDRPOU", - "description": "unique legal entity identifier, similar to a tax identification number in the US" - }, - { - "type": "attack-asset", - "id": "attack-asset--47d3aa59-6289-4c5a-a464-38d9d7a898db", - "spec_version": "2.1", - "created": "2023-01-03T21:07:36.199Z", - "modified": "2023-01-03T21:07:36.199Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "name": "Update Server", - "description": "periodically updated M.E.Doc software", - "object_ref": "attack-asset--e62c8723-2e0a-42b0-abf2-01a32cfbf62a" - }, - { - "type": "attack-asset", - "id": "attack-asset--19d7ee4b-340a-4a87-a00d-78f829d3fca0", - "spec_version": "2.1", - "created": "2023-01-03T21:07:36.199Z", - "modified": "2023-01-03T21:07:36.199Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "name": "M.E.Doc", - "description": "Ukrainian accounting software that facilitated communication of tax information to the Ukrainian government", - "object_ref": "attack-asset--47d3aa59-6289-4c5a-a464-38d9d7a898db" - }, - { - "type": "attack-asset", - "id": "attack-asset--e62c8723-2e0a-42b0-abf2-01a32cfbf62a", - "spec_version": "2.1", - "created": 
"2023-01-03T21:07:36.199Z", - "modified": "2023-01-03T21:07:36.199Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "name": "Certificate Website", - "description": "hosted on the Update Server; checks whether a company had a valid certificate for verifying electronic signatures" - }, - { - "type": "attack-asset", - "id": "attack-asset--f16ebb0d-0c67-482a-ab1e-673bb376280c", - "spec_version": "2.1", - "created": "2023-01-03T21:07:36.199Z", - "modified": "2023-01-03T21:07:36.199Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "name": "Update File" - }, - { - "type": "tool", - "id": "tool--f94b1a09-8276-40cc-b8e0-7da67db6cc4c", - "spec_version": "2.1", - "created": "2023-01-03T21:07:36.199Z", - "modified": "2023-01-03T21:07:36.199Z", - "name": "Cookie", - "description": "contained the EDRPOU list and computer username that was logged into the computer running M.E.Docs", - "tool_types": [ - "unknown" - ] - }, - { - "type": "attack-action", - "id": "attack-action--460b67ee-7fbe-4930-a019-fe07ae742c34", - "spec_version": "2.1", - "created": "2023-01-03T21:07:36.199Z", - "modified": "2023-01-03T21:07:36.199Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "name": "Supply Chain Compromise", - "technique_id": "T1195", - "description": "Attackers added malicious functionality to the files containing software updates for M.E.Doc to collect a list of all EDRPOUs associated with computers using the M.E.Doc software which would eventually deliver the NotPetya ", - "confidence": 100, - "effect_refs": [ - "attack-action--0cfbada8-ad55-4b75-a4c6-acd5e34a00d0" - ] - }, - { - "type": "attack-action", - "id": "attack-action--0cfbada8-ad55-4b75-a4c6-acd5e34a00d0", - "spec_version": "2.1", - "created": "2023-01-03T21:07:36.199Z", - "modified": 
"2023-01-03T21:07:36.199Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "name": "Supply Chain Compromise", - "technique_id": "T1195", - "description": "Attackers rerouted internet traffic from computers updating M.E.Doc software via the Update Server to France-based server controlled by attackers", - "confidence": 100, - "effect_refs": [ - "attack-action--698fd2b3-f021-4f74-8141-d48ba11ce09c" - ] - }, - { - "type": "infrastructure", - "id": "infrastructure--bcbb1e31-6ed6-491b-84ff-ae39294a11ec", - "spec_version": "2.1", - "created": "2023-01-03T21:07:36.199Z", - "modified": "2023-01-03T21:07:36.199Z", - "name": "C2", - "description": "Server based in France that delivered the NotPetya malware to victims ", - "infrastructure_types": [ - "command-and-control" - ], - "first_seen": "2017-06-27T04:00:00.000Z" - }, - { - "type": "tool", - "id": "tool--c6970936-f543-4ef5-bd2d-62edb80be7f1", - "spec_version": "2.1", - "created": "2023-01-03T21:07:36.199Z", - "modified": "2023-01-03T21:07:36.199Z", - "name": ".tmp file", - "description": "Credential theft module", - "tool_types": [ - "credential-exploitation" - ] - }, - { - "type": "tool", - "id": "tool--003fe92e-982e-413b-a68f-0f15ffc22ff6", - "spec_version": "2.1", - "created": "2023-01-03T21:07:36.199Z", - "modified": "2023-01-03T21:07:36.199Z", - "name": "Eternal Blue/Romance exploit", - "tool_types": [ - "exploitation" - ] - }, - { - "type": "tool", - "id": "tool--ad9bb832-3dd1-4155-86b9-6a4b2c601d2c", - "spec_version": "2.1", - "created": "2023-01-03T21:07:36.199Z", - "modified": "2023-01-03T21:07:36.199Z", - "name": "Custom boot loader", - "tool_types": [ - "exploitation" - ] - }, - { - "type": "note", - "id": "note--5d3fb047-93cd-46c8-9f06-8c22d897fcf0", - "spec_version": "2.1", - "created": "2023-01-03T21:07:36.199Z", - "modified": "2023-01-03T21:07:36.199Z", - "content": "Credentials are also harvested if the attackers gains the 
following privileges: SeTcbPrivilege & SeDebugPrivilege, SeShutdownPrivilege & SeDubugPrivilege, and SeTcbPrivilege & SeShutdownPrivilege & SeDebugPrivilege", - "object_refs": [ - "attack-action--2010cb6c-cca8-45a4-99ca-ed2a2ace8d45" - ] - }, - { - "type": "relationship", - "id": "relationship--24fd0dab-1a02-4b40-9ccc-46acf16a1f8d", - "spec_version": "2.1", - "created": "2023-01-03T21:07:36.199Z", - "modified": "2023-01-03T21:07:36.199Z", - "relationship_type": "related-to", - "source_ref": "attack-action--9ac3cd71-b8e4-4902-a134-5bbf2c3dc9b9", - "target_ref": "tool--f94b1a09-8276-40cc-b8e0-7da67db6cc4c" - }, - { - "type": "relationship", - "id": "relationship--b878be58-8564-42ed-912e-2490934f6021", - "spec_version": "2.1", - "created": "2023-01-03T21:07:36.199Z", - "modified": "2023-01-03T21:07:36.199Z", - "relationship_type": "related-to", - "source_ref": "attack-action--698fd2b3-f021-4f74-8141-d48ba11ce09c", - "target_ref": "tool--12b617d9-4f78-4814-9372-354886a2e158" - }, - { - "type": "relationship", - "id": "relationship--5655b416-dd36-4140-8893-79853690ea82", - "spec_version": "2.1", - "created": "2023-01-03T21:07:36.199Z", - "modified": "2023-01-03T21:07:36.199Z", - "relationship_type": "related-to", - "source_ref": "attack-action--698fd2b3-f021-4f74-8141-d48ba11ce09c", - "target_ref": "tool--e0a27f9b-b601-4254-80c0-d70131eae83a" - }, - { - "type": "relationship", - "id": "relationship--5bad1390-7848-46bc-a507-a69f86f8bb27", - "spec_version": "2.1", - "created": "2023-01-03T21:07:36.199Z", - "modified": "2023-01-03T21:07:36.199Z", - "relationship_type": "related-to", - "source_ref": "attack-action--2010cb6c-cca8-45a4-99ca-ed2a2ace8d45", - "target_ref": "tool--c6970936-f543-4ef5-bd2d-62edb80be7f1" - }, - { - "type": "relationship", - "id": "relationship--23923c7d-febb-4bf2-8aeb-ee512c6f4be3", - "spec_version": "2.1", - "created": "2023-01-03T21:07:36.199Z", - "modified": "2023-01-03T21:07:36.199Z", - "relationship_type": "related-to", - "source_ref": 
"attack-action--efe3d7fe-9a22-4b05-a5af-1eb0f42aa41f", - "target_ref": "tool--003fe92e-982e-413b-a68f-0f15ffc22ff6" - }, - { - "type": "relationship", - "id": "relationship--6ffb40b6-b748-4414-aaef-190d582da17d", - "spec_version": "2.1", - "created": "2023-01-03T21:07:36.199Z", - "modified": "2023-01-03T21:07:36.199Z", - "relationship_type": "related-to", - "source_ref": "attack-action--fb2b6b4f-edd2-4b53-8894-a95ddcbb5cb7", - "target_ref": "tool--ddde0280-0aaa-48cf-9b0e-c75e6d55f34a" - }, - { - "type": "relationship", - "id": "relationship--d5076f82-2791-4b83-8479-9f37638a3761", - "spec_version": "2.1", - "created": "2023-01-03T21:07:36.199Z", - "modified": "2023-01-03T21:07:36.199Z", - "relationship_type": "related-to", - "source_ref": "attack-action--fb2b6b4f-edd2-4b53-8894-a95ddcbb5cb7", - "target_ref": "tool--acf759e0-39e6-40f1-901c-212d2e9044cd" - }, - { - "type": "relationship", - "id": "relationship--f8a72777-f431-42a9-996d-6ecb69f09b57", - "spec_version": "2.1", - "created": "2023-01-03T21:07:36.199Z", - "modified": "2023-01-03T21:07:36.199Z", - "relationship_type": "related-to", - "source_ref": "attack-action--be8a7164-7483-4c1a-8e07-ae64b5cb2be7", - "target_ref": "tool--ad9bb832-3dd1-4155-86b9-6a4b2c601d2c" - }, - { - "type": "relationship", - "id": "relationship--9e44a8da-2893-4bb3-acbe-508a67d18951", - "spec_version": "2.1", - "created": "2023-01-03T21:07:36.199Z", - "modified": "2023-01-03T21:07:36.199Z", - "relationship_type": "related-to", - "source_ref": "attack-action--0cfbada8-ad55-4b75-a4c6-acd5e34a00d0", - "target_ref": "infrastructure--bcbb1e31-6ed6-491b-84ff-ae39294a11ec" - } - ] -} \ No newline at end of file diff --git a/corpus/Ragnar Locker.json b/corpus/Ragnar Locker.json deleted file mode 100644 index 5b4298e2..00000000 --- a/corpus/Ragnar Locker.json +++ /dev/null 
@@ -1,840 +0,0 @@ -{ - "type": "bundle", - "id": "bundle--e7993890-2819-4140-90df-2563bd3e3879", - "spec_version": "2.1", - "created": "2023-01-03T22:31:05.755Z", - "modified": "2023-01-03T22:31:05.755Z", - "objects": [ - { - "type": "extension-definition", - "id": "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4", - "spec_version": "2.1", - "created": "2022-08-02T19:34:35.143Z", - "modified": "2022-08-02T19:34:35.143Z", - "name": "Attack Flow", - "description": "Extends STIX 2.1 with features to create Attack Flows.", - "created_by_ref": "identity--fb9c968a-745b-4ade-9b25-c324172197f4", - "schema": "https://center-for-threat-informed-defense.github.io/attack-flow/stix/attack-flow-schema-2.0.0.json", - "version": "2.0.0", - "extension_types": [ - "new-sdo" - ], - "external_references": [ - { - "source_name": "Documentation", - "description": "Documentation for Attack Flow", - "url": "https://center-for-threat-informed-defense.github.io/attack-flow" - }, - { - "source_name": "GitHub", - "description": "Source code repository for Attack Flow", - "url": "https://github.com/center-for-threat-informed-defense/attack-flow" - } - ] - }, - { - "type": "identity", - "id": "identity--fb9c968a-745b-4ade-9b25-c324172197f4", - "spec_version": "2.1", - "created": "2022-08-02T19:34:35.143Z", - "modified": "2022-08-02T19:34:35.143Z", - "create_by_ref": "identity--fb9c968a-745b-4ade-9b25-c324172197f4", - "name": "MITRE Engenuity Center for Threat-Informed Defense", - "identity_class": "organization" - }, - { - "type": "attack-flow", - "id": "attack-flow--058d93c8-baa2-46fb-b620-29d0fb2da0b5", - "spec_version": "2.1", - "created": "2022-10-27T02:44:54.520Z", - "modified": "2023-01-03T22:31:05.756Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "created_by_ref": "identity--fbcdf7ab-4b78-434b-96d9-ce1b36d291c8", - "start_refs": [ - "attack-action--3e22a477-71cd-4aef-94da-33cdde6da4d8", - 
"attack-action--dac00d37-82b6-4474-b753-88c12a3b9486", - "attack-condition--bdcb1a7b-ad10-41af-8a4d-ef0b009df0d5" - ], - "name": "Ragnar Locker", - "description": "Profile of a ransomware group", - "author": [ - [ - "name", - "Mia Sanchez" - ], - [ - "identity_class", - "23b79ae0fc0f07a3669598dd23c694cc" - ], - [ - "contact_information", - "msanchez@mitre.org" - ] - ], - "scope": "threat actor", - "external_references": [ - { - "source_name": "Acronis", - "description": "Article", - "url": "https://www.acronis.com/en-us/blog/posts/ragnar-locker/" - }, - { - "source_name": "Avertium", - "description": "Article", - "url": "https://www.avertium.com/resources/threat-reports/ragnar-locker-ransomware-attacks-analysis" - }, - { - "source_name": "Milton Security", - "description": "CVE", - "url": "https://www.miltonsecurity.com/company/blog/cve-2017-0213-windows-com-privilege-escalation-vulnerability" - }, - { - "source_name": "Sophos", - "description": "Article", - "url": "https://news.sophos.com/en-us/2020/05/21/ragnar-locker-ransomware-deploys-virtual-machine-to-dodge-security/" - }, - { - "source_name": "Zscaler", - "description": "Article", - "url": "https://www.zscaler.com/blogs/security-research/threatlabz-ransomware-review-advent-double-extortion" - } - ] - }, - { - "type": "identity", - "id": "identity--fbcdf7ab-4b78-434b-96d9-ce1b36d291c8", - "spec_version": "2.1", - "created": "2023-01-03T22:31:05.756Z", - "modified": "2023-01-03T22:31:05.756Z", - "name": "Mia Sanchez", - "identity_class": "individual", - "contact_information": "msanchez@mitre.org" - }, - { - "type": "threat-actor", - "id": "threat-actor--38c0871a-8385-4a6c-bcc3-525b2cca5cfd", - "spec_version": "2.1", - "created": "2023-01-03T22:31:05.756Z", - "modified": "2023-01-03T22:31:05.756Z", - "name": "Ragnar Locker", - "description": "Name of a ransomware and a ransomware gang; breached energy, critical manufacturing, financial services, government, and information technology sectors; the ransomware 
gang is a part of a ransomware family, working with multiple ransomware variants and threat actor groups", - "first_seen": "2019-12-01T05:00:00.000Z", - "sophistication": "advanced", - "resource_level": "organization", - "primary_motivation": "organizational-gain" - }, - { - "type": "attack-action", - "id": "attack-action--3e22a477-71cd-4aef-94da-33cdde6da4d8", - "spec_version": "2.1", - "created": "2023-01-03T22:31:05.756Z", - "modified": "2023-01-03T22:31:05.756Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "name": "Brute Force", - "technique_id": "T1110", - "description": " Attackers brute force passwords for the RDP service", - "confidence": 100, - "effect_refs": [ - "attack-operator--2cab6c72-de7c-4a71-98d7-242af3ce40a6" - ] - }, - { - "type": "attack-action", - "id": "attack-action--dac00d37-82b6-4474-b753-88c12a3b9486", - "spec_version": "2.1", - "created": "2023-01-03T22:31:05.756Z", - "modified": "2023-01-03T22:31:05.756Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "name": "Valid Accounts", - "technique_id": "T1078", - "description": "Attackers purchased stolen credentials from the black market for the victim's RDP service", - "confidence": 100, - "effect_refs": [ - "attack-operator--2cab6c72-de7c-4a71-98d7-242af3ce40a6" - ] - }, - { - "type": "attack-condition", - "id": "attack-condition--bdcb1a7b-ad10-41af-8a4d-ef0b009df0d5", - "spec_version": "2.1", - "created": "2023-01-03T22:31:05.756Z", - "modified": "2023-01-03T22:31:05.756Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "description": "Attacker compromises the victim's RDP service", - "on_true_refs": [ - "attack-action--5342b2fd-c6dd-42ec-a6e0-3ed811f73850" - ] - }, - { - "type": "attack-operator", - "id": 
"attack-operator--2cab6c72-de7c-4a71-98d7-242af3ce40a6", - "spec_version": "2.1", - "created": "2023-01-03T22:31:05.756Z", - "modified": "2023-01-03T22:31:05.756Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "operator": "AND", - "effect_refs": [ - "attack-condition--bdcb1a7b-ad10-41af-8a4d-ef0b009df0d5" - ] - }, - { - "type": "attack-action", - "id": "attack-action--5342b2fd-c6dd-42ec-a6e0-3ed811f73850", - "spec_version": "2.1", - "created": "2023-01-03T22:31:05.756Z", - "modified": "2023-01-03T22:31:05.756Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "name": "Event Triggered Execution: Component Object Model Hijacking", - "technique_id": "T1546.015", - "description": "Attacker exploited a vulnerability in the Windows COM Aggregate Marshaler", - "confidence": 100, - "effect_refs": [ - "attack-condition--6279c87c-9f2c-4d51-9cd6-435fbf25ba03" - ] - }, - { - "type": "vulnerability", - "id": "vulnerability--46d6c525-3d83-49a3-b7ee-61cb20432849", - "spec_version": "2.1", - "created": "2023-01-03T22:31:05.756Z", - "modified": "2023-01-03T22:31:05.756Z", - "name": "CVE-2017-0213", - "description": "vulnerability within Windows COM Aggregate Marshaler to run arbitrary code with elevated privileges" - }, - { - "type": "attack-condition", - "id": "attack-condition--6279c87c-9f2c-4d51-9cd6-435fbf25ba03", - "spec_version": "2.1", - "created": "2023-01-03T22:31:05.756Z", - "modified": "2023-01-03T22:31:05.756Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "description": "Attacker elevates privileges to administrator-level access", - "on_true_refs": [ - "attack-action--7f17b0e9-c97d-4d47-a0e1-7764a470c166" - ], - "on_false_refs": [ - "attack-action--4c86708e-d142-4521-909d-3e3ce918042f" - ] - }, - { - "type": "tool", - "id": 
"tool--a041a237-8038-45d2-8264-c86a777710fd", - "spec_version": "2.1", - "created": "2023-01-03T22:31:05.756Z", - "modified": "2023-01-03T22:31:05.756Z", - "name": "Special Application", - "description": "To exploit CVE-2017-0213, the attackers run a specially crafted application", - "tool_types": [ - "exploitation" - ] - }, - { - "type": "attack-action", - "id": "attack-action--a8c21650-07b5-4afd-b75a-7ab04eb40029", - "spec_version": "2.1", - "created": "2023-01-03T22:31:05.756Z", - "modified": "2023-01-03T22:31:05.756Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "name": "System Location Discovery: System Language Discovery", - "technique_id": "T1614.001", - "description": "Attackers check for locale information. If the machine’s default language matches one on the CIS list, the ransomware process is terminated with the “666” exit code.", - "confidence": 100, - "effect_refs": [ - "attack-action--47d7d677-d9ca-41fc-a6c4-f9911e056b35" - ] - }, - { - "type": "attack-action", - "id": "attack-action--4c86708e-d142-4521-909d-3e3ce918042f", - "spec_version": "2.1", - "created": "2023-01-03T22:31:05.756Z", - "modified": "2023-01-03T22:31:05.756Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "name": "Domain Policy Modification: Group Policy Modification", - "technique_id": "T1484.001", - "description": "Attackers use GPO to move laterally", - "confidence": 100, - "effect_refs": [ - "attack-operator--70d4f064-5327-4139-88a9-fe6ee09ae73b" - ] - }, - { - "type": "tool", - "id": "tool--b5850e52-5d84-4ae3-8e3e-43b8b5b4b659", - "spec_version": "2.1", - "created": "2023-01-03T22:31:05.756Z", - "modified": "2023-01-03T22:31:05.756Z", - "name": "msiexec.exe", - "description": "Attackers use Microsoft Installer to pass parameters to a remote web server ", - "tool_types": [ - "remote-access", - "exploitation" - ] - }, - { 
- "type": "infrastructure", - "id": "infrastructure--5e1c6ff4-a5b2-4cba-be87-c05e026729d6", - "spec_version": "2.1", - "created": "2023-01-03T22:31:05.756Z", - "modified": "2023-01-03T22:31:05.756Z", - "name": "Remote Web Server", - "infrastructure_types": [ - "hosting-malware" - ] - }, - { - "type": "tool", - "id": "tool--ab5ee969-33ca-4ead-bc33-90106dd462d9", - "spec_version": "2.1", - "created": "2023-01-03T22:31:05.756Z", - "modified": "2023-01-03T22:31:05.756Z", - "name": "MSI package", - "description": "downloaded MSI package contained the following: working installation of an old Oracle VirtualBox hypervisor (Sun xVM VirtualBox version 3.0.4 from Aug 5, 2009) & a virtual disk image (VDI) named micro.vdi (image is stripped-down version of Windows XP SP3 OS called MicroXP v0.82) that includes the Ragnar Locker ransomware", - "tool_types": [ - "unknown" - ] - }, - { - "type": "attack-action", - "id": "attack-action--7f17b0e9-c97d-4d47-a0e1-7764a470c166", - "spec_version": "2.1", - "created": "2023-01-03T22:31:05.756Z", - "modified": "2023-01-03T22:31:05.756Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "name": "Command and Scripting Interpreter: PowerShell", - "technique_id": "T1059.001", - "description": "Attackers use PowerShell to move laterally", - "confidence": 100, - "effect_refs": [ - "attack-operator--70d4f064-5327-4139-88a9-fe6ee09ae73b" - ] - }, - { - "type": "attack-operator", - "id": "attack-operator--70d4f064-5327-4139-88a9-fe6ee09ae73b", - "spec_version": "2.1", - "created": "2023-01-03T22:31:05.756Z", - "modified": "2023-01-03T22:31:05.756Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "operator": "OR", - "effect_refs": [ - "attack-condition--9f7b70da-99ce-43a6-98dd-dd05fe6a35c3" - ] - }, - { - "type": "attack-condition", - "id": "attack-condition--9f7b70da-99ce-43a6-98dd-dd05fe6a35c3", 
- "spec_version": "2.1", - "created": "2023-01-03T22:31:05.756Z", - "modified": "2023-01-03T22:31:05.756Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "description": "Attackers move laterally across the network, infecting other computers", - "on_true_refs": [ - "attack-action--e0c4c51e-004b-4b3f-91a0-0c6d45683f38" - ] - }, - { - "type": "attack-action", - "id": "attack-action--e0c4c51e-004b-4b3f-91a0-0c6d45683f38", - "spec_version": "2.1", - "created": "2023-01-03T22:31:05.756Z", - "modified": "2023-01-03T22:31:05.756Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "name": "System Binary Proxy Execution: Msiexec", - "technique_id": "T1218.007", - "description": "Attackers used GPO to execute Microsoft Installer ", - "confidence": 100, - "effect_refs": [ - "attack-action--a157005f-50a2-45e4-9e7b-ea713e9bbcc8" - ] - }, - { - "type": "attack-action", - "id": "attack-action--258682c6-fad0-4daf-964b-41b1e6cb6fdd", - "spec_version": "2.1", - "created": "2023-01-03T22:31:05.756Z", - "modified": "2023-01-03T22:31:05.756Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "name": "Ingress Tool Transfer", - "technique_id": "T1105", - "description": "Attackers run an executable, batch file, and support files", - "confidence": 100, - "effect_refs": [ - "attack-action--7f8a1ea9-0e16-4229-b40d-148ffafe2ea6", - "attack-action--d6fcccf3-4f43-4b5a-b966-c24853916163", - "attack-action--80af5404-8374-4dc8-a254-8503c30b7bcd", - "attack-action--b6f6bf27-9a31-4bd8-a89d-3121e6dc3f7d", - "attack-action--3fc6b75b-3de3-4879-a5dd-a4c211e3cd3e" - ] - }, - { - "type": "attack-action", - "id": "attack-action--47d7d677-d9ca-41fc-a6c4-f9911e056b35", - "spec_version": "2.1", - "created": "2023-01-03T22:31:05.756Z", - "modified": "2023-01-03T22:31:05.756Z", - 
"extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "name": "Hide Artifacts: Run Virtual Instance", - "technique_id": "T1564.006", - "description": "The attacker deploys a VirtualBox VM and loads a Windows XP image", - "confidence": 100, - "effect_refs": [ - "attack-action--065964e1-07c5-468b-ba47-7b59dd3784a2" - ] - }, - { - "type": "attack-action", - "id": "attack-action--065964e1-07c5-468b-ba47-7b59dd3784a2", - "spec_version": "2.1", - "created": "2023-01-03T22:31:05.756Z", - "modified": "2023-01-03T22:31:05.756Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "name": "Peripheral Device Discovery", - "technique_id": "T1120", - "description": "The VM image maps all local drives as read/writable into the virtual machine. This allows the ransomware process running inside the VM to encrypt all files. ", - "confidence": 100, - "effect_refs": [ - "attack-action--c4d26264-450d-4fd0-8ae2-64708b5c267c" - ] - }, - { - "type": "tool", - "id": "tool--882bf627-a833-43fc-aa06-e5a5591322fc", - "spec_version": "2.1", - "created": "2023-01-03T22:31:05.756Z", - "modified": "2023-01-03T22:31:05.756Z", - "name": "Executable", - "description": "va.exe - runs the batch script", - "tool_types": [ - "exploitation" - ] - }, - { - "type": "tool", - "id": "tool--861f6ca6-9684-4f9c-b2be-18b895e85382", - "spec_version": "2.1", - "created": "2023-01-03T22:31:05.756Z", - "modified": "2023-01-03T22:31:05.756Z", - "name": "Batch Script", - "description": "install.bat", - "tool_types": [ - "exploitation" - ] - }, - { - "type": "attack-action", - "id": "attack-action--d6fcccf3-4f43-4b5a-b966-c24853916163", - "spec_version": "2.1", - "created": "2023-01-03T22:31:05.757Z", - "modified": "2023-01-03T22:31:05.757Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "name": 
"Execution", - "tactic_id": "TA0002", - "description": "Batch file registers and runs VirtualBox application extensions - VBoxC.dll and VBoxRT.dll", - "confidence": 100, - "effect_refs": [ - "attack-operator--f07207cf-51bc-4f9f-bf2b-7e7f37aabc7d" - ] - }, - { - "type": "attack-action", - "id": "attack-action--7f8a1ea9-0e16-4229-b40d-148ffafe2ea6", - "spec_version": "2.1", - "created": "2023-01-03T22:31:05.757Z", - "modified": "2023-01-03T22:31:05.757Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "name": "Defense Evasion", - "tactic_id": "TA0005", - "description": "Batch file stops Windows Shell Hardware Detection (to disable the Windows AutoPlay notification functionality) ", - "confidence": 100, - "effect_refs": [ - "attack-operator--f07207cf-51bc-4f9f-bf2b-7e7f37aabc7d" - ] - }, - { - "type": "attack-action", - "id": "attack-action--b6f6bf27-9a31-4bd8-a89d-3121e6dc3f7d", - "spec_version": "2.1", - "created": "2023-01-03T22:31:05.757Z", - "modified": "2023-01-03T22:31:05.757Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "name": "Reconnaissance", - "tactic_id": "TA0043", - "description": "Batch script enumerates local disks and connects removable drives and mapped network drives to be accessed within the virtual machine", - "confidence": 100, - "effect_refs": [ - "attack-operator--f07207cf-51bc-4f9f-bf2b-7e7f37aabc7d" - ] - }, - { - "type": "attack-action", - "id": "attack-action--80af5404-8374-4dc8-a254-8503c30b7bcd", - "spec_version": "2.1", - "created": "2023-01-03T22:31:05.757Z", - "modified": "2023-01-03T22:31:05.757Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "name": "Service Stop", - "technique_id": "T1489", - "description": "Batch file terminates many processes/servers and remote management software, closes opened 
files, and disables AntiVirus software", - "confidence": 100, - "effect_refs": [ - "attack-operator--f07207cf-51bc-4f9f-bf2b-7e7f37aabc7d" - ] - }, - { - "type": "attack-action", - "id": "attack-action--c4d26264-450d-4fd0-8ae2-64708b5c267c", - "spec_version": "2.1", - "created": "2023-01-03T22:31:05.757Z", - "modified": "2023-01-03T22:31:05.757Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "name": "Exfiltration over Web Service", - "technique_id": "T1567", - "description": "The ransomware steals files and uploads them to one or more servers in case the victim refuses to pay the ransom", - "confidence": 100, - "effect_refs": [ - "attack-action--cdcf257c-acd6-4a62-9b9a-f10aca957af5" - ] - }, - { - "type": "attack-action", - "id": "attack-action--3fc6b75b-3de3-4879-a5dd-a4c211e3cd3e", - "spec_version": "2.1", - "created": "2023-01-03T22:31:05.757Z", - "modified": "2023-01-03T22:31:05.757Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "name": "Inhibit System Recovery", - "technique_id": "T1490", - "description": "The batch file deletes volume shadow copies (so older unencrypted versions of files cannot be restored)", - "confidence": 100, - "effect_refs": [ - "attack-operator--f07207cf-51bc-4f9f-bf2b-7e7f37aabc7d" - ] - }, - { - "type": "attack-operator", - "id": "attack-operator--f07207cf-51bc-4f9f-bf2b-7e7f37aabc7d", - "spec_version": "2.1", - "created": "2023-01-03T22:31:05.757Z", - "modified": "2023-01-03T22:31:05.757Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "operator": "AND", - "effect_refs": [ - "attack-action--a8c21650-07b5-4afd-b75a-7ab04eb40029" - ] - }, - { - "type": "attack-action", - "id": "attack-action--33285dd9-ae14-4bfd-9fdc-7e235da39487", - "spec_version": "2.1", - "created": "2023-01-03T22:31:05.757Z", - 
"modified": "2023-01-03T22:31:05.757Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "name": "Data Encrypted for Impact", - "technique_id": "T1486", - "description": "Ragnar Locker begins the encryption process in 64 simultaneous threads. The encrypted file contains the encrypted Salsa20 key data (40+32 bytes) with the signature ‘_RAGNAR_’ added to the footer at the very end.", - "confidence": 100, - "effect_refs": [ - "attack-condition--448cf0df-edca-4dea-a55e-54dfac087ece" - ] - }, - { - "type": "attack-action", - "id": "attack-action--a157005f-50a2-45e4-9e7b-ea713e9bbcc8", - "spec_version": "2.1", - "created": "2023-01-03T22:31:05.757Z", - "modified": "2023-01-03T22:31:05.757Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "name": "Ingress Tool Transfer", - "technique_id": "T1105", - "description": "Attackers install a 122MB crafted, unsigned MSI package from the remote web server", - "confidence": 100, - "effect_refs": [ - "attack-condition--2ead9766-c614-475f-9cbf-7337f4bb240d" - ] - }, - { - "type": "attack-condition", - "id": "attack-condition--2ead9766-c614-475f-9cbf-7337f4bb240d", - "spec_version": "2.1", - "created": "2023-01-03T22:31:05.757Z", - "modified": "2023-01-03T22:31:05.757Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "description": "Virtualization software and vdi located in a newly created directory", - "on_true_refs": [ - "attack-action--258682c6-fad0-4daf-964b-41b1e6cb6fdd" - ] - }, - { - "type": "tool", - "id": "tool--05df012d-5f72-4f85-af36-51ca022ccf03", - "spec_version": "2.1", - "created": "2023-01-03T22:31:05.757Z", - "modified": "2023-01-03T22:31:05.757Z", - "name": "VirtualBox", - "tool_types": [ - "unknown" - ] - }, - { - "type": "tool", - "id": "tool--7ebc622f-6a40-4bea-9e0d-f17f88b9083c", - 
"spec_version": "2.1", - "created": "2023-01-03T22:31:05.757Z", - "modified": "2023-01-03T22:31:05.757Z", - "name": "micro.vdi", - "description": "stripped-down Windows XP image containing ransomware", - "tool_types": [ - "unknown" - ] - }, - { - "type": "infrastructure", - "id": "infrastructure--d853ec10-42cc-4bc1-863e-c67283989e7b", - "spec_version": "2.1", - "created": "2023-01-03T22:31:05.757Z", - "modified": "2023-01-03T22:31:05.757Z", - "name": "Servers", - "description": "Receive sensitive files from victim", - "infrastructure_types": [ - "exfiltration" - ] - }, - { - "type": "attack-action", - "id": "attack-action--cdcf257c-acd6-4a62-9b9a-f10aca957af5", - "spec_version": "2.1", - "created": "2023-01-03T22:31:05.757Z", - "modified": "2023-01-03T22:31:05.757Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "name": "Obfuscated Files or Information", - "technique_id": "T1027", - "description": "Attackers protect the ransomware code with junk code and encryption", - "confidence": 100, - "effect_refs": [ - "attack-action--33285dd9-ae14-4bfd-9fdc-7e235da39487" - ] - }, - { - "type": "attack-condition", - "id": "attack-condition--448cf0df-edca-4dea-a55e-54dfac087ece", - "spec_version": "2.1", - "created": "2023-01-03T22:31:05.758Z", - "modified": "2023-01-03T22:31:05.758Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "description": "Ransomware successfully encrypts files and displays the ransomware note" - }, - { - "type": "relationship", - "id": "relationship--fb4ba15e-fc8b-4f39-93f5-af5efaac4f55", - "spec_version": "2.1", - "created": "2023-01-03T22:31:05.759Z", - "modified": "2023-01-03T22:31:05.759Z", - "relationship_type": "related-to", - "source_ref": "attack-action--5342b2fd-c6dd-42ec-a6e0-3ed811f73850", - "target_ref": "vulnerability--46d6c525-3d83-49a3-b7ee-61cb20432849" - }, - { - "type": 
"relationship", - "id": "relationship--1a882a60-aa42-48d5-b4f2-596ec9e77815", - "spec_version": "2.1", - "created": "2023-01-03T22:31:05.760Z", - "modified": "2023-01-03T22:31:05.760Z", - "relationship_type": "related-to", - "source_ref": "attack-action--5342b2fd-c6dd-42ec-a6e0-3ed811f73850", - "target_ref": "tool--a041a237-8038-45d2-8264-c86a777710fd" - }, - { - "type": "relationship", - "id": "relationship--d87b6a5e-e8a1-4837-b3ae-10c14f393dbf", - "spec_version": "2.1", - "created": "2023-01-03T22:31:05.760Z", - "modified": "2023-01-03T22:31:05.760Z", - "relationship_type": "related-to", - "source_ref": "attack-action--e0c4c51e-004b-4b3f-91a0-0c6d45683f38", - "target_ref": "tool--b5850e52-5d84-4ae3-8e3e-43b8b5b4b659" - }, - { - "type": "relationship", - "id": "relationship--9ff70a46-b654-4e3e-9ef4-530e17795a0b", - "spec_version": "2.1", - "created": "2023-01-03T22:31:05.760Z", - "modified": "2023-01-03T22:31:05.760Z", - "relationship_type": "related-to", - "source_ref": "attack-action--258682c6-fad0-4daf-964b-41b1e6cb6fdd", - "target_ref": "tool--861f6ca6-9684-4f9c-b2be-18b895e85382" - }, - { - "type": "relationship", - "id": "relationship--5edcb1e6-f076-4eee-a657-29e1bccee7f3", - "spec_version": "2.1", - "created": "2023-01-03T22:31:05.760Z", - "modified": "2023-01-03T22:31:05.760Z", - "relationship_type": "related-to", - "source_ref": "attack-action--258682c6-fad0-4daf-964b-41b1e6cb6fdd", - "target_ref": "tool--882bf627-a833-43fc-aa06-e5a5591322fc" - }, - { - "type": "relationship", - "id": "relationship--6d8a6aaa-939f-49cf-8cd0-4caebc83902c", - "spec_version": "2.1", - "created": "2023-01-03T22:31:05.760Z", - "modified": "2023-01-03T22:31:05.760Z", - "relationship_type": "related-to", - "source_ref": "attack-action--47d7d677-d9ca-41fc-a6c4-f9911e056b35", - "target_ref": "tool--7ebc622f-6a40-4bea-9e0d-f17f88b9083c" - }, - { - "type": "relationship", - "id": "relationship--7422d639-ad21-4c49-906c-83071da3108d", - "spec_version": "2.1", - "created": 
"2023-01-03T22:31:05.760Z", - "modified": "2023-01-03T22:31:05.760Z", - "relationship_type": "related-to", - "source_ref": "attack-action--47d7d677-d9ca-41fc-a6c4-f9911e056b35", - "target_ref": "tool--05df012d-5f72-4f85-af36-51ca022ccf03" - }, - { - "type": "relationship", - "id": "relationship--9dbd6ec8-ba75-4b76-999a-797e7dc0a740", - "spec_version": "2.1", - "created": "2023-01-03T22:31:05.760Z", - "modified": "2023-01-03T22:31:05.760Z", - "relationship_type": "related-to", - "source_ref": "attack-action--c4d26264-450d-4fd0-8ae2-64708b5c267c", - "target_ref": "infrastructure--d853ec10-42cc-4bc1-863e-c67283989e7b" - }, - { - "type": "relationship", - "id": "relationship--2f769552-9308-402d-bc88-77f5163218ef", - "spec_version": "2.1", - "created": "2023-01-03T22:31:05.761Z", - "modified": "2023-01-03T22:31:05.761Z", - "relationship_type": "related-to", - "source_ref": "attack-action--a157005f-50a2-45e4-9e7b-ea713e9bbcc8", - "target_ref": "infrastructure--5e1c6ff4-a5b2-4cba-be87-c05e026729d6" - }, - { - "type": "relationship", - "id": "relationship--1f16ee1f-b3ad-4404-8893-613d2c839774", - "spec_version": "2.1", - "created": "2023-01-03T22:31:05.761Z", - "modified": "2023-01-03T22:31:05.761Z", - "relationship_type": "related-to", - "source_ref": "attack-action--a157005f-50a2-45e4-9e7b-ea713e9bbcc8", - "target_ref": "tool--ab5ee969-33ca-4ead-bc33-90106dd462d9" - } - ] -} \ No newline at end of file diff --git a/corpus/SWIFT Heist.json b/corpus/SWIFT Heist.json deleted file mode 100644 index 4ab5a436..00000000 --- a/corpus/SWIFT Heist.json +++ /dev/null 
@@ -1,458 +0,0 @@ -{ - "type": "bundle", - "id": "bundle--f7953e64-50d6-4a75-bda9-06b817fd1127", - "spec_version": "2.1", - "created": "2023-01-04T17:57:45.147Z", - "modified": "2023-01-04T17:57:45.147Z", - "objects": [ - { - "type": "extension-definition", - "id": "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4", - "spec_version": "2.1", - "created": "2022-08-02T19:34:35.143Z", - "modified": "2022-08-02T19:34:35.143Z", - "name": "Attack Flow", - "description": "Extends STIX 2.1 with features to create Attack Flows.", - "created_by_ref": "identity--fb9c968a-745b-4ade-9b25-c324172197f4", - "schema": "https://center-for-threat-informed-defense.github.io/attack-flow/stix/attack-flow-schema-2.0.0.json", - "version": "2.0.0", - "extension_types": [ - "new-sdo" - ], - "external_references": [ - { - "source_name": "Documentation", - "description": "Documentation for Attack Flow", - "url": "https://center-for-threat-informed-defense.github.io/attack-flow" - }, - { - "source_name": "GitHub", - "description": "Source code repository for Attack Flow", - "url": "https://github.com/center-for-threat-informed-defense/attack-flow" - } - ] - }, - { - "type": "identity", - "id": "identity--fb9c968a-745b-4ade-9b25-c324172197f4", - "spec_version": "2.1", - "created": "2022-08-02T19:34:35.143Z", - "modified": "2022-08-02T19:34:35.143Z", - "create_by_ref": "identity--fb9c968a-745b-4ade-9b25-c324172197f4", - "name": "MITRE Engenuity Center for Threat-Informed Defense", - "identity_class": "organization" - }, - { - "type": "attack-flow", - "id": "attack-flow--f3b47305-45b4-45ac-872b-6a947b55fc58", - "spec_version": "2.1", - "created": "2022-10-27T02:44:54.520Z", - "modified": "2023-01-04T17:57:45.151Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "created_by_ref": "identity--e448f273-4a8d-4adf-b786-4f08d4b538fd", - "start_refs": [ - "attack-action--d958677e-8790-4ad2-8b04-8d71489f7ac2", - 
"attack-action--d6d5a619-e4ca-4e52-ac42-7b27c389d27d" - ], - "name": "SWIFT Heist", - "description": "A financial crime involving the SWIFT banking network.", - "author": [ - [ - "name", - "Lauren Parker" - ], - [ - "identity_class", - "23b79ae0fc0f07a3669598dd23c694cc" - ], - [ - "contact_information", - "lparker@mitre.org" - ] - ], - "scope": "incident", - "external_references": [ - { - "source_name": "Cyber UK", - "description": "Article", - "url": "https://cyber.uk/areas-of-cyber-security/nation-state-hackers-case-study-bangladesh-bank-heist/" - }, - { - "source_name": "NYTimes", - "description": "Article", - "url": "https://www.nytimes.com/interactive/2018/05/03/magazine/money-issue-bangladesh-billion-dollar-bank-heist.html?mtrref=undefined&gwh=39B90281F7FE0DFD1876E89D17BFE7C5&gwt=pay&assetType=PAYWALL" - }, - { - "source_name": "Wired", - "description": "Article", - "url": "https://www.wired.com/2016/05/insane-81m-bangladesh-bank-heist-heres-know/" - }, - { - "source_name": "Reuters", - "description": "Article", - "url": "https://www.reuters.com/investigates/special-report/cyber-heist-federal" - } - ] - }, - { - "type": "identity", - "id": "identity--e448f273-4a8d-4adf-b786-4f08d4b538fd", - "spec_version": "2.1", - "created": "2023-01-04T17:57:45.148Z", - "modified": "2023-01-04T17:57:45.148Z", - "name": "Lauren Parker", - "identity_class": "individual", - "contact_information": "lparker@mitre.org" - }, - { - "type": "threat-actor", - "id": "threat-actor--8f62c6d8-e29a-4cdd-ac01-ea3781817af4", - "spec_version": "2.1", - "created": "2023-01-04T17:57:45.153Z", - "modified": "2023-01-04T17:57:45.153Z", - "name": "Maia Santos-Deguito", - "description": "Manager of Rizal Commercial Banking Corporation's (R.C.B.C.) 
Jupiter branch; opened accounts for Wong's associates - accounts used to receive money during attack ($81M); moved $81M into 5 different accounts", - "threat_actor_types": [ - "criminal" - ], - "roles": [ - "agent" - ], - "resource_level": "team", - "primary_motivation": "personal-gain" - }, - { - "type": "threat-actor", - "id": "threat-actor--5ca725de-6057-4c05-af7f-cf5ed0bb2b58", - "spec_version": "2.1", - "created": "2023-01-04T17:57:45.154Z", - "modified": "2023-01-04T17:57:45.154Z", - "name": "Kam Sin (Kim) Wong", - "description": "ran \"casino junkets\" in Manila and Northern Luzon; introduced Filipino associates to Jupiter branch", - "threat_actor_types": [ - "crime-syndicate" - ], - "roles": [ - "director" - ], - "resource_level": "team", - "primary_motivation": "personal-gain" - }, - { - "type": "threat-actor", - "id": "threat-actor--3aaf17e7-eec7-433f-8a48-d104c116d6a3", - "spec_version": "2.1", - "created": "2023-01-04T17:57:45.154Z", - "modified": "2023-01-04T17:57:45.154Z", - "name": "Michael and Salud Bautista", - "description": "Recived money from Santos-Deguito into their remittance firm (PhilRem); moved about $61M to Wong, Bautistas, and an associate of Wong; laundered money through different casinos", - "threat_actor_types": [ - "crime-syndicate" - ], - "aliases": [], - "roles": [ - "agent" - ], - "resource_level": "team", - "primary_motivation": "personal-gain" - }, - { - "type": "attack-action", - "id": "attack-action--d958677e-8790-4ad2-8b04-8d71489f7ac2", - "spec_version": "2.1", - "created": "2023-01-04T17:57:45.154Z", - "modified": "2023-01-04T17:57:45.154Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "name": "Phishing emails", - "technique_id": "T1566", - "description": "Suspected that phishing emails were sent to employees at Bangladesh Bank which dropped malware.", - "confidence": 50, - "effect_refs": [ - 
"attack-operator--90340c1f-69b1-481a-82c5-fa9768e14049" - ] - }, - { - "type": "attack-action", - "id": "attack-action--d6d5a619-e4ca-4e52-ac42-7b27c389d27d", - "spec_version": "2.1", - "created": "2023-01-04T17:57:45.154Z", - "modified": "2023-01-04T17:57:45.154Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "name": "Exploited Vulnerabilities", - "technique_id": "T1068", - "description": "Suspected that attackers gained access by exploiting weakness in a new electronic payment system (real time gross settlement).", - "confidence": 30, - "effect_refs": [ - "attack-operator--90340c1f-69b1-481a-82c5-fa9768e14049" - ] - }, - { - "type": "attack-operator", - "id": "attack-operator--90340c1f-69b1-481a-82c5-fa9768e14049", - "spec_version": "2.1", - "created": "2023-01-04T17:57:45.154Z", - "modified": "2023-01-04T17:57:45.154Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "operator": "OR", - "effect_refs": [ - "attack-condition--5d98ea86-4b21-4791-8328-cfe6c2906456" - ] - }, - { - "type": "attack-condition", - "id": "attack-condition--5d98ea86-4b21-4791-8328-cfe6c2906456", - "spec_version": "2.1", - "created": "2023-01-04T17:57:45.154Z", - "modified": "2023-01-04T17:57:45.154Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "description": "Users interacted with phishing emails ", - "on_true_refs": [ - "attack-action--8d1cbde9-c24f-4d33-b9a6-a8b48edcf7bb" - ] - }, - { - "type": "attack-action", - "id": "attack-action--8d1cbde9-c24f-4d33-b9a6-a8b48edcf7bb", - "spec_version": "2.1", - "created": "2023-01-04T17:57:45.155Z", - "modified": "2023-01-04T17:57:45.155Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "name": "Stolen Credentials", - "technique_id": 
"T1078", - "description": "Credentials stolen for SWIFT operator at Bangladesh Bank.", - "confidence": 100, - "effect_refs": [ - "attack-action--dd27481f-2aee-41f3-b7f9-19dcc8212c16" - ] - }, - { - "type": "attack-action", - "id": "attack-action--dd27481f-2aee-41f3-b7f9-19dcc8212c16", - "spec_version": "2.1", - "created": "2023-01-04T17:57:45.155Z", - "modified": "2023-01-04T17:57:45.155Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "name": "Ingress Tool Transfer", - "technique_id": "T1105", - "description": "Attackers installed 6 types of malware", - "confidence": 100, - "effect_refs": [ - "attack-condition--69eb22f3-2858-48a0-97b9-b64231821ddb" - ] - }, - { - "type": "attack-condition", - "id": "attack-condition--69eb22f3-2858-48a0-97b9-b64231821ddb", - "spec_version": "2.1", - "created": "2023-01-04T17:57:45.155Z", - "modified": "2023-01-04T17:57:45.155Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "description": "Attackers tested malware (including monitoring software on the SWIFT software and deleted database files) and logged successfully into the system several times", - "on_true_refs": [ - "attack-action--c2f53907-f6f2-492f-9cbc-077106ebbc69" - ] - }, - { - "type": "attack-action", - "id": "attack-action--c2f53907-f6f2-492f-9cbc-077106ebbc69", - "spec_version": "2.1", - "created": "2023-01-04T17:57:45.155Z", - "modified": "2023-01-04T17:57:45.155Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "name": "Fraudulent payment orders", - "description": "Attackers sent fraudulent payment orders via SWIFT", - "confidence": 100, - "effect_refs": [ - "attack-condition--7e2c470d-0772-4fe5-8090-ad013452c775" - ] - }, - { - "type": "attack-action", - "id": "attack-action--3f76a094-718d-44bc-9383-218fda3620d7", - "spec_version": 
"2.1", - "created": "2023-01-04T17:57:45.155Z", - "modified": "2023-01-04T17:57:45.155Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "name": "Send money to Philippines account", - "description": "Attackers used fake accounts to receive and traffic stolen funds", - "confidence": 100, - "effect_refs": [ - "attack-operator--e66b7512-df8f-4846-8ef3-1492dbf7f16e" - ] - }, - { - "type": "attack-condition", - "id": "attack-condition--7e2c470d-0772-4fe5-8090-ad013452c775", - "spec_version": "2.1", - "created": "2023-01-04T17:57:45.155Z", - "modified": "2023-01-04T17:57:45.155Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "description": "Attackers established international accounts to send the money to", - "on_true_refs": [ - "attack-action--3f76a094-718d-44bc-9383-218fda3620d7", - "attack-action--8d46d723-92b3-4abb-b80e-e8fc223d8509" - ] - }, - { - "type": "attack-action", - "id": "attack-action--a0340333-a246-48d0-b405-a6d09375e706", - "spec_version": "2.1", - "created": "2023-01-04T17:57:45.155Z", - "modified": "2023-01-04T17:57:45.155Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "name": "Accounts opened illegally", - "description": "Philippines allowed attackers to open accounts using fake driving licenses", - "confidence": 100, - "effect_refs": [ - "attack-action--3f76a094-718d-44bc-9383-218fda3620d7" - ] - }, - { - "type": "attack-action", - "id": "attack-action--8d46d723-92b3-4abb-b80e-e8fc223d8509", - "spec_version": "2.1", - "created": "2023-01-04T17:57:45.155Z", - "modified": "2023-01-04T17:57:45.155Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "name": "Send money to individual accounts", - "description": "Attackers sent money to individual 
accounts, rather than institutions", - "confidence": 100, - "effect_refs": [ - "attack-operator--e66b7512-df8f-4846-8ef3-1492dbf7f16e" - ] - }, - { - "type": "attack-operator", - "id": "attack-operator--e66b7512-df8f-4846-8ef3-1492dbf7f16e", - "spec_version": "2.1", - "created": "2023-01-04T17:57:45.155Z", - "modified": "2023-01-04T17:57:45.155Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "operator": "AND", - "effect_refs": [ - "attack-action--61348e67-38c5-4042-8195-5717b1aa2d2b" - ] - }, - { - "type": "attack-action", - "id": "attack-action--61348e67-38c5-4042-8195-5717b1aa2d2b", - "spec_version": "2.1", - "created": "2023-01-04T17:57:45.155Z", - "modified": "2023-01-04T17:57:45.155Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "name": "Defense Evasion: Deleted Files", - "technique_id": "T1070.004", - "description": "Attackers deleted files associated with SWIFT software to prevent employees from seeing the SWIFT messages", - "confidence": 100, - "effect_refs": [ - "attack-action--90cbb515-964d-4e76-906e-10d25be6c73a" - ] - }, - { - "type": "attack-action", - "id": "attack-action--90cbb515-964d-4e76-906e-10d25be6c73a", - "spec_version": "2.1", - "created": "2023-01-04T17:57:45.155Z", - "modified": "2023-01-04T17:57:45.155Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "name": "Defense Evasion: Disabling System", - "technique_id": "T1562.001", - "description": "Attackers used malware to disable printer, which prevented SWIFT acknowledgement messages being printed out for manual review", - "confidence": 100, - "effect_refs": [ - "attack-action--5a60a193-34ba-455e-99dc-1416ce16352e" - ] - }, - { - "type": "attack-action", - "id": "attack-action--5a60a193-34ba-455e-99dc-1416ce16352e", - "spec_version": "2.1", - "created": 
"2023-01-04T17:57:45.155Z", - "modified": "2023-01-04T17:57:45.155Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "name": "Defense Evasion: Changing Bank Balances", - "description": "Attackers updated bank balances in the New York Fed account to remove evidence of money being debited", - "confidence": 100 - }, - { - "type": "note", - "id": "note--000c7ed4-7142-4019-a601-e79bfe49fbef", - "spec_version": "2.1", - "created": "2023-01-04T17:57:45.155Z", - "modified": "2023-01-04T17:57:45.155Z", - "abstract": "Financial theft", - "content": "Attackers sent 34 orders over the next 4 hours, totaling nearly $1B", - "object_refs": [ - "attack-action--c2f53907-f6f2-492f-9cbc-077106ebbc69" - ] - } - ] -} \ No newline at end of file diff --git a/corpus/SearchAwesome_Adware.json b/corpus/SearchAwesome_Adware.json deleted file mode 100644 index da1999d7..00000000 --- a/corpus/SearchAwesome_Adware.json +++ /dev/null 
@@ -1,293 +0,0 @@ -{ - "type": "bundle", - "id": "bundle--264c8003-a78e-45aa-aeeb-e45a62af7684", - "spec_version": "2.1", - "created": "2023-05-09T15:47:45.289Z", - "modified": "2023-05-09T15:47:45.289Z", - "objects": [ - { - "type": "extension-definition", - "id": "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4", - "spec_version": "2.1", - "created": "2022-08-02T19:34:35.143Z", - "modified": "2022-08-02T19:34:35.143Z", - "name": "Attack Flow", - "description": "Extends STIX 2.1 with features to create Attack Flows.", - "created_by_ref": "identity--fb9c968a-745b-4ade-9b25-c324172197f4", - "schema": "https://center-for-threat-informed-defense.github.io/attack-flow/stix/attack-flow-schema-2.0.0.json", - "version": "2.0.0", - "extension_types": [ - "new-sdo" - ], - "external_references": [ - { - "source_name": "Documentation", - "description": "Documentation for Attack Flow", - "url": "https://center-for-threat-informed-defense.github.io/attack-flow" - }, - { - "source_name": "GitHub", - "description": "Source code repository for Attack Flow", - "url": "https://github.com/center-for-threat-informed-defense/attack-flow" - } - ] - }, - { - "type": "identity", - "id": "identity--fb9c968a-745b-4ade-9b25-c324172197f4", - "spec_version": "2.1", - "created": "2022-08-02T19:34:35.143Z", - "modified": "2022-08-02T19:34:35.143Z", - "create_by_ref": "identity--fb9c968a-745b-4ade-9b25-c324172197f4", - "name": "MITRE Engenuity Center for Threat-Informed Defense", - "identity_class": "organization" - }, - { - "type": "attack-flow", - "id": "attack-flow--e312fa60-4316-4433-a6eb-81e4c3111324", - "spec_version": "2.1", - "created": "2023-04-21T17:46:00.235Z", - "modified": "2023-05-09T15:47:45.289Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "created_by_ref": "identity--de305ce2-fb74-437b-871e-c10411a63ad5", - "start_refs": [ - "attack-action--cb85f8b2-a64d-49a3-beca-c307558fe4cb" - ], - 
"name": "SearchAwesome Adware", - "description": "SearchAwesome adware intercepts encrypted web traffic to inject ads", - "scope": "malware", - "external_references": [ - { - "source_name": "Malwarebytes Labs", - "description": "Blog", - "url": "https://www.malwarebytes.com/blog/news/2018/10/mac-malware-intercepts-encrypted-web-traffic-for-ad-injection" - }, - { - "source_name": "Malware Behavior Catalogue", - "description": "GitHub", - "url": "https://github.com/MBCProject/mbc-markdown/blob/main/xample-malware/searchawesome.md" - } - ] - }, - { - "type": "identity", - "id": "identity--de305ce2-fb74-437b-871e-c10411a63ad5", - "spec_version": "2.1", - "created": "2023-05-09T15:47:45.289Z", - "modified": "2023-05-09T15:47:45.289Z", - "name": "Lauren Parker", - "identity_class": "individual", - "contact_information": "lparker@mitre.org" - }, - { - "type": "attack-action", - "id": "attack-action--cb85f8b2-a64d-49a3-beca-c307558fe4cb", - "spec_version": "2.1", - "created": "2023-05-09T15:47:45.289Z", - "modified": "2023-05-09T15:47:45.289Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "name": "User Execution", - "technique_id": "E1204", - "description": "The user opens a disk image file which invisibly installs its components", - "confidence": 100, - "effect_refs": [ - "attack-action--91742a64-73d0-4302-9b43-5ae374a7516a" - ] - }, - { - "type": "attack-action", - "id": "attack-action--638fbd7e-e680-4360-86d5-29454f354071", - "spec_version": "2.1", - "created": "2023-05-09T15:47:45.289Z", - "modified": "2023-05-09T15:47:45.289Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "name": "Install Certificate", - "technique_id": "E1608", - "description": "The malware installs a certificate", - "confidence": 100, - "effect_refs": [ - "attack-action--912ab340-e636-4742-8333-f692368ef2ee" - ] - }, - { - "type": 
"attack-action", - "id": "attack-action--912ab340-e636-4742-8333-f692368ef2ee", - "spec_version": "2.1", - "created": "2023-05-09T15:47:45.289Z", - "modified": "2023-05-09T15:47:45.289Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "name": "Adversary-in-the-Middle", - "technique_id": "T1557", - "description": "Malware inserts itself into a chain of custody, typically within network packets", - "confidence": 100, - "effect_refs": [ - "attack-action--f6677d9d-1c87-43bf-9b55-88099a820d4d" - ] - }, - { - "type": "attack-action", - "id": "attack-action--f6677d9d-1c87-43bf-9b55-88099a820d4d", - "spec_version": "2.1", - "created": "2023-05-09T15:47:45.289Z", - "modified": "2023-05-09T15:47:45.289Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "name": "Subvert Trust Controls", - "technique_id": "T1553", - "description": "The malware uses certificates to gain access to HTTPS traffic", - "confidence": 100, - "effect_refs": [ - "attack-action--ef2455bc-724f-4abf-9b1d-6883128ae328" - ] - }, - { - "type": "attack-action", - "id": "attack-action--ef2455bc-724f-4abf-9b1d-6883128ae328", - "spec_version": "2.1", - "created": "2023-05-09T15:47:45.289Z", - "modified": "2023-05-09T15:47:45.289Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "name": "Install Additional Program", - "technique_id": "B0023", - "description": "Malware installs an open-source program called mitmproxy", - "confidence": 100, - "effect_refs": [ - "attack-action--f829939a-e8cf-4d78-891c-35135405e046" - ] - }, - { - "type": "attack-action", - "id": "attack-action--f829939a-e8cf-4d78-891c-35135405e046", - "spec_version": "2.1", - "created": "2023-05-09T15:47:45.289Z", - "modified": "2023-05-09T15:47:45.289Z", - "extensions": { - 
"extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "name": "Proxy ", - "technique_id": "T1090", - "description": "Malware uses mitmproxy to intercept and modify web traffic", - "confidence": 100, - "effect_refs": [ - "attack-action--d545cf7c-c227-49e8-b3ef-6836f9431513" - ] - }, - { - "type": "attack-action", - "id": "attack-action--d545cf7c-c227-49e8-b3ef-6836f9431513", - "spec_version": "2.1", - "created": "2023-05-09T15:47:45.289Z", - "modified": "2023-05-09T15:47:45.289Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "name": "Manipulate Network Traffic", - "technique_id": "B0019", - "description": "Malware intercepts encrypted web traffic to inject ads", - "confidence": 100, - "effect_refs": [ - "attack-action--5fb732fb-80d7-4815-ba89-44d18484ed94" - ] - }, - { - "type": "attack-action", - "id": "attack-action--3ab0e565-c92d-40c0-a0d8-5795cd1fd6a2", - "spec_version": "2.1", - "created": "2023-05-09T15:47:45.289Z", - "modified": "2023-05-09T15:47:45.289Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "name": "Browser Session Hijacking", - "technique_id": "T1185", - "description": "Malware can modify web traffic for the purpose of injecting Javascript", - "confidence": 100, - "effect_refs": [ - "attack-action--9701d9a7-0c9b-4f07-b565-b01ffd871a36" - ] - }, - { - "type": "attack-action", - "id": "attack-action--5fb732fb-80d7-4815-ba89-44d18484ed94", - "spec_version": "2.1", - "created": "2023-05-09T15:47:45.289Z", - "modified": "2023-05-09T15:47:45.289Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "name": "Command and Scripting Interpreter", - "technique_id": "E1059", - "description": "Malware installs a script to inject a JavaScript script and modify web traffic", - 
"confidence": 100, - "effect_refs": [ - "attack-action--3ab0e565-c92d-40c0-a0d8-5795cd1fd6a2" - ] - }, - { - "type": "attack-action", - "id": "attack-action--91742a64-73d0-4302-9b43-5ae374a7516a", - "spec_version": "2.1", - "created": "2023-05-09T15:47:45.289Z", - "modified": "2023-05-09T15:47:45.289Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "name": "C2 Communication: Receive Data", - "technique_id": "B0030.002", - "description": "Malware receives data from the C2 server", - "confidence": 100, - "effect_refs": [ - "attack-action--638fbd7e-e680-4360-86d5-29454f354071" - ] - }, - { - "type": "attack-action", - "id": "attack-action--9701d9a7-0c9b-4f07-b565-b01ffd871a36", - "spec_version": "2.1", - "created": "2023-05-09T15:47:45.289Z", - "modified": "2023-05-09T15:47:45.289Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "name": "Self Deletion", - "technique_id": "F0007", - "description": "Malware will monitor if a specific file gets deleted and then will delete itself", - "confidence": 100 - } - ] -} \ No newline at end of file diff --git a/corpus/Shamoon.json b/corpus/Shamoon.json deleted file mode 100644 index 5d38564f..00000000 --- a/corpus/Shamoon.json +++ /dev/null 
@@ -1,1177 +0,0 @@ -{ - "type": "bundle", - "id": "bundle--225e2649-f7f1-47f4-bd5f-c48fe7c74a01", - "spec_version": "2.1", - "created": "2023-04-07T14:41:51.331Z", - "modified": "2023-04-07T14:41:51.331Z", - "objects": [ - { - "type": "extension-definition", - "id": "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4", - "spec_version": "2.1", - "created": "2022-08-02T19:34:35.143Z", - "modified": "2022-08-02T19:34:35.143Z", - "name": "Attack Flow", - "description": "Extends STIX 2.1 with features to create Attack Flows.", - "created_by_ref": "identity--fb9c968a-745b-4ade-9b25-c324172197f4", - "schema": "https://center-for-threat-informed-defense.github.io/attack-flow/stix/attack-flow-schema-2.0.0.json", - "version": "2.0.0", - "extension_types": [ - "new-sdo" - ], - "external_references": [ - { - "source_name": "Documentation", - "description": "Documentation for Attack Flow", - "url": "https://center-for-threat-informed-defense.github.io/attack-flow" - }, - { - "source_name": "GitHub", - "description": "Source code repository for Attack Flow", - "url": "https://github.com/center-for-threat-informed-defense/attack-flow" - } - ] - }, - { - "type": "identity", - "id": "identity--fb9c968a-745b-4ade-9b25-c324172197f4", - "spec_version": "2.1", - "created": "2022-08-02T19:34:35.143Z", - "modified": "2022-08-02T19:34:35.143Z", - "create_by_ref": "identity--fb9c968a-745b-4ade-9b25-c324172197f4", - "name": "MITRE Engenuity Center for Threat-Informed Defense", - "identity_class": "organization" - }, - { - "type": "attack-flow", - "id": "attack-flow--37caa819-ace9-4d22-8313-4ab44e46640a", - "spec_version": "2.1", - "created": "2023-04-05T18:50:21.503Z", - "modified": "2023-04-07T14:41:51.331Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "created_by_ref": "identity--02b9fed3-5db8-4ba3-a512-0d0f1f2dba1c", - "start_refs": [ - "attack-action--45238a64-cca7-4b73-b70e-f2bb9d57f5c6", - 
"attack-action--1514add9-71b2-41ab-9be9-2382620367ef" - ], - "name": "Shamoon", - "scope": "malware", - "external_references": [ - { - "source_name": "McAfee", - "description": "Article", - "url": "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/shamoon-returns-to-wipe-systems-in-middle-east-europe/" - }, - { - "source_name": "MBC", - "description": "Malware corpus", - "url": "https://github.com/MBCProject/mbc-markdown/blob/Lauren-malware-corpus/xample-malware/shamoon.md" - } - ] - }, - { - "type": "identity", - "id": "identity--02b9fed3-5db8-4ba3-a512-0d0f1f2dba1c", - "spec_version": "2.1", - "created": "2023-04-07T14:41:51.331Z", - "modified": "2023-04-07T14:41:51.331Z", - "name": "Lauren Parker", - "identity_class": "individual", - "contact_information": "lparker@mitre.org" - }, - { - "type": "attack-action", - "id": "attack-action--45238a64-cca7-4b73-b70e-f2bb9d57f5c6", - "spec_version": "2.1", - "created": "2023-04-07T14:41:51.331Z", - "modified": "2023-04-07T14:41:51.331Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "name": "Ingress Tool Transfer", - "technique_id": "T1105", - "description": "Shamoon is placed on the target system through unknown means", - "confidence": 70, - "effect_refs": [ - "attack-action--5042c11d-5d35-4bf0-a8c8-e8913e2505ce" - ] - }, - { - "type": "attack-condition", - "id": "attack-condition--b39f76f6-09ed-442f-b696-ac978a5487b5", - "spec_version": "2.1", - "created": "2023-04-07T14:41:51.331Z", - "modified": "2023-04-07T14:41:51.331Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "description": "Shamoon dropper has received an appropriate argument to run", - "on_true_refs": [ - "attack-action--18ac2f5f-282e-4d62-aa93-bc7567467f76" - ] - }, - { - "type": "attack-action", - "id": "attack-action--5042c11d-5d35-4bf0-a8c8-e8913e2505ce", - "spec_version": "2.1", - "created": 
"2023-04-07T14:41:51.331Z", - "modified": "2023-04-07T14:41:51.331Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "name": "Obfuscated Files or Information", - "technique_id": "T1027", - "description": "Shamoon dropper contains 3 components masked as encrypted files embedded in the PE sections", - "confidence": 100, - "effect_refs": [ - "attack-condition--b39f76f6-09ed-442f-b696-ac978a5487b5" - ] - }, - { - "type": "file", - "id": "file--e46c754c-c096-4f87-920d-ad5c92a47831", - "spec_version": "2.1", - "created": "2023-04-07T14:41:51.331Z", - "modified": "2023-04-07T14:41:51.331Z", - "hashes": "MD5: \tde07c4ac94a50663851e5dabe6e50d1f;\nSHA-1: df177772518a8fcedbbc805ceed8daecc0f42fed; SHA-256: \tc3ab58b3154e5f5101ba74fccfd27a9ab445e41262cdf47e8cc3be7416a5904f", - "size": "1.8 MB", - "name": "MaintenaceSrv32.exe", - "ctime": "2011-11-28T16:50:59.000Z" - }, - { - "type": "attack-action", - "id": "attack-action--536348d5-cd08-4031-82e0-612d13187348", - "spec_version": "2.1", - "created": "2023-04-07T14:41:51.331Z", - "modified": "2023-04-07T14:41:51.331Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "name": "Deobfuscate/Decode Files or Information", - "technique_id": "T1140", - "description": "Shamoon dropper decrypts the embedded resources into the C:\\Windows\\System32 folder ", - "confidence": 100, - "effect_refs": [ - "attack-action--11e47c90-b34b-4265-b4dc-010d857a5752" - ] - }, - { - "type": "tool", - "id": "tool--c344a37f-c1ae-42a1-ac43-ba185ea4bc21", - "spec_version": "2.1", - "created": "2023-04-07T14:41:51.331Z", - "modified": "2023-04-07T14:41:51.331Z", - "name": "MNU", - "description": "communication module", - "tool_types": [ - "unknown" - ] - }, - { - "type": "malware", - "id": "malware--61779767-a88b-4883-a433-b05e0cab925d", - "spec_version": "2.1", - "created": "2023-04-07T14:41:51.331Z", - 
"modified": "2023-04-07T14:41:51.331Z", - "name": "Shamoon", - "description": "destructive malware targeting oil, gas, telecom, and energy companies and government organizations", - "malware_types": [ - "dropper", - "trojan" - ], - "is_family": true, - "capabilities": [ - "escalates-privileges", - "installs-other-components", - "anti-debugging", - "anti-vm" - ] - }, - { - "type": "malware", - "id": "malware--8330215a-4eb4-4812-87e6-1e5b14ac4205", - "spec_version": "2.1", - "created": "2023-04-07T14:41:51.331Z", - "modified": "2023-04-07T14:41:51.331Z", - "name": "PIC", - "description": "64-bit version of the dropper", - "malware_types": [ - "dropper", - "trojan" - ], - "is_family": true, - "capabilities": [ - "escalates-privileges", - "installs-other-components", - "anti-debugging", - "anti-vm" - ] - }, - { - "type": "malware", - "id": "malware--c658e292-4c33-44b7-801b-c40323499950", - "spec_version": "2.1", - "created": "2023-04-07T14:41:51.331Z", - "modified": "2023-04-07T14:41:51.331Z", - "name": "LNG", - "description": "wiper component", - "malware_types": [ - "wiper" - ], - "is_family": false, - "capabilities": [ - "compromises-data-availability" - ] - }, - { - "type": "attack-action", - "id": "attack-action--18ac2f5f-282e-4d62-aa93-bc7567467f76", - "spec_version": "2.1", - "created": "2023-04-07T14:41:51.331Z", - "modified": "2023-04-07T14:41:51.331Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "name": "Deobfuscate/Decode Files or Information", - "technique_id": "T1140", - "description": "Shamoon dropper decrypts several strings in memory", - "confidence": 100, - "effect_refs": [ - "attack-action--1fe37889-9591-40d8-b20b-a3578e05f1c0" - ] - }, - { - "type": "attack-action", - "id": "attack-action--1fe37889-9591-40d8-b20b-a3578e05f1c0", - "spec_version": "2.1", - "created": "2023-04-07T14:41:51.331Z", - "modified": "2023-04-07T14:41:51.331Z", - "extensions": { - 
"extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "name": "System Information Discovery", - "technique_id": "T1082", - "description": "Shamoon gathers information on the System and determines whether to drop the 32-bit or 64-bit version", - "confidence": 100, - "effect_refs": [ - "attack-action--f468a33c-d9e2-4938-9412-658e256acedf", - "attack-action--bcd6b440-aa42-43c0-90a7-af7a6d29ea61" - ] - }, - { - "type": "attack-action", - "id": "attack-action--f468a33c-d9e2-4938-9412-658e256acedf", - "spec_version": "2.1", - "created": "2023-04-07T14:41:51.331Z", - "modified": "2023-04-07T14:41:51.331Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "name": "Ingress Tool Transfer", - "technique_id": "T1105", - "description": "Shamoon drops a file key8854321.pub into the folder c:\\Windows\\Temp\\key8854321.pub", - "confidence": 100, - "effect_refs": [ - "attack-operator--adcac5fc-f2c9-439a-8ca4-82a1edba4433" - ] - }, - { - "type": "file", - "id": "file--057c8ab8-947c-47ec-8a01-8296cbbc3907", - "spec_version": "2.1", - "created": "2023-04-07T14:41:51.331Z", - "modified": "2023-04-07T14:41:51.331Z", - "hashes": "MD5: 41f8cd9ac3fb6b1771177e5770537518; SHA-1: \t43ed9c1309d8bb14bd62b016a5c34a2adbe45943; SHA-256: \t9979678be7b89a9f01c2481ea6f420417e67572f52aad66ae4ccce3c65a7b504", - "size": "782 B", - "name": "key8854321.pub" - }, - { - "type": "directory", - "id": "directory--713c50dc-64a9-4854-8804-1adffd42791e", - "spec_version": "2.1", - "created": "2023-04-07T14:41:51.331Z", - "modified": "2023-04-07T14:41:51.331Z", - "path": "c:\\Windows\\Temp\\key8854321.pub" - }, - { - "type": "attack-action", - "id": "attack-action--bcd6b440-aa42-43c0-90a7-af7a6d29ea61", - "spec_version": "2.1", - "created": "2023-04-07T14:41:51.331Z", - "modified": "2023-04-07T14:41:51.331Z", - "extensions": { - 
"extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "name": "Deobfuscate/Decode Files or Information", - "technique_id": "T1140", - "description": "Shamoon dropper decrypts 2 files for later use", - "confidence": 100, - "effect_refs": [ - "attack-operator--adcac5fc-f2c9-439a-8ca4-82a1edba4433" - ] - }, - { - "type": "file", - "id": "file--165ada62-d185-4ba9-9c6b-6654c71e017e", - "spec_version": "2.1", - "created": "2023-04-07T14:41:51.331Z", - "modified": "2023-04-07T14:41:51.331Z", - "name": "mdmnis5tQ1.pnf" - }, - { - "type": "file", - "id": "file--e342d706-bde4-4985-890c-5a679b36399e", - "spec_version": "2.1", - "created": "2023-04-07T14:41:51.331Z", - "modified": "2023-04-07T14:41:51.331Z", - "name": "averbh_noav.pnf" - }, - { - "type": "directory", - "id": "directory--2ea57f2a-3c00-4f3b-811a-0a10e7685fd9", - "spec_version": "2.1", - "created": "2023-04-07T14:41:51.331Z", - "modified": "2023-04-07T14:41:51.331Z", - "path": "C:\\Windows\\inf\\mdmnis5tQ1.pnf" - }, - { - "type": "directory", - "id": "directory--280eb736-0baf-4a96-97e0-65a3466cb799", - "spec_version": "2.1", - "created": "2023-04-07T14:41:51.331Z", - "modified": "2023-04-07T14:41:51.331Z", - "path": "C:\\Windows\\inf\\averbh_noav.pnf" - }, - { - "type": "attack-operator", - "id": "attack-operator--adcac5fc-f2c9-439a-8ca4-82a1edba4433", - "spec_version": "2.1", - "created": "2023-04-07T14:41:51.331Z", - "modified": "2023-04-07T14:41:51.331Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "operator": "AND", - "effect_refs": [ - "attack-action--1514add9-71b2-41ab-9be9-2382620367ef" - ] - }, - { - "type": "attack-action", - "id": "attack-action--1514add9-71b2-41ab-9be9-2382620367ef", - "spec_version": "2.1", - "created": "2023-04-07T14:41:51.331Z", - "modified": "2023-04-07T14:41:51.331Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { 
- "extension_type": "new-sdo" - } - }, - "name": "System Services", - "technique_id": "T1569", - "description": "Shamoon enables the service RemoteRegistry to remotely modify the registry", - "confidence": 100, - "effect_refs": [ - "attack-action--0c56e942-1cb5-4335-ac0b-fe11442bcb4a" - ] - }, - { - "type": "attack-action", - "id": "attack-action--0c56e942-1cb5-4335-ac0b-fe11442bcb4a", - "spec_version": "2.1", - "created": "2023-04-07T14:41:51.331Z", - "modified": "2023-04-07T14:41:51.331Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "name": "Modify Registry", - "technique_id": "T1112", - "description": "Shamoon enables the registry key LocalAccountTokenFilterPolicy, which disables remote user account control", - "confidence": 100, - "effect_refs": [ - "attack-action--7573f4c7-5cef-4aaf-853b-391dc145dd81" - ] - }, - { - "type": "attack-action", - "id": "attack-action--7573f4c7-5cef-4aaf-853b-391dc145dd81", - "spec_version": "2.1", - "created": "2023-04-07T14:41:51.331Z", - "modified": "2023-04-07T14:41:51.331Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "name": "Network Share Discovery", - "technique_id": "T1135", - "description": "Malware checks if specific shares exist to copy and spread itself", - "confidence": 100, - "effect_refs": [ - "attack-action--0ab1c6fd-eb0a-4601-a629-3694f5ed5222" - ] - }, - { - "type": "attack-action", - "id": "attack-action--0ab1c6fd-eb0a-4601-a629-3694f5ed5222", - "spec_version": "2.1", - "created": "2023-04-07T14:41:51.332Z", - "modified": "2023-04-07T14:41:51.332Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "name": "System Service Discovery", - "technique_id": "T1007", - "description": "Shamoon queries LocalService to retrieve specific information related to the LocalService account", - 
"confidence": 100, - "effect_refs": [ - "attack-action--536348d5-cd08-4031-82e0-612d13187348" - ] - }, - { - "type": "infrastructure", - "id": "infrastructure--842a04a1-0a42-4217-9514-8787ec2e4471", - "spec_version": "2.1", - "created": "2023-04-07T14:41:51.332Z", - "modified": "2023-04-07T14:41:51.332Z", - "name": "ADMIN$", - "infrastructure_types": [ - "network-share" - ] - }, - { - "type": "attack-action", - "id": "attack-action--11e47c90-b34b-4265-b4dc-010d857a5752", - "spec_version": "2.1", - "created": "2023-04-07T14:41:51.332Z", - "modified": "2023-04-07T14:41:51.332Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "name": "Timestomp", - "technique_id": "T1070.006", - "description": "The file times are set to August 2012 as an anti-forensics trick", - "confidence": 100, - "effect_refs": [ - "attack-action--81b765cf-ba71-4818-8b1f-276aee316264" - ] - }, - { - "type": "note", - "id": "note--f9d1fe3d-0efd-4a01-aa69-a668361d0d32", - "spec_version": "2.1", - "created": "2023-04-07T14:41:51.332Z", - "modified": "2023-04-07T14:41:51.332Z", - "content": "Any file Shamoon can destroy, it changes the date to August 2012", - "object_refs": [ - "attack-action--11e47c90-b34b-4265-b4dc-010d857a5752" - ] - }, - { - "type": "infrastructure", - "id": "infrastructure--aa463037-9cd7-486b-a70a-4e9c110404eb", - "spec_version": "2.1", - "created": "2023-04-07T14:41:51.332Z", - "modified": "2023-04-07T14:41:51.332Z", - "name": "C$\\WINDOWS", - "infrastructure_types": [ - "network-share" - ] - }, - { - "type": "infrastructure", - "id": "infrastructure--f4146823-dc6c-4ece-add5-b99632572876", - "spec_version": "2.1", - "created": "2023-04-07T14:41:51.332Z", - "modified": "2023-04-07T14:41:51.332Z", - "name": "E$\\WINDOWS", - "infrastructure_types": [ - "network-share" - ] - }, - { - "type": "infrastructure", - "id": "infrastructure--e564b7fb-d887-4ba0-a67c-7dec8bc2649f", - "spec_version": "2.1", - 
"created": "2023-04-07T14:41:51.332Z", - "modified": "2023-04-07T14:41:51.332Z", - "name": "D$\\WINDOWS", - "infrastructure_types": [ - "network-share" - ] - }, - { - "type": "attack-action", - "id": "attack-action--81b765cf-ba71-4818-8b1f-276aee316264", - "spec_version": "2.1", - "created": "2023-04-07T14:41:51.332Z", - "modified": "2023-04-07T14:41:51.332Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "name": "Access Token Manipulation: Token Impersonation/Theft", - "technique_id": "T1134.001", - "description": "Shamoon elevates privileges by impersonating the user's token", - "confidence": 100, - "effect_refs": [ - "attack-action--6934aee5-fb1d-456c-a0f8-020991900f6b" - ] - }, - { - "type": "attack-action", - "id": "attack-action--6934aee5-fb1d-456c-a0f8-020991900f6b", - "spec_version": "2.1", - "created": "2023-04-07T14:41:51.332Z", - "modified": "2023-04-07T14:41:51.332Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "name": "Create or Modify System Process: Windows Service", - "technique_id": "T1543.003", - "description": "Shamoon creates a new service MaintenaceSrv with the Autostart option and runs the service with its own process", - "confidence": 100, - "effect_refs": [ - "attack-condition--5bca49d8-ee56-4134-a084-a4936d004801", - "attack-condition--d50a040d-b440-4034-8713-23c1c504a9af" - ] - }, - { - "type": "attack-condition", - "id": "attack-condition--5bca49d8-ee56-4134-a084-a4936d004801", - "spec_version": "2.1", - "created": "2023-04-07T14:41:51.332Z", - "modified": "2023-04-07T14:41:51.332Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "description": "The wiper has been dropped on the system and can now run", - "on_true_refs": [ - "attack-action--b18d81cf-9c59-413d-b148-45a2067adbbd" - ] - }, - { - "type": 
"attack-action", - "id": "attack-action--b18d81cf-9c59-413d-b148-45a2067adbbd", - "spec_version": "2.1", - "created": "2023-04-07T14:41:51.332Z", - "modified": "2023-04-07T14:41:51.332Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "name": "Ingress Tool Transfer", - "technique_id": "T1105", - "description": "Wiper is dropped into the System32 folder", - "confidence": 100, - "effect_refs": [ - "attack-action--128547af-e0f2-4185-afae-9b40736a5c56" - ] - }, - { - "type": "malware", - "id": "malware--a55fe43a-7622-4094-ae85-d86304ae71de", - "spec_version": "2.1", - "created": "2023-04-07T14:41:51.332Z", - "modified": "2023-04-07T14:41:51.332Z", - "name": "netbxndxlg2.exe", - "description": "This executable is the wiper component. It can have many different names and contains the wiper driver embedded within its resources. It requires a parameter to run.", - "malware_types": [ - "wiper" - ], - "is_family": true, - "capabilities": [ - "anti-forensics", - "hides-executing-driver" - ] - }, - { - "type": "directory", - "id": "directory--e8d2e666-4458-4aac-b1dc-012a94de815c", - "spec_version": "2.1", - "created": "2023-04-07T14:41:51.332Z", - "modified": "2023-04-07T14:41:51.332Z", - "path": "C:\\Windows\\System32" - }, - { - "type": "attack-action", - "id": "attack-action--128547af-e0f2-4185-afae-9b40736a5c56", - "spec_version": "2.1", - "created": "2023-04-07T14:41:51.332Z", - "modified": "2023-04-07T14:41:51.332Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "name": "Obfuscated Files or Information", - "technique_id": "T1027", - "description": "Shamoon wiper component contains the wiper driver embedded in its resources", - "confidence": 100, - "effect_refs": [ - "attack-action--697e8511-7e7e-48b3-aff7-0bf6b15bc868" - ] - }, - { - "type": "attack-action", - "id": 
"attack-action--697e8511-7e7e-48b3-aff7-0bf6b15bc868", - "spec_version": "2.1", - "created": "2023-04-07T14:41:51.332Z", - "modified": "2023-04-07T14:41:51.332Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "name": "Deobfuscate/Decode Files or Information", - "technique_id": "T1140", - "description": "Shamoon wiper decrypts the wiper driver", - "confidence": 100, - "effect_refs": [ - "attack-action--ce6c04c1-c6ab-4aab-a194-ac50e51640d7" - ] - }, - { - "type": "malware", - "id": "malware--e6bee1d3-8348-4b91-a453-86e1d8e9dfc3", - "spec_version": "2.1", - "created": "2023-04-07T14:41:51.332Z", - "modified": "2023-04-07T14:41:51.332Z", - "name": "hdv_725x.sys", - "description": "Wiper driver which can have multiple different names.", - "malware_types": [ - "wiper" - ], - "is_family": true, - "capabilities": [ - "compromises-data-availability", - "wipes-data" - ] - }, - { - "type": "file", - "id": "file--5d5d34f0-e5c5-44ec-99dd-a0489af7c07e", - "spec_version": "2.1", - "created": "2023-04-07T14:41:51.332Z", - "modified": "2023-04-07T14:41:51.332Z", - "hashes": "MD5: \t887c614608e7cd9a691858caf468c28f; SHA-1: \tceb7876c01c75673699c74ff7fac64a5ca0e67a1; SHA-256: 391e7b90bf3f0bfeb2c2602cc65aa6be4dd1c01374b89c4a48425f2d22fe231c", - "size": "393 KB", - "name": "netbxndxlg2.exe", - "ctime": "2011-11-28T15:52:52.000Z" - }, - { - "type": "attack-action", - "id": "attack-action--ce6c04c1-c6ab-4aab-a194-ac50e51640d7", - "spec_version": "2.1", - "created": "2023-04-07T14:41:51.332Z", - "modified": "2023-04-07T14:41:51.332Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "name": "Create or Modify System Process: Windows Service", - "technique_id": "T1543.003", - "description": "The wiper driver creates a service to run the driver", - "confidence": 100, - "command_ref": "process--e57d55da-f484-4028-b536-6c1db57e1aac", - 
"effect_refs": [ - "attack-action--2f8b5bc0-849b-44c2-adbd-4846bfbcf382" - ] - }, - { - "type": "process", - "id": "process--e57d55da-f484-4028-b536-6c1db57e1aac", - "spec_version": "2.1", - "created": "2023-04-07T14:41:51.332Z", - "modified": "2023-04-07T14:41:51.332Z", - "command_line": "sc create hdv_725x type= kernel start= demand binpath= WINDOWS\\hdv_725x.sys 2>&1 >nul" - }, - { - "type": "attack-action", - "id": "attack-action--2f8b5bc0-849b-44c2-adbd-4846bfbcf382", - "spec_version": "2.1", - "created": "2023-04-07T14:41:51.332Z", - "modified": "2023-04-07T14:41:51.332Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "name": "Disk Wipe", - "technique_id": "T1561", - "description": "The wiper driver overwrites every file in C:\\Windows\\System32 and all files on the system", - "confidence": 100, - "effect_refs": [ - "attack-action--3a6645fc-5ec3-426b-be28-b2faaa221b1f" - ] - }, - { - "type": "attack-action", - "id": "attack-action--3a6645fc-5ec3-426b-be28-b2faaa221b1f", - "spec_version": "2.1", - "created": "2023-04-07T14:41:51.332Z", - "modified": "2023-04-07T14:41:51.332Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "name": "System Shutdown/Reboot", - "technique_id": "T1529", - "description": "Disk wiper forces a reboot", - "confidence": 100, - "command_ref": "process--8a2b6ded-1aab-48fd-a713-7d5cd7bf5cad" - }, - { - "type": "process", - "id": "process--8a2b6ded-1aab-48fd-a713-7d5cd7bf5cad", - "spec_version": "2.1", - "created": "2023-04-07T14:41:51.332Z", - "modified": "2023-04-07T14:41:51.332Z", - "command_line": "Shutdown -r -f -t 2" - }, - { - "type": "note", - "id": "note--2506b2a8-07a9-4a3a-a7d8-5621298b9fc8", - "spec_version": "2.1", - "created": "2023-04-07T14:41:51.332Z", - "modified": "2023-04-07T14:41:51.332Z", - "content": "Once reboot, the system shows a blue screen", - "object_refs": [ 
- "attack-action--3a6645fc-5ec3-426b-be28-b2faaa221b1f" - ] - }, - { - "type": "attack-condition", - "id": "attack-condition--d50a040d-b440-4034-8713-23c1c504a9af", - "spec_version": "2.1", - "created": "2023-04-07T14:41:51.332Z", - "modified": "2023-04-07T14:41:51.332Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "description": "The worm component is dropped onto the system ", - "on_true_refs": [ - "attack-action--ef1f8cce-2e33-4444-bf37-e5c1d4bc20c2" - ] - }, - { - "type": "attack-action", - "id": "attack-action--ef1f8cce-2e33-4444-bf37-e5c1d4bc20c2", - "spec_version": "2.1", - "created": "2023-04-07T14:41:51.332Z", - "modified": "2023-04-07T14:41:51.332Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "name": "Ingress Tool Transfer", - "technique_id": "T1105", - "description": "Worm is dropped into the System32 folder", - "confidence": 100, - "effect_refs": [ - "attack-action--2d0ca7f5-25c6-4f85-aab7-9694e1cb4214" - ] - }, - { - "type": "malware", - "id": "malware--b242717a-18bc-4380-bc3b-9e96a2b6e7b2", - "spec_version": "2.1", - "created": "2023-04-07T14:41:51.332Z", - "modified": "2023-04-07T14:41:51.332Z", - "name": "averfx2swtvZ.exe", - "description": "Worm component can have many different names", - "malware_types": [ - "worm" - ], - "is_family": true, - "capabilities": [ - "access-remote-machines", - "infects-remote-machines", - "probes-local-network" - ] - }, - { - "type": "file", - "id": "file--538ab06b-7a80-4a90-b586-8e8e837222a6", - "spec_version": "2.1", - "created": "2023-04-07T14:41:51.332Z", - "modified": "2023-04-07T14:41:51.332Z", - "hashes": "MD5: b41f586fc9c95c66f0967f1592641a85; SHA-1: \t10411f07640edcaa6104f078af09e2543aa0ca07; SHA-256: \t0694bdf9f08e4f4a09d13b7b5a68c0148ceb3fcc79442f4db2aa19dd23681afe", - "size": "260.50 KB", - "name": "averfx2swtvZ.exe", - "ctime": 
"2011-11-28T15:53:13.000Z" - }, - { - "type": "directory", - "id": "directory--2d04594e-97e6-419f-8846-ecc667d28350", - "spec_version": "2.1", - "created": "2023-04-07T14:41:51.332Z", - "modified": "2023-04-07T14:41:51.332Z", - "path": "C:\\Windows\\System32" - }, - { - "type": "file", - "id": "file--a8a30517-52b1-4c70-9814-93e3fd456c26", - "spec_version": "2.1", - "created": "2023-04-07T14:41:51.332Z", - "modified": "2023-04-07T14:41:51.332Z", - "hashes": "MD5: 92fff1d754faab445e90651dfb0ded4d; SHA- 1: \tbf3e0bc893859563811e9a481fde84fe7ecd0684; SHA-256: \t6985ef5809d0789eeff623cd2436534b818fd2843f09fa2de2b4a6e2c0e1a879", - "size": "27.14 KB", - "name": "hdv_725x.sys", - "ctime": "2011-12-28T17:51:24.000Z" - }, - { - "type": "attack-action", - "id": "attack-action--2d0ca7f5-25c6-4f85-aab7-9694e1cb4214", - "spec_version": "2.1", - "created": "2023-04-07T14:41:51.332Z", - "modified": "2023-04-07T14:41:51.332Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "name": "Remote System Discovery", - "technique_id": "T1018", - "description": "Worm scans the local network for potential control servers to connect to", - "confidence": 100, - "effect_refs": [ - "attack-condition--ad9dc433-b702-4ef9-9a89-84f72a90fe85" - ] - }, - { - "type": "attack-condition", - "id": "attack-condition--ad9dc433-b702-4ef9-9a89-84f72a90fe85", - "spec_version": "2.1", - "created": "2023-04-07T14:41:51.332Z", - "modified": "2023-04-07T14:41:51.332Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "description": "Worm connects to remote servers", - "on_true_refs": [ - "attack-action--dfbfce2d-4710-4333-b591-62ef89bbb868" - ] - }, - { - "type": "attack-action", - "id": "attack-action--dfbfce2d-4710-4333-b591-62ef89bbb868", - "spec_version": "2.1", - "created": "2023-04-07T14:41:51.332Z", - "modified": "2023-04-07T14:41:51.332Z", - "extensions": { 
- "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "name": "Lateral Tool Transfer", - "technique_id": "T1570", - "description": "Worm can spread the Shamoon dropper to remote systems", - "confidence": 100 - }, - { - "type": "note", - "id": "note--0b87f10c-f4f6-4d97-9d14-c8dc717bc124", - "spec_version": "2.1", - "created": "2023-04-07T14:41:51.332Z", - "modified": "2023-04-07T14:41:51.332Z", - "content": "The wiper can be used independently from the dropper", - "object_refs": [ - "file--5d5d34f0-e5c5-44ec-99dd-a0489af7c07e" - ] - }, - { - "type": "note", - "id": "note--23503f72-803d-41c0-af57-db208344cd82", - "spec_version": "2.1", - "created": "2023-04-07T14:41:51.332Z", - "modified": "2023-04-07T14:41:51.332Z", - "content": "Shamoon has evolved over the years. This is the name of the Shamoon service created in 2018. In 2016, the service created was NtsSrv. In 2017, the service created was NtertSrv.", - "object_refs": [ - "attack-action--6934aee5-fb1d-456c-a0f8-020991900f6b" - ] - }, - { - "type": "note", - "id": "note--7ce81b7a-c7e4-49e9-9011-cb6e8628cbb2", - "spec_version": "2.1", - "created": "2023-04-07T14:41:51.332Z", - "modified": "2023-04-07T14:41:51.332Z", - "content": "The worm component may not run during the infection. 
The worm and the wiper are mutually exclusive components.", - "object_refs": [ - "attack-condition--d50a040d-b440-4034-8713-23c1c504a9af" - ] - }, - { - "type": "relationship", - "id": "relationship--d4e91887-39a6-4e39-81ce-5bf33694c954", - "spec_version": "2.1", - "created": "2023-04-07T14:41:51.332Z", - "modified": "2023-04-07T14:41:51.332Z", - "relationship_type": "related-to", - "source_ref": "attack-action--45238a64-cca7-4b73-b70e-f2bb9d57f5c6", - "target_ref": "malware--61779767-a88b-4883-a433-b05e0cab925d" - }, - { - "type": "relationship", - "id": "relationship--935b5414-a177-4b6c-b1d3-b128542e8492", - "spec_version": "2.1", - "created": "2023-04-07T14:41:51.332Z", - "modified": "2023-04-07T14:41:51.332Z", - "relationship_type": "related-to", - "source_ref": "attack-action--536348d5-cd08-4031-82e0-612d13187348", - "target_ref": "tool--c344a37f-c1ae-42a1-ac43-ba185ea4bc21" - }, - { - "type": "relationship", - "id": "relationship--c34063d7-0c79-4966-92a2-876587db3f2f", - "spec_version": "2.1", - "created": "2023-04-07T14:41:51.332Z", - "modified": "2023-04-07T14:41:51.332Z", - "relationship_type": "related-to", - "source_ref": "attack-action--536348d5-cd08-4031-82e0-612d13187348", - "target_ref": "malware--8330215a-4eb4-4812-87e6-1e5b14ac4205" - }, - { - "type": "relationship", - "id": "relationship--dde370c1-08ab-4790-bfc2-bab7963a2176", - "spec_version": "2.1", - "created": "2023-04-07T14:41:51.332Z", - "modified": "2023-04-07T14:41:51.332Z", - "relationship_type": "related-to", - "source_ref": "attack-action--536348d5-cd08-4031-82e0-612d13187348", - "target_ref": "malware--c658e292-4c33-44b7-801b-c40323499950" - }, - { - "type": "relationship", - "id": "relationship--18408c53-a2b8-4ef7-bcb9-c209ec619de6", - "spec_version": "2.1", - "created": "2023-04-07T14:41:51.332Z", - "modified": "2023-04-07T14:41:51.332Z", - "relationship_type": "related-to", - "source_ref": "malware--61779767-a88b-4883-a433-b05e0cab925d", - "target_ref": 
"file--e46c754c-c096-4f87-920d-ad5c92a47831" - }, - { - "type": "relationship", - "id": "relationship--8a94a741-f6b5-45d0-ad97-fc76fb9f4458", - "spec_version": "2.1", - "created": "2023-04-07T14:41:51.332Z", - "modified": "2023-04-07T14:41:51.332Z", - "relationship_type": "related-to", - "source_ref": "attack-action--f468a33c-d9e2-4938-9412-658e256acedf", - "target_ref": "file--057c8ab8-947c-47ec-8a01-8296cbbc3907" - }, - { - "type": "relationship", - "id": "relationship--f9306054-6504-4135-b418-7827968084bb", - "spec_version": "2.1", - "created": "2023-04-07T14:41:51.332Z", - "modified": "2023-04-07T14:41:51.332Z", - "relationship_type": "related-to", - "source_ref": "file--057c8ab8-947c-47ec-8a01-8296cbbc3907", - "target_ref": "directory--713c50dc-64a9-4854-8804-1adffd42791e" - }, - { - "type": "relationship", - "id": "relationship--644a0604-cc8e-43f2-9f9e-cfe920f42391", - "spec_version": "2.1", - "created": "2023-04-07T14:41:51.332Z", - "modified": "2023-04-07T14:41:51.332Z", - "relationship_type": "related-to", - "source_ref": "attack-action--bcd6b440-aa42-43c0-90a7-af7a6d29ea61", - "target_ref": "file--e342d706-bde4-4985-890c-5a679b36399e" - }, - { - "type": "relationship", - "id": "relationship--d968c7e9-784b-4a73-8217-7c8911e02c1f", - "spec_version": "2.1", - "created": "2023-04-07T14:41:51.332Z", - "modified": "2023-04-07T14:41:51.332Z", - "relationship_type": "related-to", - "source_ref": "attack-action--bcd6b440-aa42-43c0-90a7-af7a6d29ea61", - "target_ref": "file--165ada62-d185-4ba9-9c6b-6654c71e017e" - }, - { - "type": "relationship", - "id": "relationship--935afa9b-96c7-48f9-bb04-c8149d082215", - "spec_version": "2.1", - "created": "2023-04-07T14:41:51.332Z", - "modified": "2023-04-07T14:41:51.332Z", - "relationship_type": "related-to", - "source_ref": "file--165ada62-d185-4ba9-9c6b-6654c71e017e", - "target_ref": "directory--2ea57f2a-3c00-4f3b-811a-0a10e7685fd9" - }, - { - "type": "relationship", - "id": 
"relationship--325c313b-353c-4915-83d4-027e1c8314b5", - "spec_version": "2.1", - "created": "2023-04-07T14:41:51.332Z", - "modified": "2023-04-07T14:41:51.332Z", - "relationship_type": "related-to", - "source_ref": "file--e342d706-bde4-4985-890c-5a679b36399e", - "target_ref": "directory--280eb736-0baf-4a96-97e0-65a3466cb799" - }, - { - "type": "relationship", - "id": "relationship--ea876d39-e445-4803-9d7b-a017f3135692", - "spec_version": "2.1", - "created": "2023-04-07T14:41:51.332Z", - "modified": "2023-04-07T14:41:51.332Z", - "relationship_type": "related-to", - "source_ref": "attack-action--7573f4c7-5cef-4aaf-853b-391dc145dd81", - "target_ref": "infrastructure--f4146823-dc6c-4ece-add5-b99632572876" - }, - { - "type": "relationship", - "id": "relationship--fb763d01-56d9-4696-a410-3428cd2cebca", - "spec_version": "2.1", - "created": "2023-04-07T14:41:51.332Z", - "modified": "2023-04-07T14:41:51.332Z", - "relationship_type": "related-to", - "source_ref": "attack-action--7573f4c7-5cef-4aaf-853b-391dc145dd81", - "target_ref": "infrastructure--e564b7fb-d887-4ba0-a67c-7dec8bc2649f" - }, - { - "type": "relationship", - "id": "relationship--c305db0a-d997-4592-ac5b-280b22fe81a1", - "spec_version": "2.1", - "created": "2023-04-07T14:41:51.332Z", - "modified": "2023-04-07T14:41:51.332Z", - "relationship_type": "related-to", - "source_ref": "attack-action--7573f4c7-5cef-4aaf-853b-391dc145dd81", - "target_ref": "infrastructure--842a04a1-0a42-4217-9514-8787ec2e4471" - }, - { - "type": "relationship", - "id": "relationship--35030a67-50a5-4dcc-8c81-1e7302f54274", - "spec_version": "2.1", - "created": "2023-04-07T14:41:51.332Z", - "modified": "2023-04-07T14:41:51.332Z", - "relationship_type": "related-to", - "source_ref": "attack-action--7573f4c7-5cef-4aaf-853b-391dc145dd81", - "target_ref": "infrastructure--aa463037-9cd7-486b-a70a-4e9c110404eb" - }, - { - "type": "relationship", - "id": "relationship--cf62ac6f-c6a4-4e4d-b5c5-f0d6b7eb0b91", - "spec_version": "2.1", - "created": 
"2023-04-07T14:41:51.332Z", - "modified": "2023-04-07T14:41:51.332Z", - "relationship_type": "related-to", - "source_ref": "attack-action--b18d81cf-9c59-413d-b148-45a2067adbbd", - "target_ref": "malware--a55fe43a-7622-4094-ae85-d86304ae71de" - }, - { - "type": "relationship", - "id": "relationship--b8095159-3de1-4808-9c2f-a4df5743aa73", - "spec_version": "2.1", - "created": "2023-04-07T14:41:51.332Z", - "modified": "2023-04-07T14:41:51.332Z", - "relationship_type": "related-to", - "source_ref": "malware--a55fe43a-7622-4094-ae85-d86304ae71de", - "target_ref": "directory--e8d2e666-4458-4aac-b1dc-012a94de815c" - }, - { - "type": "relationship", - "id": "relationship--b28e1b22-b6d2-491a-9252-6a7776f7e92d", - "spec_version": "2.1", - "created": "2023-04-07T14:41:51.332Z", - "modified": "2023-04-07T14:41:51.332Z", - "relationship_type": "related-to", - "source_ref": "malware--a55fe43a-7622-4094-ae85-d86304ae71de", - "target_ref": "file--5d5d34f0-e5c5-44ec-99dd-a0489af7c07e" - }, - { - "type": "relationship", - "id": "relationship--f7d35202-592b-4dbc-8337-d8c04ed417cd", - "spec_version": "2.1", - "created": "2023-04-07T14:41:51.332Z", - "modified": "2023-04-07T14:41:51.332Z", - "relationship_type": "related-to", - "source_ref": "attack-action--697e8511-7e7e-48b3-aff7-0bf6b15bc868", - "target_ref": "malware--e6bee1d3-8348-4b91-a453-86e1d8e9dfc3" - }, - { - "type": "relationship", - "id": "relationship--a04703bb-d294-4020-a6ce-45564ba7a2dc", - "spec_version": "2.1", - "created": "2023-04-07T14:41:51.332Z", - "modified": "2023-04-07T14:41:51.332Z", - "relationship_type": "related-to", - "source_ref": "malware--e6bee1d3-8348-4b91-a453-86e1d8e9dfc3", - "target_ref": "file--a8a30517-52b1-4c70-9814-93e3fd456c26" - }, - { - "type": "relationship", - "id": "relationship--5d23e738-28a5-4939-97c7-8d321d5603b2", - "spec_version": "2.1", - "created": "2023-04-07T14:41:51.332Z", - "modified": "2023-04-07T14:41:51.332Z", - "relationship_type": "related-to", - "source_ref": 
"attack-action--ef1f8cce-2e33-4444-bf37-e5c1d4bc20c2", - "target_ref": "malware--b242717a-18bc-4380-bc3b-9e96a2b6e7b2" - }, - { - "type": "relationship", - "id": "relationship--cf483f83-2ad9-443f-bc21-6afa9c7d938c", - "spec_version": "2.1", - "created": "2023-04-07T14:41:51.332Z", - "modified": "2023-04-07T14:41:51.332Z", - "relationship_type": "related-to", - "source_ref": "malware--b242717a-18bc-4380-bc3b-9e96a2b6e7b2", - "target_ref": "file--538ab06b-7a80-4a90-b586-8e8e837222a6" - }, - { - "type": "relationship", - "id": "relationship--48f4fc23-e505-41d6-8129-d76af41e4933", - "spec_version": "2.1", - "created": "2023-04-07T14:41:51.332Z", - "modified": "2023-04-07T14:41:51.332Z", - "relationship_type": "related-to", - "source_ref": "malware--b242717a-18bc-4380-bc3b-9e96a2b6e7b2", - "target_ref": "directory--2d04594e-97e6-419f-8846-ecc667d28350" - } - ] -} \ No newline at end of file diff --git a/corpus/SolarWinds.json b/corpus/SolarWinds.json deleted file mode 100644 index 4ca1508b..00000000 --- a/corpus/SolarWinds.json +++ /dev/null 
@@ -1,1179 +0,0 @@ -{ - "type": "bundle", - "id": "bundle--9657d44f-7e7e-4046-a005-826f8f049b62", - "spec_version": "2.1", - "created": "2023-01-04T19:58:12.146Z", - "modified": "2023-01-04T19:58:12.146Z", - "objects": [ - { - "type": "extension-definition", - "id": "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4", - "spec_version": "2.1", - "created": "2022-08-02T19:34:35.143Z", - "modified": "2022-08-02T19:34:35.143Z", - "name": "Attack Flow", - "description": "Extends STIX 2.1 with features to create Attack Flows.", - "created_by_ref": "identity--fb9c968a-745b-4ade-9b25-c324172197f4", - "schema": "https://center-for-threat-informed-defense.github.io/attack-flow/stix/attack-flow-schema-2.0.0.json", - "version": "2.0.0", - "extension_types": [ - "new-sdo" - ], - "external_references": [ - { - "source_name": "Documentation", - "description": "Documentation for Attack Flow", - "url": "https://center-for-threat-informed-defense.github.io/attack-flow" - }, - { - "source_name": "GitHub", - "description": "Source code repository for Attack Flow", - "url": "https://github.com/center-for-threat-informed-defense/attack-flow" - } - ] - }, - { - "type": "identity", - "id": "identity--fb9c968a-745b-4ade-9b25-c324172197f4", - "spec_version": "2.1", - "created": "2022-08-02T19:34:35.143Z", - "modified": "2022-08-02T19:34:35.143Z", - "create_by_ref": "identity--fb9c968a-745b-4ade-9b25-c324172197f4", - "name": "MITRE Engenuity Center for Threat-Informed Defense", - "identity_class": "organization" - }, - { - "type": "attack-flow", - "id": "attack-flow--74811f7e-911b-4400-a0e3-64703656ded4", - "spec_version": "2.1", - "created": "2022-10-27T02:44:54.520Z", - "modified": "2023-01-04T19:58:12.147Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "created_by_ref": "identity--bffde0e4-5ec5-49e9-8660-777cfe729c97", - "start_refs": [ - "attack-action--384373d8-dbe0-425e-aeaf-ad8c70fc11be", - 
"attack-action--fce268a4-4a5d-46a0-a180-eea719995110" - ], - "name": "SolarWinds", - "description": "A well-known supply chain attack against an Austin, TX software company.", - "author": [ - [ - "name", - "Lauren Parker" - ], - [ - "identity_class", - "23b79ae0fc0f07a3669598dd23c694cc" - ], - [ - "contact_information", - "lparker@mitre.org" - ] - ], - "scope": "incident", - "external_references": [ - { - "source_name": "Picus", - "description": "Article", - "url": "https://www.picussecurity.com/resource/blog/ttps-used-in-the-solarwinds-breach" - }, - { - "source_name": "Microsoft", - "description": "Article", - "url": "https://www.microsoft.com/en-us/security/blog/2020/12/18/analyzing-solorigate-the-compromised-dll-file-that-started-a-sophisticated-cyberattack-and-how-microsoft-defender-helps-protect/" - }, - { - "source_name": "Comodo Cybersecurity", - "description": "Article", - "url": "https://techtalk.comodo.com/2020/12/23/sunburst-apt-against-solarwind-mapped-to-kill-chain/" - }, - { - "source_name": "Microsoft", - "description": "Article", - "url": "https://www.microsoft.com/en-us/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/" - } - ] - }, - { - "type": "identity", - "id": "identity--bffde0e4-5ec5-49e9-8660-777cfe729c97", - "spec_version": "2.1", - "created": "2023-01-04T19:58:12.147Z", - "modified": "2023-01-04T19:58:12.147Z", - "name": "Lauren Parker", - "identity_class": "individual", - "contact_information": "lparker@mitre.org" - }, - { - "type": "attack-action", - "id": "attack-action--384373d8-dbe0-425e-aeaf-ad8c70fc11be", - "spec_version": "2.1", - "created": "2023-01-04T19:58:12.147Z", - "modified": "2023-01-04T19:58:12.147Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "name": "Develop Capabilities: Malware", - "technique_id": "T1587.001", - "description": "Attackers embedded their malicious 
payload on a legitimate component of the SolarWinds Orion Platform software. This component is a DLL library, SolarWinds.Orion.Core.BusinessLayer.dll", - "confidence": 100, - "effect_refs": [ - "attack-operator--b0aa9f11-7722-4a9f-becd-065964a53325" - ] - }, - { - "type": "threat-actor", - "id": "threat-actor--6eb7eb9a-f5e5-4943-8c29-316084ceb64f", - "spec_version": "2.1", - "created": "2023-01-04T19:58:12.147Z", - "modified": "2023-01-04T19:58:12.147Z", - "name": "APT29", - "description": "In April 2021, the US and UK governments attributed the SolarWinds breach to the SVR, and public citations referenced APT29.", - "first_seen": "2008-01-01T00:00:00.000Z", - "roles": [ - "Director" - ], - "sophistication": "strategic", - "resource_level": "government", - "primary_motivation": "organizational-gain" - }, - { - "type": "campaign", - "id": "campaign--ec6a234a-cc7b-46fd-9600-a64e9a8c3184", - "spec_version": "2.1", - "created": "2023-01-04T19:58:12.147Z", - "modified": "2023-01-04T19:58:12.147Z", - "name": "SolarWinds Breach", - "description": "Attackers compromised the infrastructure of SolarWinds, a network monitoring service. 
In March 2020, SolarWinds unknowingly pushed out malicious updates to thousands of private and public organizations.", - "objective": "conduct a supply chain attack to maintain long-term network access in a large number of organizations and potentially government entitites" - }, - { - "type": "attack-action", - "id": "attack-action--fce268a4-4a5d-46a0-a180-eea719995110", - "spec_version": "2.1", - "created": "2023-01-04T19:58:12.147Z", - "modified": "2023-01-04T19:58:12.147Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "name": "Subvert Trust Controls: Code Signing", - "technique_id": "T1553.002", - "description": "To bypass application control technologies, adversaries sign their malware with valid signatures by creating, acquiring, or stealing code-signing materials. The attackers compromised the SolarWinds digital certificates, allowing them to run privileged actions and maintain a low profile", - "confidence": 100, - "effect_refs": [ - "attack-operator--b0aa9f11-7722-4a9f-becd-065964a53325" - ] - }, - { - "type": "attack-operator", - "id": "attack-operator--b0aa9f11-7722-4a9f-becd-065964a53325", - "spec_version": "2.1", - "created": "2023-01-04T19:58:12.147Z", - "modified": "2023-01-04T19:58:12.147Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "operator": "AND", - "effect_refs": [ - "attack-action--0c739735-a984-4897-bc2f-a8737deff66f" - ] - }, - { - "type": "attack-action", - "id": "attack-action--0c739735-a984-4897-bc2f-a8737deff66f", - "spec_version": "2.1", - "created": "2023-01-04T19:58:12.147Z", - "modified": "2023-01-04T19:58:12.147Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "name": "Supply Chain Compromise: Compromise Software Supply Chain", - "technique_id": "T1195.002", - "description": "The malicious DLL 
file was distributed to victims through an automated update mechanism", - "confidence": 100, - "effect_refs": [ - "attack-action--b9ac316b-c623-4fe3-8ab2-eb8673081edc" - ] - }, - { - "type": "attack-action", - "id": "attack-action--b9ac316b-c623-4fe3-8ab2-eb8673081edc", - "spec_version": "2.1", - "created": "2023-01-04T19:58:12.147Z", - "modified": "2023-01-04T19:58:12.147Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "name": "System Services: Service Execution", - "technique_id": "T1569.002", - "description": "During the SolarWinds installation or update to victim machines, the tampered DLL is loaded by legitimate executables and installed as a Windows service. The malicious code calls the function that contains the backdoor capabilities", - "confidence": 100, - "effect_refs": [ - "attack-action--68866dd4-7e92-4e0a-a8dc-aff4df1d46df", - "attack-action--231bdc8e-30ab-4d7c-8e85-2d8ce9b1278e" - ] - }, - { - "type": "attack-action", - "id": "attack-action--68866dd4-7e92-4e0a-a8dc-aff4df1d46df", - "spec_version": "2.1", - "created": "2023-01-04T19:58:12.147Z", - "modified": "2023-01-04T19:58:12.147Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "name": "Virtualization/Sandbox Evasion: Time Based Evasion", - "technique_id": "T1497.003", - "description": " Once loaded, the backdoor runs a series of checks to ensure it is running in an actual environment. 
The backdoor also checks that the last write-time of the malicious DLL was 12-14 days ago", - "confidence": 100, - "effect_refs": [ - "attack-operator--f48d14a6-d389-41ad-b3b3-f4cdda81ed99" - ] - }, - { - "type": "attack-action", - "id": "attack-action--231bdc8e-30ab-4d7c-8e85-2d8ce9b1278e", - "spec_version": "2.1", - "created": "2023-01-04T19:58:12.147Z", - "modified": "2023-01-04T19:58:12.147Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "name": "Software Discovery: Security Software Discovery", - "technique_id": "T1497.003", - "description": "The backdoor checks for a variety of antivirus/endpoint detection agents prior to execution (e.g. Windbg, Autoruns, Wireshark)", - "confidence": 100, - "effect_refs": [ - "attack-operator--f48d14a6-d389-41ad-b3b3-f4cdda81ed99" - ] - }, - { - "type": "attack-operator", - "id": "attack-operator--f48d14a6-d389-41ad-b3b3-f4cdda81ed99", - "spec_version": "2.1", - "created": "2023-01-04T19:58:12.147Z", - "modified": "2023-01-04T19:58:12.147Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "operator": "AND", - "effect_refs": [ - "attack-condition--8616b44b-523e-4d70-9535-752cab08d87c" - ] - }, - { - "type": "attack-condition", - "id": "attack-condition--8616b44b-523e-4d70-9535-752cab08d87c", - "spec_version": "2.1", - "created": "2023-01-04T19:58:12.147Z", - "modified": "2023-01-04T19:58:12.147Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "description": "The backdoor determines it is running in a real environment, and there are no running process related to security-related software", - "on_true_refs": [ - "attack-action--b04df257-4f67-487d-a60a-077518519cab" - ], - "on_false_refs": [ - "attack-action--dc540c5c-a840-4cd1-afd3-f887297f9593" - ] - }, - { - "type": "attack-action", - "id": 
"attack-action--b04df257-4f67-487d-a60a-077518519cab", - "spec_version": "2.1", - "created": "2023-01-04T19:58:12.147Z", - "modified": "2023-01-04T19:58:12.147Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "name": "Process Discovery", - "technique_id": "T1057", - "description": "The backdoor conducts basic reconnaissance on the compromised system to determine running processes to report to the C2 server.", - "confidence": 100, - "effect_refs": [ - "attack-operator--fea5f208-ab16-4c3c-88b6-4c61c5a58e05" - ] - }, - { - "type": "attack-action", - "id": "attack-action--dc540c5c-a840-4cd1-afd3-f887297f9593", - "spec_version": "2.1", - "created": "2023-01-04T19:58:12.147Z", - "modified": "2023-01-04T19:58:12.147Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "name": "Query Registration", - "technique_id": "T1012", - "description": "The attacker obtains the MachineGuid registry value. 
This value is used to dynamically generate a portion of the C2 domain, along with the physical address of the interface and the domain name of the device", - "confidence": 100, - "effect_refs": [ - "attack-operator--fea5f208-ab16-4c3c-88b6-4c61c5a58e05" - ] - }, - { - "type": "attack-operator", - "id": "attack-operator--fea5f208-ab16-4c3c-88b6-4c61c5a58e05", - "spec_version": "2.1", - "created": "2023-01-04T19:58:12.147Z", - "modified": "2023-01-04T19:58:12.147Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "operator": "AND", - "effect_refs": [ - "attack-action--bf2e8e32-d299-4094-a3ae-103a2488c931" - ] - }, - { - "type": "attack-action", - "id": "attack-action--bf2e8e32-d299-4094-a3ae-103a2488c931", - "spec_version": "2.1", - "created": "2023-01-04T19:58:12.147Z", - "modified": "2023-01-04T19:58:12.147Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "name": "Dynamic Resolution: Domain Generation Algorithm", - "technique_id": "T1568.002", - "description": " Adversaries use DGAs to dynamically generate a C2 domain rather than relying on static IP addresses", - "confidence": 100, - "effect_refs": [ - "attack-condition--7fdffb38-02ce-45a5-9041-45610e8a7344" - ] - }, - { - "type": "attack-condition", - "id": "attack-condition--7fdffb38-02ce-45a5-9041-45610e8a7344", - "spec_version": "2.1", - "created": "2023-01-04T19:58:12.147Z", - "modified": "2023-01-04T19:58:12.147Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "description": "The backdoor successfully contacts the C2 server", - "on_true_refs": [ - "attack-action--4d69ebea-7c78-41b1-87bb-e75d84d5f319", - "attack-action--e738e657-299f-4290-b9f8-a6dbec1e8c51" - ], - "on_false_refs": [ - "attack-action--a5c0b555-c306-4629-a9ba-e4a8fc67105e" - ] - }, - { - "type": "attack-action", - 
"id": "attack-action--4d69ebea-7c78-41b1-87bb-e75d84d5f319", - "spec_version": "2.1", - "created": "2023-01-04T19:58:12.147Z", - "modified": "2023-01-04T19:58:12.147Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "name": "Data Encoding", - "technique_id": "T1132", - "description": "The C2 responds with an encoded buffer of commands for the backdoor to execute. The commands allow the attackers to run, stop, enumerate processes; read, write, enumerate files and registry keys; collect and upload information about the device; and restart the device", - "confidence": 100, - "effect_refs": [ - "attack-operator--e9d27e28-6937-4b24-a6c9-d2cd07517da1" - ] - }, - { - "type": "attack-action", - "id": "attack-action--e738e657-299f-4290-b9f8-a6dbec1e8c51", - "spec_version": "2.1", - "created": "2023-01-04T19:58:12.147Z", - "modified": "2023-01-04T19:58:12.147Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "name": " Masquerading: Match Legitimate Name or Location", - "technique_id": "T1036.005", - "description": "The attackers used a legitimate hostname found within the victim's environment as the hostname on their C2 infrastructure to avoid detection. 
The malware also masquerades its C2 traffic as the Orion Improvement Program (OIP) Protocol", - "confidence": 100, - "effect_refs": [ - "attack-operator--e9d27e28-6937-4b24-a6c9-d2cd07517da1" - ] - }, - { - "type": "attack-action", - "id": "attack-action--a5c0b555-c306-4629-a9ba-e4a8fc67105e", - "spec_version": "2.1", - "created": "2023-01-04T19:58:12.147Z", - "modified": "2023-01-04T19:58:12.147Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "name": "Masquerading: Match Legitimate Name or Location", - "technique_id": "T1036.005", - "description": "The executing process creates two files on disk. 1) A VBScript typically named after existing services or folders to avoid detection. 2) The second-stage TEARDROP Cobalt Strike loader written into a legitimate-looking subfolder %WinDir%", - "confidence": 100, - "effect_refs": [ - "attack-action--ff70d616-d686-4bfd-a290-0f52985f7846" - ] - }, - { - "type": "attack-operator", - "id": "attack-operator--e9d27e28-6937-4b24-a6c9-d2cd07517da1", - "spec_version": "2.1", - "created": "2023-01-04T19:58:12.147Z", - "modified": "2023-01-04T19:58:12.147Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "operator": "AND", - "effect_refs": [ - "attack-action--b0bc5a83-a0bb-4bf9-93b9-e63638820963", - "attack-action--d5ed6bf4-dddc-435a-bd3c-114320a8e730", - "attack-action--60ff27b6-55dc-40b5-8eb7-50d340913c43", - "attack-action--57bb50a9-f2eb-4b6f-8754-efcbf4619d4b" - ] - }, - { - "type": "attack-action", - "id": "attack-action--b0bc5a83-a0bb-4bf9-93b9-e63638820963", - "spec_version": "2.1", - "created": "2023-01-04T19:58:12.147Z", - "modified": "2023-01-04T19:58:12.147Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "name": "Defense Evasion- Impair Defenses: Disable or Modify System Firewall", - 
"technique_id": "T1562.004", - "description": "Attackers used NETSH to configure firewall rules that limit certain UDP outbound packets before intense reconnaissance with NSLOOKUP and ADFIND", - "confidence": 100, - "effect_refs": [ - "attack-condition--025e3263-e23a-43fd-a020-fc2b6a1c6491" - ] - }, - { - "type": "tool", - "id": "tool--c5ed82e7-96b4-4f42-83e0-2a1f10692da0", - "spec_version": "2.1", - "created": "2023-01-04T19:58:12.147Z", - "modified": "2023-01-04T19:58:12.147Z", - "name": "NETSH", - "description": "Command-line scripting utility that allows users to display or modify the network configuration of the running computer", - "tool_types": [ - "unknown" - ] - }, - { - "type": "tool", - "id": "tool--e01ce937-a9cd-412b-b38b-7faff606dfce", - "spec_version": "2.1", - "created": "2023-01-04T19:58:12.147Z", - "modified": "2023-01-04T19:58:12.147Z", - "name": "nslookup", - "description": "Tool to query DNS to find the mapping between hostnames and IP addresses", - "tool_types": [ - "information-gathering" - ] - }, - { - "type": "tool", - "id": "tool--adc37497-0035-4257-a920-f33140543187", - "spec_version": "2.1", - "created": "2023-01-04T19:58:12.147Z", - "modified": "2023-01-04T19:58:12.147Z", - "name": "adfind", - "description": "Free command-line query tool that can be used to gather information from Active Directory", - "tool_types": [ - "information-gathering" - ] - }, - { - "type": "attack-action", - "id": "attack-action--d5ed6bf4-dddc-435a-bd3c-114320a8e730", - "spec_version": "2.1", - "created": "2023-01-04T19:58:12.147Z", - "modified": "2023-01-04T19:58:12.147Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "name": "Domain Trust Discovery", - "technique_id": "T1482", - "description": " Attackers executed ADFIND to enumerate domains and to discover trust between federated accounts with a renamed filename chosen to blend into the environment", - "confidence": 100, - 
"effect_refs": [ - "attack-condition--025e3263-e23a-43fd-a020-fc2b6a1c6491" - ] - }, - { - "type": "attack-action", - "id": "attack-action--60ff27b6-55dc-40b5-8eb7-50d340913c43", - "spec_version": "2.1", - "created": "2023-01-04T19:58:12.147Z", - "modified": "2023-01-04T19:58:12.147Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "name": "Masquerading: Rename System Utilities", - "technique_id": "T1036.003", - "description": "The attackers renamed Windows admin tools to conduct reconnaissance to avoid detection", - "confidence": 100, - "effect_refs": [ - "attack-condition--025e3263-e23a-43fd-a020-fc2b6a1c6491" - ] - }, - { - "type": "attack-action", - "id": "attack-action--57bb50a9-f2eb-4b6f-8754-efcbf4619d4b", - "spec_version": "2.1", - "created": "2023-01-04T19:58:12.147Z", - "modified": "2023-01-04T19:58:12.147Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "name": "Process Discovery", - "technique_id": "T1057", - "description": "Attackers used WMI to discover processes, services, and signed-in users on remote systems", - "confidence": 100, - "effect_refs": [ - "attack-condition--025e3263-e23a-43fd-a020-fc2b6a1c6491" - ] - }, - { - "type": "attack-action", - "id": "attack-action--ff70d616-d686-4bfd-a290-0f52985f7846", - "spec_version": "2.1", - "created": "2023-01-04T19:58:12.147Z", - "modified": "2023-01-04T19:58:12.147Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "name": "Event Triggered Execution: Image File Execution Options Injection", - "technique_id": "T1546", - "description": "The attackers created a IFEO Debugger registry value for dllhost.exe to trigger execution of the installation of Cobalt Strike", - "confidence": 100, - "effect_refs": [ - "attack-action--8d74fbce-5685-4392-a134-36d67f082742" - ] - }, - { - 
"type": "attack-condition", - "id": "attack-condition--025e3263-e23a-43fd-a020-fc2b6a1c6491", - "spec_version": "2.1", - "created": "2023-01-04T19:58:12.147Z", - "modified": "2023-01-04T19:58:12.147Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "description": "Attacker enumerates the network", - "on_true_refs": [ - "attack-action--42e110be-0852-4c33-bb32-a6bde8fc95e8", - "attack-action--1850d451-cbfd-4557-869b-386321a39a44", - "attack-action--796fb2bb-4bf5-4139-907b-56411e8d7080" - ] - }, - { - "type": "attack-action", - "id": "attack-action--1850d451-cbfd-4557-869b-386321a39a44", - "spec_version": "2.1", - "created": "2023-01-04T19:58:12.147Z", - "modified": "2023-01-04T19:58:12.147Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "name": "Steal or Forge Kerberos Tickets: Kerberoasting", - "technique_id": "T1558.003", - "description": "Attackers obtained Ticket Granting Service (TGS) tickets for Active Directory Service Principal Names (SPNs) to crack offline", - "confidence": 100, - "effect_refs": [ - "attack-condition--5b48c5ab-bfe1-42b5-a361-cea572b8013d" - ] - }, - { - "type": "attack-action", - "id": "attack-action--42e110be-0852-4c33-bb32-a6bde8fc95e8", - "spec_version": "2.1", - "created": "2023-01-04T19:58:12.147Z", - "modified": "2023-01-04T19:58:12.147Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "name": "Credentials from Password Stores", - "technique_id": "T1555", - "description": " Attackers attempted to access Group Managed Service Account (gMSA) passwords with account credentials already compromised ", - "confidence": 100, - "effect_refs": [ - "attack-condition--5b48c5ab-bfe1-42b5-a361-cea572b8013d" - ] - }, - { - "type": "attack-action", - "id": "attack-action--796fb2bb-4bf5-4139-907b-56411e8d7080", - 
"spec_version": "2.1", - "created": "2023-01-04T19:58:12.147Z", - "modified": "2023-01-04T19:58:12.147Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "name": "OS Credential Dumping: DCSync", - "technique_id": "T1003.006", - "description": "Attackers executed a DCSync attack in which they leveraged privileged accounts to access credentials", - "confidence": 100, - "effect_refs": [ - "attack-condition--5b48c5ab-bfe1-42b5-a361-cea572b8013d" - ] - }, - { - "type": "attack-action", - "id": "attack-action--8d74fbce-5685-4392-a134-36d67f082742", - "spec_version": "2.1", - "created": "2023-01-04T19:58:12.147Z", - "modified": "2023-01-04T19:58:12.147Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "name": "Create or Modify System Process: Windows Service", - "technique_id": "T1543.003", - "description": "The TEARDROP malware is run through rundll32.exe, which runs as a service in the background to estabish persistence", - "confidence": 100, - "effect_refs": [ - "attack-action--ec689feb-2e71-45bd-808a-2f7a8cd78a7b" - ] - }, - { - "type": "attack-action", - "id": "attack-action--ec689feb-2e71-45bd-808a-2f7a8cd78a7b", - "spec_version": "2.1", - "created": "2023-01-04T19:58:12.147Z", - "modified": "2023-01-04T19:58:12.147Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "name": "Modify Registry", - "technique_id": "T1112", - "description": "The VBScript removes the previously created registry value to clean up any traces of execution and deletes two more registry keys in HKEY_CURRENT_USER\\.DEFAULT", - "confidence": 100, - "effect_refs": [ - "attack-action--4737ef94-c67f-461d-a616-8d04d949a790" - ] - }, - { - "type": "attack-condition", - "id": "attack-condition--5b48c5ab-bfe1-42b5-a361-cea572b8013d", - "spec_version": "2.1", - "created": 
"2023-01-04T19:58:12.147Z", - "modified": "2023-01-04T19:58:12.147Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "description": "Attacker has credentials", - "on_true_refs": [ - "attack-action--fbccf7e7-4d2b-4f19-9ebb-6acab1322eb2" - ] - }, - { - "type": "attack-action", - "id": "attack-action--fbccf7e7-4d2b-4f19-9ebb-6acab1322eb2", - "spec_version": "2.1", - "created": "2023-01-04T19:58:12.147Z", - "modified": "2023-01-04T19:58:12.147Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "name": "Defense Evasion - Impair Defenses: Disable or Modify Tools", - "technique_id": "T1562.001", - "description": "Attackers used the service control manager on a remote system to disable security monitoring processes before moving laterally. After they completed their lateral movement, they reenabled the services to avoid detection", - "confidence": 100, - "effect_refs": [ - "attack-action--f55a3f10-2a62-47f2-98b3-78d4983a2b87", - "attack-action--1ccc8112-936d-4237-9211-ebf6155d42f1" - ] - }, - { - "type": "attack-action", - "id": "attack-action--f55a3f10-2a62-47f2-98b3-78d4983a2b87", - "spec_version": "2.1", - "created": "2023-01-04T19:58:12.147Z", - "modified": "2023-01-04T19:58:12.147Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "name": "Scheduled Task/Job", - "technique_id": "T1053", - "description": "PowerShell remote task creation enabling lateral movement ", - "confidence": 100, - "effect_refs": [ - "attack-operator--5657cc82-defc-497d-91f0-14de0a9e8f2e" - ] - }, - { - "type": "attack-action", - "id": "attack-action--1ccc8112-936d-4237-9211-ebf6155d42f1", - "spec_version": "2.1", - "created": "2023-01-04T19:58:12.147Z", - "modified": "2023-01-04T19:58:12.147Z", - "extensions": { - 
"extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "name": "Valid Accounts", - "technique_id": "T1078", - "description": "The attackers used valid accounts to move laterally", - "confidence": 100, - "effect_refs": [ - "attack-operator--5657cc82-defc-497d-91f0-14de0a9e8f2e" - ] - }, - { - "type": "attack-operator", - "id": "attack-operator--5657cc82-defc-497d-91f0-14de0a9e8f2e", - "spec_version": "2.1", - "created": "2023-01-04T19:58:12.147Z", - "modified": "2023-01-04T19:58:12.147Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "operator": "AND", - "effect_refs": [ - "attack-condition--47a4f84e-4c63-49f3-8826-856d3178c0e2" - ] - }, - { - "type": "attack-condition", - "id": "attack-condition--47a4f84e-4c63-49f3-8826-856d3178c0e2", - "spec_version": "2.1", - "created": "2023-01-04T19:58:12.147Z", - "modified": "2023-01-04T19:58:12.147Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "description": "Attacker is able to move laterally", - "on_true_refs": [ - "attack-action--4737ef94-c67f-461d-a616-8d04d949a790" - ] - }, - { - "type": "attack-action", - "id": "attack-action--4737ef94-c67f-461d-a616-8d04d949a790", - "spec_version": "2.1", - "created": "2023-01-04T19:58:12.147Z", - "modified": "2023-01-04T19:58:12.147Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "name": "Masquerading", - "technique_id": "T1036", - "description": "During lateral movement, custom-loader DLLs, including TEARDROP, were deployed into exiting Windows sub-directories. 
The files resemble legitimate Windows file and directory names", - "confidence": 100, - "effect_refs": [ - "attack-action--f69ad6fa-05c5-48b9-bfea-7201321c6909" - ] - }, - { - "type": "attack-action", - "id": "attack-action--f69ad6fa-05c5-48b9-bfea-7201321c6909", - "spec_version": "2.1", - "created": "2023-01-04T19:58:12.147Z", - "modified": "2023-01-04T19:58:12.147Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "name": "Windows Management Instrumentation", - "technique_id": "T1047", - "description": "When executed during lateral movement, rundll32 ran through WMIC. The Cobalt Strike beacon was loaded onto the machine", - "confidence": 100, - "effect_refs": [ - "attack-action--fbc07276-1257-44e8-a855-3b1fa3d95290" - ] - }, - { - "type": "tool", - "id": "tool--a4b72723-7fd9-45d1-a108-1559637aa9eb", - "spec_version": "2.1", - "created": "2023-01-04T19:58:12.147Z", - "modified": "2023-01-04T19:58:12.147Z", - "name": "WMIC", - "tool_types": [ - "unknown" - ] - }, - { - "type": "attack-action", - "id": "attack-action--fbc07276-1257-44e8-a855-3b1fa3d95290", - "spec_version": "2.1", - "created": "2023-01-04T19:58:12.147Z", - "modified": "2023-01-04T19:58:12.147Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "name": "Indicator Removal on Host", - "technique_id": "T1070", - "description": "According to Microsoft, the Cobalt Strike DLL was likely deleted after execution to avoid forensic discovery", - "confidence": 70, - "effect_refs": [ - "attack-action--e08ff657-a12d-4ed7-bbe5-be90b963a153" - ] - }, - { - "type": "tool", - "id": "tool--55ef0067-c0ce-4aa0-9ffd-85b1e72a4791", - "spec_version": "2.1", - "created": "2023-01-04T19:58:12.147Z", - "modified": "2023-01-04T19:58:12.147Z", - "name": "AUDITPOL", - "description": "Allows users to configure and manage audit settings from an elevated command prompt", - 
"tool_types": [ - "unknown" - ] - }, - { - "type": "attack-action", - "id": "attack-action--e08ff657-a12d-4ed7-bbe5-be90b963a153", - "spec_version": "2.1", - "created": "2023-01-04T19:58:12.147Z", - "modified": "2023-01-04T19:58:12.147Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "name": "Defense Evasion- Impair Defenses: Disable Windows Event Logging", - "technique_id": "T1562.002", - "description": "Attackers used AUDITPOL to disable event logging while carrying out their attacks and reenabling it afterwards", - "confidence": 100, - "effect_refs": [ - "attack-action--e4055553-f146-4d1e-99d7-6910b1e2a224" - ] - }, - { - "type": "attack-action", - "id": "attack-action--e4055553-f146-4d1e-99d7-6910b1e2a224", - "spec_version": "2.1", - "created": "2023-01-04T19:58:12.147Z", - "modified": "2023-01-04T19:58:12.147Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "name": "Checks File Space", - "description": " Attackers used fsutil to check available free space before executing collection or exfiltration, which might create large files on disk", - "confidence": 100, - "effect_refs": [ - "attack-action--0ce96a7f-cab8-4842-b19d-83db4586deca", - "attack-action--fcdef663-b82f-4509-b30d-c7222101fe8a" - ] - }, - { - "type": "tool", - "id": "tool--7845956b-77bd-4da3-82a5-08d723e0ad1c", - "spec_version": "2.1", - "created": "2023-01-04T19:58:12.147Z", - "modified": "2023-01-04T19:58:12.147Z", - "name": "fsutil", - "description": "Allows users to view and manage settings of file systems, including FAT, NFTS, and REFS", - "tool_types": [ - "unknown" - ] - }, - { - "type": "attack-action", - "id": "attack-action--0ce96a7f-cab8-4842-b19d-83db4586deca", - "spec_version": "2.1", - "created": "2023-01-04T19:58:12.147Z", - "modified": "2023-01-04T19:58:12.147Z", - "extensions": { - 
"extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "name": "Data from Local System", - "technique_id": "T1005", - "description": "The attackers were able to collect sensitive data from victims", - "confidence": 100, - "effect_refs": [ - "attack-operator--5377f7c1-c57e-4c99-97d5-ffeb4c3f9778" - ] - }, - { - "type": "attack-action", - "id": "attack-action--fcdef663-b82f-4509-b30d-c7222101fe8a", - "spec_version": "2.1", - "created": "2023-01-04T19:58:12.148Z", - "modified": "2023-01-04T19:58:12.148Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "name": "Archive Collected Data: Archive via Utility", - "technique_id": "T1005", - "description": "The attackers used the 7-zip utility to create a password-protected archive with an extension not associated with archive files", - "confidence": 100, - "effect_refs": [ - "attack-operator--5377f7c1-c57e-4c99-97d5-ffeb4c3f9778" - ] - }, - { - "type": "attack-operator", - "id": "attack-operator--5377f7c1-c57e-4c99-97d5-ffeb4c3f9778", - "spec_version": "2.1", - "created": "2023-01-04T19:58:12.148Z", - "modified": "2023-01-04T19:58:12.148Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "operator": "AND", - "effect_refs": [ - "attack-action--337844f6-ac0f-4d25-a565-c7af73ea6dcd" - ] - }, - { - "type": "attack-action", - "id": "attack-action--337844f6-ac0f-4d25-a565-c7af73ea6dcd", - "spec_version": "2.1", - "created": "2023-01-04T19:58:12.148Z", - "modified": "2023-01-04T19:58:12.148Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "name": "Exfiltration Over Web Service: Exfiltration to Cloud Storage", - "technique_id": "T1567.002", - "description": "The attackers mapped a OneDrive share from the command-line using the net.exe command-line 
utility. They also likely used other cloud services such as Google Drive", - "confidence": 100 - }, - { - "type": "malware", - "id": "malware--8d20ebff-787c-4a06-b767-9f28db02d680", - "spec_version": "2.1", - "created": "2023-01-04T19:58:12.148Z", - "modified": "2023-01-04T19:58:12.148Z", - "name": "Sunburst", - "description": "FireEye named the backdoored version of the DLL file SUNBURST. This backdoor delivers different payloads, such as the memory-only dropper TEARDROP, which deploys a Cobalt Strike Beacon.", - "malware_types": [ - "backdoor", - "dropper" - ], - "is_family": false, - "capabilities": [ - "evades-av", - "installs-other-components", - "hides-executing-code", - "persists-after-system-reboot" - ] - }, - { - "type": "note", - "id": "note--72f7a185-0eb3-4177-86a3-b6eea3768a56", - "spec_version": "2.1", - "created": "2023-01-04T19:58:12.148Z", - "modified": "2023-01-04T19:58:12.148Z", - "abstract": "Hiding Cobalt Strike", - "content": "According to Microsoft, each Cobalt Strike DLL was unique to each machine and avoided overlap and reuse of folder name, file name, export function names, etc. 
This was done to prevent full identification of all compromised assets inside a network or effective sharing of threat intel between victims", - "object_refs": [ - "attack-action--4737ef94-c67f-461d-a616-8d04d949a790" - ] - }, - { - "type": "malware", - "id": "malware--02e6f750-080a-43fb-88d4-d7b29926381e", - "spec_version": "2.1", - "created": "2023-01-04T19:58:12.148Z", - "modified": "2023-01-04T19:58:12.148Z", - "name": "Teardrop", - "malware_types": [ - "trojan" - ], - "is_family": false - }, - { - "type": "note", - "id": "note--27fee65d-dfd3-40c5-89b3-72d6fadf61e9", - "spec_version": "2.1", - "created": "2023-01-04T19:58:12.148Z", - "modified": "2023-01-04T19:58:12.148Z", - "abstract": "Malware Design", - "content": "According to Microsoft, SUNBURST and TEARDROP were designed to execute as separate components to avoid detection.", - "object_refs": [ - "attack-action--a5c0b555-c306-4629-a9ba-e4a8fc67105e" - ] - }, - { - "type": "relationship", - "id": "relationship--a501c849-46f5-4e76-a1bb-281f6c362149", - "spec_version": "2.1", - "created": "2023-01-04T19:58:12.148Z", - "modified": "2023-01-04T19:58:12.148Z", - "relationship_type": "related-to", - "source_ref": "campaign--ec6a234a-cc7b-46fd-9600-a64e9a8c3184", - "target_ref": "threat-actor--6eb7eb9a-f5e5-4943-8c29-316084ceb64f" - }, - { - "type": "relationship", - "id": "relationship--73e12de7-5240-4af3-a28f-a0787a069d23", - "spec_version": "2.1", - "created": "2023-01-04T19:58:12.148Z", - "modified": "2023-01-04T19:58:12.148Z", - "relationship_type": "related-to", - "source_ref": "attack-action--a5c0b555-c306-4629-a9ba-e4a8fc67105e", - "target_ref": "malware--02e6f750-080a-43fb-88d4-d7b29926381e" - }, - { - "type": "relationship", - "id": "relationship--d802a398-6597-4a5c-8802-f34732a3a091", - "spec_version": "2.1", - "created": "2023-01-04T19:58:12.148Z", - "modified": "2023-01-04T19:58:12.148Z", - "relationship_type": "related-to", - "source_ref": "attack-action--b0bc5a83-a0bb-4bf9-93b9-e63638820963", - 
"target_ref": "tool--e01ce937-a9cd-412b-b38b-7faff606dfce" - }, - { - "type": "relationship", - "id": "relationship--6ad75459-bc73-4507-aeaf-8a5366804fe8", - "spec_version": "2.1", - "created": "2023-01-04T19:58:12.148Z", - "modified": "2023-01-04T19:58:12.148Z", - "relationship_type": "related-to", - "source_ref": "attack-action--b0bc5a83-a0bb-4bf9-93b9-e63638820963", - "target_ref": "tool--c5ed82e7-96b4-4f42-83e0-2a1f10692da0" - }, - { - "type": "relationship", - "id": "relationship--f578ede6-caaf-403e-99b7-2b9291b1dbf6", - "spec_version": "2.1", - "created": "2023-01-04T19:58:12.148Z", - "modified": "2023-01-04T19:58:12.148Z", - "relationship_type": "related-to", - "source_ref": "attack-action--b0bc5a83-a0bb-4bf9-93b9-e63638820963", - "target_ref": "tool--adc37497-0035-4257-a920-f33140543187" - }, - { - "type": "relationship", - "id": "relationship--426f56ac-ed1b-4194-ae3f-cd73eb340b4e", - "spec_version": "2.1", - "created": "2023-01-04T19:58:12.148Z", - "modified": "2023-01-04T19:58:12.148Z", - "relationship_type": "related-to", - "source_ref": "attack-action--d5ed6bf4-dddc-435a-bd3c-114320a8e730", - "target_ref": "tool--adc37497-0035-4257-a920-f33140543187" - }, - { - "type": "relationship", - "id": "relationship--9771e154-0a84-4738-b2b5-9b8565e73c0c", - "spec_version": "2.1", - "created": "2023-01-04T19:58:12.148Z", - "modified": "2023-01-04T19:58:12.148Z", - "relationship_type": "related-to", - "source_ref": "attack-action--f69ad6fa-05c5-48b9-bfea-7201321c6909", - "target_ref": "tool--a4b72723-7fd9-45d1-a108-1559637aa9eb" - }, - { - "type": "relationship", - "id": "relationship--1e031170-2c3c-42b2-a140-4a09da7e4572", - "spec_version": "2.1", - "created": "2023-01-04T19:58:12.148Z", - "modified": "2023-01-04T19:58:12.148Z", - "relationship_type": "related-to", - "source_ref": "attack-action--e08ff657-a12d-4ed7-bbe5-be90b963a153", - "target_ref": "tool--55ef0067-c0ce-4aa0-9ffd-85b1e72a4791" - }, - { - "type": "relationship", - "id": 
"relationship--26c1c93a-d3cb-4113-8db6-3eef620e71fb", - "spec_version": "2.1", - "created": "2023-01-04T19:58:12.148Z", - "modified": "2023-01-04T19:58:12.148Z", - "relationship_type": "related-to", - "source_ref": "attack-action--e4055553-f146-4d1e-99d7-6910b1e2a224", - "target_ref": "tool--7845956b-77bd-4da3-82a5-08d723e0ad1c" - }, - { - "type": "relationship", - "id": "relationship--030530c3-2466-4005-b032-6a92b6ee841a", - "spec_version": "2.1", - "created": "2023-01-04T19:58:12.148Z", - "modified": "2023-01-04T19:58:12.148Z", - "relationship_type": "related-to", - "source_ref": "malware--8d20ebff-787c-4a06-b767-9f28db02d680", - "target_ref": "attack-action--384373d8-dbe0-425e-aeaf-ad8c70fc11be" - } - ] -} \ No newline at end of file diff --git a/corpus/Sony Malware.json b/corpus/Sony Malware.json deleted file mode 100644 index 50763e55..00000000 --- a/corpus/Sony Malware.json +++ /dev/null 
@@ -1,904 +0,0 @@ -{ - "type": "bundle", - "id": "bundle--37fc7986-f718-4baa-8b50-857dea14a4c1", - "spec_version": "2.1", - "created": "2023-01-04T20:23:35.082Z", - "modified": "2023-01-04T20:23:35.082Z", - "objects": [ - { - "type": "extension-definition", - "id": "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4", - "spec_version": "2.1", - "created": "2022-08-02T19:34:35.143Z", - "modified": "2022-08-02T19:34:35.143Z", - "name": "Attack Flow", - "description": "Extends STIX 2.1 with features to create Attack Flows.", - "created_by_ref": "identity--fb9c968a-745b-4ade-9b25-c324172197f4", - "schema": "https://center-for-threat-informed-defense.github.io/attack-flow/stix/attack-flow-schema-2.0.0.json", - "version": "2.0.0", - "extension_types": [ - "new-sdo" - ], - "external_references": [ - { - "source_name": "Documentation", - "description": "Documentation for Attack Flow", - "url": "https://center-for-threat-informed-defense.github.io/attack-flow" - }, - { - "source_name": "GitHub", - "description": "Source code repository for Attack Flow", - "url": "https://github.com/center-for-threat-informed-defense/attack-flow" - } - ] - }, - { - "type": "identity", - "id": "identity--fb9c968a-745b-4ade-9b25-c324172197f4", - "spec_version": "2.1", - "created": "2022-08-02T19:34:35.143Z", - "modified": "2022-08-02T19:34:35.143Z", - "create_by_ref": "identity--fb9c968a-745b-4ade-9b25-c324172197f4", - "name": "MITRE Engenuity Center for Threat-Informed Defense", - "identity_class": "organization" - }, - { - "type": "attack-flow", - "id": "attack-flow--09f708d8-af6c-4bdd-8b55-5c2a5e8c27ca", - "spec_version": "2.1", - "created": "2022-10-27T02:44:54.520Z", - "modified": "2023-01-04T20:23:35.084Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "created_by_ref": "identity--003d812e-98de-4b9e-9367-14c0c537f0b1", - "start_refs": [ - "attack-action--7db3befa-8e5e-46c3-86af-ee1b84812499" - ], - 
"name": "Sony Malware", - "description": "Attack flow on the malware believed to be behind the 2014 Sony breach.", - "author": [ - [ - "name", - "Lauren Parker" - ], - [ - "identity_class", - "23b79ae0fc0f07a3669598dd23c694cc" - ], - [ - "contact_information", - "lparker@mitre.org" - ] - ], - "scope": "incident", - "external_references": [ - { - "source_name": "ArsTechnica", - "description": "Article", - "url": "https://arstechnica.com/information-technology/2014/12/inside-the-wiper-malware-that-brought-sony-pictures-to-its-knees/" - }, - { - "source_name": "Trend Micro", - "description": "Analysis", - "url": "https://web.archive.org/web/20220120083152/https://www.trendmicro.com/en_us/research/14/l/an-analysis-of-the-destructive-malware-behind-fbi-warnings.html" - } - ] - }, - { - "type": "identity", - "id": "identity--003d812e-98de-4b9e-9367-14c0c537f0b1", - "spec_version": "2.1", - "created": "2023-01-04T20:23:35.083Z", - "modified": "2023-01-04T20:23:35.083Z", - "name": "Lauren Parker", - "identity_class": "individual", - "contact_information": "lparker@mitre.org" - }, - { - "type": "attack-action", - "id": "attack-action--7db3befa-8e5e-46c3-86af-ee1b84812499", - "spec_version": "2.1", - "created": "2023-01-04T20:23:35.085Z", - "modified": "2023-01-04T20:23:35.085Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "name": "Ingress Tool Transfer", - "technique_id": "T1105 ", - "description": "Malware dropper installs on the compromised system through unknown means", - "confidence": 100, - "effect_refs": [ - "attack-condition--082e47ca-0210-4d07-9558-f1acdaa8c22d" - ] - }, - { - "type": "attack-condition", - "id": "attack-condition--082e47ca-0210-4d07-9558-f1acdaa8c22d", - "spec_version": "2.1", - "created": "2023-01-04T20:23:35.085Z", - "modified": "2023-01-04T20:23:35.085Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" 
- } - }, - "description": "Malware contains XOR 0x67 encrypted user names and passwords in the overlay ", - "on_true_refs": [ - "attack-action--9daff210-f031-4171-8b2a-2a7be3b5e1f3" - ] - }, - { - "type": "attack-action", - "id": "attack-action--9daff210-f031-4171-8b2a-2a7be3b5e1f3", - "spec_version": "2.1", - "created": "2023-01-04T20:23:35.085Z", - "modified": "2023-01-04T20:23:35.085Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "name": "Create network file share", - "description": "The malware created a network file share using %SystemRoot% environment variable (pointing to location of Windows system files, usually \\WINDOWS) ", - "confidence": 100, - "effect_refs": [ - "attack-condition--bf2abb51-2567-4167-b152-a10f53b7caea" - ] - }, - { - "type": "attack-condition", - "id": "attack-condition--bf2abb51-2567-4167-b152-a10f53b7caea", - "spec_version": "2.1", - "created": "2023-01-04T20:23:35.085Z", - "modified": "2023-01-04T20:23:35.085Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "description": "The encrypted user names and passwords were used to to log into the shared network", - "on_true_refs": [ - "attack-action--541eab7e-fb3a-4260-af07-6b00a7f43f12" - ] - }, - { - "type": "attack-action", - "id": "attack-action--541eab7e-fb3a-4260-af07-6b00a7f43f12", - "spec_version": "2.1", - "created": "2023-01-04T20:23:35.085Z", - "modified": "2023-01-04T20:23:35.085Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "name": "Privilege Escalation", - "tactic_id": "TA0004", - "description": "The privileges of the newly created network share is elevated to unrestricted access", - "confidence": 100, - "effect_refs": [ - "attack-condition--72e5f0da-591d-4027-8a3e-d3323156ae26" - ] - }, - { - "type": "attack-action", - "id": 
"attack-action--d1a40010-d151-4afb-b3f1-318fa53e5f69", - "spec_version": "2.1", - "created": "2023-01-04T20:23:35.085Z", - "modified": "2023-01-04T20:23:35.085Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "name": "Windows Management Instrumentation", - "technique_id": "T1047", - "description": "The malware uses WMI to communicate with other computers on the network and move laterally", - "confidence": 100, - "effect_refs": [ - "attack-action--11b62428-5bbf-4de4-9fc1-9401be43ae95" - ] - }, - { - "type": "attack-condition", - "id": "attack-condition--72e5f0da-591d-4027-8a3e-d3323156ae26", - "spec_version": "2.1", - "created": "2023-01-04T20:23:35.085Z", - "modified": "2023-01-04T20:23:35.085Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "description": "contains list of targeted hostnames", - "on_true_refs": [ - "attack-action--d1a40010-d151-4afb-b3f1-318fa53e5f69" - ] - }, - { - "type": "attack-action", - "id": "attack-action--11b62428-5bbf-4de4-9fc1-9401be43ae95", - "spec_version": "2.1", - "created": "2023-01-04T20:23:35.085Z", - "modified": "2023-01-04T20:23:35.085Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "name": "Communication", - "description": "Communicates externally with a set of IP addresses located in Japan", - "confidence": 100, - "effect_refs": [ - "attack-action--6f02e06f-b1d5-4d7b-89c1-078177a8841a" - ] - }, - { - "type": "attack-action", - "id": "attack-action--6f02e06f-b1d5-4d7b-89c1-078177a8841a", - "spec_version": "2.1", - "created": "2023-01-04T20:23:35.085Z", - "modified": "2023-01-04T20:23:35.085Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "name": "Server Software Component: IIS Components", - "technique_id": 
"T1505.004", - "description": "The dropper installs a file with the same name as Microsoft's Internet Information Server (IIS). The file is actually an internal web server that listens on port 80 and displays scrolling text and a JPEG message to victims", - "confidence": 100, - "effect_refs": [ - "attack-action--28f1aff8-235d-4f40-8ea2-284b93d3d295" - ] - }, - { - "type": "infrastructure", - "id": "infrastructure--52f939cf-f8ae-4538-b5e9-e919d4c41381", - "spec_version": "2.1", - "created": "2023-01-04T20:23:35.085Z", - "modified": "2023-01-04T20:23:35.085Z", - "name": "iissrv.exe", - "description": "listens on port 80", - "infrastructure_types": [ - "staging" - ] - }, - { - "type": "attack-action", - "id": "attack-action--28f1aff8-235d-4f40-8ea2-284b93d3d295", - "spec_version": "2.1", - "created": "2023-01-04T20:23:35.085Z", - "modified": "2023-01-04T20:23:35.085Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "name": "Ingress Tool Transfer", - "technique_id": "T1105", - "description": "malware drops additional malware called igfxtrayex.exe", - "confidence": 100, - "effect_refs": [ - "attack-action--a9727af2-a940-4904-bbd0-eb4a5fe842b6" - ] - }, - { - "type": "attack-action", - "id": "attack-action--a9727af2-a940-4904-bbd0-eb4a5fe842b6", - "spec_version": "2.1", - "created": "2023-01-04T20:23:35.085Z", - "modified": "2023-01-04T20:23:35.085Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "name": "Copies itself", - "description": "igfxtrayex.exe makes 4 copies of itself on the compromised system", - "confidence": 100, - "effect_refs": [ - "attack-action--7a6223a9-9b69-451e-86cc-bbb5e33bb7df" - ] - }, - { - "type": "attack-action", - "id": "attack-action--7a6223a9-9b69-451e-86cc-bbb5e33bb7df", - "spec_version": "2.1", - "created": "2023-01-04T20:23:35.085Z", - "modified": "2023-01-04T20:23:35.085Z", - 
"extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "name": "Virtualization/Sandbox Evasion: Time Based Evasion", - "technique_id": "T1497.003", - "description": "igfxtrayex.exe causes the system to sleep for 10 minutes", - "confidence": 100, - "effect_refs": [ - "attack-action--e2bc6f78-67de-45f1-a9b5-75528f46b983" - ] - }, - { - "type": "attack-action", - "id": "attack-action--e2bc6f78-67de-45f1-a9b5-75528f46b983", - "spec_version": "2.1", - "created": "2023-01-04T20:23:35.085Z", - "modified": "2023-01-04T20:23:35.085Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "name": "Command and Scripting Interpreter: Windows Command Shell", - "technique_id": "T1059.003", - "description": "igfxtrayex.exe uses command line to launch each copy of itself to trigger different parts of its code", - "confidence": 100, - "effect_refs": [ - "attack-action--7c5dec3b-9e26-480c-839b-674df94a44d6", - "attack-action--62d37dcf-cbe8-4374-a3f3-3fedb6fe750c", - "attack-action--275e1018-3696-463d-a716-e8869c780f96" - ] - }, - { - "type": "attack-action", - "id": "attack-action--7c5dec3b-9e26-480c-839b-674df94a44d6", - "spec_version": "2.1", - "created": "2023-01-04T20:23:35.085Z", - "modified": "2023-01-04T20:23:35.085Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "name": "Service Stop", - "technique_id": "T1489", - "description": "igfxtrayex.exe shuts down Microsoft Exchange Information Store service and makes email inaccessible", - "confidence": 100, - "effect_refs": [ - "attack-operator--0457b37c-b5fb-4ddf-b3f5-d23a163d42e5" - ] - }, - { - "type": "attack-action", - "id": "attack-action--62d37dcf-cbe8-4374-a3f3-3fedb6fe750c", - "spec_version": "2.1", - "created": "2023-01-04T20:23:35.085Z", - "modified": "2023-01-04T20:23:35.085Z", - "extensions": { - 
"extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "name": "Dismounts", - "description": "dismounts Exchange's databases", - "confidence": 100, - "effect_refs": [ - "attack-operator--0457b37c-b5fb-4ddf-b3f5-d23a163d42e5" - ] - }, - { - "type": "attack-action", - "id": "attack-action--275e1018-3696-463d-a716-e8869c780f96", - "spec_version": "2.1", - "created": "2023-01-04T20:23:35.085Z", - "modified": "2023-01-04T20:23:35.085Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "name": "Data Destruction", - "technique_id": "T1485", - "description": "deletes files in all fixed or remote (network) drives", - "confidence": 100, - "effect_refs": [ - "attack-operator--0457b37c-b5fb-4ddf-b3f5-d23a163d42e5" - ], - "command_ref": "process--0a812bc9-4255-4a44-9aa0-35f7164c06d6" - }, - { - "type": "attack-action", - "id": "attack-action--eeb763dd-bd44-4b43-a596-a376bc6cbe42", - "spec_version": "2.1", - "created": "2023-01-04T20:23:35.085Z", - "modified": "2023-01-04T20:23:35.085Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "name": "Data Encoding", - "technique_id": "T1132", - "description": "3 hard-coded IP addresses (Italy, Poland, and Thailand) for C2 communication", - "confidence": 100, - "effect_refs": [ - "attack-action--40704e16-74cc-400c-90a1-d7a2ad846ff7" - ] - }, - { - "type": "tool", - "id": "tool--c67a1904-b692-409f-8385-8818be1ab05d", - "spec_version": "2.1", - "created": "2023-01-04T20:23:35.085Z", - "modified": "2023-01-04T20:23:35.085Z", - "name": "taskhost{random 2 characters}.exe", - "description": "Drops and executes the component Windows\\iissvr.exe", - "tool_types": [ - "exploitation" - ] - }, - { - "type": "tool", - "id": "tool--33a90534-9263-4173-b7a2-1b7aaf236102", - "spec_version": "2.1", - "created": "2023-01-04T20:23:35.085Z", - "modified": 
"2023-01-04T20:23:35.085Z", - "name": "taskhost{random 2 characters}.exe", - "description": "Drops and executes Windows\\Temp\\usbdrv32.sys", - "tool_types": [ - "exploitation" - ] - }, - { - "type": "infrastructure", - "id": "infrastructure--9587db1b-5f49-4548-a528-100061f3d96d", - "spec_version": "2.1", - "created": "2023-01-04T20:23:35.085Z", - "modified": "2023-01-04T20:23:35.085Z", - "name": "Hard-coded IPs", - "description": "hard-coded IPs to the C2 network", - "infrastructure_types": [ - "command-and-control" - ] - }, - { - "type": "attack-operator", - "id": "attack-operator--0457b37c-b5fb-4ddf-b3f5-d23a163d42e5", - "spec_version": "2.1", - "created": "2023-01-04T20:23:35.085Z", - "modified": "2023-01-04T20:23:35.085Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "operator": "AND", - "effect_refs": [ - "attack-action--eeb763dd-bd44-4b43-a596-a376bc6cbe42" - ] - }, - { - "type": "attack-action", - "id": "attack-action--40704e16-74cc-400c-90a1-d7a2ad846ff7", - "spec_version": "2.1", - "created": "2023-01-04T20:23:35.085Z", - "modified": "2023-01-04T20:23:35.085Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "name": "Disk Wipe: Disk Content Wipe", - "technique_id": "T1561.001", - "description": "Malware wipes a computer's hard drive by sector", - "confidence": 100, - "effect_refs": [ - "attack-condition--5d22574a-047e-4587-a0c1-ddc4e1af9b5a" - ] - }, - { - "type": "tool", - "id": "tool--1d1d48c6-ed66-4e8b-a205-d9ba1f2fa994", - "spec_version": "2.1", - "created": "2023-01-04T20:23:35.085Z", - "modified": "2023-01-04T20:23:35.085Z", - "name": "EldoS", - "description": "Commercial disk driver that allows changes to a hard drive while in user mode. 
The attackers used this tool to make physical changes to the computer's hard drive.", - "tool_types": [ - "exploitation" - ] - }, - { - "type": "attack-condition", - "id": "attack-condition--5d22574a-047e-4587-a0c1-ddc4e1af9b5a", - "spec_version": "2.1", - "created": "2023-01-04T20:23:35.085Z", - "modified": "2023-01-04T20:23:35.085Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "description": "Hard drive successfully wiped", - "on_true_refs": [ - "attack-action--8ee0bfdb-758c-4b1c-9163-52247b423516" - ] - }, - { - "type": "attack-action", - "id": "attack-action--8ee0bfdb-758c-4b1c-9163-52247b423516", - "spec_version": "2.1", - "created": "2023-01-04T20:23:35.085Z", - "modified": "2023-01-04T20:23:35.085Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "name": "Defense Evasion", - "tactic_id": "TA0005", - "description": "Malware causes the computer to sleep for 2 hours. 
", - "confidence": 100, - "effect_refs": [ - "attack-action--b72654fd-379d-414c-a956-4eaec2163dfd" - ] - }, - { - "type": "attack-action", - "id": "attack-action--b72654fd-379d-414c-a956-4eaec2163dfd", - "spec_version": "2.1", - "created": "2023-01-04T20:23:35.085Z", - "modified": "2023-01-04T20:23:35.085Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "name": "System Shutdown/Reboot", - "technique_id": "T1529", - "description": "Malware reboots computer", - "confidence": 100, - "effect_refs": [ - "attack-action--d976d733-9035-494f-8c2c-a36e5857a00a" - ] - }, - { - "type": "attack-action", - "id": "attack-action--d976d733-9035-494f-8c2c-a36e5857a00a", - "spec_version": "2.1", - "created": "2023-01-04T20:23:35.085Z", - "modified": "2023-01-04T20:23:35.085Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "name": "Displays wallpaper", - "description": "Malware displays a wallpaper on the computer background stating that the computer was hacked", - "confidence": 100 - }, - { - "type": "note", - "id": "note--fb7ecf9c-cf0a-47ee-ac6e-c90336753c57", - "spec_version": "2.1", - "created": "2023-01-04T20:23:35.085Z", - "modified": "2023-01-04T20:23:35.085Z", - "content": "There is low confidence that this attack could be attributed to North Korea.", - "object_refs": [ - "attack-action--7db3befa-8e5e-46c3-86af-ee1b84812499" - ] - }, - { - "type": "malware", - "id": "malware--34c290cd-3098-4255-8f83-e89ca71465c1", - "spec_version": "2.1", - "created": "2023-01-04T20:23:35.085Z", - "modified": "2023-01-04T20:23:35.085Z", - "name": "diskpartmg16.exe", - "description": "main installer", - "malware_types": [ - "dropper" - ], - "is_family": true, - "capabilities": [ - "escalates-privileges", - "installs-other-components" - ] - }, - { - "type": "directory", - "id": "directory--3699ee5a-049b-439b-8a45-9c53da00c840", - 
"spec_version": "2.1", - "created": "2023-01-04T20:23:35.085Z", - "modified": "2023-01-04T20:23:35.085Z", - "path": "\\WINDOWS" - }, - { - "type": "tool", - "id": "tool--54cc0e87-a359-4491-a57a-15cbf1ec7baa", - "spec_version": "2.1", - "created": "2023-01-04T20:23:35.085Z", - "modified": "2023-01-04T20:23:35.085Z", - "name": "WMI", - "tool_types": [ - "exploitation" - ] - }, - { - "type": "location", - "id": "location--8b2fbd53-9a99-41b1-bd71-8a380785208c", - "spec_version": "2.1", - "created": "2023-01-04T20:23:35.085Z", - "modified": "2023-01-04T20:23:35.085Z", - "description": "location of IP addresses", - "country": "Japan" - }, - { - "type": "note", - "id": "note--765049d9-277e-465d-8854-ca7e408ea604", - "spec_version": "2.1", - "created": "2023-01-04T20:23:35.085Z", - "modified": "2023-01-04T20:23:35.085Z", - "content": "It is unknown if these IPs are potentially C2 activity.", - "object_refs": [ - "attack-action--11b62428-5bbf-4de4-9fc1-9401be43ae95" - ] - }, - { - "type": "note", - "id": "note--49b2d941-2240-4342-a206-e669447d28e8", - "spec_version": "2.1", - "created": "2023-01-04T20:23:35.085Z", - "modified": "2023-01-04T20:23:35.085Z", - "content": "File displays text and JPEG about deleted files", - "object_refs": [ - "attack-action--6f02e06f-b1d5-4d7b-89c1-078177a8841a" - ] - }, - { - "type": "malware", - "id": "malware--f5a087a8-f276-4604-9ff4-0546bb9b245e", - "spec_version": "2.1", - "created": "2023-01-04T20:23:35.086Z", - "modified": "2023-01-04T20:23:35.086Z", - "name": "igfxtrayex.exe", - "malware_types": [ - "dropper", - "trojan" - ], - "is_family": true, - "capabilities": [ - "communicates-with-c2", - "infects-files", - "prevents-artifact-access", - "compromises-system-availability" - ] - }, - { - "type": "note", - "id": "note--9a87e9ac-7580-4c98-86b8-fdd0346ce32f", - "spec_version": "2.1", - "created": "2023-01-04T20:23:35.086Z", - "modified": "2023-01-04T20:23:35.086Z", - "content": "It is unconfirmed if this action was used as a defense 
evasion technique", - "authors": [ - "Lauren Parker" - ], - "object_refs": [ - "attack-action--7a6223a9-9b69-451e-86cc-bbb5e33bb7df" - ] - }, - { - "type": "process", - "id": "process--9332f5ea-fad9-4825-a61d-e6eaf1ee496a", - "spec_version": "2.1", - "created": "2023-01-04T20:23:35.086Z", - "modified": "2023-01-04T20:23:35.086Z", - "command_line": "taskhost{random 2 characters}.exe -m" - }, - { - "type": "process", - "id": "process--4888bed9-6849-477c-8a15-d8ef5d2dfdf2", - "spec_version": "2.1", - "created": "2023-01-04T20:23:35.086Z", - "modified": "2023-01-04T20:23:35.086Z", - "command_line": "taskhost{random 2 characters}.exe -w" - }, - { - "type": "process", - "id": "process--0a812bc9-4255-4a44-9aa0-35f7164c06d6", - "spec_version": "2.1", - "created": "2023-01-04T20:23:35.086Z", - "modified": "2023-01-04T20:23:35.086Z", - "command_line": "taskhost{random 2 characters}.exe -d" - }, - { - "type": "location", - "id": "location--af3557ed-c356-4e4c-b0a7-b96e5023eb4d", - "spec_version": "2.1", - "created": "2023-01-04T20:23:35.086Z", - "modified": "2023-01-04T20:23:35.086Z", - "description": "IP in Italy that recently belonged to a HideMyAss VPN exit point", - "country": "Italy" - }, - { - "type": "location", - "id": "location--24065374-2f62-4d40-9e3b-607d7c0ef578", - "spec_version": "2.1", - "created": "2023-01-04T20:23:35.086Z", - "modified": "2023-01-04T20:23:35.086Z", - "description": "IP in Poland that belonged to a Polish import-export business", - "country": "Poland" - }, - { - "type": "location", - "id": "location--4c9f8ffc-8b24-4452-a1e3-b8a5c4961f6e", - "spec_version": "2.1", - "created": "2023-01-04T20:23:35.086Z", - "modified": "2023-01-04T20:23:35.086Z", - "description": "IP in Thailand belonging to a university", - "country": "Thailand" - }, - { - "type": "note", - "id": "note--b0282493-e475-416b-8aca-2a15859ef10e", - "spec_version": "2.1", - "created": "2023-01-04T20:23:35.086Z", - "modified": "2023-01-04T20:23:35.086Z", - "content": "It is not 
confirmed that this is used as a defense evasion technique", - "authors": [ - "Lauren Parker" - ], - "object_refs": [ - "attack-action--8ee0bfdb-758c-4b1c-9163-52247b423516" - ] - }, - { - "type": "relationship", - "id": "relationship--96bfc96a-16ba-4dd2-b6b1-4d00056ea58c", - "spec_version": "2.1", - "created": "2023-01-04T20:23:35.086Z", - "modified": "2023-01-04T20:23:35.086Z", - "relationship_type": "related-to", - "source_ref": "attack-action--7db3befa-8e5e-46c3-86af-ee1b84812499", - "target_ref": "malware--34c290cd-3098-4255-8f83-e89ca71465c1" - }, - { - "type": "relationship", - "id": "relationship--617918c2-6921-45ca-a527-14c1bc23ffa6", - "spec_version": "2.1", - "created": "2023-01-04T20:23:35.086Z", - "modified": "2023-01-04T20:23:35.086Z", - "relationship_type": "related-to", - "source_ref": "attack-action--9daff210-f031-4171-8b2a-2a7be3b5e1f3", - "target_ref": "directory--3699ee5a-049b-439b-8a45-9c53da00c840" - }, - { - "type": "relationship", - "id": "relationship--00982954-2101-485a-afd5-24dbdfb0cef0", - "spec_version": "2.1", - "created": "2023-01-04T20:23:35.086Z", - "modified": "2023-01-04T20:23:35.086Z", - "relationship_type": "related-to", - "source_ref": "attack-action--d1a40010-d151-4afb-b3f1-318fa53e5f69", - "target_ref": "tool--54cc0e87-a359-4491-a57a-15cbf1ec7baa" - }, - { - "type": "relationship", - "id": "relationship--bafb2ebd-2f3c-44d9-8c14-d9883ea2e791", - "spec_version": "2.1", - "created": "2023-01-04T20:23:35.086Z", - "modified": "2023-01-04T20:23:35.086Z", - "relationship_type": "related-to", - "source_ref": "attack-action--11b62428-5bbf-4de4-9fc1-9401be43ae95", - "target_ref": "location--8b2fbd53-9a99-41b1-bd71-8a380785208c" - }, - { - "type": "relationship", - "id": "relationship--0cfcda02-f8e5-4fe6-a3f8-7e07a47fc26b", - "spec_version": "2.1", - "created": "2023-01-04T20:23:35.086Z", - "modified": "2023-01-04T20:23:35.086Z", - "relationship_type": "related-to", - "source_ref": "attack-action--6f02e06f-b1d5-4d7b-89c1-078177a8841a", 
- "target_ref": "infrastructure--52f939cf-f8ae-4538-b5e9-e919d4c41381" - }, - { - "type": "relationship", - "id": "relationship--39118005-3d03-422c-8009-1aa68d870179", - "spec_version": "2.1", - "created": "2023-01-04T20:23:35.086Z", - "modified": "2023-01-04T20:23:35.086Z", - "relationship_type": "related-to", - "source_ref": "attack-action--28f1aff8-235d-4f40-8ea2-284b93d3d295", - "target_ref": "malware--f5a087a8-f276-4604-9ff4-0546bb9b245e" - }, - { - "type": "relationship", - "id": "relationship--0d8555a2-a6eb-432a-85fd-27cb63321438", - "spec_version": "2.1", - "created": "2023-01-04T20:23:35.086Z", - "modified": "2023-01-04T20:23:35.086Z", - "relationship_type": "related-to", - "source_ref": "attack-action--e2bc6f78-67de-45f1-a9b5-75528f46b983", - "target_ref": "tool--33a90534-9263-4173-b7a2-1b7aaf236102" - }, - { - "type": "relationship", - "id": "relationship--fe93c72b-91a6-47f1-8010-1523d17a0830", - "spec_version": "2.1", - "created": "2023-01-04T20:23:35.086Z", - "modified": "2023-01-04T20:23:35.086Z", - "relationship_type": "related-to", - "source_ref": "attack-action--e2bc6f78-67de-45f1-a9b5-75528f46b983", - "target_ref": "tool--c67a1904-b692-409f-8385-8818be1ab05d" - }, - { - "type": "relationship", - "id": "relationship--f88a6c63-7a23-47cc-9891-430b5b27af47", - "spec_version": "2.1", - "created": "2023-01-04T20:23:35.086Z", - "modified": "2023-01-04T20:23:35.086Z", - "relationship_type": "related-to", - "source_ref": "attack-action--eeb763dd-bd44-4b43-a596-a376bc6cbe42", - "target_ref": "infrastructure--9587db1b-5f49-4548-a528-100061f3d96d" - }, - { - "type": "relationship", - "id": "relationship--612cdcc5-48d1-4b99-9157-4e568da5d6a1", - "spec_version": "2.1", - "created": "2023-01-04T20:23:35.086Z", - "modified": "2023-01-04T20:23:35.086Z", - "relationship_type": "related-to", - "source_ref": "tool--c67a1904-b692-409f-8385-8818be1ab05d", - "target_ref": "process--4888bed9-6849-477c-8a15-d8ef5d2dfdf2" - }, - { - "type": "relationship", - "id": 
"relationship--cdff5acc-6e25-42c2-9ad4-25aacba0d478", - "spec_version": "2.1", - "created": "2023-01-04T20:23:35.086Z", - "modified": "2023-01-04T20:23:35.086Z", - "relationship_type": "related-to", - "source_ref": "tool--33a90534-9263-4173-b7a2-1b7aaf236102", - "target_ref": "process--9332f5ea-fad9-4825-a61d-e6eaf1ee496a" - }, - { - "type": "relationship", - "id": "relationship--7b6f020c-52e7-497b-91b8-d1e1162356e5", - "spec_version": "2.1", - "created": "2023-01-04T20:23:35.086Z", - "modified": "2023-01-04T20:23:35.086Z", - "relationship_type": "related-to", - "source_ref": "infrastructure--9587db1b-5f49-4548-a528-100061f3d96d", - "target_ref": "location--4c9f8ffc-8b24-4452-a1e3-b8a5c4961f6e" - }, - { - "type": "relationship", - "id": "relationship--aff42781-da5f-42e0-b687-54a78e86a907", - "spec_version": "2.1", - "created": "2023-01-04T20:23:35.086Z", - "modified": "2023-01-04T20:23:35.086Z", - "relationship_type": "related-to", - "source_ref": "infrastructure--9587db1b-5f49-4548-a528-100061f3d96d", - "target_ref": "location--24065374-2f62-4d40-9e3b-607d7c0ef578" - }, - { - "type": "relationship", - "id": "relationship--0c18115c-c2b6-4859-98b5-0ad82de250bd", - "spec_version": "2.1", - "created": "2023-01-04T20:23:35.086Z", - "modified": "2023-01-04T20:23:35.086Z", - "relationship_type": "related-to", - "source_ref": "infrastructure--9587db1b-5f49-4548-a528-100061f3d96d", - "target_ref": "location--af3557ed-c356-4e4c-b0a7-b96e5023eb4d" - }, - { - "type": "relationship", - "id": "relationship--4fdf3c44-c2a5-4c58-8a7d-025aab23d798", - "spec_version": "2.1", - "created": "2023-01-04T20:23:35.086Z", - "modified": "2023-01-04T20:23:35.086Z", - "relationship_type": "related-to", - "source_ref": "attack-action--40704e16-74cc-400c-90a1-d7a2ad846ff7", - "target_ref": "tool--1d1d48c6-ed66-4e8b-a205-d9ba1f2fa994" - } - ] -} \ No newline at end of file diff --git a/corpus/Target Breach.json b/corpus/Target Breach.json deleted file mode 100644 index d8cc006b..00000000 
--- a/corpus/Target Breach.json +++ /dev/null 
@@ -1,703 +0,0 @@ -{ - "type": "bundle", - "id": "bundle--2e1c18f5-7c52-4b3b-8dd0-7cfd5eaf4072", - "spec_version": "2.1", - "created": "2023-01-04T20:49:27.043Z", - "modified": "2023-01-04T20:49:27.043Z", - "objects": [ - { - "type": "extension-definition", - "id": "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4", - "spec_version": "2.1", - "created": "2022-08-02T19:34:35.143Z", - "modified": "2022-08-02T19:34:35.143Z", - "name": "Attack Flow", - "description": "Extends STIX 2.1 with features to create Attack Flows.", - "created_by_ref": "identity--fb9c968a-745b-4ade-9b25-c324172197f4", - "schema": "https://center-for-threat-informed-defense.github.io/attack-flow/stix/attack-flow-schema-2.0.0.json", - "version": "2.0.0", - "extension_types": [ - "new-sdo" - ], - "external_references": [ - { - "source_name": "Documentation", - "description": "Documentation for Attack Flow", - "url": "https://center-for-threat-informed-defense.github.io/attack-flow" - }, - { - "source_name": "GitHub", - "description": "Source code repository for Attack Flow", - "url": "https://github.com/center-for-threat-informed-defense/attack-flow" - } - ] - }, - { - "type": "identity", - "id": "identity--fb9c968a-745b-4ade-9b25-c324172197f4", - "spec_version": "2.1", - "created": "2022-08-02T19:34:35.143Z", - "modified": "2022-08-02T19:34:35.143Z", - "create_by_ref": "identity--fb9c968a-745b-4ade-9b25-c324172197f4", - "name": "MITRE Engenuity Center for Threat-Informed Defense", - "identity_class": "organization" - }, - { - "type": "attack-flow", - "id": "attack-flow--dd875c61-26a9-4b8b-879e-9f00346300fd", - "spec_version": "2.1", - "created": "2022-10-27T02:44:54.520Z", - "modified": "2023-01-04T20:49:27.043Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "created_by_ref": "identity--f38fc949-eb1e-43f5-b0a0-b4c5003a2327", - "start_refs": [ - "attack-action--9ac3cd71-b8e4-4902-a134-5bbf2c3dc9b9", - 
"attack-action--d2a45c19-9a32-40ce-bcc7-a4cd4682e2e4", - "attack-condition--f5fa9530-9b51-4dd7-9c4f-81a0d54b7313" - ], - "name": "Target Breach", - "description": "Attack flow for the 2013 Target breach.", - "author": [ - [ - "name", - "Lauren Parker" - ], - [ - "identity_class", - "23b79ae0fc0f07a3669598dd23c694cc" - ], - [ - "contact_information", - "lparker@mitre.org" - ] - ], - "scope": "incident", - "external_references": [ - { - "source_name": "ZDNET", - "description": "Article", - "url": "https://www.zdnet.com/article/anatomy-of-the-target-data-breach-missed-opportunities-and-lessons-learned/" - }, - { - "source_name": "SANS", - "description": "Whitepaper/Case Study", - "url": "https://sansorg.egnyte.com/dl/g5ykEMZpIk" - }, - { - "source_name": "Committee on Commerce, Science, and Transportation", - "description": "Senate Report", - "url": "https://www.commerce.senate.gov/services/files/24d3c229-4f2f-405d-b8db-a3a67f183883" - }, - { - "source_name": "Krebs on Security", - "description": "Article", - "url": "https://krebsonsecurity.com/2014/02/email-attack-on-vendor-set-up-breach-at-target/" - } - ] - }, - { - "type": "identity", - "id": "identity--f38fc949-eb1e-43f5-b0a0-b4c5003a2327", - "spec_version": "2.1", - "created": "2023-01-04T20:49:27.043Z", - "modified": "2023-01-04T20:49:27.043Z", - "name": "Lauren Parker", - "identity_class": "individual", - "contact_information": "lparker@mitre.org" - }, - { - "type": "attack-action", - "id": "attack-action--9ac3cd71-b8e4-4902-a134-5bbf2c3dc9b9", - "spec_version": "2.1", - "created": "2023-01-04T20:49:27.043Z", - "modified": "2023-01-04T20:49:27.043Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "name": "Gather Victim Host Information: Client Configurations", - "technique_id": "T1592.004", - "description": "Gathered information on Target network configurations", - "confidence": 90, - "effect_refs": [ - 
"attack-operator--11263b9e-012f-49d6-b4d3-85894f108b4f" - ] - }, - { - "type": "attack-action", - "id": "attack-action--d2a45c19-9a32-40ce-bcc7-a4cd4682e2e4", - "spec_version": "2.1", - "created": "2023-01-04T20:49:27.043Z", - "modified": "2023-01-04T20:49:27.043Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "name": "Search Open Websites/Domains: Search Engines", - "technique_id": "T1593.002", - "description": "Googled information on Target systems for reconnaissance", - "confidence": 90, - "effect_refs": [ - "attack-operator--11263b9e-012f-49d6-b4d3-85894f108b4f" - ] - }, - { - "type": "attack-condition", - "id": "attack-condition--f5fa9530-9b51-4dd7-9c4f-81a0d54b7313", - "spec_version": "2.1", - "created": "2023-01-04T20:49:27.043Z", - "modified": "2023-01-04T20:49:27.043Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "description": "Identified technical configurations and 3rd party Suppliers ", - "on_true_refs": [ - "attack-action--698fd2b3-f021-4f74-8141-d48ba11ce09c" - ] - }, - { - "type": "attack-action", - "id": "attack-action--698fd2b3-f021-4f74-8141-d48ba11ce09c", - "spec_version": "2.1", - "created": "2023-01-04T20:49:27.043Z", - "modified": "2023-01-04T20:49:27.043Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "name": "Trusted Relationship", - "technique_id": "T1199", - "description": "Targeted third-party supplier to gain access to Target's internal systems", - "confidence": 100, - "effect_refs": [ - "attack-action--371fe05f-e6b1-41ea-84ef-2c76f8186089" - ] - }, - { - "type": "attack-action", - "id": "attack-action--371fe05f-e6b1-41ea-84ef-2c76f8186089", - "spec_version": "2.1", - "created": "2023-01-04T20:49:27.043Z", - "modified": "2023-01-04T20:49:27.043Z", - "extensions": { - 
"extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "name": "Phishing", - "technique_id": "T1566", - "description": "phishing attempts toward Fazio employees", - "confidence": 70, - "effect_refs": [ - "attack-condition--6c666fe2-0a6c-4bb1-8da7-9955f81b187b" - ], - "asset_refs": [ - "attack-asset--c9305dd0-51f8-4edd-93e9-5a481a25e80b" - ] - }, - { - "type": "attack-asset", - "id": "attack-asset--c9305dd0-51f8-4edd-93e9-5a481a25e80b", - "spec_version": "2.1", - "created": "2023-01-04T20:49:27.043Z", - "modified": "2023-01-04T20:49:27.043Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "name": "Fazio systems", - "description": "compromised by attackers" - }, - { - "type": "attack-action", - "id": "attack-action--2010cb6c-cca8-45a4-99ca-ed2a2ace8d45", - "spec_version": "2.1", - "created": "2023-01-04T20:49:27.043Z", - "modified": "2023-01-04T20:49:27.043Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "name": "Valid Accounts: Domain Accounts", - "technique_id": "T1078.002", - "description": "Attackers compromised AD credentials ", - "confidence": 100, - "asset_refs": [ - "attack-asset--de6fb678-73e8-4861-bde7-b2b76c166f31" - ], - "effect_refs": [ - "attack-action--3d2dfd9d-c7a5-40e9-aa7c-5b987d732c86", - "attack-action--8b0ac8bf-9642-4c25-811c-781942284dac" - ] - }, - { - "type": "attack-condition", - "id": "attack-condition--6c666fe2-0a6c-4bb1-8da7-9955f81b187b", - "spec_version": "2.1", - "created": "2023-01-04T20:49:27.043Z", - "modified": "2023-01-04T20:49:27.043Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "description": "Phishing attempts successful", - "on_true_refs": [ - "attack-action--2010cb6c-cca8-45a4-99ca-ed2a2ace8d45" - ] - }, - { - "type": "attack-asset", - "id": 
"attack-asset--de6fb678-73e8-4861-bde7-b2b76c166f31", - "spec_version": "2.1", - "created": "2023-01-04T20:49:27.043Z", - "modified": "2023-01-04T20:49:27.043Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "name": "Ariba System", - "description": "used by Fazio employees with AD credentials" - }, - { - "type": "attack-action", - "id": "attack-action--3d2dfd9d-c7a5-40e9-aa7c-5b987d732c86", - "spec_version": "2.1", - "created": "2023-01-04T20:49:27.043Z", - "modified": "2023-01-04T20:49:27.043Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "name": "Software Deployment Tools; Server Software Component; Exploitation for Client Execution", - "technique_id": "T1072; T1505; T1203", - "description": "Attackers compromised additional servers using various techniques, such as software vulnerabilities and compromised valid accounts", - "confidence": 100, - "asset_refs": [ - "attack-asset--17eefa4c-22c9-4653-902b-1b53e98480e8" - ], - "effect_refs": [ - "attack-operator--d662af4b-0b28-426f-af26-0e9b79339854" - ] - }, - { - "type": "attack-asset", - "id": "attack-asset--17eefa4c-22c9-4653-902b-1b53e98480e8", - "spec_version": "2.1", - "created": "2023-01-04T20:49:27.043Z", - "modified": "2023-01-04T20:49:27.043Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "name": "Servers" - }, - { - "type": "attack-action", - "id": "attack-action--b8a0b6a3-554c-4cdc-87c0-03c916e52765", - "spec_version": "2.1", - "created": "2023-01-04T20:49:27.043Z", - "modified": "2023-01-04T20:49:27.043Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "name": "Ingress Tool Transfer", - "technique_id": "T1105", - "description": "Attackers dropped malware to Target's POS systems", - 
"confidence": 100, - "effect_refs": [ - "attack-condition--34892151-7072-445f-9312-c105ba550d77" - ] - }, - { - "type": "attack-condition", - "id": "attack-condition--34892151-7072-445f-9312-c105ba550d77", - "spec_version": "2.1", - "created": "2023-01-04T20:49:27.043Z", - "modified": "2023-01-04T20:49:27.043Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "description": "Dropped malware worked successfully on POS systems and RAM scrapping portion began gathering information from card swipes", - "on_true_refs": [ - "attack-action--d87c651b-5316-414c-acd2-ef1ba840a890", - "attack-action--c4c51349-fb4e-49af-9466-9a926f84f874" - ] - }, - { - "type": "attack-action", - "id": "attack-action--8b0ac8bf-9642-4c25-811c-781942284dac", - "spec_version": "2.1", - "created": "2023-01-04T20:49:27.043Z", - "modified": "2023-01-04T20:49:27.043Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "name": "Valid Accounts: Default Accounts", - "technique_id": "T1078.00", - "description": "Attackers may have compromised a default account on the BMC Software Management system to gain further access into Target's network and move laterally", - "confidence": 90, - "asset_refs": [ - "attack-asset--6103f692-0ae1-45e8-a3e2-53b702ef0ac0" - ], - "effect_refs": [ - "attack-operator--d662af4b-0b28-426f-af26-0e9b79339854" - ] - }, - { - "type": "attack-asset", - "id": "attack-asset--6103f692-0ae1-45e8-a3e2-53b702ef0ac0", - "spec_version": "2.1", - "created": "2023-01-04T20:49:27.043Z", - "modified": "2023-01-04T20:49:27.043Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "name": "BMC Software Management System" - }, - { - "type": "attack-action", - "id": "attack-action--c4c51349-fb4e-49af-9466-9a926f84f874", - "spec_version": "2.1", - "created": 
"2023-01-04T20:49:27.043Z", - "modified": "2023-01-04T20:49:27.043Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "name": "Scheduled Transfer", - "technique_id": "T1029", - "description": "Every seven hours the Trojan malware checks to see if the local time is between the hours of 10 AM and 5 PM", - "confidence": 100, - "effect_refs": [ - "attack-condition--ec656f5c-4fe9-404f-8d9c-571cf3ebfa0b" - ] - }, - { - "type": "attack-condition", - "id": "attack-condition--aa1e1686-316f-4fe9-b429-c95364d411b3", - "spec_version": "2.1", - "created": "2023-01-04T20:49:27.043Z", - "modified": "2023-01-04T20:49:27.043Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "description": "Through moving laterally, attackers discover, target, and test malware on POS systems", - "on_true_refs": [ - "attack-action--b8a0b6a3-554c-4cdc-87c0-03c916e52765" - ] - }, - { - "type": "attack-condition", - "id": "attack-condition--ec656f5c-4fe9-404f-8d9c-571cf3ebfa0b", - "spec_version": "2.1", - "created": "2023-01-04T20:49:27.043Z", - "modified": "2023-01-04T20:49:27.043Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "description": "The POS local time is between 10 AM and 5 PM", - "on_true_refs": [ - "attack-action--4ee6c3a1-4cbc-437d-80da-c78dd57d063a" - ] - }, - { - "type": "attack-action", - "id": "attack-action--4ee6c3a1-4cbc-437d-80da-c78dd57d063a", - "spec_version": "2.1", - "created": "2023-01-04T20:49:27.043Z", - "modified": "2023-01-04T20:49:27.043Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "name": "Lateral Tool Transfer", - "technique_id": "T1570 ", - "description": "Winxml.dll is sent over a temporary NetBIOS share ", - "confidence": 70, - "effect_refs": [ - 
"attack-action--3473c9f8-ad1c-4984-ad44-fef099578405" - ] - }, - { - "type": "attack-action", - "id": "attack-action--3473c9f8-ad1c-4984-ad44-fef099578405", - "spec_version": "2.1", - "created": "2023-01-04T20:49:27.043Z", - "modified": "2023-01-04T20:49:27.043Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "name": "Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay", - "technique_id": "T1557.001", - "description": "A temporary NetBIOS share is established to transfer POS data to an internal dump server", - "confidence": 100, - "effect_refs": [ - "attack-action--ccd71d3f-2243-4cc0-8e82-382f649073ab" - ] - }, - { - "type": "attack-action", - "id": "attack-action--ccd71d3f-2243-4cc0-8e82-382f649073ab", - "spec_version": "2.1", - "created": "2023-01-04T20:49:27.043Z", - "modified": "2023-01-04T20:49:27.043Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "name": "Data Staged: Remote Data Staging", - "technique_id": "T1074.002", - "description": "An internal dump server is created to collect POS information from multiple systems via the temporary NetBIOS share", - "confidence": 100, - "effect_refs": [ - "attack-action--08397107-cda4-4f2b-acc9-db91bf4b4e48", - "attack-action--5bc375fd-6c57-48c2-8506-4c74515137b6" - ] - }, - { - "type": "attack-action", - "id": "attack-action--08397107-cda4-4f2b-acc9-db91bf4b4e48", - "spec_version": "2.1", - "created": "2023-01-04T20:49:27.043Z", - "modified": "2023-01-04T20:49:27.043Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "name": "Defense Evasion using Common Ports ", - "tactic_id": "TA0005", - "description": "The trojan malware transfer data to the internal dump server using common ports: 80, 139, and 443.", - "confidence": 100, - "effect_refs": [ - 
"attack-condition--ec656f5c-4fe9-404f-8d9c-571cf3ebfa0b" - ] - }, - { - "type": "attack-action", - "id": "attack-action--5bc375fd-6c57-48c2-8506-4c74515137b6", - "spec_version": "2.1", - "created": "2023-01-04T20:49:27.043Z", - "modified": "2023-01-04T20:49:27.043Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "name": "Non-Application Layer Protocol", - "technique_id": "T1095", - "description": "Once data is stored on the internal dump server, an ICMP packet is sent to a remote server (possibly a C2 server) to alert attackers that data is located on the internal dump server and ready for exfiltration", - "confidence": 100, - "effect_refs": [ - "attack-action--1b6f56cd-6a8a-459c-9960-7d8af6e5d7d1" - ] - }, - { - "type": "attack-action", - "id": "attack-action--1b6f56cd-6a8a-459c-9960-7d8af6e5d7d1", - "spec_version": "2.1", - "created": "2023-01-04T20:49:27.043Z", - "modified": "2023-01-04T20:49:27.043Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "name": "Exfiltration", - "tactic_id": "TA0010", - "description": "Attackers exfiltrate data from the internal dump server to off-site FTP servers using unknown techniques.", - "confidence": 100 - }, - { - "type": "attack-action", - "id": "attack-action--d87c651b-5316-414c-acd2-ef1ba840a890", - "spec_version": "2.1", - "created": "2023-01-04T20:49:27.043Z", - "modified": "2023-01-04T20:49:27.043Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "name": "Ingress Tool Transfer", - "technique_id": "T1105", - "description": "Attackers dropped exfiltration malware onto Target's network", - "confidence": 100 - }, - { - "type": "attack-operator", - "id": "attack-operator--11263b9e-012f-49d6-b4d3-85894f108b4f", - "spec_version": "2.1", - "created": "2023-01-04T20:49:27.043Z", - "modified": 
"2023-01-04T20:49:27.043Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "operator": "AND", - "effect_refs": [ - "attack-condition--f5fa9530-9b51-4dd7-9c4f-81a0d54b7313" - ] - }, - { - "type": "attack-operator", - "id": "attack-operator--d662af4b-0b28-426f-af26-0e9b79339854", - "spec_version": "2.1", - "created": "2023-01-04T20:49:27.043Z", - "modified": "2023-01-04T20:49:27.043Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "operator": "AND", - "effect_refs": [ - "attack-condition--aa1e1686-316f-4fe9-b429-c95364d411b3" - ] - }, - { - "type": "tool", - "id": "tool--c492196e-a9a7-470f-bec9-113f12f656f7", - "spec_version": "2.1", - "created": "2023-01-04T20:49:27.043Z", - "modified": "2023-01-04T20:49:27.043Z", - "name": "BlackPOS malware", - "description": " tailored version of the malware", - "tool_types": [ - "Exploitation" - ] - }, - { - "type": "tool", - "id": "tool--f40b3d07-9df6-4c81-abe2-d99c05c77f51", - "spec_version": "2.1", - "created": "2023-01-04T20:49:27.043Z", - "modified": "2023-01-04T20:49:27.043Z", - "name": "winxml.dll", - "tool_types": [ - "Unknown" - ] - }, - { - "type": "infrastructure", - "id": "infrastructure--60671446-e542-4c46-ac89-12456629cb88", - "spec_version": "2.1", - "created": "2023-01-04T20:49:27.043Z", - "modified": "2023-01-04T20:49:27.043Z", - "name": "NetBIOS Share", - "infrastructure_types": [ - "Unknown" - ] - }, - { - "type": "infrastructure", - "id": "infrastructure--2bf42bf8-6ed2-44b0-950c-cadddf754384", - "spec_version": "2.1", - "created": "2023-01-04T20:49:27.043Z", - "modified": "2023-01-04T20:49:27.043Z", - "name": "Dump Server", - "infrastructure_types": [ - "Unknown" - ] - }, - { - "type": "identity", - "id": "identity--a7ce421b-e112-4070-8236-c6121ed68508", - "spec_version": "2.1", - "created": "2023-01-04T20:49:27.043Z", - "modified": 
"2023-01-04T20:49:27.043Z", - "name": "Fazio Mechanical", - "description": "3rd party HVAC company that contracted with Target", - "roles": [ - "Third-party company" - ], - "identity_class": "Organization", - "sectors": [ - "Utilities" - ] - }, - { - "type": "relationship", - "id": "relationship--7859267a-417b-4b68-a6ff-cd6fb2c35988", - "spec_version": "2.1", - "created": "2023-01-04T20:49:27.043Z", - "modified": "2023-01-04T20:49:27.043Z", - "relationship_type": "related-to", - "source_ref": "attack-action--698fd2b3-f021-4f74-8141-d48ba11ce09c", - "target_ref": "identity--a7ce421b-e112-4070-8236-c6121ed68508" - }, - { - "type": "relationship", - "id": "relationship--7e1916dc-fc35-46ac-b65e-d18f4458c317", - "spec_version": "2.1", - "created": "2023-01-04T20:49:27.043Z", - "modified": "2023-01-04T20:49:27.043Z", - "relationship_type": "related-to", - "source_ref": "attack-action--b8a0b6a3-554c-4cdc-87c0-03c916e52765", - "target_ref": "tool--c492196e-a9a7-470f-bec9-113f12f656f7" - }, - { - "type": "relationship", - "id": "relationship--017fcb93-abd0-4ad1-ba90-a015780c21ec", - "spec_version": "2.1", - "created": "2023-01-04T20:49:27.043Z", - "modified": "2023-01-04T20:49:27.043Z", - "relationship_type": "related-to", - "source_ref": "attack-action--4ee6c3a1-4cbc-437d-80da-c78dd57d063a", - "target_ref": "tool--f40b3d07-9df6-4c81-abe2-d99c05c77f51" - }, - { - "type": "relationship", - "id": "relationship--3b4d63db-55ab-425d-925f-b88d6d1af975", - "spec_version": "2.1", - "created": "2023-01-04T20:49:27.043Z", - "modified": "2023-01-04T20:49:27.043Z", - "relationship_type": "related-to", - "source_ref": "attack-action--3473c9f8-ad1c-4984-ad44-fef099578405", - "target_ref": "infrastructure--60671446-e542-4c46-ac89-12456629cb88" - }, - { - "type": "relationship", - "id": "relationship--daf6c763-4e47-4f73-9dac-957170ff7374", - "spec_version": "2.1", - "created": "2023-01-04T20:49:27.043Z", - "modified": "2023-01-04T20:49:27.043Z", - "relationship_type": "related-to", - 
"source_ref": "attack-action--ccd71d3f-2243-4cc0-8e82-382f649073ab", - "target_ref": "infrastructure--2bf42bf8-6ed2-44b0-950c-cadddf754384" - } - ] -} \ No newline at end of file diff --git a/corpus/Tesla Kubernetes Breach.json b/corpus/Tesla Kubernetes Breach.json deleted file mode 100644 index 45d6c062..00000000 --- a/corpus/Tesla Kubernetes Breach.json +++ /dev/null 
@@ -1,315 +0,0 @@ -{ - "type": "bundle", - "id": "bundle--1db91a92-e50e-44dd-ab83-04fabbf9ba30", - "spec_version": "2.1", - "created": "2023-02-22T21:42:23.740Z", - "modified": "2023-02-22T21:42:23.740Z", - "objects": [ - { - "type": "extension-definition", - "id": "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4", - "spec_version": "2.1", - "created": "2022-08-02T19:34:35.143Z", - "modified": "2022-08-02T19:34:35.143Z", - "name": "Attack Flow", - "description": "Extends STIX 2.1 with features to create Attack Flows.", - "created_by_ref": "identity--fb9c968a-745b-4ade-9b25-c324172197f4", - "schema": "https://center-for-threat-informed-defense.github.io/attack-flow/stix/attack-flow-schema-2.0.0.json", - "version": "2.0.0", - "extension_types": [ - "new-sdo" - ], - "external_references": [ - { - "source_name": "Documentation", - "description": "Documentation for Attack Flow", - "url": "https://center-for-threat-informed-defense.github.io/attack-flow" - }, - { - "source_name": "GitHub", - "description": "Source code repository for Attack Flow", - "url": "https://github.com/center-for-threat-informed-defense/attack-flow" - } - ] - }, - { - "type": "identity", - "id": "identity--fb9c968a-745b-4ade-9b25-c324172197f4", - "spec_version": "2.1", - "created": "2022-08-02T19:34:35.143Z", - "modified": "2022-08-02T19:34:35.143Z", - "create_by_ref": "identity--fb9c968a-745b-4ade-9b25-c324172197f4", - "name": "MITRE Engenuity Center for Threat-Informed Defense", - "identity_class": "organization" - }, - { - "type": "attack-flow", - "id": "attack-flow--130cfa8f-3152-4a3e-bd99-6f4230907dad", - "spec_version": "2.1", - "created": "2022-10-27T02:44:54.520Z", - "modified": "2023-02-22T21:42:23.740Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "created_by_ref": "identity--c09be52b-77e0-45cb-b34c-d089e3887151", - "start_refs": [ - "attack-condition--394e0f5c-534b-406d-a714-60124f89e437", - 
"attack-action--ec83e8c9-a209-47cb-aa05-52fae33182bb", - "attack-action--c640ab9c-44db-4eb9-a73d-8cfcafb0d844" - ], - "name": "Tesla Kubernetes Breach", - "description": "A cryptomining attack discovered on a Tesla kubernetes (k8s) cluster.", - "scope": "incident", - "external_references": [ - { - "source_name": "The Cryptojacking Epidemic", - "description": "RedLock CSI Team. Feb 20 2018.", - "url": "https://blog.redlock.io/cryptojacking-tesla" - } - ] - }, - { - "type": "identity", - "id": "identity--c09be52b-77e0-45cb-b34c-d089e3887151", - "spec_version": "2.1", - "created": "2023-02-22T21:42:23.740Z", - "modified": "2023-02-22T21:42:23.740Z", - "name": "Mark Haase", - "identity_class": "individual", - "contact_information": "mhaase@mitre.org" - }, - { - "type": "attack-condition", - "id": "attack-condition--394e0f5c-534b-406d-a714-60124f89e437", - "spec_version": "2.1", - "created": "2023-02-22T21:42:23.740Z", - "modified": "2023-02-22T21:42:23.740Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "description": "Tesla's Kubernetes dashboard is exposed to the public internet with no password required for access.", - "on_true_refs": [ - "attack-action--7edcb647-8d0c-4ba4-86e8-b2a423d9b43a" - ] - }, - { - "type": "attack-action", - "id": "attack-action--7edcb647-8d0c-4ba4-86e8-b2a423d9b43a", - "spec_version": "2.1", - "created": "2023-02-22T21:42:23.740Z", - "modified": "2023-02-22T21:42:23.740Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "name": "External Remote Services", - "tactic_id": "TA0001", - "technique_id": "T1133", - "description": "The adversary logs into the Kubernetes console.", - "confidence": 90, - "effect_refs": [ - "attack-action--307e4dc4-e109-4ef1-b0f5-7eaa7816ca25", - "attack-action--fe5fea66-d2a1-4b41-a9eb-7f8eccf9704a" - ] - }, - { - "type": "attack-action", - "id": 
"attack-action--307e4dc4-e109-4ef1-b0f5-7eaa7816ca25", - "spec_version": "2.1", - "created": "2023-02-22T21:42:23.740Z", - "modified": "2023-02-22T21:42:23.740Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "name": "Unsecured Credentials: Credentials In Files", - "tactic_id": "TA0006", - "technique_id": "T1552.001", - "description": "The adversary can view plaintext AWS keys in the Kubernetes console.", - "confidence": 0, - "effect_refs": [ - "attack-action--3475ec81-5b70-4f9a-a9a9-9a089216ab44" - ] - }, - { - "type": "attack-action", - "id": "attack-action--3475ec81-5b70-4f9a-a9a9-9a089216ab44", - "spec_version": "2.1", - "created": "2023-02-22T21:42:23.740Z", - "modified": "2023-02-22T21:42:23.740Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "name": "Valid Accounts: Cloud Accounts", - "tactic_id": "TA0004", - "technique_id": "T1078.004", - "description": "The adversary authenticates to AWS S3 using the discovered credentials.", - "confidence": 0, - "effect_refs": [ - "attack-action--5d19b518-7bcd-48d7-9d61-5e6001b130b1" - ] - }, - { - "type": "attack-action", - "id": "attack-action--5d19b518-7bcd-48d7-9d61-5e6001b130b1", - "spec_version": "2.1", - "created": "2023-02-22T21:42:23.740Z", - "modified": "2023-02-22T21:42:23.740Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "name": "Data from Cloud Storage Object", - "tactic_id": "TA0009", - "technique_id": "T1530", - "description": "The adversary can access data in private S3 buckets.", - "confidence": 0 - }, - { - "type": "attack-action", - "id": "attack-action--fe5fea66-d2a1-4b41-a9eb-7f8eccf9704a", - "spec_version": "2.1", - "created": "2023-02-22T21:42:23.740Z", - "modified": "2023-02-22T21:42:23.740Z", - "extensions": { - 
"extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "name": "Deploy Container", - "tactic_id": "TA0002", - "technique_id": "T1610", - "description": "The adversary deploys a new container on the Kubernetes cluster.", - "confidence": 100, - "effect_refs": [ - "attack-operator--2523aded-6d9a-4f28-aea9-be9dd6f490e0" - ] - }, - { - "type": "attack-action", - "id": "attack-action--ec83e8c9-a209-47cb-aa05-52fae33182bb", - "spec_version": "2.1", - "created": "2023-02-22T21:42:23.740Z", - "modified": "2023-02-22T21:42:23.740Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "name": "Acquire Infrastructure: Server", - "tactic_id": "TA0042", - "technique_id": "T1583.004", - "description": "The adversary sets up server[s] to run a cryptomining pool.", - "confidence": 90, - "effect_refs": [ - "attack-action--837bede5-db2f-40ac-b4df-9798548de067" - ] - }, - { - "type": "attack-action", - "id": "attack-action--837bede5-db2f-40ac-b4df-9798548de067", - "spec_version": "2.1", - "created": "2023-02-22T21:42:23.740Z", - "modified": "2023-02-22T21:42:23.740Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "name": "Proxy", - "tactic_id": "TA0011", - "technique_id": "T1090", - "description": "The adversary proxies their mining pool through Cloudflare CDN.", - "confidence": 100, - "effect_refs": [ - "attack-operator--2523aded-6d9a-4f28-aea9-be9dd6f490e0" - ] - }, - { - "type": "attack-operator", - "id": "attack-operator--2523aded-6d9a-4f28-aea9-be9dd6f490e0", - "spec_version": "2.1", - "created": "2023-02-22T21:42:23.740Z", - "modified": "2023-02-22T21:42:23.740Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "operator": "AND", - "effect_refs": [ - "attack-action--c640ab9c-44db-4eb9-a73d-8cfcafb0d844" - 
] - }, - { - "type": "attack-action", - "id": "attack-action--c640ab9c-44db-4eb9-a73d-8cfcafb0d844", - "spec_version": "2.1", - "created": "2023-02-22T21:42:23.740Z", - "modified": "2023-02-22T21:42:23.740Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "name": "Resource Highjacking", - "tactic_id": "TA0040", - "technique_id": "T1496", - "description": "The adversary runs cryptomining software in the container, configured to use their private mining pool.", - "confidence": 100 - }, - { - "type": "infrastructure", - "id": "infrastructure--7d02f022-e5dd-461a-b17b-ee25fb34304c", - "spec_version": "2.1", - "created": "2023-02-22T21:42:23.740Z", - "modified": "2023-02-22T21:42:23.740Z", - "name": "Unlisted mining pool", - "description": "The mining pool is \"unlisted\" and runs on a non-standard port to evade common blocklists.", - "infrastructure_types": [ - "unknown" - ] - }, - { - "type": "note", - "id": "note--c5d127a0-59be-4ab5-9266-4b3037c7bee3", - "spec_version": "2.1", - "created": "2023-02-22T21:42:23.740Z", - "modified": "2023-02-22T21:42:23.740Z", - "abstract": "Speculation", - "content": "The authors of this post provided speculation about what the attackers could have done with the leaked credentials, but there is no evidence the adversaries even knew about the credentials.", - "object_refs": [ - "attack-action--307e4dc4-e109-4ef1-b0f5-7eaa7816ca25" - ] - }, - { - "type": "relationship", - "id": "relationship--d3a917f5-fafd-43a3-a4e9-876cd36579a9", - "spec_version": "2.1", - "created": "2023-02-22T21:42:23.741Z", - "modified": "2023-02-22T21:42:23.741Z", - "relationship_type": "related-to", - "source_ref": "attack-action--ec83e8c9-a209-47cb-aa05-52fae33182bb", - "target_ref": "infrastructure--7d02f022-e5dd-461a-b17b-ee25fb34304c" - }, - { - "type": "relationship", - "id": "relationship--4b6381be-314a-40af-a4d6-b76d99062fee", - "spec_version": "2.1", - "created": 
"2023-02-22T21:42:23.741Z", - "modified": "2023-02-22T21:42:23.741Z", - "relationship_type": "related-to", - "source_ref": "attack-action--c640ab9c-44db-4eb9-a73d-8cfcafb0d844", - "target_ref": "infrastructure--7d02f022-e5dd-461a-b17b-ee25fb34304c" - } - ] -} \ No newline at end of file diff --git a/corpus/Uber Breach.json b/corpus/Uber Breach.json deleted file mode 100644 index 223d407d..00000000 --- a/corpus/Uber Breach.json +++ /dev/null 
@@ -1,536 +0,0 @@ -{ - "type": "bundle", - "id": "bundle--ceb844f3-dae4-4738-8914-73464181dbd8", - "spec_version": "2.1", - "created": "2023-01-04T21:36:01.371Z", - "modified": "2023-01-04T21:36:01.371Z", - "objects": [ - { - "type": "extension-definition", - "id": "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4", - "spec_version": "2.1", - "created": "2022-08-02T19:34:35.143Z", - "modified": "2022-08-02T19:34:35.143Z", - "name": "Attack Flow", - "description": "Extends STIX 2.1 with features to create Attack Flows.", - "created_by_ref": "identity--fb9c968a-745b-4ade-9b25-c324172197f4", - "schema": "https://center-for-threat-informed-defense.github.io/attack-flow/stix/attack-flow-schema-2.0.0.json", - "version": "2.0.0", - "extension_types": [ - "new-sdo" - ], - "external_references": [ - { - "source_name": "Documentation", - "description": "Documentation for Attack Flow", - "url": "https://center-for-threat-informed-defense.github.io/attack-flow" - }, - { - "source_name": "GitHub", - "description": "Source code repository for Attack Flow", - "url": "https://github.com/center-for-threat-informed-defense/attack-flow" - } - ] - }, - { - "type": "identity", - "id": "identity--fb9c968a-745b-4ade-9b25-c324172197f4", - "spec_version": "2.1", - "created": "2022-08-02T19:34:35.143Z", - "modified": "2022-08-02T19:34:35.143Z", - "create_by_ref": "identity--fb9c968a-745b-4ade-9b25-c324172197f4", - "name": "MITRE Engenuity Center for Threat-Informed Defense", - "identity_class": "organization" - }, - { - "type": "attack-flow", - "id": "attack-flow--8ccfd5ad-9b4c-4014-8da1-e81863e3bf69", - "spec_version": "2.1", - "created": "2022-10-27T02:44:54.520Z", - "modified": "2023-01-04T21:36:01.374Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "created_by_ref": "identity--edece8e2-ac5b-47a6-9b2e-43b29aa2ab5b", - "start_refs": [], - "name": "Uber Breach", - "description": "A breach at Uber by 
the Lapsus$ group.", - "author": [ - [ - "name", - "Lauren Parker" - ], - [ - "identity_class", - "23b79ae0fc0f07a3669598dd23c694cc" - ], - [ - "contact_information", - "lparker@mitre.org" - ] - ], - "scope": "incident", - "external_references": [ - { - "source_name": "Uber Investigating Breach of Its Computer Systems", - "description": null, - "url": "https://www.nytimes.com/2022/09/15/technology/uber-hacking-breach.html" - }, - { - "source_name": "Unpacking the Uber Breach\n\n", - "description": null, - "url": "https://www.cyberark.com/resources/blog/unpacking-the-uber-breach" - }, - { - "source_name": "Uber Newsroom: Security Update", - "description": null, - "url": "https://www.uber.com/newsroom/security-update/" - }, - { - "source_name": "Uber Breach 2022 – Everything You Need to Know\n\n", - "description": null, - "url": "https://blog.gitguardian.com/uber-breach-2022/" - } - ] - }, - { - "type": "identity", - "id": "identity--edece8e2-ac5b-47a6-9b2e-43b29aa2ab5b", - "spec_version": "2.1", - "created": "2023-01-04T21:36:01.372Z", - "modified": "2023-01-04T21:36:01.372Z", - "name": "Lauren Parker", - "identity_class": "individual", - "contact_information": "lparker@mitre.org" - }, - { - "type": "threat-actor", - "id": "threat-actor--1acdb3e3-3491-4061-a1cb-098434357051", - "spec_version": "2.1", - "created": "2023-01-04T21:36:01.375Z", - "modified": "2023-01-04T21:36:01.375Z", - "name": "Lapsus$", - "description": "organized around a Telegram group; has attacked multiple well-known companies; gains access through social engineering", - "threat_actor_types": [ - "hacker" - ], - "roles": [ - "director" - ], - "sophistication": "expert", - "resource_level": "organization", - "primary_motivation": "personal-gain" - }, - { - "type": "attack-condition", - "id": "attack-condition--75170181-d3e4-4127-a2ca-7cae5904a79d", - "spec_version": "2.1", - "created": "2023-01-04T21:36:01.375Z", - "modified": "2023-01-04T21:36:01.375Z", - "extensions": { - 
"extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "description": "Attackers likely purchased the contractors credentials on the dark web", - "on_true_refs": [ - "attack-action--95926e82-a770-4752-b6ff-cfcd3451a92f" - ] - }, - { - "type": "attack-action", - "id": "attack-action--b1b20bb1-bdb3-437f-89c7-3cce30687643", - "spec_version": "2.1", - "created": "2023-01-04T21:36:01.375Z", - "modified": "2023-01-04T21:36:01.375Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "name": "Compromise Accounts", - "technique_id": "T1586", - "description": "Unknown malware was used to compromise the accounts/credentials of an external contractor", - "confidence": 100, - "effect_refs": [ - "attack-condition--75170181-d3e4-4127-a2ca-7cae5904a79d" - ], - "asset_refs": [ - "attack-asset--c91f0115-9bef-42b4-9f65-9a836a480e6e" - ] - }, - { - "type": "attack-action", - "id": "attack-action--95926e82-a770-4752-b6ff-cfcd3451a92f", - "spec_version": "2.1", - "created": "2023-01-04T21:36:01.375Z", - "modified": "2023-01-04T21:36:01.375Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "name": "Valid Accounts", - "technique_id": "T1078", - "description": "Attacker attempted to log in to the user's Uber VPN account but were blocked due to multi-factor authentication", - "confidence": 100, - "effect_refs": [ - "attack-action--4b16b17d-0648-49d2-84b7-8ce4aa0dfd24" - ] - }, - { - "type": "attack-condition", - "id": "attack-condition--bff2a0f3-2d03-4ad0-9e44-9c5cee176278", - "spec_version": "2.1", - "created": "2023-01-04T21:36:01.375Z", - "modified": "2023-01-04T21:36:01.375Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "description": "User accepted one of the multi-factor authentication attempts, 
unknowingly allowing the attackers access to the user's Uber account", - "on_true_refs": [ - "attack-action--6177c027-6e9b-4fa5-9f4a-78390af7767d" - ] - }, - { - "type": "attack-action", - "id": "attack-action--4b16b17d-0648-49d2-84b7-8ce4aa0dfd24", - "spec_version": "2.1", - "created": "2023-01-04T21:36:01.375Z", - "modified": "2023-01-04T21:36:01.375Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "name": "Multi-Factor Authentication Request Generation", - "technique_id": "T1621", - "description": "Attackers repeatedly tried to use the user's credentials which caused MFA to spam the user requesting access to the VPN", - "confidence": 100, - "effect_refs": [ - "attack-condition--bff2a0f3-2d03-4ad0-9e44-9c5cee176278" - ] - }, - { - "type": "attack-asset", - "id": "attack-asset--c91f0115-9bef-42b4-9f65-9a836a480e6e", - "spec_version": "2.1", - "created": "2023-01-04T21:36:01.375Z", - "modified": "2023-01-04T21:36:01.375Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "name": "VPN" - }, - { - "type": "attack-action", - "id": "attack-action--6177c027-6e9b-4fa5-9f4a-78390af7767d", - "spec_version": "2.1", - "created": "2023-01-04T21:36:01.376Z", - "modified": "2023-01-04T21:36:01.376Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "name": "Network Share Discovery", - "technique_id": "T1135", - "description": "Winthin the Uber environment, the user had access to a network share", - "confidence": 100, - "asset_refs": [ - "attack-asset--7b89ea24-55eb-4078-b488-b5c7bb592229" - ], - "effect_refs": [ - "attack-action--06a47d7f-05a1-4c5d-969e-eeae50417206" - ] - }, - { - "type": "attack-asset", - "id": "attack-asset--7b89ea24-55eb-4078-b488-b5c7bb592229", - "spec_version": "2.1", - "created": "2023-01-04T21:36:01.376Z", - "modified": 
"2023-01-04T21:36:01.376Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "name": "Network Share", - "description": "Network share was either open or misconfigured to allow broad read ACL" - }, - { - "type": "attack-action", - "id": "attack-action--06a47d7f-05a1-4c5d-969e-eeae50417206", - "spec_version": "2.1", - "created": "2023-01-04T21:36:01.376Z", - "modified": "2023-01-04T21:36:01.376Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "name": "Unsecured Credentials: Credentials in Files", - "technique_id": "T1552.001", - "description": "Attackers discovered a PowerShell script containing hard-coded privileged accounts within the network share", - "confidence": 100, - "asset_refs": [ - "attack-asset--2d4ec197-d16e-4e3f-9313-45f6d2a39597" - ], - "effect_refs": [ - "attack-condition--7af606cf-8bea-4922-af2e-9e956def699a" - ] - }, - { - "type": "attack-asset", - "id": "attack-asset--2d4ec197-d16e-4e3f-9313-45f6d2a39597", - "spec_version": "2.1", - "created": "2023-01-04T21:36:01.376Z", - "modified": "2023-01-04T21:36:01.376Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "name": "PowerShell script", - "description": "located in the network share; contains hard-coded privileged credentials to Uber's PAM solution" - }, - { - "type": "attack-condition", - "id": "attack-condition--7af606cf-8bea-4922-af2e-9e956def699a", - "spec_version": "2.1", - "created": "2023-01-04T21:36:01.376Z", - "modified": "2023-01-04T21:36:01.376Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "description": "Attackers have credentials for a privileged account for Uber's PAM solution", - "on_true_refs": [ - "attack-action--d1b3bb69-a9e5-4f7e-9926-66eb7bd951db" - ] - }, - { - "type": 
"attack-action", - "id": "attack-action--d1b3bb69-a9e5-4f7e-9926-66eb7bd951db", - "spec_version": "2.1", - "created": "2023-01-04T21:36:01.376Z", - "modified": "2023-01-04T21:36:01.376Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "name": "Valid Accounts", - "technique_id": "T1078", - "description": "Attackers used valid account credentials to access the PAM solution", - "confidence": 100, - "effect_refs": [ - "attack-condition--97169908-6aae-41cb-a2d6-e9960cb6ed42" - ], - "asset_refs": [ - "attack-asset--7d689c3f-b615-46ac-9af6-05397cbc0ce4" - ] - }, - { - "type": "attack-condition", - "id": "attack-condition--97169908-6aae-41cb-a2d6-e9960cb6ed42", - "spec_version": "2.1", - "created": "2023-01-04T21:36:01.376Z", - "modified": "2023-01-04T21:36:01.376Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "description": "Attacker overtook multiple services/tools and gained access to secrets inside the secure storage", - "on_true_refs": [ - "attack-action--322cb48c-ec57-4311-94b2-489b06f18451" - ] - }, - { - "type": "attack-action", - "id": "attack-action--322cb48c-ec57-4311-94b2-489b06f18451", - "spec_version": "2.1", - "created": "2023-01-04T21:36:01.376Z", - "modified": "2023-01-04T21:36:01.376Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "name": "Credentials from Password Stores", - "technique_id": "T1555", - "description": "Through PAM, attackers compromised access to systems using SSO and consoles, including the cloud management console", - "confidence": 100, - "asset_refs": [ - "attack-asset--adf17440-b32a-4186-a00f-6764d0aec846", - "attack-asset--730e66f3-a07c-4738-9cad-c439ce37a008", - "attack-asset--4aa0e906-d483-42fc-bb30-4e1577c26fab", - "attack-asset--16266dba-b759-4119-93b3-cce9e8baebf9", - 
"attack-asset--6dd42d73-5dbe-4fe6-8456-dc73c29584dd", - "attack-asset--65126a0a-4027-45aa-b7e1-3055e43ff59f", - "attack-asset--3500b0b1-a618-4cbd-82de-88db1ef29835", - "attack-asset--0788d2c3-214f-4c99-9806-2cda35595eac", - "attack-asset--4fb4c0f0-d021-4e26-9eb5-186ce97164b6" - ], - "effect_refs": [ - "attack-action--3d0c877d-840b-41c1-b50e-94133a67120b" - ] - }, - { - "type": "attack-asset", - "id": "attack-asset--adf17440-b32a-4186-a00f-6764d0aec846", - "spec_version": "2.1", - "created": "2023-01-04T21:36:01.376Z", - "modified": "2023-01-04T21:36:01.376Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "name": "Cloud Management console", - "description": "vSphere; stores sensitive customer and financial data" - }, - { - "type": "attack-asset", - "id": "attack-asset--730e66f3-a07c-4738-9cad-c439ce37a008", - "spec_version": "2.1", - "created": "2023-01-04T21:36:01.376Z", - "modified": "2023-01-04T21:36:01.376Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "name": "AWS" - }, - { - "type": "attack-asset", - "id": "attack-asset--4aa0e906-d483-42fc-bb30-4e1577c26fab", - "spec_version": "2.1", - "created": "2023-01-04T21:36:01.376Z", - "modified": "2023-01-04T21:36:01.376Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "name": "GCP" - }, - { - "type": "attack-asset", - "id": "attack-asset--16266dba-b759-4119-93b3-cce9e8baebf9", - "spec_version": "2.1", - "created": "2023-01-04T21:36:01.376Z", - "modified": "2023-01-04T21:36:01.376Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "name": "Google Drive" - }, - { - "type": "attack-asset", - "id": "attack-asset--6dd42d73-5dbe-4fe6-8456-dc73c29584dd", - "spec_version": "2.1", - "created": 
"2023-01-04T21:36:01.376Z", - "modified": "2023-01-04T21:36:01.376Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "name": "SentinelOne" - }, - { - "type": "attack-asset", - "id": "attack-asset--4fb4c0f0-d021-4e26-9eb5-186ce97164b6", - "spec_version": "2.1", - "created": "2023-01-04T21:36:01.376Z", - "modified": "2023-01-04T21:36:01.376Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "name": "Slack workspace" - }, - { - "type": "attack-asset", - "id": "attack-asset--65126a0a-4027-45aa-b7e1-3055e43ff59f", - "spec_version": "2.1", - "created": "2023-01-04T21:36:01.376Z", - "modified": "2023-01-04T21:36:01.376Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "name": "HackerOne admin console" - }, - { - "type": "attack-asset", - "id": "attack-asset--0788d2c3-214f-4c99-9806-2cda35595eac", - "spec_version": "2.1", - "created": "2023-01-04T21:36:01.377Z", - "modified": "2023-01-04T21:36:01.377Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "name": "Code repositories" - }, - { - "type": "attack-asset", - "id": "attack-asset--3500b0b1-a618-4cbd-82de-88db1ef29835", - "spec_version": "2.1", - "created": "2023-01-04T21:36:01.377Z", - "modified": "2023-01-04T21:36:01.377Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "name": "internal employee dashboards" - }, - { - "type": "attack-asset", - "id": "attack-asset--7d689c3f-b615-46ac-9af6-05397cbc0ce4", - "spec_version": "2.1", - "created": "2023-01-04T21:36:01.377Z", - "modified": "2023-01-04T21:36:01.377Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - 
"name": "Thycotic", - "description": "Uber's PAM system; stores end-user credentials for employee access to internal services, 3rd party apps, and DevOps secrets; controls access to different services and has a secrets manager where credentials and passwords are stored" - }, - { - "type": "attack-action", - "id": "attack-action--3d0c877d-840b-41c1-b50e-94133a67120b", - "spec_version": "2.1", - "created": "2023-01-04T21:36:01.377Z", - "modified": "2023-01-04T21:36:01.377Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "name": "Exfiltration", - "tactic_id": "TA0010", - "description": "Attacker exfiltrated internal Slack messages and information from a finance tool used to manage invoices", - "confidence": 100 - } - ] -} \ No newline at end of file diff --git a/corpus/WhisperGate.json b/corpus/WhisperGate.json deleted file mode 100644 index 9eca89c8..00000000 --- a/corpus/WhisperGate.json +++ /dev/null 
@@ -1,915 +0,0 @@ -{ - "type": "bundle", - "id": "bundle--de3b52cc-29d9-49c0-9746-abc3f97b32e6", - "spec_version": "2.1", - "created": "2023-01-04T22:19:56.102Z", - "modified": "2023-01-04T22:19:56.102Z", - "objects": [ - { - "type": "extension-definition", - "id": "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4", - "spec_version": "2.1", - "created": "2022-08-02T19:34:35.143Z", - "modified": "2022-08-02T19:34:35.143Z", - "name": "Attack Flow", - "description": "Extends STIX 2.1 with features to create Attack Flows.", - "created_by_ref": "identity--fb9c968a-745b-4ade-9b25-c324172197f4", - "schema": "https://center-for-threat-informed-defense.github.io/attack-flow/stix/attack-flow-schema-2.0.0.json", - "version": "2.0.0", - "extension_types": [ - "new-sdo" - ], - "external_references": [ - { - "source_name": "Documentation", - "description": "Documentation for Attack Flow", - "url": "https://center-for-threat-informed-defense.github.io/attack-flow" - }, - { - "source_name": "GitHub", - "description": "Source code repository for Attack Flow", - "url": "https://github.com/center-for-threat-informed-defense/attack-flow" - } - ] - }, - { - "type": "identity", - "id": "identity--fb9c968a-745b-4ade-9b25-c324172197f4", - "spec_version": "2.1", - "created": "2022-08-02T19:34:35.143Z", - "modified": "2022-08-02T19:34:35.143Z", - "create_by_ref": "identity--fb9c968a-745b-4ade-9b25-c324172197f4", - "name": "MITRE Engenuity Center for Threat-Informed Defense", - "identity_class": "organization" - }, - { - "type": "attack-flow", - "id": "attack-flow--34c68acb-2ef6-4c91-b981-10416704b547", - "spec_version": "2.1", - "created": "2022-10-27T02:44:54.520Z", - "modified": "2023-01-04T22:19:56.102Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "created_by_ref": "identity--c9ab8d9a-23be-40fe-b926-44fcf8c80a35", - "start_refs": [ - "attack-action--b28935d3-2248-4304-93c7-f3c73afd7351" - ], - 
"name": "WhisperGate", - "description": "A Russian state-sponsored malware campaign targeting Ukraine.", - "author": [ - [ - "name", - "Mia Sanchez" - ], - [ - "identity_class", - "23b79ae0fc0f07a3669598dd23c694cc" - ], - [ - "contact_information", - "msanchez@mitre.org" - ] - ], - "scope": "incident", - "external_references": [ - { - "source_name": "Talos ", - "description": "Article", - "url": "https://blog.talosintelligence.com/ukraine-campaign-delivers-defacement/" - }, - { - "source_name": "Microsoft", - "description": "Article", - "url": "https://www.microsoft.com/en-us/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/" - }, - { - "source_name": "Recorded Future", - "description": "Article", - "url": "https://www.recordedfuture.com/whispergate-malware-corrupts-computers-ukraine" - }, - { - "source_name": "Blackberry", - "description": "Article", - "url": "https://blogs.blackberry.com/en/2022/01/threat-thursday-whispergate-wiper" - } - ] - }, - { - "type": "identity", - "id": "identity--c9ab8d9a-23be-40fe-b926-44fcf8c80a35", - "spec_version": "2.1", - "created": "2023-01-04T22:19:56.102Z", - "modified": "2023-01-04T22:19:56.102Z", - "name": "Mia Sanchez", - "identity_class": "individual", - "contact_information": "msanchez@mitre.org" - }, - { - "type": "attack-action", - "id": "attack-action--b28935d3-2248-4304-93c7-f3c73afd7351", - "spec_version": "2.1", - "created": "2023-01-04T22:19:56.102Z", - "modified": "2023-01-04T22:19:56.102Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "name": "Valid Accounts", - "technique_id": "T1078", - "description": "Attackers gained initial access through stolen credentials and likely had access to the victim's network for months ", - "confidence": 100, - "effect_refs": [ - "attack-action--c89289c0-e397-4de8-bc10-9bb36817433a" - ] - }, - { - "type": "threat-actor", - "id": 
"threat-actor--723f2959-ff51-4684-8adb-1a8d039237da", - "spec_version": "2.1", - "created": "2023-01-04T22:19:56.102Z", - "modified": "2023-01-04T22:19:56.102Z", - "name": "DEV-0586", - "description": "not attributed to any existing threat actor; this is the designation until the threat actor is converted to a an actor name or merged with a known threat actor", - "threat_actor_types": [ - "unknown" - ], - "first_seen": "2021-06-01T04:00:00.000Z", - "roles": [ - "director" - ], - "sophistication": "expert", - "resource_level": "organization; possibly government", - "primary_motivation": "ideology" - }, - { - "type": "campaign", - "id": "campaign--9aee0182-e45b-4936-92a0-ab6bf4fb21d7", - "spec_version": "2.1", - "created": "2023-01-04T22:19:56.102Z", - "modified": "2023-01-04T22:19:56.102Z", - "name": "Ukraine WhisperGate", - "description": "part of over-arching disinformation campaign in Ukraine. which targets organizations across multiple industries in Ukraine; intended to destroy the MBR and inflict additional damage", - "first_seen": "2022-01-01T05:00:00.000Z" - }, - { - "type": "attack-action", - "id": "attack-action--c89289c0-e397-4de8-bc10-9bb36817433a", - "spec_version": "2.1", - "created": "2023-01-04T22:19:56.102Z", - "modified": "2023-01-04T22:19:56.102Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "name": "Ingress Tool Transfer", - "technique_id": "T1105", - "description": "The malware is written to the C: drive in various directories and executes via Impacket", - "confidence": 100, - "effect_refs": [ - "attack-condition--d4067e78-456d-468f-a73b-87fe2fa5c179" - ] - }, - { - "type": "tool", - "id": "tool--bd603392-08d5-4112-b6e6-454271bbe97a", - "spec_version": "2.1", - "created": "2023-01-04T22:19:56.102Z", - "modified": "2023-01-04T22:19:56.102Z", - "name": "Impacket", - "description": "Python tool to perform lateral movement and execute the malware", - "tool_types": [ - 
"exploitation" - ] - }, - { - "type": "attack-action", - "id": "attack-action--3fb61bf8-98d3-474f-9ffb-db073ac92b5e", - "spec_version": "2.1", - "created": "2023-01-04T22:19:56.102Z", - "modified": "2023-01-04T22:19:56.102Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "name": "Pre-OS Boot: Bootkit", - "technique_id": "T1542.003", - "description": "Executable wipes the MBR and replaces it with the ransom note", - "confidence": 100, - "effect_refs": [ - "attack-condition--23c341a8-1281-424d-9e62-07a7cd91f16f" - ] - }, - { - "type": "attack-action", - "id": "attack-action--bafd6a81-968b-4436-890a-a08b3ba0e825", - "spec_version": "2.1", - "created": "2023-01-04T22:19:56.102Z", - "modified": "2023-01-04T22:19:56.102Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "name": "Command and Scripting Interpreter: Powershell", - "technique_id": "T1059.001", - "description": " The malware executes a base64-encoded PowerShell command twice to make the machine sleep for 20 seconds", - "confidence": 100, - "effect_refs": [ - "attack-condition--68aae979-4c68-4cf9-a673-1f432e10450e" - ] - }, - { - "type": "attack-condition", - "id": "attack-condition--d4067e78-456d-468f-a73b-87fe2fa5c179", - "spec_version": "2.1", - "created": "2023-01-04T22:19:56.102Z", - "modified": "2023-01-04T22:19:56.102Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "description": "Malware executes when the infected device is rebooted by the user", - "on_true_refs": [ - "attack-action--3fb61bf8-98d3-474f-9ffb-db073ac92b5e" - ] - }, - { - "type": "attack-condition", - "id": "attack-condition--68aae979-4c68-4cf9-a673-1f432e10450e", - "spec_version": "2.1", - "created": "2023-01-04T22:19:56.102Z", - "modified": "2023-01-04T22:19:56.102Z", - "extensions": { - 
"extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "description": "Machine sleeps for 20 seconds", - "on_true_refs": [ - "attack-action--0a685dd5-0838-4883-8c08-52ae92e1bb27" - ] - }, - { - "type": "attack-action", - "id": "attack-action--0a685dd5-0838-4883-8c08-52ae92e1bb27", - "spec_version": "2.1", - "created": "2023-01-04T22:19:56.103Z", - "modified": "2023-01-04T22:19:56.103Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "name": "Ingress Tool Transfer", - "technique_id": "T1105", - "description": "The malware retrieves a file from a Discord channel.", - "confidence": 100, - "effect_refs": [ - "attack-condition--885fa2f0-8387-48d4-a774-81ad544d1b9e" - ] - }, - { - "type": "infrastructure", - "id": "infrastructure--f36c1562-80be-4df6-a9e7-753c6794832f", - "spec_version": "2.1", - "created": "2023-01-04T22:19:56.103Z", - "modified": "2023-01-04T22:19:56.103Z", - "name": "162.159.135.233", - "description": "Discord server hosting the next stage of the attack", - "infrastructure_types": [ - "hosting-malware" - ] - }, - { - "type": "attack-condition", - "id": "attack-condition--23c341a8-1281-424d-9e62-07a7cd91f16f", - "spec_version": "2.1", - "created": "2023-01-04T22:19:56.103Z", - "modified": "2023-01-04T22:19:56.103Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "description": "Second stage of the attack starts", - "on_true_refs": [ - "attack-action--bafd6a81-968b-4436-890a-a08b3ba0e825" - ] - }, - { - "type": "tool", - "id": "tool--a6a55cd9-1302-478a-9eb0-8ee475906c71", - "spec_version": "2.1", - "created": "2023-01-04T22:19:56.103Z", - "modified": "2023-01-04T22:19:56.103Z", - "name": "Tbopbh.jpg", - "description": "in reverse byte order; a malicious file corrupter", - "tool_types": [ - "unknown" - ] - }, - { - "type": "attack-condition", - "id": 
"attack-condition--885fa2f0-8387-48d4-a774-81ad544d1b9e", - "spec_version": "2.1", - "created": "2023-01-04T22:19:56.103Z", - "modified": "2023-01-04T22:19:56.103Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "description": "Malware reverses the bytes within the jpg file", - "on_true_refs": [ - "attack-action--e37c269c-2993-49b2-847f-b2b2a2ae973d" - ] - }, - { - "type": "attack-action", - "id": "attack-action--e37c269c-2993-49b2-847f-b2b2a2ae973d", - "spec_version": "2.1", - "created": "2023-01-04T22:19:56.103Z", - "modified": "2023-01-04T22:19:56.103Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "name": "Masquerading", - "technique_id": "T1036", - "description": "JPG file is loaded as a .NET assembly file; when restored, it is a Win32 DLL ", - "confidence": 100, - "effect_refs": [ - "attack-condition--525e2bf0-6244-42dd-b64c-4a62e06a5eab" - ] - }, - { - "type": "attack-action", - "id": "attack-action--aa432949-7c30-48da-8028-38687985a8eb", - "spec_version": "2.1", - "created": "2023-01-04T22:19:56.103Z", - "modified": "2023-01-04T22:19:56.103Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "name": "Deobfuscate/Decode Files or Information", - "technique_id": "T1140", - "description": "A resource from the DLL is loaded into memory and decoded by a XOR operation", - "confidence": 100, - "asset_refs": [ - "attack-asset--7a073913-c3ec-46d4-ae42-cfc926d99824" - ], - "effect_refs": [ - "attack-action--832777c4-7164-4da2-a8c6-4f0c8afab9ce" - ] - }, - { - "type": "attack-asset", - "id": "attack-asset--7a073913-c3ec-46d4-ae42-cfc926d99824", - "spec_version": "2.1", - "created": "2023-01-04T22:19:56.103Z", - "modified": "2023-01-04T22:19:56.103Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - 
"extension_type": "new-sdo" - } - }, - "name": "78c855a088924e92a7f60d661c3d1845", - "description": "resource loaded into memory" - }, - { - "type": "attack-action", - "id": "attack-action--832777c4-7164-4da2-a8c6-4f0c8afab9ce", - "spec_version": "2.1", - "created": "2023-01-04T22:19:56.103Z", - "modified": "2023-01-04T22:19:56.103Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "name": "Masquerading", - "technique_id": "T1036", - "description": "Decoded resource is another .NET DLL containing 2 additional resources", - "confidence": 100, - "asset_refs": [ - "attack-asset--46148584-a5bb-4ed7-9222-cb642b02d13b", - "attack-asset--df39e4ae-a6db-456f-a766-634d4d6c5321" - ], - "effect_refs": [ - "attack-action--490d6448-7f30-42f8-8269-8070af8c8923" - ] - }, - { - "type": "attack-asset", - "id": "attack-asset--46148584-a5bb-4ed7-9222-cb642b02d13b", - "spec_version": "2.1", - "created": "2023-01-04T22:19:56.103Z", - "modified": "2023-01-04T22:19:56.103Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "name": "zx_fee6cce9db1d42510801fc1ed0e09452.dll", - "description": ".NET dll file" - }, - { - "type": "attack-asset", - "id": "attack-asset--df39e4ae-a6db-456f-a766-634d4d6c5321", - "spec_version": "2.1", - "created": "2023-01-04T22:19:56.103Z", - "modified": "2023-01-04T22:19:56.103Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "name": "2 additional resources", - "description": "AdvancedRun & Waqybg" - }, - { - "type": "attack-action", - "id": "attack-action--490d6448-7f30-42f8-8269-8070af8c8923", - "spec_version": "2.1", - "created": "2023-01-04T22:19:56.103Z", - "modified": "2023-01-04T22:19:56.103Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "name": 
"Command and Scripting Interpreter: PowerShell", - "technique_id": "T1059.001", - "description": "AdvancedRun uses PowerShell to execute multiple commands to stop Windows Defender from running and to delete its files and directories from memory", - "confidence": 100, - "effect_refs": [ - "attack-action--694efa68-7cff-4b29-ac5b-2500dd3a7fa9" - ] - }, - { - "type": "attack-action", - "id": "attack-action--2d74bde7-a217-4a95-88c8-5c57a42c0bd8", - "spec_version": "2.1", - "created": "2023-01-04T22:19:56.103Z", - "modified": "2023-01-04T22:19:56.103Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "name": "Data Destruction", - "technique_id": "T1485", - "description": "For each enumeration, the malware wipes the files in the logical drive with specific file extensions, while ignoring files in the %HOMEDRIVE%/Windows directory.", - "confidence": 100, - "asset_refs": [ - "attack-asset--f4157413-58dc-4ef7-bbdd-6b209673ddbf" - ], - "effect_refs": [ - "attack-action--4e521454-aecf-4dd1-8180-a4b0947dbb8f" - ] - }, - { - "type": "attack-asset", - "id": "attack-asset--f4157413-58dc-4ef7-bbdd-6b209673ddbf", - "spec_version": "2.1", - "created": "2023-01-04T22:19:56.103Z", - "modified": "2023-01-04T22:19:56.103Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "name": "Targeted File Extensions", - "description": " .HTML .HTM .PHTML .PHP .JSP .ASP .PHPS .PHP5 .ASPX .PHP4 .PHP3 .DOC .DOCX .XLS .XLSX .PPT .PPTX .PST .MSG .EML .TXT .CSV .RTF .WKS .WK1 .PDF .DWG .JPEG .JPG .DOCM .DOT .DOTM .XLSM .XLSB .XLW .XLT .XLM .XLC .XLTX .XLTM .PPTM .POT .PPS .PPSM .PPSX .HWP .SXI .STI .SLDX .SLDM .BMP .PNG .GIF .RAW .TIF .TIFF .PSD .SVG .CLASS .JAR .SCH .VBS .BAT .CMD .ASM .PAS .CPP .SXM .STD .SXD .ODP .WB2 .SLK .DIF .STC .SXC .ODS .3DM .MAX .3DS .STW .SXW .ODT .PEM .P12 .CSR .CRT .KEY .PFX .DER .OGG .JAVA .INC .INI .PPK .LOG .VDI .VMDK 
.VHD .MDF .MYI .MYD .FRM .SAV .ODB .DBF .MDB .ACCDB .SQL .SQLITEDB .SQLITE3 .LDF .ARC .BAK .TAR .TGZ .RAR .ZIP .BACKUP .ISO .CONFIG" - }, - { - "type": "attack-action", - "id": "attack-action--4e521454-aecf-4dd1-8180-a4b0947dbb8f", - "spec_version": "2.1", - "created": "2023-01-04T22:19:56.103Z", - "modified": "2023-01-04T22:19:56.103Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "name": "Indicator Removal on Host: File Deletion", - "technique_id": "T1070.004", - "description": "WhisperGate deletes InstallerUtil.exe\" from the %TEMP% directory.", - "confidence": 100, - "effect_refs": [ - "attack-action--6fde518b-a422-4e01-bd91-17b9ce07e884" - ] - }, - { - "type": "attack-action", - "id": "attack-action--daa0a62b-cc76-4709-b9c4-3f7454d02c5f", - "spec_version": "2.1", - "created": "2023-01-04T22:19:56.103Z", - "modified": "2023-01-04T22:19:56.103Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "name": "Obfuscated Files or Information", - "technique_id": "T1027", - "description": "WhisperGate uses Eazfuscator to obfuscate the .NET malware", - "confidence": 100, - "effect_refs": [ - "attack-action--217e84c6-e343-4d62-8c4e-f55dace6c913" - ] - }, - { - "type": "attack-condition", - "id": "attack-condition--525e2bf0-6244-42dd-b64c-4a62e06a5eab", - "spec_version": "2.1", - "created": "2023-01-04T22:19:56.103Z", - "modified": "2023-01-04T22:19:56.103Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "description": "DLL retrieves all public methods searching for \"Ylfwdwgmpilzyaph\"; if method is found, it is executed by calling \".Invoke(null, null)\"", - "on_true_refs": [ - "attack-action--daa0a62b-cc76-4709-b9c4-3f7454d02c5f" - ] - }, - { - "type": "tool", - "id": "tool--d06890f7-9f09-46e6-8e7d-77254aa11703", - "spec_version": "2.1", - 
"created": "2023-01-04T22:19:56.103Z", - "modified": "2023-01-04T22:19:56.103Z", - "name": "Eazfuscator", - "tool_types": [ - "unknown" - ] - }, - { - "type": "attack-action", - "id": "attack-action--217e84c6-e343-4d62-8c4e-f55dace6c913", - "spec_version": "2.1", - "created": "2023-01-04T22:19:56.103Z", - "modified": "2023-01-04T22:19:56.103Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "name": "Command and Scripting Interpreter: Visual Basic", - "technique_id": "T1059.005", - "description": "The DLL drops a VBScript into the %Temp% directory and executes it. The script modifies Windows Defender settings to exclude the C: from being scanned", - "confidence": 100, - "effect_refs": [ - "attack-action--aa432949-7c30-48da-8028-38687985a8eb" - ] - }, - { - "type": "tool", - "id": "tool--2df6c6d3-ee7b-47a4-ac7a-c6bce2a238b2", - "spec_version": "2.1", - "created": "2023-01-04T22:19:56.103Z", - "modified": "2023-01-04T22:19:56.103Z", - "name": "AdvancedRun.exe", - "description": "tool from Nirsoft to execute a program with different settings; can be used to execute commands in the context of the TrustedInstaller user", - "tool_types": [ - "exploitation" - ] - }, - { - "type": "attack-action", - "id": "attack-action--694efa68-7cff-4b29-ac5b-2500dd3a7fa9", - "spec_version": "2.1", - "created": "2023-01-04T22:19:56.103Z", - "modified": "2023-01-04T22:19:56.103Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "name": "Process Injection", - "technique_id": "T1055", - "description": "Waqybg resource is loaded into memory and restores it as the wiper payload. 
The DLL then injects the payload into legitimate Windows utility InstallUtil.exe", - "confidence": 100, - "effect_refs": [ - "attack-action--256a646b-d1f6-4f11-86a7-86fbff6fba36" - ] - }, - { - "type": "tool", - "id": "tool--6d6604d7-4c4e-4eb7-8182-4d74dc3811c9", - "spec_version": "2.1", - "created": "2023-01-04T22:19:56.103Z", - "modified": "2023-01-04T22:19:56.103Z", - "name": "InstallUtil.exe", - "description": "benign program produced by Microsoft and distributed as part of the .NET framework", - "tool_types": [ - "unknown" - ] - }, - { - "type": "attack-action", - "id": "attack-action--256a646b-d1f6-4f11-86a7-86fbff6fba36", - "spec_version": "2.1", - "created": "2023-01-04T22:19:56.103Z", - "modified": "2023-01-04T22:19:56.103Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "name": "System Binary Proxy Execution: InstallUtil", - "technique_id": "T1218.004", - "description": "The malware executes Waqybg through the legitimate program InstallUtil ", - "confidence": 100, - "effect_refs": [ - "attack-action--b1d2c424-5d2e-4693-a3cc-de5047e8819f", - "attack-action--2a5161c3-d3a5-454a-beac-0ad43eacc7a1" - ] - }, - { - "type": "attack-action", - "id": "attack-action--b1d2c424-5d2e-4693-a3cc-de5047e8819f", - "spec_version": "2.1", - "created": "2023-01-04T22:19:56.103Z", - "modified": "2023-01-04T22:19:56.103Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "name": "System Information Discovery", - "technique_id": "T1082", - "description": "The wiper looks for fixed logical drives in the system", - "confidence": 100, - "effect_refs": [ - "attack-operator--8c5ccd09-de7d-433d-af00-effa50e50932" - ] - }, - { - "type": "attack-action", - "id": "attack-action--2a5161c3-d3a5-454a-beac-0ad43eacc7a1", - "spec_version": "2.1", - "created": "2023-01-04T22:19:56.103Z", - "modified": "2023-01-04T22:19:56.103Z", - 
"extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "name": "System Network Connections Discovery ", - "technique_id": "T1049", - "description": "The wiper looks for remote logical drives in the system", - "confidence": 100, - "effect_refs": [ - "attack-operator--8c5ccd09-de7d-433d-af00-effa50e50932" - ] - }, - { - "type": "attack-operator", - "id": "attack-operator--8c5ccd09-de7d-433d-af00-effa50e50932", - "spec_version": "2.1", - "created": "2023-01-04T22:19:56.103Z", - "modified": "2023-01-04T22:19:56.103Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "operator": "AND", - "effect_refs": [ - "attack-action--2d74bde7-a217-4a95-88c8-5c57a42c0bd8" - ] - }, - { - "type": "attack-action", - "id": "attack-action--6fde518b-a422-4e01-bd91-17b9ce07e884", - "spec_version": "2.1", - "created": "2023-01-04T22:19:56.103Z", - "modified": "2023-01-04T22:19:56.103Z", - "extensions": { - "extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": { - "extension_type": "new-sdo" - } - }, - "name": "System Shutdown/Reboot", - "technique_id": "T1529", - "description": "WhisperGate attempts to stop all running processes (including itself) by calling ExitWindowsEx API", - "confidence": 100 - }, - { - "type": "note", - "id": "note--21ccadc0-874d-4e01-b9d8-95ec340f8db1", - "spec_version": "2.1", - "created": "2023-01-04T22:19:56.103Z", - "modified": "2023-01-04T22:19:56.103Z", - "abstract": "Evidence", - "content": "Evidence of suspicious activity using legitimate accounts, such as creating a user, adding new user to privileged group, and downloading file with a deface image.", - "object_refs": [ - "attack-action--b28935d3-2248-4304-93c7-f3c73afd7351" - ] - }, - { - "type": "malware", - "id": "malware--67537ec0-a0c5-4372-a89b-15473deaec2e", - "spec_version": "2.1", - "created": "2023-01-04T22:19:56.103Z", - "modified": 
"2023-01-04T22:19:56.103Z", - "name": "stage1.exe", - "malware_types": [ - "ransomware" - ], - "is_family": false, - "capabilities": [ - "compromises-data-availability" - ] - }, - { - "type": "directory", - "id": "directory--61b6a8e8-acb8-4894-8d3d-36111c0e663a", - "spec_version": "2.1", - "created": "2023-01-04T22:19:56.103Z", - "modified": "2023-01-04T22:19:56.103Z", - "path": "C:\\PerfLogs, C:\\ProgramData, C:\\, and C:\\temp" - }, - { - "type": "malware", - "id": "malware--dca4e5f0-804e-4694-845d-9c3dd2a35d1a", - "spec_version": "2.1", - "created": "2023-01-04T22:19:56.103Z", - "modified": "2023-01-04T22:19:56.103Z", - "name": "stage2.exe", - "description": "NET downloader for malicious file corrupter malware", - "malware_types": [ - "downloader" - ], - "is_family": false, - "capabilities": [ - "installs-other-components" - ] - }, - { - "type": "malware", - "id": "malware--a557fe6f-405d-4684-9ead-d1c11dc32f45", - "spec_version": "2.1", - "created": "2023-01-04T22:19:56.103Z", - "modified": "2023-01-04T22:19:56.103Z", - "name": "Frkmlkdkdubkznbkmcf.dll", - "description": "Wind32 DLL file containing 3 resources", - "malware_types": [ - "trojan" - ], - "is_family": false - }, - { - "type": "malware", - "id": "malware--db68d0fb-9669-4681-bc41-0d8d0cab5470", - "spec_version": "2.1", - "created": "2023-01-04T22:19:56.103Z", - "modified": "2023-01-04T22:19:56.103Z", - "name": "Nmddfrqqrbyjeygggda.vbs", - "malware_types": [ - "trojan" - ], - "is_family": false, - "implementation_languages": [ - "visual-basic" - ], - "capabilities": [ - "evades-av" - ] - }, - { - "type": "relationship", - "id": "relationship--ac5572c4-31af-40c3-a0a1-ccce2026d834", - "spec_version": "2.1", - "created": "2023-01-04T22:19:56.103Z", - "modified": "2023-01-04T22:19:56.103Z", - "relationship_type": "related-to", - "source_ref": "campaign--9aee0182-e45b-4936-92a0-ab6bf4fb21d7", - "target_ref": "threat-actor--723f2959-ff51-4684-8adb-1a8d039237da" - }, - { - "type": "relationship", - "id": 
"relationship--a9fba3e2-d7c8-4c73-99f0-2eadf1c75585", - "spec_version": "2.1", - "created": "2023-01-04T22:19:56.103Z", - "modified": "2023-01-04T22:19:56.103Z", - "relationship_type": "related-to", - "source_ref": "attack-action--c89289c0-e397-4de8-bc10-9bb36817433a", - "target_ref": "directory--61b6a8e8-acb8-4894-8d3d-36111c0e663a" - }, - { - "type": "relationship", - "id": "relationship--d27f048b-24db-48f5-99fc-f61c8adbf55a", - "spec_version": "2.1", - "created": "2023-01-04T22:19:56.103Z", - "modified": "2023-01-04T22:19:56.103Z", - "relationship_type": "related-to", - "source_ref": "attack-action--c89289c0-e397-4de8-bc10-9bb36817433a", - "target_ref": "malware--67537ec0-a0c5-4372-a89b-15473deaec2e" - }, - { - "type": "relationship", - "id": "relationship--53cc7c2a-1178-449b-9345-2fdc77c097c7", - "spec_version": "2.1", - "created": "2023-01-04T22:19:56.105Z", - "modified": "2023-01-04T22:19:56.105Z", - "relationship_type": "related-to", - "source_ref": "attack-action--c89289c0-e397-4de8-bc10-9bb36817433a", - "target_ref": "tool--bd603392-08d5-4112-b6e6-454271bbe97a" - }, - { - "type": "relationship", - "id": "relationship--8b1538b2-8e02-4294-be1a-1a0d69d692f6", - "spec_version": "2.1", - "created": "2023-01-04T22:19:56.105Z", - "modified": "2023-01-04T22:19:56.105Z", - "relationship_type": "related-to", - "source_ref": "attack-action--bafd6a81-968b-4436-890a-a08b3ba0e825", - "target_ref": "malware--dca4e5f0-804e-4694-845d-9c3dd2a35d1a" - }, - { - "type": "relationship", - "id": "relationship--eb2bcf9a-dbe5-4202-8147-54906ccd3e11", - "spec_version": "2.1", - "created": "2023-01-04T22:19:56.106Z", - "modified": "2023-01-04T22:19:56.106Z", - "relationship_type": "related-to", - "source_ref": "attack-action--0a685dd5-0838-4883-8c08-52ae92e1bb27", - "target_ref": "infrastructure--f36c1562-80be-4df6-a9e7-753c6794832f" - }, - { - "type": "relationship", - "id": "relationship--92f6a45e-6964-41d9-ab50-6bb54c61345d", - "spec_version": "2.1", - "created": 
"2023-01-04T22:19:56.106Z", - "modified": "2023-01-04T22:19:56.106Z", - "relationship_type": "related-to", - "source_ref": "attack-action--0a685dd5-0838-4883-8c08-52ae92e1bb27", - "target_ref": "tool--a6a55cd9-1302-478a-9eb0-8ee475906c71" - }, - { - "type": "relationship", - "id": "relationship--dc425b36-2a55-4467-a8f5-d638b2e9004f", - "spec_version": "2.1", - "created": "2023-01-04T22:19:56.106Z", - "modified": "2023-01-04T22:19:56.106Z", - "relationship_type": "related-to", - "source_ref": "attack-action--e37c269c-2993-49b2-847f-b2b2a2ae973d", - "target_ref": "malware--a557fe6f-405d-4684-9ead-d1c11dc32f45" - }, - { - "type": "relationship", - "id": "relationship--6715ca29-adbd-44fe-83b6-4ba4ae446351", - "spec_version": "2.1", - "created": "2023-01-04T22:19:56.106Z", - "modified": "2023-01-04T22:19:56.106Z", - "relationship_type": "related-to", - "source_ref": "attack-action--490d6448-7f30-42f8-8269-8070af8c8923", - "target_ref": "tool--2df6c6d3-ee7b-47a4-ac7a-c6bce2a238b2" - }, - { - "type": "relationship", - "id": "relationship--aaa0ee72-f19c-44e9-b6c5-fc0fb68c2000", - "spec_version": "2.1", - "created": "2023-01-04T22:19:56.106Z", - "modified": "2023-01-04T22:19:56.106Z", - "relationship_type": "related-to", - "source_ref": "attack-action--daa0a62b-cc76-4709-b9c4-3f7454d02c5f", - "target_ref": "tool--d06890f7-9f09-46e6-8e7d-77254aa11703" - }, - { - "type": "relationship", - "id": "relationship--0c426c81-f8b6-4c3d-84a1-4554b1648002", - "spec_version": "2.1", - "created": "2023-01-04T22:19:56.106Z", - "modified": "2023-01-04T22:19:56.106Z", - "relationship_type": "related-to", - "source_ref": "attack-action--217e84c6-e343-4d62-8c4e-f55dace6c913", - "target_ref": "malware--db68d0fb-9669-4681-bc41-0d8d0cab5470" - }, - { - "type": "relationship", - "id": "relationship--cda2556e-4366-440c-8f87-c11d9d04bf4d", - "spec_version": "2.1", - "created": "2023-01-04T22:19:56.106Z", - "modified": "2023-01-04T22:19:56.106Z", - "relationship_type": "related-to", - "source_ref": 
"attack-action--694efa68-7cff-4b29-ac5b-2500dd3a7fa9", - "target_ref": "tool--6d6604d7-4c4e-4eb7-8182-4d74dc3811c9" - } - ] -} \ No newline at end of file diff --git a/docs/_static/npx-serve-2.png b/docs/_static/npx-serve-2.png new file mode 100644 index 00000000..1793bc9e Binary files /dev/null and b/docs/_static/npx-serve-2.png differ diff --git a/docs/_static/npx-serve-3.png b/docs/_static/npx-serve-3.png new file mode 100644 index 00000000..23c8e8f7 Binary files /dev/null and b/docs/_static/npx-serve-3.png differ diff --git a/docs/_static/npx-serve.png b/docs/_static/npx-serve.png new file mode 100644 index 00000000..53dbf12c Binary files /dev/null and b/docs/_static/npx-serve.png differ diff --git a/docs/builder.rst b/docs/builder.rst index 6acf9690..be02892f 100644 --- a/docs/builder.rst +++ b/docs/builder.rst @@ -184,8 +184,8 @@ Alternatively, you can run the Attack Flow Builder with Docker Compose: .. code:: shell - $ curl https://raw.githubusercontent.com/center-for-threat-informed-defense/attack-flow/main/docker-compose.yml - $ docker compose up + $ curl https://raw.githubusercontent.com/center-for-threat-informed-defense/attack-flow/main/docker-compose.yml + $ docker compose up This will launch a container with Attack Flow Builder accessible at `http://localhost:8081 `_ . You can customize the provided docker-compose.yml sample file (volumes, ports, ...). diff --git a/docs/developers.rst b/docs/developers.rst index 1acf9cd7..1be38f42 100644 --- a/docs/developers.rst +++ b/docs/developers.rst @@ -268,6 +268,9 @@ an XML file. Attack Flow Builder ------------------- +Dev Server +~~~~~~~~~~ + The Attack Flow Builder is written in JavaScript. To set up a development environment, you first need `to install Node.js and npm `__. Then, perform 
@@ -279,20 +282,6 @@ the following setup steps: $ npm install ... -This will download all of the dependencies needed. You also need to initialize the ATT&CK search index (used for autocompletion of ATT&CK objects): - -.. code:: shell - - $ npm run fetch-attack - Downloading ATT&CK STIX data… - * enterprise-attack-11.1.json → data/enterprise-attack.json… done - * ics-attack-11.1.json → data/ics-attack.json… done - * mobile-attack-11.1-beta.json → data/mobile-attack.json… done - - Finished successfully. - - $ npm run build-index - Finally, to run the application: .. code:: shell 
@@ -314,6 +303,71 @@ If this starts up successfully, then you can access the application at http://localhost:8080/. As you edit source code and save, the server will automatically rebuild the application and you can refresh the browser to run it again. +Preload a Flow +~~~~~~~~~~~~~~ + +As you are working, you may need to test a specific Attack Flow through multiple edit/compile/refresh cycles, +and repeatedly opening the same file in the Builder can be tedious. Here's a trick to automatically load a +specific flow each time you refresh the page. First, go into the corpus directory and start a mini web server. +(The first time you run this, it may prompt you to install the Node.js server package. Go ahead and do that.) + +.. code:: shell + + $ cd corpus/ + $ npx serve --cors + + +Now open the URL ``_. You will see a listing of files in the corpus. + +.. figure:: _static/npx-serve.png + :alt: Listing corpus files in a web browser + :align: center + + The mini server lists files in the corpus directory. + +Right click on the file you want to preload and copy the link. Go back to Attack Flow Builder and edit the URL +to append ``?src=`` and then paste the URL to your selected flow. + +.. figure:: _static/npx-serve-2.png + :alt: Edit the Attack Flow Builder URL + :align: center + + Edit the Attack Flow Builder URL + +Press enter and the builder will load the selected flow. + +.. figure:: _static/npx-serve-3.png + :alt: Attack Flow Builder preloads the selected flow. + :align: center + + Attack Flow Builder preloads the selected flow. + +This flow will be automatically loaded each time you refresh the page. + +Command Line Publisher +~~~~~~~~~~~~~~~~~~~~~~ + +The Attack Flow Builder also includes a command line tool for publishing ``.afb`` files into ``.json`` format. +First, compile the script: + +.. 
code:: shell + + $ cd src/attack_flow_builder + $ env VUE_CLI_SERVICE_CONFIG_PATH="$PWD/vue.cli.config.js" npx vue-cli-service build \ + --target lib --name cli --formats commonjs --no-clean src/cli.ts + +Once the script is compiled, run the script using the Node.js interpreter and pass in one or more builder +files to publish: + +.. code:: shell + + $ node dist/cli.common.js -v ../../corpus/Target\ Breach.afb ../../corpus/Tesla\ Kubernetes\ Breach.afb + Publishing ../../corpus/Target Breach.afb -> ../../corpus/Target Breach.json + Publishing ../../corpus/Tesla Kubernetes Breach.afb -> ../../corpus/Tesla Kubernetes Breach.json + +The JSON files are saved back to the same location as the AFB files, using the same filename stem but with the +file extension changed from ``.afb`` to ``.json``. + Releases -------- diff --git a/src/attack_flow_builder/package-lock.json b/src/attack_flow_builder/package-lock.json index e3c50c28..6c86feb8 100644 --- a/src/attack_flow_builder/package-lock.json +++ b/src/attack_flow_builder/package-lock.json @@ -13,6 +13,7 @@ }, "devDependencies": { "@types/d3": "^7.4.0", + "@types/node": "^20.4.5", "@types/resize-observer-browser": "^0.1.7", "@vue/cli-plugin-typescript": "~4.5.15", "@vue/cli-plugin-vuex": "~4.5.15", @@ -631,9 +632,9 @@ "dev": true }, "node_modules/@types/node": { - "version": "18.11.4", - "resolved": "https://registry.npmjs.org/@types/node/-/node-18.11.4.tgz", - "integrity": "sha512-BxcJpBu8D3kv/GZkx/gSMz6VnTJREBj/4lbzYOQueUOELkt8WrO6zAcSPmp9uRPEW/d+lUO8QK0W2xnS1hEU0A==", + "version": "20.4.5", + "resolved": "https://registry.npmjs.org/@types/node/-/node-20.4.5.tgz", + "integrity": "sha512-rt40Nk13II9JwQBdeYqmbn2Q6IVTA5uPhvSO+JVqdXw/6/4glI6oR9ezty/A9Hg5u7JH4OmYmuQ+XvjKm0Datg==", "dev": true }, "node_modules/@types/normalize-package-data": { 
@@ -16266,9 +16267,9 @@ "dev": true }, "@types/node": { - "version": "18.11.4", - "resolved": "https://registry.npmjs.org/@types/node/-/node-18.11.4.tgz", - "integrity": "sha512-BxcJpBu8D3kv/GZkx/gSMz6VnTJREBj/4lbzYOQueUOELkt8WrO6zAcSPmp9uRPEW/d+lUO8QK0W2xnS1hEU0A==", + "version": "20.4.5", + "resolved": "https://registry.npmjs.org/@types/node/-/node-20.4.5.tgz", + "integrity": "sha512-rt40Nk13II9JwQBdeYqmbn2Q6IVTA5uPhvSO+JVqdXw/6/4glI6oR9ezty/A9Hg5u7JH4OmYmuQ+XvjKm0Datg==", "dev": true }, "@types/normalize-package-data": { diff --git a/src/attack_flow_builder/package.json b/src/attack_flow_builder/package.json index eaea43f3..489f83a9 100644 --- a/src/attack_flow_builder/package.json +++ b/src/attack_flow_builder/package.json @@ -14,6 +14,7 @@ }, "devDependencies": { "@types/d3": "^7.4.0", + "@types/node": "^20.4.5", "@types/resize-observer-browser": "^0.1.7", "@vue/cli-plugin-typescript": "~4.5.15", "@vue/cli-plugin-vuex": "~4.5.15", diff --git a/src/attack_flow_builder/src/assets/scripts/BlockDiagram/DiagramFactory/DiagramFactory.ts b/src/attack_flow_builder/src/assets/scripts/BlockDiagram/DiagramFactory/DiagramFactory.ts index e391c298..3249fc4a 100644 --- a/src/attack_flow_builder/src/assets/scripts/BlockDiagram/DiagramFactory/DiagramFactory.ts +++ b/src/attack_flow_builder/src/assets/scripts/BlockDiagram/DiagramFactory/DiagramFactory.ts @@ -2,6 +2,7 @@ import { Crypto } from "../Utilities/Crypto"; import { Font, FontDescriptor, + IFont, GlobalFontStore } from "../Utilities"; import { @@ -134,7 +135,7 @@ export class DiagramFactory { this.getFontDescriptorsFromTemplate(template) ); } - await GlobalFontStore.loadFonts(fonts); + await GlobalFontStore.loadFonts(fonts, 4000); // Swap font descriptors for fonts for(let template of templates.values()) { @@ -355,7 +356,7 @@ export class DiagramFactory { /** * Swaps all {@link FontDescriptor} defined by a template with - * {@link Font} objects. + * {@link IFont} objects. * @param template * The template to modify. */ 
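Review bot: The new `GlobalFontStore.loadFonts(fonts, 4000)` call in DiagramFactory.ts hard-codes the timeout with no indication of its unit or why 4 s was chosen, which is the kind of literal a reader has to chase into Fonts.ts to interpret. A named constant keeps the intent next to the value: `const FONT_LOAD_TIMEOUT_MS = 4000; // stop waiting for web fonts after 4 s instead of blocking diagram construction` near the imports, and `await GlobalFontStore.loadFonts(fonts, FONT_LOAD_TIMEOUT_MS);` at the call site. The enclosing method starts and ends outside this hunk, so whether a timed-out load is surfaced to the caller or silently falls back is not visible here and is worth confirming.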
diff --git a/src/attack_flow_builder/src/assets/scripts/BlockDiagram/DiagramFactory/DiagramTemplateTypes.ts b/src/attack_flow_builder/src/assets/scripts/BlockDiagram/DiagramFactory/DiagramTemplateTypes.ts index 70bece3b..50f86615 100644 --- a/src/attack_flow_builder/src/assets/scripts/BlockDiagram/DiagramFactory/DiagramTemplateTypes.ts +++ b/src/attack_flow_builder/src/assets/scripts/BlockDiagram/DiagramFactory/DiagramTemplateTypes.ts @@ -1,5 +1,5 @@ import { RootPropertyDescriptor } from "../Property"; -import { Font, FontDescriptor } from "../Utilities"; +import { IFont, FontDescriptor } from "../Utilities"; /////////////////////////////////////////////////////////////////////////////// @@ -49,7 +49,7 @@ export type Template | PageTemplate | TextBlockTemplate -export type SerializedTemplate = SubstituteType; +export type SerializedTemplate = SubstituteType; /////////////////////////////////////////////////////////////////////////////// @@ -105,7 +105,7 @@ export type LineStyle = { } export type SerializedLineStyle = - SubstituteType; + SubstituteType; /////////////////////////////////////////////////////////////////////////////// @@ -127,7 +127,7 @@ export type LineEndingPointStyle = { } export type SerializedLineEndingPointStyle = - SubstituteType; + SubstituteType; /////////////////////////////////////////////////////////////////////////////// @@ -149,7 +149,7 @@ export type LineHandlePointStyle = { } export type SerializedLineHandlePointStyle = - SubstituteType; + SubstituteType; /////////////////////////////////////////////////////////////////////////////// @@ -168,7 +168,7 @@ export type AnchorPointStyle = { } export type SerializedAnchorPointStyle = - SubstituteType; + SubstituteType; /////////////////////////////////////////////////////////////////////////////// 
@@ -190,18 +190,18 @@ export type DictionaryBlockStyle = { stroke_color: string, one_title: { title: { - font: Font, + font: IFont, color: string, } }, two_title: { title: { - font: Font, + font: IFont, color: string, padding: number }, subtitle: { - font: Font, + font: IFont, color: string, line_height: number } @@ -212,12 +212,12 @@ export type DictionaryBlockStyle = { fill_color: string, stroke_color: string, field_name: { - font: Font, + font: IFont, color: string, padding: number }, field_value: { - font: Font, + font: IFont, color: string, line_height: number, padding: number @@ -238,7 +238,7 @@ export type DictionaryBlockStyle = { } export type SerializedDictionaryBlockStyle = - SubstituteType; + SubstituteType; /////////////////////////////////////////////////////////////////////////////// @@ -261,7 +261,7 @@ export type BranchTemplate = { export type BranchBlockStyle = DictionaryBlockStyle & { branch: { - font: Font, + font: IFont, color: string, vertical_padding: number, horizontal_padding: number @@ -269,7 +269,7 @@ export type BranchBlockStyle = DictionaryBlockStyle & { } export type SerializedBranchBlockStyle = - SubstituteType; + SubstituteType; /////////////////////////////////////////////////////////////////////////////// @@ -289,7 +289,7 @@ export type TextBlockStyle = { fill_color: string, stroke_color: string, text: { - font: Font, + font: IFont, color: string, line_height: number }, @@ -308,7 +308,7 @@ export type TextBlockStyle = { } export type SerializedTextBlockStyle = - SubstituteType; + SubstituteType; /////////////////////////////////////////////////////////////////////////////// @@ -355,7 +355,7 @@ export type PageStyle = { } export type SerializedPageStyle = - SubstituteType; + SubstituteType; /////////////////////////////////////////////////////////////////////////////// 
diff --git a/src/attack_flow_builder/src/assets/scripts/BlockDiagram/DiagramModelTypes/BranchBlockModel.ts b/src/attack_flow_builder/src/assets/scripts/BlockDiagram/DiagramModelTypes/BranchBlockModel.ts index b28b29ab..01da832e 100644 --- a/src/attack_flow_builder/src/assets/scripts/BlockDiagram/DiagramModelTypes/BranchBlockModel.ts +++ b/src/attack_flow_builder/src/assets/scripts/BlockDiagram/DiagramModelTypes/BranchBlockModel.ts @@ -17,7 +17,7 @@ import { Cursor, InheritAlignment } from "../Attributes"; -import { Font, titleCase } from "../Utilities"; +import { IFont, titleCase } from "../Utilities"; export class BranchBlockModel extends DiagramObjectModel { @@ -502,7 +502,7 @@ type TextSet = { /** * The text's fonts. */ - font: Font, + font: IFont, /** * The text's color. diff --git a/src/attack_flow_builder/src/assets/scripts/BlockDiagram/DiagramModelTypes/DictionaryBlockModel.ts b/src/attack_flow_builder/src/assets/scripts/BlockDiagram/DiagramModelTypes/DictionaryBlockModel.ts index 98c3662b..93293f63 100644 --- a/src/attack_flow_builder/src/assets/scripts/BlockDiagram/DiagramModelTypes/DictionaryBlockModel.ts +++ b/src/attack_flow_builder/src/assets/scripts/BlockDiagram/DiagramModelTypes/DictionaryBlockModel.ts @@ -1,4 +1,4 @@ -import { Font, titleCase } from "../Utilities"; +import { IFont, titleCase } from "../Utilities"; import { RasterCache } from "../DiagramElement/RasterCache"; import { DictionaryBlockView } from "../DiagramViewTypes"; import { @@ -408,7 +408,7 @@ type TextSet = { /** * The text's fonts. */ - font: Font, + font: IFont, /** * The text's color. diff --git a/src/attack_flow_builder/src/assets/scripts/BlockDiagram/Utilities/Fonts.ts b/src/attack_flow_builder/src/assets/scripts/BlockDiagram/Utilities/Fonts.ts index 73aaf693..316d86f6 100644 --- a/src/attack_flow_builder/src/assets/scripts/BlockDiagram/Utilities/Fonts.ts +++ b/src/attack_flow_builder/src/assets/scripts/BlockDiagram/Utilities/Fonts.ts 
@@ -2,8 +2,13 @@ // 1. Font Store //////////////////////////////////////////////////////////// /////////////////////////////////////////////////////////////////////////////// +interface IFontStore { + getFont(descriptor: FontDescriptor): IFont; + loadFonts(descriptors: FontDescriptor[], timeout: number): Promise; + loadFont(descriptor: FontDescriptor, timeout: number): Promise; +} -class FontStore { +class FontStore implements IFontStore { /** * The font store's internal font list. @@ -27,7 +32,7 @@ class FontStore { * @return * The font. */ - public getFont(descriptor: FontDescriptor): Font { + public getFont(descriptor: FontDescriptor): IFont { let id = FontStore.getCssFontString(descriptor); if(this._fontList.has(id)) { return this._fontList.get(id)! @@ -153,13 +158,39 @@ class FontStore { } +/** + * The dummy font store is used in CLI contexts. + */ +class FontStoreDummy implements IFontStore { + public getFont(descriptor: FontDescriptor): IFont { + return new FontDummy(); + } + + public loadFonts(descriptors: FontDescriptor[], timeout: number): Promise { + return new Promise((resolve, reject) => resolve()); + } + + public loadFont(descriptor: FontDescriptor, timeout: number): Promise { + return new Promise((resolve, reject) => resolve(true)); + } +} + /////////////////////////////////////////////////////////////////////////////// // 2. Font ////////////////////////////////////////////////////////////////// /////////////////////////////////////////////////////////////////////////////// +export interface IFont { + css: string; + descriptor: FontDescriptor + + measureWidth(text: string): number; + measure(text: string): { width: number, ascent: number, descent: number }; + getCharWidth(char: string): number; + wordWrap(text: string, width: number): string[]; +} -export class Font { +export class Font implements IFont { /** * The default character to width index. 
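Review bot: In the `FontStoreDummy` hunk, `loadFonts` and `loadFont` wrap an already-known value in the Promise constructor (`new Promise((resolve, reject) => resolve())`), which leaves an unused `reject` and is the pattern the constructor is meant to avoid; `return Promise.resolve();` and `return Promise.resolve(true);` express the same thing directly. The ignored `descriptor`, `descriptors` and `timeout` parameters are needed for interface conformance, but a lint setup with unused-variable checks may flag them, so an underscore prefix or a short comment that they are intentionally unused would make that explicit. The new `IFontStore` and `IFont` interfaces also carry no TSDoc, unlike the classes around them; a one-line comment on `IFontStore` such as `/** Resolves and loads fonts for rendering; replaced by a no-op store when no DOM is available. */` would document the browser/CLI split this change introduces.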
@@ -355,6 +386,29 @@ export class Font { } +/** + * A dummy font is used in CLI contexts. + */ +class FontDummy implements IFont { + public css: string = "font-dummy"; + public descriptor: FontDescriptor = { size: "font-dummy", family: "font-dummy" }; + + public measureWidth(text: string): number { + return 0; + } + + public measure(text: string): { width: number, ascent: number, descent: number } { + return { width: 0, ascent: 0, descent: 0 }; + } + + public getCharWidth(char: string): number { + return 0; + } + + public wordWrap(text: string, width: number): string[] { + return []; + } +} /////////////////////////////////////////////////////////////////////////////// // 3. FontDescriptor //////////////////////////////////////////////////////// @@ -373,4 +427,12 @@ export type FontDescriptor = { /////////////////////////////////////////////////////////////////////////////// -export const GlobalFontStore = new FontStore(); +function createFontStore(): IFontStore { + if (typeof document === "undefined") { + return new FontStoreDummy(); + } else { + return new FontStore(); + } +} + +export const GlobalFontStore: IFontStore = createFontStore(); diff --git a/src/attack_flow_builder/src/cli.ts b/src/attack_flow_builder/src/cli.ts new file mode 100644 index 00000000..47ca2142 --- /dev/null +++ b/src/attack_flow_builder/src/cli.ts 
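Review bot: `FontDummy.wordWrap` returns `[]`, so any caller in the headless path that lays text out line by line sees the text disappear instead of staying on a single unmeasured line; `return text.length ? [text] : [];` is a safer no-op, and since I cannot tell from this hunk whether the CLI publisher ever consumes wrapped output, it is worth confirming that nothing serialized depends on it. The `descriptor` stub uses `"font-dummy"` for `size`, which only type-checks if `FontDescriptor.size` is a string; if it is numeric elsewhere this should be adjusted. In `createFontStore`, deciding on `typeof document === "undefined"` is a reasonable signal for the Node build, though it would also select the dummy store inside a web worker; a one-line comment stating the intent (`// No DOM (CLI / node build): fonts cannot be loaded or measured, so use the no-op store`) would help the next reader.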
@@ -0,0 +1,112 @@ +// TODO doc blocks everywhere + +import { PageEditor } from "../src/store/PageEditor"; +import config from "../src/assets/builder.config"; + +// Node.js imports must use require() since the Vue compiler will not understand them. +const fs = require("fs"); +const process = require("process"); + +const FLAG_REGEX = new RegExp(`^-`); +const DIAGRAM_PATH_REGEX = new RegExp(`\.${config.file_type_extension}$`); + +/** + * Main entry point for the CLI script. + */ +async function main() { + if (typeof config.publisher === "undefined") { + throw new Error("There is no publisher class configured for this application."); + } + + const args = parseCliArguments(); + + if (args.help || args.diagramPaths.length === 0) { + usage(); + return; + } + + const publisher = new config.publisher(); + + for (const diagramPath of args.diagramPaths) { + const publishPath = diagramPath.replace(DIAGRAM_PATH_REGEX, ".json"); + if (args.verbose) { + console.log(`Publishing ${diagramPath} -> ${publishPath}`); + } + const file = fs.readFileSync(diagramPath, "utf8"); + const editor = await PageEditor.fromFile(file); + const jsonData = publisher.publish(editor.page); + fs.writeFileSync(publishPath, jsonData, {encoding: "utf8"}); + } +} + +/** + * Displays CLI usage. + */ +function usage() { + const script = process.argv[1].split("/").slice(-1); + const extension = config.file_type_extension; + console.log(`Usage: node ${script} [--verbose] ${extension}_file ...`) +} + +/** + * Displays a user error (i.e. something the user can fix by changing their command line arguments). + * @param reason + * An error message to display to the user + * @param exitCode + * A process exit code + */ +function error(reason: string, exitCode: number = -1) { + console.log(`[ERROR] ${reason}`); + usage(); + process.exit(exitCode); +} + +/** + * A container for command line arguments. 
+ */ +type CliArguments = { + diagramPaths: Array; + verbose: boolean; + help: boolean; +} + +/** + * Parse command line arguments. + * @returns + * The parsed arguments. + */ +function parseCliArguments(): CliArguments { + const args: CliArguments = { + diagramPaths: [], + verbose: false, + help: false, + }; + + // The first two arguments contain the node executable and the name of this script. + for (const arg of process.argv.slice(2)) { + if (FLAG_REGEX.test(arg)) { + switch (arg) { + case "-h": + case "--help": + args.help = true; + break; + case "-v": + case "--verbose": + args.verbose = true; + break; + default: + error(`Unrecognized flag: ${arg}`); + } + } else { + if (DIAGRAM_PATH_REGEX.test(arg)) { + args.diagramPaths.push(arg); + } else { + error(`File extension not supported: ${arg}`); + } + } + } + + return args; +} + +main(); diff --git a/src/attack_flow_builder/vue.cli.config.js b/src/attack_flow_builder/vue.cli.config.js new file mode 100644 index 00000000..8b7b66e1 --- /dev/null +++ b/src/attack_flow_builder/vue.cli.config.js @@ -0,0 +1,19 @@ +// This Vue config is used when building the command line tool (cli.ts). It is similar to the regular Vue +// config but contains `target: "node"` so that the command line tool can call Node APIs. +// +// To use it: +// +// $ export VUE_CLI_SERVICE_CONFIG_PATH=$(realpath vue.cli.config.js) +// $ npx vue-cli-service build --target lib --name cli --formats commonjs --no-clean src/cli.ts +const path = require("path"); +module.exports = { + publicPath: './', + configureWebpack: { + resolve: { + alias: { + "~": path.resolve(__dirname, "./") + } + }, + target: "node" + } +};
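Review bot: `DIAGRAM_PATH_REGEX` in cli.ts is built from a template literal in which `\.` is an unrecognized escape and cooks to a bare `.`, so the pattern is effectively `.afb$` (for the configured extension) and accepts any character before the extension — `reportafb` passes the check and `replace()` then turns that suffix into `.json`; double the backslash so the regex source is `\.afb$` (and, since the value comes from config, consider escaping `config.file_type_extension` as well). `main()` at the bottom is invoked with no rejection handler, so a missing input file from `readFileSync` or a failure in `PageEditor.fromFile` surfaces as an unhandled rejection with a stack trace; `main().catch((e: unknown) => { console.error(e instanceof Error ? e.message : String(e)); process.exit(1); });` gives the user the message and a conventional exit status. Related, `error()` defaults `exitCode` to `-1`, which becomes 255 on POSIX shells, and `usage()` interpolates `process.argv[1].split("/").slice(-1)` — an array — where `.at(-1)` or `path.basename` is what is meant. The `// TODO doc blocks everywhere` header acknowledges the missing documentation; at minimum `parseCliArguments` should state that it terminates the process on an unrecognized flag or extension rather than returning.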