cti/ics-attack/x-mitre-analytic/x-mitre-analytic--f666f516-f8d0-41f6-9a4c-0ac6c1f6086b.json
{
"type": "bundle",
"id": "bundle--0b255efc-c1e6-45d9-9a21-13c27a7af783",
"spec_version": "2.0",
"objects": [
{
"type": "x-mitre-analytic",
"id": "x-mitre-analytic--f666f516-f8d0-41f6-9a4c-0ac6c1f6086b",
"created": "2025-10-21T15:10:28.402Z",
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"external_references": [
{
"source_name": "mitre-attack",
"url": "https://attack.mitre.org/detectionstrategies/DET0758#AN1890",
"external_id": "AN1890"
}
],
"object_marking_refs": [
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
],
"modified": "2025-10-21T15:10:28.402Z",
"name": "Analytic 1890",
"description": "Monitor for unexpected modifications to a large number of files in both user directories and directories used to store programs and OS components (e.g., C:\\Windows\\System32).\nMonitor for newly executed processes of binaries that could be involved in data destruction activity, such as SDelete.\nMonitor for unexpected deletion of files.\nMonitor executed commands and arguments for binaries that could be involved in data destruction activity, such as SDelete.",
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
"x_mitre_version": "1.0",
"x_mitre_attack_spec_version": "3.3.0",
"x_mitre_domains": [
"ics-attack"
],
"x_mitre_platforms": [
"None"
],
"x_mitre_log_source_references": [
{
"x_mitre_data_component_ref": "x-mitre-data-component--84572de3-9583-4c73-aabd-06ea88123dd8",
"name": "File",
"channel": "None"
},
{
"x_mitre_data_component_ref": "x-mitre-data-component--3d20385b-24ef-40e1-9f56-f39750379077",
"name": "Process",
"channel": "None"
},
{
"x_mitre_data_component_ref": "x-mitre-data-component--e905dad2-00d6-477c-97e8-800427abd0e8",
"name": "File",
"channel": "None"
},
{
"x_mitre_data_component_ref": "x-mitre-data-component--685f917a-e95e-4ba0-ade1-c7d354dae6e0",
"name": "Command",
"channel": "None"
}
],
"x_mitre_deprecated": false
}
]
}