From 17c6c4110d439d1b6fafdfb2e4bd8ee0d17d7e77 Mon Sep 17 00:00:00 2001 
From: Charissa Miller <48832936+clemiller@users.noreply.github.com>
Date: Tue, 8 Nov 2022 09:49:29 -0500
Subject: [PATCH] ATT&CK v12.1 ICS
---
...-008b8f56-6107-48be-aa9f-746f927dbb61.json | 9 +-
...-063b5b92-5361-481a-9c3f-95492ed9a2d8.json | 12 +-
...-097924ce-a9a9-4039-8591-e0deedfb8722.json | 8 +-
...-09a61657-46e1-439e-b3ed-3e4556a78243.json | 7 +-
...-0fe075d5-beac-4d02-b93e-0f874997db72.json | 5 +-
...-138979ba-0430-4de6-a128-2fc0b056ba36.json | 2 +-
...-19a71d1e-6334-4233-8260-b749cae37953.json | 6 +-
...-1af9e3fd-2bcc-414d-adbd-fe3b95c02ca1.json | 2 +-
...-1b22b676-9347-4c55-9a35-ef0dc653db5b.json | 8 +-
...-1c478716-71d9-46a4-9a53-fa5d576adb60.json | 7 +-
...-23270e54-1d68-4c3b-b763-b25607bcef80.json | 2 +-
...-24a9253e-8948-4c98-b751-8e2aee53127c.json | 8 +-
...-25852363-5968-4673-b81d-341d5ed90bd1.json | 5 +-
...-25dfc8ad-bd73-4dfd-84a9-3c3d383f76e9.json | 5 +-
...-2736b752-4ec5-4421-a230-8977dea7649c.json | 12 +-
...-2877063e-1851-48d2-bcc6-bc1d2733157e.json | 6 +-
...-2883c520-7957-46ca-89bd-dab1ad53b601.json | 4 +-
...-2900bbd8-308a-4274-b074-5b8bde8347bc.json | 10 +-
...-2aa406ed-81c3-4c1d-ba83-cfbee5a2847a.json | 2 +-
...-2bb4d762-bf4a-4bc3-9318-15cc6a354163.json | 2 +-
...-2d0d40ad-22fa-4cc8-b264-072557e1364b.json | 3 +-
...-2dc2b567-8821-49f9-9045-8740f3d0b958.json | 5 +-
...-2fedbe69-581f-447d-8a78-32ee7db939a9.json | 6 +-
...-3067b85e-271e-4bc5-81ad-ab1a81d411e3.json | 3 +-
...-32632a95-6856-47b9-9ab7-fea5cd7dce00.json | 2 +-
...-3405891b-16aa-4bd7-bd7c-733501f9b20f.json | 11 +-
...-35392fb4-a31d-4c6a-b9f2-1c65b7f5e6b9.json | 6 +-
...-36e9f5bc-ac13-4da4-a2f4-01f4877d9004.json | 5 +-
...-38213338-1aab-479d-949b-c81b66ccca5c.json | 2 +-
...-3b6b9246-43f8-4c69-ad7a-2b11cfe0a0d9.json | 6 +-
...-3de230d4-3e42-4041-b089-17e1128feded.json | 6 +-
...-3f1f4ccb-9be2-4ff8-8f69-dd972221169b.json | 9 +-
...-40b300ba-f553-48bf-862e-9471b220d455.json | 7 +-
...-493832d9-cea6-4b63-abe7-9a65a6473675.json | 8 +-
...-4c2e1408-9d68-4187-8e6b-a77bc52700ec.json | 2
+- ...-50d3222f-7550-4a3c-94e1-78cb6c81d064.json | 2 +- ...-539d0484-fe95-485a-b654-86991c0d0d00.json | 2 +- ...-53a26eee-1080-4d17-9762-2027d5a1b805.json | 14 +- ...-53a48c74-0025-45f4-b04a-baa853df8204.json | 4 +- ...-56ddc820-6cfb-407f-850b-52c035d123ac.json | 2 +- ...-5a2610f6-9fff-41e1-bc27-575ca20383d4.json | 5 +- ...-5e0f75da-e108-4688-a6de-a4f07cc2cbe3.json | 5 +- ...-5f3da2f3-91c8-4d8b-a02f-bf43a11def55.json | 2 +- ...-5fa00fdd-4a55-4191-94a0-564181d7fec2.json | 2 +- ...-63b6942d-8359-4506-bfb3-cf87aa8120ee.json | 2 +- ...-648f995e-9c3a-41e4-aeee-98bb41037426.json | 4 +- ...-7374ab87-0782-41f8-b415-678c0950bb2a.json | 2 +- ...-7830cfcf-b268-4ac0-a69e-73c6affbae9a.json | 6 +- ...-83ebd22f-b401-4d59-8219-2294172cf916.json | 2 +- ...-8535b71e-3c12-4258-a4ab-40257a1becc4.json | 8 +- ...-85a45294-08f1-4539-bf00-7da08aa7b0ee.json | 6 +- ...-8bb4538f-f16f-49f0-a431-70b5444c7349.json | 2 +- ...-8d2f3bab-507c-4424-b58b-edc977bd215c.json | 6 +- ...-8e7089d3-fba2-44f8-94a8-9a79c53920c4.json | 6 +- ...-94f042ae-3033-4a8d-9ec3-26396533a541.json | 2 +- ...-9a505987-ab05-4f46-a9a6-6441442eec3b.json | 9 +- ...-9f947a1c-3860-48a8-8af0-a2dfa3efde03.json | 5 +- ...-a81696ef-c106-482c-8f80-59c30f2569fb.json | 2 +- ...-a8cfd474-9358-464f-a169-9c6f099a8e8a.json | 2 +- ...-ab390887-afc0-4715-826d-b1b167d522ae.json | 6 +- ...-abb0a255-eb9c-48d0-8f5c-874bb84c0e45.json | 2 +- ...-ae62fe1a-ea1a-479b-8dc0-65d250bd8bc7.json | 2 +- ...-b0628bfc-5376-4a38-9182-f324501cb4cf.json | 9 +- ...-b14395bd-5419-4ef4-9bd8-696936f509bb.json | 9 +- ...-b52870cc-83f3-473c-b895-72d91751030b.json | 2 +- ...-b5b9bacb-97f2-4249-b804-47fd44de1f95.json | 2 +- ...-b7e13ee8-182c-4f19-92a4-a88d7d855d54.json | 2 +- ...-b9160e77-ea9e-4ba9-b1c8-53a3c466b13d.json | 7 +- ...-ba203963-3182-41ac-af14-7e7ebc83cd61.json | 13 +- ...-be69c571-d746-4b1f-bdd0-c0c9817e9068.json | 7 +- ...-c267bbee-bb59-47fe-85e0-3ed210337c21.json | 8 +- ...-c5e3cdbc-0387-4be9-8f83-ff5c0865f377.json | 6 +- 
...-c9a8d958-fcdb-40d2-af4c-461c8031651a.json | 6 +- ...-cd2c76a4-5e23-4ca5-9c40-d5e0604f7101.json | 5 +- ...-cfe68e93-ce94-4c0f-a57d-3aa72cedd618.json | 4 +- ...-d5a69cfb-fc2a-46cb-99eb-74b236db5061.json | 8 +- ...-d614a9cf-18eb-4800-81e4-ab8ddf0baa73.json | 2 +- ...-d67adac8-e3b9-44f9-9e6d-6c2a7d69dbe4.json | 3 +- ...-e076cca8-2f08-45c9-aff7-ea5ac798b387.json | 6 +- ...-e0d74479-86d2-465d-bf36-903ebecef43e.json | 2 +- ...-e1f9cdd2-9511-4fca-90d7-f3e92cfdd0bf.json | 14 +- ...-e2994b6a-122b-4043-b654-7411c5198ec0.json | 2 +- ...-e33c7ecc-5a38-497f-beb2-a9a2049a4c20.json | 2 +- ...-e5de767e-f513-41cd-aa15-33f6ce5fbf92.json | 7 +- ...-e6c31185-8040-4267-83d3-b217b8a92f07.json | 5 +- ...-e72425f8-9ae6-41d3-bfdb-e1b865e60722.json | 2 +- ...-ea0c980c-5cf0-43a7-a049-59c4c207566e.json | 7 +- ...-ead7bd34-186e-4c79-9a4d-b65bcce6ed9d.json | 7 +- ...-efbf7888-f61b-4572-9c80-7e2965c60707.json | 7 +- ...-f8df6b57-14bc-425f-9a91-6f59f6799307.json | 4 +- ...-fc5fda7e-6b2c-4457-b036-759896a2efa2.json | 8 +- ...-65281d3e-b03c-46b8-8cd8-716363ac3cb2.json | 2 +- ...-059ba11e-e3dc-49aa-84ca-88197f40d4ea.json | 2 +- ...-11f242bc-3121-438c-84b2-5cbd46a4bb17.json | 2 +- ...-143b4398-3222-480a-b6a4-e131bc2d3144.json | 2 +- ...-1e7ccfc0-94c8-496e-8d27-032120892291.json | 2 +- ...-2ab9fc6d-3cf6-4d7b-85f1-3ad6949233b3.json | 2 +- ...-2f0160b7-e982-49d7-9612-f19b810f1722.json | 2 +- ...-3172222b-4983-43f7-8983-753ded4f13bc.json | 2 +- ...-3222a807-521b-4a1a-aa13-f1cda45734b3.json | 2 +- ...-337c4e2a-21a7-4d9a-bfee-9efd6cebf0e5.json | 2 +- ...-3992ce42-43e9-4bea-b8db-a102ec3ec1e3.json | 2 +- ...-469b78dd-a54d-4f7c-8c3b-4a1dd916b433.json | 2 +- ...-49363b74-d506-4342-bd63-320586ebadb9.json | 2 +- ...-49b306c1-a046-42c5-a4d2-30f264ada110.json | 2 +- ...-4fa717d9-cabe-47c8-8cdd-86e9e2e37f30.json | 2 +- ...-52c7a1a9-3a78-4528-a44f-cd7b0fa3541a.json | 2 +- ...-5d97c693-e054-48ba-a3a3-eaf6942dfb65.json | 2 +- ...-622fe4d4-0e8e-4d17-9c25-6c9cef1f15d5.json | 2 +- 
...-66cfe23e-34b6-4583-b178-ed6a412db2b0.json | 2 +- ...-6a02e38a-9629-40c0-8c7d-e98e3470315c.json | 2 +- ...-71eb7dad-07eb-4bbc-9df0-ac57bf2fba4a.json | 2 +- ...-72e46e53-e12d-4106-9c70-33241b6ed549.json | 2 +- ...-7f153c28-e5f1-4764-88fb-eea1d9b0ad4a.json | 2 +- ...-86b455f2-fb63-4043-93a8-32a3a7703a02.json | 2 +- ...-8a3aadd0-b5f4-433a-800e-4893e4196bb7.json | 2 +- ...-8ac1d6e1-b07f-476a-9732-84984ebc2405.json | 2 +- ...-8bc4a54e-810c-4600-8b6c-08fa8413a401.json | 2 +- ...-97f33c84-8508-45b9-8a1d-cac921828c9e.json | 2 +- ...-98aa0d61-fc9d-4b2d-8f18-b25d03549f53.json | 2 +- ...-99c746d7-a08a-4169-94f9-b8c0dad716fa.json | 2 +- ...-9a945a29-5233-4422-a9e3-3e957b0e8bce.json | 2 +- ...-9e3adcad-0b8f-4ecc-a2f3-06f607f53bf0.json | 2 +- ...-9f99fcfd-772e-4e63-9d39-e45612e546dc.json | 2 +- ...-aadac250-bcdc-44e3-a4ae-f52bd0a7a16a.json | 2 +- ...-ac8f3492-7fbb-4a0a-b0b4-b75ec676136c.json | 2 +- ...-ad12819e-3211-4291-b360-069f280cff0a.json | 2 +- ...-b11cad63-ef30-4eb8-af0d-6cc46eef3f3e.json | 2 +- ...-bcf91ebc-f316-4e19-b2f6-444e9940c697.json | 2 +- ...-c7257b6e-4159-4771-b1f3-2bb93adaecac.json | 2 +- ...-d0909119-2f71-4923-87db-b649881672d7.json | 2 +- ...-d48b79b2-076d-483e-949c-0d38aa347499.json | 2 +- ...-da44255d-85c5-492c-baf3-ee823d44f848.json | 2 +- ...-dc61c280-c29d-44e5-a960-c0dd1623d2ba.json | 2 +- ...-ddf3e568-f065-49e2-9106-42029a28ddbd.json | 2 +- ...-de0bc375-50e1-4e26-a342-a8ff8c9d3037.json | 2 +- ...-e0d38502-decb-481d-ad8b-b8f0a0c330bd.json | 2 +- ...-e57ebc6d-785f-40c8-adb1-b5b5e09b3b48.json | 2 +- ...-f0f5c87a-a58d-440a-b3b5-ca679d98c6dd.json | 2 +- ...-f9fcb3ec-6de0-4559-8cd9-ef1c0c7d1971.json | 2 +- ...-facb8840-ebe7-49f1-b464-8ef6c8131e21.json | 2 +- ...-faf2b40e-5981-433f-aa46-17458e0026f7.json | 2 +- ...-fce6866f-9a87-4d3e-a73c-f02d8937fe0e.json | 2 +- ics-attack/ics-attack.json | 29543 ++++++++-------- ...-c78cb6e5-0c4b-4611-8297-d1b8b55e40b5.json | 2 +- ...-00f67a77-86a4-4adf-be26-1a54fc713340.json | 2 +- 
...-190242d7-73fc-4738-af68-20162f7a5aae.json | 2 +- ...-1c63d4ec-0a75-4daa-b1df-0d11af3d3cc1.json | 2 +- ...-2a7914cf-dff3-428d-ab0f-1014d1c28aeb.json | 2 +- ...-3753cc21-2dae-4dfb-8481-d004e74502cc.json | 2 +- ...-381fcf73-60f6-4ab2-9991-6af3cbc35192.json | 2 +- ...-4ca1929c-7d64-4aab-b849-badbfc0c760d.json | 2 +- ...-68ba94ab-78b8-43e7-83e2-aed3466882c6.json | 2 +- ...-76d59913-1d24-4992-a8ac-05a3eb093f71.json | 2 +- ...-9538b1a4-4120-4e2d-bf59-3b11fcab05a4.json | 2 +- ...-c77c5576-ca19-42ed-a36f-4b4486a84133.json | 2 +- ...-c93fccb1-e8e8-42cf-ae33-2ad1d183913a.json | 2 +- ...-dd2d9ca6-505b-4860-a604-233685b802c7.json | 2 +- ...-f29b7c5e-2439-42ad-a86f-9f8984fafae3.json | 6 +- ...-fbd29c89-18ba-4c2d-b792-51c0adee049f.json | 2 +- ...-00e7d565-9883-4ee5-b642-8fd17fd6a3f5.json | 2 +- ...-083bb47b-02c8-4423-81a2-f9ef58572974.json | 2 +- ...-088f1d6e-0783-47c6-9923-9c79b2af43d4.json | 2 +- ...-1d8dccb3-e779-4702-aeb1-6627a22cc585.json | 2 +- ...-242622ca-3903-43d5-8aa0-3bbdaa3020ec.json | 2 +- ...-2eaa5319-5e1e-4dd7-bbc4-566fced3964a.json | 2 +- ...-496bff4d-0700-4b28-b06f-f30a63002be7.json | 2 +- ...-49c04994-1035-4b58-89b7-cf8956e3b423.json | 2 +- ...-4dcff507-5af8-47ce-964a-8d9569e9ccfe.json | 2 +- ...-54cc1d4f-5c53-4f0e-9ef5-11b4998e82e4.json | 2 +- ...-5719af9d-6b16-46f9-9b28-fb019541ddbb.json | 2 +- ...-58eddbaf-7416-419a-ad7b-e65b9d4c3b55.json | 2 +- ...-5af7a825-2d9f-400d-931a-e00eb9e27f48.json | 2 +- ...-6108f800-10b8-4090-944e-be579f01263d.json | 2 +- ...-68dca94f-c11d-421e-9287-7c501108e18c.json | 2 +- ...-736a3b71-eccc-48b7-b5ed-adb2b74ca830.json | 2 +- ...-75ecdbf1-c2bb-4afc-a3f9-c8da4de8c661.json | 2 +- ...-80099a91-4c86-4bea-9ccb-dac55d61960e.json | 2 +- ...-89ab0ca5-f7e0-4d16-bf2a-17d68117fa4b.json | 2 +- ...-9e3c9495-5fbd-4676-b3ac-ddecceb57b8f.json | 2 +- ...-a020a61c-423f-4195-8c46-ba1d21abba37.json | 2 +- ...-a4a98eab-b691-45d9-8c48-869ef8fefd57.json | 2 +- ...-ac61f1f9-7bb1-465e-9b8a-c2ce8e88baf5.json | 2 +- 
...-d3aa1058-b1b3-4c29-a3ba-9a9b90ccd93b.json | 2 +- ...-e221eb77-1502-4129-af1d-fe1ad55e7ec6.json | 2 +- ...-e401d4fe-f0c9-44f0-98e6-f93487678808.json | 2 +- ...-ff6840c9-4c87-4d07-bbb6-9f50aa33d498.json | 2 +- ...-fa42a846-8d90-4e51-bc29-71d5b4802168.json | 2 +- ...-00b98fa6-4913-40a4-8920-befed8621c41.json | 2 +- ...-00e6c22b-9275-4039-b6d4-2ac0680325d6.json | 2 +- ...-01b4a92f-da42-4dfa-8d59-53709b65940e.json | 2 +- ...-0278ddbc-67d5-444d-8082-bf9974dee920.json | 2 +- ...-028a3bcc-f299-4061-a0f2-8da85e0a3c81.json | 2 +- ...-03a9cdc7-3cc5-43e3-9a9c-97d1c4310e35.json | 2 +- ...-03ad6a9a-4443-4e33-a7a5-933e22f2e022.json | 2 +- ...-03d44496-7a15-4e23-820f-b6f1079dbbd3.json | 2 +- ...-042243fd-bfe0-4961-96de-a36232d3ff74.json | 2 +- ...-04882fef-2a6b-40d0-a101-da9c76a3572e.json | 2 +- ...-0491ef92-2941-4841-9fe6-2e1809788b52.json | 2 +- ...-04bf72de-75ba-4d95-ad24-f93ad835180c.json | 2 +- ...-04fa6b94-d633-40ff-9ab2-88f58c07c3e1.json | 2 +- ...-058396ca-3af4-444b-b261-74485c47e68c.json | 2 +- ...-064dfd6f-db5d-48e8-b350-9dd47a270911.json | 2 +- ...-067932c3-0011-4ca2-9bbe-721c631e4e41.json | 2 +- ...-06c663f8-fcf1-47eb-ab79-284e93eafa6b.json | 2 +- ...-06f15629-d050-434a-aed1-3bb3f90c97b2.json | 2 +- ...-06fc6ec4-7857-4f59-9bbf-df373152bcfd.json | 2 +- ...-07f4d65d-4572-450f-8cb2-908fee97bd67.json | 2 +- ...-08302021-aacf-428f-a0ce-e1034d925fb0.json | 2 +- ...-088580e9-ccea-426e-9411-c1de60de650d.json | 2 +- ...-08a4f730-bc3f-4050-973f-1ef2847db4e7.json | 2 +- ...-09977105-562f-4f45-a151-27a11a18031e.json | 2 +- ...-09fe4b04-b1d2-492c-9b10-59b94807ccf9.json | 2 +- ...-0a5d2136-e1f5-4a54-be64-a558f918bf0d.json | 2 +- ...-0b7f643e-8975-4998-acbb-7405fa944a68.json | 2 +- ...-0beb0088-3bea-4612-b2d9-ff9988f829ae.json | 2 +- ...-0c1fe5fc-3bdc-4d0e-94a0-6564f2ce4444.json | 2 +- ...-0c284ce0-0be2-4164-b686-7c383b246aec.json | 2 +- ...-0c4aaf6c-4b72-401f-950b-6d65ceb1267a.json | 2 +- ...-0c9ed09d-4ce3-4e65-845a-c21dcc5d956f.json | 2 +- 
...-0d305450-d5ca-46fe-8583-36c983dd0a88.json | 2 +- ...-0d4f2f88-e176-42c7-8258-52b345045662.json | 2 +- ...-0d540b53-6a5d-4f56-9dee-47707443b149.json | 2 +- ...-0dca1f7d-9965-467a-bea5-b8baa7c8b9fc.json | 2 +- ...-0df0cb6d-0067-48b2-a33e-495415713ab7.json | 2 +- ...-0e275c19-7688-47f8-8cd5-85eaacec465b.json | 2 +- ...-0e29f62d-4ffc-47ec-9623-72f874fbe905.json | 2 +- ...-0e4f272b-d744-4feb-9f3f-c24c3598538f.json | 2 +- ...-0eb112f6-c1cb-4843-93f5-f668aa0e9bd8.json | 2 +- ...-0f18b876-b698-4f70-aa98-50e8b5a7eae2.json | 2 +- ...-0f8a6c14-1050-404a-bb6e-4fe107d5b6cd.json | 2 +- ...-0ff88ef7-44fd-4307-b381-2e0bc76ce83b.json | 2 +- ...-0ffdee1a-1e83-4506-aba2-38c55812abb3.json | 2 +- ...-104b4f25-d0a9-41f6-94b3-fa85ee8b1523.json | 2 +- ...-10626671-941d-4a82-a835-56059058ef87.json | 2 +- ...-107d9a23-991b-44f5-97f6-7f6983c7013a.json | 2 +- ...-10e3816e-8ee2-4dcf-81b7-a22ec0b6fda5.json | 2 +- ...-10e87e4b-a231-42e3-a011-0031f8226936.json | 2 +- ...-1110814e-81ff-4a23-9988-4b93e6f68a2b.json | 2 +- ...-111f437a-c67d-40e4-9515-7e9b22e65eff.json | 2 +- ...-11ab5b1a-b7b3-43bb-bc19-d65bf4ed89f3.json | 2 +- ...-11e4eb54-b0b3-4f67-a93f-28cc10df00ab.json | 2 +- ...-1299dd2d-4f42-4f5f-876b-bf7dacd17c79.json | 2 +- ...-129a4d3f-fa4a-42c3-833e-8f15155b9693.json | 2 +- ...-12a6c5bc-c685-4249-b8c6-e6d49aa2b9ed.json | 2 +- ...-1377fdf9-5201-4204-b6d3-df2fb5f4d02f.json | 2 +- ...-13809e98-1d74-4c39-b882-9d523c76cbde.json | 2 +- ...-139bb9e7-e5fd-4366-b2e6-4f74a73ec984.json | 2 +- ...-13fb2612-7c23-4b9d-a6e1-76f78062fc52.json | 2 +- ...-147c2158-b2af-4d88-9d59-594c67a9200e.json | 2 +- ...-15188683-7ded-4578-9102-73459ecbe095.json | 2 +- ...-154de746-5ea2-43b4-97b2-221b2433cbde.json | 2 +- ...-15a39e3b-124e-4e68-95b5-7b8020225c12.json | 2 +- ...-17525989-242e-4960-b59d-9ea62172263f.json | 2 +- ...-17ae41a5-cb45-4935-bec1-ea0c8bfb2f34.json | 2 +- ...-17fdec71-98e8-4314-a1be-037edede58bd.json | 2 +- ...-18ef2d69-d11a-4d31-a803-da989c4073f7.json | 2 +- 
...-193c3cd3-0b22-4839-a1fa-413aee61e882.json | 2 +- ...-19ab6776-42de-48af-975a-568d31a3bb66.json | 2 +- ...-19c0d2bc-8de9-47c3-a1ee-63abc07c4348.json | 2 +- ...-1a40cec9-47c3-404e-b039-b7ae83ffaf68.json | 2 +- ...-1aa02c37-973e-46bd-ab45-609463e514e9.json | 2 +- ...-1acccbe8-64e1-49ad-87df-215d5c87f050.json | 2 +- ...-1c12b1d6-d636-45c6-98f4-947ddb502cb0.json | 2 +- ...-1c3d966a-5995-48ed-919d-25b972010fe9.json | 2 +- ...-1c831708-28c2-47ae-a158-39f1f7b73406.json | 2 +- ...-1d35c947-447f-4693-9ab0-32dff56e664e.json | 2 +- ...-1d399f67-090e-444b-b75d-eed4b1780f08.json | 2 +- ...-1dc35f79-0ada-4342-bd13-10d10c1b0335.json | 2 +- ...-1e6da55a-ab6c-4583-9e20-583f82096497.json | 2 +- ...-1ed4d007-6d30-4d5d-8df9-3800ed56e042.json | 2 +- ...-1f6b87f3-6749-4caa-98d3-265ebbe0ecbe.json | 2 +- ...-1f785984-791e-4612-be32-9ee6903a9c0b.json | 2 +- ...-1f804c9f-3b65-47eb-89f3-83edd0422fdc.json | 2 +- ...-1f87378c-49fb-4da5-8ed3-3672633d3713.json | 2 +- ...-1f8abf6f-0dd0-4449-b555-733fe7296177.json | 2 +- ...-1fc147bd-d6ab-4beb-908b-0fbe8e125b76.json | 2 +- ...-1fd4cf4e-a26c-4fe5-a7fd-f49b8aea8437.json | 2 +- ...-1fe3e5fc-7dd6-4e14-b9da-edb1a2aae459.json | 2 +- ...-2057ec71-a94f-49cc-b348-2eeb44899afd.json | 2 +- ...-206cc4c8-797e-427b-86f1-4c81df391c6e.json | 2 +- ...-2089201c-c1c6-4d92-a737-a6499e26ee7f.json | 2 +- ...-20a0d820-59ef-42fc-9f56-7a93d1ce7a84.json | 2 +- ...-20f66fab-7a08-4707-ac79-92dac5acd11d.json | 2 +- ...-21041206-da58-45c7-adb0-db07caebdcb6.json | 2 +- ...-21134484-2d59-46b7-b878-527121fff1e3.json | 2 +- ...-214eb531-411c-4b90-9dbf-dc0183cbb919.json | 2 +- ...-21b6ec9c-8779-49db-bf19-90e81893a6e4.json | 2 +- ...-220140ac-d927-4d86-9335-c04aa6ee3c61.json | 2 +- ...-22448288-32d9-4d2c-be16-0784e119fff1.json | 2 +- ...-228b9a13-0545-4ecf-99ff-be02addaf7fe.json | 2 +- ...-234da455-b795-4788-bc5d-22b4b58b2dc7.json | 2 +- ...-238f967a-0c29-4aa3-bbb5-3dc593473bbf.json | 2 +- ...-242b5a0d-e4e8-4ceb-a975-cf8efd64e981.json | 2 +- 
...-243ad7b2-546c-4bf2-a3c0-1438b13e197d.json | 2 +- ...-25e7ca82-2784-433a-90a9-a3483615a655.json | 2 +- ...-26254163-4f25-4d30-8456-ca093459ff32.json | 2 +- ...-2683e59a-dee3-485a-a355-ed2ee0a23d5d.json | 2 +- ...-26d68f5d-6ee5-4d98-b175-943366ccc038.json | 2 +- ...-26e58427-a2bd-4e77-9939-16ef60a072e7.json | 2 +- ...-26fdd07e-d194-4f8e-a9af-d5b2f1d0222e.json | 2 +- ...-276aa6a6-e700-470a-8f72-02537ba7be9d.json | 2 +- ...-28395db7-feee-4711-b704-48e418e13ee1.json | 2 +- ...-2867f491-919b-463f-b689-bb3ceb7ae99f.json | 2 +- ...-28afd84d-a53e-4b2f-9bee-133f7da6982a.json | 2 +- ...-2916cd9c-32d5-463a-a83b-448ef7720192.json | 2 +- ...-2971151c-0e8a-4567-84dc-01cf5dd35005.json | 2 +- ...-29b85313-645b-4fb1-b5c2-f580d111760b.json | 2 +- ...-2b62e4c0-9267-47bd-8f4d-0394b13fb566.json | 2 +- ...-2c641542-2e18-4943-849a-7141b7da4fcd.json | 2 +- ...-2c6f9c9e-efa9-4a87-aadf-64b2aeeaa09a.json | 2 +- ...-2c8dd182-e0a1-469d-aa65-7a1f734d9b46.json | 2 +- ...-2cd79563-0f5a-44a1-9be4-6dc330855d64.json | 2 +- ...-2d07e32d-e9cd-4b19-86ad-4573824d6919.json | 2 +- ...-2d65925e-f437-4557-bd8b-4c0d14ffd0b0.json | 2 +- ...-2daeeaaa-5b4b-4bb7-a94d-78a5749027ca.json | 2 +- ...-2e0769d7-088e-45d5-a262-6dbc91a95073.json | 2 +- ...-2e377016-bb23-481e-b72b-a2ace8c72eb7.json | 2 +- ...-2e5f338d-92c4-4647-8fef-7c901ff774f5.json | 2 +- ...-2ecc567f-3aaa-4bd8-935f-4808d177a552.json | 2 +- ...-2f64b5aa-7e4d-4a5e-9960-69a63ad25083.json | 2 +- ...-2f6b635b-1441-4ef0-9289-1ed6b9098d4a.json | 2 +- ...-2fbb7867-79c5-4d45-9876-98c4041dd72e.json | 2 +- ...-2fd13fc0-e3f0-4099-ab20-d19ba6bcd4e0.json | 2 +- ...-2ff82993-5010-4450-89e7-341f449f3263.json | 2 +- ...-2fffbea8-c031-4de8-a451-447bbbe3e224.json | 2 +- ...-309e4558-e591-4d03-9bb9-07d30acf011f.json | 2 +- ...-31203165-79d0-42e5-81f1-62150dea2c43.json | 2 +- ...-3168a905-f398-403f-9345-de5893de1326.json | 2 +- ...-31897c41-1d47-4a34-b531-21c3f74651a8.json | 2 +- ...-31bf1721-78a2-4b6c-b325-5c44dc02ea33.json | 2 +- 
...-321fc522-bc6b-4975-bee4-9098624d1e8c.json | 2 +- ...-327916f7-fe5d-4858-adeb-f72f74c60c25.json | 2 +- ...-32dbed4e-4dbe-4872-a013-c96111ed102e.json | 2 +- ...-33215dfa-53d0-4bd7-a15d-cec9315c7c4d.json | 2 +- ...-33486e89-f0f4-4507-9f13-48a8f22c8ac8.json | 2 +- ...-3439d550-61d5-40b4-a514-341509d3f701.json | 2 +- ...-3478c49c-594b-4224-b7f9-2b0b09c67288.json | 2 +- ...-34ac1b1b-1103-4fc9-a62e-f1dd1451b28b.json | 2 +- ...-34d4101b-b4c9-4ea3-a84d-81e84e7f5033.json | 2 +- ...-350814da-5c36-42f9-8e58-8f9534e6ce0a.json | 2 +- ...-351e19c4-c16e-493a-9800-a433107aacf1.json | 2 +- ...-35cf6922-d48f-42ea-b7f5-f0258892bd52.json | 2 +- ...-3618a010-b94b-4974-b1be-7630d5c853c1.json | 2 +- ...-3663f10d-4a2c-4d37-bf5f-337c9891c2f4.json | 2 +- ...-366a4cd1-aa95-4985-9d80-b45a2551e298.json | 2 +- ...-375b7e67-8b3f-4102-9e3e-7e356b6c8bf4.json | 2 +- ...-37abb3d5-24fc-4397-844e-07548d324729.json | 2 +- ...-383e242a-72d4-4b40-8905-888595c34919.json | 2 +- ...-3858ec3b-5814-4515-9dda-f8009fbf4cd3.json | 2 +- ...-38a3c86b-c9bb-4a65-87c9-55429c68684f.json | 2 +- ...-39963a04-9675-4fa4-87ea-1b34145cc569.json | 2 +- ...-3a6cd53d-0d4e-4cf8-8edf-f9ebde4faac4.json | 2 +- ...-3a7d1db3-9383-4171-8938-382e9b0375c6.json | 2 +- ...-3aa69e19-f55f-4531-a26e-eb67d6ea24ee.json | 2 +- ...-3ab912a4-70aa-45f8-b2ef-57113dde2cfa.json | 2 +- ...-3b199bf1-b45c-4d78-bdea-ee1c06fd3734.json | 2 +- ...-3b6567a9-6213-4db4-a069-1a86b1098b63.json | 2 +- ...-3be8045a-1f0d-4460-a76b-ae830e74c1e0.json | 2 +- ...-3be9d4d1-17e1-4f3e-b22a-edad8cf0c343.json | 2 +- ...-3bff265f-7ab9-4dae-b7a3-a5d9bc586f35.json | 2 +- ...-3c341d13-938e-4535-ac75-10a79abc7017.json | 2 +- ...-3c5bc8de-a7a4-4bda-a82f-8d149ec927f1.json | 2 +- ...-3d005ed8-77d3-4fed-9dd5-7e39ba8cb50a.json | 2 +- ...-3d20dad6-fb53-4d74-bc7e-54b9b88e1529.json | 2 +- ...-3d4ea0e2-9f51-40f9-a22b-8265f696fd83.json | 2 +- ...-3d676c1b-2650-4599-8a57-790c55f9977d.json | 2 +- ...-3da977ab-c863-4e6f-a5b7-68173160da00.json | 2 +- 
...-3dc3aec5-0056-46e8-8073-a7e32d3d929d.json | 2 +- ...-3dde2b07-7c30-4a18-a9df-f85db84f9b14.json | 2 +- ...-3e956d93-e011-40de-ab1b-3f32fa73ae41.json | 2 +- ...-3ed98d8c-de30-499e-9a62-eae0207519f4.json | 2 +- ...-3f335e8f-68da-4b06-9d96-f371ddaf23e6.json | 2 +- ...-3f5f9f9d-9bb3-4461-b85b-501f6077e7b8.json | 2 +- ...-3f76d408-be8a-478e-8a5a-aab1d1f96572.json | 2 +- ...-40479f3e-d4d2-45f8-893f-f8a4fcf1613c.json | 2 +- ...-40f63b01-dc59-475d-826a-74f38c6e81b9.json | 2 +- ...-4122cdb6-09a4-4b68-b0d1-5d880cf5a4ef.json | 2 +- ...-41adaf0b-b7ae-4bdb-9a5b-567fd0911d7a.json | 2 +- ...-41b87fd8-6e4d-4e53-a282-c85292fdaa22.json | 2 +- ...-41ff63a3-ddb9-47fb-8d92-bed74ed0d41d.json | 2 +- ...-4211c12a-57cf-4ebb-910a-6af7aa09cf34.json | 2 +- ...-42508a8e-44d5-4af1-9e66-bace5fc94734.json | 2 +- ...-4256a0c2-437d-4a4c-88ac-d08d3041b8c1.json | 2 +- ...-42ab7d24-8286-4a7a-8cd7-02e54a80e13f.json | 2 +- ...-433539bf-cb17-4de1-9c0f-e579b041514f.json | 2 +- ...-4369da69-bb09-4cc8-8600-081a450f50e0.json | 2 +- ...-43777394-ff59-4261-b1cf-b41a1f4f4d8b.json | 2 +- ...-43bdf580-b98f-49cf-92d5-3dac50450c86.json | 2 +- ...-446c95ea-5178-4ae9-8f92-cb20dd50f7de.json | 2 +- ...-44c6bc32-d2e5-42f5-8c2e-42f305cb589b.json | 2 +- ...-44c857cf-7a4e-405a-87ca-7f6d79000589.json | 2 +- ...-45ee1822-71e4-4d92-976d-306561b70555.json | 2 +- ...-461e81a2-c7ad-499e-908d-05ef2f7bd9cd.json | 2 +- ...-4631bf49-da0b-4415-a226-112c99ff0f64.json | 2 +- ...-46332a77-2fd6-4033-96cf-6163172775ec.json | 2 +- ...-46bc86e4-e20b-4778-80d2-8891039e6fb4.json | 2 +- ...-46edf5ba-ebd3-4976-9cdc-1276ba253c98.json | 2 +- ...-478cef79-cf4e-4b37-9562-b45cdeb088a4.json | 2 +- ...-47f15a06-8675-4698-833d-bd141ed9e755.json | 2 +- ...-48489baf-56c2-423e-964a-0a61688e4a19.json | 2 +- ...-491455dc-f7c8-4e12-811b-b8c5c041b4c3.json | 2 +- ...-4966e63c-ca05-466d-91f9-41d799a54471.json | 2 +- ...-49d38b21-5ce5-48d9-a356-639fc6c7a53d.json | 2 +- ...-49d941a6-4da2-4516-92d0-1bc64554b2f2.json | 2 +- 
...-4b57e41c-246f-44b3-b259-1811d5275e10.json | 2 +- ...-4cce6bf1-1aa9-483d-a733-d6e52e091419.json | 2 +- ...-4dd93fd2-6e6d-4c50-a091-6d6ea6903f1e.json | 2 +- ...-502a0b7e-048a-468a-b888-e91fde47c6eb.json | 2 +- ...-5041e17d-6349-4589-8c61-7b43964b5f9b.json | 2 +- ...-50a2b289-7bce-405d-8515-c2b5424cce5c.json | 2 +- ...-50b3247a-ea71-455e-b299-f00666c05146.json | 2 +- ...-50c20664-75dc-451e-b026-67b1d309e4b5.json | 2 +- ...-51eb15a3-48af-470f-94c0-10f25b366d72.json | 2 +- ...-51eca7b9-6330-48a8-badd-65ed3e9d3639.json | 2 +- ...-51ed2f2f-d7e2-4699-b6bf-8da9d0361d59.json | 2 +- ...-51f9963c-c041-4bec-b482-5fda2fb5bca4.json | 2 +- ...-520aad6a-2483-45bc-a172-2417137f6ca0.json | 2 +- ...-5212f36b-216f-4e32-8b64-3b4c94dfada5.json | 2 +- ...-52855d5d-e835-470f-a675-751c2779c861.json | 2 +- ...-52c7176b-431d-44a6-8c03-7c15a8cf6ce1.json | 2 +- ...-531e0589-0dad-444d-aca4-6198ba5d9fcd.json | 2 +- ...-535c5160-17e0-44eb-9f4b-1a8e216b56a2.json | 2 +- ...-53a54e4a-2b38-4b0c-8f60-252a68767443.json | 2 +- ...-5424e327-396f-4b07-94a3-408ffc915686.json | 2 +- ...-54e73627-95de-4e6e-abf0-d93e20a1fe8f.json | 2 +- ...-54f6293a-1ccb-4dcb-b85c-9a2a57daddb9.json | 2 +- ...-55f3dd59-08be-4e23-a680-b6db7850b399.json | 2 +- ...-55fe102a-d32b-4a73-85b1-14a02d0e552f.json | 2 +- ...-56672ea4-cbf0-4a3e-8aed-edcc7d33133b.json | 2 +- ...-567acebd-4ba2-4723-a74d-514992321ccc.json | 2 +- ...-56dcc2d7-5243-4a5d-a556-8723642e98a4.json | 2 +- ...-5714c88f-ca54-46b6-b072-cd1d24714ae0.json | 2 +- ...-575f0e0b-d68d-432b-abb3-cbd3e641fc88.json | 2 +- ...-5771ce27-7cc7-4144-8c11-c1a6d2ac3e2c.json | 2 +- ...-578117b2-0f4b-4d75-a2dc-3ee45976e616.json | 2 +- ...-5804ae3d-0daf-47a5-b026-d42878f55803.json | 2 +- ...-58269882-7e8d-4d24-b7a3-dbef6196cb61.json | 2 +- ...-5886d4a1-2d4c-40d5-a689-69c475ab6ee2.json | 2 +- ...-58a0fd57-ea5f-46b0-84ac-c5b963fb7e94.json | 2 +- ...-58aa90a7-886b-4f37-ab16-a0beb0e64877.json | 2 +- ...-58cb4cb5-4b0f-4ce0-b3f9-5deb9de31c52.json | 2 +- 
...-5901e8b3-7df0-43e0-bdc5-f4fd2792a572.json | 2 +- ...-590bdd67-31ef-4edd-b2ac-2bd1b98da19c.json | 2 +- ...-5914a482-dbb7-429d-96f3-77f0588ac12d.json | 2 +- ...-591620d3-5549-49db-9080-43f86a68a590.json | 2 +- ...-59c65014-1fee-4c2e-9ece-9883159bbed2.json | 2 +- ...-5a16cecc-4017-4ce8-97db-01cb66a1528e.json | 2 +- ...-5ae1cf3a-2603-4bf9-ace3-5b1ee5d8d757.json | 2 +- ...-5bb313a8-8407-4ec1-a4b0-683ded7f3302.json | 2 +- ...-5be1f2b1-75fd-4e7e-901b-495cee4ab5ad.json | 2 +- ...-5bf8473c-3c60-4a8a-8514-c2b50ab8a92d.json | 2 +- ...-5c0bdf4c-233f-42cd-8900-2a5cc8c9387c.json | 2 +- ...-5c695f49-6c76-4818-88b6-4db2bf029e43.json | 2 +- ...-5ca1d677-b41f-4f1e-b86b-f5637a418829.json | 2 +- ...-5d0a7979-0420-4fd1-b5ad-cb5565cbdf9d.json | 2 +- ...-5d33de22-35b0-47fa-bc63-f984522340b7.json | 2 +- ...-5d4f6aff-650c-45fe-a9d8-2080d3ea02d7.json | 2 +- ...-5de6bf53-0a02-439b-a8d0-248fa9640a36.json | 2 +- ...-5dfa5bad-8b0b-4884-bf01-04ea89e3ccf7.json | 2 +- ...-5e099568-fb5c-4f58-af7e-4e1b7a9d1128.json | 2 +- ...-5f03ee5d-534c-454c-aae3-b41130b00286.json | 2 +- ...-604a9bf0-81a3-425b-9005-779c4f0f749d.json | 2 +- ...-6157408d-1eb3-4445-8d8a-14619458954f.json | 2 +- ...-61668e93-6d9d-418d-9fbd-2d88c3a66544.json | 2 +- ...-6258c355-677c-452d-b1fc-27767232437b.json | 2 +- ...-62e818b8-38e6-42ff-9424-9a327332eb2a.json | 2 +- ...-632ca9a0-a9f3-4b27-96e1-9fcb8bab11cb.json | 2 +- ...-63323b12-86db-4b91-a701-90daf3f98f7c.json | 2 +- ...-63453d2f-30f6-40ab-b32c-506d940ecd20.json | 2 +- ...-636baf5a-1a1c-476b-bc54-fb27b27b58a2.json | 2 +- ...-63ca148e-12c9-4090-b51e-a8fb7a847a2a.json | 2 +- ...-641813ea-66a9-4949-848f-db83420aac39.json | 2 +- ...-648c6649-5861-4b43-a7e5-a9665bafb576.json | 2 +- ...-64db6a39-64d2-4999-97d7-91c28c32f42e.json | 2 +- ...-652a68a2-a26b-4e8c-86dd-fd83187ed043.json | 2 +- ...-655e2f91-5d43-4c47-b7e0-8248b351f3ba.json | 2 +- ...-65a45501-10de-46a2-89bf-03bbf17aba33.json | 2 +- ...-65adbdda-7069-40ed-9825-b79ec87e4916.json | 2 +- 
...-6603a100-d655-4e6b-8d38-73c11b89dde4.json | 2 +- ...-6637d8e6-6578-4d15-a993-d63ced4c4464.json | 2 +- ...-6681bc38-0b55-4714-b690-c609956b40bf.json | 2 +- ...-66af47d7-c430-4ac9-8020-fd79b7059037.json | 2 +- ...-66d637a0-4874-4b12-bd3a-b408acb06d26.json | 2 +- ...-66f79019-d52c-46a6-b605-c2335d1d3d20.json | 2 +- ...-671043a9-337f-411a-9ca9-3112e897ab09.json | 2 +- ...-679d216f-9bf7-428a-8d5b-72a84d6d45ab.json | 2 +- ...-679e7b8d-57d7-4c1d-8f42-1496606ea666.json | 2 +- ...-6833d534-9cbb-4b9f-85b6-93d3d2d6faca.json | 2 +- ...-686cbd74-ef49-4e77-9599-21777d3a4738.json | 2 +- ...-6895e54e-3968-41a9-9013-a082cd46fa44.json | 2 +- ...-68d30c45-766f-48b6-9405-0c969243332b.json | 2 +- ...-6902da63-3b59-46f3-99e0-6008dd47ab70.json | 2 +- ...-69146c10-d3d0-4f69-8164-9c21a1a4e10b.json | 2 +- ...-692324b4-064a-430c-8ffc-7f7acd537778.json | 2 +- ...-69576d3c-d0e8-459e-9f2e-0b9c560b2e04.json | 2 +- ...-698d7c50-daab-4087-a7b4-b2bc8dfd81a7.json | 2 +- ...-6aa080d0-6e25-46e5-91d8-4af11f01ceef.json | 2 +- ...-6ad39b3a-a962-457f-852c-be7fc615e22f.json | 2 +- ...-6b5d2643-b399-43aa-8ab1-7557a0446b07.json | 2 +- ...-6b5fd6d8-ef70-4896-b1a4-7b6c29c3a0d4.json | 2 +- ...-6b987f2a-3d07-4791-9c1c-e4f6818521e8.json | 2 +- ...-6baa9172-04e4-416d-a009-668cda23fd5d.json | 2 +- ...-6be102a8-5d9c-494e-a8ce-7b0a1c86a863.json | 2 +- ...-6be3917c-aad7-4a3f-bea2-23e4ba4310ee.json | 2 +- ...-6be4cef2-3d54-4cd8-97df-8a8b37c03605.json | 2 +- ...-6bf14e79-3287-4b9e-b222-9d527530df1e.json | 2 +- ...-6c15ec9f-2b48-419c-adc1-f989833f6187.json | 2 +- ...-6d1906b4-e815-4688-86f1-ce61d403f8c6.json | 2 +- ...-6d822f86-5793-403a-b176-5d533f6b81b3.json | 2 +- ...-6e3c2c04-0838-4863-80a7-d73ef5ac6a64.json | 2 +- ...-6eaf727c-fec3-4e63-8852-eee27c44d596.json | 2 +- ...-6ed07095-c23a-4676-807f-a544deaeb274.json | 2 +- ...-6f0384e6-73c8-4fc7-bc0c-0a8c2bfa473d.json | 2 +- ...-6f2c2043-6487-467a-bb49-e8cd2509ae9f.json | 2 +- ...-6fa3aee4-2a29-4c0f-9e61-1f7df5eccc00.json | 2 +- 
...-70113c21-85f2-4232-8755-233f93864277.json | 2 +- ...-7041d8e5-3b74-402a-86b3-fd59def80632.json | 2 +- ...-709c4e40-c5c6-405b-bc3d-0adfea40ccd4.json | 2 +- ...-70a9010c-6943-4274-b854-50901c3e5a0e.json | 2 +- ...-711f17c2-c9f6-4d8d-bf79-117fcdc592c0.json | 2 +- ...-71422483-33e4-4131-a4ec-40322d91d8a0.json | 2 +- ...-71c81024-ea36-4853-940a-cd9d4cbcabed.json | 2 +- ...-71c9db9c-6f0c-4e33-a20a-dcd5b791a49a.json | 2 +- ...-71e9230d-eec8-4ce1-bc96-9288bacc8b13.json | 2 +- ...-7258c355-677c-452d-b1fc-27767232437b.json | 2 +- ...-72bfda0b-31e9-4958-8d40-6efe816d9989.json | 2 +- ...-739e7b8d-57d7-4c1d-8f42-1496606ea666.json | 2 +- ...-73a48431-3597-4a72-acb8-c1e5019073e2.json | 2 +- ...-7411b05d-209a-4907-83ce-00ab1538fbac.json | 2 +- ...-74b66248-2cb6-46ea-b52c-c7d60c170f3f.json | 2 +- ...-74ec9ce5-3155-488c-ae56-570c47a1d207.json | 2 +- ...-75366cbf-e45f-4cfd-9e76-5af4dfe10766.json | 2 +- ...-754521fc-4306-4daa-831b-6b6fb45847e2.json | 2 +- ...-758d5818-f919-4a6b-9dc2-a212595a11bd.json | 2 +- ...-75a60046-c4d7-498a-b256-9a93b5992dcc.json | 2 +- ...-76654cf3-5cfe-4bf4-b134-806fd75b1ddb.json | 2 +- ...-76b8bbce-1c65-4337-a4d7-320c594dc29e.json | 2 +- ...-77821dbb-367e-455f-bcae-b87412e88f1b.json | 2 +- ...-78972893-5d8c-480f-a05d-481adc0c8bb0.json | 2 +- ...-7912946d-1605-465a-a55c-36bb104235ab.json | 2 +- ...-792324b4-064a-430c-8ffc-7f7acd537778.json | 2 +- ...-79324bdd-cdab-4d0a-af60-af1047c1d117.json | 2 +- ...-798919d3-df8b-463f-b2be-4c1aa8089384.json | 2 +- ...-79d05cb2-ded0-4847-b52e-af7af421f303.json | 2 +- ...-79fccaf1-3592-4af0-8a47-1d325b9fd5a4.json | 2 +- ...-7a55fc66-0d5c-4ef6-af28-d4a4bb84381d.json | 2 +- ...-7a79ff35-319a-4e7d-b8c7-72f0bb0f8978.json | 2 +- ...-7aa93b40-80da-4bb6-8a7c-88e5f5e44669.json | 2 +- ...-7bfaf0ff-6d88-460f-aa32-3fb0267b4f20.json | 2 +- ...-7c1eee62-3307-4e25-8a20-919ccd56ec1c.json | 2 +- ...-7c2edd6c-5189-4ba9-af3d-bdaff4a699ca.json | 2 +- ...-7c2f82ff-bde7-4ab8-b6ab-35d7f7f498dd.json | 2 +- 
...-7c329018-b591-42c4-8806-4d02ccd47476.json | 2 +- ...-7c3b65e8-e8b7-4c3b-b27b-e216986d8976.json | 2 +- ...-7c85bff0-8f70-479e-9365-fef1e3fe2b95.json | 2 +- ...-7c893581-c847-495a-aa93-9d98c516e1ae.json | 2 +- ...-7d0ec383-4c5d-474d-9262-3f3c0d6c05b1.json | 2 +- ...-7d2db896-3051-483c-bc53-ca21832ee085.json | 2 +- ...-7d3ef0e3-560c-4e46-a0b4-dd1efc29e835.json | 2 +- ...-7d5759cd-890e-4ec5-b92b-aba225d52960.json | 2 +- ...-7d66eae7-0dd4-4d21-ab07-8f7e350a7105.json | 2 +- ...-7d6c4a00-acde-40af-bf91-a4ef009cf135.json | 2 +- ...-7dad75e6-f569-4bb9-ad75-5eda55dff0b1.json | 2 +- ...-7db9687b-7099-4cb6-a040-bc32fc549a81.json | 2 +- ...-7dedeb73-ef90-4282-a635-cc37326773af.json | 2 +- ...-7e87ce08-a428-4e55-876e-80d2760121a5.json | 2 +- ...-7f1e688d-65f7-4737-a4ba-ee482710f8ec.json | 2 +- ...-7f3ab726-ca49-4d47-b2b5-6246c6e4fdd3.json | 2 +- ...-7fc9fbfc-ab9f-4189-bc1f-d473e9ef36b5.json | 2 +- ...-7fdaa9be-aecf-459f-b028-7c35dc8b6451.json | 2 +- ...-7ff12adb-bc9a-42e5-9cbf-613b200c36dc.json | 2 +- ...-808174b7-3ab0-45b5-963e-5c10dd749e3c.json | 2 +- ...-808c57e7-72ef-4860-b9ea-8ea072e2385a.json | 2 +- ...-80a69b56-337d-446a-8167-8b9f63083c4f.json | 2 +- ...-81117328-e2bb-431c-a1ca-6ba7e6816637.json | 2 +- ...-81add433-49d8-43ec-85d5-f48fe80e56e7.json | 2 +- ...-81ca994a-b350-424d-8f39-a0b64aa76260.json | 2 +- ...-82b20c35-88c6-49aa-8241-a59512b17b74.json | 2 +- ...-8334b3ab-f17f-460e-b627-ad85fc9c2409.json | 2 +- ...-83c29179-4805-403a-acf5-5151c4d2e556.json | 2 +- ...-83c8c216-7ff7-4bd3-9db4-573469628d95.json | 2 +- ...-83e5ebce-8d5d-43ca-a47f-ecb50ae8993a.json | 2 +- ...-841ec349-0f4c-43fa-89b8-ef3656497fc9.json | 2 +- ...-842a2b85-4e77-4eb6-99e1-c4a231aadf48.json | 2 +- ...-84e535be-960a-450a-91f9-4dc8c5e3f69d.json | 2 +- ...-86076ad1-8037-4dd0-88e7-9c40ec00af4a.json | 2 +- ...-868db512-b897-4a54-ae56-ac78f6c93a14.json | 2 +- ...-86b868be-3e59-4497-9aa9-a2cd951a8f72.json | 2 +- ...-86c94552-de59-453d-ac06-28a6a64db930.json | 2 +- 
...-86d45e92-80ba-4f97-b3a3-03ad3469658b.json | 2 +- ...-86ede365-4539-4475-b90b-9b3bfd2dbe97.json | 2 +- ...-86f1655a-db46-4d49-9051-6653da83eb13.json | 2 +- ...-874752f4-59a2-46e9-ae28-befe0142b223.json | 2 +- ...-87c8ab74-576d-4962-b641-0762d374d1e8.json | 2 +- ...-87eb5825-c918-444f-8da5-67da9eea9906.json | 2 +- ...-880161a4-d6c9-4e5b-a78d-39319cfa43ab.json | 2 +- ...-881ef4ba-a480-44de-8ab6-be2cdc87dcce.json | 2 +- ...-892c0bff-17b6-447b-a213-6a3189a1df82.json | 2 +- ...-8985cd3c-1429-4681-ad2e-9b3e46588a44.json | 2 +- ...-8a06c15b-b7e5-4374-9265-8d9020e126cd.json | 2 +- ...-8a604466-8437-4fe6-b6db-ec8fb05d702a.json | 2 +- ...-8af89a9b-3e95-45f4-a51d-223b1c82db9c.json | 2 +- ...-8b136d10-1fd7-4cd4-a3a7-b648b23adc92.json | 2 +- ...-8b17ad46-b0cc-4766-9cae-eba32260d468.json | 2 +- ...-8b2d82aa-75fc-4d6d-bb4b-9f600bd211fd.json | 2 +- ...-8b491011-322d-4e0b-8f79-449e1b2ee185.json | 2 +- ...-8baa4d55-c235-44da-b6fe-8866cf7f9915.json | 2 +- ...-8c1b22bd-7e31-427f-a9c5-085a606212ca.json | 2 +- ...-8ca2fe75-9bb3-4af5-8fee-accd33d6d2ec.json | 2 +- ...-8da928a0-1c87-471f-aad7-5a1fdd438357.json | 2 +- ...-8dab113a-a713-499b-ba1e-9c2cbeffb3c8.json | 2 +- ...-8ecf5eac-7767-411b-b54a-b374ea51b9e9.json | 2 +- ...-8f76d408-be8a-478e-8a5a-aab1d1f96572.json | 2 +- ...-8f90363e-2825-4178-807f-9268a28760fa.json | 2 +- ...-8fa6fe89-e704-4be4-a15b-50e188084aa3.json | 2 +- ...-8fcecf74-36df-41ab-9476-539c9ac0b339.json | 2 +- ...-90d9c8e3-0250-4096-8d98-7ca1d324d654.json | 2 +- ...-91f29477-2ff6-4dbf-bf68-c8825a938851.json | 2 +- ...-92634d06-42e5-407f-bcb7-cafb1ddeafce.json | 2 +- ...-92d1fd4f-6cc7-4db5-82f8-f8caa5ff59f0.json | 2 +- ...-92ea1c2a-3835-43de-bb56-24e937a6f322.json | 2 +- ...-93e24e03-6425-4ee8-99bb-c3a662c6cdce.json | 2 +- ...-949b498c-ca3f-4704-90bd-a22a4d34067f.json | 2 +- ...-94c903f4-a6c1-40c4-9e9b-0896a5d43b7e.json | 2 +- ...-9515f24c-1c33-4197-b9c9-b9992bc696ca.json | 2 +- ...-95b12e1a-7f21-4fa0-9b2a-c96c7c270625.json | 2 +- 
...-966b59c0-8641-432c-84f7-b2a712004d74.json | 2 +- ...-968830b7-ee80-4a6e-96a4-9fc70470e4a9.json | 2 +- ...-973f5884-a076-413e-ac96-f0bd01375fb6.json | 2 +- ...-97538255-b049-4d15-91c4-6b227cbea476.json | 2 +- ...-97641754-f215-4b8f-b0cd-0d3142053c76.json | 2 +- ...-97c5b388-518a-46ec-b2b0-41bfa6a83204.json | 2 +- ...-97df42a5-e6d3-4fb7-a158-c161d14624ab.json | 2 +- ...-984992e3-0407-406a-b8dd-c114d8b2d9a2.json | 2 +- ...-98b229f8-6020-4fbb-b104-54fd478c14d9.json | 2 +- ...-98d447f4-397b-43e7-9740-c2e5ea6b1714.json | 2 +- ...-98f1d575-a975-42ae-8b00-2c9e22d560d5.json | 2 +- ...-9902691c-aaf2-48a1-b1ca-cd6f652ae1c6.json | 2 +- ...-990f944f-190d-456d-b194-f5ecb17a0868.json | 2 +- ...-99c0c90e-8526-41d6-80ca-b037598c6326.json | 2 +- ...-99ec0a8e-4a4f-427c-89db-163e4b206021.json | 2 +- ...-9a44b2a8-9f4c-43df-9174-1cba6e165886.json | 2 +- ...-9a607f89-85b8-4fba-8eb7-7e4900ea693f.json | 2 +- ...-9ad74496-e164-4068-a0f5-379f507ba864.json | 2 +- ...-9b412b1f-2dd0-4e7f-8364-f625181ba1db.json | 2 +- ...-9b825e77-2b18-4bc8-8e1d-5f645d570dca.json | 2 +- ...-9cca3120-c95e-4f5e-bc4b-0521ab5cc512.json | 2 +- ...-9cf83701-a347-47b4-a67b-280df95b275d.json | 2 +- ...-9d4be020-4ab0-4f10-9a20-ae8a2886038f.json | 2 +- ...-9d5b9b9c-058f-4782-80aa-9d501442a03d.json | 2 +- ...-9d6f9bba-dd79-4cb6-a0f3-1284e58a6236.json | 2 +- ...-9d75333b-2542-4899-923f-55dc1e077a51.json | 2 +- ...-9d9cd365-8cfe-403f-8ecb-3c23650c13c3.json | 2 +- ...-9db1ecfe-72eb-42da-a09e-746663a53854.json | 2 +- ...-9e0810a5-ad02-487f-b0a8-bf07decca493.json | 2 +- ...-9e8990f9-475b-43fe-91fb-25cc0634f0aa.json | 2 +- ...-9f07c92a-78a0-438a-8cb2-01e2bddaeb42.json | 2 +- ...-9f25cdae-7d0f-49cd-acaf-481f71195ae5.json | 2 +- ...-9fa31b58-d4f3-43e4-b5b2-cafcd0c6a99d.json | 2 +- ...-9fb2a9b2-3b25-4f77-9f7a-e832b2e5071a.json | 2 +- ...-9ffc1ecb-09de-4841-a1f6-ebd1f3be7cea.json | 2 +- ...-a04169ed-c16b-466b-80ef-22a11067f475.json | 2 +- ...-a08d85dd-a8b3-4848-94aa-941c43b6d8f2.json | 2 +- 
...-a1383f2a-2ee2-47df-a661-8904a7535e0c.json | 2 +- ...-a1454196-0d86-49f2-8dcb-61145a16b21e.json | 2 +- ...-a1cbbdb5-30ad-4139-9784-e5a134f8d405.json | 2 +- ...-a2142552-6b8d-4751-a3d4-1471420c02fc.json | 2 +- ...-a22fabd2-836e-4141-9219-c76cc10138ec.json | 2 +- ...-a28ecd81-a7dd-404c-9d7b-ce670b0fc83b.json | 2 +- ...-a47cd7b9-2b73-480c-a8ab-2dfa908e02ea.json | 2 +- ...-a4c81fe6-1ad9-4bba-a415-a3c099eaa2be.json | 2 +- ...-a618d7e4-23f0-4b8c-9f09-78d04ea7fc55.json | 2 +- ...-a6519c11-e9d4-4b6f-8d92-8efaa2144c28.json | 2 +- ...-a6d8b66d-fc10-404f-b0ae-e8c66506b818.json | 2 +- ...-a731ad54-0c3c-47bb-9559-d99950782beb.json | 2 +- ...-a74c14e2-eb8a-47bb-b64d-20aad9154297.json | 2 +- ...-a75ddacf-e87e-4a99-83f2-618486473163.json | 2 +- ...-a78e727c-8e42-448c-beb4-463804e18be0.json | 2 +- ...-a7a4b080-e4a6-4c46-b2c7-84119df76393.json | 2 +- ...-a7ca9443-f833-4636-9c30-fcaddd3516c6.json | 2 +- ...-a7caa7f2-cfb9-4fc9-ae8d-49349b6c260f.json | 2 +- ...-a7fb3abd-c800-408e-8329-2a4f6256ea4a.json | 2 +- ...-a7fbe555-a61b-4b93-bfb2-8e0dd0d6323e.json | 2 +- ...-a82e9f8a-f81e-407a-b284-e0ae5f055c61.json | 2 +- ...-a846dbe5-9ef3-4fb6-93d5-f764671a75c8.json | 2 +- ...-a847aa03-ea56-47d1-8f4e-f9e0dd9707a0.json | 2 +- ...-a86cee0a-dc49-4c95-b5dc-37405337490b.json | 2 +- ...-a91002fe-21b2-4417-9c23-af712a7a035c.json | 2 +- ...-a946c9b1-5b89-44c9-b617-3412ffda34b9.json | 2 +- ...-aa205915-7571-47ee-8bc6-5aa1ace86690.json | 2 +- ...-aa726ced-f2ac-4113-8d05-8687b7d7ff91.json | 2 +- ...-aae5d42f-6bfc-44b6-8ff3-4b7abb4526ca.json | 2 +- ...-aaffd26a-728d-42a0-9d1f-423231c55f3e.json | 2 +- ...-ab0b5170-577b-491e-8508-b9a34dc393c1.json | 2 +- ...-ab306654-2abb-4983-8d30-df4058adb06c.json | 2 +- ...-ab60fe4a-5860-410a-8bca-2cdbea95e5f8.json | 2 +- ...-ab8e129c-5411-4784-9194-068fa915da23.json | 2 +- ...-ad7770c3-fe24-4285-9ce2-1616a1061472.json | 2 +- ...-ad77a940-150c-4d73-bf5a-1df2d9436f9c.json | 2 +- ...-ad7fd147-066e-4ed5-aa9d-7b2f1771150d.json | 2 +- 
...-ade12d27-13bb-4ebf-be08-7039cf699682.json | 2 +- ...-ae10e97a-90ac-498b-8601-01081dc4af8b.json | 2 +- ...-ae7487f1-a2d0-443d-b418-cd726c5ac15f.json | 2 +- ...-af24e067-966d-41f8-b1ea-5a6e11ff1a2a.json | 2 +- ...-afb0b60e-e604-4b96-abb9-57fdce4e5108.json | 2 +- ...-afd63145-6033-49e4-ad43-d0b35fa5ed88.json | 2 +- ...-b064068a-9e17-4ac8-9a92-a1338d7196c7.json | 2 +- ...-b0f137d8-3c56-4f6c-9d59-1ec231d61391.json | 2 +- ...-b0fe8a56-cb76-4d79-9ba9-9358ef08aa08.json | 2 +- ...-b116fcca-e872-4735-b7e2-4e4c8e34621a.json | 2 +- ...-b13417ea-d8da-497f-818f-d2d90562039a.json | 2 +- ...-b1768154-221c-48be-ab2b-549ec1eddafb.json | 2 +- ...-b182692b-5eb3-4edc-b455-1f92d64b98ec.json | 2 +- ...-b1d993d5-9e7e-4043-a651-07c7b5ad5a6b.json | 2 +- ...-b252a076-6d4e-49f5-95ac-16264ef05b1d.json | 2 +- ...-b2d4989c-e2d1-40c4-b1d8-07834a71f26f.json | 2 +- ...-b2defaaf-625d-416e-8a9d-8be6d89bacdc.json | 2 +- ...-b2e10e48-8bd9-472a-9c6f-1d38650e8df1.json | 2 +- ...-b343e131-e448-46c6-815b-b86e4bd6d638.json | 2 +- ...-b346eec8-de90-407c-b665-387086bb4553.json | 2 +- ...-b349ef5f-4a05-4eef-afe4-1543b8c832fa.json | 2 +- ...-b363cbbb-679c-47e0-8ad0-af98ebf51e60.json | 2 +- ...-b3862aa6-7bd0-46a4-83b6-bb687bb7caa6.json | 2 +- ...-b3b24837-83ed-46c5-ba80-66a832c7072e.json | 2 +- ...-b401f65c-5324-4fc0-8fce-0aa2ebf1f919.json | 2 +- ...-b452a076-6d4e-49f5-95ac-16264ef05b1d.json | 2 +- ...-b47dbc50-fd8f-4e5b-bb3d-e93b68bf5497.json | 2 +- ...-b48be9f9-de0e-4548-ade3-09d47af52798.json | 2 +- ...-b4b698a7-b80e-41f6-8ca2-a954270cceb3.json | 2 +- ...-b5979643-fefb-460f-b59c-971efe95f121.json | 2 +- ...-b5ab26e2-eb90-4f19-b35a-b8a0a5438961.json | 2 +- ...-b5bb5ec3-aa3c-4734-8425-4be80c5658a9.json | 2 +- ...-b5e52859-8dab-4e7e-af70-bb38c6993c98.json | 2 +- ...-b5f94430-be03-43ed-97e1-0424d783073e.json | 2 +- ...-b628d878-4f35-4580-8d42-26984d13821e.json | 2 +- ...-b62da342-4b12-4d88-bb48-9fa84b8c967f.json | 2 +- ...-b69f31c3-6c12-4b81-8e74-9c58ea635fa4.json | 2 +- 
...-b72b7dfd-f134-4324-84b8-52ff13fc6b5c.json | 2 +- ...-b778b3c3-5dd3-4c0b-b7d9-78e6bb40a544.json | 2 +- ...-b7f23af2-e948-4531-af56-1a1b4d03702f.json | 2 +- ...-b8b1739d-dfa2-44e9-907f-7085e262512f.json | 2 +- ...-b8d484f3-85e7-4208-8ae4-72f0e055a290.json | 2 +- ...-b8d6e550-18fe-49ad-9964-7802bbe0cb58.json | 2 +- ...-b8edcf0a-ec53-4203-b3ad-2cc734a1f1dd.json | 2 +- ...-b8f6d6a8-e668-4596-8ec2-41c5d1bd211d.json | 2 +- ...-b960c5ed-1ea8-4dde-9203-c02d291d3bc6.json | 2 +- ...-b9632b4d-43c3-4bfa-88e0-629245acb8eb.json | 2 +- ...-b9e82422-b072-494f-99c1-fcab07b90133.json | 2 +- ...-ba010007-6dde-4c9d-8452-69527cd1c2ba.json | 2 +- ...-baf4bd30-4213-43c3-b70c-54418e734caf.json | 2 +- ...-baf7daf3-2116-4051-91b5-f82e146167d0.json | 2 +- ...-bbf297d3-0c3c-44be-b780-332bac17b0ba.json | 2 +- ...-bc3744d6-9275-4d91-8888-16d5f4d5187b.json | 2 +- ...-bc383819-2e40-49b4-bea9-95eb5d418877.json | 2 +- ...-bc74ff8f-d5fa-40fb-8c0b-f16af3ff36e3.json | 2 +- ...-bcaa4f7e-2e84-4bbb-9fb7-ca8fb003108f.json | 2 +- ...-bcece7ce-91b5-40b3-b87a-25cab3600e5c.json | 2 +- ...-bda03e8d-5e06-4470-b786-11b11c7c97c7.json | 2 +- ...-bde941c6-2ca0-4f94-9336-027e7eee15a1.json | 2 +- ...-be532c78-daf5-431b-adae-ab11af395513.json | 2 +- ...-be950e87-80ac-49ea-810a-553c7f72151b.json | 2 +- ...-bf75ca96-3f9d-413c-a244-888a3fbf0be3.json | 2 +- ...-bff99f91-e1a9-4379-a2d9-5a99615a95d1.json | 2 +- ...-c0efb24a-2329-401a-bba6-817f2867bb3f.json | 2 +- ...-c11a95c2-6e9d-4d90-b6ab-20227869f2e4.json | 2 +- ...-c195a0e9-d46c-487f-9a96-b138e9ca05d2.json | 2 +- ...-c22acaab-baa4-45b0-9c4b-9330715e5455.json | 2 +- ...-c2fe42b4-6750-4b51-86b7-6c37fbfdef2d.json | 2 +- ...-c347b69c-e3f6-4eca-ba57-0781c7dc8eac.json | 2 +- ...-c4122b58-f1b2-4656-a715-55016700bf75.json | 2 +- ...-c43fbdc0-4c1d-4ff8-9dd2-fd45199dcfaa.json | 2 +- ...-c473686a-2452-4ee6-bf1d-54bf3e575d95.json | 2 +- ...-c4e8dd42-9855-4a36-b915-dc7e1a91e235.json | 2 +- ...-c59a3d89-c8fa-4c5d-813e-f4495d892d1a.json | 2 +- 
...-c5dd0d66-99f1-4efd-b0f9-bf9f9118ff16.json | 2 +- ...-c5fd0969-c151-4849-94c2-83e2e208cff7.json | 2 +- ...-c63c35c2-a402-4d0d-bf25-f48eb9b379c1.json | 2 +- ...-c64f2ed2-f7a7-4333-b0d3-d687ffb7ad6b.json | 2 +- ...-c6520346-fe47-44ce-af75-d99004ac2977.json | 2 +- ...-c6562519-81c5-4eca-a815-f46ac0ed4bcc.json | 2 +- ...-c664bb6c-59f0-4b31-bbb4-ef66fca933d4.json | 2 +- ...-c67e3535-69a9-4234-8170-4ad6efc632b7.json | 2 +- ...-c69eab3c-861c-45f5-8858-a595fcc7e6f6.json | 2 +- ...-c726e8af-9b98-4ce9-b8f4-3e82e59d5374.json | 2 +- ...-c785c026-4139-4c56-a6dd-cdd3ba75bab1.json | 2 +- ...-c78f497f-01c3-4efb-aa74-92b700b9c02b.json | 2 +- ...-c7a1037f-cb28-40d4-be19-78e2f0e0aa68.json | 2 +- ...-c7aac6c9-da16-46e2-8cfa-dca07a0a7562.json | 2 +- ...-c848b096-3703-4962-b8a2-57682e26f31b.json | 2 +- ...-c84e39ab-30c1-40e3-95a8-fcbb271e913c.json | 2 +- ...-c8a40335-90d6-496a-b4f9-1cc93d3fffc6.json | 2 +- ...-c8dd2735-bd04-4413-847d-316b77c6de19.json | 2 +- ...-c9065f74-556d-4728-8072-f96642e70316.json | 2 +- ...-c90cfddb-253b-41c8-9057-2abde6f8aa6d.json | 2 +- ...-c9395e2a-afaf-427c-bcb2-ae663d72c05c.json | 2 +- ...-c9c1c589-b5c6-4231-982f-cae0aa41f349.json | 2 +- ...-ca0c26d7-c4a9-4c4a-bbd4-f3df4b1f5f69.json | 2 +- ...-ca3c4d4b-cf53-4489-904f-8a220e421aeb.json | 2 +- ...-ca5c7ae7-5273-4888-bc50-183d6e200972.json | 2 +- ...-ca64a927-f050-41b3-80d3-93d22cdef26a.json | 2 +- ...-ca768c2a-0f14-471c-90a5-bce649e88d51.json | 2 +- ...-cad91f87-7cc7-4771-8c7b-1599793ed3c1.json | 2 +- ...-cb1037c1-4b83-4a79-ba12-00558bb6b42b.json | 2 +- ...-cb30d507-edc6-4197-947c-7b3a6e395c0d.json | 2 +- ...-cb38425c-646d-4bc8-bdea-e6cc630c3034.json | 2 +- ...-cb4d802e-df5b-4017-81dd-47f65fff23a3.json | 2 +- ...-cba8313b-c338-45f7-88ef-a514094882ac.json | 2 +- ...-cca191a1-3c50-4d4f-8f79-4247e58af610.json | 2 +- ...-ccab2b58-7c47-45fe-bdd3-3444fb53760c.json | 2 +- ...-ccae6e5d-8a9e-4bab-ae77-26a2bd722f67.json | 2 +- ...-ccc67bb3-acc3-4294-81b3-4a0d972f2dd7.json | 2 +- 
...-cd297a7b-4b02-407e-a798-e36fef4cf3a1.json | 2 +- ...-ce0d3a3a-9c62-4bfb-a47a-7b1b23e9f035.json | 2 +- ...-ce64ed04-f0ff-4897-b636-3177c9c5d9bb.json | 2 +- ...-ce7c17b7-b60d-4ebd-9014-2c421a64d70a.json | 2 +- ...-cea2f5a7-4871-4c62-a2d5-5a76aadf2d1a.json | 2 +- ...-ceafc04b-b31f-419b-82da-41ce9e1ec6e9.json | 2 +- ...-cf703ecc-e9f5-4d56-94d4-8fda9837e614.json | 2 +- ...-cf8ac499-8c1c-4615-b933-7587f1b9488b.json | 2 +- ...-cfcbca89-8912-40c0-ac15-47882162b132.json | 2 +- ...-d08fdedd-12f6-4681-9167-70d070432dee.json | 2 +- ...-d16e8909-d055-4174-aeb1-22c0613b2f73.json | 2 +- ...-d1971b32-3a15-4544-9f36-80c05121deb6.json | 2 +- ...-d1d98f8c-aea2-4f06-9b0d-c543ed42c6a4.json | 2 +- ...-d2addaa7-0fdf-44e3-9b20-c63b2b4179af.json | 2 +- ...-d2dc57eb-5be2-4f9c-a4f7-18d2085ff412.json | 2 +- ...-d3c94120-e6b5-4bd2-88f0-9c73f76b0104.json | 2 +- ...-d406671b-4d22-4cd5-8568-d04b0b70b51c.json | 2 +- ...-d464d443-6298-47eb-b767-8f1136f6b6b5.json | 2 +- ...-d4968f45-d06b-4843-8f72-6e08beb94cab.json | 2 +- ...-d50a3d89-c8fa-4c5d-813e-f4495d892d1a.json | 2 +- ...-d6a2a1a8-8f5b-4e94-8fce-8edd8a17627a.json | 2 +- ...-d6a8b25c-53d4-4df1-8728-20ed4ba5ddab.json | 2 +- ...-d72e7d01-56be-4fbd-8957-3384533ba83b.json | 2 +- ...-d7ea83fa-87c7-4d36-96d5-aee554504040.json | 2 +- ...-d8354850-bd4c-4bd9-a585-b107f5f1398f.json | 2 +- ...-d854cc38-adf7-485d-96b5-70606f6cb87e.json | 2 +- ...-d8911566-f622-4a01-b765-514dbbfd8201.json | 2 +- ...-d8f45959-e0fc-4b4f-a074-a3acea926300.json | 2 +- ...-d90aeeb6-3686-483a-8403-6514ecfe1a50.json | 2 +- ...-d90b1271-a90d-41c7-9df7-bec47880c82e.json | 2 +- ...-d9165ecb-bc10-4189-a7e4-057bdf05bf3f.json | 2 +- ...-dadfed22-d70c-482b-9026-964396d75484.json | 2 +- ...-db52c1b6-4e48-4e8c-a34c-3ca21b26fe8a.json | 2 +- ...-dbdd9a97-81df-40b8-b72d-ac67d121b8b3.json | 2 +- ...-dc15440d-6683-435a-8c87-64daea29bcaa.json | 2 +- ...-dc35c44a-a90c-48a1-8811-af2618216e42.json | 2 +- ...-dc46ffc2-eac7-4491-8d2a-46cf8e2e963f.json | 2 +- 
...-dda29418-9570-405a-b7db-97e951e5aa53.json | 2 +- ...-dda89758-9d0b-446d-b594-85acc7f9cb90.json | 2 +- ...-dded2d68-35c7-42c4-af10-efe7731673e3.json | 2 +- ...-de8b8a69-5f08-421a-96f0-2bed5707508d.json | 2 +- ...-df6da4ec-cbe8-4f93-a41f-3726a9491938.json | 2 +- ...-df95c619-33ee-4484-934a-78857717323e.json | 2 +- ...-dfd0dc6c-33ad-44a4-9def-1d8e23e278fb.json | 2 +- ...-dfe43fa1-ffc2-4c6c-a91d-f2ca55f21ccb.json | 2 +- ...-e02565fe-65ff-4b70-8a8d-b0abf6d9a9f4.json | 2 +- ...-e09e253c-fd28-49ae-988e-1f80d769e8b8.json | 2 +- ...-e09f3308-57d7-4b2b-b340-784b88ae61ca.json | 2 +- ...-e0aee02c-b424-4781-be10-793d71594c31.json | 2 +- ...-e0d101cc-1284-4e88-82d6-227fe5d19d8a.json | 2 +- ...-e1461f8d-6a16-4526-ac0b-0acd27ae8065.json | 2 +- ...-e18af08c-3953-4b1d-b46c-45572fdb5187.json | 2 +- ...-e257913e-40ba-4a05-ba97-0c3175c966b5.json | 2 +- ...-e323dee4-a896-4a82-85f5-d51d311b0437.json | 2 +- ...-e3923fcf-5580-4c1e-bc55-33f67792cc00.json | 2 +- ...-e4a11381-8608-4c71-966f-df0cbb834fe0.json | 2 +- ...-e5afc447-a241-4773-9a8a-3d6fd205d926.json | 2 +- ...-e5b62475-bd08-4ac6-a6f7-78f1843bf506.json | 2 +- ...-e607bb66-e53f-4684-b3f1-36a997e27d01.json | 2 +- ...-e6be2fb4-3815-4e52-8dec-2aed1dc3b7cf.json | 2 +- ...-e6e0ef82-2cb6-43fe-8f4a-b9e4d5a57b13.json | 2 +- ...-e767c178-e4b2-490a-b544-bb1b2d6c7de4.json | 2 +- ...-e852e64c-b5e0-4e7f-a189-bbc7aa7932c7.json | 2 +- ...-e8af0b34-4a67-4966-a34a-c4d1b346ea15.json | 2 +- ...-e8d5ee60-952f-42ff-bf48-7da9cd0fdb23.json | 2 +- ...-e8eaac2d-a4bf-408f-b24f-14471db7059b.json | 2 +- ...-e9f5096e-b9fc-459a-a303-88763b1269cc.json | 2 +- ...-ea218d63-d9de-4f63-804a-cb039d804025.json | 2 +- ...-ea50253a-3220-458b-b810-ad032f2b182f.json | 2 +- ...-ea5828bb-5da7-4ed8-83b8-8d3b0e51cb3a.json | 2 +- ...-ea817c7a-9424-4204-90a5-6f8fb86037be.json | 2 +- ...-eac550b4-3bd2-4309-8b37-b797dd0bd8a7.json | 2 +- ...-eaeb3c8d-9d91-4eb0-8049-5cb99e141026.json | 2 +- ...-eb06ac7d-117a-48ab-ae3b-8bfa8f332f60.json | 2 +- 
...-eb1e05ef-58df-4c6d-acd7-5cc63ff7f44f.json | 2 +- ...-ebc34374-2dee-4dc1-b0b7-f31ae94dab11.json | 2 +- ...-ec105f62-2552-41fa-8b07-619dc1bf9b19.json | 2 +- ...-ecf39e19-439f-4e9a-97c2-673ce4eb0a1a.json | 2 +- ...-edb32a4d-62a3-467c-8dfa-f97f1bcbffc6.json | 2 +- ...-edf73653-b2d7-422f-b433-b6a428ff12d4.json | 2 +- ...-ee1a52bc-6c1b-4e2c-b296-173dccbc020a.json | 2 +- ...-ee1bf429-2c7c-4eb6-acca-e758522baf2e.json | 2 +- ...-ee2fdebd-1587-4e53-a7d7-c15fcc88879d.json | 2 +- ...-ee89466e-0655-4217-844d-fb8ea4f76247.json | 2 +- ...-eecca3e7-4db5-40d4-b04c-13f84701acb3.json | 2 +- ...-eeeaa0d4-0ca0-468e-ae13-43ab7aba61b4.json | 2 +- ...-eeeff03f-7436-4f76-8591-42075e6647d4.json | 2 +- ...-ef615d62-fe85-4740-9c5d-5dddff9b5693.json | 2 +- ...-efb80069-e4be-4055-bd34-06d1376b4601.json | 2 +- ...-f0ac1d07-fccd-4330-93cf-fbc985ee6fb9.json | 2 +- ...-f0c81c9f-2fb7-4e7d-98ed-c75e3be7d962.json | 2 +- ...-f0c8a954-c1a0-453a-9c1d-484305abdab2.json | 2 +- ...-f130282b-f681-455f-966b-55829842be92.json | 2 +- ...-f145b7e5-048b-46e7-8439-e2b88917523c.json | 2 +- ...-f15f24d2-e581-46ce-83e4-a924f572aae6.json | 2 +- ...-f20d8eed-b517-4297-b32a-9a5e0845de9f.json | 2 +- ...-f29ecf69-1753-44bb-9b80-1025f49cadda.json | 2 +- ...-f2e6103d-ca06-45c4-8fe9-049687fc4361.json | 2 +- ...-f2e672bb-8c73-4066-94d8-7dfb9a8025a7.json | 2 +- ...-f347b4fe-d829-427d-851a-fff3393441db.json | 2 +- ...-f40cc6f5-111c-418f-aa84-50d920fa6c48.json | 2 +- ...-f45c2df8-30e7-45d0-8067-7b2870767574.json | 2 +- ...-f497fd3e-8f05-4db2-97cc-48a8d35a8827.json | 2 +- ...-f4f98ce1-d0b8-4699-b602-33a6a6ffca67.json | 2 +- ...-f584a257-c22a-434b-aa2d-6220987821ab.json | 2 +- ...-f65a8ce8-90fa-4d92-a0dc-3ee544c541fe.json | 2 +- ...-f664bf42-5fb2-41e5-b790-978ddf866da3.json | 2 +- ...-f6b1e463-5db5-40c7-8a6d-5f70194fdadd.json | 2 +- ...-f6ff74c2-d088-4252-a8e0-189574863765.json | 2 +- ...-f703f8b2-b6b9-41f3-a551-6bb3647c45cc.json | 2 +- ...-f7adf126-3580-4b12-9e63-4d4f665e8cc3.json | 2 +- 
...-f8318ac4-8ed0-478d-be87-faa2c9d8a740.json | 2 +- ...-f862418a-e7b4-4783-8949-7145f3dee665.json | 2 +- ...-f8cf3800-6521-41d9-b272-d6ba2db0ccd2.json | 2 +- ...-f951d934-d555-45e9-a564-27b84518cae4.json | 2 +- ...-f9625775-662c-425e-9ea0-6cb3f3bf5c3c.json | 2 +- ...-f9aa3364-a1eb-4776-ae03-c39b250545a0.json | 2 +- ...-f9c29dd4-1c5e-4f7e-b60a-862319a6d0a0.json | 2 +- ...-fa1bde35-63d9-4c5c-969b-2c17c29089fa.json | 2 +- ...-fb80368e-b3f6-4fa3-828b-b1cf792ea161.json | 2 +- ...-fc1d3924-3210-4ca6-b3cc-a7a525eab47c.json | 2 +- ...-fc3d0a84-e7c7-415c-ae47-42bc513e9bf9.json | 2 +- ...-fc4803cb-d6bf-4674-bf40-d4b0997824ba.json | 2 +- ...-fc6cc5f2-ef5b-4a28-a0b2-a277ee98191d.json | 2 +- ...-fcb7733f-553d-43de-a8c6-c85a5cd65041.json | 2 +- ...-fcd3fdbf-4909-48ab-85c4-ce4b34172eb0.json | 2 +- ...-fd0340cc-6105-4abd-89d0-60b0d9c00b55.json | 2 +- ...-fd856176-396c-4121-9754-35e49bfa5758.json | 2 +- ...-fe22637e-7187-4990-b24a-5dc851eec736.json | 2 +- ...-ff3f0668-98df-44c1-88c2-711f05720eb8.json | 2 +- ...-ffc5bbce-8d9c-4276-9dc6-efed5c01af8b.json | 2 +- ...-1177a4c5-31c8-400c-8544-9071166afa0e.json | 2 +- ...-181a9f8c-c780-4f1f-91a8-edb770e904ba.json | 2 +- ...-235b7491-2d2b-4617-9a52-3c0783680f71.json | 2 +- ...-2b3bfe19-d59a-460d-93bb-2f546adc2d2c.json | 2 +- ...-3772e279-27d6-477a-9fe3-c6beb363594c.json | 2 +- ...-39b9db72-8b48-4595-a18d-db5bbba3091b.json | 2 +- ...-3d20385b-24ef-40e1-9f56-f39750379077.json | 2 +- ...-3d6e6b3b-4aa8-40e1-8c47-91db0f313d9f.json | 2 +- ...-4c12c1c8-bcef-4daf-8e5b-fca235f71d9e.json | 2 +- ...-4dcd8ba3-2075-4f8b-941e-39884ffaac08.json | 2 +- ...-5297a638-1382-4f0c-8472-0d21830bf705.json | 2 +- ...-61f1d40e-f3d0-4cc6-aa2d-937b6204194f.json | 2 +- ...-639e87f3-acb6-448a-9645-258f20da4bc5.json | 2 +- ...-66531bc6-a509-4868-8314-4d599e91d222.json | 2 +- ...-685f917a-e95e-4ba0-ade1-c7d354dae6e0.json | 2 +- ...-74fa567d-bc90-425c-8a41-3c703abb221c.json | 2 +- ...-7b375092-3a61-448d-900a-77c9a4bde4dc.json | 2 +- 
...-84572de3-9583-4c73-aabd-06ea88123dd8.json | 2 +- ...-8ed4e6d0-56d7-4e6b-8fa6-41f41631f30d.json | 2 +- ...-931b3fc6-ad68-42a8-9018-e98515eedc95.json | 2 +- ...-9bde2f9d-a695-4344-bfac-f2dce13d121e.json | 2 +- ...-9c2fa0ae-7abc-485a-97f6-699e3b6cf9fa.json | 2 +- ...-9ce98c86-8d30-4043-ba54-0784d478d0b5.json | 2 +- ...-9d56be63-3501-4dd3-bb5f-63c580833298.json | 2 +- ...-9f387817-df83-432a-b56b-a8fb7f71eedd.json | 2 +- ...-a7f22107-02e5-4982-9067-6625d4a1765a.json | 2 +- ...-a953ca55-921a-44f7-9b8d-3d40141aa17e.json | 2 +- ...-b05a614b-033c-4578-b4f2-c63a9feee706.json | 2 +- ...-b9d031bb-d150-4fc6-8025-688201bf3ffd.json | 2 +- ...-c0a4a086-cc20-4e1e-b7cb-29d99dfa3fb1.json | 2 +- ...-da85d358-741a-410d-9433-20d6269a6170.json | 2 +- ...-e905dad2-00d6-477c-97e8-800427abd0e8.json | 2 +- ...-ee575f4a-2d4f-48f6-b18b-89067760adc1.json | 2 +- ...-f42df6f0-6395-4f0c-9376-525a031f00c3.json | 2 +- ...-f5468e67-51c7-4756-9b4f-65707708e7fa.json | 2 +- ...-faa34cf6-cf32-4dc9-bd6a-8f7a606ff65b.json | 2 +- ...-0b4f86ed-f4ab-46a3-8ed1-175be1974da6.json | 2 +- ...-0f42a24c-e035-4f93-a91c-5f7076bd8da0.json | 2 +- ...-12c1e727-7fa4-49b6-af81-366ed2ce231e.json | 2 +- ...-1b8c9f31-ad35-4850-bf8c-80c565ad3552.json | 2 +- ...-40269753-26bd-437b-986e-159c66dec5e4.json | 2 +- ...-4358c631-e253-4557-86df-f687d0ef9891.json | 2 +- ...-509ed41e-ca42-461e-9058-24602256daf9.json | 2 +- ...-61bbbf27-f7c3-46ba-a6bc-48ae76928065.json | 2 +- ...-73691708-ffb5-4e29-906d-f485f6fa7089.json | 2 +- ...-b1717cb4-d536-4e2b-b5e5-07e67e26183c.json | 2 +- ...-ba27545a-9c32-47ea-ba6a-cce50f1b326e.json | 2 +- ...-c000cd5c-bbb3-4606-af6f-6c6d9de0bbe3.json | 2 +- ...-c9ddfb51-eb45-4e22-b614-44ac1caa7883.json | 2 +- ...-ca1cb239-ff6d-4f64-b9d7-41c8556a8b4f.json | 2 +- ...-d710099e-df94-4be4-bf85-cabd30e912bb.json | 2 +- ...-e8b8ede7-337b-4c0c-8c32-5c7872c1ee22.json | 2 +- ...-f424e4b4-a8a4-4c58-a4ae-4f53bfd08563.json | 2 +- ...-575f48f4-8897-4468-897b-48bb364af6c7.json | 2 +- 
...-298fe907-7931-4fd2-8131-2814dd493134.json | 2 +- ...-33752ae7-f875-4f43-bdb6-d8d02d341046.json | 2 +- ...-51c25a9e-8615-40c0-8afd-1da578847924.json | 2 +- ...-696af733-728e-49d7-8261-75fdc590f453.json | 2 +- ...-69da72d2-f550-41c5-ab9e-e8255707f28a.json | 2 +- ...-77542f83-70d0-40c2-8a9d-ad2eb8b00279.json | 2 +- ...-78f1d2ae-a579-44c4-8fc5-3e1775c73fac.json | 2 +- ...-93bf9a8e-b14c-4587-b6d5-9efc7c12eb45.json | 2 +- ...-97c8ff73-bd14-4b6c-ac32-3d91d2c41e3f.json | 2 +- ...-b2a67b1e-913c-46f6-b219-048a90560bb9.json | 2 +- ...-ddf70682-f3ce-479c-a9a4-7eadf9bfead7.json | 2 +- ...-ff048b6c-b872-4218-b68c-3735ebd1f024.json | 2 +- 1009 files changed, 15964 insertions(+), 15898 deletions(-)
diff --git a/ics-attack/attack-pattern/attack-pattern--008b8f56-6107-48be-aa9f-746f927dbb61.json b/ics-attack/attack-pattern/attack-pattern--008b8f56-6107-48be-aa9f-746f927dbb61.json
index ac20a2bb2c..0dc16f1cc9 100644
--- a/ics-attack/attack-pattern/attack-pattern--008b8f56-6107-48be-aa9f-746f927dbb61.json
+++ b/ics-attack/attack-pattern/attack-pattern--008b8f56-6107-48be-aa9f-746f927dbb61.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--a391ade0-f389-47ab-a67a-3980cbe7a0a9",
+ "id": "bundle--3ed86b73-94ae-43ea-8502-71f21009e062",
 "spec_version": "2.0",
 "objects": [
 {
@@ -24,12 +24,11 @@
 "x_mitre_version": "1.0",
 "x_mitre_attack_spec_version": "2.1.0",
 "x_mitre_data_sources": [
- "Network Traffic: Network Traffic Flow",
- "Network Traffic: Network Connection Creation",
 "Application Log: Application Log Content",
+ "Network Traffic: Network Traffic Flow",
+ "Operational Databases: Process/Event Alarm",
 "Process: Process Termination",
- "Operational Databases: Process History/Live Data",
- "Operational Databases: Process/Event Alarm"
+ "Operational Databases: Process History/Live Data"
 ],
 "type": "attack-pattern",
 "id": "attack-pattern--008b8f56-6107-48be-aa9f-746f927dbb61",
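Review bot: The `x_mitre_data_sources` array in the second hunk of attack-pattern--008b8f56 is reordered in the same change that drops `"Network Traffic: Network Connection Creation"`, so the one real content change is hard to pick out of the shuffle. The same array is reordered with no change in membership in the hunks for 063b5b92 (whose old side was in alphabetical order), 19a71d1e, 1b22b676, 2877063e and 2883c520. If the order carries no meaning, the export step (presumably a generator, not visible here) could emit the entries sorted, so that a release diff shows only the detection data sources that were actually added or removed. The regenerated `bundle--` ids in every file add similar noise and appear to account for most of the `2 +-` entries in the diffstat. The enclosing objects start and end outside these hunks.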
diff --git a/ics-attack/attack-pattern/attack-pattern--063b5b92-5361-481a-9c3f-95492ed9a2d8.json b/ics-attack/attack-pattern/attack-pattern--063b5b92-5361-481a-9c3f-95492ed9a2d8.json
index f051bac9d4..a07afc442f 100644
--- a/ics-attack/attack-pattern/attack-pattern--063b5b92-5361-481a-9c3f-95492ed9a2d8.json
+++ b/ics-attack/attack-pattern/attack-pattern--063b5b92-5361-481a-9c3f-95492ed9a2d8.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--cd148189-a10c-4856-ab75-2a4e4dcd6f24",
+ "id": "bundle--acdb8c43-cb0d-4b3b-bf93-4cc71ebcc19f",
 "spec_version": "2.0",
 "objects": [
 {
@@ -26,13 +26,13 @@
 "x_mitre_version": "1.0",
 "x_mitre_attack_spec_version": "2.1.0",
 "x_mitre_data_sources": [
- "Command: Command Execution",
- "File: File Modification",
- "Process: OS API Execution",
- "Process: Process Creation",
 "Process: Process Termination",
+ "File: File Modification",
 "Service: Service Metadata",
- "Windows Registry: Windows Registry Key Modification"
+ "Process: Process Creation",
+ "Windows Registry: Windows Registry Key Modification",
+ "Command: Command Execution",
+ "Process: OS API Execution"
 ],
 "type": "attack-pattern",
 "id": "attack-pattern--063b5b92-5361-481a-9c3f-95492ed9a2d8",
diff --git a/ics-attack/attack-pattern/attack-pattern--097924ce-a9a9-4039-8591-e0deedfb8722.json b/ics-attack/attack-pattern/attack-pattern--097924ce-a9a9-4039-8591-e0deedfb8722.json
index e7ab348941..21cc6ce66a 100644
--- a/ics-attack/attack-pattern/attack-pattern--097924ce-a9a9-4039-8591-e0deedfb8722.json
+++ b/ics-attack/attack-pattern/attack-pattern--097924ce-a9a9-4039-8591-e0deedfb8722.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--12f5fb34-04e2-4412-ae17-011744a3b94a",
+ "id": "bundle--0be25f1f-1c06-4bf5-b67d-28eaab873b54",
 "spec_version": "2.0",
 "objects": [
 {
@@ -27,10 +27,10 @@
 ],
 "x_mitre_version": "1.1",
 "x_mitre_data_sources": [
- "Network Traffic: Network Traffic Content",
 "Application Log: Application Log Content",
- "Operational Databases: Device Alarm",
- "Asset: Device Configuration/Parameters"
+ "Network Traffic: Network Traffic Content",
+ "Asset: Asset Inventory",
+ "Operational Databases: Device Alarm"
 ],
 "type": "attack-pattern",
 "id": "attack-pattern--097924ce-a9a9-4039-8591-e0deedfb8722",
diff --git a/ics-attack/attack-pattern/attack-pattern--09a61657-46e1-439e-b3ed-3e4556a78243.json b/ics-attack/attack-pattern/attack-pattern--09a61657-46e1-439e-b3ed-3e4556a78243.json
index 700be2c3b0..f69ec3d344 100644
--- a/ics-attack/attack-pattern/attack-pattern--09a61657-46e1-439e-b3ed-3e4556a78243.json
+++ b/ics-attack/attack-pattern/attack-pattern--09a61657-46e1-439e-b3ed-3e4556a78243.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--48656c2f-b08a-434f-be8a-ed9d96a2089f",
+ "id": "bundle--531427e6-2f50-4050-8ba4-3a1aa4466238",
 "spec_version": "2.0",
 "objects": [
 {
@@ -24,8 +24,9 @@
 ],
 "x_mitre_version": "1.1",
 "x_mitre_data_sources": [
- "File: File Modification",
- "Asset: Software/Firmware"
+ "Asset: Software",
+ "Operational Databases: Device Alarm",
+ "Application Log: Application Log Content"
 ],
 "type": "attack-pattern",
 "id": "attack-pattern--09a61657-46e1-439e-b3ed-3e4556a78243",
diff --git a/ics-attack/attack-pattern/attack-pattern--0fe075d5-beac-4d02-b93e-0f874997db72.json b/ics-attack/attack-pattern/attack-pattern--0fe075d5-beac-4d02-b93e-0f874997db72.json
index b9384ad4a4..fbc81abbb5 100644
--- a/ics-attack/attack-pattern/attack-pattern--0fe075d5-beac-4d02-b93e-0f874997db72.json
+++ b/ics-attack/attack-pattern/attack-pattern--0fe075d5-beac-4d02-b93e-0f874997db72.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--6ffbecf6-8cef-4e0d-97cf-d93381c8b46e",
+ "id": "bundle--1b55e587-a223-4fad-b2db-8b63db804d8a",
 "spec_version": "2.0",
 "objects": [
 {
@@ -30,6 +30,9 @@
 "x_mitre_contributors": [
 "ICSCoE Japan"
 ],
+ "x_mitre_data_sources": [
+ "Network Traffic: Network Traffic Flow"
+ ],
 "type": "attack-pattern",
 "id": "attack-pattern--0fe075d5-beac-4d02-b93e-0f874997db72",
 "created": "2020-05-21T17:43:26.506Z",
diff --git a/ics-attack/attack-pattern/attack-pattern--138979ba-0430-4de6-a128-2fc0b056ba36.json b/ics-attack/attack-pattern/attack-pattern--138979ba-0430-4de6-a128-2fc0b056ba36.json
index ead39c77fa..6d41980336 100644
--- a/ics-attack/attack-pattern/attack-pattern--138979ba-0430-4de6-a128-2fc0b056ba36.json
+++ b/ics-attack/attack-pattern/attack-pattern--138979ba-0430-4de6-a128-2fc0b056ba36.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--ce2804b6-d383-4897-89a0-af3346d738e6",
+ "id": "bundle--23689b6b-66e9-4aec-a391-3a787821a3a4",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/attack-pattern/attack-pattern--19a71d1e-6334-4233-8260-b749cae37953.json b/ics-attack/attack-pattern/attack-pattern--19a71d1e-6334-4233-8260-b749cae37953.json
index f6cd2cbbfa..1714ea901c 100644
--- a/ics-attack/attack-pattern/attack-pattern--19a71d1e-6334-4233-8260-b749cae37953.json
+++ b/ics-attack/attack-pattern/attack-pattern--19a71d1e-6334-4233-8260-b749cae37953.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--cd58f98d-014c-4025-8329-924bb6d3338a",
+ "id": "bundle--4d05480d-eeff-4f26-8826-6a8841396047",
 "spec_version": "2.0",
 "objects": [
 {
@@ -27,9 +27,9 @@
 "Joe Slowik - Dragos"
 ],
 "x_mitre_data_sources": [
- "Network Traffic: Network Traffic Content",
 "Application Log: Application Log Content",
- "Operational Databases: Device Alarm"
+ "Operational Databases: Device Alarm",
+ "Network Traffic: Network Traffic Content"
 ],
 "type": "attack-pattern",
 "id": "attack-pattern--19a71d1e-6334-4233-8260-b749cae37953",
diff --git a/ics-attack/attack-pattern/attack-pattern--1af9e3fd-2bcc-414d-adbd-fe3b95c02ca1.json b/ics-attack/attack-pattern/attack-pattern--1af9e3fd-2bcc-414d-adbd-fe3b95c02ca1.json
index 8078c74156..76d673b62b 100644
--- a/ics-attack/attack-pattern/attack-pattern--1af9e3fd-2bcc-414d-adbd-fe3b95c02ca1.json
+++ b/ics-attack/attack-pattern/attack-pattern--1af9e3fd-2bcc-414d-adbd-fe3b95c02ca1.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--853f1130-0a7b-4dc1-9099-d5352bb3cc73",
+ "id": "bundle--c6066e64-b965-4ac5-aa75-963f21308464",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/attack-pattern/attack-pattern--1b22b676-9347-4c55-9a35-ef0dc653db5b.json b/ics-attack/attack-pattern/attack-pattern--1b22b676-9347-4c55-9a35-ef0dc653db5b.json
index 461d95afd0..2ad82a35f3 100644
--- a/ics-attack/attack-pattern/attack-pattern--1b22b676-9347-4c55-9a35-ef0dc653db5b.json
+++ b/ics-attack/attack-pattern/attack-pattern--1b22b676-9347-4c55-9a35-ef0dc653db5b.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--2bad4db0-5e69-4071-b23e-0ac4942bdfe2",
+ "id": "bundle--456ff2b3-ac9a-4d5e-9a26-f4902a3c88cd",
 "spec_version": "2.0",
 "objects": [
 {
@@ -25,10 +25,10 @@
 ],
 "x_mitre_version": "1.0",
 "x_mitre_data_sources": [
- "Application Log: Application Log Content",
- "Network Traffic: Network Traffic Content",
 "Network Traffic: Network Traffic Flow",
- "Operational Databases: Process History/Live Data"
+ "Operational Databases: Process History/Live Data",
+ "Application Log: Application Log Content",
+ "Network Traffic: Network Traffic Content"
 ],
 "type": "attack-pattern",
 "id": "attack-pattern--1b22b676-9347-4c55-9a35-ef0dc653db5b",
diff --git a/ics-attack/attack-pattern/attack-pattern--1c478716-71d9-46a4-9a53-fa5d576adb60.json b/ics-attack/attack-pattern/attack-pattern--1c478716-71d9-46a4-9a53-fa5d576adb60.json
index cc1ed338a3..50b43ffba0 100644
--- a/ics-attack/attack-pattern/attack-pattern--1c478716-71d9-46a4-9a53-fa5d576adb60.json
+++ b/ics-attack/attack-pattern/attack-pattern--1c478716-71d9-46a4-9a53-fa5d576adb60.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--f404f518-de37-4d9b-927b-4c24b4f0f099",
+ "id": "bundle--ec11a42e-768c-4d23-8d60-84f012ddac0d",
 "spec_version": "2.0",
 "objects": [
 {
@@ -27,11 +27,10 @@
 "x_mitre_version": "1.1",
 "x_mitre_data_sources": [
 "Network Traffic: Network Traffic Flow",
- "Network Traffic: Network Connection Creation",
- "Application Log: Application Log Content",
 "Process: Process Termination",
 "Operational Databases: Process History/Live Data",
- "Operational Databases: Process/Event Alarm"
+ "Operational Databases: Process/Event Alarm",
+ "Application Log: Application Log Content"
 ],
 "type": "attack-pattern",
 "id": "attack-pattern--1c478716-71d9-46a4-9a53-fa5d576adb60",
diff --git a/ics-attack/attack-pattern/attack-pattern--23270e54-1d68-4c3b-b763-b25607bcef80.json b/ics-attack/attack-pattern/attack-pattern--23270e54-1d68-4c3b-b763-b25607bcef80.json
index 9f764d7b8b..7d1024a254 100644
--- a/ics-attack/attack-pattern/attack-pattern--23270e54-1d68-4c3b-b763-b25607bcef80.json
+++ b/ics-attack/attack-pattern/attack-pattern--23270e54-1d68-4c3b-b763-b25607bcef80.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--57afb223-6de8-4d36-89d4-615a2939536b",
+ "id": "bundle--746ada9a-0e22-4bad-8d43-de3825db23d5",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/attack-pattern/attack-pattern--24a9253e-8948-4c98-b751-8e2aee53127c.json b/ics-attack/attack-pattern/attack-pattern--24a9253e-8948-4c98-b751-8e2aee53127c.json
index 9040cb36d4..52790f7b34 100644
--- a/ics-attack/attack-pattern/attack-pattern--24a9253e-8948-4c98-b751-8e2aee53127c.json
+++ b/ics-attack/attack-pattern/attack-pattern--24a9253e-8948-4c98-b751-8e2aee53127c.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--6d226e1f-c004-4add-821a-79f67ce4c3ad",
+ "id": "bundle--72bd4f44-614b-4c4e-a2fc-25d2ceaddf2a",
 "spec_version": "2.0",
 "objects": [
 {
@@ -28,11 +28,9 @@
 ],
 "x_mitre_version": "1.1",
 "x_mitre_data_sources": [
- "Command: Command Execution",
 "Process: Process Creation",
- "Module: Module Load",
- "Process: Process Creation",
- "Script: Script Execution"
+ "Application Log: Application Log Content",
+ "Command: Command Execution"
 ],
 "type": "attack-pattern",
 "id": "attack-pattern--24a9253e-8948-4c98-b751-8e2aee53127c",
diff --git a/ics-attack/attack-pattern/attack-pattern--25852363-5968-4673-b81d-341d5ed90bd1.json b/ics-attack/attack-pattern/attack-pattern--25852363-5968-4673-b81d-341d5ed90bd1.json
index c32122f016..a703b64bc8 100644
--- a/ics-attack/attack-pattern/attack-pattern--25852363-5968-4673-b81d-341d5ed90bd1.json
+++ b/ics-attack/attack-pattern/attack-pattern--25852363-5968-4673-b81d-341d5ed90bd1.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--e4214373-10eb-4fd8-800d-02b7597fe7ac",
+ "id": "bundle--2967b009-7e20-4151-a9b2-5b9f3c68664b",
 "spec_version": "2.0",
 "objects": [
 {
@@ -29,7 +29,8 @@
 "Jos Wetzels - Midnight Blue"
 ],
 "x_mitre_data_sources": [
- "Network Traffic: Network Traffic Content"
+ "Network Traffic: Network Traffic Content",
+ "Application Log: Application Log Content"
 ],
 "type": "attack-pattern",
 "id": "attack-pattern--25852363-5968-4673-b81d-341d5ed90bd1",
diff --git a/ics-attack/attack-pattern/attack-pattern--25dfc8ad-bd73-4dfd-84a9-3c3d383f76e9.json b/ics-attack/attack-pattern/attack-pattern--25dfc8ad-bd73-4dfd-84a9-3c3d383f76e9.json
index 86c7e39d0b..80186aab69 100644
--- a/ics-attack/attack-pattern/attack-pattern--25dfc8ad-bd73-4dfd-84a9-3c3d383f76e9.json
+++ b/ics-attack/attack-pattern/attack-pattern--25dfc8ad-bd73-4dfd-84a9-3c3d383f76e9.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--fa25bcea-2b3f-4630-b4b0-08377589d87d",
+ "id": "bundle--e2f5fb32-8bca-425b-8476-d45900862ad3",
 "spec_version": "2.0",
 "objects": [
 {
@@ -25,8 +25,9 @@
 "x_mitre_version": "1.1",
 "x_mitre_data_sources": [
 "Network Traffic: Network Traffic Content",
+ "Operational Databases: Device Alarm",
 "Application Log: Application Log Content",
- "Operational Databases: Device Alarm"
+ "Network Traffic: Network Traffic Flow"
 ],
 "type": "attack-pattern",
 "id": "attack-pattern--25dfc8ad-bd73-4dfd-84a9-3c3d383f76e9",
diff --git a/ics-attack/attack-pattern/attack-pattern--2736b752-4ec5-4421-a230-8977dea7649c.json b/ics-attack/attack-pattern/attack-pattern--2736b752-4ec5-4421-a230-8977dea7649c.json
index bd7bc031b6..1120748ffc 100644
--- a/ics-attack/attack-pattern/attack-pattern--2736b752-4ec5-4421-a230-8977dea7649c.json
+++ b/ics-attack/attack-pattern/attack-pattern--2736b752-4ec5-4421-a230-8977dea7649c.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--ea8467ed-3f9c-4878-a4ff-f7c01684a7ff",
+ "id": "bundle--2fb12c31-965c-402f-9f47-9720279e291e",
 "spec_version": "2.0",
 "objects": [
 {
@@ -25,12 +25,12 @@
 ],
 "x_mitre_version": "1.1",
 "x_mitre_data_sources": [
- "Application Log: Application Log Content",
- "Command: Command Execution",
- "File: File Creation",
- "Network Traffic: Network Connection Creation",
 "Network Traffic: Network Traffic Content",
- "Process: Process Creation"
+ "Command: Command Execution",
+ "Application Log: Application Log Content",
+ "Network Traffic: Network Connection Creation",
+ "Process: Process Creation",
+ "File: File Access"
 ],
 "type": "attack-pattern",
 "id": "attack-pattern--2736b752-4ec5-4421-a230-8977dea7649c",
diff --git a/ics-attack/attack-pattern/attack-pattern--2877063e-1851-48d2-bcc6-bc1d2733157e.json b/ics-attack/attack-pattern/attack-pattern--2877063e-1851-48d2-bcc6-bc1d2733157e.json
index 15efe4c8b6..702475c7db 100644
--- a/ics-attack/attack-pattern/attack-pattern--2877063e-1851-48d2-bcc6-bc1d2733157e.json
+++ b/ics-attack/attack-pattern/attack-pattern--2877063e-1851-48d2-bcc6-bc1d2733157e.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--af1a3d5c-5356-4acd-b85a-583ca580a0d1",
+ "id": "bundle--3c239467-196a-4ef0-a947-3a95a7525fdf",
 "spec_version": "2.0",
 "objects": [
 {
@@ -30,8 +30,8 @@
 ],
 "x_mitre_data_sources": [
 "Network Traffic: Network Traffic Flow",
- "Application Log: Application Log Content",
- "Logon Session: Logon Session Creation"
+ "Logon Session: Logon Session Creation",
+ "Application Log: Application Log Content"
 ],
 "type": "attack-pattern",
 "id": "attack-pattern--2877063e-1851-48d2-bcc6-bc1d2733157e",
diff --git a/ics-attack/attack-pattern/attack-pattern--2883c520-7957-46ca-89bd-dab1ad53b601.json b/ics-attack/attack-pattern/attack-pattern--2883c520-7957-46ca-89bd-dab1ad53b601.json
index 9adc54cf9f..e739c04ebd 100644
--- a/ics-attack/attack-pattern/attack-pattern--2883c520-7957-46ca-89bd-dab1ad53b601.json
+++ b/ics-attack/attack-pattern/attack-pattern--2883c520-7957-46ca-89bd-dab1ad53b601.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--c3f8b07a-d036-4c60-ba71-64ffe7815488",
+ "id": "bundle--4a609c7b-4fe1-4d50-ad77-095baa5cf61e",
 "spec_version": "2.0",
 "objects": [
 {
@@ -64,8 +64,8 @@
 ],
 "x_mitre_is_subtechnique": false,
 "x_mitre_data_sources": [
- "Network Traffic: Network Traffic Content",
 "Application Log: Application Log Content",
+ "Network Traffic: Network Traffic Content",
 "Operational Databases: Device Alarm"
 ],
 "x_mitre_attack_spec_version": "2.1.0",
diff --git a/ics-attack/attack-pattern/attack-pattern--2900bbd8-308a-4274-b074-5b8bde8347bc.json b/ics-attack/attack-pattern/attack-pattern--2900bbd8-308a-4274-b074-5b8bde8347bc.json
index a1c8a147f3..53daf6b8e4 100644
--- a/ics-attack/attack-pattern/attack-pattern--2900bbd8-308a-4274-b074-5b8bde8347bc.json
+++ b/ics-attack/attack-pattern/attack-pattern--2900bbd8-308a-4274-b074-5b8bde8347bc.json
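Review bot: The `@@ -30,8 +30,8 @@` hunk of attack-pattern--2877063e changes only the order of `x_mitre_data_sources` (the same three entries before and after), and the `@@ -64,8 +64,8 @@` hunk of 2883c520 is likewise a pure reorder. If the list is meant as a set, which is how it reads, the exporter should emit it in a stable sorted order so that no-op churn does not sit next to real detection changes in a release diff. The regenerated `bundle--` id at the top of every file adds the same kind of noise; a deterministic bundle id would leave only the files whose content changed. Both objects continue outside their hunks.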
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--0b8265be-4b69-4b6d-ae7e-1617c2024546",
+ "id": "bundle--a383665b-8194-4425-b20b-bd4f6e469862",
 "spec_version": "2.0",
 "objects": [
 {
@@ -30,10 +30,10 @@
 "Jos Wetzels - Midnight Blue"
 ],
 "x_mitre_data_sources": [
- "Network Traffic: Network Traffic Content",
- "Application Log: Application Log Content",
- "Operational Databases: Process History/Live Data",
- "Operational Databases: Process/Event Alarm"
+ "Network Traffic: Network Traffic Flow",
+ "Operational Databases: Process/Event Alarm",
+ "Operational Databases: Device Alarm",
+ "Operational Databases: Process History/Live Data"
 ],
 "type": "attack-pattern",
 "id": "attack-pattern--2900bbd8-308a-4274-b074-5b8bde8347bc",
diff --git a/ics-attack/attack-pattern/attack-pattern--2aa406ed-81c3-4c1d-ba83-cfbee5a2847a.json b/ics-attack/attack-pattern/attack-pattern--2aa406ed-81c3-4c1d-ba83-cfbee5a2847a.json
index ac14062fdc..4f6c24a68d 100644
--- a/ics-attack/attack-pattern/attack-pattern--2aa406ed-81c3-4c1d-ba83-cfbee5a2847a.json
+++ b/ics-attack/attack-pattern/attack-pattern--2aa406ed-81c3-4c1d-ba83-cfbee5a2847a.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--e1fc90b6-4d73-4caa-aa14-9e0fdeba105f",
+ "id": "bundle--34bdd318-01b6-42a2-812c-f9c8e2177a71",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/attack-pattern/attack-pattern--2bb4d762-bf4a-4bc3-9318-15cc6a354163.json b/ics-attack/attack-pattern/attack-pattern--2bb4d762-bf4a-4bc3-9318-15cc6a354163.json
index a1a7c90801..b8f714de7b 100644
--- a/ics-attack/attack-pattern/attack-pattern--2bb4d762-bf4a-4bc3-9318-15cc6a354163.json
+++ b/ics-attack/attack-pattern/attack-pattern--2bb4d762-bf4a-4bc3-9318-15cc6a354163.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--a63caa18-adc4-41db-abc3-a7d71e010010",
+ "id": "bundle--ee9f3424-1090-4630-a0c3-3a8ee5d9f713",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/attack-pattern/attack-pattern--2d0d40ad-22fa-4cc8-b264-072557e1364b.json b/ics-attack/attack-pattern/attack-pattern--2d0d40ad-22fa-4cc8-b264-072557e1364b.json
index 655c9ecb38..f22f1af950 100644
--- a/ics-attack/attack-pattern/attack-pattern--2d0d40ad-22fa-4cc8-b264-072557e1364b.json
+++ b/ics-attack/attack-pattern/attack-pattern--2d0d40ad-22fa-4cc8-b264-072557e1364b.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--371bae5b-4cd4-412a-99db-2d9d2e408c77",
+ "id": "bundle--8cf20116-611e-4615-b5a8-b11bd39df5e6",
 "spec_version": "2.0",
 "objects": [
 {
@@ -27,6 +27,7 @@
 "x_mitre_version": "1.0",
 "x_mitre_attack_spec_version": "2.1.0",
 "x_mitre_data_sources": [
+ "Application Log: Application Log Content",
 "Network Traffic: Network Traffic Content"
 ],
 "type": "attack-pattern",
diff --git a/ics-attack/attack-pattern/attack-pattern--2dc2b567-8821-49f9-9045-8740f3d0b958.json b/ics-attack/attack-pattern/attack-pattern--2dc2b567-8821-49f9-9045-8740f3d0b958.json
index a63a7b4921..c0c5269d3d 100644
--- a/ics-attack/attack-pattern/attack-pattern--2dc2b567-8821-49f9-9045-8740f3d0b958.json
+++ b/ics-attack/attack-pattern/attack-pattern--2dc2b567-8821-49f9-9045-8740f3d0b958.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--2adc78ab-5a17-4c4c-9d53-b7035fa1b842",
+ "id": "bundle--23c910bd-6f64-4cf7-aec5-d264ea8f44f3",
 "spec_version": "2.0",
 "objects": [
 {
@@ -24,9 +24,10 @@
 ],
 "x_mitre_version": "1.0",
 "x_mitre_data_sources": [
- "Command: Command Execution",
 "Module: Module Load",
+ "Command: Command Execution",
 "Process: Process Creation",
+ "Process: Process Metadata",
 "Script: Script Execution"
 ],
 "type": "attack-pattern",
diff --git a/ics-attack/attack-pattern/attack-pattern--2fedbe69-581f-447d-8a78-32ee7db939a9.json b/ics-attack/attack-pattern/attack-pattern--2fedbe69-581f-447d-8a78-32ee7db939a9.json
index 0cf3be67a8..39fbf81d0b 100644
--- a/ics-attack/attack-pattern/attack-pattern--2fedbe69-581f-447d-8a78-32ee7db939a9.json
+++ b/ics-attack/attack-pattern/attack-pattern--2fedbe69-581f-447d-8a78-32ee7db939a9.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--9dff49c6-4aba-479c-9a17-bb066a83efba",
+ "id": "bundle--6574cede-7730-4935-b098-6666c9adc575",
 "spec_version": "2.0",
 "objects": [
 {
@@ -26,7 +26,9 @@
 "x_mitre_version": "1.1",
 "x_mitre_data_sources": [
 "Network Traffic: Network Traffic Content",
- "Application Log: Application Log Content"
+ "Network Traffic: Network Traffic Flow",
+ "Process: Process Creation",
+ "File: File Access"
 ],
 "type": "attack-pattern",
 "id": "attack-pattern--2fedbe69-581f-447d-8a78-32ee7db939a9",
diff --git a/ics-attack/attack-pattern/attack-pattern--3067b85e-271e-4bc5-81ad-ab1a81d411e3.json b/ics-attack/attack-pattern/attack-pattern--3067b85e-271e-4bc5-81ad-ab1a81d411e3.json
index dae5080046..62057be75c 100644
--- a/ics-attack/attack-pattern/attack-pattern--3067b85e-271e-4bc5-81ad-ab1a81d411e3.json
+++ b/ics-attack/attack-pattern/attack-pattern--3067b85e-271e-4bc5-81ad-ab1a81d411e3.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--ac9ef1eb-b0c6-4791-becb-3567cbebd9f8",
+ "id": "bundle--cf245805-6ea6-4a68-a0ec-52be808cc1ce",
 "spec_version": "2.0",
 "objects": [
 {
@@ -25,6 +25,7 @@
 "x_mitre_attack_spec_version": "2.1.0",
 "x_mitre_data_sources": [
 "Application Log: Application Log Content",
+ "Network Traffic: Network Traffic Flow",
 "Network Traffic: Network Traffic Content"
 ],
 "type": "attack-pattern",
diff --git a/ics-attack/attack-pattern/attack-pattern--32632a95-6856-47b9-9ab7-fea5cd7dce00.json b/ics-attack/attack-pattern/attack-pattern--32632a95-6856-47b9-9ab7-fea5cd7dce00.json
index 709ee1d168..6b367953d7 100644
--- a/ics-attack/attack-pattern/attack-pattern--32632a95-6856-47b9-9ab7-fea5cd7dce00.json
+++ b/ics-attack/attack-pattern/attack-pattern--32632a95-6856-47b9-9ab7-fea5cd7dce00.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--af3fbd86-afec-49f1-8c92-9d9a8f1b242d",
+ "id": "bundle--a0334140-df2a-4d8b-9fdb-ec8ea0bfd99c",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/attack-pattern/attack-pattern--3405891b-16aa-4bd7-bd7c-733501f9b20f.json b/ics-attack/attack-pattern/attack-pattern--3405891b-16aa-4bd7-bd7c-733501f9b20f.json
index bfdcf7a76d..887fde548e 100644
--- a/ics-attack/attack-pattern/attack-pattern--3405891b-16aa-4bd7-bd7c-733501f9b20f.json
+++ b/ics-attack/attack-pattern/attack-pattern--3405891b-16aa-4bd7-bd7c-733501f9b20f.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--3ebc5e49-451a-4a72-b127-0cd0c923b21e",
+ "id": "bundle--89fdb0ad-31c6-4b4b-8ff1-81c2e3f1d8b3",
 "spec_version": "2.0",
 "objects": [
 {
@@ -27,9 +27,14 @@
 ],
 "x_mitre_version": "1.1",
 "x_mitre_data_sources": [
- "Application Log: Application Log Content",
 "Logon Session: Logon Session Creation",
- "File: File Access"
+ "Process: OS API Execution",
+ "Command: Command Execution",
+ "Process: Process Creation",
+ "Script: Script Execution",
+ "File: File Access",
+ "Network Share: Network Share Access",
+ "Application Log: Application Log Content"
 ],
 "type": "attack-pattern",
 "id": "attack-pattern--3405891b-16aa-4bd7-bd7c-733501f9b20f",
diff --git a/ics-attack/attack-pattern/attack-pattern--35392fb4-a31d-4c6a-b9f2-1c65b7f5e6b9.json b/ics-attack/attack-pattern/attack-pattern--35392fb4-a31d-4c6a-b9f2-1c65b7f5e6b9.json
index ba31f2875b..e3d0b8206d 100644
--- a/ics-attack/attack-pattern/attack-pattern--35392fb4-a31d-4c6a-b9f2-1c65b7f5e6b9.json
+++ b/ics-attack/attack-pattern/attack-pattern--35392fb4-a31d-4c6a-b9f2-1c65b7f5e6b9.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--083a1f9a-e03b-42de-b2cb-895d06addff9",
+ "id": "bundle--2bc15d2d-612f-43a3-be64-4ed59ff006f2",
 "spec_version": "2.0",
 "objects": [
 {
@@ -23,6 +23,10 @@
 "ics-attack"
 ],
 "x_mitre_version": "1.1",
+ "x_mitre_data_sources": [
+ "Application Log: Application Log Content",
+ "Network Traffic: Network Traffic Flow"
+ ],
 "type": "attack-pattern",
 "id": "attack-pattern--35392fb4-a31d-4c6a-b9f2-1c65b7f5e6b9",
 "created": "2021-10-14T15:25:32.143Z",
diff --git a/ics-attack/attack-pattern/attack-pattern--36e9f5bc-ac13-4da4-a2f4-01f4877d9004.json b/ics-attack/attack-pattern/attack-pattern--36e9f5bc-ac13-4da4-a2f4-01f4877d9004.json
index 1b31e7a428..3874ffd969 100644
--- a/ics-attack/attack-pattern/attack-pattern--36e9f5bc-ac13-4da4-a2f4-01f4877d9004.json
+++ b/ics-attack/attack-pattern/attack-pattern--36e9f5bc-ac13-4da4-a2f4-01f4877d9004.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--f7644ffa-b3d6-48c9-847c-af3c870589ff",
+ "id": "bundle--7d56e61b-30ad-417f-8f92-8b4e762e357c",
 "spec_version": "2.0",
 "objects": [
 {
@@ -24,8 +24,7 @@
 ],
 "x_mitre_version": "1.1",
 "x_mitre_data_sources": [
- "Operational Databases: Process History/Live Data",
- "Operational Databases: Device Alarm"
+ "Asset: Software"
 ],
 "type": "attack-pattern",
 "id": "attack-pattern--36e9f5bc-ac13-4da4-a2f4-01f4877d9004",
diff --git a/ics-attack/attack-pattern/attack-pattern--38213338-1aab-479d-949b-c81b66ccca5c.json b/ics-attack/attack-pattern/attack-pattern--38213338-1aab-479d-949b-c81b66ccca5c.json
index 198aaafc29..e772a718e2 100644
--- a/ics-attack/attack-pattern/attack-pattern--38213338-1aab-479d-949b-c81b66ccca5c.json
+++ b/ics-attack/attack-pattern/attack-pattern--38213338-1aab-479d-949b-c81b66ccca5c.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--c0921601-a057-40fb-a03d-c1c43fbd10c7",
+ "id": "bundle--3a40c97f-9f28-4b6b-81cd-0fa520a8d873",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/attack-pattern/attack-pattern--3b6b9246-43f8-4c69-ad7a-2b11cfe0a0d9.json b/ics-attack/attack-pattern/attack-pattern--3b6b9246-43f8-4c69-ad7a-2b11cfe0a0d9.json
index 7086d55100..0858032d1f 100644
--- a/ics-attack/attack-pattern/attack-pattern--3b6b9246-43f8-4c69-ad7a-2b11cfe0a0d9.json
+++ b/ics-attack/attack-pattern/attack-pattern--3b6b9246-43f8-4c69-ad7a-2b11cfe0a0d9.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--68eb6c36-c78f-43a8-accc-7056a0d74551",
+ "id": "bundle--fe4bd8e6-a400-410b-8ead-01f2dc0b05d8",
 "spec_version": "2.0",
 "objects": [
 {
@@ -28,9 +28,7 @@
 ],
 "x_mitre_version": "1.1",
 "x_mitre_data_sources": [
- "Drive: Drive Modification",
- "Firmware: Firmware Modification",
- "Module: Module Load"
+ "Firmware: Firmware Modification"
 ],
 "type": "attack-pattern",
 "id": "attack-pattern--3b6b9246-43f8-4c69-ad7a-2b11cfe0a0d9",
diff --git a/ics-attack/attack-pattern/attack-pattern--3de230d4-3e42-4041-b089-17e1128feded.json b/ics-attack/attack-pattern/attack-pattern--3de230d4-3e42-4041-b089-17e1128feded.json
index 1825677b56..d679ab1cb9 100644
--- a/ics-attack/attack-pattern/attack-pattern--3de230d4-3e42-4041-b089-17e1128feded.json
+++ b/ics-attack/attack-pattern/attack-pattern--3de230d4-3e42-4041-b089-17e1128feded.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--962c044d-55cb-4640-a0d2-0b0030964840",
+ "id": "bundle--74396bc4-6677-4711-888f-ee4b7f7af192",
 "spec_version": "2.0",
 "objects": [
 {
@@ -25,10 +25,10 @@
 "x_mitre_version": "1.0",
 "x_mitre_attack_spec_version": "2.1.0",
 "x_mitre_data_sources": [
- "Command: Command Execution",
+ "Network Traffic: Network Traffic Content",
 "File: File Access",
 "Script: Script Execution",
- "Network Traffic: Network Traffic Content"
+ "Command: Command Execution"
 ],
 "type": "attack-pattern",
 "id": "attack-pattern--3de230d4-3e42-4041-b089-17e1128feded",
diff --git a/ics-attack/attack-pattern/attack-pattern--3f1f4ccb-9be2-4ff8-8f69-dd972221169b.json b/ics-attack/attack-pattern/attack-pattern--3f1f4ccb-9be2-4ff8-8f69-dd972221169b.json
index 95f80730ea..51afd0573c 100644
--- a/ics-attack/attack-pattern/attack-pattern--3f1f4ccb-9be2-4ff8-8f69-dd972221169b.json
+++ b/ics-attack/attack-pattern/attack-pattern--3f1f4ccb-9be2-4ff8-8f69-dd972221169b.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--e1cbf4d9-d8ff-4b51-969f-1dda0f3b8850",
+ "id": "bundle--ce58af5a-ad5e-4888-85f7-34923f22a280",
 "spec_version": "2.0",
 "objects": [
 {
@@ -27,11 +27,10 @@
 "x_mitre_version": "1.0",
 "x_mitre_data_sources": [
 "Network Traffic: Network Traffic Flow",
- "Network Traffic: Network Connection Creation",
- "Application Log: Application Log Content",
 "Process: Process Termination",
- "Operational Databases: Process History/Live Data",
- "Operational Databases: Process/Event Alarm"
+ "Operational Databases: Process/Event Alarm",
+ "Application Log: Application Log Content",
+ "Operational Databases: Process History/Live Data"
 ],
 "type": "attack-pattern",
 "id": "attack-pattern--3f1f4ccb-9be2-4ff8-8f69-dd972221169b",
diff --git a/ics-attack/attack-pattern/attack-pattern--40b300ba-f553-48bf-862e-9471b220d455.json b/ics-attack/attack-pattern/attack-pattern--40b300ba-f553-48bf-862e-9471b220d455.json
index dfa0db9f14..3c14d7e78b 100644
--- a/ics-attack/attack-pattern/attack-pattern--40b300ba-f553-48bf-862e-9471b220d455.json
+++ b/ics-attack/attack-pattern/attack-pattern--40b300ba-f553-48bf-862e-9471b220d455.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--7457d279-d706-4948-8fed-15da32735cb0",
+ "id": "bundle--d41a0ae9-6d4a-4717-939a-e246665f44ba",
 "spec_version": "2.0",
 "objects": [
 {
@@ -24,10 +24,11 @@
 ],
 "x_mitre_version": "1.1",
 "x_mitre_data_sources": [
- "Network Traffic: Network Traffic Content",
 "Application Log: Application Log Content",
+ "Operational Databases: Process/Event Alarm",
 "Operational Databases: Process History/Live Data",
- "Operational Databases: Process/Event Alarm"
+ "Network Traffic: Network Traffic Flow",
+ "Network Traffic: Network Traffic Content"
 ],
 "type": "attack-pattern",
 "id": "attack-pattern--40b300ba-f553-48bf-862e-9471b220d455",
diff --git a/ics-attack/attack-pattern/attack-pattern--493832d9-cea6-4b63-abe7-9a65a6473675.json b/ics-attack/attack-pattern/attack-pattern--493832d9-cea6-4b63-abe7-9a65a6473675.json
index 2884dac07a..757196c43b 100644
--- a/ics-attack/attack-pattern/attack-pattern--493832d9-cea6-4b63-abe7-9a65a6473675.json
+++ b/ics-attack/attack-pattern/attack-pattern--493832d9-cea6-4b63-abe7-9a65a6473675.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--eefadae2-4999-45f2-9325-afe9402f5fc7",
+ "id": "bundle--2e8bbec7-3480-48f7-9b47-19d78f141dee",
 "spec_version": "2.0",
 "objects": [
 {
@@ -29,10 +29,10 @@
 "Matan Dobrushin - Otorio"
 ],
 "x_mitre_data_sources": [
- "Command: Command Execution",
- "File: File Deletion",
 "File: File Modification",
- "Process: Process Creation"
+ "Process: Process Creation",
+ "Command: Command Execution",
+ "File: File Deletion"
 ],
 "type": "attack-pattern",
 "id": "attack-pattern--493832d9-cea6-4b63-abe7-9a65a6473675",
diff --git a/ics-attack/attack-pattern/attack-pattern--4c2e1408-9d68-4187-8e6b-a77bc52700ec.json b/ics-attack/attack-pattern/attack-pattern--4c2e1408-9d68-4187-8e6b-a77bc52700ec.json
index 77e40d4445..bf2bf5e275 100644
--- a/ics-attack/attack-pattern/attack-pattern--4c2e1408-9d68-4187-8e6b-a77bc52700ec.json
+++ b/ics-attack/attack-pattern/attack-pattern--4c2e1408-9d68-4187-8e6b-a77bc52700ec.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--bf4a94b4-83e0-4672-8ae9-ec873b407f5e",
+ "id": "bundle--f83225b3-daae-4b36-bead-12c56f2d6fab",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/attack-pattern/attack-pattern--50d3222f-7550-4a3c-94e1-78cb6c81d064.json b/ics-attack/attack-pattern/attack-pattern--50d3222f-7550-4a3c-94e1-78cb6c81d064.json
index af998961fd..ad3cf1e61a 100644
--- a/ics-attack/attack-pattern/attack-pattern--50d3222f-7550-4a3c-94e1-78cb6c81d064.json
+++ b/ics-attack/attack-pattern/attack-pattern--50d3222f-7550-4a3c-94e1-78cb6c81d064.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--340bec81-f2e0-4af3-b513-55ec8974d4c5",
+ "id": "bundle--326dfa4c-45d4-4755-b2cc-55ed40077b3e",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/attack-pattern/attack-pattern--539d0484-fe95-485a-b654-86991c0d0d00.json b/ics-attack/attack-pattern/attack-pattern--539d0484-fe95-485a-b654-86991c0d0d00.json
index c1a978312c..bf62a9d23d 100644
--- a/ics-attack/attack-pattern/attack-pattern--539d0484-fe95-485a-b654-86991c0d0d00.json
+++ b/ics-attack/attack-pattern/attack-pattern--539d0484-fe95-485a-b654-86991c0d0d00.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--bcf99e9d-2823-40ea-9aaa-1049aae44b61",
+ "id": "bundle--13850b23-6db4-4d7c-9d5b-7d9cb3ccc764",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/attack-pattern/attack-pattern--53a26eee-1080-4d17-9762-2027d5a1b805.json b/ics-attack/attack-pattern/attack-pattern--53a26eee-1080-4d17-9762-2027d5a1b805.json
index 1e2b3ea755..2ae5a28359 100644
--- a/ics-attack/attack-pattern/attack-pattern--53a26eee-1080-4d17-9762-2027d5a1b805.json
+++ b/ics-attack/attack-pattern/attack-pattern--53a26eee-1080-4d17-9762-2027d5a1b805.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--51ae6f7f-2973-4971-97a4-63aff2dd8bd0",
+ "id": "bundle--37ef02a1-f0b5-4fd6-aece-71436dc780bb",
 "spec_version": "2.0",
 "objects": [
 {
@@ -24,16 +24,14 @@
 "x_mitre_version": "1.0",
 "x_mitre_attack_spec_version": "2.1.0",
 "x_mitre_data_sources": [
- "Command: Command Execution",
- "File: File Deletion",
 "File: File Metadata",
- "File: File Modification",
- "Network Traffic: Network Traffic Content",
- "Process: OS API Execution",
 "Process: Process Creation",
- "User Account: User Account Authentication",
+ "File: File Modification",
+ "Windows Registry: Windows Registry Key Modification",
+ "File: File Deletion",
+ "Command: Command Execution",
 "Windows Registry: Windows Registry Key Deletion",
- "Windows Registry: Windows Registry Key Modification"
+ "Process: OS API Execution"
 ],
 "type": "attack-pattern",
 "id": "attack-pattern--53a26eee-1080-4d17-9762-2027d5a1b805",
diff --git a/ics-attack/attack-pattern/attack-pattern--53a48c74-0025-45f4-b04a-baa853df8204.json b/ics-attack/attack-pattern/attack-pattern--53a48c74-0025-45f4-b04a-baa853df8204.json
index 483f05266e..e3e3144893 100644
--- a/ics-attack/attack-pattern/attack-pattern--53a48c74-0025-45f4-b04a-baa853df8204.json
+++ b/ics-attack/attack-pattern/attack-pattern--53a48c74-0025-45f4-b04a-baa853df8204.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--e5146ded-1600-460d-96ba-91a3c1e3dfce",
+ "id": "bundle--c09bcd05-46cc-49c2-8059-150f3484d238",
 "spec_version": "2.0",
 "objects": [
 {
@@ -24,7 +24,7 @@
 ],
 "x_mitre_version": "1.1",
 "x_mitre_data_sources": [
- "Asset: Software/Firmware"
+ "Asset: Software"
 ],
 "type": "attack-pattern",
 "id": "attack-pattern--53a48c74-0025-45f4-b04a-baa853df8204",
diff --git a/ics-attack/attack-pattern/attack-pattern--56ddc820-6cfb-407f-850b-52c035d123ac.json b/ics-attack/attack-pattern/attack-pattern--56ddc820-6cfb-407f-850b-52c035d123ac.json
index 88d21bc8c1..67bce0ef24 100644
--- a/ics-attack/attack-pattern/attack-pattern--56ddc820-6cfb-407f-850b-52c035d123ac.json
+++ b/ics-attack/attack-pattern/attack-pattern--56ddc820-6cfb-407f-850b-52c035d123ac.json
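Review bot: The `@@ -24,7 +24,7 @@` hunk of attack-pattern--53a48c74 renames its only data source from `"Asset: Software/Firmware"` to `"Asset: Software"`, and this string appears to be the only link from the technique to the data component, a display name rather than a STIX id. A rename therefore has to match the component's definition exactly and be applied to every technique in the same release, or the detection mapping for that technique silently stops resolving. The data-source and data-component objects are not part of this page, so this cannot be confirmed here; I would add a release check that every `x_mitre_data_sources` entry resolves to an existing source and component pair. The object continues outside the hunk.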
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--9da6f360-a2c9-4fff-be79-7032132c7a8a",
+ "id": "bundle--41b4d4c1-461a-487f-999e-06771fc44f44",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/attack-pattern/attack-pattern--5a2610f6-9fff-41e1-bc27-575ca20383d4.json b/ics-attack/attack-pattern/attack-pattern--5a2610f6-9fff-41e1-bc27-575ca20383d4.json
index 182dcac2aa..dec670c17c 100644
--- a/ics-attack/attack-pattern/attack-pattern--5a2610f6-9fff-41e1-bc27-575ca20383d4.json
+++ b/ics-attack/attack-pattern/attack-pattern--5a2610f6-9fff-41e1-bc27-575ca20383d4.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--8349da77-f01d-4457-9a4f-3141b91ee4dc",
+ "id": "bundle--c5ed1fdc-3f24-474d-802a-9a74ab9b6824",
 "spec_version": "2.0",
 "objects": [
 {
@@ -24,8 +24,7 @@
 ],
 "x_mitre_version": "1.1",
 "x_mitre_data_sources": [
- "Module: Module Load",
- "Network Traffic: Network Traffic Content"
+ "Process: OS API Execution"
 ],
 "type": "attack-pattern",
 "id": "attack-pattern--5a2610f6-9fff-41e1-bc27-575ca20383d4",
diff --git a/ics-attack/attack-pattern/attack-pattern--5e0f75da-e108-4688-a6de-a4f07cc2cbe3.json b/ics-attack/attack-pattern/attack-pattern--5e0f75da-e108-4688-a6de-a4f07cc2cbe3.json
index f26b068ea8..73f8826854 100644
--- a/ics-attack/attack-pattern/attack-pattern--5e0f75da-e108-4688-a6de-a4f07cc2cbe3.json
+++ b/ics-attack/attack-pattern/attack-pattern--5e0f75da-e108-4688-a6de-a4f07cc2cbe3.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--d1a06160-eda9-402d-85c6-87697ac347a0",
+ "id": "bundle--3b619269-7ec0-45ac-af21-acad8602311b",
 "spec_version": "2.0",
 "objects": [
 {
@@ -28,6 +28,9 @@
 "ics-attack"
 ],
 "x_mitre_version": "1.1",
+ "x_mitre_data_sources": [
+ "File: File Metadata"
+ ],
 "type": "attack-pattern",
 "id": "attack-pattern--5e0f75da-e108-4688-a6de-a4f07cc2cbe3",
 "created": "2020-05-21T17:43:26.506Z",
diff --git a/ics-attack/attack-pattern/attack-pattern--5f3da2f3-91c8-4d8b-a02f-bf43a11def55.json b/ics-attack/attack-pattern/attack-pattern--5f3da2f3-91c8-4d8b-a02f-bf43a11def55.json
index e18f25e839..aa1f70803c 100644
--- a/ics-attack/attack-pattern/attack-pattern--5f3da2f3-91c8-4d8b-a02f-bf43a11def55.json
+++ b/ics-attack/attack-pattern/attack-pattern--5f3da2f3-91c8-4d8b-a02f-bf43a11def55.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--d6979f12-a6dd-4b85-8819-99fd0f3a8403",
+ "id": "bundle--82e86fa1-d136-4bc9-b885-fbfd4b870bdb",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/attack-pattern/attack-pattern--5fa00fdd-4a55-4191-94a0-564181d7fec2.json b/ics-attack/attack-pattern/attack-pattern--5fa00fdd-4a55-4191-94a0-564181d7fec2.json
index 5283608959..38e60ca714 100644
--- a/ics-attack/attack-pattern/attack-pattern--5fa00fdd-4a55-4191-94a0-564181d7fec2.json
+++ b/ics-attack/attack-pattern/attack-pattern--5fa00fdd-4a55-4191-94a0-564181d7fec2.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--eb58e9f0-9520-4780-aaf5-1d9e048e18dc",
+ "id": "bundle--d6ef9807-7f7b-4ab2-b239-3e3610d915ff",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/attack-pattern/attack-pattern--63b6942d-8359-4506-bfb3-cf87aa8120ee.json b/ics-attack/attack-pattern/attack-pattern--63b6942d-8359-4506-bfb3-cf87aa8120ee.json
index a510f2ef65..64cb46eb07 100644
--- a/ics-attack/attack-pattern/attack-pattern--63b6942d-8359-4506-bfb3-cf87aa8120ee.json
+++ b/ics-attack/attack-pattern/attack-pattern--63b6942d-8359-4506-bfb3-cf87aa8120ee.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--b93db7a3-eb08-4a9d-9de1-40e889fca6fa",
+ "id": "bundle--c928190b-ca8a-4177-b34b-871f6b20ddba",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/attack-pattern/attack-pattern--648f995e-9c3a-41e4-aeee-98bb41037426.json b/ics-attack/attack-pattern/attack-pattern--648f995e-9c3a-41e4-aeee-98bb41037426.json
index a01151fa15..e0f9e559b9 100644
--- a/ics-attack/attack-pattern/attack-pattern--648f995e-9c3a-41e4-aeee-98bb41037426.json
+++ b/ics-attack/attack-pattern/attack-pattern--648f995e-9c3a-41e4-aeee-98bb41037426.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--95954aef-7ff7-404d-aa25-a4b1aa622f5d",
+ "id": "bundle--0f4ad224-fe7e-4ece-9f0d-7ac7b586634a",
 "spec_version": "2.0",
 "objects": [
 {
@@ -28,6 +28,8 @@
 "x_mitre_version": "1.1",
 "x_mitre_data_sources": [
 "Application Log: Application Log Content",
+ "File: File Creation",
+ "Process: Process Creation",
 "Network Traffic: Network Traffic Content"
 ],
 "type": "attack-pattern",
diff --git a/ics-attack/attack-pattern/attack-pattern--7374ab87-0782-41f8-b415-678c0950bb2a.json b/ics-attack/attack-pattern/attack-pattern--7374ab87-0782-41f8-b415-678c0950bb2a.json
index 83c13224d1..80b5608675 100644
--- a/ics-attack/attack-pattern/attack-pattern--7374ab87-0782-41f8-b415-678c0950bb2a.json
+++ b/ics-attack/attack-pattern/attack-pattern--7374ab87-0782-41f8-b415-678c0950bb2a.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--68464d6b-3f17-4888-b2fb-bea0ac94d425",
+ "id": "bundle--efaf75c4-45dd-4d58-af47-bd365a204f98",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/attack-pattern/attack-pattern--7830cfcf-b268-4ac0-a69e-73c6affbae9a.json b/ics-attack/attack-pattern/attack-pattern--7830cfcf-b268-4ac0-a69e-73c6affbae9a.json
index 663b7f7e1c..ba69d5074f 100644
--- a/ics-attack/attack-pattern/attack-pattern--7830cfcf-b268-4ac0-a69e-73c6affbae9a.json
+++ b/ics-attack/attack-pattern/attack-pattern--7830cfcf-b268-4ac0-a69e-73c6affbae9a.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--eab455d2-0137-474a-8b2c-fc1838127689",
+ "id": "bundle--900b5773-01ec-438f-95d8-56d9bb11b420",
 "spec_version": "2.0",
 "objects": [
 {
@@ -24,10 +24,10 @@
 ],
 "x_mitre_version": "1.0",
 "x_mitre_data_sources": [
- "Application Log: Application Log Content",
+ "Network Traffic: Network Traffic Content",
 "File: File Creation",
 "Network Traffic: Network Connection Creation",
- "Network Traffic: Network Traffic Content",
+ "Application Log: Application Log Content",
 "Process: Process Creation"
 ],
 "type": "attack-pattern",
diff --git a/ics-attack/attack-pattern/attack-pattern--83ebd22f-b401-4d59-8219-2294172cf916.json b/ics-attack/attack-pattern/attack-pattern--83ebd22f-b401-4d59-8219-2294172cf916.json
index b5d9705a84..20366f172c 100644
--- a/ics-attack/attack-pattern/attack-pattern--83ebd22f-b401-4d59-8219-2294172cf916.json
+++ b/ics-attack/attack-pattern/attack-pattern--83ebd22f-b401-4d59-8219-2294172cf916.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--667109b2-47f9-49a9-a345-40e9aa8558a7",
+ "id": "bundle--b32487c4-4f52-48d4-a86e-f9fb3607d014",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/attack-pattern/attack-pattern--8535b71e-3c12-4258-a4ab-40257a1becc4.json b/ics-attack/attack-pattern/attack-pattern--8535b71e-3c12-4258-a4ab-40257a1becc4.json
index 18e0ee0af0..916bc28604 100644
--- a/ics-attack/attack-pattern/attack-pattern--8535b71e-3c12-4258-a4ab-40257a1becc4.json
+++ b/ics-attack/attack-pattern/attack-pattern--8535b71e-3c12-4258-a4ab-40257a1becc4.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--e6d80a68-6acc-40e5-978c-f938295dbb6f",
+ "id": "bundle--f3f6c012-f990-40d9-ab72-6409fa2ad699",
 "spec_version": "2.0",
 "objects": [
 {
@@ -28,8 +28,10 @@
 ],
 "x_mitre_version": "1.1",
 "x_mitre_data_sources": [
- "Network Traffic: Network Traffic Content",
- "Application Log: Application Log Content"
+ "Network Traffic: Network Traffic Flow",
+ "Operational Databases: Device Alarm",
+ "Windows Registry: Windows Registry Key Modification",
+ "Network Traffic: Network Traffic Content"
 ],
 "type": "attack-pattern",
 "id": "attack-pattern--8535b71e-3c12-4258-a4ab-40257a1becc4",
diff --git a/ics-attack/attack-pattern/attack-pattern--85a45294-08f1-4539-bf00-7da08aa7b0ee.json b/ics-attack/attack-pattern/attack-pattern--85a45294-08f1-4539-bf00-7da08aa7b0ee.json
index 740c751027..8e9dde7570 100644
--- a/ics-attack/attack-pattern/attack-pattern--85a45294-08f1-4539-bf00-7da08aa7b0ee.json
+++ b/ics-attack/attack-pattern/attack-pattern--85a45294-08f1-4539-bf00-7da08aa7b0ee.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--286cb5a0-78b8-4f16-b442-6d97f834e2bb",
+ "id": "bundle--10493f9a-1a83-4de1-8dc6-c4616fde4f8e",
 "spec_version": "2.0",
 "objects": [
 {
@@ -30,8 +30,8 @@
 ],
 "x_mitre_version": "1.0",
 "x_mitre_data_sources": [
- "Application Log: Application Log Content",
- "Network Traffic: Network Traffic Content"
+ "Network Traffic: Network Traffic Content",
+ "Application Log: Application Log Content"
 ],
 "type": "attack-pattern",
 "id": "attack-pattern--85a45294-08f1-4539-bf00-7da08aa7b0ee",
diff --git a/ics-attack/attack-pattern/attack-pattern--8bb4538f-f16f-49f0-a431-70b5444c7349.json b/ics-attack/attack-pattern/attack-pattern--8bb4538f-f16f-49f0-a431-70b5444c7349.json
index 99b3f46d57..9254072bdb 100644
--- a/ics-attack/attack-pattern/attack-pattern--8bb4538f-f16f-49f0-a431-70b5444c7349.json
+++ b/ics-attack/attack-pattern/attack-pattern--8bb4538f-f16f-49f0-a431-70b5444c7349.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--a718a423-feaf-4750-8500-0de3cec25795",
+ "id": "bundle--a45d0c2b-a2d1-4d7d-b294-e26dd10d7d88",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/attack-pattern/attack-pattern--8d2f3bab-507c-4424-b58b-edc977bd215c.json b/ics-attack/attack-pattern/attack-pattern--8d2f3bab-507c-4424-b58b-edc977bd215c.json
index 405e558aab..133b9bb686 100644
--- a/ics-attack/attack-pattern/attack-pattern--8d2f3bab-507c-4424-b58b-edc977bd215c.json
+++ b/ics-attack/attack-pattern/attack-pattern--8d2f3bab-507c-4424-b58b-edc977bd215c.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--85c530a8-e2bc-47e7-9e5e-755b1dd45abf",
+ "id": "bundle--edd1ef11-c393-44cf-950e-fc4c0f410337",
 "spec_version": "2.0",
 "objects": [
 {
@@ -25,9 +25,9 @@
 ],
 "x_mitre_version": "1.0",
 "x_mitre_data_sources": [
+ "Network Traffic: Network Traffic Flow",
 "Application Log: Application Log Content",
- "Logon Session: Logon Session Metadata",
- "Network Traffic: Network Traffic Flow"
+ "Logon Session: Logon Session Metadata"
 ],
 "type": "attack-pattern",
 "id": "attack-pattern--8d2f3bab-507c-4424-b58b-edc977bd215c",
diff --git a/ics-attack/attack-pattern/attack-pattern--8e7089d3-fba2-44f8-94a8-9a79c53920c4.json b/ics-attack/attack-pattern/attack-pattern--8e7089d3-fba2-44f8-94a8-9a79c53920c4.json
index 2702cde1ed..e9a5d2f0cd 100644
--- a/ics-attack/attack-pattern/attack-pattern--8e7089d3-fba2-44f8-94a8-9a79c53920c4.json
+++ b/ics-attack/attack-pattern/attack-pattern--8e7089d3-fba2-44f8-94a8-9a79c53920c4.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--bbface67-2c41-4219-837d-771ea756244b",
+ "id": "bundle--81bb4904-3d4e-4dcb-8f2c-30fd2e7b8213",
 "spec_version": "2.0",
 "objects": [
 {
@@ -25,9 +25,9 @@
 ],
 "x_mitre_version": "1.0",
 "x_mitre_data_sources": [
+ "Operational Databases: Process History/Live Data",
 "Network Traffic: Network Traffic Content",
- "Application Log: Application Log Content",
- "Operational Databases: Process History/Live Data"
+ "Application Log: Application Log Content"
 ],
 "type": "attack-pattern",
 "id": "attack-pattern--8e7089d3-fba2-44f8-94a8-9a79c53920c4",
diff --git a/ics-attack/attack-pattern/attack-pattern--94f042ae-3033-4a8d-9ec3-26396533a541.json b/ics-attack/attack-pattern/attack-pattern--94f042ae-3033-4a8d-9ec3-26396533a541.json
index 8238c914ee..c769597d54 100644
--- a/ics-attack/attack-pattern/attack-pattern--94f042ae-3033-4a8d-9ec3-26396533a541.json
+++ b/ics-attack/attack-pattern/attack-pattern--94f042ae-3033-4a8d-9ec3-26396533a541.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--45fef304-e2a6-4dff-8ef0-37ade90722ef",
+ "id": "bundle--9d00af04-00ba-46f4-b164-86804cbda55b",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/attack-pattern/attack-pattern--9a505987-ab05-4f46-a9a6-6441442eec3b.json b/ics-attack/attack-pattern/attack-pattern--9a505987-ab05-4f46-a9a6-6441442eec3b.json
index fd4c095cb6..d48a5e3016 100644
--- a/ics-attack/attack-pattern/attack-pattern--9a505987-ab05-4f46-a9a6-6441442eec3b.json
+++ b/ics-attack/attack-pattern/attack-pattern--9a505987-ab05-4f46-a9a6-6441442eec3b.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--f00dae9a-f8c0-428c-9eb8-e5ec0279ed66",
+ "id": "bundle--9bcf1a0d-86c0-4e69-ab3a-97f51494c303",
 "spec_version": "2.0",
 "objects": [
 {
@@ -29,11 +29,12 @@
 "Conrad Layne - GE Digital"
 ],
 "x_mitre_data_sources": [
- "Network Traffic: Network Traffic Flow",
 "Network Traffic: Network Traffic Content",
- "Process: OS API Execution",
+ "Service: Service Creation",
+ "Application Log: Application Log Content",
+ "Network Traffic: Network Traffic Flow",
 "Process: Process Creation",
- "Command: Command Execution"
+ "Windows Registry: Windows Registry Key Modification"
 ],
 "type": "attack-pattern",
 "id": "attack-pattern--9a505987-ab05-4f46-a9a6-6441442eec3b",
diff --git a/ics-attack/attack-pattern/attack-pattern--9f947a1c-3860-48a8-8af0-a2dfa3efde03.json b/ics-attack/attack-pattern/attack-pattern--9f947a1c-3860-48a8-8af0-a2dfa3efde03.json
index abfc8f6e4e..58329f077d 100644
--- a/ics-attack/attack-pattern/attack-pattern--9f947a1c-3860-48a8-8af0-a2dfa3efde03.json
+++ b/ics-attack/attack-pattern/attack-pattern--9f947a1c-3860-48a8-8af0-a2dfa3efde03.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--2aa3b2bd-a902-41a3-87d0-e81c87cab194",
+ "id": "bundle--d581ce81-d80a-4914-a657-42c3c7b9cb14",
 "spec_version": "2.0",
 "objects": [
 {
@@ -24,6 +24,9 @@
 "ics-attack"
 ],
 "x_mitre_version": "1.1",
+ "x_mitre_data_sources": [
+ "Application Log: Application Log Content"
+ ],
 "type": "attack-pattern",
 "id": "attack-pattern--9f947a1c-3860-48a8-8af0-a2dfa3efde03",
 "created": "2020-05-21T17:43:26.506Z",
diff --git a/ics-attack/attack-pattern/attack-pattern--a81696ef-c106-482c-8f80-59c30f2569fb.json b/ics-attack/attack-pattern/attack-pattern--a81696ef-c106-482c-8f80-59c30f2569fb.json
index 99cc2f337d..bc71d83850 100644
--- a/ics-attack/attack-pattern/attack-pattern--a81696ef-c106-482c-8f80-59c30f2569fb.json
+++ b/ics-attack/attack-pattern/attack-pattern--a81696ef-c106-482c-8f80-59c30f2569fb.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--96e5ec5a-081e-41bc-bb04-7ab8b94e3d19",
+ "id": "bundle--fa07a524-7178-499d-a1ea-36496b6fd302",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/attack-pattern/attack-pattern--a8cfd474-9358-464f-a169-9c6f099a8e8a.json b/ics-attack/attack-pattern/attack-pattern--a8cfd474-9358-464f-a169-9c6f099a8e8a.json
index 417ad7f9eb..e534b662b0 100644
--- a/ics-attack/attack-pattern/attack-pattern--a8cfd474-9358-464f-a169-9c6f099a8e8a.json
+++ b/ics-attack/attack-pattern/attack-pattern--a8cfd474-9358-464f-a169-9c6f099a8e8a.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--38edd46d-6c54-489d-93ab-f7345ecc7467",
+ "id": "bundle--ebc15e0a-97e7-44b6-b74e-ca3ef2243064",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/attack-pattern/attack-pattern--ab390887-afc0-4715-826d-b1b167d522ae.json b/ics-attack/attack-pattern/attack-pattern--ab390887-afc0-4715-826d-b1b167d522ae.json
index 944a16ab32..8d13362b55 100644
--- a/ics-attack/attack-pattern/attack-pattern--ab390887-afc0-4715-826d-b1b167d522ae.json
+++ b/ics-attack/attack-pattern/attack-pattern--ab390887-afc0-4715-826d-b1b167d522ae.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--b092d8c7-69f2-4a38-803b-10ab20d37d8a",
+ "id": "bundle--bfb6a629-769d-4e02-9b5d-c933daaa6834",
 "spec_version": "2.0",
 "objects": [
 {
@@ -28,8 +28,8 @@
 ],
 "x_mitre_version": "1.1",
 "x_mitre_data_sources": [
- "File: File Modification",
- "Module: Module Load"
+ "Process: OS API Execution",
+ "Process: Process Metadata"
 ],
 "type": "attack-pattern",
 "id": "attack-pattern--ab390887-afc0-4715-826d-b1b167d522ae",
diff --git a/ics-attack/attack-pattern/attack-pattern--abb0a255-eb9c-48d0-8f5c-874bb84c0e45.json b/ics-attack/attack-pattern/attack-pattern--abb0a255-eb9c-48d0-8f5c-874bb84c0e45.json
index 1910353aca..4d9c5281cf 100644
--- a/ics-attack/attack-pattern/attack-pattern--abb0a255-eb9c-48d0-8f5c-874bb84c0e45.json
+++ b/ics-attack/attack-pattern/attack-pattern--abb0a255-eb9c-48d0-8f5c-874bb84c0e45.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--5ef8ec71-ba15-4b8c-8ffc-9d9c255270eb",
+ "id": "bundle--1e5b80da-8008-4919-b88e-d2aa0fc35a46",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/attack-pattern/attack-pattern--ae62fe1a-ea1a-479b-8dc0-65d250bd8bc7.json b/ics-attack/attack-pattern/attack-pattern--ae62fe1a-ea1a-479b-8dc0-65d250bd8bc7.json
index d52b2d2040..afc91aec5e 100644
--- a/ics-attack/attack-pattern/attack-pattern--ae62fe1a-ea1a-479b-8dc0-65d250bd8bc7.json
+++ b/ics-attack/attack-pattern/attack-pattern--ae62fe1a-ea1a-479b-8dc0-65d250bd8bc7.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--7336ace5-736b-4ced-974f-44c6d644d46a",
+ "id": "bundle--1d66bf54-3cbe-4568-a723-cc946650e565",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/attack-pattern/attack-pattern--b0628bfc-5376-4a38-9182-f324501cb4cf.json b/ics-attack/attack-pattern/attack-pattern--b0628bfc-5376-4a38-9182-f324501cb4cf.json
index c3761ba121..d0c5914107 100644
--- a/ics-attack/attack-pattern/attack-pattern--b0628bfc-5376-4a38-9182-f324501cb4cf.json
+++ b/ics-attack/attack-pattern/attack-pattern--b0628bfc-5376-4a38-9182-f324501cb4cf.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--0fb3ea22-23fa-4653-97fc-94735c6da5b2",
+ "id": "bundle--749a2de2-f5cd-41d9-a410-cfc2c1d5f8da",
 "spec_version": "2.0",
 "objects": [
 {
@@ -24,9 +24,10 @@
 ],
 "x_mitre_version": "1.1",
 "x_mitre_data_sources": [
- "Network Traffic: Network Traffic Flow",
- "Network Traffic: Network Traffic Content",
- "Process: Process Creation"
+ "Module: Module Load",
+ "Process: Process Creation",
+ "Command: Command Execution",
+ "Logon Session: Logon Session Creation"
 ],
 "type": "attack-pattern",
 "id": "attack-pattern--b0628bfc-5376-4a38-9182-f324501cb4cf",
diff --git a/ics-attack/attack-pattern/attack-pattern--b14395bd-5419-4ef4-9bd8-696936f509bb.json b/ics-attack/attack-pattern/attack-pattern--b14395bd-5419-4ef4-9bd8-696936f509bb.json
index 22c7b1323c..6ae68938ba 100644
--- a/ics-attack/attack-pattern/attack-pattern--b14395bd-5419-4ef4-9bd8-696936f509bb.json
+++ b/ics-attack/attack-pattern/attack-pattern--b14395bd-5419-4ef4-9bd8-696936f509bb.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--234581c3-b16c-4507-a624-84409e11d0ce",
+ "id": "bundle--ad120e54-6065-4341-aada-90edf7c1b08b",
 "spec_version": "2.0",
 "objects": [
 {
@@ -26,10 +26,11 @@
 ],
 "x_mitre_version": "1.1",
 "x_mitre_data_sources": [
- "Network Traffic: Network Traffic Content",
- "Network Traffic: Network Traffic Flow",
 "Application Log: Application Log Content",
- "Operational Databases: Process/Event Alarm"
+ "Asset: Asset Inventory",
+ "Operational Databases: Device Alarm",
+ "Network Traffic: Network Traffic Content",
+ "Network Traffic: Network Traffic Flow"
 ],
 "type": "attack-pattern",
 "id": "attack-pattern--b14395bd-5419-4ef4-9bd8-696936f509bb",
diff --git a/ics-attack/attack-pattern/attack-pattern--b52870cc-83f3-473c-b895-72d91751030b.json b/ics-attack/attack-pattern/attack-pattern--b52870cc-83f3-473c-b895-72d91751030b.json
index 2896907e1e..c4e575c71c 100644
--- a/ics-attack/attack-pattern/attack-pattern--b52870cc-83f3-473c-b895-72d91751030b.json
+++ b/ics-attack/attack-pattern/attack-pattern--b52870cc-83f3-473c-b895-72d91751030b.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--403f52c6-8ef9-43b2-bc22-2df86c87db78",
+ "id": "bundle--09b1e2b3-2f99-4328-8034-ef80bffef4d3",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/attack-pattern/attack-pattern--b5b9bacb-97f2-4249-b804-47fd44de1f95.json b/ics-attack/attack-pattern/attack-pattern--b5b9bacb-97f2-4249-b804-47fd44de1f95.json
index 39c681709d..d5530ed746 100644
--- a/ics-attack/attack-pattern/attack-pattern--b5b9bacb-97f2-4249-b804-47fd44de1f95.json
+++ b/ics-attack/attack-pattern/attack-pattern--b5b9bacb-97f2-4249-b804-47fd44de1f95.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--532407ac-bbdf-44f1-9441-c07a9e73369e",
+ "id": "bundle--24c345d6-23b1-41c0-ac4b-40530f3783e8",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/attack-pattern/attack-pattern--b7e13ee8-182c-4f19-92a4-a88d7d855d54.json b/ics-attack/attack-pattern/attack-pattern--b7e13ee8-182c-4f19-92a4-a88d7d855d54.json
index f28d6dc758..b32e2b1454 100644
--- a/ics-attack/attack-pattern/attack-pattern--b7e13ee8-182c-4f19-92a4-a88d7d855d54.json
+++ b/ics-attack/attack-pattern/attack-pattern--b7e13ee8-182c-4f19-92a4-a88d7d855d54.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--bad1fddc-d9c4-4b06-87cb-b0b0486d82ad",
+ "id": "bundle--aa3328d8-fcf9-457d-88e7-48b8683a23c7",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/attack-pattern/attack-pattern--b9160e77-ea9e-4ba9-b1c8-53a3c466b13d.json b/ics-attack/attack-pattern/attack-pattern--b9160e77-ea9e-4ba9-b1c8-53a3c466b13d.json
index b449b55b3c..074d8a61a0 100644
--- a/ics-attack/attack-pattern/attack-pattern--b9160e77-ea9e-4ba9-b1c8-53a3c466b13d.json
+++ b/ics-attack/attack-pattern/attack-pattern--b9160e77-ea9e-4ba9-b1c8-53a3c466b13d.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--50e761bf-b5f3-4fbb-8895-b22d26ba7913",
+ "id": "bundle--6bc12a34-f3e2-42e5-8abf-917810b2a4b5",
 "spec_version": "2.0",
 "objects": [
 {
@@ -30,9 +30,10 @@
 ],
 "x_mitre_version": "1.1",
 "x_mitre_data_sources": [
- "Firmware: Firmware Modification",
 "Network Traffic: Network Traffic Content",
- "Network Traffic: Network Traffic Flow"
+ "Firmware: Firmware Modification",
+ "Application Log: Application Log Content",
+ "Operational Databases: Device Alarm"
 ],
 "type": "attack-pattern",
 "id": "attack-pattern--b9160e77-ea9e-4ba9-b1c8-53a3c466b13d",
diff --git a/ics-attack/attack-pattern/attack-pattern--ba203963-3182-41ac-af14-7e7ebc83cd61.json b/ics-attack/attack-pattern/attack-pattern--ba203963-3182-41ac-af14-7e7ebc83cd61.json
index 4af6b4d089..2a50873057 100644
--- a/ics-attack/attack-pattern/attack-pattern--ba203963-3182-41ac-af14-7e7ebc83cd61.json
+++ b/ics-attack/attack-pattern/attack-pattern--ba203963-3182-41ac-af14-7e7ebc83cd61.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--c92d7fa1-62eb-42db-90db-c42781b46587",
+ "id": "bundle--d4bceb18-b528-4e01-bf37-50b333d51989",
 "spec_version": "2.0",
 "objects": [
 {
@@ -25,13 +25,14 @@
 ],
 "x_mitre_version": "1.1",
 "x_mitre_data_sources": [
+ "Scheduled Job: Scheduled Job Creation",
 "Command: Command Execution",
- "File: File Metadata",
- "File: File Modification",
- "Scheduled Job: Scheduled Job Metadata",
- "Scheduled Job: Scheduled Job Modification",
+ "Service: Service Modification",
 "Service: Service Creation",
- "Service: Service Metadata"
+ "File: File Modification",
+ "Process: Process Metadata",
+ "File: File Metadata",
+ "Scheduled Job: Scheduled Job Modification"
 ],
 "type": "attack-pattern",
 "id": "attack-pattern--ba203963-3182-41ac-af14-7e7ebc83cd61",
diff --git a/ics-attack/attack-pattern/attack-pattern--be69c571-d746-4b1f-bdd0-c0c9817e9068.json b/ics-attack/attack-pattern/attack-pattern--be69c571-d746-4b1f-bdd0-c0c9817e9068.json
index d300789cde..f9d75ed322 100644
--- a/ics-attack/attack-pattern/attack-pattern--be69c571-d746-4b1f-bdd0-c0c9817e9068.json
+++ b/ics-attack/attack-pattern/attack-pattern--be69c571-d746-4b1f-bdd0-c0c9817e9068.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--a4636064-d321-45a1-b0a3-851778ca1450",
+ "id": "bundle--fee2da0d-9705-4996-a1a9-dcd9360874e2",
 "spec_version": "2.0",
 "objects": [
 {
@@ -25,9 +25,10 @@
 ],
 "x_mitre_version": "1.1",
 "x_mitre_data_sources": [
- "Network Traffic: Network Traffic Content",
 "Application Log: Application Log Content",
- "Operational Databases: Device Alarm"
+ "Operational Databases: Device Alarm",
+ "Network Traffic: Network Traffic Content",
+ "Asset: Asset Inventory"
 ],
 "type": "attack-pattern",
 "id": "attack-pattern--be69c571-d746-4b1f-bdd0-c0c9817e9068",
diff --git a/ics-attack/attack-pattern/attack-pattern--c267bbee-bb59-47fe-85e0-3ed210337c21.json b/ics-attack/attack-pattern/attack-pattern--c267bbee-bb59-47fe-85e0-3ed210337c21.json
index a2f5f2ef27..1ba6a4e890 100644
--- a/ics-attack/attack-pattern/attack-pattern--c267bbee-bb59-47fe-85e0-3ed210337c21.json
+++ b/ics-attack/attack-pattern/attack-pattern--c267bbee-bb59-47fe-85e0-3ed210337c21.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--c17911ce-f52a-4981-bf52-f30c9f306ce6",
+ "id": "bundle--d9c4b2aa-9fe4-4be4-899f-39c8c2a4160d",
 "spec_version": "2.0",
 "objects": [
 {
@@ -26,10 +26,10 @@
 ],
 "x_mitre_version": "1.0",
 "x_mitre_data_sources": [
- "Drive: Drive Creation",
- "File: File Access",
+ "Process: Process Creation",
 "File: File Creation",
- "Process: Process Creation"
+ "Drive: Drive Creation",
+ "File: File Access"
 ],
 "type": "attack-pattern",
 "id": "attack-pattern--c267bbee-bb59-47fe-85e0-3ed210337c21",
diff --git a/ics-attack/attack-pattern/attack-pattern--c5e3cdbc-0387-4be9-8f83-ff5c0865f377.json b/ics-attack/attack-pattern/attack-pattern--c5e3cdbc-0387-4be9-8f83-ff5c0865f377.json
index 11f2956158..0821eb32b1 100644
--- a/ics-attack/attack-pattern/attack-pattern--c5e3cdbc-0387-4be9-8f83-ff5c0865f377.json
+++ b/ics-attack/attack-pattern/attack-pattern--c5e3cdbc-0387-4be9-8f83-ff5c0865f377.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--0ead4098-0d6f-4df2-8453-af7497b3d2d0",
+ "id": "bundle--38548879-9a1a-48e7-bdf5-7b783aab223c",
 "spec_version": "2.0",
 "objects": [
 {
@@ -23,8 +23,8 @@
 "x_mitre_version": "1.0",
 "x_mitre_attack_spec_version": "2.1.0",
 "x_mitre_data_sources": [
- "Command: Command Execution",
- "Process: OS API Execution"
+ "Process: OS API Execution",
+ "Command: Command Execution"
 ],
 "type": "attack-pattern",
 "id": "attack-pattern--c5e3cdbc-0387-4be9-8f83-ff5c0865f377",
diff --git a/ics-attack/attack-pattern/attack-pattern--c9a8d958-fcdb-40d2-af4c-461c8031651a.json b/ics-attack/attack-pattern/attack-pattern--c9a8d958-fcdb-40d2-af4c-461c8031651a.json
index dacc4736ba..52cfe495ef 100644
--- a/ics-attack/attack-pattern/attack-pattern--c9a8d958-fcdb-40d2-af4c-461c8031651a.json
+++ b/ics-attack/attack-pattern/attack-pattern--c9a8d958-fcdb-40d2-af4c-461c8031651a.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--a06999be-badb-4b72-9275-4990f9ea47ea",
+ "id": "bundle--a48e9a64-eeaa-4a21-b44a-3050ff1f77e2",
 "spec_version": "2.0",
 "objects": [
 {
@@ -36,8 +36,8 @@
 "Aagam Shah, @neutrinoguy, ABB"
 ],
 "x_mitre_data_sources": [
- "Logon Session: Logon Session Creation",
- "Network Traffic: Network Traffic Content"
+ "Network Traffic: Network Traffic Content",
+ "Logon Session: Logon Session Creation"
 ],
 "type": "attack-pattern",
 "id": "attack-pattern--c9a8d958-fcdb-40d2-af4c-461c8031651a",
diff --git a/ics-attack/attack-pattern/attack-pattern--cd2c76a4-5e23-4ca5-9c40-d5e0604f7101.json b/ics-attack/attack-pattern/attack-pattern--cd2c76a4-5e23-4ca5-9c40-d5e0604f7101.json
index 0c66699543..98cfdd13bf 100644
--- a/ics-attack/attack-pattern/attack-pattern--cd2c76a4-5e23-4ca5-9c40-d5e0604f7101.json
+++ b/ics-attack/attack-pattern/attack-pattern--cd2c76a4-5e23-4ca5-9c40-d5e0604f7101.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--400f537a-938e-4de5-a89f-a32d14ac3967",
+ "id": "bundle--65a16a48-c54e-427f-998b-7b890d12cff2",
 "spec_version": "2.0",
 "objects": [
 {
@@ -34,8 +34,9 @@
 ],
 "x_mitre_version": "1.1",
 "x_mitre_data_sources": [
+ "User Account: User Account Authentication",
 "Logon Session: Logon Session Creation",
- "User Account: User Account Authentication"
+ "Logon Session: Logon Session Metadata"
 ],
 "type": "attack-pattern",
 "id": "attack-pattern--cd2c76a4-5e23-4ca5-9c40-d5e0604f7101",
diff --git a/ics-attack/attack-pattern/attack-pattern--cfe68e93-ce94-4c0f-a57d-3aa72cedd618.json b/ics-attack/attack-pattern/attack-pattern--cfe68e93-ce94-4c0f-a57d-3aa72cedd618.json
index 18293d2252..24a92ab6e4 100644
--- a/ics-attack/attack-pattern/attack-pattern--cfe68e93-ce94-4c0f-a57d-3aa72cedd618.json
+++ b/ics-attack/attack-pattern/attack-pattern--cfe68e93-ce94-4c0f-a57d-3aa72cedd618.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--2d34c4ef-4fb2-48a9-9530-86a77923d6b6",
+ "id": "bundle--e193609c-118b-410c-82cd-a034525412fe",
 "spec_version": "2.0",
 "objects": [
 {
@@ -25,7 +25,7 @@
 ],
 "x_mitre_version": "1.1",
 "x_mitre_data_sources": [
- "Process: OS API Execution"
+ "Application Log: Application Log Content"
 ],
 "type": "attack-pattern",
 "id": "attack-pattern--cfe68e93-ce94-4c0f-a57d-3aa72cedd618",
diff --git a/ics-attack/attack-pattern/attack-pattern--d5a69cfb-fc2a-46cb-99eb-74b236db5061.json b/ics-attack/attack-pattern/attack-pattern--d5a69cfb-fc2a-46cb-99eb-74b236db5061.json
index e7c7aadbe0..72a1878e33 100644
--- a/ics-attack/attack-pattern/attack-pattern--d5a69cfb-fc2a-46cb-99eb-74b236db5061.json
+++ b/ics-attack/attack-pattern/attack-pattern--d5a69cfb-fc2a-46cb-99eb-74b236db5061.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--14e4dbd3-fdd8-4320-b2aa-70ae87a04171",
+ "id": "bundle--9911dc77-f27e-42bd-b877-93090abd3489",
 "spec_version": "2.0",
 "objects": [
 {
@@ -28,10 +28,10 @@
 ],
 "x_mitre_version": "1.1",
 "x_mitre_data_sources": [
- "Command: Command Execution",
+ "Network Traffic: Network Traffic Content",
 "File: File Access",
- "Network Traffic: Network Connection Creation",
- "Process: Process Creation"
+ "Process: Process Creation",
+ "Network Traffic: Network Traffic Flow"
 ],
 "type": "attack-pattern",
 "id": "attack-pattern--d5a69cfb-fc2a-46cb-99eb-74b236db5061",
diff --git a/ics-attack/attack-pattern/attack-pattern--d614a9cf-18eb-4800-81e4-ab8ddf0baa73.json b/ics-attack/attack-pattern/attack-pattern--d614a9cf-18eb-4800-81e4-ab8ddf0baa73.json
index 02ac4280cc..4710b8fbf2 100644
--- a/ics-attack/attack-pattern/attack-pattern--d614a9cf-18eb-4800-81e4-ab8ddf0baa73.json
+++ b/ics-attack/attack-pattern/attack-pattern--d614a9cf-18eb-4800-81e4-ab8ddf0baa73.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--b4787dd3-0b43-41cf-a80f-bdaad58ed732",
+ "id": "bundle--8288966a-0465-45e3-bbd9-77916ec2b720",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/attack-pattern/attack-pattern--d67adac8-e3b9-44f9-9e6d-6c2a7d69dbe4.json b/ics-attack/attack-pattern/attack-pattern--d67adac8-e3b9-44f9-9e6d-6c2a7d69dbe4.json
index 442e5fbb18..94f02963db 100644
--- a/ics-attack/attack-pattern/attack-pattern--d67adac8-e3b9-44f9-9e6d-6c2a7d69dbe4.json
+++ b/ics-attack/attack-pattern/attack-pattern--d67adac8-e3b9-44f9-9e6d-6c2a7d69dbe4.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--79398fc1-c7db-4147-b27d-e3384ba8e939",
+ "id": "bundle--f652a4e2-da7c-4920-9884-4c84baeaee2a",
 "spec_version": "2.0",
 "objects": [
 {
@@ -24,7 +24,6 @@
 ],
 "x_mitre_version": "1.1",
 "x_mitre_data_sources": [
- "Network Traffic: Network Connection Creation",
 "Network Traffic: Network Traffic Content",
 "Network Traffic: Network Traffic Flow"
 ],
diff --git a/ics-attack/attack-pattern/attack-pattern--e076cca8-2f08-45c9-aff7-ea5ac798b387.json b/ics-attack/attack-pattern/attack-pattern--e076cca8-2f08-45c9-aff7-ea5ac798b387.json
index ac73879e23..693990809a 100644
--- a/ics-attack/attack-pattern/attack-pattern--e076cca8-2f08-45c9-aff7-ea5ac798b387.json
+++ b/ics-attack/attack-pattern/attack-pattern--e076cca8-2f08-45c9-aff7-ea5ac798b387.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--1ecb3609-206c-41ef-8a11-c66a3ceee1f7",
+ "id": "bundle--f1deb1cf-583d-496f-bdb0-20df396f198a",
 "spec_version": "2.0",
 "objects": [
 {
@@ -26,8 +26,8 @@
 "x_mitre_version": "1.0",
 "x_mitre_attack_spec_version": "2.1.0",
 "x_mitre_data_sources": [
- "Network Traffic: Network Traffic Flow",
- "Network Traffic: Network Traffic Content"
+ "Network Traffic: Network Traffic Content",
+ "Network Traffic: Network Traffic Flow"
 ],
 "type": "attack-pattern",
 "id": "attack-pattern--e076cca8-2f08-45c9-aff7-ea5ac798b387",
diff --git a/ics-attack/attack-pattern/attack-pattern--e0d74479-86d2-465d-bf36-903ebecef43e.json b/ics-attack/attack-pattern/attack-pattern--e0d74479-86d2-465d-bf36-903ebecef43e.json
index 801219b150..78128667d5 100644
--- a/ics-attack/attack-pattern/attack-pattern--e0d74479-86d2-465d-bf36-903ebecef43e.json
+++ b/ics-attack/attack-pattern/attack-pattern--e0d74479-86d2-465d-bf36-903ebecef43e.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--015ade2d-d619-40dc-93de-7e4dbc99cbfb",
+ "id": "bundle--d3323787-49d3-4f29-8981-25119b013721",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/attack-pattern/attack-pattern--e1f9cdd2-9511-4fca-90d7-f3e92cfdd0bf.json b/ics-attack/attack-pattern/attack-pattern--e1f9cdd2-9511-4fca-90d7-f3e92cfdd0bf.json
index 4017f9f5a3..2b753dd4e8 100644
--- a/ics-attack/attack-pattern/attack-pattern--e1f9cdd2-9511-4fca-90d7-f3e92cfdd0bf.json
+++ b/ics-attack/attack-pattern/attack-pattern--e1f9cdd2-9511-4fca-90d7-f3e92cfdd0bf.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--808eee6f-f435-4ee6-a10a-b4664767b475",
+ "id": "bundle--ab88c9b1-aa19-4a0b-94bf-22fdfe2b62f5",
 "spec_version": "2.0",
 "objects": [
 {
@@ -33,13 +33,13 @@
 "Daisuke Suzuki"
 ],
 "x_mitre_data_sources": [
- "Command: Command Execution",
- "Logon Session: Logon Session Creation",
- "Network Share: Network Share Access",
+ "Process: Process Creation",
 "Network Traffic: Network Connection Creation",
- "Network Traffic: Network Traffic Flow",
- "Network Traffic: Network Traffic Content",
- "Process: Process Creation"
+ "Module: Module Load",
+ "Network Share: Network Share Access",
+ "Logon Session: Logon Session Creation",
+ "Command: Command Execution",
+ "Network Traffic: Network Traffic Flow"
 ],
 "type": "attack-pattern",
 "id": "attack-pattern--e1f9cdd2-9511-4fca-90d7-f3e92cfdd0bf",
diff --git a/ics-attack/attack-pattern/attack-pattern--e2994b6a-122b-4043-b654-7411c5198ec0.json b/ics-attack/attack-pattern/attack-pattern--e2994b6a-122b-4043-b654-7411c5198ec0.json
index e600b44f5a..834a3ee6b2 100644
--- a/ics-attack/attack-pattern/attack-pattern--e2994b6a-122b-4043-b654-7411c5198ec0.json
+++ b/ics-attack/attack-pattern/attack-pattern--e2994b6a-122b-4043-b654-7411c5198ec0.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--05ca603f-5a65-46bd-ac5c-e873b323c1f3",
+ "id": "bundle--5a628d49-5e21-488f-852f-b406da561017",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/attack-pattern/attack-pattern--e33c7ecc-5a38-497f-beb2-a9a2049a4c20.json b/ics-attack/attack-pattern/attack-pattern--e33c7ecc-5a38-497f-beb2-a9a2049a4c20.json
index c8ba683d54..2304bca621 100644
--- a/ics-attack/attack-pattern/attack-pattern--e33c7ecc-5a38-497f-beb2-a9a2049a4c20.json
+++ b/ics-attack/attack-pattern/attack-pattern--e33c7ecc-5a38-497f-beb2-a9a2049a4c20.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--c47c19a1-f3a5-4727-8714-055ea234c515",
+ "id": "bundle--5084dca6-83fd-4c99-9e93-4a445da302ec",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/attack-pattern/attack-pattern--e5de767e-f513-41cd-aa15-33f6ce5fbf92.json b/ics-attack/attack-pattern/attack-pattern--e5de767e-f513-41cd-aa15-33f6ce5fbf92.json
index 1eb53c48aa..88821ef3b5 100644
--- a/ics-attack/attack-pattern/attack-pattern--e5de767e-f513-41cd-aa15-33f6ce5fbf92.json
+++ b/ics-attack/attack-pattern/attack-pattern--e5de767e-f513-41cd-aa15-33f6ce5fbf92.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--1bebb247-dd9e-4ffe-be1d-f7258fa76658",
+ "id": "bundle--01dcd935-b9e0-45b9-8417-aa08bca0c1ee",
 "spec_version": "2.0",
 "objects": [
 {
@@ -28,9 +28,10 @@
 ],
 "x_mitre_version": "1.1",
 "x_mitre_data_sources": [
- "Network Traffic: Network Traffic Content",
+ "Operational Databases: Process History/Live Data",
 "Application Log: Application Log Content",
- "Operational Databases: Process History/Live Data"
+ "Network Traffic: Network Traffic Content",
+ "Asset: Asset Inventory"
 ],
 "type": "attack-pattern",
 "id": "attack-pattern--e5de767e-f513-41cd-aa15-33f6ce5fbf92",
diff --git a/ics-attack/attack-pattern/attack-pattern--e6c31185-8040-4267-83d3-b217b8a92f07.json b/ics-attack/attack-pattern/attack-pattern--e6c31185-8040-4267-83d3-b217b8a92f07.json
index 4b2c942d57..7a27982b9c 100644
--- a/ics-attack/attack-pattern/attack-pattern--e6c31185-8040-4267-83d3-b217b8a92f07.json
+++ b/ics-attack/attack-pattern/attack-pattern--e6c31185-8040-4267-83d3-b217b8a92f07.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--1c3cc061-1c4b-4bc1-ab0e-48eae7ec5ff8",
+ "id": "bundle--b7ed24bd-bada-4e36-ba1b-0ec34e74b422",
 "spec_version": "2.0",
 "objects": [
 {
@@ -31,7 +31,8 @@
 "Matan Dobrushin - Otorio"
 ],
 "x_mitre_data_sources": [
- "Network Traffic: Network Traffic Flow"
+ "Network Traffic: Network Traffic Flow",
+ "Network Traffic: Network Traffic Content"
 ],
 "type": "attack-pattern",
 "id": "attack-pattern--e6c31185-8040-4267-83d3-b217b8a92f07",
diff --git a/ics-attack/attack-pattern/attack-pattern--e72425f8-9ae6-41d3-bfdb-e1b865e60722.json b/ics-attack/attack-pattern/attack-pattern--e72425f8-9ae6-41d3-bfdb-e1b865e60722.json
index 698bfd85b4..403e5e47be 100644
--- a/ics-attack/attack-pattern/attack-pattern--e72425f8-9ae6-41d3-bfdb-e1b865e60722.json
+++ b/ics-attack/attack-pattern/attack-pattern--e72425f8-9ae6-41d3-bfdb-e1b865e60722.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--a15712f7-7db5-4591-aa7f-1df02abbef5f",
+ "id": "bundle--03e5cf64-2e24-4c5c-a63e-73e8e40385a9",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/attack-pattern/attack-pattern--ea0c980c-5cf0-43a7-a049-59c4c207566e.json b/ics-attack/attack-pattern/attack-pattern--ea0c980c-5cf0-43a7-a049-59c4c207566e.json
index 1e2c7d911c..02890cf238 100644
--- a/ics-attack/attack-pattern/attack-pattern--ea0c980c-5cf0-43a7-a049-59c4c207566e.json
+++ b/ics-attack/attack-pattern/attack-pattern--ea0c980c-5cf0-43a7-a049-59c4c207566e.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--aff8ac47-f8e8-4bf5-a0d5-04da869c1d96",
+ "id": "bundle--964ab34b-e86c-438b-a9b2-ece4154462e5",
 "spec_version": "2.0",
 "objects": [
 {
@@ -24,9 +24,10 @@
 ],
 "x_mitre_version": "1.1",
 "x_mitre_data_sources": [
- "Command: Command Execution",
 "Process: OS API Execution",
- "Process: Process Creation"
+ "Script: Script Execution",
+ "Process: Process Creation",
+ "Command: Command Execution"
 ],
 "type": "attack-pattern",
 "id": "attack-pattern--ea0c980c-5cf0-43a7-a049-59c4c207566e",
diff --git a/ics-attack/attack-pattern/attack-pattern--ead7bd34-186e-4c79-9a4d-b65bcce6ed9d.json b/ics-attack/attack-pattern/attack-pattern--ead7bd34-186e-4c79-9a4d-b65bcce6ed9d.json
index 2c76552cdd..7c6ca633d5 100644
--- a/ics-attack/attack-pattern/attack-pattern--ead7bd34-186e-4c79-9a4d-b65bcce6ed9d.json
+++ b/ics-attack/attack-pattern/attack-pattern--ead7bd34-186e-4c79-9a4d-b65bcce6ed9d.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--0700b68c-b52e-4156-802a-aed5768dc8d8",
+ "id": "bundle--0a8bb063-e338-435a-8bee-b4059b77f3bc",
 "spec_version": "2.0",
 "objects": [
 {
@@ -26,11 +26,12 @@
 ],
 "x_mitre_version": "1.1",
 "x_mitre_data_sources": [
+ "Network Traffic: Network Traffic Content",
+ "Network Share: Network Share Access",
+ "Network Traffic: Network Traffic Flow",
 "Command: Command Execution",
 "File: File Creation",
 "File: File Metadata",
- "Network Traffic: Network Traffic Content",
- "Network Traffic: Network Traffic Flow",
 "Process: Process Creation"
 ],
 "type": "attack-pattern",
diff --git a/ics-attack/attack-pattern/attack-pattern--efbf7888-f61b-4572-9c80-7e2965c60707.json b/ics-attack/attack-pattern/attack-pattern--efbf7888-f61b-4572-9c80-7e2965c60707.json
index 30a00bbecc..d92707d6e9 100644
--- a/ics-attack/attack-pattern/attack-pattern--efbf7888-f61b-4572-9c80-7e2965c60707.json
+++ b/ics-attack/attack-pattern/attack-pattern--efbf7888-f61b-4572-9c80-7e2965c60707.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--dc3bc7fd-9b11-44b9-8ff8-abf417c06912",
+ "id": "bundle--ff990c5e-5dfc-471a-a6d4-5b820c69775f",
 "spec_version": "2.0",
 "objects": [
 {
@@ -29,9 +29,10 @@
 ],
 "x_mitre_version": "1.1",
 "x_mitre_data_sources": [
- "Firmware: Firmware Modification",
 "Network Traffic: Network Traffic Content",
- "Network Traffic: Network Traffic Flow"
+ "Application Log: Application Log Content",
+ "Operational Databases: Device Alarm",
+ "Firmware: Firmware Modification"
 ],
 "type": "attack-pattern",
 "id": "attack-pattern--efbf7888-f61b-4572-9c80-7e2965c60707",
diff --git a/ics-attack/attack-pattern/attack-pattern--f8df6b57-14bc-425f-9a91-6f59f6799307.json b/ics-attack/attack-pattern/attack-pattern--f8df6b57-14bc-425f-9a91-6f59f6799307.json
index 33b3e826db..85f0bd021d 100644
--- a/ics-attack/attack-pattern/attack-pattern--f8df6b57-14bc-425f-9a91-6f59f6799307.json
+++ b/ics-attack/attack-pattern/attack-pattern--f8df6b57-14bc-425f-9a91-6f59f6799307.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--7f36ab61-12d4-4f9e-937e-63e20d1974c9",
+ "id": "bundle--c51ed92c-4adb-4ac3-b81a-d403afefc53c",
 "spec_version": "2.0",
 "objects": [
 {
@@ -29,8 +29,8 @@
 ],
 "x_mitre_version": "1.0",
 "x_mitre_data_sources": [
- "Network Traffic: Network Traffic Flow",
 "Network Traffic: Network Traffic Content",
+ "Network Traffic: Network Traffic Flow",
 "Logon Session: Logon Session Metadata"
 ],
 "type": "attack-pattern",
diff --git a/ics-attack/attack-pattern/attack-pattern--fc5fda7e-6b2c-4457-b036-759896a2efa2.json b/ics-attack/attack-pattern/attack-pattern--fc5fda7e-6b2c-4457-b036-759896a2efa2.json
index 6434b2dc04..d928352bd8 100644
--- a/ics-attack/attack-pattern/attack-pattern--fc5fda7e-6b2c-4457-b036-759896a2efa2.json
+++ b/ics-attack/attack-pattern/attack-pattern--fc5fda7e-6b2c-4457-b036-759896a2efa2.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--755f5126-f92c-4bc1-8250-3baabf200341",
+ "id": "bundle--2d30b715-460d-4653-8607-dacd689b3a41",
 "spec_version": "2.0",
 "objects": [
 {
@@ -24,8 +24,10 @@ ], "x_mitre_version": "1.1", "x_mitre_data_sources": [ - "File: File Modification", - "Asset: Software/Firmware" + "Application Log: Application Log Content", + "Network Traffic: Network Traffic Content", + "Asset: Software", + "Operational Databases: Device Alarm" ], "type": "attack-pattern", "id": "attack-pattern--fc5fda7e-6b2c-4457-b036-759896a2efa2", diff --git a/ics-attack/campaign/campaign--65281d3e-b03c-46b8-8cd8-716363ac3cb2.json b/ics-attack/campaign/campaign--65281d3e-b03c-46b8-8cd8-716363ac3cb2.json index 360e9c71c2..7459d2268d 100644 --- a/ics-attack/campaign/campaign--65281d3e-b03c-46b8-8cd8-716363ac3cb2.json +++ b/ics-attack/campaign/campaign--65281d3e-b03c-46b8-8cd8-716363ac3cb2.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--db8d476d-2543-4509-8b32-a9aa13a59c67", + "id": "bundle--51e42b1d-9516-4b2f-a2d7-a88a63721658", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/course-of-action/course-of-action--059ba11e-e3dc-49aa-84ca-88197f40d4ea.json b/ics-attack/course-of-action/course-of-action--059ba11e-e3dc-49aa-84ca-88197f40d4ea.json index 11ded79b43..42e5e885a0 100644 --- a/ics-attack/course-of-action/course-of-action--059ba11e-e3dc-49aa-84ca-88197f40d4ea.json +++ b/ics-attack/course-of-action/course-of-action--059ba11e-e3dc-49aa-84ca-88197f40d4ea.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--3ccbc7dc-cb15-40a5-b8bd-7f1d3347d559", + "id": "bundle--6fac6ad5-4d6b-445f-b2ad-449a7e33d7a0", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/course-of-action/course-of-action--11f242bc-3121-438c-84b2-5cbd46a4bb17.json b/ics-attack/course-of-action/course-of-action--11f242bc-3121-438c-84b2-5cbd46a4bb17.json index 13e145e480..434d3dfcb0 100644 --- a/ics-attack/course-of-action/course-of-action--11f242bc-3121-438c-84b2-5cbd46a4bb17.json +++ b/ics-attack/course-of-action/course-of-action--11f242bc-3121-438c-84b2-5cbd46a4bb17.json 
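Review bot: In the `@@ -24,8 +24,10 @@` hunk for attack-pattern--fc5fda7e, `"Asset: Software/Firmware"` is replaced by `"Asset: Software"`, and these entries are plain name strings rather than STIX id references. Detection-coverage tooling that joins techniques to data components by name would silently lose this mapping unless a data component with the new name ships in the same release; that object is not visible in this part of the diff. A release check that every `x_mitre_data_sources` entry resolves to an existing `x-mitre-data-source` / `x-mitre-data-component` name pair would catch a mismatch. The same replacement appears in ics-attack.json at `@@ -3472,8 +3471,9 @@`, and `"Asset: Device Configuration/Parameters"` gives way to `"Asset: Asset Inventory"` at `@@ -3423,10 +3422,10 @@`.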
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--1c6c0337-c4b5-4b6d-8253-9cbdaf176e97", + "id": "bundle--6892a7cd-a79b-46ef-a5c9-245ea89e5584", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/course-of-action/course-of-action--143b4398-3222-480a-b6a4-e131bc2d3144.json b/ics-attack/course-of-action/course-of-action--143b4398-3222-480a-b6a4-e131bc2d3144.json index 7fa3f0d135..47576e71dd 100644 --- a/ics-attack/course-of-action/course-of-action--143b4398-3222-480a-b6a4-e131bc2d3144.json +++ b/ics-attack/course-of-action/course-of-action--143b4398-3222-480a-b6a4-e131bc2d3144.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--f565872b-11f2-4816-8ea8-56c522621642", + "id": "bundle--5586eccf-3eeb-4224-acc6-7371e6ff02bc", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/course-of-action/course-of-action--1e7ccfc0-94c8-496e-8d27-032120892291.json b/ics-attack/course-of-action/course-of-action--1e7ccfc0-94c8-496e-8d27-032120892291.json index 2c4be6f6ad..769f98c636 100644 --- a/ics-attack/course-of-action/course-of-action--1e7ccfc0-94c8-496e-8d27-032120892291.json +++ b/ics-attack/course-of-action/course-of-action--1e7ccfc0-94c8-496e-8d27-032120892291.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--fbde3f3f-153a-4016-8bc7-85d28df98760", + "id": "bundle--30539a3a-3561-43c5-a470-a82c648c39e6", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/course-of-action/course-of-action--2ab9fc6d-3cf6-4d7b-85f1-3ad6949233b3.json b/ics-attack/course-of-action/course-of-action--2ab9fc6d-3cf6-4d7b-85f1-3ad6949233b3.json index dbea75d31e..19a2a449c8 100644 --- a/ics-attack/course-of-action/course-of-action--2ab9fc6d-3cf6-4d7b-85f1-3ad6949233b3.json +++ b/ics-attack/course-of-action/course-of-action--2ab9fc6d-3cf6-4d7b-85f1-3ad6949233b3.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--d6c3a930-5092-46da-ad56-9a901b790f49", + "id": "bundle--fab02b81-5057-44ba-ab18-6c121d53b5fe", "spec_version": "2.0", "objects": [ { 
diff --git a/ics-attack/course-of-action/course-of-action--2f0160b7-e982-49d7-9612-f19b810f1722.json b/ics-attack/course-of-action/course-of-action--2f0160b7-e982-49d7-9612-f19b810f1722.json index a8c5cba9f6..40ce42e244 100644 --- a/ics-attack/course-of-action/course-of-action--2f0160b7-e982-49d7-9612-f19b810f1722.json +++ b/ics-attack/course-of-action/course-of-action--2f0160b7-e982-49d7-9612-f19b810f1722.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--a0f0ee6b-2668-4058-b256-13a54963dd77", + "id": "bundle--a489c174-c85c-470b-be84-2ace36ceaec7", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/course-of-action/course-of-action--3172222b-4983-43f7-8983-753ded4f13bc.json b/ics-attack/course-of-action/course-of-action--3172222b-4983-43f7-8983-753ded4f13bc.json index 802bc64ebe..80ad233c2d 100644 --- a/ics-attack/course-of-action/course-of-action--3172222b-4983-43f7-8983-753ded4f13bc.json +++ b/ics-attack/course-of-action/course-of-action--3172222b-4983-43f7-8983-753ded4f13bc.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--d8e5877a-1d42-4856-baba-4524966e0da3", + "id": "bundle--5b351fd4-8615-4d0a-ad2f-43aea06e6a52", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/course-of-action/course-of-action--3222a807-521b-4a1a-aa13-f1cda45734b3.json b/ics-attack/course-of-action/course-of-action--3222a807-521b-4a1a-aa13-f1cda45734b3.json index 140c67b7b0..00fcf73c73 100644 --- a/ics-attack/course-of-action/course-of-action--3222a807-521b-4a1a-aa13-f1cda45734b3.json +++ b/ics-attack/course-of-action/course-of-action--3222a807-521b-4a1a-aa13-f1cda45734b3.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--b12cd0e9-5d3b-475c-9fec-1b2f11300163", + "id": "bundle--d2e1334a-bb31-4e22-8de0-53229f9e73e1", "spec_version": "2.0", "objects": [ { 
diff --git a/ics-attack/course-of-action/course-of-action--337c4e2a-21a7-4d9a-bfee-9efd6cebf0e5.json b/ics-attack/course-of-action/course-of-action--337c4e2a-21a7-4d9a-bfee-9efd6cebf0e5.json index 74f389cf8b..09df7bc990 100644 --- a/ics-attack/course-of-action/course-of-action--337c4e2a-21a7-4d9a-bfee-9efd6cebf0e5.json +++ b/ics-attack/course-of-action/course-of-action--337c4e2a-21a7-4d9a-bfee-9efd6cebf0e5.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--9eff1236-fea7-486c-be05-3a9cf994878d", + "id": "bundle--ae03a2e6-2051-4a7e-9720-e6b9f06d9480", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/course-of-action/course-of-action--3992ce42-43e9-4bea-b8db-a102ec3ec1e3.json b/ics-attack/course-of-action/course-of-action--3992ce42-43e9-4bea-b8db-a102ec3ec1e3.json index ec7a6402d4..dabe9a4c4a 100644 --- a/ics-attack/course-of-action/course-of-action--3992ce42-43e9-4bea-b8db-a102ec3ec1e3.json +++ b/ics-attack/course-of-action/course-of-action--3992ce42-43e9-4bea-b8db-a102ec3ec1e3.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--9b525bad-2d33-4b37-ab46-771611b98165", + "id": "bundle--962afda3-7c12-4e6a-8bbb-b0ee5831052f", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/course-of-action/course-of-action--469b78dd-a54d-4f7c-8c3b-4a1dd916b433.json b/ics-attack/course-of-action/course-of-action--469b78dd-a54d-4f7c-8c3b-4a1dd916b433.json index 107aaa1638..24d91938d2 100644 --- a/ics-attack/course-of-action/course-of-action--469b78dd-a54d-4f7c-8c3b-4a1dd916b433.json +++ b/ics-attack/course-of-action/course-of-action--469b78dd-a54d-4f7c-8c3b-4a1dd916b433.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--06511479-30e2-4027-812b-f825f6e5fa69", + "id": "bundle--5c403704-5490-43e8-ae13-192215d73355", "spec_version": "2.0", "objects": [ { 
diff --git a/ics-attack/course-of-action/course-of-action--49363b74-d506-4342-bd63-320586ebadb9.json b/ics-attack/course-of-action/course-of-action--49363b74-d506-4342-bd63-320586ebadb9.json index fb6a04e491..0ce0fab88a 100644 --- a/ics-attack/course-of-action/course-of-action--49363b74-d506-4342-bd63-320586ebadb9.json +++ b/ics-attack/course-of-action/course-of-action--49363b74-d506-4342-bd63-320586ebadb9.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--42c72877-d523-4013-9a62-b29f2365a84b", + "id": "bundle--8f72653c-4ca5-41dc-84a2-f8adde7d1f37", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/course-of-action/course-of-action--49b306c1-a046-42c5-a4d2-30f264ada110.json b/ics-attack/course-of-action/course-of-action--49b306c1-a046-42c5-a4d2-30f264ada110.json index 545dc145c6..312b37fe4c 100644 --- a/ics-attack/course-of-action/course-of-action--49b306c1-a046-42c5-a4d2-30f264ada110.json +++ b/ics-attack/course-of-action/course-of-action--49b306c1-a046-42c5-a4d2-30f264ada110.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--81ceedf4-6ae8-45e8-aac0-31c61c799a3f", + "id": "bundle--484332ad-b600-44d0-946c-c0e7c8fa64b8", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/course-of-action/course-of-action--4fa717d9-cabe-47c8-8cdd-86e9e2e37f30.json b/ics-attack/course-of-action/course-of-action--4fa717d9-cabe-47c8-8cdd-86e9e2e37f30.json index 867f9f2073..7bdfb457c6 100644 --- a/ics-attack/course-of-action/course-of-action--4fa717d9-cabe-47c8-8cdd-86e9e2e37f30.json +++ b/ics-attack/course-of-action/course-of-action--4fa717d9-cabe-47c8-8cdd-86e9e2e37f30.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--dd0ed07b-3146-4ec4-9160-8060bb547b3c", + "id": "bundle--c1342d0f-2493-4211-91d7-fec7605ad257", "spec_version": "2.0", "objects": [ { 
diff --git a/ics-attack/course-of-action/course-of-action--52c7a1a9-3a78-4528-a44f-cd7b0fa3541a.json b/ics-attack/course-of-action/course-of-action--52c7a1a9-3a78-4528-a44f-cd7b0fa3541a.json index 26db742613..d0d07ff681 100644 --- a/ics-attack/course-of-action/course-of-action--52c7a1a9-3a78-4528-a44f-cd7b0fa3541a.json +++ b/ics-attack/course-of-action/course-of-action--52c7a1a9-3a78-4528-a44f-cd7b0fa3541a.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--0fcbb767-83cb-4c28-ba08-54531cec4d01", + "id": "bundle--c37d454d-067e-4aba-bfa4-98b308e11aab", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/course-of-action/course-of-action--5d97c693-e054-48ba-a3a3-eaf6942dfb65.json b/ics-attack/course-of-action/course-of-action--5d97c693-e054-48ba-a3a3-eaf6942dfb65.json index bc1497762d..cc325f0c8c 100644 --- a/ics-attack/course-of-action/course-of-action--5d97c693-e054-48ba-a3a3-eaf6942dfb65.json +++ b/ics-attack/course-of-action/course-of-action--5d97c693-e054-48ba-a3a3-eaf6942dfb65.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--dbe60aeb-703b-4a94-8205-f5f44026f823", + "id": "bundle--30f8a162-3a18-4e78-8f29-29e423b064ce", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/course-of-action/course-of-action--622fe4d4-0e8e-4d17-9c25-6c9cef1f15d5.json b/ics-attack/course-of-action/course-of-action--622fe4d4-0e8e-4d17-9c25-6c9cef1f15d5.json index 62d6e3dcc8..bbfe01db1b 100644 --- a/ics-attack/course-of-action/course-of-action--622fe4d4-0e8e-4d17-9c25-6c9cef1f15d5.json +++ b/ics-attack/course-of-action/course-of-action--622fe4d4-0e8e-4d17-9c25-6c9cef1f15d5.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--44537228-da7e-4a58-abd3-234e728d1420", + "id": "bundle--63ada407-1189-456a-a4b8-565e2e1b6fd9", "spec_version": "2.0", "objects": [ { 
diff --git a/ics-attack/course-of-action/course-of-action--66cfe23e-34b6-4583-b178-ed6a412db2b0.json b/ics-attack/course-of-action/course-of-action--66cfe23e-34b6-4583-b178-ed6a412db2b0.json index e79dd07a67..f7a69d6410 100644 --- a/ics-attack/course-of-action/course-of-action--66cfe23e-34b6-4583-b178-ed6a412db2b0.json +++ b/ics-attack/course-of-action/course-of-action--66cfe23e-34b6-4583-b178-ed6a412db2b0.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--5968be92-3ce3-4655-8386-569c6d37018b", + "id": "bundle--cd977255-fe64-4c52-a0d4-e8ea45989e1a", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/course-of-action/course-of-action--6a02e38a-9629-40c0-8c7d-e98e3470315c.json b/ics-attack/course-of-action/course-of-action--6a02e38a-9629-40c0-8c7d-e98e3470315c.json index 2fc5a058f2..3cdebdfa11 100644 --- a/ics-attack/course-of-action/course-of-action--6a02e38a-9629-40c0-8c7d-e98e3470315c.json +++ b/ics-attack/course-of-action/course-of-action--6a02e38a-9629-40c0-8c7d-e98e3470315c.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--b4968aa0-ad0b-42d4-a29f-c2cc0b89d13a", + "id": "bundle--862f26a1-1ee5-41be-958b-268689bf4bae", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/course-of-action/course-of-action--71eb7dad-07eb-4bbc-9df0-ac57bf2fba4a.json b/ics-attack/course-of-action/course-of-action--71eb7dad-07eb-4bbc-9df0-ac57bf2fba4a.json index b3665ce4c3..d4482cdcf9 100644 --- a/ics-attack/course-of-action/course-of-action--71eb7dad-07eb-4bbc-9df0-ac57bf2fba4a.json +++ b/ics-attack/course-of-action/course-of-action--71eb7dad-07eb-4bbc-9df0-ac57bf2fba4a.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--a76e2b07-1a9b-423a-b04b-0e2465d7f06f", + "id": "bundle--cd485635-c7c4-4a20-87a4-66c83df98b86", "spec_version": "2.0", "objects": [ { 
diff --git a/ics-attack/course-of-action/course-of-action--72e46e53-e12d-4106-9c70-33241b6ed549.json b/ics-attack/course-of-action/course-of-action--72e46e53-e12d-4106-9c70-33241b6ed549.json index bbdecdd9aa..f841c68d2f 100644 --- a/ics-attack/course-of-action/course-of-action--72e46e53-e12d-4106-9c70-33241b6ed549.json +++ b/ics-attack/course-of-action/course-of-action--72e46e53-e12d-4106-9c70-33241b6ed549.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--cf722d27-261a-4879-8166-c7a468e504e6", + "id": "bundle--09be7739-36bd-4c74-8fca-b8ca1fae1306", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/course-of-action/course-of-action--7f153c28-e5f1-4764-88fb-eea1d9b0ad4a.json b/ics-attack/course-of-action/course-of-action--7f153c28-e5f1-4764-88fb-eea1d9b0ad4a.json index d0c93daa1b..5fb6bf761b 100644 --- a/ics-attack/course-of-action/course-of-action--7f153c28-e5f1-4764-88fb-eea1d9b0ad4a.json +++ b/ics-attack/course-of-action/course-of-action--7f153c28-e5f1-4764-88fb-eea1d9b0ad4a.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--d02587fe-48e1-4eaa-b672-52560ea4980d", + "id": "bundle--ca09efb4-0dd6-4050-ba7b-74269e684ca1", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/course-of-action/course-of-action--86b455f2-fb63-4043-93a8-32a3a7703a02.json b/ics-attack/course-of-action/course-of-action--86b455f2-fb63-4043-93a8-32a3a7703a02.json index 1aba05bc9f..a12a70a681 100644 --- a/ics-attack/course-of-action/course-of-action--86b455f2-fb63-4043-93a8-32a3a7703a02.json +++ b/ics-attack/course-of-action/course-of-action--86b455f2-fb63-4043-93a8-32a3a7703a02.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--a8e3dabb-669a-4825-9ec5-98e1bbb6a179", + "id": "bundle--16e83d5c-4cb8-4f11-a380-cd479c4edef7", "spec_version": "2.0", "objects": [ { 
diff --git a/ics-attack/course-of-action/course-of-action--8a3aadd0-b5f4-433a-800e-4893e4196bb7.json b/ics-attack/course-of-action/course-of-action--8a3aadd0-b5f4-433a-800e-4893e4196bb7.json index 0c5f460144..274b63ae4c 100644 --- a/ics-attack/course-of-action/course-of-action--8a3aadd0-b5f4-433a-800e-4893e4196bb7.json +++ b/ics-attack/course-of-action/course-of-action--8a3aadd0-b5f4-433a-800e-4893e4196bb7.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--4cb33515-55c3-40c2-9743-797c9cb64b5c", + "id": "bundle--2d019ae0-9a40-4626-8a46-7e202cae32bc", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/course-of-action/course-of-action--8ac1d6e1-b07f-476a-9732-84984ebc2405.json b/ics-attack/course-of-action/course-of-action--8ac1d6e1-b07f-476a-9732-84984ebc2405.json index af37c781d5..9b4634e034 100644 --- a/ics-attack/course-of-action/course-of-action--8ac1d6e1-b07f-476a-9732-84984ebc2405.json +++ b/ics-attack/course-of-action/course-of-action--8ac1d6e1-b07f-476a-9732-84984ebc2405.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--b7a67052-a792-4544-a8bc-5d02bc00dfc4", + "id": "bundle--ac2b202a-ca25-4222-8154-5c2feeb488a7", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/course-of-action/course-of-action--8bc4a54e-810c-4600-8b6c-08fa8413a401.json b/ics-attack/course-of-action/course-of-action--8bc4a54e-810c-4600-8b6c-08fa8413a401.json index 2f45376e42..b37d6d1215 100644 --- a/ics-attack/course-of-action/course-of-action--8bc4a54e-810c-4600-8b6c-08fa8413a401.json +++ b/ics-attack/course-of-action/course-of-action--8bc4a54e-810c-4600-8b6c-08fa8413a401.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--cd63566f-efbf-410a-8b3f-250d0b380089", + "id": "bundle--708cba23-ee91-427b-8a21-3f7450160481", "spec_version": "2.0", "objects": [ { 
diff --git a/ics-attack/course-of-action/course-of-action--97f33c84-8508-45b9-8a1d-cac921828c9e.json b/ics-attack/course-of-action/course-of-action--97f33c84-8508-45b9-8a1d-cac921828c9e.json index 83f8170f07..bde0520818 100644 --- a/ics-attack/course-of-action/course-of-action--97f33c84-8508-45b9-8a1d-cac921828c9e.json +++ b/ics-attack/course-of-action/course-of-action--97f33c84-8508-45b9-8a1d-cac921828c9e.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--8d9179fb-b4a9-44d3-9da8-f0ea3acda701", + "id": "bundle--87b14486-c859-48a7-843f-4f702e32d697", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/course-of-action/course-of-action--98aa0d61-fc9d-4b2d-8f18-b25d03549f53.json b/ics-attack/course-of-action/course-of-action--98aa0d61-fc9d-4b2d-8f18-b25d03549f53.json index 83969988d2..ef2ff5e51b 100644 --- a/ics-attack/course-of-action/course-of-action--98aa0d61-fc9d-4b2d-8f18-b25d03549f53.json +++ b/ics-attack/course-of-action/course-of-action--98aa0d61-fc9d-4b2d-8f18-b25d03549f53.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--205cd5da-dd18-4615-b100-823ec928d6cb", + "id": "bundle--f6cc5f61-a70f-478c-bdb4-4e0e517b077e", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/course-of-action/course-of-action--99c746d7-a08a-4169-94f9-b8c0dad716fa.json b/ics-attack/course-of-action/course-of-action--99c746d7-a08a-4169-94f9-b8c0dad716fa.json index 568f889e90..68f58fbe54 100644 --- a/ics-attack/course-of-action/course-of-action--99c746d7-a08a-4169-94f9-b8c0dad716fa.json +++ b/ics-attack/course-of-action/course-of-action--99c746d7-a08a-4169-94f9-b8c0dad716fa.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--7d0122ba-dbf3-4ad1-b665-6a5b4bde8324", + "id": "bundle--04ce0313-c34b-4995-9588-6ba630938e4f", "spec_version": "2.0", "objects": [ { 
diff --git a/ics-attack/course-of-action/course-of-action--9a945a29-5233-4422-a9e3-3e957b0e8bce.json b/ics-attack/course-of-action/course-of-action--9a945a29-5233-4422-a9e3-3e957b0e8bce.json index 9b5bd19a02..c3aabc2c6d 100644 --- a/ics-attack/course-of-action/course-of-action--9a945a29-5233-4422-a9e3-3e957b0e8bce.json +++ b/ics-attack/course-of-action/course-of-action--9a945a29-5233-4422-a9e3-3e957b0e8bce.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--cdc1cc93-4e92-420e-abe7-4205fc594870", + "id": "bundle--bf534059-78ae-4344-88e8-2295db81f6a8", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/course-of-action/course-of-action--9e3adcad-0b8f-4ecc-a2f3-06f607f53bf0.json b/ics-attack/course-of-action/course-of-action--9e3adcad-0b8f-4ecc-a2f3-06f607f53bf0.json index 6b00fe8ad4..75d25cd75d 100644 --- a/ics-attack/course-of-action/course-of-action--9e3adcad-0b8f-4ecc-a2f3-06f607f53bf0.json +++ b/ics-attack/course-of-action/course-of-action--9e3adcad-0b8f-4ecc-a2f3-06f607f53bf0.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--ed06d7f3-2b44-4034-aa0c-41a2a2bf29cf", + "id": "bundle--76bf6ca6-424d-4e48-bba7-1d7219c6849d", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/course-of-action/course-of-action--9f99fcfd-772e-4e63-9d39-e45612e546dc.json b/ics-attack/course-of-action/course-of-action--9f99fcfd-772e-4e63-9d39-e45612e546dc.json index cdf0a82112..c9b9e8197d 100644 --- a/ics-attack/course-of-action/course-of-action--9f99fcfd-772e-4e63-9d39-e45612e546dc.json +++ b/ics-attack/course-of-action/course-of-action--9f99fcfd-772e-4e63-9d39-e45612e546dc.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--4bc56db7-4b7d-47b3-b2ed-dcb6cd08b6a8", + "id": "bundle--1653b0a9-e15c-4ecb-9f3a-e6b36efb7fb9", "spec_version": "2.0", "objects": [ { 
diff --git a/ics-attack/course-of-action/course-of-action--aadac250-bcdc-44e3-a4ae-f52bd0a7a16a.json b/ics-attack/course-of-action/course-of-action--aadac250-bcdc-44e3-a4ae-f52bd0a7a16a.json index 06c0188576..e6839e58b7 100644 --- a/ics-attack/course-of-action/course-of-action--aadac250-bcdc-44e3-a4ae-f52bd0a7a16a.json +++ b/ics-attack/course-of-action/course-of-action--aadac250-bcdc-44e3-a4ae-f52bd0a7a16a.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--52cbac5b-a73c-4c27-89b5-e6a203f5a708", + "id": "bundle--083f576d-c156-4ede-b836-b00629c8bdd2", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/course-of-action/course-of-action--ac8f3492-7fbb-4a0a-b0b4-b75ec676136c.json b/ics-attack/course-of-action/course-of-action--ac8f3492-7fbb-4a0a-b0b4-b75ec676136c.json index c0e79ceacb..eaf1236271 100644 --- a/ics-attack/course-of-action/course-of-action--ac8f3492-7fbb-4a0a-b0b4-b75ec676136c.json +++ b/ics-attack/course-of-action/course-of-action--ac8f3492-7fbb-4a0a-b0b4-b75ec676136c.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--f455a107-82c5-4324-8413-ced84c093f0b", + "id": "bundle--8c485dc6-6ec9-4263-9df4-12e0670f2d7c", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/course-of-action/course-of-action--ad12819e-3211-4291-b360-069f280cff0a.json b/ics-attack/course-of-action/course-of-action--ad12819e-3211-4291-b360-069f280cff0a.json index 1ede22e42b..a55a6dd246 100644 --- a/ics-attack/course-of-action/course-of-action--ad12819e-3211-4291-b360-069f280cff0a.json +++ b/ics-attack/course-of-action/course-of-action--ad12819e-3211-4291-b360-069f280cff0a.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--b21c6099-a776-442e-b80a-1e7af534b595", + "id": "bundle--86c65616-2bb0-489b-bba3-fae2d3ddd756", "spec_version": "2.0", "objects": [ { 
diff --git a/ics-attack/course-of-action/course-of-action--b11cad63-ef30-4eb8-af0d-6cc46eef3f3e.json b/ics-attack/course-of-action/course-of-action--b11cad63-ef30-4eb8-af0d-6cc46eef3f3e.json index 00a91805d8..cd31643424 100644 --- a/ics-attack/course-of-action/course-of-action--b11cad63-ef30-4eb8-af0d-6cc46eef3f3e.json +++ b/ics-attack/course-of-action/course-of-action--b11cad63-ef30-4eb8-af0d-6cc46eef3f3e.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--c18aa2d8-1f84-4da7-aa2e-7f03b9cf0b26", + "id": "bundle--93345c32-fef4-4366-82c8-4cf3b1306a55", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/course-of-action/course-of-action--bcf91ebc-f316-4e19-b2f6-444e9940c697.json b/ics-attack/course-of-action/course-of-action--bcf91ebc-f316-4e19-b2f6-444e9940c697.json index 3a29bfe73b..09363d2c8d 100644 --- a/ics-attack/course-of-action/course-of-action--bcf91ebc-f316-4e19-b2f6-444e9940c697.json +++ b/ics-attack/course-of-action/course-of-action--bcf91ebc-f316-4e19-b2f6-444e9940c697.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--82a265f4-6f96-45d8-9b32-3a53ae754668", + "id": "bundle--38cd2657-a926-445a-9b39-3914e2fec38b", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/course-of-action/course-of-action--c7257b6e-4159-4771-b1f3-2bb93adaecac.json b/ics-attack/course-of-action/course-of-action--c7257b6e-4159-4771-b1f3-2bb93adaecac.json index 2c99570bef..77b83ae7ac 100644 --- a/ics-attack/course-of-action/course-of-action--c7257b6e-4159-4771-b1f3-2bb93adaecac.json +++ b/ics-attack/course-of-action/course-of-action--c7257b6e-4159-4771-b1f3-2bb93adaecac.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--4c98ae47-8e0b-4024-b44b-9a81a2db4242", + "id": "bundle--cf6a9b65-4d0d-4c98-8f0b-bb833fa75600", "spec_version": "2.0", "objects": [ { 
diff --git a/ics-attack/course-of-action/course-of-action--d0909119-2f71-4923-87db-b649881672d7.json b/ics-attack/course-of-action/course-of-action--d0909119-2f71-4923-87db-b649881672d7.json index d1e5b75571..d0d965cec7 100644 --- a/ics-attack/course-of-action/course-of-action--d0909119-2f71-4923-87db-b649881672d7.json +++ b/ics-attack/course-of-action/course-of-action--d0909119-2f71-4923-87db-b649881672d7.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--d7c29a94-4983-4928-b2ab-ddf919f32ff8", + "id": "bundle--a2d7805a-860d-4b7d-9c29-b513aff4cba8", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/course-of-action/course-of-action--d48b79b2-076d-483e-949c-0d38aa347499.json b/ics-attack/course-of-action/course-of-action--d48b79b2-076d-483e-949c-0d38aa347499.json index fd4716704a..b158a663d2 100644 --- a/ics-attack/course-of-action/course-of-action--d48b79b2-076d-483e-949c-0d38aa347499.json +++ b/ics-attack/course-of-action/course-of-action--d48b79b2-076d-483e-949c-0d38aa347499.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--24c82165-8aa9-4574-965f-3458a8d79359", + "id": "bundle--ed9c151a-0cda-4c40-83c9-4c2bf5a06260", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/course-of-action/course-of-action--da44255d-85c5-492c-baf3-ee823d44f848.json b/ics-attack/course-of-action/course-of-action--da44255d-85c5-492c-baf3-ee823d44f848.json index a46b6c895e..87e8f2e80a 100644 --- a/ics-attack/course-of-action/course-of-action--da44255d-85c5-492c-baf3-ee823d44f848.json +++ b/ics-attack/course-of-action/course-of-action--da44255d-85c5-492c-baf3-ee823d44f848.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--5d66132b-8676-4a49-a03d-2e92fedea5a8", + "id": "bundle--d2a1f704-0dd3-492d-9d6b-5c3a762cbecd", "spec_version": "2.0", "objects": [ { 
diff --git a/ics-attack/course-of-action/course-of-action--dc61c280-c29d-44e5-a960-c0dd1623d2ba.json b/ics-attack/course-of-action/course-of-action--dc61c280-c29d-44e5-a960-c0dd1623d2ba.json index 265eb32339..82ef9a832a 100644 --- a/ics-attack/course-of-action/course-of-action--dc61c280-c29d-44e5-a960-c0dd1623d2ba.json +++ b/ics-attack/course-of-action/course-of-action--dc61c280-c29d-44e5-a960-c0dd1623d2ba.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--127e47a2-9aa9-4013-95f2-cf3ae3313f1c", + "id": "bundle--185d0af9-e765-4e32-a668-f10ca203866c", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/course-of-action/course-of-action--ddf3e568-f065-49e2-9106-42029a28ddbd.json b/ics-attack/course-of-action/course-of-action--ddf3e568-f065-49e2-9106-42029a28ddbd.json index 9daef3702a..35bd6b1736 100644 --- a/ics-attack/course-of-action/course-of-action--ddf3e568-f065-49e2-9106-42029a28ddbd.json +++ b/ics-attack/course-of-action/course-of-action--ddf3e568-f065-49e2-9106-42029a28ddbd.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--dbb8d764-a6aa-4f19-bc46-d6ed476fe524", + "id": "bundle--ed24f0f7-a991-4ba5-a0ad-98b567f7837e", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/course-of-action/course-of-action--de0bc375-50e1-4e26-a342-a8ff8c9d3037.json b/ics-attack/course-of-action/course-of-action--de0bc375-50e1-4e26-a342-a8ff8c9d3037.json index 1297d33d47..c00262d0bb 100644 --- a/ics-attack/course-of-action/course-of-action--de0bc375-50e1-4e26-a342-a8ff8c9d3037.json +++ b/ics-attack/course-of-action/course-of-action--de0bc375-50e1-4e26-a342-a8ff8c9d3037.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--1fa4985a-2351-4192-9c81-821f9d12cf88", + "id": "bundle--6dac863a-784c-42d8-b896-852fc9ff5bcc", "spec_version": "2.0", "objects": [ { 
diff --git a/ics-attack/course-of-action/course-of-action--e0d38502-decb-481d-ad8b-b8f0a0c330bd.json b/ics-attack/course-of-action/course-of-action--e0d38502-decb-481d-ad8b-b8f0a0c330bd.json index 606e4f2b0d..ae4410b5b6 100644 --- a/ics-attack/course-of-action/course-of-action--e0d38502-decb-481d-ad8b-b8f0a0c330bd.json +++ b/ics-attack/course-of-action/course-of-action--e0d38502-decb-481d-ad8b-b8f0a0c330bd.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--b4f9fb8c-c727-44d0-b212-15c7f2e8f381", + "id": "bundle--a5997bd1-1920-4e0b-add4-6fce760ad7af", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/course-of-action/course-of-action--e57ebc6d-785f-40c8-adb1-b5b5e09b3b48.json b/ics-attack/course-of-action/course-of-action--e57ebc6d-785f-40c8-adb1-b5b5e09b3b48.json index 7552f0ff89..afe1cf7376 100644 --- a/ics-attack/course-of-action/course-of-action--e57ebc6d-785f-40c8-adb1-b5b5e09b3b48.json +++ b/ics-attack/course-of-action/course-of-action--e57ebc6d-785f-40c8-adb1-b5b5e09b3b48.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--0d844fca-56b3-4566-a977-dbd117eee4e9", + "id": "bundle--b0bb591f-2110-4ede-bd97-a8853c3f3f21", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/course-of-action/course-of-action--f0f5c87a-a58d-440a-b3b5-ca679d98c6dd.json b/ics-attack/course-of-action/course-of-action--f0f5c87a-a58d-440a-b3b5-ca679d98c6dd.json index 3e2d04cffd..a1f517c800 100644 --- a/ics-attack/course-of-action/course-of-action--f0f5c87a-a58d-440a-b3b5-ca679d98c6dd.json +++ b/ics-attack/course-of-action/course-of-action--f0f5c87a-a58d-440a-b3b5-ca679d98c6dd.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--9e38ce62-ca39-437e-ab2a-c0ddeade6e4c", + "id": "bundle--0ed2a3b0-c9d9-45d6-a272-94b532e58212", "spec_version": "2.0", "objects": [ { 
diff --git a/ics-attack/course-of-action/course-of-action--f9fcb3ec-6de0-4559-8cd9-ef1c0c7d1971.json b/ics-attack/course-of-action/course-of-action--f9fcb3ec-6de0-4559-8cd9-ef1c0c7d1971.json index 37bfd29c26..7238efce57 100644 --- a/ics-attack/course-of-action/course-of-action--f9fcb3ec-6de0-4559-8cd9-ef1c0c7d1971.json +++ b/ics-attack/course-of-action/course-of-action--f9fcb3ec-6de0-4559-8cd9-ef1c0c7d1971.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--ff6ebc5c-5fee-4902-b3de-7f64984778f1", + "id": "bundle--7e0567f0-b0e1-4c46-92de-6ea60e74ad2b", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/course-of-action/course-of-action--facb8840-ebe7-49f1-b464-8ef6c8131e21.json b/ics-attack/course-of-action/course-of-action--facb8840-ebe7-49f1-b464-8ef6c8131e21.json index f44faf9f63..61d1c310e8 100644 --- a/ics-attack/course-of-action/course-of-action--facb8840-ebe7-49f1-b464-8ef6c8131e21.json +++ b/ics-attack/course-of-action/course-of-action--facb8840-ebe7-49f1-b464-8ef6c8131e21.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--e2e181c7-78ac-473c-a49c-b92cf805b111", + "id": "bundle--ed14d0ee-aedf-4b9c-825d-e3a0da9aeaae", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/course-of-action/course-of-action--faf2b40e-5981-433f-aa46-17458e0026f7.json b/ics-attack/course-of-action/course-of-action--faf2b40e-5981-433f-aa46-17458e0026f7.json index bdd7d58778..967c3ac3eb 100644 --- a/ics-attack/course-of-action/course-of-action--faf2b40e-5981-433f-aa46-17458e0026f7.json +++ b/ics-attack/course-of-action/course-of-action--faf2b40e-5981-433f-aa46-17458e0026f7.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--953632b3-8182-4ac2-83c4-1550c680aaf1", + "id": "bundle--3347f9ce-9594-48ca-a7b7-dc40266e6b13", "spec_version": "2.0", "objects": [ { 
diff --git a/ics-attack/course-of-action/course-of-action--fce6866f-9a87-4d3e-a73c-f02d8937fe0e.json b/ics-attack/course-of-action/course-of-action--fce6866f-9a87-4d3e-a73c-f02d8937fe0e.json index 599be3138f..62fe3da910 100644 --- a/ics-attack/course-of-action/course-of-action--fce6866f-9a87-4d3e-a73c-f02d8937fe0e.json +++ b/ics-attack/course-of-action/course-of-action--fce6866f-9a87-4d3e-a73c-f02d8937fe0e.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--bb56c43c-4a15-4c35-bde6-e0449754443a", + "id": "bundle--32e7e525-011f-4c8e-bf5d-ad300cf24af3", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/ics-attack.json b/ics-attack/ics-attack.json index d0e86533a0..a4cf0ffaa1 100644 --- a/ics-attack/ics-attack.json +++ b/ics-attack/ics-attack.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--ce00bb62-0f29-4d86-ba82-8334a21ce5b5", + "id": "bundle--326be5ca-06af-41f9-b620-20c5c1d75430", "objects": [ { "tactic_refs": [ @@ -3309,12 +3309,11 @@ "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_data_sources": [ - "Network Traffic: Network Traffic Flow", - "Network Traffic: Network Connection Creation", "Application Log: Application Log Content", + "Network Traffic: Network Traffic Flow", + "Operational Databases: Process/Event Alarm", "Process: Process Termination", - "Operational Databases: Process History/Live Data", - "Operational Databases: Process/Event Alarm" + "Operational Databases: Process History/Live Data" ], "type": "attack-pattern", "id": "attack-pattern--008b8f56-6107-48be-aa9f-746f927dbb61", 
@@ -3365,13 +3364,13 @@
 "x_mitre_version": "1.0",
 "x_mitre_attack_spec_version": "2.1.0",
 "x_mitre_data_sources": [
- "Command: Command Execution",
- "File: File Modification",
- "Process: OS API Execution",
- "Process: Process Creation",
 "Process: Process Termination",
+ "File: File Modification",
 "Service: Service Metadata",
- "Windows Registry: Windows Registry Key Modification"
+ "Process: Process Creation",
+ "Windows Registry: Windows Registry Key Modification",
+ "Command: Command Execution",
+ "Process: OS API Execution"
 ],
 "type": "attack-pattern",
 "id": "attack-pattern--063b5b92-5361-481a-9c3f-95492ed9a2d8",
@@ -3423,10 +3422,10 @@
 ],
 "x_mitre_version": "1.1",
 "x_mitre_data_sources": [
- "Network Traffic: Network Traffic Content",
 "Application Log: Application Log Content",
- "Operational Databases: Device Alarm",
- "Asset: Device Configuration/Parameters"
+ "Network Traffic: Network Traffic Content",
+ "Asset: Asset Inventory",
+ "Operational Databases: Device Alarm"
 ],
 "type": "attack-pattern",
 "id": "attack-pattern--097924ce-a9a9-4039-8591-e0deedfb8722",
@@ -3472,8 +3471,9 @@
 ],
 "x_mitre_version": "1.1",
 "x_mitre_data_sources": [
- "File: File Modification",
- "Asset: Software/Firmware"
+ "Asset: Software",
+ "Operational Databases: Device Alarm",
+ "Application Log: Application Log Content"
 ],
 "type": "attack-pattern",
 "id": "attack-pattern--09a61657-46e1-439e-b3ed-3e4556a78243",
@@ -3525,6 +3525,9 @@
 "x_mitre_contributors": [
 "ICSCoE Japan"
 ],
+ "x_mitre_data_sources": [
+ "Network Traffic: Network Traffic Flow"
+ ],
 "type": "attack-pattern",
 "id": "attack-pattern--0fe075d5-beac-4d02-b93e-0f874997db72",
 "created": "2020-05-21T17:43:26.506Z",
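Review bot: The data-source string `"Asset: Software/Firmware"` disappears in the hunk at -3472 and `"Asset: Software"` appears in its place, and the same one-for-one swap recurs at -5272 and -7970, which reads like a rename of the data component rather than a change in detection guidance. Anything downstream that matches on the literal `Source: Component` string, such as coverage matrices or detection-to-technique mappings, will stop matching the old name and those techniques will look uncovered. The hunk at -3423 drops `"Asset: Device Configuration/Parameters"` and adds `"Asset: Asset Inventory"`, though that one may be a genuine replacement. I would ask for the release notes to list each renamed component with its old and new name, since the hunks carry no alias.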
@@ -3633,9 +3636,9 @@
 "Joe Slowik - Dragos"
 ],
 "x_mitre_data_sources": [
- "Network Traffic: Network Traffic Content",
 "Application Log: Application Log Content",
- "Operational Databases: Device Alarm"
+ "Operational Databases: Device Alarm",
+ "Network Traffic: Network Traffic Content"
 ],
 "type": "attack-pattern",
 "id": "attack-pattern--19a71d1e-6334-4233-8260-b749cae37953",
@@ -3728,10 +3731,10 @@
 ],
 "x_mitre_version": "1.0",
 "x_mitre_data_sources": [
- "Application Log: Application Log Content",
- "Network Traffic: Network Traffic Content",
 "Network Traffic: Network Traffic Flow",
- "Operational Databases: Process History/Live Data"
+ "Operational Databases: Process History/Live Data",
+ "Application Log: Application Log Content",
+ "Network Traffic: Network Traffic Content"
 ],
 "type": "attack-pattern",
 "id": "attack-pattern--1b22b676-9347-4c55-9a35-ef0dc653db5b",
@@ -3800,11 +3803,10 @@
 "x_mitre_version": "1.1",
 "x_mitre_data_sources": [
 "Network Traffic: Network Traffic Flow",
- "Network Traffic: Network Connection Creation",
- "Application Log: Application Log Content",
 "Process: Process Termination",
 "Operational Databases: Process History/Live Data",
- "Operational Databases: Process/Event Alarm"
+ "Operational Databases: Process/Event Alarm",
+ "Application Log: Application Log Content"
 ],
 "type": "attack-pattern",
 "id": "attack-pattern--1c478716-71d9-46a4-9a53-fa5d576adb60",
@@ -3889,11 +3891,9 @@
 ],
 "x_mitre_version": "1.1",
 "x_mitre_data_sources": [
- "Command: Command Execution",
 "Process: Process Creation",
- "Module: Module Load",
- "Process: Process Creation",
- "Script: Script Execution"
+ "Application Log: Application Log Content",
+ "Command: Command Execution"
 ],
 "type": "attack-pattern",
 "id": "attack-pattern--24a9253e-8948-4c98-b751-8e2aee53127c",
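Review bot: The `x_mitre_data_sources` array at -3633 is rewritten in a different order with exactly the same three members, so this hunk carries no content change; the hunks at -3728, -4101, -4213, -4867, -5036, -5702, -5877, -5981, -6040, -6876, -6969, -7026, -7314 and -7907 are the same kind of pure reorder. They sit among hunks that really do add or drop detection sources, and a reviewer has to compare the sets by hand to tell the two apart. Emitting the array in a stable sorted order, here `"Application Log: Application Log Content",` `"Network Traffic: Network Traffic Content",` `"Operational Databases: Device Alarm"`, would leave only real membership changes in the diff. The order appears to carry no meaning, so consumers are better off treating the array as a set.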
@@ -3944,7 +3944,8 @@
 "Jos Wetzels - Midnight Blue"
 ],
 "x_mitre_data_sources": [
- "Network Traffic: Network Traffic Content"
+ "Network Traffic: Network Traffic Content",
+ "Application Log: Application Log Content"
 ],
 "type": "attack-pattern",
 "id": "attack-pattern--25852363-5968-4673-b81d-341d5ed90bd1",
@@ -3991,8 +3992,9 @@
 "x_mitre_version": "1.1",
 "x_mitre_data_sources": [
 "Network Traffic: Network Traffic Content",
+ "Operational Databases: Device Alarm",
 "Application Log: Application Log Content",
- "Operational Databases: Device Alarm"
+ "Network Traffic: Network Traffic Flow"
 ],
 "type": "attack-pattern",
 "id": "attack-pattern--25dfc8ad-bd73-4dfd-84a9-3c3d383f76e9",
@@ -4034,12 +4036,12 @@
 ],
 "x_mitre_version": "1.1",
 "x_mitre_data_sources": [
- "Application Log: Application Log Content",
- "Command: Command Execution",
- "File: File Creation",
- "Network Traffic: Network Connection Creation",
 "Network Traffic: Network Traffic Content",
- "Process: Process Creation"
+ "Command: Command Execution",
+ "Application Log: Application Log Content",
+ "Network Traffic: Network Connection Creation",
+ "Process: Process Creation",
+ "File: File Access"
 ],
 "type": "attack-pattern",
 "id": "attack-pattern--2736b752-4ec5-4421-a230-8977dea7649c",
@@ -4101,8 +4103,8 @@
 ],
 "x_mitre_data_sources": [
 "Network Traffic: Network Traffic Flow",
- "Application Log: Application Log Content",
- "Logon Session: Logon Session Creation"
+ "Logon Session: Logon Session Creation",
+ "Application Log: Application Log Content"
 ],
 "type": "attack-pattern",
 "id": "attack-pattern--2877063e-1851-48d2-bcc6-bc1d2733157e",
@@ -4213,8 +4215,8 @@
 ],
 "x_mitre_is_subtechnique": false,
 "x_mitre_data_sources": [
- "Network Traffic: Network Traffic Content",
 "Application Log: Application Log Content",
+ "Network Traffic: Network Traffic Content",
 "Operational Databases: Device Alarm"
 ],
 "x_mitre_attack_spec_version": "2.1.0",
@@ -4247,10 +4249,10 @@
 "Jos Wetzels - Midnight Blue"
 ],
 "x_mitre_data_sources": [
- "Network Traffic: Network Traffic Content",
- "Application Log: Application Log Content",
- "Operational Databases: Process History/Live Data",
- "Operational Databases: Process/Event Alarm"
+ "Network Traffic: Network Traffic Flow",
+ "Operational Databases: Process/Event Alarm",
+ "Operational Databases: Device Alarm",
+ "Operational Databases: Process History/Live Data"
 ],
 "type": "attack-pattern",
 "id": "attack-pattern--2900bbd8-308a-4274-b074-5b8bde8347bc",
@@ -4403,6 +4405,7 @@
 "x_mitre_version": "1.0",
 "x_mitre_attack_spec_version": "2.1.0",
 "x_mitre_data_sources": [
+ "Application Log: Application Log Content",
 "Network Traffic: Network Traffic Content"
 ],
 "type": "attack-pattern",
@@ -4442,9 +4445,10 @@
 ],
 "x_mitre_version": "1.0",
 "x_mitre_data_sources": [
- "Command: Command Execution",
 "Module: Module Load",
+ "Command: Command Execution",
 "Process: Process Creation",
+ "Process: Process Metadata",
 "Script: Script Execution"
 ],
 "type": "attack-pattern",
@@ -4488,7 +4492,9 @@
 "x_mitre_version": "1.1",
 "x_mitre_data_sources": [
 "Network Traffic: Network Traffic Content",
- "Application Log: Application Log Content"
+ "Network Traffic: Network Traffic Flow",
+ "Process: Process Creation",
+ "File: File Access"
 ],
 "type": "attack-pattern",
 "id": "attack-pattern--2fedbe69-581f-447d-8a78-32ee7db939a9",
@@ -4530,6 +4536,7 @@
 "x_mitre_attack_spec_version": "2.1.0",
 "x_mitre_data_sources": [
 "Application Log: Application Log Content",
+ "Network Traffic: Network Traffic Flow",
 "Network Traffic: Network Traffic Content"
 ],
 "type": "attack-pattern",
@@ -4614,9 +4621,14 @@
 ],
 "x_mitre_version": "1.1",
 "x_mitre_data_sources": [
- "Application Log: Application Log Content",
 "Logon Session: Logon Session Creation",
- "File: File Access"
+ "Process: OS API Execution",
+ "Command: Command Execution",
+ "Process: Process Creation",
+ "Script: Script Execution",
+ "File: File Access",
+ "Network Share: Network Share Access",
+ "Application Log: Application Log Content"
 ],
 "type": "attack-pattern",
 "id": "attack-pattern--3405891b-16aa-4bd7-bd7c-733501f9b20f",
@@ -4666,6 +4678,10 @@
 "ics-attack"
 ],
 "x_mitre_version": "1.1",
+ "x_mitre_data_sources": [
+ "Application Log: Application Log Content",
+ "Network Traffic: Network Traffic Flow"
+ ],
 "type": "attack-pattern",
 "id": "attack-pattern--35392fb4-a31d-4c6a-b9f2-1c65b7f5e6b9",
 "created": "2021-10-14T15:25:32.143Z",
@@ -4715,8 +4731,7 @@
 ],
 "x_mitre_version": "1.1",
 "x_mitre_data_sources": [
- "Operational Databases: Process History/Live Data",
- "Operational Databases: Device Alarm"
+ "Asset: Software"
 ],
 "type": "attack-pattern",
 "id": "attack-pattern--36e9f5bc-ac13-4da4-a2f4-01f4877d9004",
@@ -4818,9 +4833,7 @@
 ],
 "x_mitre_version": "1.1",
 "x_mitre_data_sources": [
- "Drive: Drive Modification",
- "Firmware: Firmware Modification",
- "Module: Module Load"
+ "Firmware: Firmware Modification"
 ],
 "type": "attack-pattern",
 "id": "attack-pattern--3b6b9246-43f8-4c69-ad7a-2b11cfe0a0d9",
@@ -4867,10 +4880,10 @@
 "x_mitre_version": "1.0",
 "x_mitre_attack_spec_version": "2.1.0",
 "x_mitre_data_sources": [
- "Command: Command Execution",
+ "Network Traffic: Network Traffic Content",
 "File: File Access",
 "Script: Script Execution",
- "Network Traffic: Network Traffic Content"
+ "Command: Command Execution"
 ],
 "type": "attack-pattern",
 "id": "attack-pattern--3de230d4-3e42-4041-b089-17e1128feded",
@@ -4912,11 +4925,10 @@
 "x_mitre_version": "1.0",
 "x_mitre_data_sources": [
 "Network Traffic: Network Traffic Flow",
- "Network Traffic: Network Connection Creation",
- "Application Log: Application Log Content",
 "Process: Process Termination",
- "Operational Databases: Process History/Live Data",
- "Operational Databases: Process/Event Alarm"
+ "Operational Databases: Process/Event Alarm",
+ "Application Log: Application Log Content",
+ "Operational Databases: Process History/Live Data"
 ],
 "type": "attack-pattern",
 "id": "attack-pattern--3f1f4ccb-9be2-4ff8-8f69-dd972221169b",
@@ -4967,10 +4979,11 @@
 ],
 "x_mitre_version": "1.1",
 "x_mitre_data_sources": [
- "Network Traffic: Network Traffic Content",
 "Application Log: Application Log Content",
+ "Operational Databases: Process/Event Alarm",
 "Operational Databases: Process History/Live Data",
- "Operational Databases: Process/Event Alarm"
+ "Network Traffic: Network Traffic Flow",
+ "Network Traffic: Network Traffic Content"
 ],
 "type": "attack-pattern",
 "id": "attack-pattern--40b300ba-f553-48bf-862e-9471b220d455",
@@ -5036,10 +5049,10 @@
 "Matan Dobrushin - Otorio"
 ],
 "x_mitre_data_sources": [
- "Command: Command Execution",
- "File: File Deletion",
 "File: File Modification",
- "Process: Process Creation"
+ "Process: Process Creation",
+ "Command: Command Execution",
+ "File: File Deletion"
 ],
 "type": "attack-pattern",
 "id": "attack-pattern--493832d9-cea6-4b63-abe7-9a65a6473675",
@@ -5224,16 +5237,14 @@
 "x_mitre_version": "1.0",
 "x_mitre_attack_spec_version": "2.1.0",
 "x_mitre_data_sources": [
- "Command: Command Execution",
- "File: File Deletion",
 "File: File Metadata",
- "File: File Modification",
- "Network Traffic: Network Traffic Content",
- "Process: OS API Execution",
 "Process: Process Creation",
- "User Account: User Account Authentication",
+ "File: File Modification",
+ "Windows Registry: Windows Registry Key Modification",
+ "File: File Deletion",
+ "Command: Command Execution",
 "Windows Registry: Windows Registry Key Deletion",
- "Windows Registry: Windows Registry Key Modification"
+ "Process: OS API Execution"
 ],
 "type": "attack-pattern",
 "id": "attack-pattern--53a26eee-1080-4d17-9762-2027d5a1b805",
@@ -5272,7 +5283,7 @@
 ],
 "x_mitre_version": "1.1",
 "x_mitre_data_sources": [
- "Asset: Software/Firmware"
+ "Asset: Software"
 ],
 "type": "attack-pattern",
 "id": "attack-pattern--53a48c74-0025-45f4-b04a-baa853df8204",
@@ -5381,8 +5392,7 @@
 ],
 "x_mitre_version": "1.1",
 "x_mitre_data_sources": [
- "Module: Module Load",
- "Network Traffic: Network Traffic Content"
+ "Process: OS API Execution"
 ],
 "type": "attack-pattern",
 "id": "attack-pattern--5a2610f6-9fff-41e1-bc27-575ca20383d4",
@@ -5427,6 +5437,9 @@
 "ics-attack"
 ],
 "x_mitre_version": "1.1",
+ "x_mitre_data_sources": [
+ "File: File Metadata"
+ ],
 "type": "attack-pattern",
 "id": "attack-pattern--5e0f75da-e108-4688-a6de-a4f07cc2cbe3",
 "created": "2020-05-21T17:43:26.506Z",
@@ -5609,6 +5622,8 @@
 "x_mitre_version": "1.1",
 "x_mitre_data_sources": [
 "Application Log: Application Log Content",
+ "File: File Creation",
+ "Process: Process Creation",
 "Network Traffic: Network Traffic Content"
 ],
 "type": "attack-pattern",
@@ -5702,10 +5717,10 @@
 ],
 "x_mitre_version": "1.0",
 "x_mitre_data_sources": [
- "Application Log: Application Log Content",
+ "Network Traffic: Network Traffic Content",
 "File: File Creation",
 "Network Traffic: Network Connection Creation",
- "Network Traffic: Network Traffic Content",
+ "Application Log: Application Log Content",
 "Process: Process Creation"
 ],
 "type": "attack-pattern",
@@ -5819,8 +5834,10 @@
 ],
 "x_mitre_version": "1.1",
 "x_mitre_data_sources": [
- "Network Traffic: Network Traffic Content",
- "Application Log: Application Log Content"
+ "Network Traffic: Network Traffic Flow",
+ "Operational Databases: Device Alarm",
+ "Windows Registry: Windows Registry Key Modification",
+ "Network Traffic: Network Traffic Content"
 ],
 "type": "attack-pattern",
 "id": "attack-pattern--8535b71e-3c12-4258-a4ab-40257a1becc4",
@@ -5877,8 +5894,8 @@
 ],
 "x_mitre_version": "1.0",
 "x_mitre_data_sources": [
- "Application Log: Application Log Content",
- "Network Traffic: Network Traffic Content"
+ "Network Traffic: Network Traffic Content",
+ "Application Log: Application Log Content"
 ],
 "type": "attack-pattern",
 "id": "attack-pattern--85a45294-08f1-4539-bf00-7da08aa7b0ee",
@@ -5981,9 +5998,9 @@
 ],
 "x_mitre_version": "1.0",
 "x_mitre_data_sources": [
+ "Network Traffic: Network Traffic Flow",
 "Application Log: Application Log Content",
- "Logon Session: Logon Session Metadata",
- "Network Traffic: Network Traffic Flow"
+ "Logon Session: Logon Session Metadata"
 ],
 "type": "attack-pattern",
 "id": "attack-pattern--8d2f3bab-507c-4424-b58b-edc977bd215c",
@@ -6040,9 +6057,9 @@
 ],
 "x_mitre_version": "1.0",
 "x_mitre_data_sources": [
+ "Operational Databases: Process History/Live Data",
 "Network Traffic: Network Traffic Content",
- "Application Log: Application Log Content",
- "Operational Databases: Process History/Live Data"
+ "Application Log: Application Log Content"
 ],
 "type": "attack-pattern",
 "id": "attack-pattern--8e7089d3-fba2-44f8-94a8-9a79c53920c4",
@@ -6125,11 +6142,12 @@
 "Conrad Layne - GE Digital"
 ],
 "x_mitre_data_sources": [
- "Network Traffic: Network Traffic Flow",
 "Network Traffic: Network Traffic Content",
- "Process: OS API Execution",
+ "Service: Service Creation",
+ "Application Log: Application Log Content",
+ "Network Traffic: Network Traffic Flow",
 "Process: Process Creation",
- "Command: Command Execution"
+ "Windows Registry: Windows Registry Key Modification"
 ],
 "type": "attack-pattern",
 "id": "attack-pattern--9a505987-ab05-4f46-a9a6-6441442eec3b",
@@ -6180,6 +6198,9 @@
 "ics-attack"
 ],
 "x_mitre_version": "1.1",
+ "x_mitre_data_sources": [
+ "Application Log: Application Log Content"
+ ],
 "type": "attack-pattern",
 "id": "attack-pattern--9f947a1c-3860-48a8-8af0-a2dfa3efde03",
 "created": "2020-05-21T17:43:26.506Z",
@@ -6324,8 +6345,8 @@
 ],
 "x_mitre_version": "1.1",
 "x_mitre_data_sources": [
- "File: File Modification",
- "Module: Module Load"
+ "Process: OS API Execution",
+ "Process: Process Metadata"
 ],
 "type": "attack-pattern",
 "id": "attack-pattern--ab390887-afc0-4715-826d-b1b167d522ae",
@@ -6470,9 +6491,10 @@
 ],
 "x_mitre_version": "1.1",
 "x_mitre_data_sources": [
- "Network Traffic: Network Traffic Flow",
- "Network Traffic: Network Traffic Content",
- "Process: Process Creation"
+ "Module: Module Load",
+ "Process: Process Creation",
+ "Command: Command Execution",
+ "Logon Session: Logon Session Creation"
 ],
 "type": "attack-pattern",
 "id": "attack-pattern--b0628bfc-5376-4a38-9182-f324501cb4cf",
@@ -6515,10 +6537,11 @@
 ],
 "x_mitre_version": "1.1",
 "x_mitre_data_sources": [
- "Network Traffic: Network Traffic Content",
- "Network Traffic: Network Traffic Flow",
 "Application Log: Application Log Content",
- "Operational Databases: Process/Event Alarm"
+ "Asset: Asset Inventory",
+ "Operational Databases: Device Alarm",
+ "Network Traffic: Network Traffic Content",
+ "Network Traffic: Network Traffic Flow"
 ],
 "type": "attack-pattern",
 "id": "attack-pattern--b14395bd-5419-4ef4-9bd8-696936f509bb",
@@ -6734,9 +6757,10 @@
 ],
 "x_mitre_version": "1.1",
 "x_mitre_data_sources": [
- "Firmware: Firmware Modification",
 "Network Traffic: Network Traffic Content",
- "Network Traffic: Network Traffic Flow"
+ "Firmware: Firmware Modification",
+ "Application Log: Application Log Content",
+ "Operational Databases: Device Alarm"
 ],
 "type": "attack-pattern",
 "id": "attack-pattern--b9160e77-ea9e-4ba9-b1c8-53a3c466b13d",
@@ -6783,13 +6807,14 @@
 ],
 "x_mitre_version": "1.1",
 "x_mitre_data_sources": [
+ "Scheduled Job: Scheduled Job Creation",
 "Command: Command Execution",
- "File: File Metadata",
- "File: File Modification",
- "Scheduled Job: Scheduled Job Metadata",
- "Scheduled Job: Scheduled Job Modification",
+ "Service: Service Modification",
 "Service: Service Creation",
- "Service: Service Metadata"
+ "File: File Modification",
+ "Process: Process Metadata",
+ "File: File Metadata",
+ "Scheduled Job: Scheduled Job Modification"
 ],
 "type": "attack-pattern",
 "id": "attack-pattern--ba203963-3182-41ac-af14-7e7ebc83cd61",
@@ -6831,9 +6856,10 @@
 ],
 "x_mitre_version": "1.1",
 "x_mitre_data_sources": [
- "Network Traffic: Network Traffic Content",
 "Application Log: Application Log Content",
- "Operational Databases: Device Alarm"
+ "Operational Databases: Device Alarm",
+ "Network Traffic: Network Traffic Content",
+ "Asset: Asset Inventory"
 ],
 "type": "attack-pattern",
 "id": "attack-pattern--be69c571-d746-4b1f-bdd0-c0c9817e9068",
@@ -6876,10 +6902,10 @@
 ],
 "x_mitre_version": "1.0",
 "x_mitre_data_sources": [
- "Drive: Drive Creation",
- "File: File Access",
+ "Process: Process Creation",
 "File: File Creation",
- "Process: Process Creation"
+ "Drive: Drive Creation",
+ "File: File Access"
 ],
 "type": "attack-pattern",
 "id": "attack-pattern--c267bbee-bb59-47fe-85e0-3ed210337c21",
@@ -6969,8 +6995,8 @@
 "x_mitre_version": "1.0",
 "x_mitre_attack_spec_version": "2.1.0",
 "x_mitre_data_sources": [
- "Command: Command Execution",
- "Process: OS API Execution"
+ "Process: OS API Execution",
+ "Command: Command Execution"
 ],
 "type": "attack-pattern",
 "id": "attack-pattern--c5e3cdbc-0387-4be9-8f83-ff5c0865f377",
@@ -7026,8 +7052,8 @@
 "Aagam Shah, @neutrinoguy, ABB"
 ],
 "x_mitre_data_sources": [
- "Logon Session: Logon Session Creation",
- "Network Traffic: Network Traffic Content"
+ "Network Traffic: Network Traffic Content",
+ "Logon Session: Logon Session Creation"
 ],
 "type": "attack-pattern",
 "id": "attack-pattern--c9a8d958-fcdb-40d2-af4c-461c8031651a",
@@ -7078,8 +7104,9 @@
 ],
 "x_mitre_version": "1.1",
 "x_mitre_data_sources": [
+ "User Account: User Account Authentication",
 "Logon Session: Logon Session Creation",
- "User Account: User Account Authentication"
+ "Logon Session: Logon Session Metadata"
 ],
 "type": "attack-pattern",
 "id": "attack-pattern--cd2c76a4-5e23-4ca5-9c40-d5e0604f7101",
@@ -7126,7 +7153,7 @@
 ],
 "x_mitre_version": "1.1",
 "x_mitre_data_sources": [
- "Process: OS API Execution"
+ "Application Log: Application Log Content"
 ],
 "type": "attack-pattern",
 "id": "attack-pattern--cfe68e93-ce94-4c0f-a57d-3aa72cedd618",
@@ -7176,10 +7203,10 @@
 ],
 "x_mitre_version": "1.1",
 "x_mitre_data_sources": [
- "Command: Command Execution",
+ "Network Traffic: Network Traffic Content",
 "File: File Access",
- "Network Traffic: Network Connection Creation",
- "Process: Process Creation"
+ "Process: Process Creation",
+ "Network Traffic: Network Traffic Flow"
 ],
 "type": "attack-pattern",
 "id": "attack-pattern--d5a69cfb-fc2a-46cb-99eb-74b236db5061",
@@ -7264,7 +7291,6 @@
 ],
 "x_mitre_version": "1.1",
 "x_mitre_data_sources": [
- "Network Traffic: Network Connection Creation",
 "Network Traffic: Network Traffic Content",
 "Network Traffic: Network Traffic Flow"
 ],
@@ -7314,8 +7340,8 @@
 "x_mitre_version": "1.0",
 "x_mitre_attack_spec_version": "2.1.0",
 "x_mitre_data_sources": [
- "Network Traffic: Network Traffic Flow",
- "Network Traffic: Network Traffic Content"
+ "Network Traffic: Network Traffic Content",
+ "Network Traffic: Network Traffic Flow"
 ],
 "type": "attack-pattern",
 "id": "attack-pattern--e076cca8-2f08-45c9-aff7-ea5ac798b387",
@@ -7414,13 +7440,13 @@
 "Daisuke Suzuki"
 ],
 "x_mitre_data_sources": [
- "Command: Command Execution",
- "Logon Session: Logon Session Creation",
- "Network Share: Network Share Access",
+ "Process: Process Creation",
 "Network Traffic: Network Connection Creation",
- "Network Traffic: Network Traffic Flow",
- "Network Traffic: Network Traffic Content",
- "Process: Process Creation"
+ "Module: Module Load",
+ "Network Share: Network Share Access",
+ "Logon Session: Logon Session Creation",
+ "Command: Command Execution",
+ "Network Traffic: Network Traffic Flow"
 ],
 "type": "attack-pattern",
 "id": "attack-pattern--e1f9cdd2-9511-4fca-90d7-f3e92cfdd0bf",
@@ -7585,9 +7611,10 @@
 ],
 "x_mitre_version": "1.1",
 "x_mitre_data_sources": [
- "Network Traffic: Network Traffic Content",
+ "Operational Databases: Process History/Live Data",
 "Application Log: Application Log Content",
- "Operational Databases: Process History/Live Data"
+ "Network Traffic: Network Traffic Content",
+ "Asset: Asset Inventory"
 ],
 "type": "attack-pattern",
 "id": "attack-pattern--e5de767e-f513-41cd-aa15-33f6ce5fbf92",
@@ -7645,7 +7672,8 @@
 "Matan Dobrushin - Otorio"
 ],
 "x_mitre_data_sources": [
- "Network Traffic: Network Traffic Flow"
+ "Network Traffic: Network Traffic Flow",
+ "Network Traffic: Network Traffic Content"
 ],
 "type": "attack-pattern",
 "id": "attack-pattern--e6c31185-8040-4267-83d3-b217b8a92f07",
@@ -7743,9 +7771,10 @@
 ],
 "x_mitre_version": "1.1",
 "x_mitre_data_sources": [
- "Command: Command Execution",
 "Process: OS API Execution",
- "Process: Process Creation"
+ "Script: Script Execution",
+ "Process: Process Creation",
+ "Command: Command Execution"
 ],
 "type": "attack-pattern",
 "id": "attack-pattern--ea0c980c-5cf0-43a7-a049-59c4c207566e",
@@ -7798,11 +7827,12 @@
 ],
 "x_mitre_version": "1.1",
 "x_mitre_data_sources": [
+ "Network Traffic: Network Traffic Content",
+ "Network Share: Network Share Access",
+ "Network Traffic: Network Traffic Flow",
 "Command: Command Execution",
 "File: File Creation",
 "File: File Metadata",
- "Network Traffic: Network Traffic Content",
- "Network Traffic: Network Traffic Flow",
 "Process: Process Creation"
 ],
 "type": "attack-pattern",
@@ -7854,9 +7884,10 @@
 ],
 "x_mitre_version": "1.1",
 "x_mitre_data_sources": [
- "Firmware: Firmware Modification",
 "Network Traffic: Network Traffic Content",
- "Network Traffic: Network Traffic Flow"
+ "Application Log: Application Log Content",
+ "Operational Databases: Device Alarm",
+ "Firmware: Firmware Modification"
 ],
 "type": "attack-pattern",
 "id": "attack-pattern--efbf7888-f61b-4572-9c80-7e2965c60707",
@@ -7907,8 +7938,8 @@
 ],
 "x_mitre_version": "1.0",
 "x_mitre_data_sources": [
- "Network Traffic: Network Traffic Flow",
 "Network Traffic: Network Traffic Content",
+ "Network Traffic: Network Traffic Flow",
 "Logon Session: Logon Session Metadata"
 ],
 "type": "attack-pattern",
@@ -7970,8 +8001,10 @@
 ],
 "x_mitre_version": "1.1",
 "x_mitre_data_sources": [
- "File: File Modification",
- "Asset: Software/Firmware"
+ "Application Log: Application Log Content",
+ "Network Traffic: Network Traffic Content",
+ "Asset: Software",
+ "Operational Databases: Device Alarm"
 ],
 "type": "attack-pattern",
 "id": "attack-pattern--fc5fda7e-6b2c-4457-b036-759896a2efa2",
@@ -7997,43 +8030,19 @@ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], "type": "relationship", - "id": "relationship--2b62e4c0-9267-47bd-8f4d-0394b13fb566", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.127Z", - "relationship_type": "mitigates", - "description": "Once an adversary has access to a remote GUI they can abuse system features, such as required HMI functions.\n", - "source_ref": "course-of-action--469b78dd-a54d-4f7c-8c3b-4a1dd916b433", - "target_ref": "attack-pattern--b0628bfc-5376-4a38-9182-f324501cb4cf", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - "type": "relationship", - "id": "relationship--1dc35f79-0ada-4342-bd13-10d10c1b0335", - "created": "2021-04-13T12:28:20.652Z", + "id": "relationship--9e0810a5-ad02-487f-b0a8-bf07decca493", + "created": "2022-05-11T16:22:58.803Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, - "external_references": [ - { - "source_name": "Ben Hunter and Fred Gutierrez July 2020", - "description": "Ben Hunter and Fred Gutierrez 2020, July 01 EKANS Ransomware Targeting OT ICS Systems Retrieved. 2021/04/12 ", - "url": "https://www.fortinet.com/blog/threat-research/ekans-ransomware-targeting-ot-ics-systems" - } - ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2022-10-12T17:46:56.223Z", - "description": "[EKANS](https://attack.mitre.org/software/S0605) performs a DNS lookup of an internal domain name associated with its target network to identify if it was deployed on the intended system. 
(Citation: Ben Hunter and Fred Gutierrez July 2020)", - "relationship_type": "uses", - "source_ref": "malware--00e7d565-9883-4ee5-b642-8fd17fd6a3f5", - "target_ref": "attack-pattern--ea0c980c-5cf0-43a7-a049-59c4c207566e", + "modified": "2022-09-26T15:07:52.455Z", + "description": "Monitor for a loss of network communications, which may indicate this technique is being used.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--a7f22107-02e5-4982-9067-6625d4a1765a", + "target_ref": "attack-pattern--3f1f4ccb-9be2-4ff8-8f69-dd972221169b", "x_mitre_deprecated": false, "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "2.1.0", 
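Review bot: From the hunk at -7997 alone, the `mitigates` relationship `relationship--2b62e4c0-9267-47bd-8f4d-0394b13fb566` and the EKANS `uses` relationship `relationship--1dc35f79-0ada-4342-bd13-10d10c1b0335` both read as deleted, with the `detects` entry `relationship--9e0810a5-ad02-487f-b0a8-bf07decca493` taking their slot. Because relationship objects in this file seem to change position between exports, it is not possible to tell here whether a mitigation mapping and a cited procedure example were dropped or only moved. That difference matters to anyone who derives control coverage from the bundle. Serialising `objects` in a stable order such as by `id` would make a real removal show up as a clean deletion; failing that, the release notes should list every removed relationship id.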
@@ -8041,109 +8050,165 @@ }, { "type": "relationship", - "id": "relationship--7c329018-b591-42c4-8806-4d02ccd47476", + "id": "relationship--ccab2b58-7c47-45fe-bdd3-3444fb53760c", + "created": "2022-09-27T15:34:07.320Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-09-27T15:34:07.320Z", + "description": "Monitor DLL file events, specifically creation of these binary files as well as the loading of DLLs into processes associated with remote graphical connections, such as RDP and VNC. [Remote Services](https://attack.mitre.org/techniques/T0886) may be used to access a host’s GUI.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--c0a4a086-cc20-4e1e-b7cb-29d99dfa3fb1", + "target_ref": "attack-pattern--b0628bfc-5376-4a38-9182-f324501cb4cf", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "2.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--966b59c0-8641-432c-84f7-b2a712004d74", + "created": "2018-10-17T00:14:20.652Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Anton Cherepanov, ESET June 2017", + "description": "Anton Cherepanov, ESET 2017, June 12 Win32/Industroyer: A new threat for industrial control systems Retrieved. 2017/09/15 ", + "url": "https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-09-23T18:52:41.680Z", + "description": "The [Industroyer](https://attack.mitre.org/software/S0604) IEC 104 module has 3 modes available to perform its attack. These modes are range, shift, and sequence. 
The range mode operates in 2 stages. The first stage of range mode gathers Information Object Addresses (IOA) and sends select and execute packets to switch the state. The second stage of range mode has an infinite loop where it will switch the state of all of the previously discovered IOAs. Shift mode is similar to range mode, but instead of staying within the same range, it will add a shift value to the default range values. (Citation: Anton Cherepanov, ESET June 2017)", + "relationship_type": "uses", + "source_ref": "malware--e401d4fe-f0c9-44f0-98e6-f93487678808", + "target_ref": "attack-pattern--8e7089d3-fba2-44f8-94a8-9a79c53920c4", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--375b7e67-8b3f-4102-9e3e-7e356b6c8bf4", "created": "2022-05-11T16:22:58.805Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2022-10-14T16:55:36.262Z", - "description": "Monitor executed commands and arguments for abnormal usage of utilities and command-line arguments that may be used in support of remote transfer of files.", + "modified": "2022-10-14T19:43:54.996Z", + "description": "Detecting software exploitation may be difficult depending on the tools available. Software exploits may not always succeed or may cause the exploited process to become unstable or crash. 
Web Application Firewalls may detect improper inputs attempting exploitation.", "relationship_type": "detects", - "source_ref": "x-mitre-data-component--685f917a-e95e-4ba0-ade1-c7d354dae6e0", - "target_ref": "attack-pattern--ead7bd34-186e-4c79-9a4d-b65bcce6ed9d", + "source_ref": "x-mitre-data-component--9c2fa0ae-7abc-485a-97f6-699e3b6cf9fa", + "target_ref": "attack-pattern--32632a95-6856-47b9-9ab7-fea5cd7dce00", "x_mitre_deprecated": false, "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, + { + "type": "relationship", + "id": "relationship--ceafc04b-b31f-419b-82da-41ce9e1ec6e9", + "created": "2022-09-23T16:36:40.950Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-09-27T15:50:45.583Z", + "description": "Engineering and asset management software will often maintain a copy of the expected program loaded on a controller and may also record any changes made to controller programs and tasks. 
Data from these platforms can be used to identify modified controller tasking.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--8ed4e6d0-56d7-4e6b-8fa6-41f41631f30d", + "target_ref": "attack-pattern--09a61657-46e1-439e-b3ed-3e4556a78243", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", - "id": "relationship--0e4f272b-d744-4feb-9f3f-c24c3598538f", + "id": "relationship--d8f45959-e0fc-4b4f-a074-a3acea926300", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.202Z", + "modified": "2022-05-06T17:47:24.194Z", "relationship_type": "mitigates", - "description": "Ensure proper registry permissions are in place to inhibit adversaries from disabling or interfering with critical services.\n", - "source_ref": "course-of-action--3222a807-521b-4a1a-aa13-f1cda45734b3", - "target_ref": "attack-pattern--063b5b92-5361-481a-9c3f-95492ed9a2d8", + "description": "Consider the disabling of features such as AutoRun.\n", + "source_ref": "course-of-action--d0909119-2f71-4923-87db-b649881672d7", + "target_ref": "attack-pattern--c267bbee-bb59-47fe-85e0-3ed210337c21", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0" }, + { + "type": "relationship", + "id": "relationship--5714c88f-ca54-46b6-b072-cd1d24714ae0", + "created": "2022-09-29T14:28:08.703Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-09-29T14:28:08.703Z", + "description": "Ensure embedded controls and network devices are protected through access management, as these devices often have unknown 
hardcoded accounts which could be used to gain unauthorized access.", + "relationship_type": "mitigates", + "source_ref": "course-of-action--3992ce42-43e9-4bea-b8db-a102ec3ec1e3", + "target_ref": "attack-pattern--c9a8d958-fcdb-40d2-af4c-461c8031651a", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "2.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--6be3917c-aad7-4a3f-bea2-23e4ba4310ee", + "created": "2022-09-29T14:26:04.715Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-09-29T14:26:04.715Z", + "description": "Monitor network traffic for hardcoded credential use in protocols that allow unencrypted authentication.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c", + "target_ref": "attack-pattern--c9a8d958-fcdb-40d2-af4c-461c8031651a", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "2.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", - "id": "relationship--eeeff03f-7436-4f76-8591-42075e6647d4", + "id": "relationship--2e5f338d-92c4-4647-8fef-7c901ff774f5", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.076Z", + "modified": "2022-05-06T17:47:24.220Z", "relationship_type": "mitigates", - "description": "All field controllers should restrict operating mode changes to only required authenticated users (e.g., engineers, field technicians), preferably through 
implementing a role-based access mechanism. Further, physical mechanisms (e.g., keys) can also be used to limit unauthorized operating mode changes.\n", - "source_ref": "course-of-action--e0d38502-decb-481d-ad8b-b8f0a0c330bd", - "target_ref": "attack-pattern--2883c520-7957-46ca-89bd-dab1ad53b601", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "relationship", - "id": "relationship--f6ff74c2-d088-4252-a8e0-189574863765", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.139Z", - "relationship_type": "mitigates", - "description": "Communication authenticity will ensure that any messages tampered with through MITM can be detected, but cannot prevent eavesdropping on these. In addition, providing communication authenticity around various discovery protocols, such as DNS, can be used to prevent various MITM procedures.\n", - "source_ref": "course-of-action--c7257b6e-4159-4771-b1f3-2bb93adaecac", - "target_ref": "attack-pattern--9a505987-ab05-4f46-a9a6-6441442eec3b", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "relationship", - "id": "relationship--58a0fd57-ea5f-46b0-84ac-c5b963fb7e94", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.168Z", - "relationship_type": "mitigates", - "description": "Use multi-factor authentication wherever possible.\n", - "source_ref": "course-of-action--ddf3e568-f065-49e2-9106-42029a28ddbd", - "target_ref": 
"attack-pattern--38213338-1aab-479d-949b-c81b66ccca5c", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "relationship", - "id": "relationship--220140ac-d927-4d86-9335-c04aa6ee3c61", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.126Z", - "relationship_type": "mitigates", - "description": "Deny direct remote access to internal systems through the use of network proxies, gateways, and firewalls. Consider a jump server or host into the DMZ for greater access control. Leverage this DMZ or corporate resources for vendor access. (Citation: Keith Stouffer May 2015)\n", - "source_ref": "course-of-action--1e7ccfc0-94c8-496e-8d27-032120892291", - "target_ref": "attack-pattern--8d2f3bab-507c-4424-b58b-edc977bd215c", + "description": "Protect files stored locally with proper permissions to limit opportunities for adversaries to interact and collect information from databases. (Citation: Keith Stouffer May 2015) (Citation: National Institute of Standards and Technology April 2013)\n", + "source_ref": "course-of-action--f9fcb3ec-6de0-4559-8cd9-ef1c0c7d1971", + "target_ref": "attack-pattern--b7e13ee8-182c-4f19-92a4-a88d7d855d54", "external_references": [ { "source_name": "Keith Stouffer May 2015", "description": "Keith Stouffer 2015, May Guide to Industrial Control Systems (ICS) Security Retrieved. 2018/03/28 ", "url": "https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-82r2.pdf" + }, + { + "source_name": "National Institute of Standards and Technology April 2013", + "description": "National Institute of Standards and Technology 2013, April Security and Privacy Controls for Federal Information Systems and Organizations Retrieved. 
2020/09/17 ", + "url": "https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf" } ], "x_mitre_attack_spec_version": "2.1.0", @@ -8152,17 +8217,17 @@ }, { "type": "relationship", - "id": "relationship--a28ecd81-a7dd-404c-9d7b-ce670b0fc83b", + "id": "relationship--ca0c26d7-c4a9-4c4a-bbd4-f3df4b1f5f69", "created": "2022-05-11T16:22:58.804Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2022-10-14T19:50:54.867Z", - "description": "On Windows and Unix systems monitor executed commands and arguments that may use shell commands for execution. Shells may be common on administrator, developer, or power user systems depending on job function.\n\nOn network device and embedded system CLIs consider reviewing command history if unauthorized or suspicious commands were used to modify device configuration.", + "modified": "2022-10-14T19:50:10.284Z", + "description": "Monitor for processes spawning from known command shell applications (e.g., PowerShell, Bash). Benign activity will need to be allow-listed. This information can be useful in gaining additional insight to adversaries' actions through how they use native processes or custom tools.", "relationship_type": "detects", - "source_ref": "x-mitre-data-component--685f917a-e95e-4ba0-ade1-c7d354dae6e0", + "source_ref": "x-mitre-data-component--3d20385b-24ef-40e1-9f56-f39750379077", "target_ref": "attack-pattern--24a9253e-8948-4c98-b751-8e2aee53127c", "x_mitre_deprecated": false, "x_mitre_version": "1.0", 
@@ -8170,60 +8235,19 @@ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], "type": "relationship", - "id": "relationship--ee89466e-0655-4217-844d-fb8ea4f76247", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.065Z", - "relationship_type": "mitigates", - "description": "Filter for protocols and payloads associated with firmware activation or updating activity.\n", - "source_ref": "course-of-action--11f242bc-3121-438c-84b2-5cbd46a4bb17", - "target_ref": "attack-pattern--19a71d1e-6334-4233-8260-b749cae37953", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "relationship", - "id": "relationship--502a0b7e-048a-468a-b888-e91fde47c6eb", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2021-04-12T18:59:17.429Z", - "modified": "2022-05-06T17:47:24.189Z", - "relationship_type": "mitigates", - "description": "Segment and control software movement between business and OT environments by way of one directional DMZs. Web access should be restricted from the OT environment. Engineering workstations, including transient cyber assets (TCAs) should have minimal connectivity to external networks, including Internet and email, further limit the extent to which these devices are dual-homed to multiple networks. 
(Citation: North America Transmission Forum December 2019)\n", - "source_ref": "course-of-action--1e7ccfc0-94c8-496e-8d27-032120892291", - "target_ref": "attack-pattern--e1f9cdd2-9511-4fca-90d7-f3e92cfdd0bf", - "external_references": [ - { - "source_name": "North America Transmission Forum December 2019", - "description": "North America Transmission Forum 2019, December NATF Transient Cyber Asset Guidance Retrieved. 2020/09/25 ", - "url": "https://www.natf.net/docs/natf/documents/resources/security/natf-transient-cyber-asset-guidance.pdf" - } - ], - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - "type": "relationship", - "id": "relationship--3f5f9f9d-9bb3-4461-b85b-501f6077e7b8", - "created": "2022-05-11T16:22:58.805Z", + "id": "relationship--5901e8b3-7df0-43e0-bdc5-f4fd2792a572", + "created": "2022-05-11T16:22:58.806Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2022-10-14T19:40:51.224Z", - "description": "Monitor executed commands and arguments that may delete or alter generated artifacts on a host system, including logs or captured files such as quarantined malware.", + "modified": "2022-10-14T16:17:25.451Z", + "description": "Monitor for newly executed processes related to services specifically designed to accept remote connections, such as RDP, Telnet, SSH, and VNC. 
The adversary may use [Valid Accounts](https://attack.mitre.org/techniques/T0859) to login and may perform follow-on actions that spawn additional processes as the user.", "relationship_type": "detects", - "source_ref": "x-mitre-data-component--685f917a-e95e-4ba0-ade1-c7d354dae6e0", - "target_ref": "attack-pattern--53a26eee-1080-4d17-9762-2027d5a1b805", + "source_ref": "x-mitre-data-component--3d20385b-24ef-40e1-9f56-f39750379077", + "target_ref": "attack-pattern--e1f9cdd2-9511-4fca-90d7-f3e92cfdd0bf", "x_mitre_deprecated": false, "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "2.1.0", 
@@ -8234,14 +8258,79 @@ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", - "id": "relationship--8b17ad46-b0cc-4766-9cae-eba32260d468", + "id": "relationship--111f437a-c67d-40e4-9515-7e9b22e65eff", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.135Z", + "modified": "2022-05-06T17:47:24.234Z", "relationship_type": "mitigates", - "description": "Provide operators with redundant, out-of-band communication to support monitoring and control of the operational processes, especially when recovering from a network outage (Citation: National Institute of Standards and Technology April 2013). Out-of-band communication should utilize diverse systems and technologies to minimize common failure modes and vulnerabilities within the communications infrastructure. For example, wireless networks (e.g., 3G, 4G) can be used to provide diverse and redundant delivery of data.\n", - "source_ref": "course-of-action--b11cad63-ef30-4eb8-af0d-6cc46eef3f3e", - "target_ref": "attack-pattern--a81696ef-c106-482c-8f80-59c30f2569fb", + "description": "Audit domain and local accounts and their permission levels routinely to look for situations that could allow an adversary to gain system wide access with stolen privileged account credentials. (Citation: Microsoft May 2017) (Citation: Microsoft August 2018)These audits should also identify if default accounts have been enabled, or if new local accounts are created that have not be authorized. Follow best practices for design and administration of an enterprise network to limit privileged account use across administrative tiers. 
(Citation: Microsoft February 2019)\n", + "source_ref": "course-of-action--622fe4d4-0e8e-4d17-9c25-6c9cef1f15d5", + "target_ref": "attack-pattern--cd2c76a4-5e23-4ca5-9c40-d5e0604f7101", + "external_references": [ + { + "source_name": "Microsoft May 2017", + "description": "Microsoft 2017, May Attractive Accounts for Credential Theft Retrieved. 2020/09/25 ", + "url": "https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/plan/security-best-practices/attractive-accounts-for-credential-theft" + }, + { + "source_name": "Microsoft August 2018", + "description": "Microsoft 2018, August Implementing Least-Privilege Administrative Models Retrieved. 2020/09/25 ", + "url": "https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/plan/security-best-practices/implementing-least-privilege-administrative-models" + }, + { + "source_name": "Microsoft February 2019", + "description": "Microsoft 2019, February Active Directory administrative tier model Retrieved. 2020/09/25 ", + "url": "https://docs.microsoft.com/en-us/windows-server/identity/securing-privileged-access/securing-privileged-access-reference-material#a-nameesaebmaesae-administrative-forest-design-approach" + } + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--350814da-5c36-42f9-8e58-8f9534e6ce0a", + "created": "2018-04-18T17:59:24.739Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "FireEye TRITON", + "description": "Blake Johnson, Dan Caban, Marina Krotofil, Dan Scali, Nathan Brubaker, Christopher Glyer. (2017, December 14). Attackers Deploy New ICS Attack Framework \"TRITON\" and Cause Operational Disruption to Critical Infrastructure. 
Retrieved January 6, 2021.", + "url": "https://www.fireeye.com/blog/threat-research/2017/12/attackers-deploy-new-ics-attack-framework-triton.html" + }, + { + "source_name": "DHS CISA February 2019", + "description": "DHS CISA 2019, February 27 MAR-17-352-01 HatManSafety System Targeted Malware (Update B) Retrieved. 2019/03/08 ", + "url": "https://ics-cert.us-cert.gov/sites/default/files/documents/MAR-17-352-01%20HatMan%20-%20Safety%20System%20Targeted%20Malware%20%28Update%20B%29.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-09-29T20:49:30.525Z", + "description": "[Triton](https://attack.mitre.org/software/S1009)'s injector, inject.bin, masquerades as a standard compiled PowerPC program for the Tricon. (Citation: DHS CISA February 2019)\n\n[Triton](https://attack.mitre.org/software/S1009) was configured to masquerade as trilog.exe, which is the Triconex software for analyzing SIS logs.(Citation: FireEye TRITON)", + "relationship_type": "uses", + "source_ref": "malware--80099a91-4c86-4bea-9ccb-dac55d61960e", + "target_ref": "attack-pattern--ba203963-3182-41ac-af14-7e7ebc83cd61", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--ba010007-6dde-4c9d-8452-69527cd1c2ba", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.091Z", + "relationship_type": "mitigates", + "description": "Minimize permissions and access for service accounts to limit the information that may be exposed or collected by malicious users or software. 
(Citation: National Institute of Standards and Technology April 2013)\n", + "source_ref": "course-of-action--622fe4d4-0e8e-4d17-9c25-6c9cef1f15d5", + "target_ref": "attack-pattern--3405891b-16aa-4bd7-bd7c-733501f9b20f", "external_references": [ { "source_name": "National Institute of Standards and Technology April 2013", 
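Review bot: The added `description` for `relationship--111f437a-c67d-40e4-9515-7e9b22e65eff` has a citation marker fused to the next sentence and a grammar slip, both of which will appear in any rendered mitigation text. It should read `(Citation: Microsoft August 2018) These audits should also identify if default accounts have been enabled, or if new local accounts are created that have not been authorized.` In the same hunk the `DHS CISA February 2019` reference description reads `HatManSafety System`; the URL suggests a separator was lost, so this is probably `HatMan - Safety System`. The following hunk has the same kind of fused text in `Authenticateconnections fromsoftware`, which should be `Authenticate connections from software`. Defenders read these strings when mapping mitigations to techniques, so fixing them at the source keeps the typos out of every downstream consumer.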
@@ -8255,11 +8344,2140 @@ }, { "type": "relationship", - "id": "relationship--f130282b-f681-455f-966b-55829842be92", + "id": "relationship--c11a95c2-6e9d-4d90-b6ab-20227869f2e4", + "created": "2022-05-11T16:22:58.807Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "CopyFromScreen .NET", + "description": "Microsoft. (n.d.). Graphics.CopyFromScreen Method. Retrieved March 24, 2020.", + "url": "https://docs.microsoft.com/en-us/dotnet/api/system.drawing.graphics.copyfromscreen?view=netframework-4.8" + }, + { + "source_name": "Antiquated Mac Malware", + "description": "Thomas Reed. (2017, January 18). New Mac backdoor using antiquated code. Retrieved July 5, 2017.", + "url": "https://blog.malwarebytes.com/threat-analysis/2017/01/new-mac-backdoor-using-antiquated-code/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-14T19:38:15.307Z", + "description": "Monitoring for screen capture behavior will depend on the method used to obtain data from the operating system and write output files. 
Detection methods could include collecting information from unusual processes using API calls used to obtain image data, and monitoring for image files written to disk, such as CopyFromScreen, xwd, or screencapture.(Citation: CopyFromScreen .NET)(Citation: Antiquated Mac Malware) The data may need to be correlated with other events to identify malicious activity, depending on the legitimacy of this behavior within a given network environment.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e", + "target_ref": "attack-pattern--c5e3cdbc-0387-4be9-8f83-ff5c0865f377", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--129a4d3f-fa4a-42c3-833e-8f15155b9693", + "type": "relationship", + "created": "2022-03-09T23:42:34.056Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "Secureworks IRON VIKING ", + "url": "https://www.secureworks.com/research/threat-profiles/iron-viking", + "description": "Secureworks. (2020, May 1). IRON VIKING Threat Profile. Retrieved June 10, 2020." 
+ } + ], + "modified": "2022-03-09T23:42:34.056Z", + "description": "(Citation: Secureworks IRON VIKING )", + "relationship_type": "uses", + "source_ref": "intrusion-set--381fcf73-60f6-4ab2-9991-6af3cbc35192", + "target_ref": "malware--2eaa5319-5e1e-4dd7-bbc4-566fced3964a", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--edf73653-b2d7-422f-b433-b6a428ff12d4", + "created": "2017-05-31T21:33:27.074Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Orkhan Mamedov, Fedor Sinitsyn, Anton Ivanov October 2017", + "description": "Orkhan Mamedov, Fedor Sinitsyn, Anton Ivanov 2017, October 27 Bad Rabbit Ransomware Retrieved. 2019/10/27 ", + "url": "https://securelist.com/bad-rabbit-ransomware/82851/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-12T17:31:21.210Z", + "description": "[Bad Rabbit](https://attack.mitre.org/software/S0606) is disguised as an Adobe Flash installer. When the file is opened it starts locking the infected computer. 
(Citation: Orkhan Mamedov, Fedor Sinitsyn, Anton Ivanov October 2017)", + "relationship_type": "uses", + "source_ref": "malware--2eaa5319-5e1e-4dd7-bbc4-566fced3964a", + "target_ref": "attack-pattern--2736b752-4ec5-4421-a230-8977dea7649c", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--c6562519-81c5-4eca-a815-f46ac0ed4bcc", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.070Z", + "relationship_type": "mitigates", + "description": "Utilize network allowlists to restrict unnecessary connections to network devices (e.g., comm servers, serial to ethernet converters) and services, especially in cases when devices have limits on the number of simultaneous sessions they support.\n", + "source_ref": "course-of-action--aadac250-bcdc-44e3-a4ae-f52bd0a7a16a", + "target_ref": "attack-pattern--008b8f56-6107-48be-aa9f-746f927dbb61", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--97df42a5-e6d3-4fb7-a158-c161d14624ab", + "created": "2022-05-11T16:22:58.806Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-09-26T16:59:40.539Z", + "description": "Monitor device application logs parameter changes, although not all devices will produce such logs.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--9c2fa0ae-7abc-485a-97f6-699e3b6cf9fa", + "target_ref": 
"attack-pattern--097924ce-a9a9-4039-8591-e0deedfb8722", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--58aa90a7-886b-4f37-ab16-a0beb0e64877", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2021-04-21T14:04:49.301Z", + "modified": "2022-05-06T17:47:24.368Z", + "relationship_type": "uses", + "description": "[Dragonfly 2.0](https://attack.mitre.org/groups/G0035) captured ICS vendor names, reference documents, wiring diagrams, and panel layouts about the process environment. (Citation: Cybersecurity & Infrastructure Security Agency March 2018)", + "source_ref": "intrusion-set--76d59913-1d24-4992-a8ac-05a3eb093f71", + "target_ref": "attack-pattern--b7e13ee8-182c-4f19-92a4-a88d7d855d54", + "external_references": [ + { + "source_name": "Cybersecurity & Infrastructure Security Agency March 2018", + "description": "Cybersecurity & Infrastructure Security Agency 2018, March 15 Alert (TA18-074A) Russian Government Cyber Activity Targeting Energy and Other Critical Infrastructure Sectors Retrieved. 2019/10/11 ", + "url": "https://us-cert.cisa.gov/ncas/alerts/TA18-074A" + } + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--11e4eb54-b0b3-4f67-a93f-28cc10df00ab", + "created": "2021-04-13T12:28:20.652Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Ben Hunter and Fred Gutierrez July 2020", + "description": "Ben Hunter and Fred Gutierrez 2020, July 01 EKANS Ransomware Targeting OT ICS Systems Retrieved. 
2021/04/12 ", + "url": "https://www.fortinet.com/blog/threat-research/ekans-ransomware-targeting-ot-ics-systems" + }, + { + "source_name": "Daniel Kapellmann Zafra, Keith Lunden, Nathan Brubaker, Jeremy Kennelly July 2020", + "description": "Daniel Kapellmann Zafra, Keith Lunden, Nathan Brubaker, Jeremy Kennelly 2020, July 15 Ransomware Against the Machine: How Adversaries are Learning to Disrupt Industrial Production by Targeting IT and OT Retrieved. 2021/04/12 ", + "url": "https://www.fireeye.com/blog/threat-research/2020/02/ransomware-against-machine-learning-to-disrupt-industrial-production.html" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-12T17:45:28.094Z", + "description": "Before encrypting the process, [EKANS](https://attack.mitre.org/software/S0605) first kills the process if its name matches one of the processes defined on the kill-list. (Citation: Daniel Kapellmann Zafra, Keith Lunden, Nathan Brubaker, Jeremy Kennelly July 2020) (Citation: Daniel Kapellmann Zafra, Keith Lunden, Nathan Brubaker, Jeremy Kennelly July 2020) EKANS also utilizes netsh commands to implement firewall rules that blocks any remote communication with the device. 
(Citation: Ben Hunter and Fred Gutierrez July 2020)", + "relationship_type": "uses", + "source_ref": "malware--00e7d565-9883-4ee5-b642-8fd17fd6a3f5", + "target_ref": "attack-pattern--063b5b92-5361-481a-9c3f-95492ed9a2d8", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--bda03e8d-5e06-4470-b786-11b11c7c97c7", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.203Z", + "relationship_type": "mitigates", + "description": "Deploy anti-virus on all systems that support external email.\n", + "source_ref": "course-of-action--faf2b40e-5981-433f-aa46-17458e0026f7", + "target_ref": "attack-pattern--648f995e-9c3a-41e4-aeee-98bb41037426", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--f0ac1d07-fccd-4330-93cf-fbc985ee6fb9", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.160Z", + "relationship_type": "mitigates", + "description": "Use host-based allowlists to prevent devices from accepting connections from unauthorized systems. For example, allowlists can be used to ensure devices can only connect with master stations or known management/engineering workstations. 
(Citation: Department of Homeland Security September 2016)\n", + "source_ref": "course-of-action--aadac250-bcdc-44e3-a4ae-f52bd0a7a16a", + "target_ref": "attack-pattern--efbf7888-f61b-4572-9c80-7e2965c60707", + "external_references": [ + { + "source_name": "Department of Homeland Security September 2016", + "description": "Department of Homeland Security 2016, September Retrieved. 2020/09/25 ", + "url": "https://us-cert.cisa.gov/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf" + } + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--b0f137d8-3c56-4f6c-9d59-1ec231d61391", + "created": "2022-05-11T16:22:58.805Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-14T19:43:36.467Z", + "description": "Use deep packet inspection to look for artifacts of common exploit traffic, such as known payloads.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c", + "target_ref": "attack-pattern--32632a95-6856-47b9-9ab7-fea5cd7dce00", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--5d4f6aff-650c-45fe-a9d8-2080d3ea02d7", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.150Z", + "relationship_type": "mitigates", + "description": "Authenticateconnections fromsoftware and devices to prevent unauthorized 
systems from accessing protected management functions.\n", + "source_ref": "course-of-action--72e46e53-e12d-4106-9c70-33241b6ed549", + "target_ref": "attack-pattern--e5de767e-f513-41cd-aa15-33f6ce5fbf92", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--590bdd67-31ef-4edd-b2ac-2bd1b98da19c", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.201Z", + "relationship_type": "mitigates", + "description": "Consider removal or disabling of programs and features which may be used to run malicious scripts (e.g., scripting language IDEs, PowerShell, visual studio).\n", + "source_ref": "course-of-action--d0909119-2f71-4923-87db-b649881672d7", + "target_ref": "attack-pattern--2dc2b567-8821-49f9-9045-8740f3d0b958", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--edb32a4d-62a3-467c-8dfa-f97f1bcbffc6", + "created": "2022-09-27T16:56:30.665Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-14T16:39:41.897Z", + "description": "Monitor for newly constructed scheduled jobs that may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--f42df6f0-6395-4f0c-9376-525a031f00c3", + "target_ref": "attack-pattern--ba203963-3182-41ac-af14-7e7ebc83cd61", + "x_mitre_deprecated": false, + 
"x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--37abb3d5-24fc-4397-844e-07548d324729", + "created": "2022-05-11T16:22:58.807Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-09-26T14:32:20.552Z", + "description": "Monitor for anomalous or unexpected commands that may result in changes to the process operation (e.g., discrete write, logic and device configuration, mode changes) observable via asset application logs.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--9c2fa0ae-7abc-485a-97f6-699e3b6cf9fa", + "target_ref": "attack-pattern--40b300ba-f553-48bf-862e-9471b220d455", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--0ff88ef7-44fd-4307-b381-2e0bc76ce83b", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.209Z", + "relationship_type": "mitigates", + "description": "Ensure proper network segmentation between higher level corporate resources and the control process environment.\n", + "source_ref": "course-of-action--1e7ccfc0-94c8-496e-8d27-032120892291", + "target_ref": "attack-pattern--e076cca8-2f08-45c9-aff7-ea5ac798b387", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "object_marking_refs": [ + 
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--2fffbea8-c031-4de8-a451-447bbbe3e224", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.201Z", + "relationship_type": "mitigates", + "description": "Consider the use of application isolation and sandboxing to restrict specific operating system interactions such as access through user accounts, services, system calls, registry, and network access. This may be even more useful in cases where the source of the executed script is unknown.\n", + "source_ref": "course-of-action--059ba11e-e3dc-49aa-84ca-88197f40d4ea", + "target_ref": "attack-pattern--2dc2b567-8821-49f9-9045-8740f3d0b958", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--c9c1c589-b5c6-4231-982f-cae0aa41f349", + "created": "2018-10-17T00:14:20.652Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "ESET", + "description": "ESET ACAD/Medre.A: 10000s of AutoCAD Designs Leaked in Suspected Industrial Espionage Retrieved. 2021/04/13 ", + "url": "https://www.welivesecurity.com/wp-content/uploads/200x/white-papers/ESET_ACAD_Medre_A_whitepaper.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-12T17:11:11.693Z", + "description": "[ACAD/Medre.A](https://attack.mitre.org/software/S1000) collects information related to the AutoCAD application. The worm collects AutoCAD (*.dwg) files with drawings from information repositories. 
(Citation: ESET)\n", + "relationship_type": "uses", + "source_ref": "malware--a4a98eab-b691-45d9-8c48-869ef8fefd57", + "target_ref": "attack-pattern--3405891b-16aa-4bd7-bd7c-733501f9b20f", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--841ec349-0f4c-43fa-89b8-ef3656497fc9", + "created": "2018-10-17T00:14:20.652Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Anton Cherepanov, ESET June 2017", + "description": "Anton Cherepanov, ESET 2017, June 12 Win32/Industroyer: A new threat for industrial control systems Retrieved. 2017/09/15 ", + "url": "https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-09-23T18:49:11.920Z", + "description": "[Industroyer](https://attack.mitre.org/software/S0604) contains an IEC 61850 module that enumerates all connected network adapters to determine their TCP/IP subnet masks. 
(Citation: Anton Cherepanov, ESET June 2017)", + "relationship_type": "uses", + "source_ref": "malware--e401d4fe-f0c9-44f0-98e6-f93487678808", + "target_ref": "attack-pattern--ea0c980c-5cf0-43a7-a049-59c4c207566e", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--fcd3fdbf-4909-48ab-85c4-ce4b34172eb0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.106Z", + "relationship_type": "mitigates", + "description": "Restrict browsers to limit the capabilities of malicious ads and Javascript.\n", + "source_ref": "course-of-action--143b4398-3222-480a-b6a4-e131bc2d3144", + "target_ref": "attack-pattern--7830cfcf-b268-4ac0-a69e-73c6affbae9a", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--881ef4ba-a480-44de-8ab6-be2cdc87dcce", + "created": "2022-09-27T15:25:50.596Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-14T19:49:19.854Z", + "description": "Use verification of distributed binaries through hash checking or other integrity checking mechanisms. 
Scan downloads for malicious signatures.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--639e87f3-acb6-448a-9645-258f20da4bc5", + "target_ref": "attack-pattern--5e0f75da-e108-4688-a6de-a4f07cc2cbe3", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--56672ea4-cbf0-4a3e-8aed-edcc7d33133b", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.075Z", + "relationship_type": "mitigates", + "description": "Segment operational assets and their management devices based on their functional role within the process. Enabling more strict isolation to more critical control and operational information within the control environment. (Citation: Karen Scarfone; Paul Hoffman September 2009) (Citation: Keith Stouffer May 2015) (Citation: Department of Homeland Security September 2016) (Citation: Dwight Anderson 2014) \n", + "source_ref": "course-of-action--1e7ccfc0-94c8-496e-8d27-032120892291", + "target_ref": "attack-pattern--8e7089d3-fba2-44f8-94a8-9a79c53920c4", + "external_references": [ + { + "source_name": "Karen Scarfone; Paul Hoffman September 2009", + "description": "Karen Scarfone; Paul Hoffman 2009, September Guidelines on Firewalls and Firewall Policy Retrieved. 2020/09/25 ", + "url": "https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-41r1.pdf" + }, + { + "source_name": "Keith Stouffer May 2015", + "description": "Keith Stouffer 2015, May Guide to Industrial Control Systems (ICS) Security Retrieved. 
2018/03/28 ", + "url": "https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-82r2.pdf" + }, + { + "source_name": "Department of Homeland Security September 2016", + "description": "Department of Homeland Security 2016, September Retrieved. 2020/09/25 ", + "url": "https://us-cert.cisa.gov/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf" + }, + { + "source_name": "Dwight Anderson 2014", + "description": "Dwight Anderson 2014 Protect Critical Infrastructure Systems With Whitelisting Retrieved. 2020/09/25 ", + "url": "https://www.sans.org/reading-room/whitepapers/ICS/protect-critical-infrastructure-systems-whitelisting-35312" + } + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--3d676c1b-2650-4599-8a57-790c55f9977d", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.109Z", + "relationship_type": "mitigates", + "description": "Minimize the exposure of API calls that allow the execution of code.\n", + "source_ref": "course-of-action--4fa717d9-cabe-47c8-8cdd-86e9e2e37f30", + "target_ref": "attack-pattern--5a2610f6-9fff-41e1-bc27-575ca20383d4", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--9f25cdae-7d0f-49cd-acaf-481f71195ae5", + "created": "2022-09-27T16:38:57.931Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-09-27T16:38:57.931Z", + "description": "Detecting software exploitation may be difficult depending on the tools available. 
Software exploits may not always succeed or may cause the exploited process to become unstable or crash.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--9c2fa0ae-7abc-485a-97f6-699e3b6cf9fa", + "target_ref": "attack-pattern--cfe68e93-ce94-4c0f-a57d-3aa72cedd618", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "2.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--c5fd0969-c151-4849-94c2-83e2e208cff7", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.168Z", + "relationship_type": "mitigates", + "description": "Ensure that wired and/or wireless traffic is encrypted when feasible. Use best practices for authentication protocols, such as Kerberos, and ensure web traffic that may contain credentials is protected by SSL/TLS. (Citation: Keith Stouffer May 2015)\n", + "source_ref": "course-of-action--7f153c28-e5f1-4764-88fb-eea1d9b0ad4a", + "target_ref": "attack-pattern--38213338-1aab-479d-949b-c81b66ccca5c", + "external_references": [ + { + "source_name": "Keith Stouffer May 2015", + "description": "Keith Stouffer 2015, May Guide to Industrial Control Systems (ICS) Security Retrieved. 
2018/03/28 ", + "url": "https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-82r2.pdf" + } + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--46bc86e4-e20b-4778-80d2-8891039e6fb4", "created": "2017-12-14T16:46:06.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ + { + "source_name": "Hydro", + "description": "Hydro Kevin Beaumont How Lockergoga took down Hydro ransomware used in targeted attacks aimed at big business Retrieved. 2019/10/16 Retrieved. 2019/10/16 ", + "url": "https://www.hydro.com/en/media/on-the-agenda/cyber-attack/" + }, + { + "source_name": "Kevin Beaumont", + "description": "Kevin Beaumont How Lockergoga took down Hydro ransomware used in targeted attacks aimed at big business Retrieved. 2019/10/16 ", + "url": "https://doublepulsar.com/how-lockergoga-took-down-hydro-ransomware-used-in-targeted-attacks-aimed-at-big-business-c666551f5880" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-12T17:56:30.836Z", + "description": "While Norsk Hydro attempted to recover from a [LockerGoga](https://attack.mitre.org/software/S0372) infection, most of its 160 manufacturing locations switched to manual (non-IT driven) operations. Manual operations can result in a loss of productivity. 
(Citation: Kevin Beaumont)(Citation: Hydro)", + "relationship_type": "uses", + "source_ref": "malware--5af7a825-2d9f-400d-931a-e00eb9e27f48", + "target_ref": "attack-pattern--63b6942d-8359-4506-bfb3-cf87aa8120ee", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--7ff12adb-bc9a-42e5-9cbf-613b200c36dc", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.114Z", + "relationship_type": "mitigates", + "description": "Make it difficult for adversaries to advance their operation through exploitation of undiscovered or unpatched vulnerabilities by using sandboxing. Other types of virtualization and application microsegmentation may also mitigate the impact of some types of exploitation. Risks of additional exploits and weaknesses in these systems may still exist. (Citation: Dan Goodin March 2017)\n", + "source_ref": "course-of-action--059ba11e-e3dc-49aa-84ca-88197f40d4ea", + "target_ref": "attack-pattern--9f947a1c-3860-48a8-8af0-a2dfa3efde03", + "external_references": [ + { + "source_name": "Dan Goodin March 2017", + "description": "Dan Goodin 2017, March Virtual machine escape fetches $105,000 at Pwn2Own hacking contest Retrieved. 
2020/09/25 ", + "url": "https://arstechnica.com/information-technology/2017/03/hack-that-escapes-vm-by-exploiting-edge-browser-fetches-105000-at-pwn2own/" + } + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--74b66248-2cb6-46ea-b52c-c7d60c170f3f", + "created": "2018-04-18T17:59:24.739Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "MDudek-ICS", + "description": "MDudek-ICS TRISIS-TRITON-HATMAN Retrieved. 2019/11/03 ", + "url": "https://github.com/MDudek-ICS/TRISIS-TRITON-HATMAN/tree/master/decompiled_code/library" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-12T18:26:26.552Z", + "description": "[Triton](https://attack.mitre.org/software/S1009) has the ability to halt or run a program through the TriStation protocol. TsHi.py contains instances of halt and run functions being executed. 
(Citation: MDudek-ICS)", + "relationship_type": "uses", + "source_ref": "malware--80099a91-4c86-4bea-9ccb-dac55d61960e", + "target_ref": "attack-pattern--2883c520-7957-46ca-89bd-dab1ad53b601", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--bbf297d3-0c3c-44be-b780-332bac17b0ba", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.222Z", + "relationship_type": "mitigates", + "description": "Devices should authenticate all messages between master and outstation assets.\n", + "source_ref": "course-of-action--72e46e53-e12d-4106-9c70-33241b6ed549", + "target_ref": "attack-pattern--40b300ba-f553-48bf-862e-9471b220d455", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--2089201c-c1c6-4d92-a737-a6499e26ee7f", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.094Z", + "relationship_type": "mitigates", + "description": "Provide operators with redundant, out-of-band communication to support monitoring and control of the operational processes, especially when recovering from a network outage (Citation: National Institute of Standards and Technology April 2013). Out-of-band communication should utilize diverse systems and technologies to minimize common failure modes and vulnerabilities within the communications infrastructure. 
For example, wireless networks (e.g., 3G, 4G) can be used to provide diverse and redundant delivery of data.\n", + "source_ref": "course-of-action--b11cad63-ef30-4eb8-af0d-6cc46eef3f3e", + "target_ref": "attack-pattern--e33c7ecc-5a38-497f-beb2-a9a2049a4c20", + "external_references": [ + { + "source_name": "National Institute of Standards and Technology April 2013", + "description": "National Institute of Standards and Technology 2013, April Security and Privacy Controls for Federal Information Systems and Organizations Retrieved. 2020/09/17 ", + "url": "https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf" + } + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--c67e3535-69a9-4234-8170-4ad6efc632b7", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.211Z", + "relationship_type": "mitigates", + "description": "Implement continuous monitoring of vulnerability sources. Also, use automatic and manual code review tools. (Citation: OWASP)\n", + "source_ref": "course-of-action--de0bc375-50e1-4e26-a342-a8ff8c9d3037", + "target_ref": "attack-pattern--5e0f75da-e108-4688-a6de-a4f07cc2cbe3", + "external_references": [ + { + "source_name": "OWASP", + "description": "OWASP Top 10 Web Application Security Risks Retrieved. 
2020/09/25 ", + "url": "https://owasp.org/www-project-top-ten/" + } + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--f15f24d2-e581-46ce-83e4-a924f572aae6", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.065Z", + "relationship_type": "mitigates", + "description": "Segment operational network and systems to restrict access to critical system functions to predetermined management systems. (Citation: Department of Homeland Security September 2016)\n", + "source_ref": "course-of-action--1e7ccfc0-94c8-496e-8d27-032120892291", + "target_ref": "attack-pattern--19a71d1e-6334-4233-8260-b749cae37953", + "external_references": [ + { + "source_name": "Department of Homeland Security September 2016", + "description": "Department of Homeland Security 2016, September Retrieved. 2020/09/25 ", + "url": "https://us-cert.cisa.gov/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf" + } + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--55fe102a-d32b-4a73-85b1-14a02d0e552f", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2018-10-17T00:14:20.652Z", + "modified": "2022-05-06T17:47:24.362Z", + "relationship_type": "uses", + "description": "[Dragonfly 2.0](https://attack.mitre.org/groups/G0035) utilized watering hole attacks to gather credentials, by compromising websites that energy sector organizations might access. 
(Citation: Symantec September 2017) A line of code is injected into the header.php file, this is used to redirect the visitors to an adversary controlled IP. (Citation: Cybersecurity & Infrastructure Security Agency March 2018)", + "source_ref": "intrusion-set--76d59913-1d24-4992-a8ac-05a3eb093f71", + "target_ref": "attack-pattern--7830cfcf-b268-4ac0-a69e-73c6affbae9a", + "external_references": [ + { + "source_name": "Symantec September 2017", + "description": "Symantec 2017, September 6 Dragonfly: Western energy sector targeted by sophisticated attack group Retrieved. 2017/09/14 ", + "url": "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/dragonfly-energy-sector-cyber-attacks" + }, + { + "source_name": "Cybersecurity & Infrastructure Security Agency March 2018", + "description": "Cybersecurity & Infrastructure Security Agency 2018, March 15 Alert (TA18-074A) Russian Government Cyber Activity Targeting Energy and Other Critical Infrastructure Sectors Retrieved. 2019/10/11 ", + "url": "https://us-cert.cisa.gov/ncas/alerts/TA18-074A" + } + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--228b9a13-0545-4ecf-99ff-be02addaf7fe", + "created": "2018-10-17T00:14:20.652Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "ESET", + "description": "ESET ACAD/Medre.A: 10000s of AutoCAD Designs Leaked in Suspected Industrial Espionage Retrieved. 
2021/04/13 ", + "url": "https://www.welivesecurity.com/wp-content/uploads/200x/white-papers/ESET_ACAD_Medre_A_whitepaper.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-12T17:10:58.645Z", + "description": "[ACAD/Medre.A](https://attack.mitre.org/software/S1000) can collect AutoCad files with drawings. These drawings may contain operational information. (Citation: ESET)\n", + "relationship_type": "uses", + "source_ref": "malware--a4a98eab-b691-45d9-8c48-869ef8fefd57", + "target_ref": "attack-pattern--b7e13ee8-182c-4f19-92a4-a88d7d855d54", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--a1383f2a-2ee2-47df-a661-8904a7535e0c", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.233Z", + "relationship_type": "mitigates", + "description": "Applications and appliances that utilize default username and password should be changed immediately after the installation, and before deployment to a production environment. (Citation: CISA June 2013)\n", + "source_ref": "course-of-action--5d97c693-e054-48ba-a3a3-eaf6942dfb65", + "target_ref": "attack-pattern--cd2c76a4-5e23-4ca5-9c40-d5e0604f7101", + "external_references": [ + { + "source_name": "CISA June 2013", + "description": "CISA 2013, June Risks of Default Passwords on the Internet Retrieved. 
2020/09/25 ", + "url": "https://us-cert.cisa.gov/ncas/alerts/TA13-175A" + } + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--3618a010-b94b-4974-b1be-7630d5c853c1", + "created": "2018-10-17T00:14:20.652Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Robert Falcone, Bryan Lee May 2016", + "description": "Robert Falcone, Bryan Lee 2016, May 26 The OilRig Campaign: Attacks on Saudi Arabian Organizations Deliver Helminth Backdoor Retrieved. 2019/11/19 ", + "url": "https://unit42.paloaltonetworks.com/the-oilrig-campaign-attacks-on-saudi-arabian-organizations-deliver-helminth-backdoor/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-12T16:31:19.923Z", + "description": "[OilRig](https://attack.mitre.org/groups/G0049) used spearphishing emails with malicious Microsoft Excel spreadsheet attachments. 
(Citation: Robert Falcone, Bryan Lee May 2016)", + "relationship_type": "uses", + "source_ref": "intrusion-set--4ca1929c-7d64-4aab-b849-badbfc0c760d", + "target_ref": "attack-pattern--648f995e-9c3a-41e4-aeee-98bb41037426", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--61668e93-6d9d-418d-9fbd-2d88c3a66544", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.199Z", + "relationship_type": "mitigates", + "description": "Segment operational assets and their management devices based on their functional role within the process. Enabling more strict isolation to more critical control and operational information within the control environment. (Citation: Karen Scarfone; Paul Hoffman September 2009) (Citation: Keith Stouffer May 2015) (Citation: Department of Homeland Security September 2016) (Citation: Dwight Anderson 2014) \n", + "source_ref": "course-of-action--1e7ccfc0-94c8-496e-8d27-032120892291", + "target_ref": "attack-pattern--b14395bd-5419-4ef4-9bd8-696936f509bb", + "external_references": [ + { + "source_name": "Karen Scarfone; Paul Hoffman September 2009", + "description": "Karen Scarfone; Paul Hoffman 2009, September Guidelines on Firewalls and Firewall Policy Retrieved. 2020/09/25 ", + "url": "https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-41r1.pdf" + }, + { + "source_name": "Keith Stouffer May 2015", + "description": "Keith Stouffer 2015, May Guide to Industrial Control Systems (ICS) Security Retrieved. 
2018/03/28 ", + "url": "https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-82r2.pdf" + }, + { + "source_name": "Department of Homeland Security September 2016", + "description": "Department of Homeland Security 2016, September Retrieved. 2020/09/25 ", + "url": "https://us-cert.cisa.gov/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf" + }, + { + "source_name": "Dwight Anderson 2014", + "description": "Dwight Anderson 2014 Protect Critical Infrastructure Systems With Whitelisting Retrieved. 2020/09/25 ", + "url": "https://www.sans.org/reading-room/whitepapers/ICS/protect-critical-infrastructure-systems-whitelisting-35312" + } + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--d1971b32-3a15-4544-9f36-80c05121deb6", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.160Z", + "relationship_type": "mitigates", + "description": "All devices or systems changes, including all administrative functions, should require authentication. 
Consider using access management technologies to enforce authorization on all management interface access attempts, especially when the device does not inherently provide strong authentication and authorization functions.\n", + "source_ref": "course-of-action--3992ce42-43e9-4bea-b8db-a102ec3ec1e3", + "target_ref": "attack-pattern--efbf7888-f61b-4572-9c80-7e2965c60707", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--0d4f2f88-e176-42c7-8258-52b345045662", + "created": "2022-09-28T20:29:51.844Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "CISA-AA22-103A", + "description": "DHS/CISA. (2022, May 25). Alert (AA22-103A) APT Cyber Tools Targeting ICS/SCADA Devices. Retrieved September 28, 2022.", + "url": "https://www.cisa.gov/uscert/ncas/alerts/aa22-103a" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-12T15:17:08.493Z", + "description": "[INCONTROLLER](https://attack.mitre.org/software/S1045) can remotely send commands to a malicious agent uploaded on Omron PLCs over HTTP or HTTPS.(Citation: CISA-AA22-103A) ", + "relationship_type": "uses", + "source_ref": "malware--d3aa1058-b1b3-4c29-a3ba-9a9b90ccd93b", + "target_ref": "attack-pattern--e076cca8-2f08-45c9-aff7-ea5ac798b387", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--9cca3120-c95e-4f5e-bc4b-0521ab5cc512", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", 
+ "modified": "2022-05-06T17:47:24.203Z", + "relationship_type": "mitigates", + "description": "Segment operational network and systems to restrict access to critical system functions to predetermined management systems. (Citation: Department of Homeland Security September 2016)\n", + "source_ref": "course-of-action--1e7ccfc0-94c8-496e-8d27-032120892291", + "target_ref": "attack-pattern--063b5b92-5361-481a-9c3f-95492ed9a2d8", + "external_references": [ + { + "source_name": "Department of Homeland Security September 2016", + "description": "Department of Homeland Security 2016, September Retrieved. 2020/09/25 ", + "url": "https://us-cert.cisa.gov/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf" + } + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--7dad75e6-f569-4bb9-ad75-5eda55dff0b1", + "created": "2022-05-11T16:22:58.806Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-14T16:54:12.966Z", + "description": "Monitor for API calls (such as GetAdaptersInfo() and GetIpNetTable()) that may gather details about the network configuration and settings, such as IP and/or MAC addresses. Also monitor for API calls that may attempt to get a listing of network connections to or from the compromised system they are currently accessing or from remote systems by querying for information over the network. 
For added context on adversary procedures and background see [System Network Configuration Discovery](https://attack.mitre.org/techniques/T1016) and [System Network Connections Discovery](https://attack.mitre.org/techniques/T1049).", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e", + "target_ref": "attack-pattern--ea0c980c-5cf0-43a7-a049-59c4c207566e", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--d16e8909-d055-4174-aeb1-22c0613b2f73", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.141Z", + "relationship_type": "mitigates", + "description": "Disable unnecessary legacy network protocols that may be used for MiTM if applicable.\n", + "source_ref": "course-of-action--d0909119-2f71-4923-87db-b649881672d7", + "target_ref": "attack-pattern--9a505987-ab05-4f46-a9a6-6441442eec3b", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--f4f98ce1-d0b8-4699-b602-33a6a6ffca67", + "created": "2022-05-11T16:22:58.807Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-09-26T16:33:51.166Z", + "description": "Monitor for new master devices communicating with outstation assets, which may be visible in asset application logs.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--9c2fa0ae-7abc-485a-97f6-699e3b6cf9fa", + 
"target_ref": "attack-pattern--b14395bd-5419-4ef4-9bd8-696936f509bb", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--20f66fab-7a08-4707-ac79-92dac5acd11d", + "created": "2021-04-13T11:15:26.506Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Spenneberg, Ralf, Maik Brggemann, and Hendrik Schwartke March 2016", + "description": "Spenneberg, Ralf, Maik Brggemann, and Hendrik Schwartke 2016, March 31 Plc-blaster: A worm living solely in the plc. Retrieved. 2017/09/19 ", + "url": "https://www.blackhat.com/docs/asia-16/materials/asia-16-Spenneberg-PLC-Blaster-A-Worm-Living-Solely-In-The-PLC-wp.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-12T18:00:13.772Z", + "description": "[PLC-Blaster](https://attack.mitre.org/software/S1006)'s code is stored in OB9999. The original code on the target is untouched. The OB is automatically detected by the PLC and executed. 
(Citation: Spenneberg, Ralf, Maik Brggemann, and Hendrik Schwartke March 2016)", + "relationship_type": "uses", + "source_ref": "malware--4dcff507-5af8-47ce-964a-8d9569e9ccfe", + "target_ref": "attack-pattern--09a61657-46e1-439e-b3ed-3e4556a78243", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--575f0e0b-d68d-432b-abb3-cbd3e641fc88", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.199Z", + "relationship_type": "mitigates", + "description": "Perform inline allowlisting of automation protocol commands to prevent devices from sending unauthorized command or reporting messages. Allow/denylist techniques need to be designed with sufficient accuracy to prevent the unintended blocking of valid reporting messages.\n", + "source_ref": "course-of-action--11f242bc-3121-438c-84b2-5cbd46a4bb17", + "target_ref": "attack-pattern--b14395bd-5419-4ef4-9bd8-696936f509bb", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--f664bf42-5fb2-41e5-b790-978ddf866da3", + "created": "2022-05-11T16:22:58.803Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-09-27T17:45:58.655Z", + "description": "Monitor for information collection on assets that may indicate deviations from standard operational tools. 
Examples include unexpected industrial automation protocol functions, new high volume communication sessions, or broad collection across many hosts within the network. ", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c", + "target_ref": "attack-pattern--3de230d4-3e42-4041-b089-17e1128feded", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--83c29179-4805-403a-acf5-5151c4d2e556", + "created": "2018-10-17T00:14:20.652Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Anton Cherepanov, ESET June 2017", + "description": "Anton Cherepanov, ESET 2017, June 12 Win32/Industroyer: A new threat for industrial control systems Retrieved. 2017/09/15 ", + "url": "https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-09-23T18:27:02.814Z", + "description": "[Industroyer](https://attack.mitre.org/software/S0604)'s OPC and IEC 61850 protocol modules include the ability to send stVal requests to read the status of operational variables. 
(Citation: Anton Cherepanov, ESET June 2017)", + "relationship_type": "uses", + "source_ref": "malware--e401d4fe-f0c9-44f0-98e6-f93487678808", + "target_ref": "attack-pattern--2d0d40ad-22fa-4cc8-b264-072557e1364b", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--54e73627-95de-4e6e-abf0-d93e20a1fe8f", + "created": "2022-05-11T16:22:58.806Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-09-26T17:07:49.346Z", + "description": "Monitor for device alarms produced when program uploads occur, although not all devices will produce such alarms.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--9c2fa0ae-7abc-485a-97f6-699e3b6cf9fa", + "target_ref": "attack-pattern--3067b85e-271e-4bc5-81ad-ab1a81d411e3", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--a78e727c-8e42-448c-beb4-463804e18be0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.123Z", + "relationship_type": "mitigates", + "description": "Minimize permissions and access for service accounts to limit impact of exploitation. 
(Citation: Keith Stouffer May 2015)\n", + "source_ref": "course-of-action--622fe4d4-0e8e-4d17-9c25-6c9cef1f15d5", + "target_ref": "attack-pattern--85a45294-08f1-4539-bf00-7da08aa7b0ee", + "external_references": [ + { + "source_name": "Keith Stouffer May 2015", + "description": "Keith Stouffer 2015, May Guide to Industrial Control Systems (ICS) Security Retrieved. 2018/03/28 ", + "url": "https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-82r2.pdf" + } + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--798919d3-df8b-463f-b2be-4c1aa8089384", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2021-10-14T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.226Z", + "relationship_type": "mitigates", + "description": "Segment and control software movement between business and OT environments by way of one directional DMZs. Web access should be restricted from the OT environment. Engineering workstations, including transient cyber assets (TCAs) should have minimal connectivity to external networks, including Internet and email, further limit the extent to which these devices are dual-homed to multiple networks. (Citation: North America Transmission Forum December 2019)\n", + "source_ref": "course-of-action--1e7ccfc0-94c8-496e-8d27-032120892291", + "target_ref": "attack-pattern--35392fb4-a31d-4c6a-b9f2-1c65b7f5e6b9", + "external_references": [ + { + "source_name": "North America Transmission Forum December 2019", + "description": "North America Transmission Forum 2019, December NATF Transient Cyber Asset Guidance Retrieved. 
2020/09/25 ", + "url": "https://www.natf.net/docs/natf/documents/resources/security/natf-transient-cyber-asset-guidance.pdf" + } + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--b064068a-9e17-4ac8-9a92-a1338d7196c7", + "created": "2022-09-27T15:30:18.604Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-09-27T15:30:18.604Z", + "description": "Monitor logs from installed applications (e.g., historian logs) for unexpected commands or abuse of system features.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--9c2fa0ae-7abc-485a-97f6-699e3b6cf9fa", + "target_ref": "attack-pattern--24a9253e-8948-4c98-b751-8e2aee53127c", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "2.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--b5ab26e2-eb90-4f19-b35a-b8a0a5438961", + "created": "2017-12-14T16:46:06.044Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Hydro", + "description": "Hydro Kevin Beaumont How Lockergoga took down Hydro ransomware used in targeted attacks aimed at big business Retrieved. 2019/10/16 Retrieved. 2019/10/16 ", + "url": "https://www.hydro.com/en/media/on-the-agenda/cyber-attack/" + }, + { + "source_name": "Kevin Beaumont", + "description": "Kevin Beaumont How Lockergoga took down Hydro ransomware used in targeted attacks aimed at big business Retrieved. 
2019/10/16 ", + "url": "https://doublepulsar.com/how-lockergoga-took-down-hydro-ransomware-used-in-targeted-attacks-aimed-at-big-business-c666551f5880" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-12T17:57:06.704Z", + "description": "Some of Norsk Hydro's production systems were impacted by a [LockerGoga](https://attack.mitre.org/software/S0372) infection. This resulted in a loss of control which forced the company to switch to manual operations. (Citation: Kevin Beaumont) (Citation: Hydro)", + "relationship_type": "uses", + "source_ref": "malware--5af7a825-2d9f-400d-931a-e00eb9e27f48", + "target_ref": "attack-pattern--a81696ef-c106-482c-8f80-59c30f2569fb", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--92ea1c2a-3835-43de-bb56-24e937a6f322", + "created": "2022-05-11T16:22:58.807Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-14T16:31:12.226Z", + "description": "Monitor for events associated with scripting execution, such as the loading of modules associated with scripting languages (e.g., JScript.dll, vbscript.dll).", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--c0a4a086-cc20-4e1e-b7cb-29d99dfa3fb1", + "target_ref": "attack-pattern--2dc2b567-8821-49f9-9045-8740f3d0b958", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--fc6cc5f2-ef5b-4a28-a0b2-a277ee98191d", + "created": "2022-05-11T16:22:58.808Z", + "created_by_ref": 
"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-14T16:45:25.119Z", + "description": "Monitor and analyze traffic patterns and packet inspection associated with web-based network connections that are sent to malicious or suspicious destinations (e.g., destinations attributed to phishing campaigns). Consider correlation with process monitoring and command line to detect anomalous processes execution and command line arguments (e.g., monitor anomalies in use of files that do not normally initiate network connections or unusual connections initiated by regsvr32.exe, rundll.exe, SCF, HTA, MSI, DLLs, or msiexec.exe).", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c", + "target_ref": "attack-pattern--2736b752-4ec5-4421-a230-8977dea7649c", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--4cce6bf1-1aa9-483d-a733-d6e52e091419", + "created": "2022-05-11T16:22:58.804Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Atlassian Confluence Logging", + "description": "Atlassian. (2018, January 9). How to Enable User Access Logging. Retrieved April 4, 2018.", + "url": "https://confluence.atlassian.com/confkb/how-to-enable-user-access-logging-182943.html" + }, + { + "source_name": "Microsoft SharePoint Logging", + "description": "Microsoft. (2017, July 19). Configure audit settings for a site collection. 
Retrieved April 4, 2018.", + "url": "https://support.office.com/en-us/article/configure-audit-settings-for-a-site-collection-a9920c97-38c0-44f2-8bcb-4cf1e2ae22d2" + }, + { + "source_name": "Sharepoint Sharing Events", + "description": "Microsoft. (n.d.). Sharepoint Sharing Events. Retrieved October 8, 2021.", + "url": "https://docs.microsoft.com/en-us/microsoft-365/compliance/use-sharing-auditing?view=o365-worldwide#sharepoint-sharing-events" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-09-27T18:01:51.664Z", + "description": "In the case of detecting collection from centralized information repositories monitor for newly constructed logon behavior within Microsoft's SharePoint can be configured to report access to certain pages and documents.(Citation: Microsoft SharePoint Logging) Sharepoint audit logging can also be configured to report when a user shares a resource.(Citation: Sharepoint Sharing Events) The user access logging within Atlassian's Confluence can also be configured to report access to certain pages and documents through AccessLogFilter.(Citation: Atlassian Confluence Logging) Additional log storage and analysis infrastructure will likely be required for more robust detection capabilities. 
For added context on adversary procedures and background see [Data from Information Repositories](https://attack.mitre.org/techniques/T1213).", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--9ce98c86-8d30-4043-ba54-0784d478d0b5", + "target_ref": "attack-pattern--3405891b-16aa-4bd7-bd7c-733501f9b20f", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--327916f7-fe5d-4858-adeb-f72f74c60c25", + "created": "2021-10-08T15:25:32.143Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Nicolas Falliere, Liam O Murchu, Eric Chien February 2011", + "description": "Nicolas Falliere, Liam O Murchu, Eric Chien 2011, February W32.Stuxnet Dossier (Version 1.4) Retrieved. 2017/09/22 ", + "url": "https://www.wired.com/images_blogs/threatlevel/2011/02/Symantec-Stuxnet-Update-Feb-2011.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-09-20T21:11:45.996Z", + "description": "[Stuxnet](https://attack.mitre.org/software/S0603) sends an SQL statement that creates a table and inserts a binary value into the table. The binary value is a hex string representation of the main Stuxnet DLL as an executable file (formed using resource 210) and an updated configuration data block. 
(Citation: Nicolas Falliere, Liam O Murchu, Eric Chien February 2011)", + "relationship_type": "uses", + "source_ref": "malware--088f1d6e-0783-47c6-9923-9c79b2af43d4", + "target_ref": "attack-pattern--ead7bd34-186e-4c79-9a4d-b65bcce6ed9d", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--3f76d408-be8a-478e-8a5a-aab1d1f96572", + "created": "2018-04-18T17:59:24.739Z", + "x_mitre_version": "1.0", + "external_references": [ + { + "source_name": "Julian Rrushi, Hassan Farhangi, Clay Howey, Kelly Carmichael, Joey Dabell December 2015", + "url": "https://pdfs.semanticscholar.org/18df/43ef1690b0fae15a36f770001160aefbc6c5.pdf", + "description": "Julian Rrushi, Hassan Farhangi, Clay Howey, Kelly Carmichael, Joey Dabell 2015, December 08 A Quantitative Evaluation of the Target Selection of Havex ICS Malware Plugin Retrieved. 2019/04/01 " + } + ], + "x_mitre_deprecated": false, + "revoked": false, + "description": "The [Backdoor.Oldrea](https://attack.mitre.org/software/S0093) ICS malware plugin relies on Windows networking (WNet) to discover all the servers, including OPC servers, that are reachable by the compromised machine over the network. 
(Citation: Julian Rrushi, Hassan Farhangi, Clay Howey, Kelly Carmichael, Joey Dabell December 2015)", + "modified": "2022-08-11T13:23:12.321Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "relationship_type": "uses", + "source_ref": "malware--083bb47b-02c8-4423-81a2-f9ef58572974", + "target_ref": "attack-pattern--d5a69cfb-fc2a-46cb-99eb-74b236db5061", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--7bfaf0ff-6d88-460f-aa32-3fb0267b4f20", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.084Z", + "relationship_type": "mitigates", + "description": "Traffic to known anonymity networks and C2 infrastructure can be blocked through the use of network allow and block lists. It should be noted that this kind of blocking may be circumvented by other techniques likeDomain Fronting.\n", + "source_ref": "course-of-action--11f242bc-3121-438c-84b2-5cbd46a4bb17", + "target_ref": "attack-pattern--d67adac8-e3b9-44f9-9e6d-6c2a7d69dbe4", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--70113c21-85f2-4232-8755-233f93864277", + "created": "2022-05-11T16:22:58.807Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-09-27T19:17:12.033Z", + "description": "Monitor processes and command-line arguments to see if critical processes are terminated or stop running. 
For added context on adversary procedures and background see [Service Stop](https://attack.mitre.org/techniques/T1489).", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--61f1d40e-f3d0-4cc6-aa2d-937b6204194f", + "target_ref": "attack-pattern--063b5b92-5361-481a-9c3f-95492ed9a2d8", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--d2addaa7-0fdf-44e3-9b20-c63b2b4179af", + "created": "2022-09-27T16:08:15.473Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-09-27T16:08:15.473Z", + "description": "Monitor device application logs that indicate the program has changed, although not all devices produce such logs.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--9c2fa0ae-7abc-485a-97f6-699e3b6cf9fa", + "target_ref": "attack-pattern--fc5fda7e-6b2c-4457-b036-759896a2efa2", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "2.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--6be4cef2-3d54-4cd8-97df-8a8b37c03605", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.089Z", + "relationship_type": "mitigates", + "description": "Utilize central storage servers for critical operations where possible (e.g., historians) and keep remote backups. For outstations, use local redundant storage for event recorders. 
Have backup control system platforms, preferably as hot-standbys to respond immediately to data destruction events. (Citation: National Institute of Standards and Technology April 2013)\n", + "source_ref": "course-of-action--ad12819e-3211-4291-b360-069f280cff0a", + "target_ref": "attack-pattern--493832d9-cea6-4b63-abe7-9a65a6473675", + "external_references": [ + { + "source_name": "National Institute of Standards and Technology April 2013", + "description": "National Institute of Standards and Technology 2013, April Security and Privacy Controls for Federal Information Systems and Organizations Retrieved. 2020/09/17 ", + "url": "https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf" + } + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--e323dee4-a896-4a82-85f5-d51d311b0437", + "created": "2021-04-12T18:49:06.044Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Max Heinemeyer February 2020", + "description": "Max Heinemeyer 2020, February 21 Post-mortem of a targeted Sodinokibi ransomware attack Retrieved. 2021/04/12 ", + "url": "https://www.darktrace.com/en/blog/post-mortem-of-a-targeted-sodinokibi-ransomware-attack/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-12T18:06:56.076Z", + "description": "[REvil](https://attack.mitre.org/software/S0496) uses the SMB protocol to encrypt files located on remotely connected file shares. 
(Citation: Max Heinemeyer February 2020)", + "relationship_type": "uses", + "source_ref": "malware--ac61f1f9-7bb1-465e-9b8a-c2ce8e88baf5", + "target_ref": "attack-pattern--e1f9cdd2-9511-4fca-90d7-f3e92cfdd0bf", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--c7a1037f-cb28-40d4-be19-78e2f0e0aa68", + "created": "2022-05-11T16:22:58.807Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "ACSC Email Spoofing", + "description": "Australian Cyber Security Centre. (2012, December). Mitigating Spoofed Emails Using Sender Policy Framework. Retrieved October 19, 2020.", + "url": "https://www.cyber.gov.au/sites/default/files/2019-03/spoof_email_sender_policy_framework.pdf" + }, + { + "source_name": "Microsoft Anti Spoofing", + "description": "Microsoft. (2020, October 13). Anti-spoofing protection in EOP. 
Retrieved October 19, 2020.", + "url": "https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/anti-spoofing-protection?view=o365-worldwide" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-14T19:48:02.425Z", + "description": "Monitor mail server and proxy logs for evidence of messages originating from spoofed addresses, including records indicating failed DKIM+SPF validation or mismatched message headers.(Citation: Microsoft Anti Spoofing)(Citation: ACSC Email Spoofing) Anti-virus can potentially detect malicious documents and attachments as they're scanned to be stored on the email server or on the user's computer.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--9c2fa0ae-7abc-485a-97f6-699e3b6cf9fa", + "target_ref": "attack-pattern--648f995e-9c3a-41e4-aeee-98bb41037426", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--dc15440d-6683-435a-8c87-64daea29bcaa", + "created": "2021-04-11T14:06:54.109Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Electricity Information Sharing and Analysis Center; SANS Industrial Control Systems March 2016", + "description": "Electricity Information Sharing and Analysis Center; SANS Industrial Control Systems 2016, March 18 Analysis of the Cyber Attack on the Ukranian Power Grid: Defense Use Case Retrieved. 
2018/03/27 ", + "url": "https://assets.contentstack.io/v3/assets/blt36c2e63521272fdc/blt6a77276749b76a40/607f235992f0063e5c070fff/E-ISAC_SANS_Ukraine_DUC_5%5b73%5d.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-12T17:01:03.550Z", + "description": "In the Ukraine 2015 Incident, [Sandworm Team](https://attack.mitre.org/groups/G0034) blocked command messages by using malicious firmware to render communication devices inoperable. (Citation: Electricity Information Sharing and Analysis Center; SANS Industrial Control Systems March 2016)", + "relationship_type": "uses", + "source_ref": "intrusion-set--381fcf73-60f6-4ab2-9991-6af3cbc35192", + "target_ref": "attack-pattern--008b8f56-6107-48be-aa9f-746f927dbb61", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--10e3816e-8ee2-4dcf-81b7-a22ec0b6fda5", + "created": "2021-04-11T14:06:54.109Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "UNITED STATES DISTRICT COURT WESTERN DISTRICT OF PENNSYLVANIA October 2020", + "description": "UNITED STATES DISTRICT COURT WESTERN DISTRICT OF PENNSYLVANIA 2020, October 15 Indictment: Conspiracy to Commit an Offense Against the United States Retrieved. 2021/04/07 ", + "url": "https://www.justice.gov/opa/press-release/file/1328521/download" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-12T16:53:50.448Z", + "description": "In the Ukraine 2015 incident, [Sandworm Team](https://attack.mitre.org/groups/G0034) sent spearphishing attachments to three energy distribution companies containing malware to gain access to victim systems. 
(Citation: UNITED STATES DISTRICT COURT WESTERN DISTRICT OF PENNSYLVANIA October 2020)", + "relationship_type": "uses", + "source_ref": "intrusion-set--381fcf73-60f6-4ab2-9991-6af3cbc35192", + "target_ref": "attack-pattern--648f995e-9c3a-41e4-aeee-98bb41037426", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--1c831708-28c2-47ae-a158-39f1f7b73406", + "created": "2018-10-17T00:14:20.652Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Anton Cherepanov, ESET June 2017", + "description": "Anton Cherepanov, ESET 2017, June 12 Win32/Industroyer: A new threat for industrial control systems Retrieved. 2017/09/15 ", + "url": "https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-09-29T20:10:57.573Z", + "description": "The [Industroyer](https://attack.mitre.org/software/S0604) IEC 61850 payload component has the ability to discover relevant devices in the infected host's network subnet by attempting to connect on port 102.(Citation: Anton Cherepanov, ESET June 2017)\n\n[Industroyer](https://attack.mitre.org/software/S0604) contains an OPC DA module that enumerates all OPC servers using the `ICatInformation::EnumClassesOfCategories` method with `CATID_OPCDAServer20` category identifier and `IOPCServer::GetStatus` to identify the ones running.", + "relationship_type": "uses", + "source_ref": "malware--e401d4fe-f0c9-44f0-98e6-f93487678808", + "target_ref": "attack-pattern--d5a69cfb-fc2a-46cb-99eb-74b236db5061", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": 
"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--53a54e4a-2b38-4b0c-8f60-252a68767443", + "created": "2017-12-14T16:46:06.044Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Nicolas Falliere, Liam O Murchu, Eric Chien February 2011", + "description": "Nicolas Falliere, Liam O Murchu, Eric Chien 2011, February W32.Stuxnet Dossier (Version 1.4) Retrieved. 2017/09/22 ", + "url": "https://www.wired.com/images_blogs/threatlevel/2011/02/Symantec-Stuxnet-Update-Feb-2011.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-09-20T21:12:58.883Z", + "description": "[Stuxnet](https://attack.mitre.org/software/S0603) modifies the Import Address Tables DLLs to hook specific APIs that are used to open project files. (Citation: Nicolas Falliere, Liam O Murchu, Eric Chien February 2011)", + "relationship_type": "uses", + "source_ref": "malware--088f1d6e-0783-47c6-9923-9c79b2af43d4", + "target_ref": "attack-pattern--ab390887-afc0-4715-826d-b1b167d522ae", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--0dca1f7d-9965-467a-bea5-b8baa7c8b9fc", + "created": "2022-09-26T14:27:28.370Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-09-26T14:27:28.370Z", + "description": "Various techniques enable spoofing a reporting message. 
Consider monitoring for [Rogue Master](https://attack.mitre.org/techniques/T0848) and [Adversary-in-the-Middle](https://attack.mitre.org/techniques/T0830) activity which may precede this technique.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--a7f22107-02e5-4982-9067-6625d4a1765a", + "target_ref": "attack-pattern--8535b71e-3c12-4258-a4ab-40257a1becc4", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "2.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--2057ec71-a94f-49cc-b348-2eeb44899afd", + "created": "2022-05-11T16:22:58.804Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-14T18:40:20.312Z", + "description": "Monitor for changes made to a large quantity of files for unexpected modifications in both user directories and directories used to store programs and OS components (e.g., C:\\Windows\\System32). 
", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--84572de3-9583-4c73-aabd-06ea88123dd8", + "target_ref": "attack-pattern--493832d9-cea6-4b63-abe7-9a65a6473675", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--df95c619-33ee-4484-934a-78857717323e", + "created": "2022-05-11T16:22:58.805Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-09-26T19:18:47.783Z", + "description": "Monitor for unusual logins to Internet connected devices or unexpected protocols to/from the Internet. Network traffic content will provide valuable context and details about the content of network flows.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c", + "target_ref": "attack-pattern--f8df6b57-14bc-425f-9a91-6f59f6799307", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--73a48431-3597-4a72-acb8-c1e5019073e2", + "created": "2022-05-11T16:22:58.806Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Twitter ItsReallyNick Masquerading Update", + "description": "Carr, N.. (2018, October 25). Nick Carr Status Update Masquerading. 
Retrieved April 22, 2019.", + "url": "https://twitter.com/ItsReallyNick/status/1055321652777619457" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-14T16:41:24.266Z", + "description": "Monitor executed commands and arguments that may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools.(Citation: Twitter ItsReallyNick Masquerading Update)", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--685f917a-e95e-4ba0-ade1-c7d354dae6e0", + "target_ref": "attack-pattern--ba203963-3182-41ac-af14-7e7ebc83cd61", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--7c2edd6c-5189-4ba9-af3d-bdaff4a699ca", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.080Z", + "relationship_type": "mitigates", + "description": "Consider removing or restricting features that are unnecessary to an asset's intended function within the control environment.\n", + "source_ref": "course-of-action--d0909119-2f71-4923-87db-b649881672d7", + "target_ref": "attack-pattern--24a9253e-8948-4c98-b751-8e2aee53127c", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--b778b3c3-5dd3-4c0b-b7d9-78e6bb40a544", + "created": "2022-05-11T16:22:58.805Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + 
"modified": "2022-09-26T20:51:43.487Z", + "description": "Monitor for unusual network traffic that may indicate additional tools transferred to the system. Use network intrusion detection systems, sometimes with SSL/TLS inspection, to look for known malicious scripts (recon, heap spray, and browser identification scripts have been frequently reused), common script obfuscation, and exploit code.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c", + "target_ref": "attack-pattern--7830cfcf-b268-4ac0-a69e-73c6affbae9a", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--3439d550-61d5-40b4-a514-341509d3f701", + "created": "2022-05-11T16:22:58.803Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-09-26T15:08:28.052Z", + "description": "Monitor for the termination of processes or services associated with ICS automation protocols and application software which could help detect blocked communications.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--61f1d40e-f3d0-4cc6-aa2d-937b6204194f", + "target_ref": "attack-pattern--3f1f4ccb-9be2-4ff8-8f69-dd972221169b", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--64db6a39-64d2-4999-97d7-91c28c32f42e", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": 
"2022-05-06T17:47:24.101Z", + "relationship_type": "mitigates", + "description": "Perform inline allowlisting of automation protocol commands to prevent devices from sending unauthorized command or reporting messages. Allow/denylist techniques need to be designed with sufficient accuracy to prevent the unintended blocking of valid messages.\n", + "source_ref": "course-of-action--11f242bc-3121-438c-84b2-5cbd46a4bb17", + "target_ref": "attack-pattern--2aa406ed-81c3-4c1d-ba83-cfbee5a2847a", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--40479f3e-d4d2-45f8-893f-f8a4fcf1613c", + "created": "2022-09-28T21:16:28.195Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Wylie-22", + "description": "Jimmy Wylie. (2022, August). Analyzing PIPEDREAM: Challenges in Testing an ICS Attack Toolkit. Defcon 30.", + "url": "https://media.defcon.org/DEF%20CON%2030/DEF%20CON%2030%20presentations/Jimmy%20Wylie%20-%20Analyzing%20PIPEDREAM%20Challenges%20in%20testing%20an%20ICS%20attack%20toolkit.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-13T16:53:47.435Z", + "description": "The [INCONTROLLER](https://attack.mitre.org/software/S1045) PLCProxy module can add an IP route to the CODESYS gateway running on Schneider PLCs to allow it to route messages through the PLC to other devices on that network. 
This allows the malware to bypass firewall rules that prevent it from directly communicating with devices on the same network as the PLC.(Citation: Wylie-22)", + "relationship_type": "uses", + "source_ref": "malware--d3aa1058-b1b3-4c29-a3ba-9a9b90ccd93b", + "target_ref": "attack-pattern--d67adac8-e3b9-44f9-9e6d-6c2a7d69dbe4", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--3663f10d-4a2c-4d37-bf5f-337c9891c2f4", + "created": "2022-05-11T16:22:58.808Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-09-27T15:55:14.211Z", + "description": "Monitor for newly executed processes that depend on user interaction, especially for applications that can embed programmatic capabilities (e.g., Microsoft Office products with scripts, installers, zip files). This includes compression applications, such as those for zip files, that can be used to [Deobfuscate/Decode Files or Information](https://attack.mitre.org/techniques/T1140) in payloads. 
For added context on adversary procedures and background see [User Execution](https://attack.mitre.org/techniques/T1204) and applicable sub-techniques.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--685f917a-e95e-4ba0-ade1-c7d354dae6e0", + "target_ref": "attack-pattern--2736b752-4ec5-4421-a230-8977dea7649c", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--8985cd3c-1429-4681-ad2e-9b3e46588a44", + "created": "2022-05-11T16:22:58.806Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-09-26T18:41:09.265Z", + "description": "Monitor ICS management protocols / file transfer protocols for protocol functions related to firmware changes.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c", + "target_ref": "attack-pattern--efbf7888-f61b-4572-9c80-7e2965c60707", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--20a0d820-59ef-42fc-9f56-7a93d1ce7a84", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.084Z", + "relationship_type": "mitigates", + "description": "If it is possible to inspect HTTPS traffic, the captures can be analyzed for connections that appear to be domain fronting.\n", + "source_ref": "course-of-action--6a02e38a-9629-40c0-8c7d-e98e3470315c", + "target_ref": 
"attack-pattern--d67adac8-e3b9-44f9-9e6d-6c2a7d69dbe4", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--de8b8a69-5f08-421a-96f0-2bed5707508d", + "created": "2022-05-11T16:22:58.808Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Nzyme Alerts Intro", + "description": "Koopmann, Lennart. (n.d.). Nzyme Alerts Introduction. Retrieved September 26, 2022.", + "url": "https://www.nzyme.org/docs/alerts/intro" + }, + { + "source_name": "Wireless Intrusion Detection", + "description": "Tomko, A.; Rieser, C; Buell, H.; Zeret, D.; Turner, W.. (2007, March). Wireless Intrusion Detection. Retrieved September 26, 2022.", + "url": "https://apps.dtic.mil/sti/pdfs/ADA466332.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-09-26T18:57:13.322Z", + "description": "New or irregular network traffic flows may indicate potentially unwanted devices or sessions on wireless networks. 
In Wi-Fi networks monitor for changes such as rogue access points or low signal strength, indicating a device is further away from the access point then expected and changes in the physical layer signal.(Citation: Nzyme Alerts Intro) (Citation: Wireless Intrusion Detection) Network traffic content will provide important context, such as hardware (e.g., MAC) addresses, user accounts, and types of messages sent.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--a7f22107-02e5-4982-9067-6625d4a1765a", + "target_ref": "attack-pattern--2877063e-1851-48d2-bcc6-bc1d2733157e", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--5de6bf53-0a02-439b-a8d0-248fa9640a36", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.201Z", + "relationship_type": "mitigates", + "description": "Audit the integrity of PLC system and application code functionality, such as the manipulation of standard function blocks (e.g., Organizational Blocks) that manage the execution of application logic programs. (Citation: IEC February 2019)\n", + "source_ref": "course-of-action--bcf91ebc-f316-4e19-b2f6-444e9940c697", + "target_ref": "attack-pattern--3b6b9246-43f8-4c69-ad7a-2b11cfe0a0d9", + "external_references": [ + { + "source_name": "IEC February 2019", + "description": "IEC 2019, February Security for industrial automation and control systems - Part 4-2: Technical security requirements for IACS components Retrieved. 
2020/09/25 ", + "url": "https://webstore.iec.ch/publication/34421" + } + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--e3923fcf-5580-4c1e-bc55-33f67792cc00", + "created": "2022-09-28T20:25:51.024Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Dragos-Pipedream", + "description": "DRAGOS. (2022, April 13). Pipedream: Chernovite’s Emerging Malware Targeting Industrial Control Systems. Retrieved September 28, 2022.", + "url": "https://hub.dragos.com/hubfs/116-Whitepapers/Dragos_ChernoviteWP_v2b.pdf?hsLang=en" + }, + { + "source_name": "Wylie-22", + "description": "Jimmy Wylie. (2022, August). Analyzing PIPEDREAM: Challenges in Testing an ICS Attack Toolkit. Defcon 30.", + "url": "https://media.defcon.org/DEF%20CON%2030/DEF%20CON%2030%20presentations/Jimmy%20Wylie%20-%20Analyzing%20PIPEDREAM%20Challenges%20in%20testing%20an%20ICS%20attack%20toolkit.pdf" + }, + { + "source_name": "Brubaker-Incontroller", + "description": "Nathan Brubaker, Keith Lunden, Ken Proska, Muhammad Umair, Daniel Kapellmann Zafra, Corey Hildebrandt, Rob Caldwell. (2022, April 13). INCONTROLLER: New State-Sponsored Cyber Attack Tools Target Multiple Industrial Control Systems. 
Retrieved September 28, 2022.", + "url": "https://www.mandiant.com/resources/incontroller-state-sponsored-ics-tool" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-13T16:53:47.448Z", + "description": "[INCONTROLLER](https://attack.mitre.org/software/S1045) can wipe the memory of Omron PLCs and reset settings through the remote HTTP service.(Citation: Brubaker-Incontroller)(Citation: Dragos-Pipedream)(Citation: Wylie-22) ", + "relationship_type": "uses", + "source_ref": "malware--d3aa1058-b1b3-4c29-a3ba-9a9b90ccd93b", + "target_ref": "attack-pattern--493832d9-cea6-4b63-abe7-9a65a6473675", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--b363cbbb-679c-47e0-8ad0-af98ebf51e60", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.236Z", + "relationship_type": "mitigates", + "description": "Utilize strong cryptographic techniques and protocols to prevent eavesdropping on network communications.\n", + "source_ref": "course-of-action--7f153c28-e5f1-4764-88fb-eea1d9b0ad4a", + "target_ref": "attack-pattern--2877063e-1851-48d2-bcc6-bc1d2733157e", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--7411b05d-209a-4907-83ce-00ab1538fbac", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.084Z", + 
"relationship_type": "mitigates", + "description": "Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate activity at the network level. Signatures are often for unique indicators within protocols and may be based on the specific C2 protocol used by a particular adversary or tool and will likely be different across various malware families and versions. Adversaries will likely change tool C2 signatures over time or construct protocols in such a way as to avoid detection by common defensive tools. (Citation: Gardiner, J., Cova, M., Nagaraja, S February 2014)\n", + "source_ref": "course-of-action--3172222b-4983-43f7-8983-753ded4f13bc", + "target_ref": "attack-pattern--d67adac8-e3b9-44f9-9e6d-6c2a7d69dbe4", + "external_references": [ + { + "source_name": "Gardiner, J., Cova, M., Nagaraja, S February 2014", + "description": "Gardiner, J., Cova, M., Nagaraja, S 2014, February Command & Control Understanding, Denying and Detecting Retrieved. 
2016/04/20 ", + "url": "https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf" + } + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--ff3f0668-98df-44c1-88c2-711f05720eb8", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.060Z", + "relationship_type": "mitigates", + "description": "Restrict configurations changes and firmware updating abilities to only authorized individuals.\n", + "source_ref": "course-of-action--e0d38502-decb-481d-ad8b-b8f0a0c330bd", + "target_ref": "attack-pattern--19a71d1e-6334-4233-8260-b749cae37953", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--ad77a940-150c-4d73-bf5a-1df2d9436f9c", + "created": "2022-05-11T16:22:58.805Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-14T19:36:33.957Z", + "description": "Monitor network traffic for anomalies associated with known AiTM behavior. 
For Collection activity where transmitted data is not manipulated, anomalies may be present in network management protocols (e.g., ARP, DHCP).", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c", + "target_ref": "attack-pattern--9a505987-ab05-4f46-a9a6-6441442eec3b", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--baf7daf3-2116-4051-91b5-f82e146167d0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.235Z", + "relationship_type": "mitigates", + "description": "Routinely audit source code, application configuration files, open repositories, and public cloud storage for insecure use and storage of credentials.\n", + "source_ref": "course-of-action--bcf91ebc-f316-4e19-b2f6-444e9940c697", + "target_ref": "attack-pattern--cd2c76a4-5e23-4ca5-9c40-d5e0604f7101", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--46edf5ba-ebd3-4976-9cdc-1276ba253c98", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2021-04-21T14:04:49.301Z", + "modified": "2022-05-06T17:47:24.364Z", + "relationship_type": "uses", + "description": "[Dragonfly 2.0](https://attack.mitre.org/groups/G0035) deleted indicators on staging and target devices by uninstalling software, removing event logs, batch scripts, screenshots, registry keys, documents, and tools they brought into the target 
networks. (Citation: Cybersecurity & Infrastructure Security Agency March 2018)", + "source_ref": "intrusion-set--76d59913-1d24-4992-a8ac-05a3eb093f71", + "target_ref": "attack-pattern--2dc2b567-8821-49f9-9045-8740f3d0b958", + "external_references": [ + { + "source_name": "Cybersecurity & Infrastructure Security Agency March 2018", + "description": "Cybersecurity & Infrastructure Security Agency 2018, March 15 Alert (TA18-074A) Russian Government Cyber Activity Targeting Energy and Other Critical Infrastructure Sectors Retrieved. 2019/10/11 ", + "url": "https://us-cert.cisa.gov/ncas/alerts/TA18-074A" + } + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--fc1d3924-3210-4ca6-b3cc-a7a525eab47c", + "created": "2022-05-11T16:22:58.807Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-09-26T17:15:27.767Z", + "description": "Monitor ICS management protocols / file transfer protocols for protocol functions related to firmware changes.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c", + "target_ref": "attack-pattern--b9160e77-ea9e-4ba9-b1c8-53a3c466b13d", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--86d45e92-80ba-4f97-b3a3-03ad3469658b", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.166Z", + "relationship_type": 
"mitigates", + "description": "Segment operational network and systems to restrict access to critical system functions to predetermined management systems. (Citation: Department of Homeland Security September 2016)\n", + "source_ref": "course-of-action--1e7ccfc0-94c8-496e-8d27-032120892291", + "target_ref": "attack-pattern--efbf7888-f61b-4572-9c80-7e2965c60707", + "external_references": [ + { + "source_name": "Department of Homeland Security September 2016", + "description": "Department of Homeland Security 2016, September Retrieved. 2020/09/25 ", + "url": "https://us-cert.cisa.gov/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf" + } + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--b3862aa6-7bd0-46a4-83b6-bb687bb7caa6", + "created": "2018-10-17T00:14:20.652Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Chris Bing May 2018", + "description": "Chris Bing 2018, May 24 Trisis masterminds have expanded operations to target U.S. industrial firms Retrieved. 2020/01/03 ", + "url": "https://www.cyberscoop.com/xenotime-ics-cyber-attacks-trisis-dragos/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-12T17:07:07.445Z", + "description": "[TEMP.Veles](https://attack.mitre.org/groups/G0088) utilizes watering hole websites to target industrial employees. 
(Citation: Chris Bing May 2018)", + "relationship_type": "uses", + "source_ref": "intrusion-set--9538b1a4-4120-4e2d-bf59-3b11fcab05a4", + "target_ref": "attack-pattern--7830cfcf-b268-4ac0-a69e-73c6affbae9a", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--a6519c11-e9d4-4b6f-8d92-8efaa2144c28", + "created": "2021-04-13T12:28:20.652Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Davey Winder June 2020", + "description": "Davey Winder 2020, June 10 Honda Hacked: Japanese Car Giant Confirms Cyber Attack On Global Operations Retrieved. 2021/04/12 ", + "url": "https://www.forbes.com/sites/daveywinder/2020/06/10/honda-hacked-japanese-car-giant-confirms-cyber-attack-on-global-operations-snake-ransomware/?sh=2725c35753ad" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-12T17:47:16.775Z", + "description": "[EKANS](https://attack.mitre.org/software/S0605) infection resulted in a temporary production loss within a Honda manufacturing plant. 
(Citation: Davey Winder June 2020)", + "relationship_type": "uses", + "source_ref": "malware--00e7d565-9883-4ee5-b642-8fd17fd6a3f5", + "target_ref": "attack-pattern--63b6942d-8359-4506-bfb3-cf87aa8120ee", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--b5979643-fefb-460f-b59c-971efe95f121", + "created": "2022-09-27T16:57:48.758Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-14T16:42:28.408Z", + "description": "Monitor for changes made to services that may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--66531bc6-a509-4868-8314-4d599e91d222", + "target_ref": "attack-pattern--ba203963-3182-41ac-af14-7e7ebc83cd61", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--dc46ffc2-eac7-4491-8d2a-46cf8e2e963f", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.218Z", + "relationship_type": "mitigates", + "description": "Filter for protocols and payloads associated with firmware activation or updating activity.\n", + "source_ref": "course-of-action--11f242bc-3121-438c-84b2-5cbd46a4bb17", + "target_ref": "attack-pattern--b9160e77-ea9e-4ba9-b1c8-53a3c466b13d", + "x_mitre_attack_spec_version": "2.1.0", + 
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--4966e63c-ca05-466d-91f9-41d799a54471", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2021-04-12T18:59:17.429Z", + "modified": "2022-05-06T17:47:24.186Z", + "relationship_type": "mitigates", + "description": "Provide privileges corresponding to the restriction of a GUI session to control system operations (examples include HMI read-only vs. read-write modes). Ensure local users, such as operators and engineers, are giving prioritization over remote sessions and have the authority to regain control over a remote session if needed. Prevent remote access sessions (e.g., RDP, VNC) from taking over local sessions, especially those used for ICS control, especially HMIs.\n", + "source_ref": "course-of-action--e0d38502-decb-481d-ad8b-b8f0a0c330bd", + "target_ref": "attack-pattern--e1f9cdd2-9511-4fca-90d7-f3e92cfdd0bf", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--82b20c35-88c6-49aa-8241-a59512b17b74", + "created": "2017-12-14T16:46:06.044Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Nicolas Falliere, Liam O Murchu, Eric Chien February 2011", + "description": "Nicolas Falliere, Liam O Murchu, Eric Chien 2011, February W32.Stuxnet Dossier (Version 1.4) Retrieved. 
2017/09/22 ", + "url": "https://www.wired.com/images_blogs/threatlevel/2011/02/Symantec-Stuxnet-Update-Feb-2011.pdf" + }, { "source_name": "Ralph Langner November 2013", "description": "Ralph Langner 2013, November To Kill a Centrifuge: A Technical Analysis of What Stuxnet's Creators Tried to Achieve Retrieved. 2018/03/27 ", 
@@ -8269,11 +10487,11 @@
 "object_marking_refs": [
 "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
 ],
- "modified": "2022-09-20T21:23:20.356Z",
- "description": "One of [Stuxnet](https://attack.mitre.org/software/S0603)'s rootkits is contained entirely in the fake s7otbxdx.dll. In order to continue existing undetected on the PLC it needs to account for at least the following situations: read requests for its own malicious code blocks, read requests for infected blocks (OB1, OB35, DP_RECV), and write requests that could overwrite Stuxnets own code. Stuxnet contains code to monitor and intercept these types of requests. The rootkit modifies these requests so that Stuxnets PLC code is not discovered or damaged. (Citation: Ralph Langner November 2013)",
+ "modified": "2022-09-20T21:14:10.400Z",
+ "description": "[Stuxnet](https://attack.mitre.org/software/S0603) was able to self-replicate by being spread through removable drives. A willing insider or unknown third party, such as a contractor, may have brought the removable media into the target environment. (Citation: Nicolas Falliere, Liam O Murchu, Eric Chien February 2011) The earliest version of Stuxnet relied on physical installation, infecting target systems when an infected configuration file carried by a USB stick was opened. (Citation: Ralph Langner November 2013)",
 "relationship_type": "uses",
 "source_ref": "malware--088f1d6e-0783-47c6-9923-9c79b2af43d4",
- "target_ref": "attack-pattern--3b6b9246-43f8-4c69-ad7a-2b11cfe0a0d9",
+ "target_ref": "attack-pattern--c267bbee-bb59-47fe-85e0-3ed210337c21",
 "x_mitre_deprecated": false,
 "x_mitre_version": "1.0",
 "x_mitre_attack_spec_version": "2.1.0",
@@ -8281,46 +10499,8 @@ }, { "type": "relationship", - "id": "relationship--aa205915-7571-47ee-8bc6-5aa1ace86690", - "created": "2022-05-11T16:22:58.804Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-09-26T16:52:11.111Z", - "description": "Devices may produce alarms about restarts or shutdowns. Monitor for unexpected device restarts or shutdowns.", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--9d56be63-3501-4dd3-bb5f-63c580833298", - "target_ref": "attack-pattern--25dfc8ad-bd73-4dfd-84a9-3c3d383f76e9", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "type": "relationship", - "id": "relationship--321fc522-bc6b-4975-bee4-9098624d1e8c", - "created": "2022-05-11T16:22:58.807Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-09-26T16:32:18.815Z", - "description": "Monitor for network traffic originating from unknown/unexpected devices or addresses. Local network traffic metadata could be used to identify unexpected connections, including unknown/unexpected source MAC addresses connecting to ports associated with operational protocols. Also, network management protocols such as DHCP and ARP may be helpful in identifying unexpected devices. 
", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--a7f22107-02e5-4982-9067-6625d4a1765a", - "target_ref": "attack-pattern--b14395bd-5419-4ef4-9bd8-696936f509bb", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "type": "relationship", - "id": "relationship--868db512-b897-4a54-ae56-ac78f6c93a14", - "created": "2022-09-28T20:29:18.027Z", + "id": "relationship--80a69b56-337d-446a-8167-8b9f63083c4f", + "created": "2022-09-28T21:24:21.810Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ 
@@ -8338,37 +10518,196 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2022-10-13T16:53:47.443Z", - "description": "[INCONTROLLER](https://attack.mitre.org/software/S1045) can use a Telnet session to load a malware implant on Omron PLCs.(Citation: CISA-AA22-103A)(Citation: Wylie-22) ", + "modified": "2022-10-13T16:53:47.442Z", + "description": "[INCONTROLLER](https://attack.mitre.org/software/S1045) includes a library that creates Modbus connections with a device to request its device ID.(Citation: CISA-AA22-103A)(Citation: Wylie-22) ", "relationship_type": "uses", "source_ref": "malware--d3aa1058-b1b3-4c29-a3ba-9a9b90ccd93b", - "target_ref": "attack-pattern--ead7bd34-186e-4c79-9a4d-b65bcce6ed9d", + "target_ref": "attack-pattern--2fedbe69-581f-447d-8a78-32ee7db939a9", "x_mitre_deprecated": false, "x_mitre_version": "0.1", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], "type": "relationship", - "id": "relationship--c59a3d89-c8fa-4c5d-813e-f4495d892d1a", - "created": "2019-03-25T19:13:54.947Z", + "id": "relationship--aaffd26a-728d-42a0-9d1f-423231c55f3e", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2021-04-21T14:04:49.301Z", + "modified": "2022-05-06T17:47:24.361Z", + "relationship_type": "uses", + "description": "[Dragonfly 2.0](https://attack.mitre.org/groups/G0035) accessed workstations and servers within the corporate network that contained data from power generation control system environments. The files were related to the ICS and SCADA systems including vendor names and ICS reference documents such as wiring diagrams and panel layouts. 
(Citation: Cybersecurity & Infrastructure Security Agency March 2018)", + "source_ref": "intrusion-set--76d59913-1d24-4992-a8ac-05a3eb093f71", + "target_ref": "attack-pattern--3405891b-16aa-4bd7-bd7c-733501f9b20f", + "external_references": [ + { + "source_name": "Cybersecurity & Infrastructure Security Agency March 2018", + "description": "Cybersecurity & Infrastructure Security Agency 2018, March 15 Alert (TA18-074A) Russian Government Cyber Activity Targeting Energy and Other Critical Infrastructure Sectors Retrieved. 2019/10/11 ", + "url": "https://us-cert.cisa.gov/ncas/alerts/TA18-074A" + } + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--d464d443-6298-47eb-b767-8f1136f6b6b5", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2018-10-17T00:14:20.652Z", + "modified": "2022-05-06T17:47:24.369Z", + "relationship_type": "uses", + "description": "[Dragonfly 2.0](https://attack.mitre.org/groups/G0035) leveraged compromised user credentials to access the targets networks and download tools from a remote server. (Citation: Dragos) (Citation: Cybersecurity & Infrastructure Security Agency March 2018)", + "source_ref": "intrusion-set--76d59913-1d24-4992-a8ac-05a3eb093f71", + "target_ref": "attack-pattern--cd2c76a4-5e23-4ca5-9c40-d5e0604f7101", + "external_references": [ + { + "source_name": "Dragos", + "description": "Dragos Dymalloy Retrieved. 
2019/10/27 ", + "url": "https://dragos.com/resource/dymalloy/" + }, + { + "source_name": "Cybersecurity & Infrastructure Security Agency March 2018", + "description": "Cybersecurity & Infrastructure Security Agency 2018, March 15 Alert (TA18-074A) Russian Government Cyber Activity Targeting Energy and Other Critical Infrastructure Sectors Retrieved. 2019/10/11 ", + "url": "https://us-cert.cisa.gov/ncas/alerts/TA18-074A" + } + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--2cd79563-0f5a-44a1-9be4-6dc330855d64", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.150Z", + "relationship_type": "mitigates", + "description": "Use host-based allowlists to prevent devices from accepting connections from unauthorized systems. For example, allowlists can be used to ensure devices can only connect with master stations or known management/engineering workstations. (Citation: Department of Homeland Security September 2016)\n", + "source_ref": "course-of-action--aadac250-bcdc-44e3-a4ae-f52bd0a7a16a", + "target_ref": "attack-pattern--e5de767e-f513-41cd-aa15-33f6ce5fbf92", + "external_references": [ + { + "source_name": "Department of Homeland Security September 2016", + "description": "Department of Homeland Security 2016, September Retrieved. 
2020/09/25 ", + "url": "https://us-cert.cisa.gov/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf" + } + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--f0c8a954-c1a0-453a-9c1d-484305abdab2", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2021-04-12T18:59:17.429Z", + "modified": "2022-05-06T17:47:24.189Z", + "relationship_type": "mitigates", + "description": "Filter application-layer protocol messages for remote services to block any unauthorized activity.\n", + "source_ref": "course-of-action--11f242bc-3121-438c-84b2-5cbd46a4bb17", + "target_ref": "attack-pattern--e1f9cdd2-9511-4fca-90d7-f3e92cfdd0bf", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--c195a0e9-d46c-487f-9a96-b138e9ca05d2", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.204Z", + "relationship_type": "mitigates", + "description": "Consider restricting access to email within critical process environments. 
Additionally, downloads and attachments may be disabled if email is still necessary.\n", + "source_ref": "course-of-action--143b4398-3222-480a-b6a4-e131bc2d3144", + "target_ref": "attack-pattern--648f995e-9c3a-41e4-aeee-98bb41037426", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--6833d534-9cbb-4b9f-85b6-93d3d2d6faca", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.202Z", + "relationship_type": "mitigates", + "description": "Ensure proper process and file permissions are in place to inhibit adversaries from disabling or interfering with critical services.\n", + "source_ref": "course-of-action--f9fcb3ec-6de0-4559-8cd9-ef1c0c7d1971", + "target_ref": "attack-pattern--063b5b92-5361-481a-9c3f-95492ed9a2d8", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--26d68f5d-6ee5-4d98-b175-943366ccc038", + "created": "2020-10-14T21:33:27.046Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { - "source_name": "Joe Slowik April 2019", - "description": "Joe Slowik 2019, April 10 Implications of IT Ransomware for ICS Environments Retrieved. 2019/10/27 ", - "url": "https://dragos.com/blog/industry-news/implications-of-it-ransomware-for-ics-environments/" + "source_name": "Dragos October 2018", + "description": "Dragos 2018, October 12 Anatomy of an Attack: Detecting and Defeating CRASHOVERRIDE Retrieved. 
2019/10/14 ", + "url": "https://dragos.com/wp-content/uploads/CRASHOVERRIDE2018.pdf" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2022-10-12T18:32:08.109Z", - "description": "[WannaCry](https://attack.mitre.org/software/S0366) initially infected IT networks, but by means of an exploit (particularly the SMBv1-targeting MS17-010 vulnerability) spread to industrial networks. (Citation: Joe Slowik April 2019)", + "modified": "2022-10-12T16:54:09.871Z", + "description": "[Sandworm Team](https://attack.mitre.org/groups/G0034) uses the MS-SQL server xp_cmdshell command, and PowerShell to execute commands. (Citation: Dragos October 2018)", "relationship_type": "uses", - "source_ref": "malware--75ecdbf1-c2bb-4afc-a3f9-c8da4de8c661", - "target_ref": "attack-pattern--85a45294-08f1-4539-bf00-7da08aa7b0ee", + "source_ref": "intrusion-set--381fcf73-60f6-4ab2-9991-6af3cbc35192", + "target_ref": "attack-pattern--24a9253e-8948-4c98-b751-8e2aee53127c", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--6ed07095-c23a-4676-807f-a544deaeb274", + "created": "2021-04-12T18:49:06.044Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "McAfee Labs October 2019", + "description": "McAfee Labs 2019, October 02 McAfee ATR Analyzes Sodinokibi aka REvil Ransomware-as-a-Service What The Code Tells Us Retrieved. 2021/04/12 ", + "url": "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/mcafee-atr-analyzes-sodinokibi-aka-revil-ransomware-as-a-service-what-the-code-tells-us" + }, + { + "source_name": "SecureWorks September 2019", + "description": "SecureWorks 2019, September 24 REvil/Sodinokibi Ransomware Retrieved. 
2021/04/12 ", + "url": "https://www.secureworks.com/research/revil-sodinokibi-ransomware" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-12T18:05:35.788Z", + "description": "[REvil](https://attack.mitre.org/software/S0496) sends exfiltrated data from the victims system using HTTPS POST messages sent to the C2 system. (Citation: McAfee Labs October 2019) (Citation: SecureWorks September 2019)", + "relationship_type": "uses", + "source_ref": "malware--ac61f1f9-7bb1-465e-9b8a-c2ce8e88baf5", + "target_ref": "attack-pattern--b7e13ee8-182c-4f19-92a4-a88d7d855d54", "x_mitre_deprecated": false, "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "2.1.0", 
@@ -8379,14 +10718,14 @@ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", - "id": "relationship--2c8dd182-e0a1-469d-aa65-7a1f734d9b46", + "id": "relationship--3be9d4d1-17e1-4f3e-b22a-edad8cf0c343", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.071Z", + "modified": "2022-05-06T17:47:24.216Z", "relationship_type": "mitigates", - "description": "Provide an alternative method for sending critical report messages to operators, this could include using radio/cell communication to obtain messages from field technicians that can locally obtain telemetry and status data.\n", - "source_ref": "course-of-action--b11cad63-ef30-4eb8-af0d-6cc46eef3f3e", - "target_ref": "attack-pattern--3f1f4ccb-9be2-4ff8-8f69-dd972221169b", + "description": "Devices should verify that firmware has been properly signed by the vendor before allowing installation.\n", + "source_ref": "course-of-action--71eb7dad-07eb-4bbc-9df0-ac57bf2fba4a", + "target_ref": "attack-pattern--b9160e77-ea9e-4ba9-b1c8-53a3c466b13d", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0" 
@@ -8396,31 +10735,107 @@ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", - "id": "relationship--3ed98d8c-de30-499e-9a62-eae0207519f4", + "id": "relationship--1aa02c37-973e-46bd-ab45-609463e514e9", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.092Z", + "modified": "2022-05-06T17:47:24.228Z", "relationship_type": "mitigates", - "description": "Ensure embedded controls and network devices are protected through access management, as these devices often have unknown default accounts which could be used to gain unauthorized access.\n", - "source_ref": "course-of-action--3992ce42-43e9-4bea-b8db-a102ec3ec1e3", - "target_ref": "attack-pattern--8bb4538f-f16f-49f0-a431-70b5444c7349", + "description": "If a link is being visited by a user, block unknown or unused files in transit by default that should not be downloaded or by policy from suspicious sites as a best practice to prevent some vectors, such as .scr, .exe, .pif, .cpl, etc. Some download scanning devices can open and analyze compressed and encrypted formats, such as zip and rar that may be used to conceal malicious files.\n", + "source_ref": "course-of-action--143b4398-3222-480a-b6a4-e131bc2d3144", + "target_ref": "attack-pattern--2736b752-4ec5-4421-a230-8977dea7649c", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0" }, + { + "type": "relationship", + "id": "relationship--cb38425c-646d-4bc8-bdea-e6cc630c3034", + "created": "2021-04-13T11:15:26.506Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Nicolas Falliere, Liam O Murchu, Eric Chien February 2011", + "description": "Nicolas Falliere, Liam O Murchu, Eric Chien 2011, February W32.Stuxnet Dossier (Version 1.4) Retrieved. 
2017/09/22 ", + "url": "https://www.wired.com/images_blogs/threatlevel/2011/02/Symantec-Stuxnet-Update-Feb-2011.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-09-20T21:18:37.808Z", + "description": "[Stuxnet](https://attack.mitre.org/software/S0603) infects PLCs with different code depending on the characteristics of the target system. An infection sequence consists of code blocks and data blocks that will be downloaded to the PLC to alter its behavior. (Citation: Nicolas Falliere, Liam O Murchu, Eric Chien February 2011)", + "relationship_type": "uses", + "source_ref": "malware--088f1d6e-0783-47c6-9923-9c79b2af43d4", + "target_ref": "attack-pattern--fc5fda7e-6b2c-4457-b036-759896a2efa2", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", - "id": "relationship--238f967a-0c29-4aa3-bbb5-3dc593473bbf", + "id": "relationship--4256a0c2-437d-4a4c-88ac-d08d3041b8c1", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.115Z", + "modified": "2022-05-06T17:47:24.178Z", + "relationship_type": "mitigates", + "description": "Use host-based allowlists to prevent devices from accepting connections from unauthorized systems. For example, allowlists can be used to ensure devices can only connect with master stations or known management/engineering workstations. 
(Citation: Department of Homeland Security September 2016)\n", + "source_ref": "course-of-action--aadac250-bcdc-44e3-a4ae-f52bd0a7a16a", + "target_ref": "attack-pattern--be69c571-d746-4b1f-bdd0-c0c9817e9068", + "external_references": [ + { + "source_name": "Department of Homeland Security September 2016", + "description": "Department of Homeland Security 2016, September Retrieved. 2020/09/25 ", + "url": "https://us-cert.cisa.gov/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf" + } + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--d2dc57eb-5be2-4f9c-a4f7-18d2085ff412", + "created": "2018-10-17T00:14:20.652Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Robert Falcone, Bryan Lee May 2016", + "description": "Robert Falcone, Bryan Lee 2016, May 26 The OilRig Campaign: Attacks on Saudi Arabian Organizations Deliver Helminth Backdoor Retrieved. 2019/11/19 ", + "url": "https://unit42.paloaltonetworks.com/the-oilrig-campaign-attacks-on-saudi-arabian-organizations-deliver-helminth-backdoor/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-12T16:32:31.072Z", + "description": "[OilRig](https://attack.mitre.org/groups/G0049) communicated with its command and control using HTTP requests. 
(Citation: Robert Falcone, Bryan Lee May 2016)", + "relationship_type": "uses", + "source_ref": "intrusion-set--4ca1929c-7d64-4aab-b849-badbfc0c760d", + "target_ref": "attack-pattern--e076cca8-2f08-45c9-aff7-ea5ac798b387", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--47f15a06-8675-4698-833d-bd141ed9e755", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.122Z", "relationship_type": "mitigates", "description": "Security applications that look for behavior used during exploitation such as Windows Defender Exploit Guard (WDEG) and the Enhanced Mitigation Experience Toolkit (EMET) can be used to mitigate some exploitation behavior. (Citation: Microsoft Security Response Center August 2017)Control flow integrity checking is another way to potentially identify and stop a software exploit from occurring. (Citation: Wikipedia)Many of these protections depend on the architecture and target application binary for compatibility and may not work for all software or services targeted.\n", "source_ref": "course-of-action--49363b74-d506-4342-bd63-320586ebadb9", - "target_ref": "attack-pattern--9f947a1c-3860-48a8-8af0-a2dfa3efde03", + "target_ref": "attack-pattern--85a45294-08f1-4539-bf00-7da08aa7b0ee", "external_references": [ { "source_name": "Microsoft Security Response Center August 2017", 
@@ -8439,71 +10854,86 @@ }, { "type": "relationship", - "id": "relationship--578117b2-0f4b-4d75-a2dc-3ee45976e616", - "created": "2020-09-21T17:59:24.739Z", + "id": "relationship--c90cfddb-253b-41c8-9057-2abde6f8aa6d", + "created": "2021-04-12T18:49:06.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { - "source_name": "Department of Homeland Security October 2009", - "description": "Department of Homeland Security 2009, October Developing an Industrial Control Systems Cybersecurity Incident Response Capability Retrieved. 2020/09/17 ", - "url": "https://us-cert.cisa.gov/sites/default/files/recommended_practices/final-RP_ics_cybersecurity_incident_response_100609.pdf" + "source_name": "SecureWorks September 2019", + "description": "SecureWorks 2019, September 24 REvil/Sodinokibi Ransomware Retrieved. 2021/04/12 ", + "url": "https://www.secureworks.com/research/revil-sodinokibi-ransomware" + }, + { + "source_name": "Tom Fakterman August 2019", + "description": "Tom Fakterman 2019, August 05 Sodinokibi: The Crown Prince of Ransomware Retrieved. 2021/04/12 ", + "url": "https://www.cybereason.com/blog/the-sodinokibi-ransomware-attack" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2022-10-19T21:22:50.001Z", - "description": "Take and store data backups from end user systems and critical servers. Ensure backup and storage systems are hardened and kept separate from the corporate network to prevent compromise. 
Maintain and exercise incident response plans (Citation: Department of Homeland Security October 2009), including the management of gold-copy back-up images and configurations for key systems to enable quick recovery and response from adversarial activities that impact control, view, or availability.\n", + "modified": "2022-10-12T18:06:28.859Z", + "description": "[REvil](https://attack.mitre.org/software/S0496) sends HTTPS POST messages with randomly generated URLs to communicate with a remote server. (Citation: Tom Fakterman August 2019) (Citation: SecureWorks September 2019)", + "relationship_type": "uses", + "source_ref": "malware--ac61f1f9-7bb1-465e-9b8a-c2ce8e88baf5", + "target_ref": "attack-pattern--e076cca8-2f08-45c9-aff7-ea5ac798b387", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--21b6ec9c-8779-49db-bf19-90e81893a6e4", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.089Z", "relationship_type": "mitigates", - "source_ref": "course-of-action--ad12819e-3211-4291-b360-069f280cff0a", - "target_ref": "attack-pattern--1af9e3fd-2bcc-414d-adbd-fe3b95c02ca1", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", + "description": "Protect files stored locally with proper permissions to limit opportunities for adversaries to impact data storage. 
(Citation: National Institute of Standards and Technology April 2013)\n", + "source_ref": "course-of-action--f9fcb3ec-6de0-4559-8cd9-ef1c0c7d1971", + "target_ref": "attack-pattern--493832d9-cea6-4b63-abe7-9a65a6473675", + "external_references": [ + { + "source_name": "National Institute of Standards and Technology April 2013", + "description": "National Institute of Standards and Technology 2013, April Security and Privacy Controls for Federal Information Systems and Organizations Retrieved. 2020/09/17 ", + "url": "https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf" + } + ], "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" }, { - "type": "relationship", - "id": "relationship--e02565fe-65ff-4b70-8a8d-b0abf6d9a9f4", - "created": "2022-05-11T16:22:58.805Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2022-10-14T19:45:37.289Z", - "description": "Monitor authentication logs and analyze for unusual access patterns, windows of activity, and access outside of normal business hours, including use of [Valid Accounts](https://attack.mitre.org/techniques/T0859).", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--39b9db72-8b48-4595-a18d-db5bbba3091b", - "target_ref": "attack-pattern--8d2f3bab-507c-4424-b58b-edc977bd215c", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { "type": "relationship", - "id": "relationship--2d65925e-f437-4557-bd8b-4c0d14ffd0b0", - "created": "2022-05-11T16:22:58.803Z", + "id": "relationship--34ac1b1b-1103-4fc9-a62e-f1dd1451b28b", "created_by_ref": 
"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + "created": "2021-04-13T11:15:26.506Z", + "modified": "2022-05-06T17:47:24.156Z", + "relationship_type": "mitigates", + "description": "Provide the ability to verify the integrity of control logic or programs loaded on a controller. While techniques like CRCs and checksums are commonly used, they are not cryptographically strong and can be vulnerable to collisions. Preferably cryptographic hash functions (e.g., SHA-2, SHA-3) should be used. (Citation: IEC February 2019)\n", + "source_ref": "course-of-action--bcf91ebc-f316-4e19-b2f6-444e9940c697", + "target_ref": "attack-pattern--fc5fda7e-6b2c-4457-b036-759896a2efa2", + "external_references": [ + { + "source_name": "IEC February 2019", + "description": "IEC 2019, February Security for industrial automation and control systems - Part 4-2: Technical security requirements for IACS components Retrieved. 
2020/09/25 ", + "url": "https://webstore.iec.ch/publication/34421" + } ], - "modified": "2022-09-26T15:02:57.267Z", - "description": "Monitor for the termination of processes or services associated with ICS automation protocols and application software which could help detect blocked communications.", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--61f1d40e-f3d0-4cc6-aa2d-937b6204194f", - "target_ref": "attack-pattern--008b8f56-6107-48be-aa9f-746f927dbb61", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" }, { "type": "relationship", - "id": "relationship--bcece7ce-91b5-40b3-b87a-25cab3600e5c", + "id": "relationship--be532c78-daf5-431b-adae-ab11af395513", "created": "2017-12-14T16:46:06.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, 
@@ -8517,11 +10947,11 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2022-09-20T21:16:10.677Z", - "description": "[Stuxnet](https://attack.mitre.org/software/S0603) attempts to contact command and control servers on port 80 to send basic information about the computer it has compromised. (Citation: Nicolas Falliere, Liam O Murchu, Eric Chien February 2011)", + "modified": "2022-09-20T21:16:39.070Z", + "description": "[Stuxnet](https://attack.mitre.org/software/S0603) executes malicious SQL commands in the WinCC database server to propagate to remote systems. The malicious SQL commands include xp_cmdshell, sp_dumpdbilog, and sp_addextendedproc. (Citation: Nicolas Falliere, Liam O Murchu, Eric Chien February 2011)", "relationship_type": "uses", "source_ref": "malware--088f1d6e-0783-47c6-9923-9c79b2af43d4", - "target_ref": "attack-pattern--e6c31185-8040-4267-83d3-b217b8a92f07", + "target_ref": "attack-pattern--85a45294-08f1-4539-bf00-7da08aa7b0ee", "x_mitre_deprecated": false, "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "2.1.0", 
@@ -8532,32 +10962,79 @@ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", - "id": "relationship--e767c178-e4b2-490a-b544-bb1b2d6c7de4", + "id": "relationship--ea817c7a-9424-4204-90a5-6f8fb86037be", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.109Z", + "modified": "2022-05-06T17:47:24.230Z", "relationship_type": "mitigates", - "description": "Application isolation will limit the other processes and system features an exploited target can access. Examples of built in features are software restriction policies, AppLocker for Windows, and SELinux or AppArmor for Linux.\n", - "source_ref": "course-of-action--059ba11e-e3dc-49aa-84ca-88197f40d4ea", - "target_ref": "attack-pattern--32632a95-6856-47b9-9ab7-fea5cd7dce00", + "description": "Configure features related to account use like login attempt lockouts, specific login times, and password strength requirements as examples. Consider these features as they relate to assets which may impact safety and availability. (Citation: Keith Stouffer May 2015)\n", + "source_ref": "course-of-action--86b455f2-fb63-4043-93a8-32a3a7703a02", + "target_ref": "attack-pattern--cd2c76a4-5e23-4ca5-9c40-d5e0604f7101", + "external_references": [ + { + "source_name": "Keith Stouffer May 2015", + "description": "Keith Stouffer 2015, May Guide to Industrial Control Systems (ICS) Security Retrieved. 
2018/03/28 ", + "url": "https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-82r2.pdf" + } + ], "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0" }, { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], "type": "relationship", - "id": "relationship--8dab113a-a713-499b-ba1e-9c2cbeffb3c8", + "id": "relationship--81ca994a-b350-424d-8f39-a0b64aa76260", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.204Z", + "relationship_type": "mitigates", + "description": "Users can be trained to identify social engineering techniques and spearphishing emails.\n", + "source_ref": "course-of-action--dc61c280-c29d-44e5-a960-c0dd1623d2ba", + "target_ref": "attack-pattern--648f995e-9c3a-41e4-aeee-98bb41037426", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--ad7770c3-fe24-4285-9ce2-1616a1061472", + "type": "relationship", + "created": "2019-04-17T14:45:59.681Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "description": "McKeague, B. et al. (2019, April 5). Pick-Six: Intercepting a FIN6 Intrusion, an Actor Recently Tied to Ryuk and LockerGoga Ransomware. 
Retrieved April 17, 2019.", + "url": "https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html", + "source_name": "FireEye FIN6 Apr 2019" + } + ], + "modified": "2019-06-28T14:59:17.849Z", + "description": "(Citation: FireEye FIN6 Apr 2019)", + "relationship_type": "uses", + "source_ref": "intrusion-set--2a7914cf-dff3-428d-ab0f-1014d1c28aeb", + "target_ref": "malware--5af7a825-2d9f-400d-931a-e00eb9e27f48", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--3c5bc8de-a7a4-4bda-a82f-8d149ec927f1", "created": "2022-05-11T16:22:58.804Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2022-09-26T16:52:31.059Z", - "description": "Device restarts and shutdowns may be observable in device application logs. Monitor for unexpected device restarts or shutdowns.", + "modified": "2022-09-26T16:11:30.678Z", + "description": "Monitor operational process data for write commands for an excessive number of I/O points or manipulating a single value an excessive number of times. This will not directly detect the technique’s execution, but instead may provide additional evidence that the technique has been used and may complement other detections.", "relationship_type": "detects", - "source_ref": "x-mitre-data-component--9c2fa0ae-7abc-485a-97f6-699e3b6cf9fa", - "target_ref": "attack-pattern--25dfc8ad-bd73-4dfd-84a9-3c3d383f76e9", + "source_ref": "x-mitre-data-component--931b3fc6-ad68-42a8-9018-e98515eedc95", + "target_ref": "attack-pattern--8e7089d3-fba2-44f8-94a8-9a79c53920c4", "x_mitre_deprecated": false, "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "2.1.0", 
@@ -8565,63 +11042,18 @@ }, { "type": "relationship", - "id": "relationship--dda89758-9d0b-446d-b594-85acc7f9cb90", - "created": "2020-09-21T17:59:24.739Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "external_references": [ - { - "source_name": "Department of Homeland Security October 2009", - "description": "Department of Homeland Security 2009, October Developing an Industrial Control Systems Cybersecurity Incident Response Capability Retrieved. 2020/09/17 ", - "url": "https://us-cert.cisa.gov/sites/default/files/recommended_practices/final-RP_ics_cybersecurity_incident_response_100609.pdf" - } - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-10-19T21:23:40.524Z", - "description": "Take and store data backups from end user systems and critical servers. Ensure backup and storage systems are hardened and kept separate from the corporate network to prevent compromise. Maintain and exercise incident response plans (Citation: Department of Homeland Security October 2009), including the management of gold-copy back-up images and configurations for key systems to enable quick recovery and response from adversarial activities that impact control, view, or availability.\n", - "relationship_type": "mitigates", - "source_ref": "course-of-action--ad12819e-3211-4291-b360-069f280cff0a", - "target_ref": "attack-pattern--63b6942d-8359-4506-bfb3-cf87aa8120ee", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "type": "relationship", - "id": "relationship--6902da63-3b59-46f3-99e0-6008dd47ab70", - "created": "2022-09-27T15:33:16.221Z", + "id": "relationship--15a39e3b-124e-4e68-95b5-7b8020225c12", + "created": "2022-05-11T16:22:58.807Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, 
"object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2022-10-14T16:38:13.560Z", - "description": "Monitor executed commands and arguments related to services specifically designed to accept remote graphical connections, such as RDP and VNC. [Remote Services](https://attack.mitre.org/techniques/T0886) and [Valid Accounts](https://attack.mitre.org/techniques/T0859) may be used to access a host’s GUI.", + "modified": "2022-10-14T16:30:27.289Z", + "description": "Monitor command-line arguments for script execution and subsequent behavior. Actions may be related to network and system information Discovery, Collection, or other scriptable post-compromise behaviors and could be used as indicators of detection leading back to the source script. Scripts are likely to perform actions with various effects on a system that may generate events, depending on the types of monitoring used. ", "relationship_type": "detects", "source_ref": "x-mitre-data-component--685f917a-e95e-4ba0-ade1-c7d354dae6e0", - "target_ref": "attack-pattern--b0628bfc-5376-4a38-9182-f324501cb4cf", - "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "type": "relationship", - "id": "relationship--636baf5a-1a1c-476b-bc54-fb27b27b58a2", - "created": "2022-05-11T16:22:58.806Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-09-27T16:53:22.510Z", - "description": "Monitor for file names that are mismatched between the file name on disk and that of the binary's metadata. This is a likely indicator that a binary was renamed after it was compiled. 
For added context on adversary procedures and background see [Masquerading](https://attack.mitre.org/techniques/T1036) and applicable sub-techniques.", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--ee575f4a-2d4f-48f6-b18b-89067760adc1", - "target_ref": "attack-pattern--ba203963-3182-41ac-af14-7e7ebc83cd61", + "target_ref": "attack-pattern--2dc2b567-8821-49f9-9045-8740f3d0b958", "x_mitre_deprecated": false, "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "2.1.0", 
@@ -8632,19 +11064,19 @@ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", - "id": "relationship--8fa6fe89-e704-4be4-a15b-50e188084aa3", + "id": "relationship--a74c14e2-eb8a-47bb-b64d-20aad9154297", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.120Z", + "modified": "2022-05-06T17:47:24.218Z", "relationship_type": "mitigates", - "description": "Make it difficult for adversaries to advance their operation through exploitation of undiscovered or unpatched vulnerabilities by using sandboxing. Other types of virtualization and application microsegmentation may also mitigate the impact of some types of exploitation. Risks of additional exploits and weaknesses in these systems may still exist. (Citation: Dan Goodin March 2017)\n", - "source_ref": "course-of-action--059ba11e-e3dc-49aa-84ca-88197f40d4ea", - "target_ref": "attack-pattern--85a45294-08f1-4539-bf00-7da08aa7b0ee", + "description": "Segment operational network and systems to restrict access to critical system functions to predetermined management systems. (Citation: Department of Homeland Security September 2016)\n", + "source_ref": "course-of-action--1e7ccfc0-94c8-496e-8d27-032120892291", + "target_ref": "attack-pattern--b9160e77-ea9e-4ba9-b1c8-53a3c466b13d", "external_references": [ { - "source_name": "Dan Goodin March 2017", - "description": "Dan Goodin 2017, March Virtual machine escape fetches $105,000 at Pwn2Own hacking contest Retrieved. 2020/09/25 ", - "url": "https://arstechnica.com/information-technology/2017/03/hack-that-escapes-vm-by-exploiting-edge-browser-fetches-105000-at-pwn2own/" + "source_name": "Department of Homeland Security September 2016", + "description": "Department of Homeland Security 2016, September Retrieved. 
2020/09/25 ", + "url": "https://us-cert.cisa.gov/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf" } ], "x_mitre_attack_spec_version": "2.1.0", 
@@ -8652,45 +11084,48 @@ "x_mitre_version": "1.0" }, { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], "type": "relationship", - "id": "relationship--6baa9172-04e4-416d-a009-668cda23fd5d", - "created": "2021-10-08T15:25:32.143Z", + "id": "relationship--97c5b388-518a-46ec-b2b0-41bfa6a83204", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.115Z", + "relationship_type": "mitigates", + "description": "Update software regularly by employing patch management for internal enterprise endpoints and servers.\n", + "source_ref": "course-of-action--97f33c84-8508-45b9-8a1d-cac921828c9e", + "target_ref": "attack-pattern--9f947a1c-3860-48a8-8af0-a2dfa3efde03", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--5424e327-396f-4b07-94a3-408ffc915686", + "created": "2018-04-18T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { - "source_name": "Nicolas Falliere, Liam O Murchu, Eric Chien February 2011", - "description": "Nicolas Falliere, Liam O Murchu, Eric Chien 2011, February W32.Stuxnet Dossier (Version 1.4) Retrieved. 2017/09/22 ", - "url": "https://www.wired.com/images_blogs/threatlevel/2011/02/Symantec-Stuxnet-Update-Feb-2011.pdf" + "source_name": "Dragos", + "description": "Dragos Allanite Retrieved. 2019/10/27 ", + "url": "https://dragos.com/resource/allanite/" + }, + { + "source_name": "ICS-CERT October 2017", + "description": "ICS-CERT 2017, October 21 Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors Retrieved. 
2017/10/23 ", + "url": "https://www.us-cert.gov/ncas/alerts/TA17-293A" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2022-10-19T17:13:18.889Z", - "description": "[Stuxnet](https://attack.mitre.org/software/S0603) will store and execute SQL code that will extract and execute Stuxnet from the saved CAB file using xp_cmdshell with the following command: `set @s = master..xp _ cmdshell extrac32 /y +@t+ +@t+x; exec(@s);` (Citation: Nicolas Falliere, Liam O Murchu, Eric Chien February 2011)", + "modified": "2022-10-12T15:40:18.975Z", + "description": "[ALLANITE](https://attack.mitre.org/groups/G1000) has been identified to collect and distribute screenshots of ICS systems such as HMIs. (Citation: Dragos) (Citation: ICS-CERT October 2017)", "relationship_type": "uses", - "source_ref": "malware--088f1d6e-0783-47c6-9923-9c79b2af43d4", - "target_ref": "attack-pattern--24a9253e-8948-4c98-b751-8e2aee53127c", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "type": "relationship", - "id": "relationship--7d66eae7-0dd4-4d21-ab07-8f7e350a7105", - "created": "2022-05-11T16:22:58.806Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-10-14T16:14:40.227Z", - "description": "Monitor executed commands and arguments to services specifically designed to accept remote connections, such as RDP, Telnet, SSH, and VNC. 
The adversary may then perform these actions using [Valid Accounts](https://attack.mitre.org/techniques/T0859).", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--685f917a-e95e-4ba0-ade1-c7d354dae6e0", - "target_ref": "attack-pattern--e1f9cdd2-9511-4fca-90d7-f3e92cfdd0bf", + "source_ref": "intrusion-set--190242d7-73fc-4738-af68-20162f7a5aae", + "target_ref": "attack-pattern--c5e3cdbc-0387-4be9-8f83-ff5c0865f377", "x_mitre_deprecated": false, "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "2.1.0", @@ -8701,14 +11136,14 @@ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", - "id": "relationship--671043a9-337f-411a-9ca9-3112e897ab09", + "id": "relationship--45ee1822-71e4-4d92-976d-306561b70555", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.184Z", + "modified": "2022-05-06T17:47:24.106Z", "relationship_type": "mitigates", "description": "Segment operational network and systems to restrict access to critical system functions to predetermined management systems. (Citation: Department of Homeland Security September 2016)\n", "source_ref": "course-of-action--1e7ccfc0-94c8-496e-8d27-032120892291", - "target_ref": "attack-pattern--3067b85e-271e-4bc5-81ad-ab1a81d411e3", + "target_ref": "attack-pattern--25dfc8ad-bd73-4dfd-84a9-3c3d383f76e9", "external_references": [ { "source_name": "Department of Homeland Security September 2016", 
@@ -8722,177 +11157,25 @@ }, { "type": "relationship", - "id": "relationship--535c5160-17e0-44eb-9f4b-1a8e216b56a2", - "created": "2018-10-17T00:14:20.652Z", + "id": "relationship--d9165ecb-bc10-4189-a7e4-057bdf05bf3f", + "created": "2017-12-14T16:46:06.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { - "source_name": "Spenneberg, Ralf, Maik Brggemann, and Hendrik Schwartke March 2016", - "description": "Spenneberg, Ralf, Maik Brggemann, and Hendrik Schwartke 2016, March 31 Plc-blaster: A worm living solely in the plc. Retrieved. 2017/09/19 ", - "url": "https://www.blackhat.com/docs/asia-16/materials/asia-16-Spenneberg-PLC-Blaster-A-Worm-Living-Solely-In-The-PLC-wp.pdf" + "source_name": "Booz Allen Hamilton", + "description": "Booz Allen Hamilton When The Lights Went Out Retrieved. 2019/10/22 ", + "url": "https://www.boozallen.com/content/dam/boozallen/documents/2016/09/ukraine-report-when-the-lights-went-out.pdf" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2022-10-12T18:01:00.053Z", - "description": "The execution on the PLC can be stopped by violating the cycle time limit. The [PLC-Blaster](https://attack.mitre.org/software/S1006) implements an endless loop triggering an error condition within the PLC with the impact of a DoS. (Citation: Spenneberg, Ralf, Maik Brggemann, and Hendrik Schwartke March 2016)", + "modified": "2022-10-12T17:35:32.480Z", + "description": "[BlackEnergy](https://attack.mitre.org/software/S0089) targeted energy sector organizations in a wide reaching email spearphishing campaign. Adversaries utilized malicious Microsoft Word documents attachments. 
(Citation: Booz Allen Hamilton)\n", "relationship_type": "uses", - "source_ref": "malware--4dcff507-5af8-47ce-964a-8d9569e9ccfe", - "target_ref": "attack-pattern--1b22b676-9347-4c55-9a35-ef0dc653db5b", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "relationship", - "id": "relationship--91f29477-2ff6-4dbf-bf68-c8825a938851", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2021-04-13T12:08:26.506Z", - "modified": "2022-05-06T17:47:24.119Z", - "relationship_type": "mitigates", - "description": "Update software regularly by employing patch management for internal enterprise endpoints and servers.\n", - "source_ref": "course-of-action--97f33c84-8508-45b9-8a1d-cac921828c9e", - "target_ref": "attack-pattern--cfe68e93-ce94-4c0f-a57d-3aa72cedd618", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "relationship", - "id": "relationship--46332a77-2fd6-4033-96cf-6163172775ec", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.164Z", - "relationship_type": "mitigates", - "description": "Devices should verify that firmware has been properly signed by the vendor before allowing installation.\n", - "source_ref": "course-of-action--71eb7dad-07eb-4bbc-9df0-ac57bf2fba4a", - "target_ref": "attack-pattern--efbf7888-f61b-4572-9c80-7e2965c60707", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - 
"object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "relationship", - "id": "relationship--0491ef92-2941-4841-9fe6-2e1809788b52", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.210Z", - "relationship_type": "mitigates", - "description": "Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses. Perform periodic integrity checks of the device to validate the correctness of the firmware, software, programs, and configurations. Integrity checks, which typically include cryptographic hashes or digital signatures, should be compared to those obtained at known valid states, especially after events like device reboots, program downloads, or program restarts.\n", - "source_ref": "course-of-action--bcf91ebc-f316-4e19-b2f6-444e9940c697", - "target_ref": "attack-pattern--5e0f75da-e108-4688-a6de-a4f07cc2cbe3", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "relationship", - "id": "relationship--f862418a-e7b4-4783-8949-7145f3dee665", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.104Z", - "relationship_type": "mitigates", - "description": "Authenticate connections from software and devices to prevent unauthorized systems from accessing protected management functions.\n", - "source_ref": "course-of-action--72e46e53-e12d-4106-9c70-33241b6ed549", - "target_ref": "attack-pattern--25dfc8ad-bd73-4dfd-84a9-3c3d383f76e9", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": 
"1.0" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "relationship", - "id": "relationship--63453d2f-30f6-40ab-b32c-506d940ecd20", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.061Z", - "relationship_type": "mitigates", - "description": "Devices that allow remote management of firmware should require authentication before allowing any changes. The authentication mechanisms should also support [Account Use Policies](https://attack.mitre.org/mitigations/M0936), [Password Policies](https://attack.mitre.org/mitigations/M0927), and [User Account Management](https://attack.mitre.org/mitigations/M0918)", - "source_ref": "course-of-action--66cfe23e-34b6-4583-b178-ed6a412db2b0", - "target_ref": "attack-pattern--19a71d1e-6334-4233-8260-b749cae37953", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "relationship", - "id": "relationship--ad7fd147-066e-4ed5-aa9d-7b2f1771150d", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.111Z", - "relationship_type": "mitigates", - "description": "Web Application Firewalls may be used to limit exposure of applications to prevent exploit traffic from reaching the application. 
(Citation: Karen Scarfone; Paul Hoffman September 2009)\n", - "source_ref": "course-of-action--49363b74-d506-4342-bd63-320586ebadb9", - "target_ref": "attack-pattern--32632a95-6856-47b9-9ab7-fea5cd7dce00", - "external_references": [ - { - "source_name": "Karen Scarfone; Paul Hoffman September 2009", - "description": "Karen Scarfone; Paul Hoffman 2009, September Guidelines on Firewalls and Firewall Policy Retrieved. 2020/09/25 ", - "url": "https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-41r1.pdf" - } - ], - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "relationship", - "id": "relationship--e5afc447-a241-4773-9a8a-3d6fd205d926", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.106Z", - "relationship_type": "mitigates", - "description": "Utilize exploit protection to prevent activities which may be exploited through malicious web sites.\n", - "source_ref": "course-of-action--49363b74-d506-4342-bd63-320586ebadb9", - "target_ref": "attack-pattern--7830cfcf-b268-4ac0-a69e-73c6affbae9a", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - "type": "relationship", - "id": "relationship--3be8045a-1f0d-4460-a76b-ae830e74c1e0", - "created": "2018-10-17T00:14:20.652Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "external_references": [ - { - "source_name": "Anton Cherepanov, ESET June 2017", - "description": "Anton Cherepanov, ESET 2017, June 12 Win32/Industroyer: A new threat for industrial control systems Retrieved. 
2017/09/15 ", - "url": "https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf" - } - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-10-12T17:52:05.598Z", - "description": "The name of the [Industroyer](https://attack.mitre.org/software/S0604) payload DLL is supplied by the attackers via a command line parameter supplied in one of the main backdoors execute a shell command commands. (Citation: Anton Cherepanov, ESET June 2017)", - "relationship_type": "uses", - "source_ref": "malware--e401d4fe-f0c9-44f0-98e6-f93487678808", - "target_ref": "attack-pattern--24a9253e-8948-4c98-b751-8e2aee53127c", + "source_ref": "malware--54cc1d4f-5c53-4f0e-9ef5-11b4998e82e4", + "target_ref": "attack-pattern--648f995e-9c3a-41e4-aeee-98bb41037426", "x_mitre_deprecated": false, "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "2.1.0", 
@@ -8900,410 +11183,7 @@ }, { "type": "relationship", - "id": "relationship--8a06c15b-b7e5-4374-9265-8d9020e126cd", - "created": "2021-10-14T16:46:06.044Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "external_references": [ - { - "source_name": "Nicolas Falliere, Liam O Murchu, Eric Chien February 2011", - "description": "Nicolas Falliere, Liam O Murchu, Eric Chien 2011, February W32.Stuxnet Dossier (Version 1.4) Retrieved. 2017/09/22 ", - "url": "https://www.wired.com/images_blogs/threatlevel/2011/02/Symantec-Stuxnet-Update-Feb-2011.pdf" - } - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-10-19T17:31:56.055Z", - "description": "[Stuxnet](https://attack.mitre.org/software/S0603) infects DLL's associated with the WinCC Simatic manager which are responsible for opening project files. If a user opens an uninfected project file using a compromised manager, the file will be infected with Stuxnet code. If an infected project is opened with the Simatic manager, the modified data file will trigger a search for the `xyz.dll` file. If the `xyz.dll` file is not found in any of the specified locations, the malicious DLL will be loaded and executed by the manager. 
(Citation: Nicolas Falliere, Liam O Murchu, Eric Chien February 2011)", - "relationship_type": "uses", - "source_ref": "malware--088f1d6e-0783-47c6-9923-9c79b2af43d4", - "target_ref": "attack-pattern--2736b752-4ec5-4421-a230-8977dea7649c", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "relationship", - "id": "relationship--3168a905-f398-403f-9345-de5893de1326", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2021-04-21T14:04:49.301Z", - "modified": "2022-05-06T17:47:24.363Z", - "relationship_type": "uses", - "description": "[Dragonfly 2.0](https://attack.mitre.org/groups/G0035) deleted indicators on staging and target devices by uninstalling software, removing event logs, batch scripts, screenshots, registry keys, documents, and tools they brought into the target networks. (Citation: Cybersecurity & Infrastructure Security Agency March 2018)", - "source_ref": "intrusion-set--76d59913-1d24-4992-a8ac-05a3eb093f71", - "target_ref": "attack-pattern--53a26eee-1080-4d17-9762-2027d5a1b805", - "external_references": [ - { - "source_name": "Cybersecurity & Infrastructure Security Agency March 2018", - "description": "Cybersecurity & Infrastructure Security Agency 2018, March 15 Alert (TA18-074A) Russian Government Cyber Activity Targeting Energy and Other Critical Infrastructure Sectors Retrieved. 
2019/10/11 ", - "url": "https://us-cert.cisa.gov/ncas/alerts/TA18-074A" - } - ], - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - "type": "relationship", - "id": "relationship--9d4be020-4ab0-4f10-9a20-ae8a2886038f", - "created": "2022-09-27T18:40:11.818Z", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-09-27T18:40:11.818Z", - "description": "In the case of detecting collection from shared network drives monitor for unexpected and abnormal accesses to network shares. For added context on adversary procedures and background see [Data from Network Shared Drive](https://attack.mitre.org/techniques/T1039).", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--f5468e67-51c7-4756-9b4f-65707708e7fa", - "target_ref": "attack-pattern--3405891b-16aa-4bd7-bd7c-733501f9b20f", - "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "2.1.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "type": "relationship", - "id": "relationship--1f785984-791e-4612-be32-9ee6903a9c0b", - "created": "2022-09-28T20:26:09.928Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "external_references": [ - { - "source_name": "Wylie-22", - "description": "Jimmy Wylie. (2022, August). Analyzing PIPEDREAM: Challenges in Testing an ICS Attack Toolkit. 
Defcon 30.", - "url": "https://media.defcon.org/DEF%20CON%2030/DEF%20CON%2030%20presentations/Jimmy%20Wylie%20-%20Analyzing%20PIPEDREAM%20Challenges%20in%20testing%20an%20ICS%20attack%20toolkit.pdf" - } - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-10-13T16:53:47.433Z", - "description": "[INCONTROLLER](https://attack.mitre.org/software/S1045) can login to Omron PLCs using hardcoded credentials, which is documented in CVE-2022-34151.(Citation: Wylie-22) ", - "relationship_type": "uses", - "source_ref": "malware--d3aa1058-b1b3-4c29-a3ba-9a9b90ccd93b", - "target_ref": "attack-pattern--c9a8d958-fcdb-40d2-af4c-461c8031651a", - "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "type": "relationship", - "id": "relationship--78972893-5d8c-480f-a05d-481adc0c8bb0", - "created": "2022-05-11T16:22:58.804Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-09-26T16:12:25.316Z", - "description": "Monitor ICS automation network protocols for functions related to reading an asset’s operating mode. In some cases, there may be multiple ways to detect a device’s operating mode, one of which is typically used in the operational environment. 
Monitor for the operating mode being checked in unexpected ways.", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c", - "target_ref": "attack-pattern--2aa406ed-81c3-4c1d-ba83-cfbee5a2847a", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "type": "relationship", - "id": "relationship--c4122b58-f1b2-4656-a715-55016700bf75", - "created": "2018-10-17T00:14:20.652Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "external_references": [ - { - "source_name": "Anton Cherepanov, ESET June 2017", - "description": "Anton Cherepanov, ESET 2017, June 12 Win32/Industroyer: A new threat for industrial control systems Retrieved. 2017/09/15 ", - "url": "https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf" - } - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-09-23T18:56:39.825Z", - "description": "[Industroyer](https://attack.mitre.org/software/S0604) automatically collects protocol object data to learn about control devices in the environment. 
(Citation: Anton Cherepanov, ESET June 2017)", - "relationship_type": "uses", - "source_ref": "malware--e401d4fe-f0c9-44f0-98e6-f93487678808", - "target_ref": "attack-pattern--3de230d4-3e42-4041-b089-17e1128feded", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "relationship", - "id": "relationship--33215dfa-53d0-4bd7-a15d-cec9315c7c4d", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.130Z", - "relationship_type": "mitigates", - "description": "Deny direct remote access to internal systems through the use of network proxies, gateways, and firewalls. Steps should be taken to periodically inventory internet accessible devices to determine if it differs from the expected.\n", - "source_ref": "course-of-action--1e7ccfc0-94c8-496e-8d27-032120892291", - "target_ref": "attack-pattern--f8df6b57-14bc-425f-9a91-6f59f6799307", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "relationship", - "id": "relationship--461e81a2-c7ad-499e-908d-05ef2f7bd9cd", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.073Z", - "relationship_type": "mitigates", - "description": "Utilize network allowlists to restrict unnecessary connections to network devices (e.g., comm servers, serial to ethernet converters) and services, especially in cases when devices have limits on the number of simultaneous sessions they support.\n", - "source_ref": 
"course-of-action--aadac250-bcdc-44e3-a4ae-f52bd0a7a16a", - "target_ref": "attack-pattern--8e7089d3-fba2-44f8-94a8-9a79c53920c4", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - "type": "relationship", - "id": "relationship--c84e39ab-30c1-40e3-95a8-fcbb271e913c", - "created": "2022-05-06T17:47:21.168Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "external_references": [ - { - "source_name": "Carl Hurd March 2019", - "description": "Carl Hurd 2019, March 26 VPNFilter Deep Dive Retrieved. 2019/03/28 ", - "url": "https://www.youtube.com/watch?v=yuZazP22rpI" - }, - { - "source_name": "William Largent June 2018", - "description": "William Largent 2018, June 06 VPNFilter Update - VPNFilter exploits endpoints, targets new devices Retrieved. 2019/03/28 ", - "url": "https://blog.talosintelligence.com/2018/06/vpnfilter-update.html" - } - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-10-12T18:31:07.308Z", - "description": "The [VPNFilter](https://attack.mitre.org/software/S1010)'s ssler module configures the device's iptables to redirect all traffic destined for port 80 to its local service listening on port 8888. Any outgoing web requests on port 80 are now intercepted by ssler and can be inspected by the ps module and manipulated before being sent to the legitimate HTTP service. 
(Citation: William Largent June 2018) (Citation: Carl Hurd March 2019)", - "relationship_type": "uses", - "source_ref": "malware--6108f800-10b8-4090-944e-be579f01263d", - "target_ref": "attack-pattern--9a505987-ab05-4f46-a9a6-6441442eec3b", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "type": "relationship", - "id": "relationship--ab306654-2abb-4983-8d30-df4058adb06c", - "created": "2021-04-12T18:49:06.044Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "external_references": [ - { - "source_name": "Selena Larson, Camille Singleton December 2020", - "description": "Selena Larson, Camille Singleton 2020, December RANSOMWARE IN ICS ENVIRONMENTS Retrieved. 2021/04/12 ", - "url": "https://f.hubspotusercontent10.net/hubfs/5943619/Whitepaper-Downloads/Ransomware_in_ICS_Environments_Whitepaper_10_12_20.pdf?utm_referrer=https%3A%2F%2Fwww.dragos.com%2Fresource%2Fransomware-in-ics-environments%2F" - } - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-10-12T18:06:16.474Z", - "description": "The [REvil](https://attack.mitre.org/software/S0496) malware gained access to an organizations network and encrypted sensitive files used by OT equipment. 
(Citation: Selena Larson, Camille Singleton December 2020)", - "relationship_type": "uses", - "source_ref": "malware--ac61f1f9-7bb1-465e-9b8a-c2ce8e88baf5", - "target_ref": "attack-pattern--63b6942d-8359-4506-bfb3-cf87aa8120ee", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "type": "relationship", - "id": "relationship--51ed2f2f-d7e2-4699-b6bf-8da9d0361d59", - "created": "2022-09-26T17:08:21.214Z", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-09-26T17:08:21.214Z", - "description": "Monitor device communication patterns to identify irregular bulk transfers of data between the embedded ICS asset and other nodes within the network. Note these indicators are dependent on the profile of normal operations and the capabilities of the industrial automation protocols involved (e.g., partial program uploads).", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--a7f22107-02e5-4982-9067-6625d4a1765a", - "target_ref": "attack-pattern--3067b85e-271e-4bc5-81ad-ab1a81d411e3", - "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "2.1.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "type": "relationship", - "id": "relationship--a618d7e4-23f0-4b8c-9f09-78d04ea7fc55", - "created": "2022-05-11T16:22:58.806Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-09-26T15:14:57.034Z", - "description": "Monitor for alarm setting changes observable in automation or management network protocols.", - "relationship_type": "detects", - 
"source_ref": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c", - "target_ref": "attack-pattern--e5de767e-f513-41cd-aa15-33f6ce5fbf92", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "relationship", - "id": "relationship--a7caa7f2-cfb9-4fc9-ae8d-49349b6c260f", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.175Z", - "relationship_type": "mitigates", - "description": "All field controllers should restrict the modification of programs to only certain users (e.g., engineers, field technician), preferably through implementing a role-based access mechanism.\n", - "source_ref": "course-of-action--e0d38502-decb-481d-ad8b-b8f0a0c330bd", - "target_ref": "attack-pattern--be69c571-d746-4b1f-bdd0-c0c9817e9068", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "relationship", - "id": "relationship--2f64b5aa-7e4d-4a5e-9960-69a63ad25083", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.201Z", - "relationship_type": "mitigates", - "description": "Execution prevention may prevent malicious scripts from accessing protected resources.\n", - "source_ref": "course-of-action--4fa717d9-cabe-47c8-8cdd-86e9e2e37f30", - "target_ref": "attack-pattern--2dc2b567-8821-49f9-9045-8740f3d0b958", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, 
- { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "relationship", - "id": "relationship--b13417ea-d8da-497f-818f-d2d90562039a", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.142Z", - "relationship_type": "mitigates", - "description": "Network intrusion detection and prevention systems that can identify traffic patterns indicative of MiTM activity can be used to mitigate activity at the network level.\n", - "source_ref": "course-of-action--3172222b-4983-43f7-8983-753ded4f13bc", - "target_ref": "attack-pattern--9a505987-ab05-4f46-a9a6-6441442eec3b", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - "type": "relationship", - "id": "relationship--63ca148e-12c9-4090-b51e-a8fb7a847a2a", - "created": "2021-04-13T11:15:26.506Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "external_references": [ - { - "source_name": "DHS CISA February 2019", - "description": "DHS CISA 2019, February 27 MAR-17-352-01 HatManSafety System Targeted Malware (Update B) Retrieved. 2019/03/08 ", - "url": "https://ics-cert.us-cert.gov/sites/default/files/documents/MAR-17-352-01%20HatMan%20-%20Safety%20System%20Targeted%20Malware%20%28Update%20B%29.pdf" - }, - { - "source_name": "Jos Wetzels January 2018", - "description": "Jos Wetzels 2018, January 16 Analyzing the TRITON industrial malware Retrieved. 
2019/10/22 ", - "url": "https://www.midnightbluelabs.com/blog/2018/1/16/analyzing-the-triton-industrial-malware" - } - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-10-12T18:25:29.480Z", - "description": "[Triton](https://attack.mitre.org/software/S1009)'s argument-setting and inject.bin shellcode are added to the program table on the Tricon so that they are executed by the firmware once each cycle. (Citation: DHS CISA February 2019) (Citation: Jos Wetzels January 2018)", - "relationship_type": "uses", - "source_ref": "malware--80099a91-4c86-4bea-9ccb-dac55d61960e", - "target_ref": "attack-pattern--09a61657-46e1-439e-b3ed-3e4556a78243", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "type": "relationship", - "id": "relationship--31897c41-1d47-4a34-b531-21c3f74651a8", - "created": "2021-04-13T11:15:26.506Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "external_references": [ - { - "source_name": "Spenneberg, Ralf, Maik Brggemann, and Hendrik Schwartke March 2016", - "description": "Spenneberg, Ralf, Maik Brggemann, and Hendrik Schwartke 2016, March 31 Plc-blaster: A worm living solely in the plc. Retrieved. 2017/09/19 ", - "url": "https://www.blackhat.com/docs/asia-16/materials/asia-16-Spenneberg-PLC-Blaster-A-Worm-Living-Solely-In-The-PLC-wp.pdf" - } - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-10-12T18:00:39.796Z", - "description": "[PLC-Blaster](https://attack.mitre.org/software/S1006) utilizes the PLC communication and management API to load executable Program Organization Units. 
(Citation: Spenneberg, Ralf, Maik Brggemann, and Hendrik Schwartke March 2016)", - "relationship_type": "uses", - "source_ref": "malware--4dcff507-5af8-47ce-964a-8d9569e9ccfe", - "target_ref": "attack-pattern--be69c571-d746-4b1f-bdd0-c0c9817e9068", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "type": "relationship", - "id": "relationship--eb1e05ef-58df-4c6d-acd7-5cc63ff7f44f", - "created": "2021-10-08T15:42:24.739Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "external_references": [ - { - "source_name": "Dragos Inc. June 2017", - "description": "Dragos Inc. 2017, June 13 Industroyer - Dragos - 201706: Analysis of the Threat to Electic Grid Operations Retrieved. 2017/09/18 ", - "url": "https://dragos.com/blog/crashoverride/CrashOverride-01.pdf" - } - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-10-12T17:01:24.078Z", - "description": "[Sandworm Team](https://attack.mitre.org/groups/G0034) establishes an internal proxy prior to the installation of backdoors within the network. (Citation: Dragos Inc. June 2017)", - "relationship_type": "uses", - "source_ref": "intrusion-set--381fcf73-60f6-4ab2-9991-6af3cbc35192", - "target_ref": "attack-pattern--d67adac8-e3b9-44f9-9e6d-6c2a7d69dbe4", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "type": "relationship", - "id": "relationship--c64f2ed2-f7a7-4333-b0d3-d687ffb7ad6b", + "id": "relationship--6ad39b3a-a962-457f-852c-be7fc615e22f", "created": "2020-09-21T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, 
@@ -9317,20 +11197,275 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2022-10-19T21:23:30.482Z", + "modified": "2022-10-19T21:23:00.355Z", "description": "Take and store data backups from end user systems and critical servers. Ensure backup and storage systems are hardened and kept separate from the corporate network to prevent compromise. Maintain and exercise incident response plans (Citation: Department of Homeland Security October 2009), including the management of gold-copy back-up images and configurations for key systems to enable quick recovery and response from adversarial activities that impact control, view, or availability.\n", "relationship_type": "mitigates", "source_ref": "course-of-action--ad12819e-3211-4291-b360-069f280cff0a", - "target_ref": "attack-pattern--4c2e1408-9d68-4187-8e6b-a77bc52700ec", + "target_ref": "attack-pattern--a81696ef-c106-482c-8f80-59c30f2569fb", "x_mitre_deprecated": false, "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], "type": "relationship", - "id": "relationship--2fd13fc0-e3f0-4099-ab20-d19ba6bcd4e0", - "created": "2017-12-14T16:46:06.044Z", + "id": "relationship--cb30d507-edc6-4197-947c-7b3a6e395c0d", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.178Z", + "relationship_type": "mitigates", + "description": "Utilize code signatures to verify the integrity of the installed program on safety or control assets has not been changed.\n", + "source_ref": "course-of-action--71eb7dad-07eb-4bbc-9df0-ac57bf2fba4a", + "target_ref": "attack-pattern--be69c571-d746-4b1f-bdd0-c0c9817e9068", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": 
"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--50a2b289-7bce-405d-8515-c2b5424cce5c", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.090Z", + "relationship_type": "mitigates", + "description": "Information which is sensitive to the operation and architecture of the process environment may be encrypted to ensure confidentiality and restrict access to only those who need to know. (Citation: Keith Stouffer May 2015) (Citation: National Institute of Standards and Technology April 2013)\n", + "source_ref": "course-of-action--9f99fcfd-772e-4e63-9d39-e45612e546dc", + "target_ref": "attack-pattern--3405891b-16aa-4bd7-bd7c-733501f9b20f", + "external_references": [ + { + "source_name": "Keith Stouffer May 2015", + "description": "Keith Stouffer 2015, May Guide to Industrial Control Systems (ICS) Security Retrieved. 2018/03/28 ", + "url": "https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-82r2.pdf" + }, + { + "source_name": "National Institute of Standards and Technology April 2013", + "description": "National Institute of Standards and Technology 2013, April Security and Privacy Controls for Federal Information Systems and Organizations Retrieved. 
2020/09/17 ", + "url": "https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf" + } + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--86b868be-3e59-4497-9aa9-a2cd951a8f72", + "created": "2022-05-11T16:22:58.803Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-09-26T15:01:39.537Z", + "description": "Monitor application logs for changes to settings and other events associated with network protocols that may be used to block communications.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--9c2fa0ae-7abc-485a-97f6-699e3b6cf9fa", + "target_ref": "attack-pattern--008b8f56-6107-48be-aa9f-746f927dbb61", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--808174b7-3ab0-45b5-963e-5c10dd749e3c", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.140Z", + "relationship_type": "mitigates", + "description": "Statically defined ARP entries can prevent manipulation and sniffing of switched network traffic, as some MitM techniques depend on sending spoofed ARP messages to manipulate network host's dynamic ARP tables.\n", + "source_ref": "course-of-action--52c7a1a9-3a78-4528-a44f-cd7b0fa3541a", + "target_ref": "attack-pattern--9a505987-ab05-4f46-a9a6-6441442eec3b", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": 
"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--97538255-b049-4d15-91c4-6b227cbea476", + "created": "2022-05-11T16:22:58.806Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-09-26T15:16:09.542Z", + "description": "Data about the industrial process may indicate it is operating outside of expected bounds and could help indicate that that an alarm setting has changed. This will not directly detect the technique’s execution, but instead may provide additional evidence that the technique has been used and may complement other detections.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--931b3fc6-ad68-42a8-9018-e98515eedc95", + "target_ref": "attack-pattern--e5de767e-f513-41cd-aa15-33f6ce5fbf92", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--3da977ab-c863-4e6f-a5b7-68173160da00", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.166Z", + "relationship_type": "mitigates", + "description": "Filter for protocols and payloads associated with firmware activation or updating activity.\n", + "source_ref": "course-of-action--11f242bc-3121-438c-84b2-5cbd46a4bb17", + "target_ref": "attack-pattern--efbf7888-f61b-4572-9c80-7e2965c60707", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "object_marking_refs": [ + 
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--a86cee0a-dc49-4c95-b5dc-37405337490b", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.079Z", + "relationship_type": "mitigates", + "description": "Authenticate all access to field controllers before authorizing access to, or modification of, a device's state, logic, or programs. Centralized authentication techniques can help manage the large number of field controller accounts needed across the ICS.\n", + "source_ref": "course-of-action--3992ce42-43e9-4bea-b8db-a102ec3ec1e3", + "target_ref": "attack-pattern--2883c520-7957-46ca-89bd-dab1ad53b601", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--7fdaa9be-aecf-459f-b028-7c35dc8b6451", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.152Z", + "relationship_type": "mitigates", + "description": "Limit privileges of user accounts and groups so that only designated administrators or engineers can interact with alarm management and alarm configuration thresholds.\n", + "source_ref": "course-of-action--e57ebc6d-785f-40c8-adb1-b5b5e09b3b48", + "target_ref": "attack-pattern--e5de767e-f513-41cd-aa15-33f6ce5fbf92", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--d854cc38-adf7-485d-96b5-70606f6cb87e", + "created_by_ref": 
"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.208Z", + "relationship_type": "mitigates", + "description": "Network allowlists can be implemented through either host-based files or system host files to specify what external connections (e.g., IP address, MAC address, port, protocol) can be made from a device. Allowlist techniques that operate at the application layer (e.g., DNP3, Modbus, HTTP) are addressed in the [Filter Network Traffic](https://attack.mitre.org/mitigations/M0937) mitigation.", + "source_ref": "course-of-action--aadac250-bcdc-44e3-a4ae-f52bd0a7a16a", + "target_ref": "attack-pattern--e076cca8-2f08-45c9-aff7-ea5ac798b387", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--8a604466-8437-4fe6-b6db-ec8fb05d702a", + "created": "2018-10-17T00:14:20.652Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Anton Cherepanov, ESET June 2017", + "description": "Anton Cherepanov, ESET 2017, June 12 Win32/Industroyer: A new threat for industrial control systems Retrieved. 2017/09/15 ", + "url": "https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-09-23T18:49:59.817Z", + "description": "In [Industroyer](https://attack.mitre.org/software/S0604) the first COM port from the configuration file is used for the actual communication and the two other COM ports are just opened to prevent other processes accessing them. Thus, the IEC 101 payload component is able to take over and maintain control of the RTU device. 
(Citation: Anton Cherepanov, ESET June 2017)", + "relationship_type": "uses", + "source_ref": "malware--e401d4fe-f0c9-44f0-98e6-f93487678808", + "target_ref": "attack-pattern--1c478716-71d9-46a4-9a53-fa5d576adb60", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--2f6b635b-1441-4ef0-9289-1ed6b9098d4a", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.240Z", + "relationship_type": "mitigates", + "description": "Reduce the range of RF communications to their intended operating range when possible. Propagation reduction methods may include (i) reducing transmission power on wireless signals, (ii) adjusting antenna gain to prevent extensions beyond organizational boundaries, and (iii) employing RF shielding techniques to block excessive signal propagation. (Citation: DHS National Urban Security Technology Laboratory April 2019)\n", + "source_ref": "course-of-action--fce6866f-9a87-4d3e-a73c-f02d8937fe0e", + "target_ref": "attack-pattern--0fe075d5-beac-4d02-b93e-0f874997db72", + "external_references": [ + { + "source_name": "DHS National Urban Security Technology Laboratory April 2019", + "description": "DHS National Urban Security Technology Laboratory 2019, April Radio Frequency Detection, Spectrum Analysis, and Direction Finding Equipment Retrieved. 
2020/09/17 ", + "url": "https://www.dhs.gov/sites/default/files/saver-msr-rf-detection_cod-508_10july2019.pdf" + } + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--1f804c9f-3b65-47eb-89f3-83edd0422fdc", + "created": "2022-05-11T16:22:58.807Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-14T19:34:32.554Z", + "description": "Monitor for changes made to files that may stop or disable services on a system to render those services unavailable to legitimate users.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--84572de3-9583-4c73-aabd-06ea88123dd8", + "target_ref": "attack-pattern--063b5b92-5361-481a-9c3f-95492ed9a2d8", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--e6be2fb4-3815-4e52-8dec-2aed1dc3b7cf", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.154Z", + "relationship_type": "mitigates", + "description": "All field controllers should restrict the modification of programs to only certain users (e.g., engineers, field technician), preferably through implementing a role-based access mechanism.\n", + "source_ref": "course-of-action--e0d38502-decb-481d-ad8b-b8f0a0c330bd", + "target_ref": "attack-pattern--097924ce-a9a9-4039-8591-e0deedfb8722", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": 
"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--3d005ed8-77d3-4fed-9dd5-7e39ba8cb50a", + "created": "2021-04-13T12:45:26.506Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ @@ -9343,11 +11478,11 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2022-09-20T21:11:26.196Z", - "description": "[Stuxnet](https://attack.mitre.org/software/S0603) examines fields recorded by the DP_RECV monitor to determine if the target system is in a particular state of operation. (Citation: Nicolas Falliere, Liam O Murchu, Eric Chien February 2011)", + "modified": "2022-09-20T21:12:08.899Z", + "description": "[Stuxnet](https://attack.mitre.org/software/S0603) calls system function blocks which are part of the operating system running on the PLC. Theyre used to execute system tasks, such as reading the system clock (SFC1) and generating data blocks on the fly. (Citation: Nicolas Falliere, Liam O Murchu, Eric Chien February 2011)", "relationship_type": "uses", "source_ref": "malware--088f1d6e-0783-47c6-9923-9c79b2af43d4", - "target_ref": "attack-pattern--2d0d40ad-22fa-4cc8-b264-072557e1364b", + "target_ref": "attack-pattern--b52870cc-83f3-473c-b895-72d91751030b", "x_mitre_deprecated": false, "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "2.1.0", 
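Review bot: Two descriptions added here carry text defects that will appear verbatim in anything rendered from this bundle: in the first hunk the new `detects` relationship `relationship--97538255-b049-4d15-91c4-6b227cbea476` reads `could help indicate that that an alarm setting has changed`, and in the next hunk (`@@ -9343,11 +11478,11 @@`) the new Stuxnet description reads `Theyre used to execute system tasks`. The second looks like an apostrophe dropped by a character-stripping step rather than a typing slip, since the first description keeps its curly apostrophe in `technique’s`; if so, the export path is worth checking for other silently dropped characters. Suggested text: `could help indicate that an alarm setting has changed` and `They're used to execute system tasks`. Several added `mitigates` descriptions also end in a literal `\n` while others (e.g. `relationship--d854cc38-adf7-485d-96b5-70606f6cb87e`) do not, so consumers should trim descriptions before display or comparison.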
@@ -9358,93 +11493,39 @@ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", - "id": "relationship--65a45501-10de-46a2-89bf-03bbf17aba33", + "id": "relationship--9b412b1f-2dd0-4e7f-8364-f625181ba1db", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.166Z", + "modified": "2022-05-06T17:47:24.232Z", "relationship_type": "mitigates", - "description": "Perform integrity checks of firmware before uploading it on a device. Utilize cryptographic hashes to verify the firmware has not been tampered with by comparing it to a trusted hash of the firmware. This could be from trusted data sources (e.g., vendor site) or through a third-party verification service.\n", - "source_ref": "course-of-action--bcf91ebc-f316-4e19-b2f6-444e9940c697", - "target_ref": "attack-pattern--efbf7888-f61b-4572-9c80-7e2965c60707", + "description": "Integrating multi-factor authentication (MFA) as part of organizational policy can greatly reduce the risk of an adversary gaining access to valid credentials that may be used for additional tactics such as initial access, lateral movement, and collecting information. 
MFA can also be used to restrict access to cloud resources and APIs.\n", + "source_ref": "course-of-action--ddf3e568-f065-49e2-9106-42029a28ddbd", + "target_ref": "attack-pattern--cd2c76a4-5e23-4ca5-9c40-d5e0604f7101", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--8ca2fe75-9bb3-4af5-8fee-accd33d6d2ec", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.101Z", + "relationship_type": "mitigates", + "description": "Ensure remote commands that enable device shutdown are disabled if they are not necessary. Examples include DNP3's 0x0D function code or unnecessary device management functions.\n", + "source_ref": "course-of-action--d0909119-2f71-4923-87db-b649881672d7", + "target_ref": "attack-pattern--25dfc8ad-bd73-4dfd-84a9-3c3d383f76e9", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0" }, { "type": "relationship", - "id": "relationship--709c4e40-c5c6-405b-bc3d-0adfea40ccd4", - "created": "2018-04-18T17:59:24.739Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "external_references": [ - { - "source_name": "DHS CISA February 2019", - "description": "DHS CISA 2019, February 27 MAR-17-352-01 HatManSafety System Targeted Malware (Update B) Retrieved. 
2019/03/08 ", - "url": "https://ics-cert.us-cert.gov/sites/default/files/documents/MAR-17-352-01%20HatMan%20-%20Safety%20System%20Targeted%20Malware%20%28Update%20B%29.pdf" - } - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-10-12T18:25:44.864Z", - "description": "[Triton](https://attack.mitre.org/software/S1009) communicates with Triconex controllers using a custom component framework written entirely in Python. The modules that implement the TriStation communication protocol and other supporting components are found in a separate file -- library.zip -- the main script that employs this functionality is compiled into a standalone py2exe Windows executable -- trilog.exe which includes a Python environment. (Citation: DHS CISA February 2019)", - "relationship_type": "uses", - "source_ref": "malware--80099a91-4c86-4bea-9ccb-dac55d61960e", - "target_ref": "attack-pattern--2dc2b567-8821-49f9-9045-8740f3d0b958", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "type": "relationship", - "id": "relationship--08a4f730-bc3f-4050-973f-1ef2847db4e7", - "created": "2022-05-11T16:22:58.804Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-10-14T16:57:47.375Z", - "description": "Monitor and analyze traffic patterns and packet inspection associated to protocol(s) that do not follow the expected protocol standards and traffic flows (e.g., extraneous packets that do not belong to established flows, gratuitous or anomalous traffic patterns, anomalous syntax, or structure). 
Consider correlation with process monitoring and command line to detect anomalous processes execution and command line arguments associated to traffic patterns (e.g., monitor anomalies in use of files that do not normally initiate connections for respective protocol(s)).", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c", - "target_ref": "attack-pattern--d67adac8-e3b9-44f9-9e6d-6c2a7d69dbe4", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "type": "relationship", - "id": "relationship--f347b4fe-d829-427d-851a-fff3393441db", - "created": "2021-04-12T07:57:26.506Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "external_references": [ - { - "source_name": "Dragos October 2018", - "description": "Dragos 2018, October 12 Anatomy of an Attack: Detecting and Defeating CRASHOVERRIDE Retrieved. 2019/10/14 ", - "url": "https://dragos.com/wp-content/uploads/CRASHOVERRIDE2018.pdf" - } - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-09-23T18:58:31.152Z", - "description": "[Industroyer](https://attack.mitre.org/software/S0604) contained a module which leveraged a vulnerability in the Siemens SIPROTEC relays (CVE-2015-5374) to create a Denial of Service against automated protective relays. 
(Citation: Dragos October 2018)", - "relationship_type": "uses", - "source_ref": "malware--e401d4fe-f0c9-44f0-98e6-f93487678808", - "target_ref": "attack-pattern--2bb4d762-bf4a-4bc3-9318-15cc6a354163", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "type": "relationship", - "id": "relationship--90d9c8e3-0250-4096-8d98-7ca1d324d654", - "created": "2021-04-12T10:12:26.506Z", + "id": "relationship--067932c3-0011-4ca2-9bbe-721c631e4e41", + "created": "2021-04-13T12:45:26.506Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ 
@@ -9462,11 +11543,11 @@
 "object_marking_refs": [
 "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
 ],
- "modified": "2022-10-12T17:22:33.586Z",
- "description": "The [Backdoor.Oldrea](https://attack.mitre.org/software/S0093) payload has the capability of enumerating OPC tags, in addition to more generic OPC server information. The server data and tag names can provide information about the names and function of control devices. (Citation: ICS-CERT August 2018) (Citation: Daavid Hentunen, Antti Tikkanen June 2014)",
+ "modified": "2022-10-12T17:19:04.571Z",
+ "description": "The [Backdoor.Oldrea](https://attack.mitre.org/software/S0093) payload gathers server information that includes CLSID, server name, Program ID, OPC version, vendor information, running state, group count, and server bandwidth. This information helps indicate the role the server has in the control process. (Citation: ICS-CERT August 2018) (Citation: Daavid Hentunen, Antti Tikkanen June 2014)",
 "relationship_type": "uses",
 "source_ref": "malware--083bb47b-02c8-4423-81a2-f9ef58572974",
- "target_ref": "attack-pattern--25852363-5968-4673-b81d-341d5ed90bd1",
+ "target_ref": "attack-pattern--2fedbe69-581f-447d-8a78-32ee7db939a9",
 "x_mitre_deprecated": false,
 "x_mitre_version": "1.0",
 "x_mitre_attack_spec_version": "2.1.0",
@@ -9474,7 +11555,1064 @@ }, { "type": "relationship", - "id": "relationship--042243fd-bfe0-4961-96de-a36232d3ff74", + "id": "relationship--00b98fa6-4913-40a4-8920-befed8621c41", + "created": "2022-05-11T16:22:58.806Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-09-26T15:15:33.180Z", + "description": "Monitor ICS asset application logs that indicate alarm settings have changed, although not all assets will produce such logs.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--9c2fa0ae-7abc-485a-97f6-699e3b6cf9fa", + "target_ref": "attack-pattern--e5de767e-f513-41cd-aa15-33f6ce5fbf92", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--5886d4a1-2d4c-40d5-a689-69c475ab6ee2", + "created": "2022-09-26T15:37:30.958Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-09-26T15:37:30.958Z", + "description": "Monitor for loss of network traffic which could indicate alarms are being suppressed. A loss of expected communications associated with network protocols used to communicate alarm events or process data could indicate this technique is being used. 
This will not directly detect the technique’s execution, but instead may provide additional evidence that the technique has been used and may complement other detections.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--a7f22107-02e5-4982-9067-6625d4a1765a", + "target_ref": "attack-pattern--2900bbd8-308a-4274-b074-5b8bde8347bc", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "2.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--9e8990f9-475b-43fe-91fb-25cc0634f0aa", + "created": "2022-05-11T16:22:58.803Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-09-26T15:00:56.539Z", + "description": "Monitor for a loss of network communications, which may indicate this technique is being used.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--a7f22107-02e5-4982-9067-6625d4a1765a", + "target_ref": "attack-pattern--008b8f56-6107-48be-aa9f-746f927dbb61", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--d3c94120-e6b5-4bd2-88f0-9c73f76b0104", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.227Z", + "relationship_type": "mitigates", + "description": "Ensure anti-virus solution can detect malicious files that allow user execution (e.g., Microsoft Office Macros, program installers).\n", + 
"source_ref": "course-of-action--faf2b40e-5981-433f-aa46-17458e0026f7", + "target_ref": "attack-pattern--2736b752-4ec5-4421-a230-8977dea7649c", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--f29ecf69-1753-44bb-9b80-1025f49cadda", + "created": "2017-12-14T16:46:06.044Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Nicolas Falliere, Liam O Murchu, Eric Chien February 2011", + "description": "Nicolas Falliere, Liam O Murchu, Eric Chien 2011, February W32.Stuxnet Dossier (Version 1.4) Retrieved. 2017/09/22 ", + "url": "https://www.wired.com/images_blogs/threatlevel/2011/02/Symantec-Stuxnet-Update-Feb-2011.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-09-20T21:24:02.276Z", + "description": "DP_RECV is the name of a standard function block used by network coprocessors. It is used to receive network frames on the Profibus a standard industrial network bus used for distributed I/O. The original block is copied to FC1869, and then replaced by a malicious block. Each time the function is used to receive a packet, the malicious [Stuxnet](https://attack.mitre.org/software/S0603) block takes control: it will call the original DP_RECV in FC1869 and then perform postprocessing on the packet data. The replaced DP_RECV block (later on referred to as the DP_RECV monitor) is meant to monitor data sent by the frequency converter drives to the 315-2 CPU via CP 342-5 Profibus communication modules. 
(Citation: Nicolas Falliere, Liam O Murchu, Eric Chien February 2011)", + "relationship_type": "uses", + "source_ref": "malware--088f1d6e-0783-47c6-9923-9c79b2af43d4", + "target_ref": "attack-pattern--38213338-1aab-479d-949b-c81b66ccca5c", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--99c0c90e-8526-41d6-80ca-b037598c6326", + "created": "2022-09-26T19:37:35.412Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-14T19:36:13.269Z", + "description": "Monitor for newly constructed services/daemons through Windows event logs for event IDs 4697 and 7045.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--5297a638-1382-4f0c-8472-0d21830bf705", + "target_ref": "attack-pattern--9a505987-ab05-4f46-a9a6-6441442eec3b", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--5dfa5bad-8b0b-4884-bf01-04ea89e3ccf7", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.235Z", + "relationship_type": "mitigates", + "description": "Consider using IP allowlisting along with user account management to ensure that data access is restricted not only to valid users but only from expected IP ranges to mitigate the use of stolen credentials to access data.\n", + "source_ref": "course-of-action--11f242bc-3121-438c-84b2-5cbd46a4bb17", + "target_ref": 
"attack-pattern--cd2c76a4-5e23-4ca5-9c40-d5e0604f7101", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--c78f497f-01c3-4efb-aa74-92b700b9c02b", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.186Z", + "relationship_type": "mitigates", + "description": "When at rest, project files should be encrypted to prevent unauthorized changes. (Citation: National Institute of Standards and Technology April 2013)\n", + "source_ref": "course-of-action--9f99fcfd-772e-4e63-9d39-e45612e546dc", + "target_ref": "attack-pattern--e72425f8-9ae6-41d3-bfdb-e1b865e60722", + "external_references": [ + { + "source_name": "National Institute of Standards and Technology April 2013", + "description": "National Institute of Standards and Technology 2013, April Security and Privacy Controls for Federal Information Systems and Organizations Retrieved. 
2020/09/17 ", + "url": "https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf" + } + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--7fc9fbfc-ab9f-4189-bc1f-d473e9ef36b5", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.071Z", + "relationship_type": "mitigates", + "description": "Utilize network allowlists to restrict unnecessary connections to network devices (e.g., comm servers, serial to ethernet converters) and services, especially in cases when devices have limits on the number of simultaneous sessions they support.\n", + "source_ref": "course-of-action--aadac250-bcdc-44e3-a4ae-f52bd0a7a16a", + "target_ref": "attack-pattern--3f1f4ccb-9be2-4ff8-8f69-dd972221169b", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--b5e52859-8dab-4e7e-af70-bb38c6993c98", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.200Z", + "relationship_type": "mitigates", + "description": "Preventing screen capture on a device may require disabling various system calls supported by the operating systems (e.g., Microsoft WindowsGraphicsCaputer APIs), however, these may be needed for other critical applications.\n", + "source_ref": "course-of-action--469b78dd-a54d-4f7c-8c3b-4a1dd916b433", + "target_ref": "attack-pattern--c5e3cdbc-0387-4be9-8f83-ff5c0865f377", + 
"x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--6be102a8-5d9c-494e-a8ce-7b0a1c86a863", + "created": "2022-05-11T16:22:58.805Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-14T19:40:22.279Z", + "description": "Monitor for contextual file data that may show signs of deletion or alter generated artifacts on a host system, including logs or captured files such as quarantined malware.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--639e87f3-acb6-448a-9645-258f20da4bc5", + "target_ref": "attack-pattern--53a26eee-1080-4d17-9762-2027d5a1b805", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--33486e89-f0f4-4507-9f13-48a8f22c8ac8", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.092Z", + "relationship_type": "mitigates", + "description": "Review vendor documents and security alerts for potentially unknown or overlooked default credentials within existing devices\n", + "source_ref": "course-of-action--5d97c693-e054-48ba-a3a3-eaf6942dfb65", + "target_ref": "attack-pattern--8bb4538f-f16f-49f0-a431-70b5444c7349", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--98d447f4-397b-43e7-9740-c2e5ea6b1714", + "created": 
"2021-10-14T21:33:27.046Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Dragos October 2018", + "description": "Dragos 2018, October 12 Anatomy of an Attack: Detecting and Defeating CRASHOVERRIDE Retrieved. 2019/10/14 ", + "url": "https://dragos.com/wp-content/uploads/CRASHOVERRIDE2018.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-12T16:58:02.679Z", + "description": "[Sandworm Team](https://attack.mitre.org/groups/G0034) used a VBS script to facilitate lateral tool transfer. The VBS script was used to copy ICS-specific payloads with the following command: cscript C:\\\\Backinfo\\\\ufn.vbs C:\\\\Backinfo\\\\101.dll C:\\\\Delta\\\\101.dll (Citation: Dragos October 2018)", + "relationship_type": "uses", + "source_ref": "intrusion-set--381fcf73-60f6-4ab2-9991-6af3cbc35192", + "target_ref": "attack-pattern--ead7bd34-186e-4c79-9a4d-b65bcce6ed9d", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--0df0cb6d-0067-48b2-a33e-495415713ab7", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.181Z", + "relationship_type": "mitigates", + "description": "Protocols used for device management should authenticate all network messages to prevent unauthorized system changes.\n", + "source_ref": "course-of-action--c7257b6e-4159-4771-b1f3-2bb93adaecac", + "target_ref": "attack-pattern--3067b85e-271e-4bc5-81ad-ab1a81d411e3", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + 
"x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--309e4558-e591-4d03-9bb9-07d30acf011f", + "created": "2021-04-12T18:49:06.044Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "McAfee Labs October 2019", + "description": "McAfee Labs 2019, October 02 McAfee ATR Analyzes Sodinokibi aka REvil Ransomware-as-a-Service What The Code Tells Us Retrieved. 2021/04/12 ", + "url": "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/mcafee-atr-analyzes-sodinokibi-aka-revil-ransomware-as-a-service-what-the-code-tells-us" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-12T18:04:11.691Z", + "description": "[REvil](https://attack.mitre.org/software/S0496) searches for all processes listed in the prc field within its configuration file and then terminates each process. (Citation: McAfee Labs October 2019)", + "relationship_type": "uses", + "source_ref": "malware--ac61f1f9-7bb1-465e-9b8a-c2ce8e88baf5", + "target_ref": "attack-pattern--063b5b92-5361-481a-9c3f-95492ed9a2d8", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--09fe4b04-b1d2-492c-9b10-59b94807ccf9", + "created": "2022-05-11T16:22:58.806Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-14T16:41:46.146Z", + "description": "Monitor for newly constructed services/daemons that may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools.", + "relationship_type": "detects", + "source_ref": 
"x-mitre-data-component--5297a638-1382-4f0c-8472-0d21830bf705", + "target_ref": "attack-pattern--ba203963-3182-41ac-af14-7e7ebc83cd61", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--5212f36b-216f-4e32-8b64-3b4c94dfada5", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2021-04-10T14:13:17.429Z", + "modified": "2022-05-06T17:47:24.188Z", + "relationship_type": "mitigates", + "description": "Enforce strong password requirements to prevent password brute force methods for lateral movement.\n", + "source_ref": "course-of-action--5d97c693-e054-48ba-a3a3-eaf6942dfb65", + "target_ref": "attack-pattern--e1f9cdd2-9511-4fca-90d7-f3e92cfdd0bf", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--a6d8b66d-fc10-404f-b0ae-e8c66506b818", + "created": "2018-10-17T00:14:20.652Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Anton Cherepanov, ESET June 2017", + "description": "Anton Cherepanov, ESET 2017, June 12 Win32/Industroyer: A new threat for industrial control systems Retrieved. 
2017/09/15 ", + "url": "https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-09-23T18:56:07.745Z", + "description": "[Industroyer](https://attack.mitre.org/software/S0604)'s data wiper component removes the registry image path throughout the system and overwrites all files, rendering the system unusable. (Citation: Anton Cherepanov, ESET June 2017)", + "relationship_type": "uses", + "source_ref": "malware--e401d4fe-f0c9-44f0-98e6-f93487678808", + "target_ref": "attack-pattern--a81696ef-c106-482c-8f80-59c30f2569fb", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--3dde2b07-7c30-4a18-a9df-f85db84f9b14", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.214Z", + "relationship_type": "mitigates", + "description": "Use host-based allowlists to prevent devices from accepting connections from unauthorized systems. For example, allowlists can be used to ensure devices can only connect with master stations or known management/engineering workstations. (Citation: Department of Homeland Security September 2016)\n", + "source_ref": "course-of-action--aadac250-bcdc-44e3-a4ae-f52bd0a7a16a", + "target_ref": "attack-pattern--b9160e77-ea9e-4ba9-b1c8-53a3c466b13d", + "external_references": [ + { + "source_name": "Department of Homeland Security September 2016", + "description": "Department of Homeland Security 2016, September Retrieved. 
2020/09/25 ", + "url": "https://us-cert.cisa.gov/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf" + } + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--446c95ea-5178-4ae9-8f92-cb20dd50f7de", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2021-04-13T12:36:26.506Z", + "modified": "2022-05-06T17:47:24.166Z", + "relationship_type": "mitigates", + "description": "Minimize the exposure of API calls that allow the execution of code.\n", + "source_ref": "course-of-action--4fa717d9-cabe-47c8-8cdd-86e9e2e37f30", + "target_ref": "attack-pattern--b52870cc-83f3-473c-b895-72d91751030b", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--f20d8eed-b517-4297-b32a-9a5e0845de9f", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.150Z", + "relationship_type": "mitigates", + "description": "All devices or systems changes, including all administrative functions, should require authentication. 
Consider using access management technologies to enforce authorization on all management interface access attempts, especially when the device does not inherently provide strong authentication and authorization functions.\n", + "source_ref": "course-of-action--3992ce42-43e9-4bea-b8db-a102ec3ec1e3", + "target_ref": "attack-pattern--e5de767e-f513-41cd-aa15-33f6ce5fbf92", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--3478c49c-594b-4224-b7f9-2b0b09c67288", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.239Z", + "relationship_type": "mitigates", + "description": "Utilize strong cryptographic techniques and protocols to prevent eavesdropping on network communications. (Citation: Bastille April 2017)\n", + "source_ref": "course-of-action--7f153c28-e5f1-4764-88fb-eea1d9b0ad4a", + "target_ref": "attack-pattern--0fe075d5-beac-4d02-b93e-0f874997db72", + "external_references": [ + { + "source_name": "Bastille April 2017", + "description": "Bastille 2017, April 17 Dallas Siren Attack Retrieved. 
2020/11/06 ", + "url": "https://www.bastille.net/blogs/2017/4/17/dallas-siren-attack" + } + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--75a60046-c4d7-498a-b256-9a93b5992dcc", + "created": "2022-05-11T16:22:58.805Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-14T16:55:46.014Z", + "description": "Monitor for unusual processes with internal network connections creating files on-system which may be suspicious. ", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c", + "target_ref": "attack-pattern--ead7bd34-186e-4c79-9a4d-b65bcce6ed9d", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--3b6567a9-6213-4db4-a069-1a86b1098b63", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2021-04-13T12:08:26.506Z", + "modified": "2022-05-06T17:47:24.119Z", + "relationship_type": "mitigates", + "description": "Security applications that look for behavior used during exploitation such as Windows Defender Exploit Guard (WDEG) and the Enhanced Mitigation Experience Toolkit (EMET) can be used to mitigate some exploitation behavior. (Citation: Microsoft Security Response Center August 2017)Control flow integrity checking is another way to potentially identify and stop a software exploit from occurring. 
(Citation: Wikipedia)Many of these protections depend on the architecture and target application binary for compatibility and may not work for all software or services targeted.\n", + "source_ref": "course-of-action--49363b74-d506-4342-bd63-320586ebadb9", + "target_ref": "attack-pattern--cfe68e93-ce94-4c0f-a57d-3aa72cedd618", + "external_references": [ + { + "source_name": "Microsoft Security Response Center August 2017", + "description": "Microsoft Security Response Center 2017, August Moving Beyond EMET II Windows Defender Exploit Guard Retrieved. 2020/09/25 ", + "url": "https://msrc-blog.microsoft.com/2017/08/09/moving-beyond-emet-ii-windows-defender-exploit-guard/" + }, + { + "source_name": "Wikipedia", + "description": "Wikipedia Microsoft Security Response Center 2017, August Moving Beyond EMET II Windows Defender Exploit Guard Retrieved. 2020/09/25 Control-flow integrity Retrieved. 2020/09/25 ", + "url": "https://en.wikipedia.org/wiki/Control-flow_integrity" + } + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--6aa080d0-6e25-46e5-91d8-4af11f01ceef", + "created": "2022-05-11T16:22:58.804Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-14T18:41:05.273Z", + "description": "Monitor network data for uncommon data flows. 
Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--a7f22107-02e5-4982-9067-6625d4a1765a", + "target_ref": "attack-pattern--1b22b676-9347-4c55-9a35-ef0dc653db5b", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--984992e3-0407-406a-b8dd-c114d8b2d9a2", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.172Z", + "relationship_type": "mitigates", + "description": "Devices should authenticate all messages between master and outstation assets.\n", + "source_ref": "course-of-action--72e46e53-e12d-4106-9c70-33241b6ed549", + "target_ref": "attack-pattern--25852363-5968-4673-b81d-341d5ed90bd1", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--b346eec8-de90-407c-b665-387086bb4553", + "created": "2022-09-29T01:36:02.223Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Wylie-22", + "description": "Jimmy Wylie. (2022, August). Analyzing PIPEDREAM: Challenges in Testing an ICS Attack Toolkit. 
Defcon 30.",
+ "url": "https://media.defcon.org/DEF%20CON%2030/DEF%20CON%2030%20presentations/Jimmy%20Wylie%20-%20Analyzing%20PIPEDREAM%20Challenges%20in%20testing%20an%20ICS%20attack%20toolkit.pdf"
+ },
+ {
+ "source_name": "Brubaker-Incontroller",
+ "description": "Nathan Brubaker, Keith Lunden, Ken Proska, Muhammad Umair, Daniel Kapellmann Zafra, Corey Hildebrandt, Rob Caldwell. (2022, April 13). INCONTROLLER: New State-Sponsored Cyber Attack Tools Target Multiple Industrial Control Systems. Retrieved September 28, 2022.",
+ "url": "https://www.mandiant.com/resources/incontroller-state-sponsored-ics-tool"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2022-10-13T16:53:47.444Z",
+ "description": "[INCONTROLLER](https://attack.mitre.org/software/S1045) can use the CODESYS protocol to upload programs from Schneider PLCs.(Citation: Wylie-22)(Citation: Brubaker-Incontroller) \n\n[INCONTROLLER](https://attack.mitre.org/software/S1045) can obtain existing program logic from Omron PLCs by using either the program upload or backup functions available through the HTTP server.(Citation: Wylie-22) ",
+ "relationship_type": "uses",
+ "source_ref": "malware--d3aa1058-b1b3-4c29-a3ba-9a9b90ccd93b",
+ "target_ref": "attack-pattern--3067b85e-271e-4bc5-81ad-ab1a81d411e3",
+ "x_mitre_deprecated": false,
+ "x_mitre_version": "0.1",
+ "x_mitre_attack_spec_version": "2.1.0",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ },
+ {
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "type": "relationship",
+ "id": "relationship--dbdd9a97-81df-40b8-b72d-ac67d121b8b3",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "created": "2020-09-21T17:59:24.739Z",
+ "modified": "2022-05-06T17:47:24.170Z",
+ "relationship_type": "mitigates",
+ "description": "Protocols used for control functions should provide authenticity through MAC functions or digital signatures. If not, utilize bump-in-the-wire devices or VPNs to enforce communication authenticity between devices that are not capable of supporting this (e.g., legacy controllers, RTUs).\n",
+ "source_ref": "course-of-action--c7257b6e-4159-4771-b1f3-2bb93adaecac",
+ "target_ref": "attack-pattern--25852363-5968-4673-b81d-341d5ed90bd1",
+ "x_mitre_attack_spec_version": "2.1.0",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_version": "1.0"
+ },
+ {
+ "type": "relationship",
+ "id": "relationship--f584a257-c22a-434b-aa2d-6220987821ab",
+ "created": "2021-10-13T17:59:24.739Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "revoked": false,
+ "external_references": [
+ {
+ "source_name": "Jos Wetzels January 2018",
+ "description": "Jos Wetzels 2018, January 16 Analyzing the TRITON industrial malware Retrieved. 2019/10/22 ",
+ "url": "https://www.midnightbluelabs.com/blog/2018/1/16/analyzing-the-triton-industrial-malware"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2022-10-12T18:29:11.326Z",
+ "description": "[Triton](https://attack.mitre.org/software/S1009) can communicate with the implant utilizing the TriStation 'get main processor diagnostic data' command and looks for a specifically crafted packet body from which it extracts a command value and its arguments. (Citation: Jos Wetzels January 2018)",
+ "relationship_type": "uses",
+ "source_ref": "malware--80099a91-4c86-4bea-9ccb-dac55d61960e",
+ "target_ref": "attack-pattern--e076cca8-2f08-45c9-aff7-ea5ac798b387",
+ "x_mitre_deprecated": false,
+ "x_mitre_version": "1.0",
+ "x_mitre_attack_spec_version": "2.1.0",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ },
+ {
+ "type": "relationship",
+ "id": "relationship--b8d6e550-18fe-49ad-9964-7802bbe0cb58",
+ "created": "2020-09-21T17:59:24.739Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "revoked": false,
+ "external_references": [
+ {
+ "source_name": "Department of Homeland Security October 2009",
+ "description": "Department of Homeland Security 2009, October Developing an Industrial Control Systems Cybersecurity Incident Response Capability Retrieved. 2020/09/17 ",
+ "url": "https://us-cert.cisa.gov/sites/default/files/recommended_practices/final-RP_ics_cybersecurity_incident_response_100609.pdf"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2022-10-19T21:23:11.538Z",
+ "description": "Take and store data backups from end user systems and critical servers. Ensure backup and storage systems are hardened and kept separate from the corporate network to prevent compromise. Maintain and exercise incident response plans (Citation: Department of Homeland Security October 2009), including the management of gold-copy back-up images and configurations for key systems to enable quick recovery and response from adversarial activities that impact control, view, or availability.\n",
+ "relationship_type": "mitigates",
+ "source_ref": "course-of-action--ad12819e-3211-4291-b360-069f280cff0a",
+ "target_ref": "attack-pattern--b5b9bacb-97f2-4249-b804-47fd44de1f95",
+ "x_mitre_deprecated": false,
+ "x_mitre_version": "1.0",
+ "x_mitre_attack_spec_version": "2.1.0",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ },
+ {
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "type": "relationship",
+ "id": "relationship--104b4f25-d0a9-41f6-94b3-fa85ee8b1523",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "created": "2020-09-21T17:59:24.739Z",
+ "modified": "2022-05-06T17:47:24.229Z",
+ "relationship_type": "mitigates",
+ "description": "Authenticate all access to field controllers before authorizing access to, or modification of, a device's state, logic, or programs. Centralized authentication techniques can help manage the large number of field controller accounts needed across the ICS.\n",
+ "source_ref": "course-of-action--3992ce42-43e9-4bea-b8db-a102ec3ec1e3",
+ "target_ref": "attack-pattern--cd2c76a4-5e23-4ca5-9c40-d5e0604f7101",
+ "x_mitre_attack_spec_version": "2.1.0",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_version": "1.0"
+ },
+ {
+ "type": "relationship",
+ "id": "relationship--a2142552-6b8d-4751-a3d4-1471420c02fc",
+ "created": "2022-05-11T16:22:58.806Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "revoked": false,
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2022-10-14T16:15:48.476Z",
+ "description": "Monitor for newly constructed network connections into a service specifically designed to accept remote connections, such as RDP, Telnet, SSH, and VNC. Monitor network connections involving common remote management protocols, such as ports tcp:3283 and tcp:5900, as well as ports tcp:3389 and tcp:22 for remote logins. The adversary may use [Valid Accounts](https://attack.mitre.org/techniques/T0859) to enable remote logins.",
+ "relationship_type": "detects",
+ "source_ref": "x-mitre-data-component--181a9f8c-c780-4f1f-91a8-edb770e904ba",
+ "target_ref": "attack-pattern--e1f9cdd2-9511-4fca-90d7-f3e92cfdd0bf",
+ "x_mitre_deprecated": false,
+ "x_mitre_version": "1.0",
+ "x_mitre_attack_spec_version": "2.1.0",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ },
+ {
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "type": "relationship",
+ "id": "relationship--6f2c2043-6487-467a-bb49-e8cd2509ae9f",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "created": "2020-09-21T17:59:24.739Z",
+ "modified": "2022-05-06T17:47:24.112Z",
+ "relationship_type": "mitigates",
+ "description": "Regularly scan externally facing systems for vulnerabilities and establish procedures to rapidly patch systems when critical vulnerabilities are discovered through scanning and public disclosure.\n",
+ "source_ref": "course-of-action--97f33c84-8508-45b9-8a1d-cac921828c9e",
+ "target_ref": "attack-pattern--32632a95-6856-47b9-9ab7-fea5cd7dce00",
+ "x_mitre_attack_spec_version": "2.1.0",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_version": "1.0"
+ },
+ {
+ "type": "relationship",
+ "id": "relationship--5c0bdf4c-233f-42cd-8900-2a5cc8c9387c",
+ "created": "2018-10-17T00:14:20.652Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "revoked": false,
+ "external_references": [
+ {
+ "source_name": "Spenneberg, Ralf, Maik Brggemann, and Hendrik Schwartke March 2016",
+ "description": "Spenneberg, Ralf, Maik Brggemann, and Hendrik Schwartke 2016, March 31 Plc-blaster: A worm living solely in the plc. Retrieved. 2017/09/19 ",
+ "url": "https://www.blackhat.com/docs/asia-16/materials/asia-16-Spenneberg-PLC-Blaster-A-Worm-Living-Solely-In-The-PLC-wp.pdf"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2022-10-12T18:01:18.283Z",
+ "description": "[PLC-Blaster](https://attack.mitre.org/software/S1006) scans the network to find other Siemens S7 PLC devices to infect. It locates these devices by checking for a service listening on TCP port 102. (Citation: Spenneberg, Ralf, Maik Brggemann, and Hendrik Schwartke March 2016)",
+ "relationship_type": "uses",
+ "source_ref": "malware--4dcff507-5af8-47ce-964a-8d9569e9ccfe",
+ "target_ref": "attack-pattern--d5a69cfb-fc2a-46cb-99eb-74b236db5061",
+ "x_mitre_deprecated": false,
+ "x_mitre_version": "1.0",
+ "x_mitre_attack_spec_version": "2.1.0",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ },
+ {
+ "type": "relationship",
+ "id": "relationship--7c85bff0-8f70-479e-9365-fef1e3fe2b95",
+ "created": "2022-09-27T17:22:27.241Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "revoked": false,
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2022-10-14T16:54:23.870Z",
+ "description": "Monitor for any attempts to enable scripts running on a system would be considered suspicious. If scripts are not commonly used on a system, but enabled, scripts running out of cycle from patching or other administrator functions are suspicious. Scripts should be captured from the file system when possible to determine their actions and intent.",
+ "relationship_type": "detects",
+ "source_ref": "x-mitre-data-component--9f387817-df83-432a-b56b-a8fb7f71eedd",
+ "target_ref": "attack-pattern--ea0c980c-5cf0-43a7-a049-59c4c207566e",
+ "x_mitre_deprecated": false,
+ "x_mitre_version": "0.1",
+ "x_mitre_attack_spec_version": "2.1.0",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ },
+ {
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "type": "relationship",
+ "id": "relationship--baf4bd30-4213-43c3-b70c-54418e734caf",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "created": "2020-09-21T17:59:24.739Z",
+ "modified": "2022-05-06T17:47:24.184Z",
+ "relationship_type": "mitigates",
+ "description": "Filter for protocols and payloads associated with program upload activity to prevent unauthorized access to device configurations.\n",
+ "source_ref": "course-of-action--11f242bc-3121-438c-84b2-5cbd46a4bb17",
+ "target_ref": "attack-pattern--3067b85e-271e-4bc5-81ad-ab1a81d411e3",
+ "x_mitre_attack_spec_version": "2.1.0",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_version": "1.0"
+ },
+ {
+ "type": "relationship",
+ "id": "relationship--03ad6a9a-4443-4e33-a7a5-933e22f2e022",
+ "created": "2022-09-27T17:39:15.655Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "revoked": false,
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2022-10-14T16:56:24.399Z",
+ "description": "Monitor for unexpected network share access, such as files transferred between shares within a network using protocols such as Server Message Block (SMB).",
+ "relationship_type": "detects",
+ "source_ref": "x-mitre-data-component--f5468e67-51c7-4756-9b4f-65707708e7fa",
+ "target_ref": "attack-pattern--ead7bd34-186e-4c79-9a4d-b65bcce6ed9d",
+ "x_mitre_deprecated": false,
+ "x_mitre_version": "0.1",
+ "x_mitre_attack_spec_version": "2.1.0",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ },
+ {
+ "type": "relationship",
+ "id": "relationship--3b199bf1-b45c-4d78-bdea-ee1c06fd3734",
+ "created": "2022-09-27T18:37:39.332Z",
+ "revoked": false,
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2022-09-27T18:37:39.332Z",
+ "description": "In the case of detecting collection from local systems monitor for API calls that may search local system sources, such as file systems or local databases, to find files of interest and sensitive data prior to Exfiltration. For added context on adversary procedures and background see [Data from Local System](https://attack.mitre.org/techniques/T1005).",
+ "relationship_type": "detects",
+ "source_ref": "x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e",
+ "target_ref": "attack-pattern--3405891b-16aa-4bd7-bd7c-733501f9b20f",
+ "x_mitre_deprecated": false,
+ "x_mitre_version": "0.1",
+ "x_mitre_attack_spec_version": "2.1.0",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ },
+ {
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "type": "relationship",
+ "id": "relationship--2fbb7867-79c5-4d45-9876-98c4041dd72e",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "created": "2021-10-14T17:59:24.739Z",
+ "modified": "2022-05-06T17:47:24.226Z",
+ "relationship_type": "mitigates",
+ "description": "Consider implementing full disk encryption, especially if engineering workstations are transient assets that are more likely to be lost, stolen, or tampered with. (Citation: National Institute of Standards and Technology April 2013)\n",
+ "source_ref": "course-of-action--9f99fcfd-772e-4e63-9d39-e45612e546dc",
+ "target_ref": "attack-pattern--35392fb4-a31d-4c6a-b9f2-1c65b7f5e6b9",
+ "external_references": [
+ {
+ "source_name": "National Institute of Standards and Technology April 2013",
+ "description": "National Institute of Standards and Technology 2013, April Security and Privacy Controls for Federal Information Systems and Organizations Retrieved. 2020/09/17 ",
+ "url": "https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ }
+ ],
+ "x_mitre_attack_spec_version": "2.1.0",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_version": "1.0"
+ },
+ {
+ "type": "relationship",
+ "id": "relationship--55f3dd59-08be-4e23-a680-b6db7850b399",
+ "created": "2022-05-11T16:22:58.804Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "revoked": false,
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2022-10-14T16:59:50.879Z",
+ "description": "Monitor for newly executed processes of binaries that could be involved in data destruction activity, such as SDelete.",
+ "relationship_type": "detects",
+ "source_ref": "x-mitre-data-component--3d20385b-24ef-40e1-9f56-f39750379077",
+ "target_ref": "attack-pattern--493832d9-cea6-4b63-abe7-9a65a6473675",
+ "x_mitre_deprecated": false,
+ "x_mitre_version": "1.0",
+ "x_mitre_attack_spec_version": "2.1.0",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ },
+ {
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "type": "relationship",
+ "id": "relationship--5041e17d-6349-4589-8c61-7b43964b5f9b",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "created": "2021-10-14T17:59:24.739Z",
+ "modified": "2022-05-06T17:47:24.227Z",
+ "relationship_type": "mitigates",
+ "description": "Integrity checking of transient assets can include performing the validation of the booted operating system and programs using TPM-based technologies, such as Secure Boot and Trusted Boot. (Citation: Emerson Exchange) It can also include verifying filesystem changes, such as programs and configuration files stored on the system, executing processes, libraries, accounts, and open ports. (Citation: National Security Agency February 2016)\n",
+ "source_ref": "course-of-action--bcf91ebc-f316-4e19-b2f6-444e9940c697",
+ "target_ref": "attack-pattern--35392fb4-a31d-4c6a-b9f2-1c65b7f5e6b9",
+ "external_references": [
+ {
+ "source_name": "Emerson Exchange",
+ "description": "Emerson Exchange Increase Security with TPM, Secure Boot, and Trusted Boot Retrieved. 2020/09/25 ",
+ "url": "https://emersonexchange365.com/products/control-safety-systems/f/plc-pac-systems-industrial-computing-forum/8383/increase-security-with-tpm-secure-boot-and-trusted-boot"
+ },
+ {
+ "source_name": "National Security Agency February 2016",
+ "description": "National Security Agency 2016, February Position Zero: Integrity Checking Windows-Based ICS/SCADA Systems Retrieved. 2020/09/25 ",
+ "url": "https://apps.nsa.gov/iaarchive/library/ia-guidance/security-configuration/industrial-control-systems/position-zero-integrity-checking-windows-based-ics-scada-systems.cfm"
+ }
+ ],
+ "x_mitre_attack_spec_version": "2.1.0",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_version": "1.0"
+ },
+ {
+ "type": "relationship",
+ "id": "relationship--5bb313a8-8407-4ec1-a4b0-683ded7f3302",
+ "created": "2018-04-18T17:59:24.739Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "revoked": false,
+ "external_references": [
+ {
+ "source_name": "Daavid Hentunen, Antti Tikkanen June 2014",
+ "description": "Daavid Hentunen, Antti Tikkanen 2014, June 23 Havex Hunts For ICS/SCADA Systems Retrieved. 2019/04/01 ",
+ "url": "https://www.f-secure.com/weblog/archives/00002718.html"
+ },
+ {
+ "source_name": "Kyle Wilhoit",
+ "description": "Kyle Wilhoit Daavid Hentunen, Antti Tikkanen 2014, June 23 Havex Hunts For ICS/SCADA Systems Retrieved. 2019/04/01 ICS Malware: Havex and Black Energy Retrieved. 2019/10/22 ",
+ "url": "https://www.youtube.com/watch?v=eywmb7UDODY&feature=youtu.be&t=939"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2022-10-12T17:19:26.117Z",
+ "description": "Execution of [Backdoor.Oldrea](https://attack.mitre.org/software/S0093) relies on a user opening a trojanized installer attached to an email. (Citation: Daavid Hentunen, Antti Tikkanen June 2014) (Citation: Kyle Wilhoit)",
+ "relationship_type": "uses",
+ "source_ref": "malware--083bb47b-02c8-4423-81a2-f9ef58572974",
+ "target_ref": "attack-pattern--2736b752-4ec5-4421-a230-8977dea7649c",
+ "x_mitre_deprecated": false,
+ "x_mitre_version": "1.0",
+ "x_mitre_attack_spec_version": "2.1.0",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ },
+ {
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "type": "relationship",
+ "id": "relationship--12a6c5bc-c685-4249-b8c6-e6d49aa2b9ed",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "created": "2020-09-21T17:59:24.739Z",
+ "modified": "2022-05-06T17:47:24.077Z",
+ "relationship_type": "mitigates",
+ "description": "Protocols used for device management should authenticate all network messages to prevent unauthorized system changes.\n",
+ "source_ref": "course-of-action--c7257b6e-4159-4771-b1f3-2bb93adaecac",
+ "target_ref": "attack-pattern--2883c520-7957-46ca-89bd-dab1ad53b601",
+ "x_mitre_attack_spec_version": "2.1.0",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_version": "1.0"
+ },
+ {
+ "type": "relationship",
+ "id": "relationship--b8b1739d-dfa2-44e9-907f-7085e262512f",
+ "created": "2022-05-11T16:22:58.808Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "revoked": false,
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2022-09-26T19:01:52.517Z",
+ "description": "Monitor login sessions for new or unexpected devices or sessions on wireless networks.",
+ "relationship_type": "detects",
+ "source_ref": "x-mitre-data-component--9ce98c86-8d30-4043-ba54-0784d478d0b5",
+ "target_ref": "attack-pattern--2877063e-1851-48d2-bcc6-bc1d2733157e",
+ "x_mitre_deprecated": false,
+ "x_mitre_version": "1.0",
+ "x_mitre_attack_spec_version": "2.1.0",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ },
+ {
+ "type": "relationship",
+ "id": "relationship--383e242a-72d4-4b40-8905-888595c34919",
+ "created": "2017-12-14T16:46:06.044Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "revoked": false,
+ "external_references": [
+ {
+ "source_name": "Kelly Jackson Higgins",
+ "description": "Kelly Jackson Higgins How a Manufacturing Firm Recovered from a Devastating Ransomware Attack Retrieved. 2019/11/03 ",
+ "url": "https://www.darkreading.com/attacks-breaches/how-a-manufacturing-firm-recovered-from-a-devastating-ransomware-attack/d/d-id/1334760"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2022-10-12T18:20:20.608Z",
+ "description": "An enterprise resource planning (ERP) manufacturing server was lost to the [Ryuk](https://attack.mitre.org/software/S0446) attack. The manufacturing process had to rely on paper and existing orders to keep the shop floor open. (Citation: Kelly Jackson Higgins)",
+ "relationship_type": "uses",
+ "source_ref": "malware--a020a61c-423f-4195-8c46-ba1d21abba37",
+ "target_ref": "attack-pattern--63b6942d-8359-4506-bfb3-cf87aa8120ee",
+ "x_mitre_deprecated": false,
+ "x_mitre_version": "1.0",
+ "x_mitre_attack_spec_version": "2.1.0",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ },
+ {
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "type": "relationship",
+ "id": "relationship--e8eaac2d-a4bf-408f-b24f-14471db7059b",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "created": "2020-09-21T17:59:24.739Z",
+ "modified": "2022-05-06T17:47:24.088Z",
+ "relationship_type": "mitigates",
+ "description": "Minimize permissions and access for service accounts to limit the information that may be impacted by malicious users or software. (Citation: National Institute of Standards and Technology April 2013)\n",
+ "source_ref": "course-of-action--622fe4d4-0e8e-4d17-9c25-6c9cef1f15d5",
+ "target_ref": "attack-pattern--493832d9-cea6-4b63-abe7-9a65a6473675",
+ "external_references": [
+ {
+ "source_name": "National Institute of Standards and Technology April 2013",
+ "description": "National Institute of Standards and Technology 2013, April Security and Privacy Controls for Federal Information Systems and Organizations Retrieved. 2020/09/17 ",
+ "url": "https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf"
+ }
+ ],
+ "x_mitre_attack_spec_version": "2.1.0",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_version": "1.0"
+ },
+ {
+ "type": "relationship",
+ "id": "relationship--ee1a52bc-6c1b-4e2c-b296-173dccbc020a",
+ "created": "2022-05-11T16:22:58.805Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "revoked": false,
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2022-10-14T19:44:27.451Z",
+ "description": "Use deep packet inspection to look for artifacts of common exploit traffic, such as known payloads.",
+ "relationship_type": "detects",
+ "source_ref": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c",
+ "target_ref": "attack-pattern--85a45294-08f1-4539-bf00-7da08aa7b0ee",
+ "x_mitre_deprecated": false,
+ "x_mitre_version": "1.0",
+ "x_mitre_attack_spec_version": "2.1.0",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ },
+ {
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "type": "relationship",
+ "id": "relationship--68d30c45-766f-48b6-9405-0c969243332b",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "created": "2020-09-21T17:59:24.739Z",
+ "modified": "2022-05-06T17:47:24.214Z",
+ "relationship_type": "mitigates",
+ "description": "All devices or systems changes, including all administrative functions, should require authentication. Consider using access management technologies to enforce authorization on all management interface access attempts, especially when the device does not inherently provide strong authentication and authorization functions.\n",
+ "source_ref": "course-of-action--3992ce42-43e9-4bea-b8db-a102ec3ec1e3",
+ "target_ref": "attack-pattern--b9160e77-ea9e-4ba9-b1c8-53a3c466b13d",
+ "x_mitre_attack_spec_version": "2.1.0",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_version": "1.0"
+ },
+ {
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "id": "relationship--65adbdda-7069-40ed-9825-b79ec87e4916",
+ "type": "relationship",
+ "created": "2021-09-21T15:47:37.522Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "external_references": [
+ {
+ "source_name": "IBM Ransomware Trends September 2020",
+ "url": "https://securityintelligence.com/posts/ransomware-2020-attack-trends-new-techniques-affecting-organizations-worldwide/",
+ "description": "Singleton, C. and Kiefer, C. (2020, September 28). Ransomware 2020: Attack Trends Affecting Organizations Worldwide. Retrieved September 20, 2021."
+ },
+ {
+ "source_name": "CrowdStrike Carbon Spider August 2021",
+ "url": "https://www.crowdstrike.com/blog/carbon-spider-embraces-big-game-hunting-part-1/",
+ "description": "Loui, E. and Reynolds, J. (2021, August 30). CARBON SPIDER Embraces Big Game Hunting, Part 1. Retrieved September 20, 2021."
+ },
+ {
+ "source_name": "FBI Flash FIN7 USB",
+ "url": "https://therecord.media/fbi-fin7-hackers-target-us-companies-with-badusb-devices-to-install-ransomware/",
+ "description": "The Record. (2022, January 7). FBI: FIN7 hackers target US companies with BadUSB devices to install ransomware. Retrieved January 14, 2022."
+ }
+ ],
+ "modified": "2022-01-14T17:29:16.633Z",
+ "description": "(Citation: IBM Ransomware Trends September 2020)(Citation: CrowdStrike Carbon Spider August 2021)(Citation: FBI Flash FIN7 USB)",
+ "relationship_type": "uses",
+ "source_ref": "intrusion-set--3753cc21-2dae-4dfb-8481-d004e74502cc",
+ "target_ref": "malware--ac61f1f9-7bb1-465e-9b8a-c2ce8e88baf5",
+ "x_mitre_version": "1.0",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ },
+ {
+ "type": "relationship",
+ "id": "relationship--28395db7-feee-4711-b704-48e418e13ee1",
+ "created": "2022-09-27T18:05:21.608Z",
+ "revoked": false,
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2022-09-27T18:05:21.608Z",
+ "description": "In the case of detecting collection from local systems monitor executed commands and arguments that may search and collect local system sources, such as file systems or local databases, to find files of interest and sensitive data prior to Exfiltration. Remote access tools with built-in features may interact directly with the Windows API to gather data. Data may also be acquired through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001). For added context on adversary procedures and background see [Data from Local System](https://attack.mitre.org/techniques/T1005).\n\nIn the case of detecting collection from shared network drives monitor executed commands and arguments for actions that could be taken to collect files from a network share. Remote access tools with built-in features may interact directly with the Windows API to gather and copy to a location. Data may also be acquired through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001). For added context on adversary procedures and background see [Data from Network Shared Drive](https://attack.mitre.org/techniques/T1039).\n\nIn the case of detecting collection from removable media monitor executed commands and arguments for actions that could be taken to collect files from a system's connected removable media. For example, data may be acquired through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001). For added context on adversary procedures and background see [Data from Removable Media](https://attack.mitre.org/techniques/T1025).\n",
+ "relationship_type": "detects",
+ "source_ref": "x-mitre-data-component--685f917a-e95e-4ba0-ade1-c7d354dae6e0",
+ "target_ref": "attack-pattern--3405891b-16aa-4bd7-bd7c-733501f9b20f",
+ "x_mitre_deprecated": false,
+ "x_mitre_version": "0.1",
+ "x_mitre_attack_spec_version": "2.1.0",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ },
+ {
+ "type": "relationship",
+ "id": "relationship--ef615d62-fe85-4740-9c5d-5dddff9b5693",
 "created": "2018-04-18T17:59:24.739Z",
 "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
 "revoked": false,
@@ -9488,11 +12626,11 @@
 "object_marking_refs": [
 "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
 ],
- "modified": "2022-10-12T16:04:03.547Z",
- "description": "[Dragonfly](https://attack.mitre.org/groups/G0035) utilized watering hole attacks on energy sector websites by injecting a redirect iframe to deliver [Backdoor.Oldrea](https://attack.mitre.org/software/S0093) or [Trojan.Karagany](https://attack.mitre.org/software/S0094). (Citation: Symantec Security Response July 2014)",
+ "modified": "2022-10-12T16:12:48.097Z",
+ "description": "[Dragonfly](https://attack.mitre.org/groups/G0035) trojanized legitimate ICS equipment providers software packages available for download on their websites.(Citation: Symantec Security Response July 2014)",
 "relationship_type": "uses",
 "source_ref": "intrusion-set--1c63d4ec-0a75-4daa-b1df-0d11af3d3cc1",
- "target_ref": "attack-pattern--7830cfcf-b268-4ac0-a69e-73c6affbae9a",
+ "target_ref": "attack-pattern--5e0f75da-e108-4688-a6de-a4f07cc2cbe3",
 "x_mitre_deprecated": false,
 "x_mitre_version": "1.0",
 "x_mitre_attack_spec_version": "2.1.0",
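Review bot: The relationship in this hunk cannot be compared with its own previous version, because the diff pairs lines from different objects: the `id` line directly above the hunk is an added line while `created` is context, and the next hunk replaces `id`, `created`, the external reference and both refs together. That pattern suggests the `objects` array is written in a different order on each export (inferred; the exporter is not part of this patch), which buries real content changes in a release that downstream tools ingest as threat intelligence. Writing the array sorted by `id` before committing would leave only genuine edits in the diff. Separately, the new description reads `ICS equipment providers software packages`, where the possessive `providers' software packages` seems intended.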
@@ -9500,25 +12638,312 @@ }, { "type": "relationship", - "id": "relationship--064dfd6f-db5d-48e8-b350-9dd47a270911", - "created": "2022-09-28T20:22:09.916Z", + "id": "relationship--8f76d408-be8a-478e-8a5a-aab1d1f96572", + "created": "2018-04-18T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { - "source_name": "CISA-AA22-103A", - "description": "DHS/CISA. (2022, May 25). Alert (AA22-103A) APT Cyber Tools Targeting ICS/SCADA Devices. Retrieved September 28, 2022.", - "url": "https://www.cisa.gov/uscert/ncas/alerts/aa22-103a" + "source_name": "Daavid Hentunen, Antti Tikkanen June 2014", + "description": "Daavid Hentunen, Antti Tikkanen 2014, June 23 Havex Hunts For ICS/SCADA Systems Retrieved. 2019/04/01 ", + "url": "https://www.f-secure.com/weblog/archives/00002718.html" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2022-10-12T15:16:59.156Z", - "description": "[INCONTROLLER](https://attack.mitre.org/software/S1045) can remotely read the OCP UA structure from devices.(Citation: CISA-AA22-103A) ", + "modified": "2022-10-12T17:20:08.002Z", + "description": "Using OPC, a component of [Backdoor.Oldrea](https://attack.mitre.org/software/S0093) gathers any details about connected devices and sends them back to the C2 for the attackers to analyze. 
(Citation: Daavid Hentunen, Antti Tikkanen June 2014)", "relationship_type": "uses", - "source_ref": "malware--d3aa1058-b1b3-4c29-a3ba-9a9b90ccd93b", - "target_ref": "attack-pattern--25852363-5968-4673-b81d-341d5ed90bd1", + "source_ref": "malware--083bb47b-02c8-4423-81a2-f9ef58572974", + "target_ref": "attack-pattern--3de230d4-3e42-4041-b089-17e1128feded", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--03a9cdc7-3cc5-43e3-9a9c-97d1c4310e35", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.148Z", + "relationship_type": "mitigates", + "description": "All field controllers should require users to authenticate for all remote or local management sessions. 
The authentication mechanisms should also support [Account Use Policies](https://attack.mitre.org/mitigations/M0936), [Password Policies](https://attack.mitre.org/mitigations/M0927), and [User Account Management](https://attack.mitre.org/mitigations/M0918).", + "source_ref": "course-of-action--66cfe23e-34b6-4583-b178-ed6a412db2b0", + "target_ref": "attack-pattern--e5de767e-f513-41cd-aa15-33f6ce5fbf92", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--19ab6776-42de-48af-975a-568d31a3bb66", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.152Z", + "relationship_type": "mitigates", + "description": "Segment operational network and systems to restrict access to critical system functions to predetermined management systems. (Citation: Department of Homeland Security September 2016) (Citation: N/A)\n", + "source_ref": "course-of-action--1e7ccfc0-94c8-496e-8d27-032120892291", + "target_ref": "attack-pattern--e5de767e-f513-41cd-aa15-33f6ce5fbf92", + "external_references": [ + { + "source_name": "Department of Homeland Security September 2016", + "description": "Department of Homeland Security 2016, September Retrieved. 2020/09/25 ", + "url": "https://us-cert.cisa.gov/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf" + }, + { + "source_name": "N/A", + "description": "N/A Department of Homeland Security 2016, September Retrieved. 2020/09/25 Alarm Management for Process Control Retrieved. 
2020/09/25 ", + "url": "https://www.exida.com/images/uploads/18492275-Alarm-Management-for-Process-Control.pdf" + } + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--af24e067-966d-41f8-b1ea-5a6e11ff1a2a", + "created": "2022-05-11T16:22:58.805Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-14T19:39:13.371Z", + "description": "Monitor for newly executed processes that may delete or alter generated artifacts on a host system, including logs or captured files such as quarantined malware.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--3d20385b-24ef-40e1-9f56-f39750379077", + "target_ref": "attack-pattern--53a26eee-1080-4d17-9762-2027d5a1b805", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--84e535be-960a-450a-91f9-4dc8c5e3f69d", + "created": "2021-04-11T14:06:54.109Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Electricity Information Sharing and Analysis Center; SANS Industrial Control Systems March 2016", + "description": "Electricity Information Sharing and Analysis Center; SANS Industrial Control Systems 2016, March 18 Analysis of the Cyber Attack on the Ukranian Power Grid: Defense Use Case Retrieved. 
2018/03/27 ", + "url": "https://assets.contentstack.io/v3/assets/blt36c2e63521272fdc/blt6a77276749b76a40/607f235992f0063e5c070fff/E-ISAC_SANS_Ukraine_DUC_5%5b73%5d.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-12T16:56:37.468Z", + "description": "In the Ukraine 2015 Incident, [Sandworm Team](https://attack.mitre.org/groups/G0034) utilized HMI GUIs in the SCADA environment to open breakers. (Citation: Electricity Information Sharing and Analysis Center; SANS Industrial Control Systems March 2016)", + "relationship_type": "uses", + "source_ref": "intrusion-set--381fcf73-60f6-4ab2-9991-6af3cbc35192", + "target_ref": "attack-pattern--b0628bfc-5376-4a38-9182-f324501cb4cf", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--e18af08c-3953-4b1d-b46c-45572fdb5187", + "created": "2022-05-11T16:22:58.804Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-09-27T19:02:08.013Z", + "description": "Monitor operational data for indicators of temporary data loss which may indicate a Denial of Service. 
This will not directly detect the technique’s execution, but instead may provide additional evidence that the technique has been used and may complement other detections.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--931b3fc6-ad68-42a8-9018-e98515eedc95", + "target_ref": "attack-pattern--1b22b676-9347-4c55-9a35-ef0dc653db5b", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--7d6c4a00-acde-40af-bf91-a4ef009cf135", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.156Z", + "relationship_type": "mitigates", + "description": "Devices that allow remote management of firmware should require authentication before allowing any changes. 
The authentication mechanisms should also support [Account Use Policies](https://attack.mitre.org/mitigations/M0936), [Password Policies](https://attack.mitre.org/mitigations/M0927), and [User Account Management](https://attack.mitre.org/mitigations/M0918).", + "source_ref": "course-of-action--66cfe23e-34b6-4583-b178-ed6a412db2b0", + "target_ref": "attack-pattern--efbf7888-f61b-4572-9c80-7e2965c60707", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--00e6c22b-9275-4039-b6d4-2ac0680325d6", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.104Z", + "relationship_type": "mitigates", + "description": "Use host-based allowlists to prevent devices from accepting connections from unauthorized systems. For example, allowlists can be used to ensure devices can only connect with master stations or known management/engineering workstations. (Citation: Department of Homeland Security September 2016)\n", + "source_ref": "course-of-action--aadac250-bcdc-44e3-a4ae-f52bd0a7a16a", + "target_ref": "attack-pattern--25dfc8ad-bd73-4dfd-84a9-3c3d383f76e9", + "external_references": [ + { + "source_name": "Department of Homeland Security September 2016", + "description": "Department of Homeland Security 2016, September Retrieved. 
2020/09/25 ", + "url": "https://us-cert.cisa.gov/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf" + } + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--52855d5d-e835-470f-a675-751c2779c861", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.140Z", + "relationship_type": "mitigates", + "description": "Utilize out-of-band communication to validate the integrity of data from the primary channel.\n", + "source_ref": "course-of-action--b11cad63-ef30-4eb8-af0d-6cc46eef3f3e", + "target_ref": "attack-pattern--9a505987-ab05-4f46-a9a6-6441442eec3b", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--bf75ca96-3f9d-413c-a244-888a3fbf0be3", + "created": "2022-05-11T16:22:58.803Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-14T19:37:24.268Z", + "description": "Monitor for unexpected files (e.g., .pdf, .docx, .jpg) viewed for collecting internal data.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--235b7491-2d2b-4617-9a52-3c0783680f71", + "target_ref": "attack-pattern--3de230d4-3e42-4041-b089-17e1128feded", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + 
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--86f1655a-db46-4d49-9051-6653da83eb13", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.092Z", + "relationship_type": "mitigates", + "description": "Protect files stored locally with proper permissions to limit opportunities for adversaries to interact and collect information from databases. (Citation: Keith Stouffer May 2015) (Citation: National Institute of Standards and Technology April 2013)\n", + "source_ref": "course-of-action--f9fcb3ec-6de0-4559-8cd9-ef1c0c7d1971", + "target_ref": "attack-pattern--3405891b-16aa-4bd7-bd7c-733501f9b20f", + "external_references": [ + { + "source_name": "Keith Stouffer May 2015", + "description": "Keith Stouffer 2015, May Guide to Industrial Control Systems (ICS) Security Retrieved. 2018/03/28 ", + "url": "https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-82r2.pdf" + }, + { + "source_name": "National Institute of Standards and Technology April 2013", + "description": "National Institute of Standards and Technology 2013, April Security and Privacy Controls for Federal Information Systems and Organizations Retrieved. 2020/09/17 ", + "url": "https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf" + } + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--6258c355-677c-452d-b1fc-27767232437b", + "created": "2019-03-26T16:19:52.358Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Joe Slowik April 2019", + "description": "Joe Slowik 2019, April 10 Implications of IT Ransomware for ICS Environments Retrieved. 
2019/10/27 ", + "url": "https://dragos.com/blog/industry-news/implications-of-it-ransomware-for-ics-environments/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-12T17:58:23.141Z", + "description": "[NotPetya](https://attack.mitre.org/software/S0368) can move laterally through industrial networks by means of the SMB service. (Citation: Joe Slowik April 2019)", + "relationship_type": "uses", + "source_ref": "malware--5719af9d-6b16-46f9-9b28-fb019541ddbb", + "target_ref": "attack-pattern--ead7bd34-186e-4c79-9a4d-b65bcce6ed9d", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--fb80368e-b3f6-4fa3-828b-b1cf792ea161", + "created": "2022-05-11T16:22:58.804Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-14T16:58:34.751Z", + "description": "Monitor executed commands and arguments for binaries that could be involved in data destruction activity, such as SDelete.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--685f917a-e95e-4ba0-ade1-c7d354dae6e0", + "target_ref": "attack-pattern--493832d9-cea6-4b63-abe7-9a65a6473675", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--62e818b8-38e6-42ff-9424-9a327332eb2a", + "created": "2022-09-29T20:02:37.671Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "ESET Industroyer", + "description": "Anton Cherepanov. 
(2017, June 12). Win32/Industroyer: A new threat for industrial controls systems. Retrieved December 18, 2020.", + "url": "https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-09-29T20:08:03.342Z", + "description": "The [Industroyer](https://attack.mitre.org/software/S0604) IEC 61850 componentsends the domain-specific MMSgetNameListrequest to determine what logical nodes the device supports. It then searches the logical nodes for the CSW value, which indicates the device performs a circuit breaker or switch control function.(Citation: ESET Industroyer)\n\n[Industroyer](https://attack.mitre.org/software/S0604)'s OPC DA module also uses IOPCBrowseServerAddressSpace to look for items with the following strings: ctlSelOn, ctlOperOn, ctlSelOff, ctlOperOff, Pos and stVal.(Citation: ESET Industroyer)\n\n[Industroyer](https://attack.mitre.org/software/S0604) IEC 60870-5-104 module includes a range mode to discover Information Object Addresses (IOAs) by enumerating through each.(Citation: ESET Industroyer)", + "relationship_type": "uses", + "source_ref": "malware--e401d4fe-f0c9-44f0-98e6-f93487678808", + "target_ref": "attack-pattern--2fedbe69-581f-447d-8a78-32ee7db939a9", "x_mitre_deprecated": false, "x_mitre_version": "0.1", "x_mitre_attack_spec_version": "2.1.0", 
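Review bot: The added `mitigates` relationship `relationship--19ab6776-42de-48af-975a-568d31a3bb66` cites `(Citation: N/A)`, and its `external_references` entry has `"source_name": "N/A"` with a description that fuses the DHS 2016 reference into the title "Alarm Management for Process Control", so a reader cannot tell which source backs the segmentation guidance. Give that entry a real source name and a description of its own, and change the citation in `description` to match. The added Industroyer text has also lost spaces and should read `component sends the domain-specific MMS getNameList request`. The same kind of damage recurs in the following hunk ("Authenticateconnections fromsoftware", "Brggemann"), which continues past the visible part of the patch.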
@@ -9526,8 +12951,596 @@ }, { "type": "relationship", - "id": "relationship--06f15629-d050-434a-aed1-3bb3f90c97b2", - "created": "2022-09-27T15:22:37.864Z", + "id": "relationship--7d3ef0e3-560c-4e46-a0b4-dd1efc29e835", + "created": "2022-05-11T16:22:58.807Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-09-26T14:39:20.443Z", + "description": "Monitor for anomalies related to discovery related ICS functions, including devices that have not previously used these functions or for functions being sent to many outstations. Note that some ICS protocols use broadcast or multicast functionality, which may produce false positives. Also monitor for hosts enumerating network connected resources using non-ICS enterprise protocols.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c", + "target_ref": "attack-pattern--2fedbe69-581f-447d-8a78-32ee7db939a9", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--711f17c2-c9f6-4d8d-bf79-117fcdc592c0", + "created": "2022-05-11T16:22:58.804Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-09-26T16:29:38.448Z", + "description": "Monitor network traffic for default credential use in protocols that allow unencrypted authentication.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c", + "target_ref": "attack-pattern--8bb4538f-f16f-49f0-a431-70b5444c7349", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + 
"x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--42ab7d24-8286-4a7a-8cd7-02e54a80e13f", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.185Z", + "relationship_type": "mitigates", + "description": "Ensure permissions restrict project file access to only engineer and technician user groups and accounts.\n", + "source_ref": "course-of-action--f9fcb3ec-6de0-4559-8cd9-ef1c0c7d1971", + "target_ref": "attack-pattern--e72425f8-9ae6-41d3-bfdb-e1b865e60722", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--243ad7b2-546c-4bf2-a3c0-1438b13e197d", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.169Z", + "relationship_type": "mitigates", + "description": "Systems and devices should restrict access to any data with potential confidentiality concerns, including point and tag information.\n", + "source_ref": "course-of-action--e0d38502-decb-481d-ad8b-b8f0a0c330bd", + "target_ref": "attack-pattern--25852363-5968-4673-b81d-341d5ed90bd1", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--f2e6103d-ca06-45c4-8fe9-049687fc4361", + "created": "2022-05-11T16:22:58.803Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": 
[ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-09-26T15:38:17.130Z", + "description": "Monitor for loss of expected operational process alarms which could indicate alarms are being suppressed. As noted in the technique description, there may be multiple sources of alarms in an ICS environment. Discrepancies between alarms may indicate the adversary is suppressing some but not all the alarms in the environment. This will not directly detect the technique’s execution, but instead may provide additional evidence that the technique has been used and may complement other detections.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--4c12c1c8-bcef-4daf-8e5b-fca235f71d9e", + "target_ref": "attack-pattern--2900bbd8-308a-4274-b074-5b8bde8347bc", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--a04169ed-c16b-466b-80ef-22a11067f475", + "created": "2018-10-17T00:14:20.652Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Anton Cherepanov, ESET June 2017", + "description": "Anton Cherepanov, ESET 2017, June 12 Win32/Industroyer: A new threat for industrial control systems Retrieved. 2017/09/15 ", + "url": "https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-09-23T18:54:58.401Z", + "description": "[Industroyer](https://attack.mitre.org/software/S0604) is able to block serial COM channels temporarily causing a denial of view. 
(Citation: Anton Cherepanov, ESET June 2017)", + "relationship_type": "uses", + "source_ref": "malware--e401d4fe-f0c9-44f0-98e6-f93487678808", + "target_ref": "attack-pattern--56ddc820-6cfb-407f-850b-52c035d123ac", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--a82e9f8a-f81e-407a-b284-e0ae5f055c61", + "created": "2022-05-11T16:22:58.805Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-14T19:39:30.850Z", + "description": "Monitor for changes made to a file may delete or alter generated artifacts on a host system, including logs or captured files such as quarantined malware.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--84572de3-9583-4c73-aabd-06ea88123dd8", + "target_ref": "attack-pattern--53a26eee-1080-4d17-9762-2027d5a1b805", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--17ae41a5-cb45-4935-bec1-ea0c8bfb2f34", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.128Z", + "relationship_type": "mitigates", + "description": "This technique may not be effectively mitigated against, consider controls for assets and processes that lead to the use of this technique.\n", + "source_ref": "course-of-action--469b78dd-a54d-4f7c-8c3b-4a1dd916b433", + "target_ref": "attack-pattern--53a48c74-0025-45f4-b04a-baa853df8204", + 
"x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--6fa3aee4-2a29-4c0f-9e61-1f7df5eccc00", + "created": "2018-10-17T00:14:20.652Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Spenneberg, Ralf, Maik Brggemann, and Hendrik Schwartke March 2016", + "description": "Spenneberg, Ralf, Maik Brggemann, and Hendrik Schwartke 2016, March 31 Plc-blaster: A worm living solely in the plc. Retrieved. 2017/09/19 ", + "url": "https://www.blackhat.com/docs/asia-16/materials/asia-16-Spenneberg-PLC-Blaster-A-Worm-Living-Solely-In-The-PLC-wp.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-12T18:01:38.884Z", + "description": "[PLC-Blaster](https://attack.mitre.org/software/S1006) may manipulate any outputs of the PLC. Using the POU POKE any value within the process image may be modified. 
(Citation: Spenneberg, Ralf, Maik Brggemann, and Hendrik Schwartke March 2016)", + "relationship_type": "uses", + "source_ref": "malware--4dcff507-5af8-47ce-964a-8d9569e9ccfe", + "target_ref": "attack-pattern--36e9f5bc-ac13-4da4-a2f4-01f4877d9004", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--e607bb66-e53f-4684-b3f1-36a997e27d01", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.087Z", + "relationship_type": "mitigates", + "description": "Protection devices should have minimal digital components to prevent exposure to related adversarial techniques. Examples include interlocks, rupture disks, release valves, etc. (Citation: A G Foord, W G Gulland, C R Howard, T Kellacher, W H Smith 2004) \n", + "source_ref": "course-of-action--8bc4a54e-810c-4600-8b6c-08fa8413a401", + "target_ref": "attack-pattern--83ebd22f-b401-4d59-8219-2294172cf916", + "external_references": [ + { + "source_name": "A G Foord, W G Gulland, C R Howard, T Kellacher, W H Smith 2004", + "description": "A G Foord, W G Gulland, C R Howard, T Kellacher, W H Smith 2004 APPLYING THE LATEST STANDARD FOR FUNCTIONAL SAFETY IEC 61511 Retrieved. 
2020/09/17 ", + "url": "https://www.icheme.org/media/9906/xviii-paper-23.pdf" + } + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--491455dc-f7c8-4e12-811b-b8c5c041b4c3", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.102Z", + "relationship_type": "mitigates", + "description": "Protocols used for control functions should provide authenticity through MAC functions or digital signatures. If not, utilize bump-in-the-wire devices or VPNs to enforce communication authenticity between devices that are not capable of supporting this (e.g., legacy controllers, RTUs).\n", + "source_ref": "course-of-action--c7257b6e-4159-4771-b1f3-2bb93adaecac", + "target_ref": "attack-pattern--25dfc8ad-bd73-4dfd-84a9-3c3d383f76e9", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--ffc5bbce-8d9c-4276-9dc6-efed5c01af8b", + "created": "2017-05-31T21:33:27.074Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Joe Slowik April 2019", + "description": "Joe Slowik 2019, April 10 Implications of IT Ransomware for ICS Environments Retrieved. 
2019/10/27 ", + "url": "https://dragos.com/blog/industry-news/implications-of-it-ransomware-for-ics-environments/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-12T17:31:37.216Z", + "description": "[Bad Rabbit](https://attack.mitre.org/software/S0606) can move laterally through industrial networks by means of the SMB service. (Citation: Joe Slowik April 2019)", + "relationship_type": "uses", + "source_ref": "malware--2eaa5319-5e1e-4dd7-bbc4-566fced3964a", + "target_ref": "attack-pattern--ead7bd34-186e-4c79-9a4d-b65bcce6ed9d", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--bc3744d6-9275-4d91-8888-16d5f4d5187b", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.112Z", + "relationship_type": "mitigates", + "description": "Use least privilege for service accounts. (Citation: Keith Stouffer May 2015) (Citation: National Institute of Standards and Technology April 2013)\n", + "source_ref": "course-of-action--622fe4d4-0e8e-4d17-9c25-6c9cef1f15d5", + "target_ref": "attack-pattern--32632a95-6856-47b9-9ab7-fea5cd7dce00", + "external_references": [ + { + "source_name": "Keith Stouffer May 2015", + "description": "Keith Stouffer 2015, May Guide to Industrial Control Systems (ICS) Security Retrieved. 
2018/03/28 ", + "url": "https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-82r2.pdf" + }, + { + "source_name": "National Institute of Standards and Technology April 2013", + "description": "National Institute of Standards and Technology 2013, April Security and Privacy Controls for Federal Information Systems and Organizations Retrieved. 2020/09/17 ", + "url": "https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf" + } + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--18ef2d69-d11a-4d31-a803-da989c4073f7", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.096Z", + "relationship_type": "mitigates", + "description": "Provide operators with redundant, out-of-band communication to support monitoring and control of the operational processes, especially when recovering from a network outage (Citation: National Institute of Standards and Technology April 2013). Out-of-band communication should utilize diverse systems and technologies to minimize common failure modes and vulnerabilities within the communications infrastructure. For example, wireless networks (e.g., 3G, 4G) can be used to provide diverse and redundant delivery of data.\n", + "source_ref": "course-of-action--b11cad63-ef30-4eb8-af0d-6cc46eef3f3e", + "target_ref": "attack-pattern--56ddc820-6cfb-407f-850b-52c035d123ac", + "external_references": [ + { + "source_name": "National Institute of Standards and Technology April 2013", + "description": "National Institute of Standards and Technology 2013, April Security and Privacy Controls for Federal Information Systems and Organizations Retrieved. 
2020/09/17 ", + "url": "https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf" + } + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--6b5d2643-b399-43aa-8ab1-7557a0446b07", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.147Z", + "relationship_type": "mitigates", + "description": "Only authorized personnel should be able to change settings for alarms.\n", + "source_ref": "course-of-action--e0d38502-decb-481d-ad8b-b8f0a0c330bd", + "target_ref": "attack-pattern--e5de767e-f513-41cd-aa15-33f6ce5fbf92", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--698d7c50-daab-4087-a7b4-b2bc8dfd81a7", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2021-04-13T11:15:26.506Z", + "modified": "2022-05-06T17:47:24.154Z", + "relationship_type": "mitigates", + "description": "Provide the ability to verify the integrity of control logic or programs loaded on a controller. While techniques like CRCs and checksums are commonly used, they are not cryptographically strong and can be vulnerable to collisions. Preferably cryptographic hash functions (e.g., SHA-2, SHA-3) should be used. 
(Citation: IEC February 2019)\n", + "source_ref": "course-of-action--bcf91ebc-f316-4e19-b2f6-444e9940c697", + "target_ref": "attack-pattern--09a61657-46e1-439e-b3ed-3e4556a78243", + "external_references": [ + { + "source_name": "IEC February 2019", + "description": "IEC 2019, February Security for industrial automation and control systems - Part 4-2: Technical security requirements for IACS components Retrieved. 2020/09/25 ", + "url": "https://webstore.iec.ch/publication/34421" + } + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--758d5818-f919-4a6b-9dc2-a212595a11bd", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.062Z", + "relationship_type": "mitigates", + "description": "Authenticateconnections fromsoftware and devices to prevent unauthorized systems from accessing protected management functions.\n", + "source_ref": "course-of-action--72e46e53-e12d-4106-9c70-33241b6ed549", + "target_ref": "attack-pattern--19a71d1e-6334-4233-8260-b749cae37953", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--f9aa3364-a1eb-4776-ae03-c39b250545a0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.185Z", + "relationship_type": "mitigates", + "description": "Review the integrity of project files to verify they have not been modified by adversary behavior. 
Verify a cryptographic hash for the file with a known trusted version, or look for other indicators of modification (e.g., timestamps).\n", + "source_ref": "course-of-action--bcf91ebc-f316-4e19-b2f6-444e9940c697", + "target_ref": "attack-pattern--e72425f8-9ae6-41d3-bfdb-e1b865e60722", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--e8af0b34-4a67-4966-a34a-c4d1b346ea15", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.104Z", + "relationship_type": "mitigates", + "description": "All devices or systems changes, including all administrative functions, should require authentication. Consider using access management technologies to enforce authorization on all management interface access attempts, especially when the device does not inherently provide strong authentication and authorization functions.\n", + "source_ref": "course-of-action--3992ce42-43e9-4bea-b8db-a102ec3ec1e3", + "target_ref": "attack-pattern--25dfc8ad-bd73-4dfd-84a9-3c3d383f76e9", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--b5bb5ec3-aa3c-4734-8425-4be80c5658a9", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.143Z", + "relationship_type": "mitigates", + "description": "This technique may not be effectively mitigated against, consider controls for assets and processes that lead to the use of this technique.\n", + 
"source_ref": "course-of-action--469b78dd-a54d-4f7c-8c3b-4a1dd916b433", + "target_ref": "attack-pattern--36e9f5bc-ac13-4da4-a2f4-01f4877d9004", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--686cbd74-ef49-4e77-9599-21777d3a4738", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.174Z", + "relationship_type": "mitigates", + "description": "Perform inline allowlisting of automation protocol commands to prevent devices from sending unauthorized command or reporting messages. Allow/denylist techniques need to be designed with sufficient accuracy to prevent the unintended blocking of valid messages.\n", + "source_ref": "course-of-action--11f242bc-3121-438c-84b2-5cbd46a4bb17", + "target_ref": "attack-pattern--25852363-5968-4673-b81d-341d5ed90bd1", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--3e956d93-e011-40de-ab1b-3f32fa73ae41", + "created": "2022-09-26T19:30:14.122Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-14T16:15:05.195Z", + "description": "Monitor DLL file events, specifically creation of these files as well as the loading of DLLs into processes specifically designed to accept remote connections, such as RDP, Telnet, SSH, and VNC.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--c0a4a086-cc20-4e1e-b7cb-29d99dfa3fb1", + "target_ref": 
"attack-pattern--e1f9cdd2-9511-4fca-90d7-f3e92cfdd0bf", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--b116fcca-e872-4735-b7e2-4e4c8e34621a", + "created": "2022-05-11T16:22:58.807Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-14T16:56:58.977Z", + "description": "Monitor and analyze traffic patterns and packet inspection associated to protocol(s), leveraging SSL/TLS inspection for encrypted traffic, that do not follow the expected protocol standards and traffic flows (e.g., extraneous packets that do not belong to established flows, gratuitous or anomalous traffic patterns, anomalous syntax, or structure). Consider correlation with process monitoring and command line to detect anomalous processes execution and command line arguments associated to traffic patterns (e.g., monitor anomalies in use of files that do not normally initiate connections for respective protocol(s)).", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c", + "target_ref": "attack-pattern--e076cca8-2f08-45c9-aff7-ea5ac798b387", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--1e6da55a-ab6c-4583-9e20-583f82096497", + "created": "2022-09-26T14:40:01.334Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-14T16:49:58.047Z", + "description": "Monitor for 
new ICS protocol connections to existing assets or for device scanning (i.e., a host connecting to many devices) over ICS and enterprise protocols (e.g., ICMP, DCOM, WinRM).", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--a7f22107-02e5-4982-9067-6625d4a1765a", + "target_ref": "attack-pattern--2fedbe69-581f-447d-8a78-32ee7db939a9", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--ccc67bb3-acc3-4294-81b3-4a0d972f2dd7", + "created": "2021-04-13T12:08:26.506Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Jos Wetzels January 2018", + "description": "Jos Wetzels 2018, January 16 Analyzing the TRITON industrial malware Retrieved. 2019/10/22 ", + "url": "https://www.midnightbluelabs.com/blog/2018/1/16/analyzing-the-triton-industrial-malware" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-12T18:28:11.304Z", + "description": "[Triton](https://attack.mitre.org/software/S1009)'s injector, inject.bin, changes the function pointer of the 'get main processor diagnostic data' TriStation command to the address of imain.bin so that it is executed prior to the normal handler. 
(Citation: Jos Wetzels January 2018)", + "relationship_type": "uses", + "source_ref": "malware--80099a91-4c86-4bea-9ccb-dac55d61960e", + "target_ref": "attack-pattern--ab390887-afc0-4715-826d-b1b167d522ae", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--17fdec71-98e8-4314-a1be-037edede58bd", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.212Z", + "relationship_type": "mitigates", + "description": "Devices that allow remote management of firmware should require authentication before allowing any changes. The authentication mechanisms should also support [Account Use Policies](https://attack.mitre.org/mitigations/M0936), [Password Policies](https://attack.mitre.org/mitigations/M0927), and [User Account Management](https://attack.mitre.org/mitigations/M0918).", + "source_ref": "course-of-action--66cfe23e-34b6-4583-b178-ed6a412db2b0", + "target_ref": "attack-pattern--b9160e77-ea9e-4ba9-b1c8-53a3c466b13d", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--147c2158-b2af-4d88-9d59-594c67a9200e", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.204Z", + "relationship_type": "mitigates", + "description": "Protocols used for control functions should provide authenticity through MAC functions or digital signatures. 
If not, utilize bump-in-the-wire devices or VPNs to enforce communication authenticity between devices that are not capable of supporting this (e.g., legacy controllers, RTUs).\n", + "source_ref": "course-of-action--c7257b6e-4159-4771-b1f3-2bb93adaecac", + "target_ref": "attack-pattern--8535b71e-3c12-4258-a4ab-40257a1becc4", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--0e29f62d-4ffc-47ec-9623-72f874fbe905", + "created": "2017-12-14T16:46:06.044Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Nicolas Falliere, Liam O Murchu, Eric Chien February 2011", + "description": "Nicolas Falliere, Liam O Murchu, Eric Chien 2011, February W32.Stuxnet Dossier (Version 1.4) Retrieved. 2017/09/22 ", + "url": "https://www.wired.com/images_blogs/threatlevel/2011/02/Symantec-Stuxnet-Update-Feb-2011.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-09-20T21:09:52.454Z", + "description": "[Stuxnet](https://attack.mitre.org/software/S0603) renames s7otbxdx.dll, a dll responsible for handling communications with a PLC. It replaces this dll file with its own version that allows it to intercept any calls that are made to access the PLC. 
(Citation: Nicolas Falliere, Liam O Murchu, Eric Chien February 2011)", + "relationship_type": "uses", + "source_ref": "malware--088f1d6e-0783-47c6-9923-9c79b2af43d4", + "target_ref": "attack-pattern--ba203963-3182-41ac-af14-7e7ebc83cd61", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--1acccbe8-64e1-49ad-87df-215d5c87f050", + "created": "2022-05-11T16:22:58.806Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-14T16:42:43.105Z", + "description": "Monitor for changes made to files outside of an update or patch that may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--84572de3-9583-4c73-aabd-06ea88123dd8", + "target_ref": "attack-pattern--ba203963-3182-41ac-af14-7e7ebc83cd61", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--a7a4b080-e4a6-4c46-b2c7-84119df76393", + "created": "2022-09-26T14:43:24.136Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { 
@@ -9539,15 +13552,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2022-09-27T15:22:37.864Z", - "description": "Monitor for suspicious descendant process spawning from Microsoft Office and other productivity software.(Citation: Elastic - Koadiac Detection with EQL) For added context on adversary procedures and background see [Spearphishing Attachment](https://attack.mitre.org/techniques/T1566/001).", + "modified": "2022-10-14T16:49:34.799Z", + "description": "Monitor for newly executed processes that can be used to discover remote systems, such as ping.exe and tracert.exe, especially when executed in quick succession.(Citation: Elastic - Koadiac Detection with EQL) Consider monitoring for new processes engaging in scanning activity or connecting to multiple systems by correlating process creation network data.", "relationship_type": "detects", "source_ref": "x-mitre-data-component--3d20385b-24ef-40e1-9f56-f39750379077", - "target_ref": "attack-pattern--648f995e-9c3a-41e4-aeee-98bb41037426", + "target_ref": "attack-pattern--2fedbe69-581f-447d-8a78-32ee7db939a9", "x_mitre_deprecated": false, "x_mitre_version": "0.1", "x_mitre_attack_spec_version": "2.1.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { 
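Review bot: The rewritten `description` ends with "by correlating process creation network data", which reads as if a word was dropped; presumably it should be `correlating process creation and network data`. The first sentence also runs straight into the citation (`succession.(Citation: …`) with no space. The object (`relationship--a7a4b080-e4a6-4c46-b2c7-84119df76393`) starts before this hunk, so its `external_references` entry is not visible here. The description and `target_ref` have both changed while `(Citation: Elastic - Koadiac Detection with EQL)` is kept, so it is worth confirming that the cited source still supports a detection built on `ping.exe`/`tracert.exe` process creation.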
@@ -9555,58 +13567,32 @@ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", - "id": "relationship--7d0ec383-4c5d-474d-9262-3f3c0d6c05b1", + "id": "relationship--366a4cd1-aa95-4985-9d80-b45a2551e298", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.072Z", + "modified": "2022-05-06T17:47:24.179Z", "relationship_type": "mitigates", - "description": "Ensure devices have an alternative method for communicating in the event that a valid COM port is unavailable.\n", - "source_ref": "course-of-action--b11cad63-ef30-4eb8-af0d-6cc46eef3f3e", - "target_ref": "attack-pattern--1c478716-71d9-46a4-9a53-fa5d576adb60", + "description": "Filter for protocols and payloads associated with program download activity to prevent unauthorized device configurations.\n", + "source_ref": "course-of-action--11f242bc-3121-438c-84b2-5cbd46a4bb17", + "target_ref": "attack-pattern--be69c571-d746-4b1f-bdd0-c0c9817e9068", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0" }, { "type": "relationship", - "id": "relationship--4dd93fd2-6e6d-4c50-a091-6d6ea6903f1e", - "created": "2022-09-28T21:21:58.641Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "external_references": [ - { - "source_name": "Wylie-22", - "description": "Jimmy Wylie. (2022, August). Analyzing PIPEDREAM: Challenges in Testing an ICS Attack Toolkit. 
Defcon 30.", - "url": "https://media.defcon.org/DEF%20CON%2030/DEF%20CON%2030%20presentations/Jimmy%20Wylie%20-%20Analyzing%20PIPEDREAM%20Challenges%20in%20testing%20an%20ICS%20attack%20toolkit.pdf" - } - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-10-13T16:53:47.435Z", - "description": "[INCONTROLLER](https://attack.mitre.org/software/S1045) can use the HTTP CGI scripts on Omron PLCs to modify parameters on EtherCat connected servo drives.(Citation: Wylie-22) ", - "relationship_type": "uses", - "source_ref": "malware--d3aa1058-b1b3-4c29-a3ba-9a9b90ccd93b", - "target_ref": "attack-pattern--097924ce-a9a9-4039-8591-e0deedfb8722", - "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "type": "relationship", - "id": "relationship--06fc6ec4-7857-4f59-9bbf-df373152bcfd", - "created": "2022-05-11T16:22:58.804Z", + "id": "relationship--b48be9f9-de0e-4548-ade3-09d47af52798", + "created": "2022-05-11T16:22:58.803Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2022-09-26T15:12:43.166Z", - "description": "Monitor asset alarms which may help identify a loss of communications. Consider correlating alarms with other data sources that indicate traffic has been blocked, such as network traffic. In cases where alternative methods of communicating with outstations exist alarms may still be visible even if messages over serial COM ports are blocked.", + "modified": "2022-09-26T15:03:58.153Z", + "description": "Monitor asset alarms which may help identify a loss of communications. Consider correlating alarms with other data sources that indicate traffic has been blocked, such as network traffic. 
In cases where alternative methods of communicating with outstations exist alarms may still be visible even if command messages are blocked.", "relationship_type": "detects", "source_ref": "x-mitre-data-component--4c12c1c8-bcef-4daf-8e5b-fca235f71d9e", - "target_ref": "attack-pattern--1c478716-71d9-46a4-9a53-fa5d576adb60", + "target_ref": "attack-pattern--008b8f56-6107-48be-aa9f-746f927dbb61", "x_mitre_deprecated": false, "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "2.1.0", 
@@ -9614,24 +13600,148 @@ }, { "type": "relationship", - "id": "relationship--42508a8e-44d5-4af1-9e66-bace5fc94734", - "created": "2022-09-27T18:49:25.089Z", + "id": "relationship--cfcbca89-8912-40c0-ac15-47882162b132", + "created": "2022-05-11T16:22:58.808Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, - "external_references": [ - { - "source_name": "University of Birmingham C2", - "description": "Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command & Control Understanding, Denying and Detecting. Retrieved April 20, 2016.", - "url": "https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf" - } - ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2022-09-27T18:49:25.089Z", - "description": "Monitor for mismatches between protocols and their expected ports (e.g., non-HTTP traffic on tcp:80). Analyze packet contents to detect communications that do not follow the expected protocol behavior for the port that is being used.(Citation: University of Birmingham C2)", + "modified": "2022-09-26T19:00:16.899Z", + "description": "Monitor application logs for new or unexpected devices or sessions on wireless networks.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--9c2fa0ae-7abc-485a-97f6-699e3b6cf9fa", + "target_ref": "attack-pattern--2877063e-1851-48d2-bcc6-bc1d2733157e", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--bff99f91-e1a9-4379-a2d9-5a99615a95d1", + "type": "relationship", + "created": "2020-09-22T19:41:27.951Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "Secureworks REvil September 2019", + "url": 
"https://www.secureworks.com/research/revil-sodinokibi-ransomware", + "description": "Counter Threat Unit Research Team. (2019, September 24). REvil/Sodinokibi Ransomware. Retrieved August 4, 2020." + }, + { + "source_name": "Secureworks GandCrab and REvil September 2019", + "url": "https://www.secureworks.com/blog/revil-the-gandcrab-connection", + "description": "Secureworks . (2019, September 24). REvil: The GandCrab Connection. Retrieved August 4, 2020." + } + ], + "modified": "2020-09-22T19:41:27.951Z", + "description": "(Citation: Secureworks REvil September 2019)(Citation: Secureworks GandCrab and REvil September 2019)", + "relationship_type": "uses", + "source_ref": "intrusion-set--c77c5576-ca19-42ed-a36f-4b4486a84133", + "target_ref": "malware--ac61f1f9-7bb1-465e-9b8a-c2ce8e88baf5", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--754521fc-4306-4daa-831b-6b6fb45847e2", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.108Z", + "relationship_type": "mitigates", + "description": "All APIs used to perform execution, especially those hosted on embedded controllers (e.g., PLCs), should provide adequate authorization enforcement of user access. Minimize user's access to only required API calls. (Citation: MITRE June 2020)\n", + "source_ref": "course-of-action--e0d38502-decb-481d-ad8b-b8f0a0c330bd", + "target_ref": "attack-pattern--5a2610f6-9fff-41e1-bc27-575ca20383d4", + "external_references": [ + { + "source_name": "MITRE June 2020", + "description": "MITRE 2020, June CWE CATEGORY: 7PK - API Abuse Retrieved. 
2020/09/25 ", + "url": "https://cwe.mitre.org/data/definitions/227.html" + } + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--ce7c17b7-b60d-4ebd-9014-2c421a64d70a", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.207Z", + "relationship_type": "mitigates", + "description": "Use host-based allowlists to prevent devices from accepting connections from unauthorized systems. For example, allowlists can be used to ensure devices can only connect with master stations or known management/engineering workstations. (Citation: Department of Homeland Security September 2016)\n", + "source_ref": "course-of-action--aadac250-bcdc-44e3-a4ae-f52bd0a7a16a", + "target_ref": "attack-pattern--8535b71e-3c12-4258-a4ab-40257a1becc4", + "external_references": [ + { + "source_name": "Department of Homeland Security September 2016", + "description": "Department of Homeland Security 2016, September Retrieved. 
2020/09/25 ", + "url": "https://us-cert.cisa.gov/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf" + } + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--a75ddacf-e87e-4a99-83f2-618486473163", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.217Z", + "relationship_type": "mitigates", + "description": "Patch the BIOS and EFI as necessary.\n", + "source_ref": "course-of-action--97f33c84-8508-45b9-8a1d-cac921828c9e", + "target_ref": "attack-pattern--b9160e77-ea9e-4ba9-b1c8-53a3c466b13d", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--b401f65c-5324-4fc0-8fce-0aa2ebf1f919", + "created": "2022-05-11T16:22:58.806Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-09-26T17:00:06.347Z", + "description": "Monitor ICS management protocols for parameter changes, including for unexpected values, changes far exceeding standard values, or for parameters being changed in an unexpected way (e.g., via a new function, at an unusual time).", "relationship_type": "detects", "source_ref": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c", - "target_ref": "attack-pattern--e6c31185-8040-4267-83d3-b217b8a92f07", + "target_ref": "attack-pattern--097924ce-a9a9-4039-8591-e0deedfb8722", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + 
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--1d399f67-090e-444b-b75d-eed4b1780f08", + "created": "2022-09-26T18:42:16.844Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-09-26T18:42:16.844Z", + "description": "Monitor device application logs for firmware changes, although not all devices will produce such logs.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--9c2fa0ae-7abc-485a-97f6-699e3b6cf9fa", + "target_ref": "attack-pattern--efbf7888-f61b-4572-9c80-7e2965c60707", "x_mitre_deprecated": false, "x_mitre_version": "0.1", "x_mitre_attack_spec_version": "2.1.0", 
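Review bot: The `Department of Homeland Security September 2016` reference added with `relationship--ce7c17b7-b60d-4ebd-9014-2c421a64d70a` has a `description` with no document title (`"Department of Homeland Security 2016, September Retrieved. 2020/09/25 "`), so the source can only be identified through its URL. The same entry is added again in the following hunk for `relationship--eac550b4-3bd2-4309-8b37-b797dd0bd8a7`, which runs past the visible text. Judging by the URL this looks like the NCCIC/ICS-CERT defense-in-depth recommended practice, so the description could name it, e.g. `"Department of Homeland Security 2016, September Recommended Practice: Improving Industrial Control System Cybersecurity with Defense-in-Depth Strategies Retrieved. 2020/09/25"`, with the title checked against the document. A titled citation keeps the mitigation traceable if the link later moves.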
@@ -9639,73 +13749,100 @@ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { - "type": "relationship", - "id": "relationship--ea5828bb-5da7-4ed8-83b8-8d3b0e51cb3a", - "created": "2022-05-11T16:22:58.804Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2022-09-26T16:51:47.079Z", - "description": "Monitor ICS automation protocols for functions that restart or shutdown a device. Commands to restart or shutdown devices may also be observable in traditional IT management protocols.", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c", - "target_ref": "attack-pattern--25dfc8ad-bd73-4dfd-84a9-3c3d383f76e9", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", + "type": "relationship", + "id": "relationship--eac550b4-3bd2-4309-8b37-b797dd0bd8a7", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.101Z", + "relationship_type": "mitigates", + "description": "Segment operational network and systems to restrict access to critical system functions to predetermined management systems. (Citation: Department of Homeland Security September 2016)\n", + "source_ref": "course-of-action--1e7ccfc0-94c8-496e-8d27-032120892291", + "target_ref": "attack-pattern--2aa406ed-81c3-4c1d-ba83-cfbee5a2847a", + "external_references": [ + { + "source_name": "Department of Homeland Security September 2016", + "description": "Department of Homeland Security 2016, September Retrieved. 
2020/09/25 ", + "url": "https://us-cert.cisa.gov/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf" + } + ], "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" }, { "type": "relationship", - "id": "relationship--92634d06-42e5-407f-bcb7-cafb1ddeafce", + "id": "relationship--c785c026-4139-4c56-a6dd-cdd3ba75bab1", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { - "source_name": "Dragos December 2017", - "description": "Dragos 2017, December 13 TRISIS Malware Analysis of Safety System Targeted Malware Retrieved. 2018/01/12 ", - "url": "https://dragos.com/blog/trisis/TRISIS-01.pdf" + "source_name": "Anton Cherepanov, ESET June 2017", + "description": "Anton Cherepanov, ESET 2017, June 12 Win32/Industroyer: A new threat for industrial control systems Retrieved. 2017/09/15 ", + "url": "https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2022-10-12T17:06:08.814Z", - "description": "[TEMP.Veles](https://attack.mitre.org/groups/G0088) used valid credentials when laterally moving through RDP jump boxes into the ICS environment. (Citation: Dragos December 2017)", + "modified": "2022-09-23T18:57:08.952Z", + "description": "In [Industroyer](https://attack.mitre.org/software/S0604) the first COM port from the configuration file is used for the actual communication and the two other COM ports are just opened to prevent other processes accessing them. Thus, the IEC 101 payload component is able to take over and maintain control of the RTU device. 
(Citation: Anton Cherepanov, ESET June 2017)", "relationship_type": "uses", - "source_ref": "intrusion-set--9538b1a4-4120-4e2d-bf59-3b11fcab05a4", - "target_ref": "attack-pattern--cd2c76a4-5e23-4ca5-9c40-d5e0604f7101", + "source_ref": "malware--e401d4fe-f0c9-44f0-98e6-f93487678808", + "target_ref": "attack-pattern--008b8f56-6107-48be-aa9f-746f927dbb61", "x_mitre_deprecated": false, "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { - "type": "relationship", - "id": "relationship--f8cf3800-6521-41d9-b272-d6ba2db0ccd2", - "created": "2022-05-11T16:22:58.804Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2022-09-26T16:09:42.474Z", - "description": "Monitor network traffic for ICS functions related to write commands for an excessive number of I/O points or manipulating a single value an excessive number of times.", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c", - "target_ref": "attack-pattern--8e7089d3-fba2-44f8-94a8-9a79c53920c4", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", + "type": "relationship", + "id": "relationship--ecf39e19-439f-4e9a-97c2-673ce4eb0a1a", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.139Z", + "relationship_type": "mitigates", + "description": "Provide operators with redundant, out-of-band communication to support monitoring and control of the operational processes, especially when recovering from a network outage (Citation: National Institute of Standards and Technology April 2013). 
Out-of-band communication should utilize diverse systems and technologies to minimize common failure modes and vulnerabilities within the communications infrastructure. For example, wireless networks (e.g., 3G, 4G) can be used to provide diverse and redundant delivery of data.\n", + "source_ref": "course-of-action--b11cad63-ef30-4eb8-af0d-6cc46eef3f3e", + "target_ref": "attack-pattern--138979ba-0430-4de6-a128-2fc0b056ba36", + "external_references": [ + { + "source_name": "National Institute of Standards and Technology April 2013", + "description": "National Institute of Standards and Technology 2013, April Security and Privacy Controls for Federal Information Systems and Organizations Retrieved. 2020/09/17 ", + "url": "https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf" + } + ], "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--b1d993d5-9e7e-4043-a651-07c7b5ad5a6b", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.228Z", + "relationship_type": "mitigates", + "description": "If a link is being visited by a user, network intrusion prevention systems and systems designed to scan and remove malicious downloads can be used to block activity.\n", + "source_ref": "course-of-action--3172222b-4983-43f7-8983-753ded4f13bc", + "target_ref": "attack-pattern--2736b752-4ec5-4421-a230-8977dea7649c", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" }, { "type": "relationship", - "id": "relationship--97641754-f215-4b8f-b0cd-0d3142053c76", - 
"created": "2022-05-11T16:22:58.806Z", + "id": "relationship--f2e672bb-8c73-4066-94d8-7dfb9a8025a7", + "created": "2022-05-11T16:22:58.807Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ @@ -9733,11 +13870,11 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2022-10-14T16:48:56.024Z", + "modified": "2022-10-14T16:48:28.074Z", "description": "Monitor firmware for unexpected changes. Asset management systems should be consulted to understand known-good firmware versions. Dump and inspect BIOS images on vulnerable systems and compare against known good images.(Citation: MITRE Copernicus) Analyze differences to determine if malicious changes have occurred. Log attempts to read/write to BIOS and compare against known patching behavior. Likewise, EFI modules can be collected and compared against a known-clean list of EFI executable binaries to detect potentially malicious modules. The CHIPSEC framework can be used for analysis to determine if firmware modifications have been performed.(Citation: McAfee CHIPSEC Blog) (Citation: Github CHIPSEC) (Citation: Intel HackingTeam UEFI Rootkit)", "relationship_type": "detects", "source_ref": "x-mitre-data-component--b9d031bb-d150-4fc6-8025-688201bf3ffd", - "target_ref": "attack-pattern--efbf7888-f61b-4572-9c80-7e2965c60707", + "target_ref": "attack-pattern--b9160e77-ea9e-4ba9-b1c8-53a3c466b13d", "x_mitre_deprecated": false, "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "2.1.0", 
@@ -9748,14 +13885,566 @@ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", - "id": "relationship--a47cd7b9-2b73-480c-a8ab-2dfa908e02ea", + "id": "relationship--0a5d2136-e1f5-4a54-be64-a558f918bf0d", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.216Z", + "modified": "2022-05-06T17:47:24.081Z", + "relationship_type": "mitigates", + "description": "All field controllers should require users to authenticate for all remote or local management sessions. The authentication mechanisms should also support [Account Use Policies](https://attack.mitre.org/mitigations/M0936), [Password Policies](https://attack.mitre.org/mitigations/M0927), and [User Account Management](https://attack.mitre.org/mitigations/M0918).", + "source_ref": "course-of-action--66cfe23e-34b6-4583-b178-ed6a412db2b0", + "target_ref": "attack-pattern--e6c31185-8040-4267-83d3-b217b8a92f07", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--ee1bf429-2c7c-4eb6-acca-e758522baf2e", + "created": "2021-04-12T18:49:06.044Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Tom Fakterman August 2019", + "description": "Tom Fakterman 2019, August 05 Sodinokibi: The Crown Prince of Ransomware Retrieved. 2021/04/12 ", + "url": "https://www.cybereason.com/blog/the-sodinokibi-ransomware-attack" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-12T18:07:33.947Z", + "description": "[REvil](https://attack.mitre.org/software/S0496) utilizes JavaScript, WScript, and PowerShell scripts to execute. 
The malicious JavaScript attachment has an obfuscated PowerShell script that executes the malware. (Citation: Tom Fakterman August 2019)", + "relationship_type": "uses", + "source_ref": "malware--ac61f1f9-7bb1-465e-9b8a-c2ce8e88baf5", + "target_ref": "attack-pattern--2dc2b567-8821-49f9-9045-8740f3d0b958", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--f40cc6f5-111c-418f-aa84-50d920fa6c48", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2021-04-13T12:08:26.506Z", + "modified": "2022-05-06T17:47:24.118Z", + "relationship_type": "mitigates", + "description": "Develop a robust cyber threat intelligence capability to determine what types and levels of threat may use software exploits and 0-days against a particular organization.\n", + "source_ref": "course-of-action--d48b79b2-076d-483e-949c-0d38aa347499", + "target_ref": "attack-pattern--cfe68e93-ce94-4c0f-a57d-3aa72cedd618", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--2ecc567f-3aaa-4bd8-935f-4808d177a552", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.173Z", + "relationship_type": "mitigates", + "description": "Use host-based allowlists to prevent devices from accepting connections from unauthorized systems. For example, allowlists can be used to ensure devices can only connect with master stations or known management/engineering workstations. 
(Citation: Department of Homeland Security September 2016)\n", + "source_ref": "course-of-action--aadac250-bcdc-44e3-a4ae-f52bd0a7a16a", + "target_ref": "attack-pattern--25852363-5968-4673-b81d-341d5ed90bd1", + "external_references": [ + { + "source_name": "Department of Homeland Security September 2016", + "description": "Department of Homeland Security 2016, September Retrieved. 2020/09/25 ", + "url": "https://us-cert.cisa.gov/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf" + } + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--6603a100-d655-4e6b-8d38-73c11b89dde4", + "created": "2019-03-26T16:19:52.358Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Joe Slowik April 2019", + "description": "Joe Slowik 2019, April 10 Implications of IT Ransomware for ICS Environments Retrieved. 2019/10/27 ", + "url": "https://dragos.com/blog/industry-news/implications-of-it-ransomware-for-ics-environments/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-12T17:58:42.847Z", + "description": "[NotPetya](https://attack.mitre.org/software/S0368) initially infected IT networks, but by means of an exploit (particularly the SMBv1-targeting MS17-010 vulnerability) spread to industrial networks. 
(Citation: Joe Slowik April 2019)", + "relationship_type": "uses", + "source_ref": "malware--5719af9d-6b16-46f9-9b28-fb019541ddbb", + "target_ref": "attack-pattern--85a45294-08f1-4539-bf00-7da08aa7b0ee", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--eaeb3c8d-9d91-4eb0-8049-5cb99e141026", + "created": "2021-10-08T15:25:32.143Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Nicolas Falliere, Liam O Murchu, Eric Chien February 2011", + "description": "Nicolas Falliere, Liam O Murchu, Eric Chien 2011, February W32.Stuxnet Dossier (Version 1.4) Retrieved. 2017/09/22 ", + "url": "https://www.wired.com/images_blogs/threatlevel/2011/02/Symantec-Stuxnet-Update-Feb-2011.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-09-20T21:20:42.055Z", + "description": "[Stuxnet](https://attack.mitre.org/software/S0603) executes malicious SQL commands in the WinCC database server to propagate to remote systems. The malicious SQL commands include xp_cmdshell, sp_dumpdbilog, and sp_addextendedproc. 
(Citation: Nicolas Falliere, Liam O Murchu, Eric Chien February 2011)", + "relationship_type": "uses", + "source_ref": "malware--088f1d6e-0783-47c6-9923-9c79b2af43d4", + "target_ref": "attack-pattern--e1f9cdd2-9511-4fca-90d7-f3e92cfdd0bf", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--dded2d68-35c7-42c4-af10-efe7731673e3", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.108Z", + "relationship_type": "mitigates", + "description": "All APIs on remote systems or local processes should require the authentication of users before executing any code or system changes.\n", + "source_ref": "course-of-action--66cfe23e-34b6-4583-b178-ed6a412db2b0", + "target_ref": "attack-pattern--5a2610f6-9fff-41e1-bc27-575ca20383d4", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--4369da69-bb09-4cc8-8600-081a450f50e0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.120Z", + "relationship_type": "mitigates", + "description": "Ensure that unnecessary ports and services are closed to prevent risk of discovery and potential exploitation.\n", + "source_ref": "course-of-action--d0909119-2f71-4923-87db-b649881672d7", + "target_ref": "attack-pattern--85a45294-08f1-4539-bf00-7da08aa7b0ee", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": 
"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--21041206-da58-45c7-adb0-db07caebdcb6", + "created": "2021-04-13T12:36:26.506Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Spenneberg, Ralf, Maik Brggemann, and Hendrik Schwartke March 2016", + "description": "Spenneberg, Ralf, Maik Brggemann, and Hendrik Schwartke 2016, March 31 Plc-blaster: A worm living solely in the plc. Retrieved. 2017/09/19 ", + "url": "https://www.blackhat.com/docs/asia-16/materials/asia-16-Spenneberg-PLC-Blaster-A-Worm-Living-Solely-In-The-PLC-wp.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-12T18:00:27.700Z", + "description": "[PLC-Blaster](https://attack.mitre.org/software/S1006) uses the system function blocks TCON and TDISCON to initiate and destroy TCP connections to arbitrary systems. Buffers may be sent and received on these connections with TRCV und TSEND system function blocks. 
(Citation: Spenneberg, Ralf, Maik Brggemann, and Hendrik Schwartke March 2016)", + "relationship_type": "uses", + "source_ref": "malware--4dcff507-5af8-47ce-964a-8d9569e9ccfe", + "target_ref": "attack-pattern--b52870cc-83f3-473c-b895-72d91751030b", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--44c857cf-7a4e-405a-87ca-7f6d79000589", + "created": "2020-09-21T17:59:24.739Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Department of Homeland Security October 2009", + "description": "Department of Homeland Security 2009, October Developing an Industrial Control Systems Cybersecurity Incident Response Capability Retrieved. 2020/09/17 ", + "url": "https://us-cert.cisa.gov/sites/default/files/recommended_practices/final-RP_ics_cybersecurity_incident_response_100609.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-19T21:22:38.490Z", + "description": "Take and store data backups from end user systems and critical servers. Ensure backup and storage systems are hardened and kept separate from the corporate network to prevent compromise. 
Maintain and exercise incident response plans (Citation: Department of Homeland Security October 2009), including the management of gold-copy back-up images and configurations for key systems to enable quick recovery and response from adversarial activities that impact control, view, or availability.\n", + "relationship_type": "mitigates", + "source_ref": "course-of-action--ad12819e-3211-4291-b360-069f280cff0a", + "target_ref": "attack-pattern--e33c7ecc-5a38-497f-beb2-a9a2049a4c20", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--2683e59a-dee3-485a-a355-ed2ee0a23d5d", + "created": "2022-09-26T16:16:21.749Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-09-26T16:16:21.749Z", + "description": "Monitor applications logs for any access attempts to operational databases (e.g., historians) or other sources of operational data within the ICS environment. 
These devices should be monitored for adversary collection using techniques relevant to the underlying technologies (e.g., Windows, Linux).", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--9c2fa0ae-7abc-485a-97f6-699e3b6cf9fa", + "target_ref": "attack-pattern--2d0d40ad-22fa-4cc8-b264-072557e1364b", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "2.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--eeeaa0d4-0ca0-468e-ae13-43ab7aba61b4", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.231Z", + "relationship_type": "mitigates", + "description": "Consider configuration and use of a network-wide authentication service such as Active Directory, LDAP, or RADIUS capabilities which can be found in ICS devices. (Citation: Keith Stouffer May 2015) (Citation: Schweitzer Engineering Laboratories August 2015)\n", + "source_ref": "course-of-action--2f0160b7-e982-49d7-9612-f19b810f1722", + "target_ref": "attack-pattern--cd2c76a4-5e23-4ca5-9c40-d5e0604f7101", + "external_references": [ + { + "source_name": "Keith Stouffer May 2015", + "description": "Keith Stouffer 2015, May Guide to Industrial Control Systems (ICS) Security Retrieved. 2018/03/28 ", + "url": "https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-82r2.pdf" + }, + { + "source_name": "Schweitzer Engineering Laboratories August 2015", + "description": "Schweitzer Engineering Laboratories 2015, August Understanding When to Use LDAP or RADIUS for Centralized Authentication Retrieved. 
2020/09/25 ", + "url": "https://cdn.selinc.com/assets/Literature/Publications/Application%20Notes/AN2015-08_20150817.pdf?" + } + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--8c1b22bd-7e31-427f-a9c5-085a606212ca", + "created": "2022-05-11T16:22:58.804Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-14T16:59:36.071Z", + "description": "Monitor for unexpected deletion of files.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--e905dad2-00d6-477c-97e8-800427abd0e8", + "target_ref": "attack-pattern--493832d9-cea6-4b63-abe7-9a65a6473675", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--b8d484f3-85e7-4208-8ae4-72f0e055a290", + "created": "2022-05-11T16:22:58.805Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-14T19:45:17.457Z", + "description": "Monitor for network traffic originating from unknown/unexpected systems.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--a7f22107-02e5-4982-9067-6625d4a1765a", + "target_ref": "attack-pattern--8d2f3bab-507c-4424-b58b-edc977bd215c", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + 
"type": "relationship", + "id": "relationship--e6e0ef82-2cb6-43fe-8f4a-b9e4d5a57b13", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.081Z", + "relationship_type": "mitigates", + "description": "Segment operational network and systems to restrict access to critical system functions to predetermined management systems. (Citation: Department of Homeland Security September 2016)\n", + "source_ref": "course-of-action--1e7ccfc0-94c8-496e-8d27-032120892291", + "target_ref": "attack-pattern--2883c520-7957-46ca-89bd-dab1ad53b601", + "external_references": [ + { + "source_name": "Department of Homeland Security September 2016", + "description": "Department of Homeland Security 2016, September Retrieved. 2020/09/25 ", + "url": "https://us-cert.cisa.gov/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf" + } + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--8b2d82aa-75fc-4d6d-bb4b-9f600bd211fd", + "created": "2018-04-18T17:59:24.739Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "MDudek-ICS", + "description": "MDudek-ICS TRISIS-TRITON-HATMAN Retrieved. 2019/11/03 ", + "url": "https://github.com/MDudek-ICS/TRISIS-TRITON-HATMAN/tree/master/decompiled_code/library" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-12T18:27:15.545Z", + "description": "[Triton](https://attack.mitre.org/software/S1009) uses TriStations default UDP port, 1502, to communicate with devices. 
(Citation: MDudek-ICS)", + "relationship_type": "uses", + "source_ref": "malware--80099a91-4c86-4bea-9ccb-dac55d61960e", + "target_ref": "attack-pattern--e6c31185-8040-4267-83d3-b217b8a92f07", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--08302021-aacf-428f-a0ce-e1034d925fb0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.115Z", + "relationship_type": "mitigates", + "description": "Develop a robust cyber threat intelligence capability to determine what types and levels of threat may use software exploits and 0-days against a particular organization.\n", + "source_ref": "course-of-action--d48b79b2-076d-483e-949c-0d38aa347499", + "target_ref": "attack-pattern--9f947a1c-3860-48a8-8af0-a2dfa3efde03", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--c9395e2a-afaf-427c-bcb2-ae663d72c05c", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.068Z", + "relationship_type": "mitigates", + "description": "Provide an alternative method for alarms to be reported in the event of a communication failure.\n", + "source_ref": "course-of-action--b11cad63-ef30-4eb8-af0d-6cc46eef3f3e", + "target_ref": "attack-pattern--2900bbd8-308a-4274-b074-5b8bde8347bc", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": 
"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--48489baf-56c2-423e-964a-0a61688e4a19", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.224Z", + "relationship_type": "mitigates", + "description": "Perform inline allowlisting of automation protocol commands to prevent devices from sending unauthorized command or reporting messages. Allow/denylist techniques need to be designed with sufficient accuracy to prevent the unintended blocking of valid messages.\n", + "source_ref": "course-of-action--11f242bc-3121-438c-84b2-5cbd46a4bb17", + "target_ref": "attack-pattern--40b300ba-f553-48bf-862e-9471b220d455", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--21134484-2d59-46b7-b878-527121fff1e3", + "created": "2022-09-26T14:28:17.209Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-09-26T14:28:17.209Z", + "description": "Monitor asset logs for alarms or other information the adversary is unable to directly suppress. 
Relevant alarms include those from a loss of communications due to [Adversary-in-the-Middle](https://attack.mitre.org/techniques/T0830) activity.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--9d56be63-3501-4dd3-bb5f-63c580833298", + "target_ref": "attack-pattern--8535b71e-3c12-4258-a4ab-40257a1becc4", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "2.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--f65a8ce8-90fa-4d92-a0dc-3ee544c541fe", + "created": "2018-10-17T00:14:20.652Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Dragos", + "description": "Dragos Chrysene Retrieved. 2019/10/27 ", + "url": "https://dragos.com/resource/chrysene/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-12T16:32:49.409Z", + "description": "[OilRig](https://attack.mitre.org/groups/G0049) utilized stolen credentials to gain access to victim machines.(Citation: Dragos)", + "relationship_type": "uses", + "source_ref": "intrusion-set--4ca1929c-7d64-4aab-b849-badbfc0c760d", + "target_ref": "attack-pattern--cd2c76a4-5e23-4ca5-9c40-d5e0604f7101", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--cb4d802e-df5b-4017-81dd-47f65fff23a3", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.219Z", + "relationship_type": 
"mitigates", + "description": "Encrypt any operational data with strong confidentiality requirements, including organizational trade-secrets, recipes, and other intellectual property (IP).\n", + "source_ref": "course-of-action--9f99fcfd-772e-4e63-9d39-e45612e546dc", + "target_ref": "attack-pattern--b7e13ee8-182c-4f19-92a4-a88d7d855d54", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--f7adf126-3580-4b12-9e63-4d4f665e8cc3", + "created": "2022-09-27T18:38:12.667Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-09-27T18:38:12.667Z", + "description": "In the case of detecting collection from local systems monitor for newly executed processes that may search local system sources, such as file systems or local databases, to find files of interest and sensitive data prior to Exfiltration. 
For added context on adversary procedures and background see [Data from Local System](https://attack.mitre.org/techniques/T1005).", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--3d20385b-24ef-40e1-9f56-f39750379077", + "target_ref": "attack-pattern--3405891b-16aa-4bd7-bd7c-733501f9b20f", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "2.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--b343e131-e448-46c6-815b-b86e4bd6d638", + "created": "2018-10-17T00:14:20.652Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Dragos Threat Intelligence August 2019", + "description": "Dragos Threat Intelligence 2019, August Global Oil and Gas Cyber Threat Perspective Retrieved. 2020/01/03 ", + "url": "https://dragos.com/wp-content/uploads/Dragos-Oil-and-Gas-Threat-Perspective-2019.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-12T17:06:51.429Z", + "description": "[TEMP.Veles](https://attack.mitre.org/groups/G0088) targeted several ICS vendors and manufacturers. 
(Citation: Dragos Threat Intelligence August 2019)", + "relationship_type": "uses", + "source_ref": "intrusion-set--9538b1a4-4120-4e2d-bf59-3b11fcab05a4", + "target_ref": "attack-pattern--5e0f75da-e108-4688-a6de-a4f07cc2cbe3", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--6e3c2c04-0838-4863-80a7-d73ef5ac6a64", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.220Z", + "relationship_type": "mitigates", + "description": "Protocols used for control functions should provide authenticity through MAC functions or digital signatures. If not, utilize bump-in-the-wire devices or VPNs to enforce communication authenticity between devices that are not capable of supporting this (e.g., legacy controllers, RTUs).\n", + "source_ref": "course-of-action--c7257b6e-4159-4771-b1f3-2bb93adaecac", + "target_ref": "attack-pattern--40b300ba-f553-48bf-862e-9471b220d455", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--86c94552-de59-453d-ac06-28a6a64db930", + "created": "2022-05-11T16:22:58.804Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-09-26T16:47:46.836Z", + "description": "Monitor device application logs which may contain information related to operating mode changes, although not all devices produce such logs.", + "relationship_type": "detects", + "source_ref": 
"x-mitre-data-component--9c2fa0ae-7abc-485a-97f6-699e3b6cf9fa", + "target_ref": "attack-pattern--2883c520-7957-46ca-89bd-dab1ad53b601", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--0c284ce0-0be2-4164-b686-7c383b246aec", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.164Z", "relationship_type": "mitigates", "description": "Check the integrity of the existing BIOS or EFI to determine if it is vulnerable to modification. Use Trusted Platform Module technology. (Citation: N/A)Move system's root of trust to hardware to prevent tampering with the SPI flash memory. (Citation: ESET Research Whitepapers September 2018)Technologies such as Intel Boot Guard can assist with this. (Citation: Intel)\n", "source_ref": "course-of-action--8ac1d6e1-b07f-476a-9732-84984ebc2405", - "target_ref": "attack-pattern--b9160e77-ea9e-4ba9-b1c8-53a3c466b13d", + "target_ref": "attack-pattern--efbf7888-f61b-4572-9c80-7e2965c60707", "external_references": [ { "source_name": "N/A", 
@@ -9779,149 +14468,18 @@ }, { "type": "relationship", - "id": "relationship--b2d4989c-e2d1-40c4-b1d8-07834a71f26f", - "created": "2021-04-11T14:06:54.109Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "external_references": [ - { - "source_name": "Electricity Information Sharing and Analysis Center; SANS Industrial Control Systems March 2016", - "description": "Electricity Information Sharing and Analysis Center; SANS Industrial Control Systems 2016, March 18 Analysis of the Cyber Attack on the Ukranian Power Grid: Defense Use Case Retrieved. 2018/03/27 ", - "url": "https://assets.contentstack.io/v3/assets/blt36c2e63521272fdc/blt6a77276749b76a40/607f235992f0063e5c070fff/E-ISAC_SANS_Ukraine_DUC_5%5b73%5d.pdf" - } - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-10-12T20:08:31.892Z", - "description": "In the Ukraine 2015 Incident, [Sandworm Team](https://attack.mitre.org/groups/G0034) developed and used malicious firmware to render communication devices inoperable. 
(Citation: Electricity Information Sharing and Analysis Center; SANS Industrial Control Systems March 2016)", - "relationship_type": "uses", - "source_ref": "intrusion-set--381fcf73-60f6-4ab2-9991-6af3cbc35192", - "target_ref": "attack-pattern--b9160e77-ea9e-4ba9-b1c8-53a3c466b13d", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "relationship", - "id": "relationship--efb80069-e4be-4055-bd34-06d1376b4601", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.109Z", - "relationship_type": "mitigates", - "description": "Access Management technologies can be used to enforce authorization policies and decisions, especially when existing field devices do not provide capabilities to support user identification and authentication. (Citation: McCarthy, J et al. July 2018) These technologies typically utilize an in-line network device or gateway system to prevent access to unauthenticated users, while also integrating with an authentication service to first verify user credentials.\n", - "source_ref": "course-of-action--3992ce42-43e9-4bea-b8db-a102ec3ec1e3", - "target_ref": "attack-pattern--5a2610f6-9fff-41e1-bc27-575ca20383d4", - "external_references": [ - { - "source_name": "McCarthy, J et al. July 2018", - "description": "McCarthy, J et al. 2018, July NIST SP 1800-2 Identity and Access Management for Electric Utilities Retrieved. 
2020/09/17 ", - "url": "https://doi.org/10.6028/NIST.SP.1800-2" - } - ], - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - "type": "relationship", - "id": "relationship--c6520346-fe47-44ce-af75-d99004ac2977", - "created": "2017-12-14T16:46:06.044Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "external_references": [ - { - "source_name": "Nicolas Falliere, Liam O Murchu, Eric Chien February 2011", - "description": "Nicolas Falliere, Liam O Murchu, Eric Chien 2011, February W32.Stuxnet Dossier (Version 1.4) Retrieved. 2017/09/22 ", - "url": "https://www.wired.com/images_blogs/threatlevel/2011/02/Symantec-Stuxnet-Update-Feb-2011.pdf" - } - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-09-20T21:17:59.179Z", - "description": "[Stuxnet](https://attack.mitre.org/software/S0603) can reprogram a PLC and change critical parameters in such a way that legitimate commands can be overridden or intercepted. In addition, Stuxnet can apply inappropriate command sequences or parameters to cause damage to property. 
(Citation: Nicolas Falliere, Liam O Murchu, Eric Chien February 2011)", - "relationship_type": "uses", - "source_ref": "malware--088f1d6e-0783-47c6-9923-9c79b2af43d4", - "target_ref": "attack-pattern--1af9e3fd-2bcc-414d-adbd-fe3b95c02ca1", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "relationship", - "id": "relationship--79324bdd-cdab-4d0a-af60-af1047c1d117", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.170Z", - "relationship_type": "mitigates", - "description": "All field controllers should require users to authenticate for all remote or local management sessions. The authentication mechanisms should also support [Account Use Policies](https://attack.mitre.org/mitigations/M0936), [Password Policies](https://attack.mitre.org/mitigations/M0927), and [User Account Management](https://attack.mitre.org/mitigations/M0918).", - "source_ref": "course-of-action--66cfe23e-34b6-4583-b178-ed6a412db2b0", - "target_ref": "attack-pattern--25852363-5968-4673-b81d-341d5ed90bd1", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "relationship--25e7ca82-2784-433a-90a9-a3483615a655", - "type": "relationship", - "created": "2019-04-12T17:01:01.255Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "external_references": [ - { - "description": "FireEye. (2018, October 03). APT38: Un-usual Suspects. 
Retrieved November 6, 2018.", - "url": "https://content.fireeye.com/apt/rpt-apt38", - "source_name": "FireEye APT38 Oct 2018" - }, - { - "description": "Noerenberg, E., Costis, A., and Quist, N. (2017, May 16). A Technical Analysis of WannaCry Ransomware. Retrieved March 25, 2019.", - "url": "https://logrhythm.com/blog/a-technical-analysis-of-wannacry-ransomware/", - "source_name": "LogRhythm WannaCry" - }, - { - "description": "Berry, A., Homan, J., and Eitzman, R. (2017, May 23). WannaCry Malware Profile. Retrieved March 15, 2019.", - "url": "https://www.fireeye.com/blog/threat-research/2017/05/wannacry-malware-profile.html", - "source_name": "FireEye WannaCry 2017" - }, - { - "source_name": "SecureWorks WannaCry Analysis", - "url": "https://www.secureworks.com/research/wcry-ransomware-analysis", - "description": "Counter Threat Unit Research Team. (2017, May 18). WCry Ransomware Analysis. Retrieved March 26, 2019." - } - ], - "modified": "2019-09-09T19:15:45.677Z", - "description": "(Citation: FireEye APT38 Oct 2018)(Citation: LogRhythm WannaCry)(Citation: FireEye WannaCry 2017)(Citation: SecureWorks WannaCry Analysis)", - "relationship_type": "uses", - "source_ref": "intrusion-set--c93fccb1-e8e8-42cf-ae33-2ad1d183913a", - "target_ref": "malware--75ecdbf1-c2bb-4afc-a3f9-c8da4de8c661", - "x_mitre_version": "1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "type": "relationship", - "id": "relationship--c664bb6c-59f0-4b31-bbb4-ef66fca933d4", - "created": "2022-05-11T16:22:58.808Z", + "id": "relationship--15188683-7ded-4578-9102-73459ecbe095", + "created": "2022-05-11T16:22:58.805Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2022-10-14T16:45:39.703Z", - "description": "Monitor for newly executed processes that depend on user interaction, especially for applications that can 
embed programmatic capabilities (e.g., Microsoft Office products with scripts, installers, zip files). This includes compression applications, such as those for zip files, that can be used to [Deobfuscate/Decode Files or Information](https://attack.mitre.org/techniques/T1140) in payloads.", + "modified": "2022-10-14T16:37:54.914Z", + "description": "Monitor for newly executed processes related to services specifically designed to accept remote graphical connections, such as RDP and VNC. [Remote Services](https://attack.mitre.org/techniques/T0886) and [Valid Accounts](https://attack.mitre.org/techniques/T0859) may be used to access a host’s GUI.", "relationship_type": "detects", "source_ref": "x-mitre-data-component--3d20385b-24ef-40e1-9f56-f39750379077", - "target_ref": "attack-pattern--2736b752-4ec5-4421-a230-8977dea7649c", + "target_ref": "attack-pattern--b0628bfc-5376-4a38-9182-f324501cb4cf", "x_mitre_deprecated": false, "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "2.1.0", 
@@ -9929,144 +14487,18 @@ }, { "type": "relationship", - "id": "relationship--1ed4d007-6d30-4d5d-8df9-3800ed56e042", - "created": "2022-05-11T16:22:58.804Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-09-27T18:46:37.894Z", - "description": "Analyze network data for uncommon data flows (e.g., new protocols in use between hosts, unexpected ports in use). Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. ", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--a7f22107-02e5-4982-9067-6625d4a1765a", - "target_ref": "attack-pattern--e6c31185-8040-4267-83d3-b217b8a92f07", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "type": "relationship", - "id": "relationship--c22acaab-baa4-45b0-9c4b-9330715e5455", - "created": "2022-10-13T21:18:17.775Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "external_references": [ - { - "source_name": "Pinellas County Sheriffs Office February 2021", - "description": "Pinellas County Sheriffs Office 2021, February 8 Treatment Plant Intrusion Press Conference Retrieved. 
2021/10/08 ", - "url": "https://www.youtube.com/watch?v=MkXDSOgLQ6M" - } - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-10-18T13:26:03.133Z", - "description": "During the [Oldsmar Treatment Plant Intrusion](https://attack.mitre.org/campaigns/C0009), the threat actors utilized an operator HMI to manipulate process control setpoint values far beyond normal operating levels.(Citation: Pinellas County Sheriffs Office February 2021)", - "relationship_type": "uses", - "source_ref": "campaign--65281d3e-b03c-46b8-8cd8-716363ac3cb2", - "target_ref": "attack-pattern--1af9e3fd-2bcc-414d-adbd-fe3b95c02ca1", - "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "type": "relationship", - "id": "relationship--3d20dad6-fb53-4d74-bc7e-54b9b88e1529", - "created": "2022-05-11T16:22:58.804Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-10-14T18:41:15.273Z", - "description": "Monitor and analyze traffic patterns and packet inspection associated to protocol(s) that do not follow the expected protocol standards and traffic flows (e.g., extraneous packets that do not belong to established flows, gratuitous or anomalous traffic patterns, anomalous syntax, or structure). 
Consider correlation with process monitoring and command line to detect anomalous processes execution and command line arguments associated to traffic patterns (e.g., monitor anomalies in use of files that do not normally initiate connections for respective protocol(s)).", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c", - "target_ref": "attack-pattern--1b22b676-9347-4c55-9a35-ef0dc653db5b", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "type": "relationship", - "id": "relationship--dfe43fa1-ffc2-4c6c-a91d-f2ca55f21ccb", - "created": "2017-12-14T16:46:06.044Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "external_references": [ - { - "source_name": "Nicolas Falliere, Liam O Murchu, Eric Chien February 2011", - "description": "Nicolas Falliere, Liam O Murchu, Eric Chien 2011, February W32.Stuxnet Dossier (Version 1.4) Retrieved. 2017/09/22 ", - "url": "https://www.wired.com/images_blogs/threatlevel/2011/02/Symantec-Stuxnet-Update-Feb-2011.pdf" - } - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-10-12T18:23:18.048Z", - "description": "[Stuxnet](https://attack.mitre.org/software/S0603) copies itself into Step 7 projects in such a way that it automatically executes when the Step 7 project is loaded. 
(Citation: Nicolas Falliere, Liam O Murchu, Eric Chien February 2011)", - "relationship_type": "uses", - "source_ref": "malware--088f1d6e-0783-47c6-9923-9c79b2af43d4", - "target_ref": "attack-pattern--e72425f8-9ae6-41d3-bfdb-e1b865e60722", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "relationship", - "id": "relationship--b8f6d6a8-e668-4596-8ec2-41c5d1bd211d", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.097Z", - "relationship_type": "mitigates", - "description": "All field controllers should restrict the modification of programs to only certain users (e.g., engineers, field technician), preferably through implementing a role-based access mechanism.\n", - "source_ref": "course-of-action--e0d38502-decb-481d-ad8b-b8f0a0c330bd", - "target_ref": "attack-pattern--2aa406ed-81c3-4c1d-ba83-cfbee5a2847a", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - "type": "relationship", - "id": "relationship--4631bf49-da0b-4415-a226-112c99ff0f64", - "created": "2022-05-11T16:22:58.806Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-09-26T19:22:17.841Z", - "description": "Monitor for user accounts logged into systems they would not normally access or abnormal access patterns, such as multiple systems over a relatively short period of time. Correlate use of login activity related to remote services with unusual behavior or other malicious or suspicious activity. 
Adversaries will likely need to learn about an environment and the relationships between systems through Discovery techniques prior to attempting Lateral Movement. For added context on adversary procedures and background see [Remote Services](https://attack.mitre.org/techniques/T1021) and applicable sub-techniques.", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--9ce98c86-8d30-4043-ba54-0784d478d0b5", - "target_ref": "attack-pattern--e1f9cdd2-9511-4fca-90d7-f3e92cfdd0bf", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "type": "relationship", - "id": "relationship--0e275c19-7688-47f8-8cd5-85eaacec465b", + "id": "relationship--193c3cd3-0b22-4839-a1fa-413aee61e882", "created": "2022-05-11T16:22:58.807Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2022-09-26T14:34:04.450Z", - "description": "Monitor industrial process history data for events that correspond with command message functions, such as setpoint modification or changes to system status for key devices. This will not directly detect the technique’s execution, but instead may provide additional evidence that the technique has been used and may complement other detections.", + "modified": "2022-10-14T16:30:40.378Z", + "description": "Monitor log files for process execution through command-line and scripting activities. This information can be useful in gaining additional insight to adversaries' actions through how they use native processes or custom tools. 
Also monitor for loading of modules associated with specific languages.", "relationship_type": "detects", - "source_ref": "x-mitre-data-component--931b3fc6-ad68-42a8-9018-e98515eedc95", - "target_ref": "attack-pattern--40b300ba-f553-48bf-862e-9471b220d455", + "source_ref": "x-mitre-data-component--3d20385b-24ef-40e1-9f56-f39750379077", + "target_ref": "attack-pattern--2dc2b567-8821-49f9-9045-8740f3d0b958", "x_mitre_deprecated": false, "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "2.1.0", 
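Review bot: The added description on `relationship--193c3cd3-0b22-4839-a1fa-413aee61e882` asks for three kinds of telemetry (log files, process execution, module loading) but references only one data component, `x-mitre-data-component--3d20385b-24ef-40e1-9f56-f39750379077`. The other relationships on this page that use that component all describe newly executed processes, so it appears to be a process-creation source. If so, the sentence `Also monitor for loading of modules associated with specific languages.` belongs on a separate `detects` relationship tied to the matching data component. Otherwise, tooling that derives collection requirements from `source_ref` will not surface the module-load requirement. The object's remaining fields fall outside the hunk.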
@@ -10074,178 +14506,7 @@ }, { "type": "relationship", - "id": "relationship--cf703ecc-e9f5-4d56-94d4-8fda9837e614", - "created": "2022-05-11T16:22:58.807Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-09-28T18:44:20.611Z", - "description": "Monitor for unexpected ICS protocol functions from new and existing devices. Monitoring known devices requires ICS function level insight to determine if an unauthorized device is issuing commands (e.g., a historian).", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c", - "target_ref": "attack-pattern--b14395bd-5419-4ef4-9bd8-696936f509bb", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "relationship", - "id": "relationship--9a44b2a8-9f4c-43df-9174-1cba6e165886", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.075Z", - "relationship_type": "mitigates", - "description": "Allow/denylists can be used to block access when excessive I/O connections are detected from a system or device during a specified time period.\n", - "source_ref": "course-of-action--11f242bc-3121-438c-84b2-5cbd46a4bb17", - "target_ref": "attack-pattern--8e7089d3-fba2-44f8-94a8-9a79c53920c4", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - "type": "relationship", - "id": "relationship--f145b7e5-048b-46e7-8439-e2b88917523c", - "created": "2022-05-11T16:22:58.804Z", - "created_by_ref": 
"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-09-26T16:48:47.595Z", - "description": "Monitor alarms for information about when an operating mode is changed, although not all devices produce such logs.", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--9d56be63-3501-4dd3-bb5f-63c580833298", - "target_ref": "attack-pattern--2883c520-7957-46ca-89bd-dab1ad53b601", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "relationship", - "id": "relationship--fcb7733f-553d-43de-a8c6-c85a5cd65041", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.111Z", - "relationship_type": "mitigates", - "description": "Segment externally facing servers and services from the rest of the network with a DMZ or on separate hosting infrastructure.\n", - "source_ref": "course-of-action--1e7ccfc0-94c8-496e-8d27-032120892291", - "target_ref": "attack-pattern--32632a95-6856-47b9-9ab7-fea5cd7dce00", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "relationship", - "id": "relationship--ade12d27-13bb-4ebf-be08-7039cf699682", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.065Z", - "relationship_type": "mitigates", - "description": "Utilize network allowlists to restrict unnecessary connections to network 
devices (e.g., comm servers, serial to ethernet converters) and services, especially in cases when devices have limits on the number of simultaneous sessions they support.\n", - "source_ref": "course-of-action--aadac250-bcdc-44e3-a4ae-f52bd0a7a16a", - "target_ref": "attack-pattern--2900bbd8-308a-4274-b074-5b8bde8347bc", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - "type": "relationship", - "id": "relationship--29b85313-645b-4fb1-b5c2-f580d111760b", - "created": "2022-09-26T19:38:04.844Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-10-14T19:36:50.910Z", - "description": "Monitor HKLM\\Software\\Policies\\Microsoft\\Windows NT\\DNSClient for changes to the \"EnableMulticast\" DWORD value. A value of \"0\" indicates LLMNR is disabled.", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--da85d358-741a-410d-9433-20d6269a6170", - "target_ref": "attack-pattern--9a505987-ab05-4f46-a9a6-6441442eec3b", - "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "relationship", - "id": "relationship--17525989-242e-4960-b59d-9ea62172263f", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2018-10-17T00:14:20.652Z", - "modified": "2022-05-06T17:47:24.366Z", - "relationship_type": "uses", - "description": "[Dragonfly 2.0](https://attack.mitre.org/groups/G0035) used the Phishery tool kit to conduct spear phishing attacks and gather credentials. 
(Citation: Symantec September 2017) (Citation: Sean Baird, Earl Carter, Erick Galinkin, Christopher Marczewski & Joe Marshall July 2017) [Dragonfly 2.0](https://attack.mitre.org/groups/G0035) conducted a targeted spear phishing campaign against multiple electric utilities in the North America. (Citation: Dragos Threat Intelligence September 2018) (Citation: Dragos Threat Intelligence 2018) ", - "source_ref": "intrusion-set--76d59913-1d24-4992-a8ac-05a3eb093f71", - "target_ref": "attack-pattern--648f995e-9c3a-41e4-aeee-98bb41037426", - "external_references": [ - { - "source_name": "Symantec September 2017", - "description": "Symantec 2017, September 6 Dragonfly: Western energy sector targeted by sophisticated attack group Retrieved. 2017/09/14 ", - "url": "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/dragonfly-energy-sector-cyber-attacks" - }, - { - "source_name": "Sean Baird, Earl Carter, Erick Galinkin, Christopher Marczewski & Joe Marshall July 2017", - "description": "Sean Baird, Earl Carter, Erick Galinkin, Christopher Marczewski & Joe Marshall 2017, July 07 Attack on Critical Infrastructure Leverages Template Injection Retrieved. 2019/12/05 ", - "url": "https://blog.talosintelligence.com/2017/07/template-injection.html" - }, - { - "source_name": "Dragos Threat Intelligence September 2018", - "description": "Dragos Threat Intelligence 2018, September 17 THREAT INTELLIGENCE SUMMARY TR-2018-25: Phishing Campaign Targeting Electric Utility Companies Retrieved. 2020/01/03 ", - "url": "https://dragos.com/wp-content/uploads/Sample-WorldView-Report.pdf" - }, - { - "source_name": "Dragos Threat Intelligence 2018", - "description": "Dragos Threat Intelligence 2018 ICS Activity Groups and Threat Landscape Retrieved. 
2020/01/03 ", - "url": "https://dragos.com/wp-content/uploads/yir-ics-activity-groups-threat-landscape-2018.pdf" - } - ], - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "relationship", - "id": "relationship--c69eab3c-861c-45f5-8858-a595fcc7e6f6", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.132Z", - "relationship_type": "mitigates", - "description": "Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware or unusual data transfer over known tools and protocols like FTP can be used to mitigate activity at the network level. Signatures are often for unique indicators within protocols and may be based on the specific obfuscation technique used by a particular adversary or tool and will likely be different across various malware families and versions. Adversaries will likely change tool C2 signatures over time or construct protocols in such a way as to avoid detection by common defensive tools. (Citation: Gardiner, J., Cova, M., Nagaraja, S February 2014)\n", - "source_ref": "course-of-action--3172222b-4983-43f7-8983-753ded4f13bc", - "target_ref": "attack-pattern--ead7bd34-186e-4c79-9a4d-b65bcce6ed9d", - "external_references": [ - { - "source_name": "Gardiner, J., Cova, M., Nagaraja, S February 2014", - "description": "Gardiner, J., Cova, M., Nagaraja, S 2014, February Command & Control Understanding, Denying and Detecting Retrieved. 
2016/04/20 ", - "url": "https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf" - } - ], - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - "type": "relationship", - "id": "relationship--51f9963c-c041-4bec-b482-5fda2fb5bca4", + "id": "relationship--990f944f-190d-456d-b194-f5ecb17a0868", "created": "2019-06-24T17:20:24.258Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, @@ -10259,11 +14520,11 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2022-10-12T17:39:25.984Z", - "description": "A [Conficker](https://attack.mitre.org/software/S0608) infection at a nuclear power plant forced the facility to shutdown and go through security procedures involved with such events, with its staff scanning computer systems and going through all the regular checks and motions before putting the plant back into production. (Citation: Catalin Cimpanu April 2016)", + "modified": "2022-10-12T17:40:11.392Z", + "description": "A [Conficker](https://attack.mitre.org/software/S0608) infection at a nuclear power plant forced the facility to temporarily shutdown. (Citation: Catalin Cimpanu April 2016)", "relationship_type": "uses", "source_ref": "malware--58eddbaf-7416-419a-ad7b-e65b9d4c3b55", - "target_ref": "attack-pattern--63b6942d-8359-4506-bfb3-cf87aa8120ee", + "target_ref": "attack-pattern--b5b9bacb-97f2-4249-b804-47fd44de1f95", "x_mitre_deprecated": false, "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "2.1.0", 
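Review bot: The rewritten Conficker description in the `-10259,11 +14520,11` hunk uses the noun `shutdown` where a verb is needed; it should read `forced the facility to temporarily shut down.` Consumers of this bundle most likely display the `description` string as-is, so the wording is best corrected in the source object. The object starts before this hunk and ends after it.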
@@ -10274,156 +14535,139 @@ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", - "id": "relationship--139bb9e7-e5fd-4366-b2e6-4f74a73ec984", + "id": "relationship--cca191a1-3c50-4d4f-8f79-4247e58af610", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.071Z", + "modified": "2022-05-06T17:47:24.146Z", "relationship_type": "mitigates", - "description": "Unauthorized connections can be prevented by statically defining the hosts and ports used for automation protocol connections.\n", - "source_ref": "course-of-action--52c7a1a9-3a78-4528-a44f-cd7b0fa3541a", - "target_ref": "attack-pattern--3f1f4ccb-9be2-4ff8-8f69-dd972221169b", + "description": "Use tools that restrict program execution via application control by attributes other than file name for common system and application utilities.\n", + "source_ref": "course-of-action--4fa717d9-cabe-47c8-8cdd-86e9e2e37f30", + "target_ref": "attack-pattern--ba203963-3182-41ac-af14-7e7ebc83cd61", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0" }, { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], "type": "relationship", - "id": "relationship--8ecf5eac-7767-411b-b54a-b374ea51b9e9", + "id": "relationship--9fb2a9b2-3b25-4f77-9f7a-e832b2e5071a", + "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.139Z", - "relationship_type": "mitigates", - "description": "Hot-standbys in diverse locations can ensure continued operations if the primarily system are compromised or unavailable. At the network layer, protocols such as the Parallel Redundancy Protocol can be used to simultaneously use redundant and diverse communication over a local network. 
(Citation: M. Rentschler and H. Heine)\n", - "source_ref": "course-of-action--f0f5c87a-a58d-440a-b3b5-ca679d98c6dd", - "target_ref": "attack-pattern--138979ba-0430-4de6-a128-2fc0b056ba36", + "revoked": false, "external_references": [ { - "source_name": "M. Rentschler and H. Heine", - "description": "M. Rentschler and H. Heine The Parallel Redundancy Protocol for industrial IP networks Retrieved. 2020/09/25 ", - "url": "https://ieeexplore.ieee.org/document/6505877" + "source_name": "Anton Cherepanov, ESET June 2017", + "description": "Anton Cherepanov, ESET 2017, June 12 Win32/Industroyer: A new threat for industrial control systems Retrieved. 2017/09/15 ", + "url": "https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf" } ], - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "type": "relationship", - "id": "relationship--d08fdedd-12f6-4681-9167-70d070432dee", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.208Z", - "relationship_type": "mitigates", - "description": "Perform inline allowlisting of automation protocol commands to prevent devices from sending unauthorized command or reporting messages. 
Allow/denylist techniques need to be designed with sufficient accuracy to prevent the unintended blocking of valid reporting messages.\n", - "source_ref": "course-of-action--11f242bc-3121-438c-84b2-5cbd46a4bb17", - "target_ref": "attack-pattern--8535b71e-3c12-4258-a4ab-40257a1becc4", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "relationship--cb1037c1-4b83-4a79-ba12-00558bb6b42b", - "type": "relationship", - "created": "2021-10-04T20:52:20.304Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "external_references": [ - { - "source_name": "ESET Lazarus KillDisk April 2018", - "description": "Kálnai, P., Cherepanov A. (2018, April 03). Lazarus KillDisks Central American casino. Retrieved May 17, 2018.", - "url": "https://www.welivesecurity.com/2018/04/03/lazarus-killdisk-central-american-casino/" - } - ], - "modified": "2021-10-04T20:54:09.057Z", - "description": "(Citation: ESET Lazarus KillDisk April 2018)", + "modified": "2022-09-23T18:54:30.385Z", + "description": "Using its protocol payloads, [Industroyer](https://attack.mitre.org/software/S0604) sends unauthorized commands to RTUs to change the state of equipment. 
(Citation: Anton Cherepanov, ESET June 2017)", "relationship_type": "uses", - "source_ref": "intrusion-set--00f67a77-86a4-4adf-be26-1a54fc713340", - "target_ref": "malware--e221eb77-1502-4129-af1d-fe1ad55e7ec6", + "source_ref": "malware--e401d4fe-f0c9-44f0-98e6-f93487678808", + "target_ref": "attack-pattern--40b300ba-f553-48bf-862e-9471b220d455", + "x_mitre_deprecated": false, "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], "type": "relationship", - "id": "relationship--41b87fd8-6e4d-4e53-a282-c85292fdaa22", + "id": "relationship--bc383819-2e40-49b4-bea9-95eb5d418877", + "created": "2017-12-14T16:46:06.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.160Z", - "relationship_type": "mitigates", - "description": "The encryption of firmware should be considered to prevent adversaries from identifying possible vulnerabilities within the firmware.\n", - "source_ref": "course-of-action--7f153c28-e5f1-4764-88fb-eea1d9b0ad4a", - "target_ref": "attack-pattern--efbf7888-f61b-4572-9c80-7e2965c60707", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "relationship", - "id": "relationship--7041d8e5-3b74-402a-86b3-fd59def80632", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.135Z", - "relationship_type": "mitigates", - "description": "Hot-standbys in diverse locations can ensure continued operations if the primarily system are compromised or unavailable. 
At the network layer, protocols such as the Parallel Redundancy Protocol can be used to simultaneously use redundant and diverse communication over a local network. (Citation: M. Rentschler and H. Heine)\n", - "source_ref": "course-of-action--f0f5c87a-a58d-440a-b3b5-ca679d98c6dd", - "target_ref": "attack-pattern--a81696ef-c106-482c-8f80-59c30f2569fb", + "revoked": false, "external_references": [ { - "source_name": "M. Rentschler and H. Heine", - "description": "M. Rentschler and H. Heine The Parallel Redundancy Protocol for industrial IP networks Retrieved. 2020/09/25 ", - "url": "https://ieeexplore.ieee.org/document/6505877" + "source_name": "Nicolas Falliere, Liam O Murchu, Eric Chien February 2011", + "description": "Nicolas Falliere, Liam O Murchu, Eric Chien 2011, February W32.Stuxnet Dossier (Version 1.4) Retrieved. 2017/09/22 ", + "url": "https://www.wired.com/images_blogs/threatlevel/2011/02/Symantec-Stuxnet-Update-Feb-2011.pdf" } ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-09-20T21:15:38.341Z", + "description": "[Stuxnet](https://attack.mitre.org/software/S0603) uses a thread to monitor a data block DB890 of sequence A or B. This thread is constantly running and probing this block (every 5 minutes). On an infected PLC, if block DB890 is found and contains a special magic value (used by Stuxnet to identify his own block DB890), this blocks data can be read and written. This thread is likely used to optimize the way sequences A and B work, and modify their behavior when the Step7 editor is opened. 
(Citation: Nicolas Falliere, Liam O Murchu, Eric Chien February 2011)", + "relationship_type": "uses", + "source_ref": "malware--088f1d6e-0783-47c6-9923-9c79b2af43d4", + "target_ref": "attack-pattern--e076cca8-2f08-45c9-aff7-ea5ac798b387", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", - "id": "relationship--1110814e-81ff-4a23-9988-4b93e6f68a2b", - "created": "2022-05-11T16:22:58.803Z", + "id": "relationship--478cef79-cf4e-4b37-9562-b45cdeb088a4", + "created": "2022-09-26T20:46:23.812Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2022-09-26T15:09:35.145Z", - "description": "Monitor asset alarms which may help identify a loss of communications. Consider correlating alarms with other data sources that indicate traffic has been blocked, such as network traffic. In cases where alternative methods of communicating with outstations exist alarms may still be visible even if reporting messages are blocked. ", + "modified": "2022-10-14T16:30:58.676Z", + "description": "Monitor contextual data about a running process, which may include information such as environment variables, image name, user/owner, or other information that may reveal abuse of system features. 
", "relationship_type": "detects", - "source_ref": "x-mitre-data-component--4c12c1c8-bcef-4daf-8e5b-fca235f71d9e", - "target_ref": "attack-pattern--3f1f4ccb-9be2-4ff8-8f69-dd972221169b", + "source_ref": "x-mitre-data-component--ee575f4a-2d4f-48f6-b18b-89067760adc1", + "target_ref": "attack-pattern--2dc2b567-8821-49f9-9045-8740f3d0b958", "x_mitre_deprecated": false, - "x_mitre_version": "1.0", + "x_mitre_version": "0.1", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], "type": "relationship", - "id": "relationship--40f63b01-dc59-475d-826a-74f38c6e81b9", + "id": "relationship--e0d101cc-1284-4e88-82d6-227fe5d19d8a", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.123Z", + "relationship_type": "mitigates", + "description": "Update software regularly by employing patch management for internal enterprise endpoints and servers.\n", + "source_ref": "course-of-action--97f33c84-8508-45b9-8a1d-cac921828c9e", + "target_ref": "attack-pattern--85a45294-08f1-4539-bf00-7da08aa7b0ee", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--6b987f2a-3d07-4791-9c1c-e4f6818521e8", "created": "2022-05-11T16:22:58.805Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2022-09-26T19:38:28.550Z", - "description": "Host-based implementations of this technique may utilize networking-based system calls or network utility commands (e.g., iptables) to locally intercept traffic. 
Monitor for relevant process creation events.", + "modified": "2022-09-27T16:44:06.211Z", + "description": "Monitor for changes made to Windows Registry keys or values that may delete or alter generated artifacts on a host system, including logs or captured files such as quarantined malware. For added context on adversary procedures and background see [Indicator Removal](https://attack.mitre.org/techniques/T1070) and applicable sub-techniques.", "relationship_type": "detects", - "source_ref": "x-mitre-data-component--3d20385b-24ef-40e1-9f56-f39750379077", - "target_ref": "attack-pattern--9a505987-ab05-4f46-a9a6-6441442eec3b", + "source_ref": "x-mitre-data-component--da85d358-741a-410d-9433-20d6269a6170", + "target_ref": "attack-pattern--53a26eee-1080-4d17-9762-2027d5a1b805", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--1299dd2d-4f42-4f5f-876b-bf7dacd17c79", + "created": "2022-05-11T16:22:58.803Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-09-26T15:10:34.653Z", + "description": "Monitor for a loss of network communications, which may indicate this technique is being used.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--a7f22107-02e5-4982-9067-6625d4a1765a", + "target_ref": "attack-pattern--1c478716-71d9-46a4-9a53-fa5d576adb60", "x_mitre_deprecated": false, "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "2.1.0", 
@@ -10434,20 +14678,240 @@ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", - "id": "relationship--92d1fd4f-6cc7-4db5-82f8-f8caa5ff59f0", + "id": "relationship--ca64a927-f050-41b3-80d3-93d22cdef26a", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.130Z", + "modified": "2022-05-06T17:47:24.081Z", "relationship_type": "mitigates", - "description": "Protect files stored locally with proper permissions to limit opportunities for adversaries to remove indicators of their activity on the system. (Citation: Keith Stouffer May 2015) (Citation: National Institute of Standards and Technology April 2013)\n", - "source_ref": "course-of-action--f9fcb3ec-6de0-4559-8cd9-ef1c0c7d1971", - "target_ref": "attack-pattern--53a26eee-1080-4d17-9762-2027d5a1b805", + "description": "Ensure that unnecessary ports and services are closed to prevent risk of discovery and potential exploitation.\n", + "source_ref": "course-of-action--d0909119-2f71-4923-87db-b649881672d7", + "target_ref": "attack-pattern--e6c31185-8040-4267-83d3-b217b8a92f07", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--86ede365-4539-4475-b90b-9b3bfd2dbe97", + "created": "2022-05-11T16:22:58.806Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-09-26T16:18:43.413Z", + "description": "Monitor devices configuration logs which may contain alerts that indicate whether a program download has occurred. 
Devices may maintain application logs that indicate whether a full program download, online edit, or program append function has occurred.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--9c2fa0ae-7abc-485a-97f6-699e3b6cf9fa", + "target_ref": "attack-pattern--be69c571-d746-4b1f-bdd0-c0c9817e9068", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--49d38b21-5ce5-48d9-a356-639fc6c7a53d", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.097Z", + "relationship_type": "mitigates", + "description": "All field controllers should require users to authenticate for all remote or local management sessions. The authentication mechanisms should also support [Account Use Policies](https://attack.mitre.org/mitigations/M0936), [Password Policies](https://attack.mitre.org/mitigations/M0927), and [User Account Management](https://attack.mitre.org/mitigations/M0918).", + "source_ref": "course-of-action--66cfe23e-34b6-4583-b178-ed6a412db2b0", + "target_ref": "attack-pattern--2aa406ed-81c3-4c1d-ba83-cfbee5a2847a", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--9db1ecfe-72eb-42da-a09e-746663a53854", + "created": "2018-04-18T17:59:24.739Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, "external_references": [ { - "source_name": "Keith Stouffer May 2015", - "description": "Keith Stouffer 2015, May Guide to Industrial Control Systems (ICS) Security Retrieved. 
2018/03/28 ", - "url": "https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-82r2.pdf" - }, + "source_name": "MDudek-ICS", + "description": "MDudek-ICS TRISIS-TRITON-HATMAN Retrieved. 2019/11/03 ", + "url": "https://github.com/MDudek-ICS/TRISIS-TRITON-HATMAN/tree/master/decompiled_code/library" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-09-29T20:46:03.389Z", + "description": "[Triton](https://attack.mitre.org/software/S1009) contains a file named TS_cnames.py which contains default definitions for program state (TS_progstate). Program state is referenced in TsHi.py.(Citation: MDudek-ICS)\n\n[Triton](https://attack.mitre.org/software/S1009) contains a file named TS_cnames.py which contains default definitions for key state (TS_keystate). Key state is referenced in TsHi.py.(Citation: MDudek-ICS)", + "relationship_type": "uses", + "source_ref": "malware--80099a91-4c86-4bea-9ccb-dac55d61960e", + "target_ref": "attack-pattern--2aa406ed-81c3-4c1d-ba83-cfbee5a2847a", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--34d4101b-b4c9-4ea3-a84d-81e84e7f5033", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.168Z", + "relationship_type": "mitigates", + "description": "Segment networks and systems appropriately to reduce access to critical system and services communications.\n", + "source_ref": "course-of-action--1e7ccfc0-94c8-496e-8d27-032120892291", + "target_ref": "attack-pattern--38213338-1aab-479d-949b-c81b66ccca5c", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": 
"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--a22fabd2-836e-4141-9219-c76cc10138ec", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.100Z", + "relationship_type": "mitigates", + "description": "Use host-based allowlists to prevent devices from accepting connections from unauthorized systems. For example, allowlists can be used to ensure devices can only connect with master stations or known management/engineering workstations. (Citation: Department of Homeland Security September 2016)\n", + "source_ref": "course-of-action--aadac250-bcdc-44e3-a4ae-f52bd0a7a16a", + "target_ref": "attack-pattern--2aa406ed-81c3-4c1d-ba83-cfbee5a2847a", + "external_references": [ + { + "source_name": "Department of Homeland Security September 2016", + "description": "Department of Homeland Security 2016, September Retrieved. 
2020/09/25 ", + "url": "https://us-cert.cisa.gov/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf" + } + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--df6da4ec-cbe8-4f93-a41f-3726a9491938", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.168Z", + "relationship_type": "mitigates", + "description": "Statically defined ARP entries can prevent manipulation and sniffing of switched network traffic, as some MitM techniques depend on sending spoofed ARP messages to manipulate network host's dynamic ARP tables.\n", + "source_ref": "course-of-action--52c7a1a9-3a78-4528-a44f-cd7b0fa3541a", + "target_ref": "attack-pattern--38213338-1aab-479d-949b-c81b66ccca5c", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--d406671b-4d22-4cd5-8568-d04b0b70b51c", + "created": "2022-05-11T16:22:58.803Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-09-26T14:49:29.157Z", + "description": "Monitor asset log which may provide information that an asset has been placed into Firmware Update Mode. 
Some assets may log firmware updates themselves without logging that the device has been placed into update mode.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--9c2fa0ae-7abc-485a-97f6-699e3b6cf9fa", + "target_ref": "attack-pattern--19a71d1e-6334-4233-8260-b749cae37953", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--4211c12a-57cf-4ebb-910a-6af7aa09cf34", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2021-04-12T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.187Z", + "relationship_type": "mitigates", + "description": "All communication sessions to remote services should be authenticated to prevent unauthorized access.\n", + "source_ref": "course-of-action--72e46e53-e12d-4106-9c70-33241b6ed549", + "target_ref": "attack-pattern--e1f9cdd2-9511-4fca-90d7-f3e92cfdd0bf", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--56dcc2d7-5243-4a5d-a556-8723642e98a4", + "created": "2018-04-18T17:59:24.739Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Jos Wetzels January 2018", + "description": "Jos Wetzels 2018, January 16 Analyzing the TRITON industrial malware Retrieved. 
2019/10/22 ", + "url": "https://www.midnightbluelabs.com/blog/2018/1/16/analyzing-the-triton-industrial-malware" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-12T18:24:51.471Z", + "description": "[Triton](https://attack.mitre.org/software/S1009) would reset the controller to the previous state over TriStation and if this failed it would write a dummy program to memory in what was likely an attempt at anti-forensics. (Citation: Jos Wetzels January 2018)", + "relationship_type": "uses", + "source_ref": "malware--80099a91-4c86-4bea-9ccb-dac55d61960e", + "target_ref": "attack-pattern--53a26eee-1080-4d17-9762-2027d5a1b805", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--1fd4cf4e-a26c-4fe5-a7fd-f49b8aea8437", + "created": "2021-04-12T18:49:06.044Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Tom Fakterman August 2019", + "description": "Tom Fakterman 2019, August 05 Sodinokibi: The Crown Prince of Ransomware Retrieved. 2021/04/12 ", + "url": "https://www.cybereason.com/blog/the-sodinokibi-ransomware-attack" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-12T18:03:36.379Z", + "description": "[REvil](https://attack.mitre.org/software/S0496) initially executes when the user clicks on a JavaScript file included in the phishing emails .zip attachment. 
(Citation: Tom Fakterman August 2019)", + "relationship_type": "uses", + "source_ref": "malware--ac61f1f9-7bb1-465e-9b8a-c2ce8e88baf5", + "target_ref": "attack-pattern--2736b752-4ec5-4421-a230-8977dea7649c", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--26fdd07e-d194-4f8e-a9af-d5b2f1d0222e", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.170Z", + "relationship_type": "mitigates", + "description": "Restrict root or administrator access on user accounts to limit the ability to capture promiscuous traffic on a network through common packet capture tools. (Citation: National Institute of Standards and Technology April 2013)\n", + "source_ref": "course-of-action--622fe4d4-0e8e-4d17-9c25-6c9cef1f15d5", + "target_ref": "attack-pattern--38213338-1aab-479d-949b-c81b66ccca5c", + "external_references": [ { "source_name": "National Institute of Standards and Technology April 2013", "description": "National Institute of Standards and Technology 2013, April Security and Privacy Controls for Federal Information Systems and Organizations Retrieved. 2020/09/17 ", 
@@ -10460,44 +14924,18 @@ }, { "type": "relationship", - "id": "relationship--a4c81fe6-1ad9-4bba-a415-a3c099eaa2be", - "created": "2021-04-13T11:15:26.506Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "external_references": [ - { - "source_name": "Spenneberg, Ralf, Maik Brggemann, and Hendrik Schwartke March 2016", - "description": "Spenneberg, Ralf, Maik Brggemann, and Hendrik Schwartke 2016, March 31 Plc-blaster: A worm living solely in the plc. Retrieved. 2017/09/19 ", - "url": "https://www.blackhat.com/docs/asia-16/materials/asia-16-Spenneberg-PLC-Blaster-A-Worm-Living-Solely-In-The-PLC-wp.pdf" - } - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-10-12T18:02:30.876Z", - "description": "[PLC-Blaster](https://attack.mitre.org/software/S1006) stops the execution of the user program on the target to enable the transfer of its own code. The worm then copies itself to the target and subsequently starts the target PLC again. 
(Citation: Spenneberg, Ralf, Maik Brggemann, and Hendrik Schwartke March 2016)", - "relationship_type": "uses", - "source_ref": "malware--4dcff507-5af8-47ce-964a-8d9569e9ccfe", - "target_ref": "attack-pattern--2883c520-7957-46ca-89bd-dab1ad53b601", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "type": "relationship", - "id": "relationship--eb06ac7d-117a-48ab-ae3b-8bfa8f332f60", - "created": "2022-05-11T16:22:58.804Z", + "id": "relationship--9ffc1ecb-09de-4841-a1f6-ebd1f3be7cea", + "created": "2022-05-11T16:22:58.805Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2022-10-14T19:42:04.422Z", - "description": "Monitor for newly constructed files written to disk through a user visiting a website over the normal course of browsing.", + "modified": "2022-10-14T19:40:06.988Z", + "description": "Monitor for a file that may delete or alter generated artifacts on a host system, including logs or captured files such as quarantined malware.", "relationship_type": "detects", - "source_ref": "x-mitre-data-component--2b3bfe19-d59a-460d-93bb-2f546adc2d2c", - "target_ref": "attack-pattern--7830cfcf-b268-4ac0-a69e-73c6affbae9a", + "source_ref": "x-mitre-data-component--e905dad2-00d6-477c-97e8-800427abd0e8", + "target_ref": "attack-pattern--53a26eee-1080-4d17-9762-2027d5a1b805", "x_mitre_deprecated": false, "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "2.1.0", 
@@ -10508,148 +14946,31 @@ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", - "id": "relationship--6d1906b4-e815-4688-86f1-ce61d403f8c6", + "id": "relationship--b47dbc50-fd8f-4e5b-bb3d-e93b68bf5497", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.186Z", + "modified": "2022-05-06T17:47:24.143Z", "relationship_type": "mitigates", - "description": "All remote services should require strong authentication before providing user access.\n", - "source_ref": "course-of-action--66cfe23e-34b6-4583-b178-ed6a412db2b0", - "target_ref": "attack-pattern--e1f9cdd2-9511-4fca-90d7-f3e92cfdd0bf", + "description": "Limit access to network infrastructure and resources that can be used to reshape traffic or otherwise produce MiTM conditions.\n", + "source_ref": "course-of-action--bcf91ebc-f316-4e19-b2f6-444e9940c697", + "target_ref": "attack-pattern--9a505987-ab05-4f46-a9a6-6441442eec3b", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0" }, { "type": "relationship", - "id": "relationship--7f1e688d-65f7-4737-a4ba-ee482710f8ec", - "created": "2022-05-11T16:22:58.804Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "id": "relationship--b62da342-4b12-4d88-bb48-9fa84b8c967f", + "created": "2022-09-27T18:39:49.747Z", "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2022-10-14T18:40:55.168Z", - "description": "Monitor for application logging, messaging, and/or other artifacts that may result from Denial of Service (DoS) attacks which degrade or block the availability of services to users. 
In addition to network level detections, endpoint logging and instrumentation can be useful for detection.", + "modified": "2022-09-27T18:39:49.747Z", + "description": "In the case of detecting collection from local systems monitor for any attempts to enable scripts running on a system would be considered suspicious. If scripts are not commonly used on a system, but enabled, scripts running out of cycle from patching or other administrator functions are suspicious. Scripts should be captured from the file system when possible to determine their actions and intent. Data may also be acquired through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001). For added context on adversary procedures and background see [Data from Local System](https://attack.mitre.org/techniques/T1005).", "relationship_type": "detects", - "source_ref": "x-mitre-data-component--9c2fa0ae-7abc-485a-97f6-699e3b6cf9fa", - "target_ref": "attack-pattern--1b22b676-9347-4c55-9a35-ef0dc653db5b", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "type": "relationship", - "id": "relationship--6157408d-1eb3-4445-8d8a-14619458954f", - "created": "2022-09-27T15:26:40.297Z", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-09-27T15:26:40.297Z", - "description": "Monitor for network traffic originating from unknown/unexpected hardware devices. 
Local network traffic metadata (such as source MAC addressing) may be helpful in identifying transient assets.", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--a7f22107-02e5-4982-9067-6625d4a1765a", - "target_ref": "attack-pattern--35392fb4-a31d-4c6a-b9f2-1c65b7f5e6b9", - "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "2.1.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "relationship", - "id": "relationship--06c663f8-fcf1-47eb-ab79-284e93eafa6b", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.183Z", - "relationship_type": "mitigates", - "description": "Authenticate connections from software and devices to prevent unauthorized systems from accessing protected management functions.\n", - "source_ref": "course-of-action--72e46e53-e12d-4106-9c70-33241b6ed549", - "target_ref": "attack-pattern--3067b85e-271e-4bc5-81ad-ab1a81d411e3", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - "type": "relationship", - "id": "relationship--0c1fe5fc-3bdc-4d0e-94a0-6564f2ce4444", - "created": "2017-05-31T21:33:27.074Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "external_references": [ - { - "source_name": "Orkhan Mamedov, Fedor Sinitsyn, Anton Ivanov October 2017", - "description": "Orkhan Mamedov, Fedor Sinitsyn, Anton Ivanov 2017, October 27 Bad Rabbit Ransomware Retrieved. 
2019/10/27 ", - "url": "https://securelist.com/bad-rabbit-ransomware/82851/" - } - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-10-12T17:30:30.761Z", - "description": "[Bad Rabbit](https://attack.mitre.org/software/S0606) ransomware spreads through drive-by attacks where insecure websites are compromised. While the target is visiting a legitimate website, a malware dropper is being downloaded from the threat actors infrastructure. (Citation: Orkhan Mamedov, Fedor Sinitsyn, Anton Ivanov October 2017)", - "relationship_type": "uses", - "source_ref": "malware--2eaa5319-5e1e-4dd7-bbc4-566fced3964a", - "target_ref": "attack-pattern--7830cfcf-b268-4ac0-a69e-73c6affbae9a", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "relationship", - "id": "relationship--fa1bde35-63d9-4c5c-969b-2c17c29089fa", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.175Z", - "relationship_type": "mitigates", - "description": "All field controllers should require users to authenticate for all remote or local management sessions. 
The authentication mechanisms should also support [Account Use Policies](https://attack.mitre.org/mitigations/M0936), [Password Policies](https://attack.mitre.org/mitigations/M0927), and [User Account Management](https://attack.mitre.org/mitigations/M0918).", - "source_ref": "course-of-action--66cfe23e-34b6-4583-b178-ed6a412db2b0", - "target_ref": "attack-pattern--be69c571-d746-4b1f-bdd0-c0c9817e9068", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - "type": "relationship", - "id": "relationship--6eaf727c-fec3-4e63-8852-eee27c44d596", - "created": "2022-09-27T15:23:19.486Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-10-14T19:47:06.144Z", - "description": "Monitor for newly constructed files from a spearphishing emails with a malicious attachment in an attempt to gain access to victim systems.", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--2b3bfe19-d59a-460d-93bb-2f546adc2d2c", - "target_ref": "attack-pattern--648f995e-9c3a-41e4-aeee-98bb41037426", - "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "type": "relationship", - "id": "relationship--a7fb3abd-c800-408e-8329-2a4f6256ea4a", - "created": "2022-09-29T14:27:05.757Z", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-09-29T14:27:05.757Z", - "description": "Monitor logon sessions for hardcoded credential use, when feasible.", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--9ce98c86-8d30-4043-ba54-0784d478d0b5", - "target_ref": 
"attack-pattern--c9a8d958-fcdb-40d2-af4c-461c8031651a", + "source_ref": "x-mitre-data-component--9f387817-df83-432a-b56b-a8fb7f71eedd", + "target_ref": "attack-pattern--3405891b-16aa-4bd7-bd7c-733501f9b20f", "x_mitre_deprecated": false, "x_mitre_version": "0.1", "x_mitre_attack_spec_version": "2.1.0", 
@@ -10658,149 +14979,37 @@ }, { "type": "relationship", - "id": "relationship--81add433-49d8-43ec-85d5-f48fe80e56e7", - "created": "2022-05-11T16:22:58.806Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "id": "relationship--1377fdf9-5201-4204-b6d3-df2fb5f4d02f", + "created": "2022-09-26T18:41:48.947Z", "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2022-10-14T16:44:21.000Z", - "description": "Devices that provide user access to the underlying operating system may allow the installation of custom software to monitor OS API execution. Monitoring API calls may generate a significant amount of data and may not be useful for defense unless collected under specific circumstances, since benign use of API functions are common and may be difficult to distinguish from malicious behavior. Correlation of other events with behavior surrounding API function calls using API monitoring will provide additional context to an event that may assist in determining if it is due to malicious behavior.", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e", - "target_ref": "attack-pattern--b52870cc-83f3-473c-b895-72d91751030b", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "type": "relationship", - "id": "relationship--b5f94430-be03-43ed-97e1-0424d783073e", - "created": "2021-10-14T21:33:27.046Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "external_references": [ - { - "source_name": "Dragos October 2018", - "description": "Dragos 2018, October 12 Anatomy of an Attack: Detecting and Defeating CRASHOVERRIDE Retrieved. 
2019/10/14 ", - "url": "https://dragos.com/wp-content/uploads/CRASHOVERRIDE2018.pdf" - } - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-10-12T16:59:39.830Z", - "description": "[Sandworm Team](https://attack.mitre.org/groups/G0034) transfers executable files as .txt. and then renames them to .exe, likely to avoid detection through extension tracking. (Citation: Dragos October 2018)", - "relationship_type": "uses", - "source_ref": "intrusion-set--381fcf73-60f6-4ab2-9991-6af3cbc35192", - "target_ref": "attack-pattern--ba203963-3182-41ac-af14-7e7ebc83cd61", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "type": "relationship", - "id": "relationship--39963a04-9675-4fa4-87ea-1b34145cc569", - "created": "2022-05-11T16:22:58.807Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "external_references": [ - { - "source_name": "Elastic - Koadiac Detection with EQL", - "description": "Stepanic, D.. (2020, January 13). Embracing offensive tooling: Building detections against Koadic using EQL. 
Retrieved November 30, 2020.", - "url": "https://www.elastic.co/blog/embracing-offensive-tooling-building-detections-against-koadic-using-eql" - } - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-10-14T16:51:44.656Z", - "description": "Monitor for newly executed processes that can be used to discover remote systems, such as ping.exe and tracert.exe , especially when executed in quick succession.(Citation: Elastic - Koadiac Detection with EQL) Consider monitoring for new processes engaging in scanning activity or connecting to multiple systems by correlating process creation network data.", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--3d20385b-24ef-40e1-9f56-f39750379077", - "target_ref": "attack-pattern--d5a69cfb-fc2a-46cb-99eb-74b236db5061", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "type": "relationship", - "id": "relationship--44c6bc32-d2e5-42f5-8c2e-42f305cb589b", - "created": "2022-09-27T19:06:12.301Z", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-09-27T19:06:12.302Z", - "description": "A manipulated I/O image requires analyzing the application program running on the PLC for specific data block writes. 
Detecting this requires obtaining and analyzing a PLC’s application program, either directly from the device or from asset management platforms.", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--8ed4e6d0-56d7-4e6b-8fa6-41f41631f30d", - "target_ref": "attack-pattern--36e9f5bc-ac13-4da4-a2f4-01f4877d9004", - "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "2.1.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "relationship", - "id": "relationship--86076ad1-8037-4dd0-88e7-9c40ec00af4a", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2018-10-17T00:14:20.652Z", - "modified": "2022-05-06T17:47:24.368Z", - "relationship_type": "uses", - "description": "[Dragonfly 2.0](https://attack.mitre.org/groups/G0035) trojanized legitimate software to deliver malware disguised as standard windows applications. (Citation: Symantec September 2017)", - "source_ref": "intrusion-set--76d59913-1d24-4992-a8ac-05a3eb093f71", - "target_ref": "attack-pattern--5e0f75da-e108-4688-a6de-a4f07cc2cbe3", - "external_references": [ - { - "source_name": "Symantec September 2017", - "description": "Symantec 2017, September 6 Dragonfly: Western energy sector targeted by sophisticated attack group Retrieved. 
2017/09/14 ", - "url": "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/dragonfly-energy-sector-cyber-attacks" - } - ], - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "relationship", - "id": "relationship--b7f23af2-e948-4531-af56-1a1b4d03702f", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.172Z", - "relationship_type": "mitigates", - "description": "Authenticate all access to field controllers before authorizing access to, or modification of, a device's state, logic, or programs. Centralized authentication techniques can help manage the large number of field controller accounts needed across the ICS.\n", - "source_ref": "course-of-action--3992ce42-43e9-4bea-b8db-a102ec3ec1e3", - "target_ref": "attack-pattern--25852363-5968-4673-b81d-341d5ed90bd1", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - "type": "relationship", - "id": "relationship--655e2f91-5d43-4c47-b7e0-8248b351f3ba", - "created": "2022-05-11T16:22:58.803Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-09-26T14:49:07.316Z", - "description": "Monitor device alarms that indicate the devices has been placed into Firmware Update Mode, although not all devices produce such alarms.", + "modified": "2022-09-26T18:41:48.947Z", + "description": "Monitor for firmware changes which may be observable via operational alarms from devices.", "relationship_type": "detects", "source_ref": 
"x-mitre-data-component--9d56be63-3501-4dd3-bb5f-63c580833298", - "target_ref": "attack-pattern--19a71d1e-6334-4233-8260-b749cae37953", + "target_ref": "attack-pattern--efbf7888-f61b-4572-9c80-7e2965c60707", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "2.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--3aa69e19-f55f-4531-a26e-eb67d6ea24ee", + "created": "2022-05-11T16:22:58.804Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-09-26T15:11:14.662Z", + "description": "Monitor for the termination of processes or services associated with ICS automation protocols and application software which could help detect blocked communications.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--61f1d40e-f3d0-4cc6-aa2d-937b6204194f", + "target_ref": "attack-pattern--1c478716-71d9-46a4-9a53-fa5d576adb60", "x_mitre_deprecated": false, "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "2.1.0", 
@@ -10808,24 +15017,133 @@ }, { "type": "relationship", - "id": "relationship--9d6f9bba-dd79-4cb6-a0f3-1284e58a6236", - "created": "2018-10-17T00:14:20.652Z", + "id": "relationship--d50a3d89-c8fa-4c5d-813e-f4495d892d1a", + "created": "2019-03-25T19:13:54.947Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { - "source_name": "Anton Cherepanov, ESET June 2017", - "description": "Anton Cherepanov, ESET 2017, June 12 Win32/Industroyer: A new threat for industrial control systems Retrieved. 2017/09/15 ", - "url": "https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf" + "source_name": "Joe Slowik April 2019", + "description": "Joe Slowik 2019, April 10 Implications of IT Ransomware for ICS Environments Retrieved. 2019/10/27 ", + "url": "https://dragos.com/blog/industry-news/implications-of-it-ransomware-for-ics-environments/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2022-09-23T18:53:56.368Z", - "description": "[Industroyer](https://attack.mitre.org/software/S0604)'s data wiper component removes the registry image path throughout the system and overwrites all files, rendering the system unusable. (Citation: Anton Cherepanov, ESET June 2017)", + "modified": "2022-10-12T18:32:23.717Z", + "description": "[WannaCry](https://attack.mitre.org/software/S0366) can move laterally through industrial networks by means of the SMB service. 
(Citation: Joe Slowik April 2019)", "relationship_type": "uses", - "source_ref": "malware--e401d4fe-f0c9-44f0-98e6-f93487678808", + "source_ref": "malware--75ecdbf1-c2bb-4afc-a3f9-c8da4de8c661", + "target_ref": "attack-pattern--ead7bd34-186e-4c79-9a4d-b65bcce6ed9d", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--6895e54e-3968-41a9-9013-a082cd46fa44", + "created": "2020-05-14T14:40:26.221Z", + "x_mitre_version": "1.0", + "external_references": [ + { + "source_name": "Red Canary Hospital Thwarted Ryuk October 2020", + "url": "https://redcanary.com/blog/how-one-hospital-thwarted-a-ryuk-ransomware-outbreak/", + "description": "Brian Donohue, Katie Nickels, Paul Michaud, Adina Bodkins, Taylor Chapman, Tony Lambert, Jeff Felling, Kyle Rainey, Mike Haag, Matt Graeber, Aaron Didier.. (2020, October 29). A Bazar start: How one hospital thwarted a Ryuk ransomware outbreak. Retrieved October 30, 2020." + }, + { + "source_name": "DHS/CISA Ransomware Targeting Healthcare October 2020", + "url": "https://us-cert.cisa.gov/ncas/alerts/aa20-302a", + "description": "DHS/CISA. (2020, October 28). Ransomware Activity Targeting the Healthcare and Public Health Sector. Retrieved October 28, 2020." + }, + { + "source_name": "CrowdStrike Ryuk January 2019", + "url": "https://www.crowdstrike.com/blog/big-game-hunting-with-ryuk-another-lucrative-targeted-ransomware/", + "description": "Hanel, A. (2019, January 10). Big Game Hunting with Ryuk: Another Lucrative Targeted Ransomware. Retrieved May 12, 2020." 
+ }, + { + "source_name": "FireEye KEGTAP SINGLEMALT October 2020", + "url": "https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html", + "description": "Kimberly Goody, Jeremy Kennelly, Joshua Shilko, Steve Elovitz, Douglas Bienstock. (2020, October 28). Unhappy Hour Special: KEGTAP and SINGLEMALT With a Ransomware Chaser. Retrieved October 28, 2020." + }, + { + "source_name": "CrowdStrike Wizard Spider October 2020", + "url": "https://www.crowdstrike.com/blog/wizard-spider-adversary-update/", + "description": "Podlosky, A., Hanel, A. et al. (2020, October 16). WIZARD SPIDER Update: Resilient, Reactive and Resolute. Retrieved June 15, 2021." + }, + { + "source_name": "Sophos New Ryuk Attack October 2020", + "url": "https://news.sophos.com/en-us/2020/10/14/inside-a-new-ryuk-ransomware-attack/", + "description": "Sean Gallagher, Peter Mackenzie, Elida Leite, Syed Shahram, Bill Kearney, Anand Aijan, Sivagnanam Gn, Suraj Mundalik. (2020, October 14). They’re back: inside a new Ryuk ransomware attack. Retrieved October 14, 2020." + }, + { + "source_name": "DFIR Ryuk 2 Hour Speed Run November 2020", + "url": "https://thedfirreport.com/2020/11/05/ryuk-speed-run-2-hours-to-ransom/", + "description": "The DFIR Report. (2020, November 5). Ryuk Speed Run, 2 Hours to Ransom. Retrieved November 6, 2020." + }, + { + "source_name": "DFIR Ryuk in 5 Hours October 2020", + "url": "https://thedfirreport.com/2020/10/18/ryuk-in-5-hours/", + "description": "The DFIR Report. (2020, October 18). Ryuk in 5 Hours. Retrieved October 19, 2020." + }, + { + "source_name": "DFIR Ryuk's Return October 2020", + "url": "https://thedfirreport.com/2020/10/08/ryuks-return/", + "description": "The DFIR Report. (2020, October 8). Ryuk’s Return. Retrieved October 9, 2020." 
+ } + ], + "x_mitre_deprecated": false, + "revoked": false, + "description": "(Citation: CrowdStrike Ryuk January 2019)(Citation: Red Canary Hospital Thwarted Ryuk October 2020)(Citation: DHS/CISA Ransomware Targeting Healthcare October 2020)(Citation: FireEye KEGTAP SINGLEMALT October 2020)(Citation: DFIR Ryuk's Return October 2020)(Citation: DFIR Ryuk 2 Hour Speed Run November 2020)(Citation: DFIR Ryuk in 5 Hours October 2020)(Citation: Sophos New Ryuk Attack October 2020)(Citation: CrowdStrike Wizard Spider October 2020)", + "modified": "2022-05-20T17:07:10.940Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "relationship_type": "uses", + "source_ref": "intrusion-set--dd2d9ca6-505b-4860-a604-233685b802c7", + "target_ref": "malware--a020a61c-423f-4195-8c46-ba1d21abba37", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--0c9ed09d-4ce3-4e65-845a-c21dcc5d956f", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.070Z", + "relationship_type": "mitigates", + "description": "Provide an alternative method for sending critical commands message to outstations, this could include using radio/cell communication to send messages to a field technician that physically performs the control function.\n", + "source_ref": "course-of-action--b11cad63-ef30-4eb8-af0d-6cc46eef3f3e", + "target_ref": "attack-pattern--008b8f56-6107-48be-aa9f-746f927dbb61", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--04bf72de-75ba-4d95-ad24-f93ad835180c", + "created": "2017-12-14T16:46:06.044Z", + 
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Booz Allen Hamilton", + "description": "Booz Allen Hamilton When The Lights Went Out Retrieved. 2019/10/22 ", + "url": "https://www.boozallen.com/content/dam/boozallen/documents/2016/09/ukraine-report-when-the-lights-went-out.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-12T17:54:26.520Z", + "description": "[KillDisk](https://attack.mitre.org/software/S0607) erases the master boot record (MBR) and system logs, leaving the system unusable. (Citation: Booz Allen Hamilton)", + "relationship_type": "uses", + "source_ref": "malware--e221eb77-1502-4129-af1d-fe1ad55e7ec6", "target_ref": "attack-pattern--138979ba-0430-4de6-a128-2fc0b056ba36", "x_mitre_deprecated": false, "x_mitre_version": "1.0", 
@@ -10837,80 +15155,30 @@ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", - "id": "relationship--04882fef-2a6b-40d0-a101-da9c76a3572e", + "id": "relationship--09977105-562f-4f45-a151-27a11a18031e", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.128Z", + "modified": "2022-05-06T17:47:24.164Z", "relationship_type": "mitigates", - "description": "Restrict the use of untrusted or unknown libraries, such as remote or unknown DLLs.\n", - "source_ref": "course-of-action--2ab9fc6d-3cf6-4d7b-85f1-3ad6949233b3", - "target_ref": "attack-pattern--ab390887-afc0-4715-826d-b1b167d522ae", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "relationship", - "id": "relationship--5bf8473c-3c60-4a8a-8514-c2b50ab8a92d", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.156Z", - "relationship_type": "mitigates", - "description": "Provide the ability to verify the integrity of control logic or programs loaded on a controller. While techniques like CRCs and checksums are commonly used, they are not cryptographically strong and can be vulnerable to collisions. Preferably cryptographic hash functions (e.g., SHA-2, SHA-3) should be used. (Citation: IEC February 2019)\n", - "source_ref": "course-of-action--bcf91ebc-f316-4e19-b2f6-444e9940c697", - "target_ref": "attack-pattern--097924ce-a9a9-4039-8591-e0deedfb8722", - "external_references": [ - { - "source_name": "IEC February 2019", - "description": "IEC 2019, February Security for industrial automation and control systems - Part 4-2: Technical security requirements for IACS components Retrieved. 
2020/09/25 ", - "url": "https://webstore.iec.ch/publication/34421" - } - ], + "description": "The encryption of firmware should be considered to prevent adversaries from identifying possible vulnerabilities within the firmware.\n", + "source_ref": "course-of-action--9f99fcfd-772e-4e63-9d39-e45612e546dc", + "target_ref": "attack-pattern--efbf7888-f61b-4572-9c80-7e2965c60707", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0" }, { "type": "relationship", - "id": "relationship--66f79019-d52c-46a6-b605-c2335d1d3d20", - "created": "2018-10-17T00:14:20.652Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "external_references": [ - { - "source_name": "Anton Cherepanov, ESET June 2017", - "description": "Anton Cherepanov, ESET 2017, June 12 Win32/Industroyer: A new threat for industrial control systems Retrieved. 2017/09/15 ", - "url": "https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf" - } - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-09-23T18:25:59.238Z", - "description": "[Industroyer](https://attack.mitre.org/software/S0604) has the capability to stop a service itself, or to login as a user and stop a service as that user. 
(Citation: Anton Cherepanov, ESET June 2017)", - "relationship_type": "uses", - "source_ref": "malware--e401d4fe-f0c9-44f0-98e6-f93487678808", - "target_ref": "attack-pattern--063b5b92-5361-481a-9c3f-95492ed9a2d8", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "type": "relationship", - "id": "relationship--ab0b5170-577b-491e-8508-b9a34dc393c1", - "created": "2022-09-27T16:22:57.470Z", + "id": "relationship--2d07e32d-e9cd-4b19-86ad-4573824d6919", + "created": "2022-09-27T16:30:41.482Z", "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2022-09-27T16:22:57.470Z", - "description": "Engineering and asset management software will often maintain a copy of the expected program loaded on a controller and may also record any changes made to controller programs. Data from these platforms can be used to identify modified controller programs.", + "modified": "2022-09-27T16:30:41.482Z", + "description": "Monitor device management protocols for functions that modify programs such as online edit and program append events.", "relationship_type": "detects", - "source_ref": "x-mitre-data-component--8ed4e6d0-56d7-4e6b-8fa6-41f41631f30d", + "source_ref": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c", "target_ref": "attack-pattern--fc5fda7e-6b2c-4457-b036-759896a2efa2", "x_mitre_deprecated": false, "x_mitre_version": "0.1", 
@@ -10920,30 +15188,102 @@ }, { "type": "relationship", - "id": "relationship--a846dbe5-9ef3-4fb6-93d5-f764671a75c8", - "created": "2021-04-11T14:06:54.109Z", + "id": "relationship--dda29418-9570-405a-b7db-97e951e5aa53", + "created": "2022-09-26T19:36:13.409Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-14T19:35:58.409Z", + "description": "Monitor application logs for changes to settings and other events associated with network protocols and other services commonly abused for AiTM.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--9c2fa0ae-7abc-485a-97f6-699e3b6cf9fa", + "target_ref": "attack-pattern--9a505987-ab05-4f46-a9a6-6441442eec3b", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--a7fbe555-a61b-4b93-bfb2-8e0dd0d6323e", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.126Z", + "relationship_type": "mitigates", + "description": "Consider utilizing jump boxes for external remote access. 
Additionally, dynamic account management may be used to easily remove accounts when not in use.\n", + "source_ref": "course-of-action--e57ebc6d-785f-40c8-adb1-b5b5e09b3b48", + "target_ref": "attack-pattern--8d2f3bab-507c-4424-b58b-edc977bd215c", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--cea2f5a7-4871-4c62-a2d5-5a76aadf2d1a", + "created": "2022-09-26T14:37:45.140Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-09-26T14:37:45.140Z", + "description": "Monitor for anomalous or unexpected commands that may result in changes to the process operation (e.g., discrete write, logic and device configuration, mode changes) observable via asset application logs.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--4c12c1c8-bcef-4daf-8e5b-fca235f71d9e", + "target_ref": "attack-pattern--40b300ba-f553-48bf-862e-9471b220d455", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "2.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--6f0384e6-73c8-4fc7-bc0c-0a8c2bfa473d", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.069Z", + "relationship_type": "mitigates", + "description": "Utilize network allowlists to restrict unnecessary connections to network devices (e.g., comm servers, serial to ethernet converters) and services, especially in cases when devices have limits on the number of simultaneous sessions they support.\n", + 
"source_ref": "course-of-action--aadac250-bcdc-44e3-a4ae-f52bd0a7a16a", + "target_ref": "attack-pattern--3de230d4-3e42-4041-b089-17e1128feded", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--31bf1721-78a2-4b6c-b325-5c44dc02ea33", + "created": "2017-12-14T16:46:06.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { - "source_name": "ICS CERT September 2018", - "description": "ICS CERT 2018, September 06 Advantech/Broadwin WebAccess RPC Vulnerability (Update B) Retrieved. 2019/12/05 ", - "url": "https://www.us-cert.gov/ics/advisories/ICSA-11-094-02B" + "source_name": "Eduard Kovacs March 2018", + "description": "Eduard Kovacs 2018, March 1 Five Threat Groups Target Industrial Systems: Dragos Retrieved. 2020/01/03 ", + "url": "https://www.securityweek.com/five-threat-groups-target-industrial-systems-dragos" }, { - "source_name": "ICS-CERT December 2014", - "description": "ICS-CERT 2014, December 10 ICS Alert (ICS-ALERT-14-281-01E) Ongoing Sophisticated Malware Campaign Compromising ICS (Update E) Retrieved. 2019/10/11 ", - "url": "https://www.us-cert.gov/ics/alerts/ICS-ALERT-14-281-01B" + "source_name": "Novetta Threat Research Group February 2016", + "description": "Novetta Threat Research Group 2016, February 24 Operation Blockbuster: Unraveling the Long Thread of the Sony Attack Retrieved. 
2016/02/25 ", + "url": "https://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Report.pdf" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2022-10-12T16:59:07.486Z", - "description": "[Sandworm Team](https://attack.mitre.org/groups/G0034) actors exploited vulnerabilities in GE's Cimplicity HMI and Advantech/Broadwin WebAccess HMI software which had been directly exposed to the internet. (Citation: ICS-CERT December 2014) (Citation: ICS CERT September 2018)", + "modified": "2022-10-12T16:15:30.732Z", + "description": "[Lazarus Group](https://attack.mitre.org/groups/G0032) has been observed targeting organizations using spearphishing documents with embedded malicious payloads. (Citation: Novetta Threat Research Group February 2016) Highly targeted spear phishing campaigns have been conducted against a U.S. electric grid company. (Citation: Eduard Kovacs March 2018)", "relationship_type": "uses", - "source_ref": "intrusion-set--381fcf73-60f6-4ab2-9991-6af3cbc35192", - "target_ref": "attack-pattern--32632a95-6856-47b9-9ab7-fea5cd7dce00", + "source_ref": "intrusion-set--c93fccb1-e8e8-42cf-ae33-2ad1d183913a", + "target_ref": "attack-pattern--648f995e-9c3a-41e4-aeee-98bb41037426", "x_mitre_deprecated": false, "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "2.1.0", 
@@ -10951,29 +15291,224 @@ }, { "type": "relationship", - "id": "relationship--71422483-33e4-4131-a4ec-40322d91d8a0", - "created": "2019-06-24T17:20:24.258Z", + "id": "relationship--cad91f87-7cc7-4771-8c7b-1599793ed3c1", + "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { - "source_name": "Catalin Cimpanu April 2016", - "description": "Catalin Cimpanu 2016, April 26 Malware Shuts Down German Nuclear Power Plant on Chernobyl's 30th Anniversary Retrieved. 2019/10/14 ", - "url": "https://news.softpedia.com/news/on-chernobyl-s-30th-anniversary-malware-shuts-down-german-nuclear-power-plant-503429.shtml" + "source_name": "Carl Hurd March 2019", + "description": "Carl Hurd 2019, March 26 VPNFilter Deep Dive Retrieved. 2019/03/28 ", + "url": "https://www.youtube.com/watch?v=yuZazP22rpI" }, { - "source_name": "Symantec June 2015", - "description": "Symantec 2015, June 30 Simple steps to protect yourself from the Conficker Worm Retrieved. 2019/12/05 ", - "url": "https://support.symantec.com/us/en/article.tech93179.html" + "source_name": "William Largent June 2018", + "description": "William Largent 2018, June 06 VPNFilter Update - VPNFilter exploits endpoints, targets new devices Retrieved. 2019/03/28 ", + "url": "https://blog.talosintelligence.com/2018/06/vpnfilter-update.html" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2022-10-17T15:38:28.233Z", - "description": "[Conficker](https://attack.mitre.org/software/S0608) exploits Windows drive shares. Once it has infected a computer, [Conficker](https://attack.mitre.org/software/S0608) automatically copies itself to all visible open drive shares on other computers inside the network. 
(Citation: Symantec June 2015) Nuclear power plant officials suspect someone brought in [Conficker](https://attack.mitre.org/software/S0608) by accident on a USB thumb drive, either from home or computers found in the power plant's facility. (Citation: Catalin Cimpanu April 2016)", + "modified": "2022-10-12T18:31:19.732Z", + "description": "The [VPNFilter](https://attack.mitre.org/software/S1010) packet sniffer looks for basic authentication as well as monitors ICS traffic, and is specific to the TP-LINK R600-VPN. The malware uses a raw socket to look for connections to a pre-specified IP address, only looking at TCP packets that are 150 bytes or larger. Packets that are not on port 502, are scanned for BasicAuth, and that information is logged. This may have allowed credential harvesting from communications between devices accessing a modbus-enabled HMI. (Citation: William Largent June 2018) (Citation: Carl Hurd March 2019)", "relationship_type": "uses", - "source_ref": "malware--58eddbaf-7416-419a-ad7b-e65b9d4c3b55", + "source_ref": "malware--6108f800-10b8-4090-944e-be579f01263d", + "target_ref": "attack-pattern--38213338-1aab-479d-949b-c81b66ccca5c", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--66d637a0-4874-4b12-bd3a-b408acb06d26", + "created": "2022-05-11T16:22:58.806Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-14T16:53:54.118Z", + "description": "Monitor for executed processes (such as ipconfig/ifconfig and arp) with arguments that may look for details about the network configuration and settings, such as IP and/or MAC addresses. 
Also monitor for executed processes that may attempt to get a listing of network connections to or from the compromised system they are currently accessing or from remote systems by querying for information over the network.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--3d20385b-24ef-40e1-9f56-f39750379077", + "target_ref": "attack-pattern--ea0c980c-5cf0-43a7-a049-59c4c207566e", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--9d5b9b9c-058f-4782-80aa-9d501442a03d", + "created": "2022-05-11T16:22:58.807Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-14T19:34:07.441Z", + "description": "Alterations to the service binary path or the service startup type changed to disabled may be suspicious.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--74fa567d-bc90-425c-8a41-3c703abb221c", + "target_ref": "attack-pattern--063b5b92-5361-481a-9c3f-95492ed9a2d8", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--1f87378c-49fb-4da5-8ed3-3672633d3713", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.123Z", + "relationship_type": "mitigates", + "description": "Regularly scan the internal network for available services to identify new and potentially vulnerable services.\n", + "source_ref": 
"course-of-action--de0bc375-50e1-4e26-a342-a8ff8c9d3037", + "target_ref": "attack-pattern--85a45294-08f1-4539-bf00-7da08aa7b0ee", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--f497fd3e-8f05-4db2-97cc-48a8d35a8827", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.091Z", + "relationship_type": "mitigates", + "description": "Develop and publish policies that define acceptable information to be stored in repositories.\n", + "source_ref": "course-of-action--dc61c280-c29d-44e5-a960-c0dd1623d2ba", + "target_ref": "attack-pattern--3405891b-16aa-4bd7-bd7c-733501f9b20f", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--99ec0a8e-4a4f-427c-89db-163e4b206021", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.094Z", + "relationship_type": "mitigates", + "description": "Hot-standbys in diverse locations can ensure continued operations if the primarily system are compromised or unavailable. At the network layer, protocols such as the Parallel Redundancy Protocol can be used to simultaneously use redundant and diverse communication over a local network. (Citation: M. Rentschler and H. Heine)\n", + "source_ref": "course-of-action--f0f5c87a-a58d-440a-b3b5-ca679d98c6dd", + "target_ref": "attack-pattern--e33c7ecc-5a38-497f-beb2-a9a2049a4c20", + "external_references": [ + { + "source_name": "M. 
Rentschler and H. Heine", + "description": "M. Rentschler and H. Heine The Parallel Redundancy Protocol for industrial IP networks Retrieved. 2020/09/25 ", + "url": "https://ieeexplore.ieee.org/document/6505877" + } + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--531e0589-0dad-444d-aca4-6198ba5d9fcd", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.208Z", + "relationship_type": "mitigates", + "description": "Segment operational assets and their management devices based on their functional role within the process. Enabling more strict isolation to more critical control and operational information within the control environment. (Citation: Karen Scarfone; Paul Hoffman September 2009) (Citation: Keith Stouffer May 2015) (Citation: Department of Homeland Security September 2016) (Citation: Dwight Anderson 2014) \n", + "source_ref": "course-of-action--1e7ccfc0-94c8-496e-8d27-032120892291", + "target_ref": "attack-pattern--8535b71e-3c12-4258-a4ab-40257a1becc4", + "external_references": [ + { + "source_name": "Karen Scarfone; Paul Hoffman September 2009", + "description": "Karen Scarfone; Paul Hoffman 2009, September Guidelines on Firewalls and Firewall Policy Retrieved. 2020/09/25 ", + "url": "https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-41r1.pdf" + }, + { + "source_name": "Keith Stouffer May 2015", + "description": "Keith Stouffer 2015, May Guide to Industrial Control Systems (ICS) Security Retrieved. 
2018/03/28 ", + "url": "https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-82r2.pdf" + }, + { + "source_name": "Department of Homeland Security September 2016", + "description": "Department of Homeland Security 2016, September Retrieved. 2020/09/25 ", + "url": "https://us-cert.cisa.gov/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf" + }, + { + "source_name": "Dwight Anderson 2014", + "description": "Dwight Anderson 2014 Protect Critical Infrastructure Systems With Whitelisting Retrieved. 2020/09/25 ", + "url": "https://www.sans.org/reading-room/whitepapers/ICS/protect-critical-infrastructure-systems-whitelisting-35312" + } + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--ea50253a-3220-458b-b810-ad032f2b182f", + "created": "2018-04-18T17:59:24.739Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "DHS CISA February 2019", + "description": "DHS CISA 2019, February 27 MAR-17-352-01 HatManSafety System Targeted Malware (Update B) Retrieved. 2019/03/08 ", + "url": "https://ics-cert.us-cert.gov/sites/default/files/documents/MAR-17-352-01%20HatMan%20-%20Safety%20System%20Targeted%20Malware%20%28Update%20B%29.pdf" + }, + { + "source_name": "ICS-CERT December 2018", + "description": "ICS-CERT 2018, December 18 Advisory (ICSA-18-107-02) - Schneider Electric Triconex Tricon (Update B) Retrieved. 2019/03/08 ", + "url": "https://ics-cert.us-cert.gov/advisories/ICSA-18-107-02" + }, + { + "source_name": "Schneider Electric January 2018", + "description": "Schneider Electric 2018, January 23 TRITON - Schneider Electric Analysis and Disclosure Retrieved. 
2019/03/14 ", + "url": "https://www.youtube.com/watch?v=f09E75bWvkk&index=3&list=PL8OWO1qWXF4qYG19p7An4Vw3N2YZ86aRS&t=0s" + }, + { + "source_name": "The Office of Nuclear Reactor Regulation", + "description": "The Office of Nuclear Reactor Regulation Schneider Electric 2018, January 23 TRITON - Schneider Electric Analysis and Disclosure Retrieved. 2019/03/14 Triconex Topical Report 7286-545-1 Retrieved. 2018/05/30 ", + "url": "https://www.nrc.gov/docs/ML1209/ML120900890.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-12T18:28:54.342Z", + "description": "[Triton](https://attack.mitre.org/software/S1009) disables a firmware RAM/ROM consistency check after injects a payload (imain.bin) into the firmware memory region. (Citation: DHS CISA February 2019) (Citation: ICS-CERT December 2018) (Citation: Schneider Electric January 2018) Triconex systems include continuous means of detection including checksums for firmware and program integrity, memory and memory reference integrity, and configuration. (Citation: The Office of Nuclear Reactor Regulation)", + "relationship_type": "uses", + "source_ref": "malware--80099a91-4c86-4bea-9ccb-dac55d61960e", + "target_ref": "attack-pattern--9f947a1c-3860-48a8-8af0-a2dfa3efde03", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--26254163-4f25-4d30-8456-ca093459ff32", + "created": "2022-05-11T16:22:58.807Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-14T16:32:29.856Z", + "description": "Monitor for newly executed processes that execute from removable media after it is mounted or when initiated by a user. 
If a remote access tool is used in this manner to move laterally, then additional actions are likely to occur after execution, such as opening network connections for Command and Control and system and network information Discovery. ", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--3d20385b-24ef-40e1-9f56-f39750379077", "target_ref": "attack-pattern--c267bbee-bb59-47fe-85e0-3ed210337c21", "x_mitre_deprecated": false, "x_mitre_version": "1.0", 
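Review bot: The `description` of the added external reference `The Office of Nuclear Reactor Regulation` (in `relationship--ea50253a-3220-458b-b810-ad032f2b182f`) has the text of the preceding `Schneider Electric January 2018` citation spliced in front of its own title, so one entry names two documents and two retrieval dates. Anything that renders or de-duplicates citations from this field will attribute the TRITON disclosure video to the NRC PDF. Going by the URL and the trailing text, the entry presumably should read `"description": "The Office of Nuclear Reactor Regulation Triconex Topical Report 7286-545-1 Retrieved. 2018/05/30 "`; please confirm against the source record. Two added descriptions in this hunk also have wording slips worth fixing in the same pass: `after injects a payload` (presumably `after it injects a payload`) and `if the primarily system are compromised` (presumably `if the primary systems are compromised`).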
@@ -10982,11 +15517,228 @@ }, { "type": "relationship", - "id": "relationship--41ff63a3-ddb9-47fb-8d92-bed74ed0d41d", + "id": "relationship--71c81024-ea36-4853-940a-cd9d4cbcabed", "created": "2021-04-11T14:06:54.109Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ + { + "source_name": "Dragos December 2017", + "description": "Dragos 2017, December 13 TRISIS Malware Analysis of Safety System Targeted Malware Retrieved. 2018/01/12 ", + "url": "https://dragos.com/blog/trisis/TRISIS-01.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-12T17:05:39.957Z", + "description": "[TEMP.Veles](https://attack.mitre.org/groups/G0088) utilized remote desktop protocol (RDP) jump boxes to move into the ICS environment. (Citation: Dragos December 2017)", + "relationship_type": "uses", + "source_ref": "intrusion-set--9538b1a4-4120-4e2d-bf59-3b11fcab05a4", + "target_ref": "attack-pattern--e1f9cdd2-9511-4fca-90d7-f3e92cfdd0bf", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--4122cdb6-09a4-4b68-b0d1-5d880cf5a4ef", + "created": "2022-05-11T16:22:58.804Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-09-27T18:37:06.013Z", + "description": "In the case of detecting collection from local systems monitor for unexpected/abnormal access to files that may be malicious collection of local data, such as user files (e.g., .pdf, .docx, .jpg, .dwg ) or local databases. 
For added context on adversary procedures and background see [Data from Local System](https://attack.mitre.org/techniques/T1005).", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--235b7491-2d2b-4617-9a52-3c0783680f71", + "target_ref": "attack-pattern--3405891b-16aa-4bd7-bd7c-733501f9b20f", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--e5b62475-bd08-4ac6-a6f7-78f1843bf506", + "created": "2022-05-11T16:22:58.806Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-14T19:52:04.484Z", + "description": "Monitor executed commands and arguments for actions that aid in sniffing network traffic to capture information about an environment.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--685f917a-e95e-4ba0-ade1-c7d354dae6e0", + "target_ref": "attack-pattern--38213338-1aab-479d-949b-c81b66ccca5c", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--6d822f86-5793-403a-b176-5d533f6b81b3", + "created": "2018-04-18T17:59:24.739Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Daavid Hentunen, Antti Tikkanen June 2014", + "description": "Daavid Hentunen, Antti Tikkanen 2014, June 23 Havex Hunts For ICS/SCADA Systems Retrieved. 
2019/04/01 ", + "url": "https://www.f-secure.com/weblog/archives/00002718.html" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-12T17:19:43.236Z", + "description": "The [Backdoor.Oldrea](https://attack.mitre.org/software/S0093) RAT is distributed through trojanized installers planted on compromised vendor sites. (Citation: Daavid Hentunen, Antti Tikkanen June 2014)", + "relationship_type": "uses", + "source_ref": "malware--083bb47b-02c8-4423-81a2-f9ef58572974", + "target_ref": "attack-pattern--5e0f75da-e108-4688-a6de-a4f07cc2cbe3", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--98b229f8-6020-4fbb-b104-54fd478c14d9", + "created": "2022-05-11T16:22:58.804Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-09-26T16:29:49.652Z", + "description": "Monitor logon sessions for default credential use.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--9ce98c86-8d30-4043-ba54-0784d478d0b5", + "target_ref": "attack-pattern--8bb4538f-f16f-49f0-a431-70b5444c7349", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--c8a40335-90d6-496a-b4f9-1cc93d3fffc6", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2021-04-12T17:00:17.249Z", + "modified": "2022-05-06T17:47:24.212Z", + "relationship_type": "mitigates", + "description": "A supply 
chain management program should include methods the assess the trustworthiness and technical maturity of a supplier, along with technical methods (e.g., code-signing, bill of materials) needed to validate the integrity of newly obtained devices and components. Develop procurement language that emphasizes the expectations for suppliers regarding the artifacts, audit records, and technical capabilities needed to validate the integrity of the devices supply chain. (Citation: Robert A. Martin January 2021)\n", + "source_ref": "course-of-action--ac8f3492-7fbb-4a0a-b0b4-b75ec676136c", + "target_ref": "attack-pattern--5e0f75da-e108-4688-a6de-a4f07cc2cbe3", + "external_references": [ + { + "source_name": "Robert A. Martin January 2021", + "description": "Robert A. Martin 2021, January TRUSTING OUR SUPPLY CHAINS: A COMPREHENSIVE DATA-DRIVEN APPROACH Retrieved. 2021/04/12 ", + "url": "https://www.mitre.org/sites/default/files/publications/pr-20-01465-37-trusting-our-supply-chains-a-comprehensive-data-driven-approach.pdf" + } + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--72bfda0b-31e9-4958-8d40-6efe816d9989", + "created": "2022-09-27T15:32:03.332Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-14T16:33:47.681Z", + "description": "Devices that provide user access to the underlying operating system may allow the installation of custom software to monitor OS API execution. Monitoring API calls may generate a significant amount of data and may not be useful for defense unless collected under specific circumstances, since benign use of API functions are common and may be difficult to distinguish from malicious behavior. 
Correlation of other events with behavior surrounding API function calls using API monitoring will provide additional context to an event that may assist in determining if it is due to malicious behavior.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e", + "target_ref": "attack-pattern--5a2610f6-9fff-41e1-bc27-575ca20383d4", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--1c12b1d6-d636-45c6-98f4-947ddb502cb0", + "created": "2022-05-11T16:22:58.804Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-09-26T15:11:33.323Z", + "description": "Monitor for lack of operational process data which may help identify a loss of communications. 
This will not directly detect the technique’s execution, but instead may provide additional evidence that the technique has been used and may complement other detections.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--931b3fc6-ad68-42a8-9018-e98515eedc95", + "target_ref": "attack-pattern--1c478716-71d9-46a4-9a53-fa5d576adb60", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--d6a2a1a8-8f5b-4e94-8fce-8edd8a17627a", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.209Z", + "relationship_type": "mitigates", + "description": "When available utilize hardware and software root-of-trust to verify the authenticity of a system. 
This may be achieved through cryptographic means, such as digital signatures or hashes, of critical software and firmware throughout the supply chain.\n", + "source_ref": "course-of-action--71eb7dad-07eb-4bbc-9df0-ac57bf2fba4a", + "target_ref": "attack-pattern--5e0f75da-e108-4688-a6de-a4f07cc2cbe3", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--892c0bff-17b6-447b-a213-6a3189a1df82", + "created": "2022-05-11T16:22:58.806Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-14T19:51:45.844Z", + "description": "Monitor for newly executed processes that can aid in sniffing network traffic to capture information about an environment.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--3d20385b-24ef-40e1-9f56-f39750379077", + "target_ref": "attack-pattern--38213338-1aab-479d-949b-c81b66ccca5c", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--95b12e1a-7f21-4fa0-9b2a-c96c7c270625", + "created": "2021-10-14T21:33:27.046Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Dragos", + "description": "Dragos Electrum Retrieved. 2019/10/27 ", + "url": "https://dragos.com/resource/electrum/" + }, + { + "source_name": "Dragos October 2018", + "description": "Dragos 2018, October 12 Anatomy of an Attack: Detecting and Defeating CRASHOVERRIDE Retrieved. 
2019/10/14 ", + "url": "https://dragos.com/wp-content/uploads/CRASHOVERRIDE2018.pdf" + }, { "source_name": "Electricity Information Sharing and Analysis Center; SANS Industrial Control Systems March 2016", "description": "Electricity Information Sharing and Analysis Center; SANS Industrial Control Systems 2016, March 18 Analysis of the Cyber Attack on the Ukranian Power Grid: Defense Use Case Retrieved. 2018/03/27 ", @@ -10996,11 +15748,11 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2022-10-12T16:55:23.567Z", - "description": "In the Ukraine 2015 Incident, [Sandworm Team](https://attack.mitre.org/groups/G0034) blocked reporting messages by using malicious firmware to render communication devices inoperable. (Citation: Electricity Information Sharing and Analysis Center; SANS Industrial Control Systems March 2016)", + "modified": "2022-10-12T16:57:19.471Z", + "description": "[Sandworm Team](https://attack.mitre.org/groups/G0034) used valid accounts to laterally move through VPN connections and dual-homed systems. (Citation: Dragos) (Citation: Dragos October 2018) In the Ukraine 2015 Incident, [Sandworm Team](https://attack.mitre.org/groups/G0034) used the credentials of valid accounts to interact with client applications and access employee workstations hosting HMI applications. (Citation: Electricity Information Sharing and Analysis Center; SANS Industrial Control Systems March 2016)", "relationship_type": "uses", "source_ref": "intrusion-set--381fcf73-60f6-4ab2-9991-6af3cbc35192", - "target_ref": "attack-pattern--3f1f4ccb-9be2-4ff8-8f69-dd972221169b", + "target_ref": "attack-pattern--cd2c76a4-5e23-4ca5-9c40-d5e0604f7101", "x_mitre_deprecated": false, "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "2.1.0", 
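Review bot: In the hunk starting at `@@ -10982,11 +15517,228 @@`, the added mitigation text for `relationship--c8a40335-90d6-496a-b4f9-1cc93d3fffc6` reads `methods the assess the trustworthiness and technical maturity of a supplier`, which should presumably be `methods to assess the trustworthiness and technical maturity of a supplier`. The same sentence ends with `the integrity of the devices supply chain`, where `the device supply chain` looks intended. Both are in the `description` string only, so correcting them does not touch the `source_ref`/`target_ref` mapping.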
@@ -11008,30 +15760,146 @@ }, { "type": "relationship", - "id": "relationship--0f18b876-b698-4f70-aa98-50e8b5a7eae2", - "created": "2018-04-18T17:59:24.739Z", + "id": "relationship--0d305450-d5ca-46fe-8583-36c983dd0a88", + "created": "2022-05-11T16:22:58.804Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-09-26T16:43:33.144Z", + "description": "Monitor ICS management protocols for functions that change an asset’s operating mode.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c", + "target_ref": "attack-pattern--2883c520-7957-46ca-89bd-dab1ad53b601", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--43777394-ff59-4261-b1cf-b41a1f4f4d8b", + "created": "2022-05-11T16:22:58.806Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-09-26T16:24:52.417Z", + "description": "Monitor device alarms for program downloads, although not all devices produce such alarms.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--9d56be63-3501-4dd3-bb5f-63c580833298", + "target_ref": "attack-pattern--be69c571-d746-4b1f-bdd0-c0c9817e9068", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--e8d5ee60-952f-42ff-bf48-7da9cd0fdb23", + "created": "2022-05-11T16:22:58.805Z", + "created_by_ref": 
"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-14T19:46:16.720Z", + "description": "When authentication is not required to access an exposed remote service, monitor for follow-on activities such as anomalous external use of the exposed API or application.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--9c2fa0ae-7abc-485a-97f6-699e3b6cf9fa", + "target_ref": "attack-pattern--8d2f3bab-507c-4424-b58b-edc977bd215c", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--a731ad54-0c3c-47bb-9559-d99950782beb", + "created": "2022-05-11T16:22:58.806Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-09-26T19:22:39.784Z", + "description": "Monitor interactions with network shares, such as reads or file transfers, using remote services such as Server Message Block (SMB). 
For added context on adversary procedures and background see [Remote Services](https://attack.mitre.org/techniques/T1021) and applicable sub-techniques.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--f5468e67-51c7-4756-9b4f-65707708e7fa", + "target_ref": "attack-pattern--e1f9cdd2-9511-4fca-90d7-f3e92cfdd0bf", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--5771ce27-7cc7-4144-8c11-c1a6d2ac3e2c", + "created": "2022-05-11T16:22:58.806Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-09-27T16:33:10.450Z", + "description": "Monitor for unexpected changes to project files, although if the malicious modification occurs in tandem with legitimate changes it will be difficult to isolate the unintended changes by analyzing only file systems modifications.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--84572de3-9583-4c73-aabd-06ea88123dd8", + "target_ref": "attack-pattern--e72425f8-9ae6-41d3-bfdb-e1b865e60722", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--f0c81c9f-2fb7-4e7d-98ed-c75e3be7d962", + "created": "2017-12-14T16:46:06.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { - "source_name": "Andy Greenburg June 2019", - "description": "Andy Greenburg 2019, June 20 Iranian Hackers Launch a New US-Targeted Campaign as Tensions Mount Retrieved. 
2020/01/03 ", - "url": "https://www.wired.com/story/iran-hackers-us-phishing-tensions/" - }, - { - "source_name": "Jacqueline O'Leary et al. September 2017", - "description": "Jacqueline O'Leary et al. 2017, September 20 Insights into Iranian Cyber Espionage: APT33 Targets Aerospace and Energy Sectors and has Ties to Destructive Malware Retrieved. 2019/12/02 ", - "url": "https://www.fireeye.com/blog/threat-research/2017/09/apt33-insights-into-iranian-cyber-espionage.html" + "source_name": "Nicolas Falliere, Liam O Murchu, Eric Chien February 2011", + "description": "Nicolas Falliere, Liam O Murchu, Eric Chien 2011, February W32.Stuxnet Dossier (Version 1.4) Retrieved. 2017/09/22 ", + "url": "https://www.wired.com/images_blogs/threatlevel/2011/02/Symantec-Stuxnet-Update-Feb-2011.pdf" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2022-10-12T15:41:49.943Z", - "description": "[APT33](https://attack.mitre.org/groups/G0064) sent spear phishing emails containing links to HTML application files, which were embedded with malicious code. (Citation: Jacqueline O'Leary et al. September 2017) [APT33](https://attack.mitre.org/groups/G0064) has conducted targeted spear phishing campaigns against U.S. government agencies and private sector companies. (Citation: Andy Greenburg June 2019)", + "modified": "2022-09-20T21:21:24.221Z", + "description": "When the peripheral output is written to, sequence C intercepts the output and ensures it is not written to the process image output. The output is the instructions the PLC sends to a device to change its operating behavior. By intercepting the peripheral output, [Stuxnet](https://attack.mitre.org/software/S0603) prevents an operator from noticing unauthorized commands sent to the peripheral. 
(Citation: Nicolas Falliere, Liam O Murchu, Eric Chien February 2011)", "relationship_type": "uses", - "source_ref": "intrusion-set--fbd29c89-18ba-4c2d-b792-51c0adee049f", - "target_ref": "attack-pattern--648f995e-9c3a-41e4-aeee-98bb41037426", + "source_ref": "malware--088f1d6e-0783-47c6-9923-9c79b2af43d4", + "target_ref": "attack-pattern--36e9f5bc-ac13-4da4-a2f4-01f4877d9004", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--351e19c4-c16e-493a-9800-a433107aacf1", + "created": "2018-04-18T17:59:24.739Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "DHS CISA February 2019", + "description": "DHS CISA 2019, February 27 MAR-17-352-01 HatManSafety System Targeted Malware (Update B) Retrieved. 2019/03/08 ", + "url": "https://ics-cert.us-cert.gov/sites/default/files/documents/MAR-17-352-01%20HatMan%20-%20Safety%20System%20Targeted%20Malware%20%28Update%20B%29.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-12T18:24:36.935Z", + "description": "[Triton](https://attack.mitre.org/software/S1009) uses a Python script that is capable of detecting Triconex controllers on the network by sending a specific UDP broadcast packet over port 1502. (Citation: DHS CISA February 2019)", + "relationship_type": "uses", + "source_ref": "malware--80099a91-4c86-4bea-9ccb-dac55d61960e", + "target_ref": "attack-pattern--d5a69cfb-fc2a-46cb-99eb-74b236db5061", "x_mitre_deprecated": false, "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "2.1.0", 
@@ -11042,19 +15910,143 @@ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", - "id": "relationship--276aa6a6-e700-470a-8f72-02537ba7be9d", + "id": "relationship--03d44496-7a15-4e23-820f-b6f1079dbbd3", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.128Z", + "modified": "2022-05-06T17:47:24.209Z", "relationship_type": "mitigates", - "description": "Configure features related to account use like login attempt lockouts, specific login times, and password strength requirements as examples. Consider these features as they relate to assets which may impact safety and availability. (Citation: Keith Stouffer May 2015)\n", - "source_ref": "course-of-action--86b455f2-fb63-4043-93a8-32a3a7703a02", - "target_ref": "attack-pattern--8d2f3bab-507c-4424-b58b-edc977bd215c", + "description": "A patch management process should be implemented to check unused dependencies, unmaintained and/or previously vulnerable dependencies, unnecessary features, components, files, and documentation.\n", + "source_ref": "course-of-action--97f33c84-8508-45b9-8a1d-cac921828c9e", + "target_ref": "attack-pattern--5e0f75da-e108-4688-a6de-a4f07cc2cbe3", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--b252a076-6d4e-49f5-95ac-16264ef05b1d", + "created": "2017-12-14T16:46:06.044Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, "external_references": [ { - "source_name": "Keith Stouffer May 2015", - "description": "Keith Stouffer 2015, May Guide to Industrial Control Systems (ICS) Security Retrieved. 
2018/03/28 ", - "url": "https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-82r2.pdf" + "source_name": "Anton Cherepanov", + "description": "Anton Cherepanov BlackEnergy by the SSHBearDoor: attacks against Ukrainian news media and electric industry Retrieved. 2019/10/29 ", + "url": "https://www.welivesecurity.com/2016/01/03/blackenergy-sshbeardoor-details-2015-attacks-ukrainian-news-media-electric-industry/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-12T17:55:06.661Z", + "description": "[KillDisk](https://attack.mitre.org/software/S0607) is able to delete system files to make the system unbootable and targets 35 different types of files for deletion. (Citation: Anton Cherepanov)", + "relationship_type": "uses", + "source_ref": "malware--e221eb77-1502-4129-af1d-fe1ad55e7ec6", + "target_ref": "attack-pattern--493832d9-cea6-4b63-abe7-9a65a6473675", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--5914a482-dbb7-429d-96f3-77f0588ac12d", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.123Z", + "relationship_type": "mitigates", + "description": "Develop a robust cyber threat intelligence capability to determine what types and levels of threat may use software exploits and 0-days against a particular organization.\n", + "source_ref": "course-of-action--d48b79b2-076d-483e-949c-0d38aa347499", + "target_ref": "attack-pattern--85a45294-08f1-4539-bf00-7da08aa7b0ee", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" 
+ }, + { + "type": "relationship", + "id": "relationship--ab8e129c-5411-4784-9194-068fa915da23", + "created": "2017-12-14T16:46:06.044Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Anton Cherepanov", + "description": "Anton Cherepanov BlackEnergy by the SSHBearDoor: attacks against Ukrainian news media and electric industry Retrieved. 2019/10/29 ", + "url": "https://www.welivesecurity.com/2016/01/03/blackenergy-sshbeardoor-details-2015-attacks-ukrainian-news-media-electric-industry/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-12T17:54:49.878Z", + "description": "[KillDisk](https://attack.mitre.org/software/S0607) deletes application, security, setup, and system event logs from Windows systems. (Citation: Anton Cherepanov)", + "relationship_type": "uses", + "source_ref": "malware--e221eb77-1502-4129-af1d-fe1ad55e7ec6", + "target_ref": "attack-pattern--53a26eee-1080-4d17-9762-2027d5a1b805", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--49d941a6-4da2-4516-92d0-1bc64554b2f2", + "created": "2022-05-11T16:22:58.803Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-14T19:37:44.970Z", + "description": "Monitor for any attempts to enable scripts running on a system would be considered suspicious. If scripts are not commonly used on a system, but enabled, scripts running out of cycle from patching or other administrator functions are suspicious. 
Scripts should be captured from the file system when possible, to determine their actions and intent.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--9f387817-df83-432a-b56b-a8fb7f71eedd", + "target_ref": "attack-pattern--3de230d4-3e42-4041-b089-17e1128feded", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--aae5d42f-6bfc-44b6-8ff3-4b7abb4526ca", + "created": "2022-05-11T16:22:58.807Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-14T19:32:51.548Z", + "description": "Monitor for newly executed processes that may stop or disable services on a system to render those services unavailable to legitimate users.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--3d20385b-24ef-40e1-9f56-f39750379077", + "target_ref": "attack-pattern--063b5b92-5361-481a-9c3f-95492ed9a2d8", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--8fcecf74-36df-41ab-9476-539c9ac0b339", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.179Z", + "relationship_type": "mitigates", + "description": "Segment operational network and systems to restrict access to critical system functions to predetermined management systems. 
(Citation: Department of Homeland Security September 2016)\n", + "source_ref": "course-of-action--1e7ccfc0-94c8-496e-8d27-032120892291", + "target_ref": "attack-pattern--be69c571-d746-4b1f-bdd0-c0c9817e9068", + "external_references": [ + { + "source_name": "Department of Homeland Security September 2016", + "description": "Department of Homeland Security 2016, September Retrieved. 2020/09/25 ", + "url": "https://us-cert.cisa.gov/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf" } ], "x_mitre_attack_spec_version": "2.1.0", 
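Review bot: The added `Department of Homeland Security September 2016` reference has no title in its `description` (`Department of Homeland Security 2016, September Retrieved. 2020/09/25 `), so anyone rendering the citation on the network-segmentation mitigation sees only an author and a date. The linked file is named `NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf`, so the missing title is presumably the ICS-CERT defense-in-depth recommended practice; confirm against the document before adding it. In the same hunk the detection text `Monitor for any attempts to enable scripts running on a system would be considered suspicious.` does not parse. Something like `Any attempt to enable scripts running on a system should be considered suspicious.` reads as intended. If this bundle is exported from a knowledge base, both corrections belong in the upstream record rather than in this file.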
@@ -11062,19 +16054,60 @@ "x_mitre_version": "1.0" }, { - "type": "relationship", - "id": "relationship--6bf14e79-3287-4b9e-b222-9d527530df1e", - "created": "2022-05-11T16:22:58.807Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2022-10-14T16:57:08.560Z", - "description": "Monitor and analyze traffic flows that do not follow the expected protocol standards and traffic flows (e.g., extraneous packets that do not belong to established flows , or gratuitous or anomalous traffic patterns). Consider correlation with process monitoring and command line to detect anomalous processes execution and command line arguments associated to traffic patterns (e.g., monitor anomalies in use of files that do not normally initiate connections for respective protocol(s)).", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--a7f22107-02e5-4982-9067-6625d4a1765a", - "target_ref": "attack-pattern--e076cca8-2f08-45c9-aff7-ea5ac798b387", + "type": "relationship", + "id": "relationship--58cb4cb5-4b0f-4ce0-b3f9-5deb9de31c52", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.145Z", + "relationship_type": "mitigates", + "description": "Utilize out-of-band communication to validate the integrity of data from the primary channel.\n", + "source_ref": "course-of-action--b11cad63-ef30-4eb8-af0d-6cc46eef3f3e", + "target_ref": "attack-pattern--4c2e1408-9d68-4187-8e6b-a77bc52700ec", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--98f1d575-a975-42ae-8b00-2c9e22d560d5", + "created_by_ref": 
"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.127Z", + "relationship_type": "mitigates", + "description": "Set and enforce secure password policies for accounts.\n", + "source_ref": "course-of-action--5d97c693-e054-48ba-a3a3-eaf6942dfb65", + "target_ref": "attack-pattern--8d2f3bab-507c-4424-b58b-edc977bd215c", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--679e7b8d-57d7-4c1d-8f42-1496606ea666", + "created": "2018-04-18T17:59:24.739Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Jeff Jones May 2018", + "description": "Jeff Jones 2018, May 10 Dragos Releases Details on Suspected Russian Infrastructure Hacking Team ALLANITE Retrieved. 2020/01/03 ", + "url": "https://www.eisac.com/public-news-detail?id=115909" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-12T15:40:28.784Z", + "description": "[ALLANITE](https://attack.mitre.org/groups/G1000) utilized spear phishing to gain access into energy sector environments. (Citation: Jeff Jones May 2018)", + "relationship_type": "uses", + "source_ref": "intrusion-set--190242d7-73fc-4738-af68-20162f7a5aae", + "target_ref": "attack-pattern--648f995e-9c3a-41e4-aeee-98bb41037426", "x_mitre_deprecated": false, "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "2.1.0", 
@@ -11082,7 +16115,26 @@ }, { "type": "relationship", - "id": "relationship--9fa31b58-d4f3-43e4-b5b2-cafcd0c6a99d", + "id": "relationship--db52c1b6-4e48-4e8c-a34c-3ca21b26fe8a", + "created": "2022-09-30T15:34:29.316Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-09-30T15:34:29.316Z", + "description": "Monitor for anomalies related to discovery related ICS functions, including devices that have not previously used these functions or for functions being sent to many outstations. Note that some ICS protocols use broadcast or multicast functionality, which may produce false positives. Also monitor for hosts enumerating network connected resources using non-ICS enterprise protocols.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c", + "target_ref": "attack-pattern--d5a69cfb-fc2a-46cb-99eb-74b236db5061", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "2.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--c848b096-3703-4962-b8a2-57682e26f31b", "created": "2021-04-11T14:06:54.109Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, 
@@ -11096,11 +16148,52 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2022-10-12T16:58:41.806Z", - "description": "[Sandworm Team](https://attack.mitre.org/groups/G0034) appears to use MS-SQL access to a pivot machine, allowing code execution throughout the ICS network. (Citation: Dragos October 2018)", + "modified": "2022-10-12T17:00:37.718Z", + "description": "[Sandworm Team](https://attack.mitre.org/groups/G0034) utilized VBS and batch scripts for file movement and as wrappers for PowerShell execution. (Citation: Dragos October 2018)", "relationship_type": "uses", "source_ref": "intrusion-set--381fcf73-60f6-4ab2-9991-6af3cbc35192", - "target_ref": "attack-pattern--e1f9cdd2-9511-4fca-90d7-f3e92cfdd0bf", + "target_ref": "attack-pattern--2dc2b567-8821-49f9-9045-8740f3d0b958", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--9f07c92a-78a0-438a-8cb2-01e2bddaeb42", + "created": "2021-01-04T21:30:14.830Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "ESET Industroyer", + "description": "Anton Cherepanov. (2017, June 12). Win32/Industroyer: A new threat for industrial controls systems. Retrieved December 18, 2020.", + "url": "https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf" + }, + { + "source_name": "Dragos Crashoverride 2017", + "description": "Dragos Inc.. (2017, June 13). CRASHOVERRIDE Analysis of the Threat to Electric Grid Operations. Retrieved December 18, 2020.", + "url": "https://dragos.com/blog/crashoverride/CrashOverride-01.pdf" + }, + { + "source_name": "Dragos Crashoverride 2018", + "description": "Joe Slowik. (2018, October 12). Anatomy of an Attack: Detecting and Defeating CRASHOVERRIDE. 
Retrieved December 18, 2020.", + "url": "https://www.dragos.com/wp-content/uploads/CRASHOVERRIDE2018.pdf" + }, + { + "source_name": "Secureworks IRON VIKING", + "description": "Secureworks. (2020, May 1). IRON VIKING Threat Profile. Retrieved June 10, 2020.", + "url": "https://www.secureworks.com/research/threat-profiles/iron-viking" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-12T18:46:32.756Z", + "description": "(Citation: Dragos Crashoverride 2018)(Citation: Dragos Crashoverride 2017)(Citation: ESET Industroyer)(Citation: Secureworks IRON VIKING)", + "relationship_type": "uses", + "source_ref": "intrusion-set--381fcf73-60f6-4ab2-9991-6af3cbc35192", + "target_ref": "malware--e401d4fe-f0c9-44f0-98e6-f93487678808", "x_mitre_deprecated": false, "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "2.1.0", 
@@ -11111,14 +16204,110 @@ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", - "id": "relationship--c9065f74-556d-4728-8072-f96642e70316", + "id": "relationship--74ec9ce5-3155-488c-ae56-570c47a1d207", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2021-04-12T18:59:24.739Z", - "modified": "2022-05-06T17:47:24.187Z", + "created": "2021-04-13T12:45:26.506Z", + "modified": "2022-05-06T17:47:24.194Z", "relationship_type": "mitigates", - "description": "Access Management technologies can help enforce authentication on critical remote service, examples include, but are not limited to, device management services (e.g., telnet, SSH), data access servers (e.g., HTTP, Historians), and HMI sessions (e.g., RDP, VNC).\n", + "description": "ICS environments typically have more statically defined devices, therefore minimize the use of both IT discovery protocols (e.g., DHCP, LLDP) and discovery functions in automation protocols. (Citation: D. Parsons and D. Wylie September 2019) (Citation: Colin Gray) Examples of automation protocols with discovery capabilities include OPC UA Device Discovery (Citation: Josh Rinaldi April 2016), BACnet (Citation: Aditya K Sood July 2019), and Ethernet/IP. (Citation: Langner November 2018)\n", + "source_ref": "course-of-action--52c7a1a9-3a78-4528-a44f-cd7b0fa3541a", + "target_ref": "attack-pattern--2fedbe69-581f-447d-8a78-32ee7db939a9", + "external_references": [ + { + "source_name": "D. Parsons and D. Wylie September 2019", + "description": "D. Parsons and D. Wylie 2019, September Practical Industrial Control System (ICS) Cybersecurity: IT and OT Have Converged Discover and Defend Your Assets Retrieved. 2020/09/25 ", + "url": "https://www.csiac.org/journal-article/practical-industrial-control-system-ics-cybersecurity-it-and-ot-have-converged-discover-and-defend-your-assets/" + }, + { + "source_name": "Colin Gray", + "description": "Colin Gray D. Parsons and D. 
Wylie 2019, September Practical Industrial Control System (ICS) Cybersecurity: IT and OT Have Converged Discover and Defend Your Assets Retrieved. 2020/09/25 How SDN Can Improve Cybersecurity in OT Networks Retrieved. 2020/09/25 ", + "url": "https://cdn.selinc.com/assets/Literature/Publications/Technical%20Papers/6891_HowSDN_CG_20180720_Web2.pdf?v=20190312-231901" + }, + { + "source_name": "Josh Rinaldi April 2016", + "description": "Josh Rinaldi 2016, April Still a Thrill: OPC UA Device Discovery Retrieved. 2020/09/25 ", + "url": "https://www.rtautomation.com/rtas-blog/still-a-thrill-opc-ua-device-discovery/" + }, + { + "source_name": "Aditya K Sood July 2019", + "description": "Aditya K Sood 2019, July Discovering and fingerprinting BACnet devices Retrieved. 2020/09/25 ", + "url": "https://www.helpnetsecurity.com/2019/07/10/bacnet-devices/" + }, + { + "source_name": "Langner November 2018", + "description": "Langner 2018, November Why Ethernet/IP changes the OT asset discovery game Retrieved. 2020/09/25 ", + "url": "https://www.langner.com/2018/11/why-ethernet-ip-changes-the-ot-asset-discovery-game/" + } + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--692324b4-064a-430c-8ffc-7f7acd537778", + "created": "2018-10-17T00:14:20.652Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Symantec", + "description": "Symantec W32.Duqu The precursor to the next Stuxnet Retrieved. 
2019/11/03 ", + "url": "https://docs.broadcom.com/doc/w32-duqu-11-en" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-12T17:43:39.823Z", + "description": "[Duqu](https://attack.mitre.org/software/S0038) downloads additional modules for the collection of data in information repositories. The modules are named: infostealer 1, infostealer 2 and reconnaissance. (Citation: Symantec)", + "relationship_type": "uses", + "source_ref": "malware--68dca94f-c11d-421e-9287-7c501108e18c", + "target_ref": "attack-pattern--3405891b-16aa-4bd7-bd7c-733501f9b20f", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--87c8ab74-576d-4962-b641-0762d374d1e8", + "created": "2018-10-17T00:14:20.652Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Anton Cherepanov, ESET June 2017", + "description": "Anton Cherepanov, ESET 2017, June 12 Win32/Industroyer: A new threat for industrial control systems Retrieved. 2017/09/15 ", + "url": "https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-09-23T18:49:35.368Z", + "description": "The [Industroyer](https://attack.mitre.org/software/S0604) SIPROTEC DoS module exploits the CVE-2015-5374 vulnerability in order to render a Siemens SIPROTEC device unresponsive. While the vulnerability does not directly cause the restart or shutdown of the device, the device must be restarted manually before it can resume operations. 
(Citation: Anton Cherepanov, ESET June 2017)", + "relationship_type": "uses", + "source_ref": "malware--e401d4fe-f0c9-44f0-98e6-f93487678808", + "target_ref": "attack-pattern--25dfc8ad-bd73-4dfd-84a9-3c3d383f76e9", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--5ca1d677-b41f-4f1e-b86b-f5637a418829", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.182Z", + "relationship_type": "mitigates", + "description": "Authenticate all access to field controllers before authorizing access to, or modification of, a device's state, logic, or programs. Centralized authentication techniques can help manage the large number of field controller accounts needed across the ICS.\n", "source_ref": "course-of-action--3992ce42-43e9-4bea-b8db-a102ec3ec1e3", - "target_ref": "attack-pattern--e1f9cdd2-9511-4fca-90d7-f3e92cfdd0bf", + "target_ref": "attack-pattern--3067b85e-271e-4bc5-81ad-ab1a81d411e3", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0" 
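Review bot: The `Colin Gray` entry in the new `external_references` array has two citations fused into one `description`: it repeats the D. Parsons and D. Wylie reference text before the SDN paper's title and carries two `Retrieved. 2020/09/25` stamps. A consumer that renders `(Citation: Colin Gray)` next to the discovery-protocol mitigation will show the CSIAC article under the wrong author and URL. Going by the shape of the other undated entries in this file, the string was probably meant to be `"description": "Colin Gray How SDN Can Improve Cybersecurity in OT Networks Retrieved. 2020/09/25 "`. Verify this against the linked paper before changing it.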
@@ -11128,32 +16317,221 @@ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", - "id": "relationship--07f4d65d-4572-450f-8cb2-908fee97bd67", + "id": "relationship--107d9a23-991b-44f5-97f6-7f6983c7013a", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.228Z", + "modified": "2022-05-06T17:47:24.099Z", "relationship_type": "mitigates", - "description": "Application control may be able to prevent the running of executables masquerading as other files.\n", - "source_ref": "course-of-action--4fa717d9-cabe-47c8-8cdd-86e9e2e37f30", - "target_ref": "attack-pattern--2736b752-4ec5-4421-a230-8977dea7649c", + "description": "Authenticate connections from software and devices to prevent unauthorized systems from accessing protected management functions.\n", + "source_ref": "course-of-action--72e46e53-e12d-4106-9c70-33241b6ed549", + "target_ref": "attack-pattern--2aa406ed-81c3-4c1d-ba83-cfbee5a2847a", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--7db9687b-7099-4cb6-a040-bc32fc549a81", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.195Z", + "relationship_type": "mitigates", + "description": "Protocols used for control functions should provide authenticity through MAC functions or digital signatures. 
If not, utilize bump-in-the-wire devices or VPNs to enforce communication authenticity between devices that are not capable of supporting this (e.g., legacy controllers, RTUs).\n", + "source_ref": "course-of-action--c7257b6e-4159-4771-b1f3-2bb93adaecac", + "target_ref": "attack-pattern--b14395bd-5419-4ef4-9bd8-696936f509bb", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0" }, { "type": "relationship", - "id": "relationship--0278ddbc-67d5-444d-8082-bf9974dee920", + "id": "relationship--2c641542-2e18-4943-849a-7141b7da4fcd", + "created": "2022-09-20T20:54:36.422Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Pinellas County Sheriffs Office February 2021", + "description": "Pinellas County Sheriffs Office 2021, February 8 Treatment Plant Intrusion Press Conference Retrieved. 2021/10/08 ", + "url": "https://www.youtube.com/watch?v=MkXDSOgLQ6M" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-18T13:25:27.955Z", + "description": "During the [Oldsmar Treatment Plant Intrusion](https://attack.mitre.org/campaigns/C0009), the threat actors raised the sodium hydroxide setpoint value from 100 part-per-million (ppm) to 11,100 ppm, far beyond normal operating levels.(Citation: Pinellas County Sheriffs Office February 2021)", + "relationship_type": "uses", + "source_ref": "campaign--65281d3e-b03c-46b8-8cd8-716363ac3cb2", + "target_ref": "attack-pattern--097924ce-a9a9-4039-8591-e0deedfb8722", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--739e7b8d-57d7-4c1d-8f42-1496606ea666", + "created": "2018-04-18T17:59:24.739Z", + 
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Dragos", + "description": "Dragos Symantec 2019, March 27 Elfin: Relentless Espionage Group Targets Multiple Organizations in Saudi Arabia and U.S. Retrieved. 2019/12/02 Magnallium Retrieved. 2019/10/27 ", + "url": "https://dragos.com/resource/magnallium/" + }, + { + "source_name": "Symantec March 2019", + "description": "Symantec 2019, March 27 Elfin: Relentless Espionage Group Targets Multiple Organizations in Saudi Arabia and U.S. Retrieved. 2019/12/02 ", + "url": "https://www.symantec.com/blogs/threat-intelligence/elfin-apt33-espionage" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-12T15:42:15.944Z", + "description": "[APT33](https://attack.mitre.org/groups/G0064) utilized PowerShell scripts to establish command and control and install files for execution. (Citation: Symantec March 2019) (Citation: Dragos)", + "relationship_type": "uses", + "source_ref": "intrusion-set--fbd29c89-18ba-4c2d-b792-51c0adee049f", + "target_ref": "attack-pattern--2dc2b567-8821-49f9-9045-8740f3d0b958", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--76b8bbce-1c65-4337-a4d7-320c594dc29e", + "created": "2022-05-11T16:22:58.805Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-09-26T19:36:51.486Z", + "description": "Monitor for network traffic originating from unknown/unexpected hosts. 
Local network traffic metadata (such as source MAC addressing) as well as usage of network management protocols such as DHCP may be helpful in identifying hardware. For added context on adversary procedures and background see [Adversary-in-the-Middle](https://attack.mitre.org/techniques/T1557) and applicable sub-techniques.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--a7f22107-02e5-4982-9067-6625d4a1765a", + "target_ref": "attack-pattern--9a505987-ab05-4f46-a9a6-6441442eec3b", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--234da455-b795-4788-bc5d-22b4b58b2dc7", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.212Z", + "relationship_type": "mitigates", + "description": "Protocols used for device management should authenticate all network messages to prevent unauthorized system changes.\n", + "source_ref": "course-of-action--c7257b6e-4159-4771-b1f3-2bb93adaecac", + "target_ref": "attack-pattern--b9160e77-ea9e-4ba9-b1c8-53a3c466b13d", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--f9c29dd4-1c5e-4f7e-b60a-862319a6d0a0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.184Z", + "relationship_type": "mitigates", + "description": "Allow for code signing of any project files stored at rest to prevent unauthorized tampering. 
Ensure the signing keys are not easily accessible on the same system.\n", + "source_ref": "course-of-action--71eb7dad-07eb-4bbc-9df0-ac57bf2fba4a", + "target_ref": "attack-pattern--e72425f8-9ae6-41d3-bfdb-e1b865e60722", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--433539bf-cb17-4de1-9c0f-e579b041514f", + "created": "2018-10-17T00:14:20.652Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Dragos Inc. June 2017", + "description": "Dragos Inc. 2017, June 13 Industroyer - Dragos - 201706: Analysis of the Threat to Electic Grid Operations Retrieved. 2017/09/18 ", + "url": "https://dragos.com/blog/crashoverride/CrashOverride-01.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-09-23T18:16:26.262Z", + "description": "[Industroyer](https://attack.mitre.org/software/S0604) attempts to connect with a hardcoded internal proxy on TCP 3128 [default Squid proxy]. If established, the backdoor attempts to reach an external C2 server via the internal proxy. (Citation: Dragos Inc. 
June 2017)", + "relationship_type": "uses", + "source_ref": "malware--e401d4fe-f0c9-44f0-98e6-f93487678808", + "target_ref": "attack-pattern--d67adac8-e3b9-44f9-9e6d-6c2a7d69dbe4", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--2e0769d7-088e-45d5-a262-6dbc91a95073", + "created": "2022-05-11T16:22:58.807Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-14T16:51:31.992Z", + "description": "Monitor for files (such as /etc/hosts) being accessed that may attempt to get a listing of other systems by IP address, hostname, or other logical identifier on a network that may be used for Lateral Movement from the current system.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--235b7491-2d2b-4617-9a52-3c0783680f71", + "target_ref": "attack-pattern--d5a69cfb-fc2a-46cb-99eb-74b236db5061", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--22448288-32d9-4d2c-be16-0784e119fff1", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.077Z", + "relationship_type": "mitigates", + "description": "All field controllers should require users to authenticate for all remote or local management sessions. 
The authentication mechanisms should also support [Account Use Policies](https://attack.mitre.org/mitigations/M0936), [Password Policies](https://attack.mitre.org/mitigations/M0927), and [User Account Management](https://attack.mitre.org/mitigations/M0918).", + "source_ref": "course-of-action--66cfe23e-34b6-4583-b178-ed6a412db2b0", + "target_ref": "attack-pattern--2883c520-7957-46ca-89bd-dab1ad53b601", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--3c341d13-938e-4535-ac75-10a79abc7017", "created": "2022-05-11T16:22:58.808Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2022-10-14T16:47:45.775Z", - "description": "Monitor for an authentication attempt by a user that may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion.", + "modified": "2022-10-14T16:46:17.575Z", + "description": "Monitor for application logging, messaging, and/or other artifacts that may rely upon specific actions by a user in order to gain execution.", "relationship_type": "detects", - "source_ref": "x-mitre-data-component--a953ca55-921a-44f7-9b8d-3d40141aa17e", - "target_ref": "attack-pattern--cd2c76a4-5e23-4ca5-9c40-d5e0604f7101", + "source_ref": "x-mitre-data-component--9c2fa0ae-7abc-485a-97f6-699e3b6cf9fa", + "target_ref": "attack-pattern--2736b752-4ec5-4421-a230-8977dea7649c", "x_mitre_deprecated": false, "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "2.1.0", 
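Review bot: The `Dragos` entry in `external_references` of `relationship--739e7b8d-57d7-4c1d-8f42-1496606ea666` has a description that looks like two citations run together: it opens with "Dragos Symantec 2019, March 27 Elfin: …" and only then reaches "Magnallium Retrieved. 2019/10/27", while its `url` points at the Dragos Magnallium page. The Symantec text is already carried by the `Symantec March 2019` entry that follows it, so the Dragos description should probably be reduced to its own citation, e.g. `"description": "Dragos Magnallium Retrieved. 2019/10/27 "`. As it stands, anyone resolving `(Citation: Dragos)` from the APT33 description gets the wrong title and retrieval date for that source. In the same hunk, the `Dragos Inc. June 2017` citation spells "Electic Grid Operations", presumably "Electric".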
@@ -11161,23 +16539,190 @@ }, { "type": "relationship", - "id": "relationship--3dc3aec5-0056-46e8-8073-a7e32d3d929d", - "created": "2022-09-30T15:28:37.614Z", + "id": "relationship--79fccaf1-3592-4af0-8a47-1d325b9fd5a4", + "created": "2022-05-11T16:22:58.808Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2022-09-30T15:28:37.614Z", - "description": "Detecting software exploitation may be difficult depending on the tools available. Software exploits may not always succeed or may cause the exploited process to become unstable or crash.", + "modified": "2022-10-14T16:46:05.831Z", + "description": "Monitor for newly constructed web-based network connections that are sent to malicious or suspicious destinations (e.g., destinations attributed to phishing campaigns). Consider correlation with process monitoring and command line to detect anomalous processes execution and command line arguments (e.g., monitor anomalies in use of files that do not normally initiate network connections or unusual connections initiated by regsvr32.exe, rundll.exe, SCF, HTA, MSI, DLLs, or msiexec.exe). 
", "relationship_type": "detects", - "source_ref": "x-mitre-data-component--9c2fa0ae-7abc-485a-97f6-699e3b6cf9fa", - "target_ref": "attack-pattern--9f947a1c-3860-48a8-8af0-a2dfa3efde03", + "source_ref": "x-mitre-data-component--181a9f8c-c780-4f1f-91a8-edb770e904ba", + "target_ref": "attack-pattern--2736b752-4ec5-4421-a230-8977dea7649c", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--afd63145-6033-49e4-ad43-d0b35fa5ed88", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.061Z", + "relationship_type": "mitigates", + "description": "Protocols used for device management should authenticate all network messages to prevent unauthorized system changes.\n", + "source_ref": "course-of-action--c7257b6e-4159-4771-b1f3-2bb93adaecac", + "target_ref": "attack-pattern--19a71d1e-6334-4233-8260-b749cae37953", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--fc3d0a84-e7c7-415c-ae47-42bc513e9bf9", + "created": "2022-05-11T16:22:58.805Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-14T16:55:14.825Z", + "description": "Monitor for network traffic originating from unknown/unexpected hosts. 
Local network traffic metadata (such as source MAC addressing) as well as usage of network management protocols such as DHCP may be helpful in identifying hardware.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--a7f22107-02e5-4982-9067-6625d4a1765a", + "target_ref": "attack-pattern--ead7bd34-186e-4c79-9a4d-b65bcce6ed9d", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--1f8abf6f-0dd0-4449-b555-733fe7296177", + "created": "2018-04-18T17:59:24.739Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Jos Wetzels January 2018", + "description": "Jos Wetzels 2018, January 16 Analyzing the TRITON industrial malware Retrieved. 2019/10/22 ", + "url": "https://www.midnightbluelabs.com/blog/2018/1/16/analyzing-the-triton-industrial-malware" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-12T18:24:19.351Z", + "description": "[Triton](https://attack.mitre.org/software/S1009) leveraged the TriStation protocol to download programs onto Triconex Safety Instrumented System. 
(Citation: Jos Wetzels January 2018)", + "relationship_type": "uses", + "source_ref": "malware--80099a91-4c86-4bea-9ccb-dac55d61960e", + "target_ref": "attack-pattern--be69c571-d746-4b1f-bdd0-c0c9817e9068", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--1fe3e5fc-7dd6-4e14-b9da-edb1a2aae459", + "created": "2022-09-23T16:35:17.240Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-09-26T16:34:31.627Z", + "description": "Consult asset management systems which may help with the detection of computer systems or network devices that should not exist on a network.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--b05a614b-033c-4578-b4f2-c63a9feee706", + "target_ref": "attack-pattern--b14395bd-5419-4ef4-9bd8-696936f509bb", "x_mitre_deprecated": false, "x_mitre_version": "0.1", "x_mitre_attack_spec_version": "2.1.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, + { + "type": "relationship", + "id": "relationship--c4e8dd42-9855-4a36-b915-dc7e1a91e235", + "created": "2018-10-17T00:14:20.652Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Robert Falcone, Bryan Lee May 2016", + "description": "Robert Falcone, Bryan Lee 2016, May 26 The OilRig Campaign: Attacks on Saudi Arabian Organizations Deliver Helminth Backdoor Retrieved. 
2019/11/19 ", + "url": "https://unit42.paloaltonetworks.com/the-oilrig-campaign-attacks-on-saudi-arabian-organizations-deliver-helminth-backdoor/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-12T16:32:03.970Z", + "description": "[OilRig](https://attack.mitre.org/groups/G0049) has embedded a macro within spearphishing attachments that has been made up of both a VBScript and a PowerShell script.(Citation: Robert Falcone, Bryan Lee May 2016)", + "relationship_type": "uses", + "source_ref": "intrusion-set--4ca1929c-7d64-4aab-b849-badbfc0c760d", + "target_ref": "attack-pattern--2dc2b567-8821-49f9-9045-8740f3d0b958", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--2916cd9c-32d5-463a-a83b-448ef7720192", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2021-04-21T14:04:49.301Z", + "modified": "2022-05-06T17:47:24.364Z", + "relationship_type": "uses", + "description": "[Dragonfly 2.0](https://attack.mitre.org/groups/G0035) has been reported to take screenshots of the GUI for ICS equipment, such as HMIs. (Citation: Cybersecurity & Infrastructure Security Agency March 2018)", + "source_ref": "intrusion-set--76d59913-1d24-4992-a8ac-05a3eb093f71", + "target_ref": "attack-pattern--c5e3cdbc-0387-4be9-8f83-ff5c0865f377", + "external_references": [ + { + "source_name": "Cybersecurity & Infrastructure Security Agency March 2018", + "description": "Cybersecurity & Infrastructure Security Agency 2018, March 15 Alert (TA18-074A) Russian Government Cyber Activity Targeting Energy and Other Critical Infrastructure Sectors Retrieved. 
2019/10/11 ", + "url": "https://us-cert.cisa.gov/ncas/alerts/TA18-074A" + } + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--0b7f643e-8975-4998-acbb-7405fa944a68", + "created": "2022-05-11T16:22:58.806Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-14T16:54:38.303Z", + "description": "Monitor executed commands and arguments that may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Also monitor executed commands and arguments that may attempt to get a listing of network connections to or from the compromised system they are currently accessing or from remote systems by querying for information over the network. 
Information may also be acquired through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001).", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--685f917a-e95e-4ba0-ade1-c7d354dae6e0", + "target_ref": "attack-pattern--ea0c980c-5cf0-43a7-a049-59c4c207566e", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--6b5fd6d8-ef70-4896-b1a4-7b6c29c3a0d4", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.101Z", + "relationship_type": "mitigates", + "description": "All field controllers should restrict the modification of programs to only certain users (e.g., engineers, field technician), preferably through implementing a role-based access mechanism.\n", + "source_ref": "course-of-action--e0d38502-decb-481d-ad8b-b8f0a0c330bd", + "target_ref": "attack-pattern--25dfc8ad-bd73-4dfd-84a9-3c3d383f76e9", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, { "type": "relationship", "id": "relationship--679d216f-9bf7-428a-8d5b-72a84d6d45ab", 
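Review bot: The detection text added for `relationship--79fccaf1-3592-4af0-8a47-1d325b9fd5a4` lists `rundll.exe` among the processes whose network connections should be treated as unusual, but the Windows binary normally meant in this context is `rundll32.exe`. A reader who turns the sentence into a process-name filter may end up with a rule that never matches. If that is what was intended, the list should read `regsvr32.exe, rundll32.exe, SCF, HTA, MSI, DLLs, or msiexec.exe`. The same description also ends with a stray space before the closing quote.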
@@ -11229,6 +16774,25 @@ "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, + { + "type": "relationship", + "id": "relationship--3dc3aec5-0056-46e8-8073-a7e32d3d929d", + "created": "2022-09-30T15:28:37.614Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-09-30T15:28:37.614Z", + "description": "Detecting software exploitation may be difficult depending on the tools available. Software exploits may not always succeed or may cause the exploited process to become unstable or crash.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--9c2fa0ae-7abc-485a-97f6-699e3b6cf9fa", + "target_ref": "attack-pattern--9f947a1c-3860-48a8-8af0-a2dfa3efde03", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "2.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, { "type": "relationship", "id": "relationship--50b3247a-ea71-455e-b299-f00666c05146", 
@@ -11255,6 +16819,59 @@ "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--07f4d65d-4572-450f-8cb2-908fee97bd67", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.228Z", + "relationship_type": "mitigates", + "description": "Application control may be able to prevent the running of executables masquerading as other files.\n", + "source_ref": "course-of-action--4fa717d9-cabe-47c8-8cdd-86e9e2e37f30", + "target_ref": "attack-pattern--2736b752-4ec5-4421-a230-8977dea7649c", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--0278ddbc-67d5-444d-8082-bf9974dee920", + "created": "2022-05-11T16:22:58.808Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-14T16:47:45.775Z", + "description": "Monitor for an authentication attempt by a user that may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--a953ca55-921a-44f7-9b8d-3d40141aa17e", + "target_ref": "attack-pattern--cd2c76a4-5e23-4ca5-9c40-d5e0604f7101", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": 
"relationship", + "id": "relationship--26e58427-a2bd-4e77-9939-16ef60a072e7", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.160Z", + "relationship_type": "mitigates", + "description": "Authenticateconnections fromsoftware and devices to prevent unauthorized systems from accessing protected management functions.\n", + "source_ref": "course-of-action--72e46e53-e12d-4106-9c70-33241b6ed549", + "target_ref": "attack-pattern--efbf7888-f61b-4572-9c80-7e2965c60707", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, { "type": "relationship", "id": "relationship--eecca3e7-4db5-40d4-b04c-13f84701acb3", @@ -11281,23 +16898,6 @@ "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "relationship", - "id": "relationship--26e58427-a2bd-4e77-9939-16ef60a072e7", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.160Z", - "relationship_type": "mitigates", - "description": "Authenticateconnections fromsoftware and devices to prevent unauthorized systems from accessing protected management functions.\n", - "source_ref": "course-of-action--72e46e53-e12d-4106-9c70-33241b6ed549", - "target_ref": "attack-pattern--efbf7888-f61b-4572-9c80-7e2965c60707", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, { "type": "relationship", "id": "relationship--7258c355-677c-452d-b1fc-27767232437b", 
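Review bot: The description re-added with `relationship--26e58427-a2bd-4e77-9939-16ef60a072e7` still reads `Authenticateconnections fromsoftware and devices`, with two word breaks missing. The sibling `relationship--107d9a23-991b-44f5-97f6-7f6983c7013a`, which has the same `source_ref` (`course-of-action--72e46e53-e12d-4106-9c70-33241b6ed549`), spells the sentence correctly, so this one should match it: `"description": "Authenticate connections from software and devices to prevent unauthorized systems from accessing protected management functions.\n"`. The object is only repositioned by this commit (the matching removal is in the next hunk on the same line), so the typo predates it. Until it is fixed, a word-based search over mitigation text will not match this entry.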
@@ -11393,705 +16993,6 @@ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0" }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "relationship", - "id": "relationship--107d9a23-991b-44f5-97f6-7f6983c7013a", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.099Z", - "relationship_type": "mitigates", - "description": "Authenticate connections from software and devices to prevent unauthorized systems from accessing protected management functions.\n", - "source_ref": "course-of-action--72e46e53-e12d-4106-9c70-33241b6ed549", - "target_ref": "attack-pattern--2aa406ed-81c3-4c1d-ba83-cfbee5a2847a", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "relationship", - "id": "relationship--7db9687b-7099-4cb6-a040-bc32fc549a81", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.195Z", - "relationship_type": "mitigates", - "description": "Protocols used for control functions should provide authenticity through MAC functions or digital signatures. 
If not, utilize bump-in-the-wire devices or VPNs to enforce communication authenticity between devices that are not capable of supporting this (e.g., legacy controllers, RTUs).\n", - "source_ref": "course-of-action--c7257b6e-4159-4771-b1f3-2bb93adaecac", - "target_ref": "attack-pattern--b14395bd-5419-4ef4-9bd8-696936f509bb", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - "type": "relationship", - "id": "relationship--692324b4-064a-430c-8ffc-7f7acd537778", - "created": "2018-10-17T00:14:20.652Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "external_references": [ - { - "source_name": "Symantec", - "description": "Symantec W32.Duqu The precursor to the next Stuxnet Retrieved. 2019/11/03 ", - "url": "https://docs.broadcom.com/doc/w32-duqu-11-en" - } - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-10-12T17:43:39.823Z", - "description": "[Duqu](https://attack.mitre.org/software/S0038) downloads additional modules for the collection of data in information repositories. The modules are named: infostealer 1, infostealer 2 and reconnaissance. 
(Citation: Symantec)", - "relationship_type": "uses", - "source_ref": "malware--68dca94f-c11d-421e-9287-7c501108e18c", - "target_ref": "attack-pattern--3405891b-16aa-4bd7-bd7c-733501f9b20f", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "type": "relationship", - "id": "relationship--87c8ab74-576d-4962-b641-0762d374d1e8", - "created": "2018-10-17T00:14:20.652Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "external_references": [ - { - "source_name": "Anton Cherepanov, ESET June 2017", - "description": "Anton Cherepanov, ESET 2017, June 12 Win32/Industroyer: A new threat for industrial control systems Retrieved. 2017/09/15 ", - "url": "https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf" - } - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-09-23T18:49:35.368Z", - "description": "The [Industroyer](https://attack.mitre.org/software/S0604) SIPROTEC DoS module exploits the CVE-2015-5374 vulnerability in order to render a Siemens SIPROTEC device unresponsive. While the vulnerability does not directly cause the restart or shutdown of the device, the device must be restarted manually before it can resume operations. 
(Citation: Anton Cherepanov, ESET June 2017)", - "relationship_type": "uses", - "source_ref": "malware--e401d4fe-f0c9-44f0-98e6-f93487678808", - "target_ref": "attack-pattern--25dfc8ad-bd73-4dfd-84a9-3c3d383f76e9", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "relationship", - "id": "relationship--5ca1d677-b41f-4f1e-b86b-f5637a418829", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.182Z", - "relationship_type": "mitigates", - "description": "Authenticate all access to field controllers before authorizing access to, or modification of, a device's state, logic, or programs. Centralized authentication techniques can help manage the large number of field controller accounts needed across the ICS.\n", - "source_ref": "course-of-action--3992ce42-43e9-4bea-b8db-a102ec3ec1e3", - "target_ref": "attack-pattern--3067b85e-271e-4bc5-81ad-ab1a81d411e3", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "relationship", - "id": "relationship--f9c29dd4-1c5e-4f7e-b60a-862319a6d0a0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.184Z", - "relationship_type": "mitigates", - "description": "Allow for code signing of any project files stored at rest to prevent unauthorized tampering. 
Ensure the signing keys are not easily accessible on the same system.\n", - "source_ref": "course-of-action--71eb7dad-07eb-4bbc-9df0-ac57bf2fba4a", - "target_ref": "attack-pattern--e72425f8-9ae6-41d3-bfdb-e1b865e60722", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "relationship", - "id": "relationship--234da455-b795-4788-bc5d-22b4b58b2dc7", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.212Z", - "relationship_type": "mitigates", - "description": "Protocols used for device management should authenticate all network messages to prevent unauthorized system changes.\n", - "source_ref": "course-of-action--c7257b6e-4159-4771-b1f3-2bb93adaecac", - "target_ref": "attack-pattern--b9160e77-ea9e-4ba9-b1c8-53a3c466b13d", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - "type": "relationship", - "id": "relationship--2e0769d7-088e-45d5-a262-6dbc91a95073", - "created": "2022-05-11T16:22:58.807Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-10-14T16:51:31.992Z", - "description": "Monitor for files (such as /etc/hosts) being accessed that may attempt to get a listing of other systems by IP address, hostname, or other logical identifier on a network that may be used for Lateral Movement from the current system.", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--235b7491-2d2b-4617-9a52-3c0783680f71", - "target_ref": "attack-pattern--d5a69cfb-fc2a-46cb-99eb-74b236db5061", - 
"x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "type": "relationship", - "id": "relationship--433539bf-cb17-4de1-9c0f-e579b041514f", - "created": "2018-10-17T00:14:20.652Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "external_references": [ - { - "source_name": "Dragos Inc. June 2017", - "description": "Dragos Inc. 2017, June 13 Industroyer - Dragos - 201706: Analysis of the Threat to Electic Grid Operations Retrieved. 2017/09/18 ", - "url": "https://dragos.com/blog/crashoverride/CrashOverride-01.pdf" - } - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-09-23T18:16:26.262Z", - "description": "[Industroyer](https://attack.mitre.org/software/S0604) attempts to connect with a hardcoded internal proxy on TCP 3128 [default Squid proxy]. If established, the backdoor attempts to reach an external C2 server via the internal proxy. (Citation: Dragos Inc. June 2017)", - "relationship_type": "uses", - "source_ref": "malware--e401d4fe-f0c9-44f0-98e6-f93487678808", - "target_ref": "attack-pattern--d67adac8-e3b9-44f9-9e6d-6c2a7d69dbe4", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "type": "relationship", - "id": "relationship--2c641542-2e18-4943-849a-7141b7da4fcd", - "created": "2022-09-20T20:54:36.422Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "external_references": [ - { - "source_name": "Pinellas County Sheriffs Office February 2021", - "description": "Pinellas County Sheriffs Office 2021, February 8 Treatment Plant Intrusion Press Conference Retrieved. 
2021/10/08 ", - "url": "https://www.youtube.com/watch?v=MkXDSOgLQ6M" - } - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-10-18T13:25:27.955Z", - "description": "During the [Oldsmar Treatment Plant Intrusion](https://attack.mitre.org/campaigns/C0009), the threat actors raised the sodium hydroxide setpoint value from 100 part-per-million (ppm) to 11,100 ppm, far beyond normal operating levels.(Citation: Pinellas County Sheriffs Office February 2021)", - "relationship_type": "uses", - "source_ref": "campaign--65281d3e-b03c-46b8-8cd8-716363ac3cb2", - "target_ref": "attack-pattern--097924ce-a9a9-4039-8591-e0deedfb8722", - "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "type": "relationship", - "id": "relationship--76b8bbce-1c65-4337-a4d7-320c594dc29e", - "created": "2022-05-11T16:22:58.805Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-09-26T19:36:51.486Z", - "description": "Monitor for network traffic originating from unknown/unexpected hosts. Local network traffic metadata (such as source MAC addressing) as well as usage of network management protocols such as DHCP may be helpful in identifying hardware. 
For added context on adversary procedures and background see [Adversary-in-the-Middle](https://attack.mitre.org/techniques/T1557) and applicable sub-techniques.", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--a7f22107-02e5-4982-9067-6625d4a1765a", - "target_ref": "attack-pattern--9a505987-ab05-4f46-a9a6-6441442eec3b", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "type": "relationship", - "id": "relationship--739e7b8d-57d7-4c1d-8f42-1496606ea666", - "created": "2018-04-18T17:59:24.739Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "external_references": [ - { - "source_name": "Dragos", - "description": "Dragos Symantec 2019, March 27 Elfin: Relentless Espionage Group Targets Multiple Organizations in Saudi Arabia and U.S. Retrieved. 2019/12/02 Magnallium Retrieved. 2019/10/27 ", - "url": "https://dragos.com/resource/magnallium/" - }, - { - "source_name": "Symantec March 2019", - "description": "Symantec 2019, March 27 Elfin: Relentless Espionage Group Targets Multiple Organizations in Saudi Arabia and U.S. Retrieved. 2019/12/02 ", - "url": "https://www.symantec.com/blogs/threat-intelligence/elfin-apt33-espionage" - } - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-10-12T15:42:15.944Z", - "description": "[APT33](https://attack.mitre.org/groups/G0064) utilized PowerShell scripts to establish command and control and install files for execution. 
(Citation: Symantec March 2019) (Citation: Dragos)", - "relationship_type": "uses", - "source_ref": "intrusion-set--fbd29c89-18ba-4c2d-b792-51c0adee049f", - "target_ref": "attack-pattern--2dc2b567-8821-49f9-9045-8740f3d0b958", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "type": "relationship", - "id": "relationship--fc3d0a84-e7c7-415c-ae47-42bc513e9bf9", - "created": "2022-05-11T16:22:58.805Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-10-14T16:55:14.825Z", - "description": "Monitor for network traffic originating from unknown/unexpected hosts. Local network traffic metadata (such as source MAC addressing) as well as usage of network management protocols such as DHCP may be helpful in identifying hardware.", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--a7f22107-02e5-4982-9067-6625d4a1765a", - "target_ref": "attack-pattern--ead7bd34-186e-4c79-9a4d-b65bcce6ed9d", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "type": "relationship", - "id": "relationship--1f8abf6f-0dd0-4449-b555-733fe7296177", - "created": "2018-04-18T17:59:24.739Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "external_references": [ - { - "source_name": "Jos Wetzels January 2018", - "description": "Jos Wetzels 2018, January 16 Analyzing the TRITON industrial malware Retrieved. 
2019/10/22 ", - "url": "https://www.midnightbluelabs.com/blog/2018/1/16/analyzing-the-triton-industrial-malware" - } - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-10-12T18:24:19.351Z", - "description": "[Triton](https://attack.mitre.org/software/S1009) leveraged the TriStation protocol to download programs onto Triconex Safety Instrumented System. (Citation: Jos Wetzels January 2018)", - "relationship_type": "uses", - "source_ref": "malware--80099a91-4c86-4bea-9ccb-dac55d61960e", - "target_ref": "attack-pattern--be69c571-d746-4b1f-bdd0-c0c9817e9068", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "relationship", - "id": "relationship--afd63145-6033-49e4-ad43-d0b35fa5ed88", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.061Z", - "relationship_type": "mitigates", - "description": "Protocols used for device management should authenticate all network messages to prevent unauthorized system changes.\n", - "source_ref": "course-of-action--c7257b6e-4159-4771-b1f3-2bb93adaecac", - "target_ref": "attack-pattern--19a71d1e-6334-4233-8260-b749cae37953", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "relationship", - "id": "relationship--22448288-32d9-4d2c-be16-0784e119fff1", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.077Z", - "relationship_type": "mitigates", 
- "description": "All field controllers should require users to authenticate for all remote or local management sessions. The authentication mechanisms should also support [Account Use Policies](https://attack.mitre.org/mitigations/M0936), [Password Policies](https://attack.mitre.org/mitigations/M0927), and [User Account Management](https://attack.mitre.org/mitigations/M0918).", - "source_ref": "course-of-action--66cfe23e-34b6-4583-b178-ed6a412db2b0", - "target_ref": "attack-pattern--2883c520-7957-46ca-89bd-dab1ad53b601", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - "type": "relationship", - "id": "relationship--3c341d13-938e-4535-ac75-10a79abc7017", - "created": "2022-05-11T16:22:58.808Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-10-14T16:46:17.575Z", - "description": "Monitor for application logging, messaging, and/or other artifacts that may rely upon specific actions by a user in order to gain execution.", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--9c2fa0ae-7abc-485a-97f6-699e3b6cf9fa", - "target_ref": "attack-pattern--2736b752-4ec5-4421-a230-8977dea7649c", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "type": "relationship", - "id": "relationship--79fccaf1-3592-4af0-8a47-1d325b9fd5a4", - "created": "2022-05-11T16:22:58.808Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-10-14T16:46:05.831Z", - "description": "Monitor for newly constructed web-based network 
connections that are sent to malicious or suspicious destinations (e.g., destinations attributed to phishing campaigns). Consider correlation with process monitoring and command line to detect anomalous processes execution and command line arguments (e.g., monitor anomalies in use of files that do not normally initiate network connections or unusual connections initiated by regsvr32.exe, rundll.exe, SCF, HTA, MSI, DLLs, or msiexec.exe). ", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--181a9f8c-c780-4f1f-91a8-edb770e904ba", - "target_ref": "attack-pattern--2736b752-4ec5-4421-a230-8977dea7649c", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "type": "relationship", - "id": "relationship--0b7f643e-8975-4998-acbb-7405fa944a68", - "created": "2022-05-11T16:22:58.806Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-10-14T16:54:38.303Z", - "description": "Monitor executed commands and arguments that may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Also monitor executed commands and arguments that may attempt to get a listing of network connections to or from the compromised system they are currently accessing or from remote systems by querying for information over the network. 
Information may also be acquired through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001).", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--685f917a-e95e-4ba0-ade1-c7d354dae6e0", - "target_ref": "attack-pattern--ea0c980c-5cf0-43a7-a049-59c4c207566e", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "relationship", - "id": "relationship--6b5fd6d8-ef70-4896-b1a4-7b6c29c3a0d4", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.101Z", - "relationship_type": "mitigates", - "description": "All field controllers should restrict the modification of programs to only certain users (e.g., engineers, field technician), preferably through implementing a role-based access mechanism.\n", - "source_ref": "course-of-action--e0d38502-decb-481d-ad8b-b8f0a0c330bd", - "target_ref": "attack-pattern--25dfc8ad-bd73-4dfd-84a9-3c3d383f76e9", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - "type": "relationship", - "id": "relationship--1fe3e5fc-7dd6-4e14-b9da-edb1a2aae459", - "created": "2022-09-23T16:35:17.240Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-09-26T16:34:31.627Z", - "description": "Consult asset management systems which may help with the detection of computer systems or network devices that should not exist on a 
network.", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--b05a614b-033c-4578-b4f2-c63a9feee706", - "target_ref": "attack-pattern--b14395bd-5419-4ef4-9bd8-696936f509bb", - "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "type": "relationship", - "id": "relationship--c4e8dd42-9855-4a36-b915-dc7e1a91e235", - "created": "2018-10-17T00:14:20.652Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "external_references": [ - { - "source_name": "Robert Falcone, Bryan Lee May 2016", - "description": "Robert Falcone, Bryan Lee 2016, May 26 The OilRig Campaign: Attacks on Saudi Arabian Organizations Deliver Helminth Backdoor Retrieved. 2019/11/19 ", - "url": "https://unit42.paloaltonetworks.com/the-oilrig-campaign-attacks-on-saudi-arabian-organizations-deliver-helminth-backdoor/" - } - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-10-12T16:32:03.970Z", - "description": "[OilRig](https://attack.mitre.org/groups/G0049) has embedded a macro within spearphishing attachments that has been made up of both a VBScript and a PowerShell script.(Citation: Robert Falcone, Bryan Lee May 2016)", - "relationship_type": "uses", - "source_ref": "intrusion-set--4ca1929c-7d64-4aab-b849-badbfc0c760d", - "target_ref": "attack-pattern--2dc2b567-8821-49f9-9045-8740f3d0b958", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "relationship", - "id": "relationship--2916cd9c-32d5-463a-a83b-448ef7720192", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": 
"2021-04-21T14:04:49.301Z", - "modified": "2022-05-06T17:47:24.364Z", - "relationship_type": "uses", - "description": "[Dragonfly 2.0](https://attack.mitre.org/groups/G0035) has been reported to take screenshots of the GUI for ICS equipment, such as HMIs. (Citation: Cybersecurity & Infrastructure Security Agency March 2018)", - "source_ref": "intrusion-set--76d59913-1d24-4992-a8ac-05a3eb093f71", - "target_ref": "attack-pattern--c5e3cdbc-0387-4be9-8f83-ff5c0865f377", - "external_references": [ - { - "source_name": "Cybersecurity & Infrastructure Security Agency March 2018", - "description": "Cybersecurity & Infrastructure Security Agency 2018, March 15 Alert (TA18-074A) Russian Government Cyber Activity Targeting Energy and Other Critical Infrastructure Sectors Retrieved. 2019/10/11 ", - "url": "https://us-cert.cisa.gov/ncas/alerts/TA18-074A" - } - ], - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - "type": "relationship", - "id": "relationship--3858ec3b-5814-4515-9dda-f8009fbf4cd3", - "created": "2017-12-14T16:46:06.044Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "external_references": [ - { - "source_name": "Kevin Savage and Branko Spasojevic", - "description": "Kevin Savage and Branko Spasojevic W32.Flamer Retrieved. 2019/11/03 ", - "url": "https://web.archive.org/web/20190930124504/https://www.symantec.com/security-center/writeup/2012-052811-0308-99" - } - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-10-12T17:50:36.629Z", - "description": "[Flame](https://attack.mitre.org/software/S0143) has built-in modules to gather information from compromised computers. 
(Citation: Kevin Savage and Branko Spasojevic)", - "relationship_type": "uses", - "source_ref": "malware--ff6840c9-4c87-4d07-bbb6-9f50aa33d498", - "target_ref": "attack-pattern--3405891b-16aa-4bd7-bd7c-733501f9b20f", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "relationship", - "id": "relationship--973f5884-a076-413e-ac96-f0bd01375fb6", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2021-04-13T11:15:26.506Z", - "modified": "2022-05-06T17:47:24.153Z", - "relationship_type": "mitigates", - "description": "Utilize code signatures to verify the integrity of the installed program on safety or control assets has not been changed.\n", - "source_ref": "course-of-action--71eb7dad-07eb-4bbc-9df0-ac57bf2fba4a", - "target_ref": "attack-pattern--09a61657-46e1-439e-b3ed-3e4556a78243", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - "type": "relationship", - "id": "relationship--e0aee02c-b424-4781-be10-793d71594c31", - "created": "2018-04-18T17:59:24.739Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "external_references": [ - { - "source_name": "Daavid Hentunen, Antti Tikkanen June 2014", - "description": "Daavid Hentunen, Antti Tikkanen 2014, June 23 Havex Hunts For ICS/SCADA Systems Retrieved. 
2019/04/01 ", - "url": "https://www.f-secure.com/weblog/archives/00002718.html" - } - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-10-12T17:23:47.107Z", - "description": "The [Backdoor.Oldrea](https://attack.mitre.org/software/S0093) RAT is distributed through a trojanized installer attached to emails. (Citation: Daavid Hentunen, Antti Tikkanen June 2014)", - "relationship_type": "uses", - "source_ref": "malware--083bb47b-02c8-4423-81a2-f9ef58572974", - "target_ref": "attack-pattern--648f995e-9c3a-41e4-aeee-98bb41037426", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "relationship", - "id": "relationship--7d5759cd-890e-4ec5-b92b-aba225d52960", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.079Z", - "relationship_type": "mitigates", - "description": "Authenticateconnections fromsoftware and devices to prevent unauthorized systems from accessing protected management functions.\n", - "source_ref": "course-of-action--72e46e53-e12d-4106-9c70-33241b6ed549", - "target_ref": "attack-pattern--2883c520-7957-46ca-89bd-dab1ad53b601", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "relationship", - "id": "relationship--028a3bcc-f299-4061-a0f2-8da85e0a3c81", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.177Z", - "relationship_type": "mitigates", - "description": 
"Authenticate connections from software and devices to prevent unauthorized systems from accessing protected management functions.\n", - "source_ref": "course-of-action--72e46e53-e12d-4106-9c70-33241b6ed549", - "target_ref": "attack-pattern--be69c571-d746-4b1f-bdd0-c0c9817e9068", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "relationship", - "id": "relationship--ae10e97a-90ac-498b-8601-01081dc4af8b", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2021-04-12T18:59:17.429Z", - "modified": "2022-05-06T17:47:24.188Z", - "relationship_type": "mitigates", - "description": "Limit the accounts that may use remote services. Limit the permissions for accounts that are at higher risk of compromise; for example, configure SSH so users can only run specific programs.\n", - "source_ref": "course-of-action--e57ebc6d-785f-40c8-adb1-b5b5e09b3b48", - "target_ref": "attack-pattern--e1f9cdd2-9511-4fca-90d7-f3e92cfdd0bf", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "relationship--e9f5096e-b9fc-459a-a303-88763b1269cc", - "type": "relationship", - "created": "2020-05-14T14:41:42.975Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "external_references": [ - { - "description": "McKeague, B. et al. (2019, April 5). Pick-Six: Intercepting a FIN6 Intrusion, an Actor Recently Tied to Ryuk and LockerGoga Ransomware. 
Retrieved April 17, 2019.", - "url": "https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html", - "source_name": "FireEye FIN6 Apr 2019" - } - ], - "modified": "2020-05-15T19:15:35.568Z", - "description": "(Citation: FireEye FIN6 Apr 2019)", - "relationship_type": "uses", - "source_ref": "intrusion-set--2a7914cf-dff3-428d-ab0f-1014d1c28aeb", - "target_ref": "malware--a020a61c-423f-4195-8c46-ba1d21abba37", - "x_mitre_version": "1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "type": "relationship", - "id": "relationship--7c1eee62-3307-4e25-8a20-919ccd56ec1c", - "created": "2022-09-29T01:37:13.671Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "external_references": [ - { - "source_name": "Wylie-22", - "description": "Jimmy Wylie. (2022, August). Analyzing PIPEDREAM: Challenges in Testing an ICS Attack Toolkit. Defcon 30.", - "url": "https://media.defcon.org/DEF%20CON%2030/DEF%20CON%2030%20presentations/Jimmy%20Wylie%20-%20Analyzing%20PIPEDREAM%20Challenges%20in%20testing%20an%20ICS%20attack%20toolkit.pdf" - }, - { - "source_name": "Brubaker-Incontroller", - "description": "Nathan Brubaker, Keith Lunden, Ken Proska, Muhammad Umair, Daniel Kapellmann Zafra, Corey Hildebrandt, Rob Caldwell. (2022, April 13). INCONTROLLER: New State-Sponsored Cyber Attack Tools Target Multiple Industrial Control Systems. 
Retrieved September 28, 2022.", - "url": "https://www.mandiant.com/resources/incontroller-state-sponsored-ics-tool" - } - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-10-13T16:53:47.441Z", - "description": "[INCONTROLLER](https://attack.mitre.org/software/S1045) can use the CODESYS protocol to download programs to Schneider PLCs.(Citation: Wylie-22)(Citation: Brubaker-Incontroller) \n\n[INCONTROLLER](https://attack.mitre.org/software/S1045) can modified program logic on Omron PLCs using either the program download or backup transfer functions available through the HTTP server.(Citation: Wylie-22) ", - "relationship_type": "uses", - "source_ref": "malware--d3aa1058-b1b3-4c29-a3ba-9a9b90ccd93b", - "target_ref": "attack-pattern--be69c571-d746-4b1f-bdd0-c0c9817e9068", - "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "type": "relationship", - "id": "relationship--28afd84d-a53e-4b2f-9bee-133f7da6982a", - "created": "2017-12-14T16:46:06.044Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "external_references": [ - { - "source_name": "Nicolas Falliere, Liam O Murchu, Eric Chien February 2011", - "description": "Nicolas Falliere, Liam O Murchu, Eric Chien 2011, February W32.Stuxnet Dossier (Version 1.4) Retrieved. 2017/09/22 ", - "url": "https://www.wired.com/images_blogs/threatlevel/2011/02/Symantec-Stuxnet-Update-Feb-2011.pdf" - } - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-09-20T21:10:43.996Z", - "description": "[Stuxnet](https://attack.mitre.org/software/S0603) copies the input area of an I/O image into data blocks with a one second interval between copies, forming a 21 second recording of the input area. 
The input area contains information being passed to the PLC from a peripheral. For example, the current state of a valve or the temperature of a device. (Citation: Nicolas Falliere, Liam O Murchu, Eric Chien February 2011)", - "relationship_type": "uses", - "source_ref": "malware--088f1d6e-0783-47c6-9923-9c79b2af43d4", - "target_ref": "attack-pattern--53a48c74-0025-45f4-b04a-baa853df8204", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "type": "relationship", - "id": "relationship--7c2f82ff-bde7-4ab8-b6ab-35d7f7f498dd", - "created": "2022-09-27T15:27:00.387Z", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-09-27T15:27:00.387Z", - "description": "Networking devices such as switches may log when new client devices connect (e.g., SNMP notifications). Monitor for any logs documenting changes to network connection status to determine when a new connection has occurred, including the resulting addresses (e.g., IP, MAC) of devices on that network.", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--9c2fa0ae-7abc-485a-97f6-699e3b6cf9fa", - "target_ref": "attack-pattern--35392fb4-a31d-4c6a-b9f2-1c65b7f5e6b9", - "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "2.1.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" 
@@ -12128,6 +17029,44 @@
 "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
 "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
 },
+ {
+ "type": "relationship",
+ "id": "relationship--7c2f82ff-bde7-4ab8-b6ab-35d7f7f498dd",
+ "created": "2022-09-27T15:27:00.387Z",
+ "revoked": false,
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2022-09-27T15:27:00.387Z",
+ "description": "Networking devices such as switches may log when new client devices connect (e.g., SNMP notifications). Monitor for any logs documenting changes to network connection status to determine when a new connection has occurred, including the resulting addresses (e.g., IP, MAC) of devices on that network.",
+ "relationship_type": "detects",
+ "source_ref": "x-mitre-data-component--9c2fa0ae-7abc-485a-97f6-699e3b6cf9fa",
+ "target_ref": "attack-pattern--35392fb4-a31d-4c6a-b9f2-1c65b7f5e6b9",
+ "x_mitre_deprecated": false,
+ "x_mitre_version": "0.1",
+ "x_mitre_attack_spec_version": "2.1.0",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ },
+ {
+ "type": "relationship",
+ "id": "relationship--69146c10-d3d0-4f69-8164-9c21a1a4e10b",
+ "created": "2022-05-11T16:22:58.806Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "revoked": false,
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2022-09-26T15:17:44.736Z",
+ "description": "Monitor ICS automation protocols for anomalies related to reading point or tag data, such as new assets using these functions, changes in volume or timing, or unusual information being queried. Many protocols provide multiple ways to achieve the same result (e.g., functions with/without an acknowledgment or functions that operate on a single point vs. multiple points). Monitor for changes in the functions used.",
+ "relationship_type": "detects",
+ "source_ref": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c",
+ "target_ref": "attack-pattern--25852363-5968-4673-b81d-341d5ed90bd1",
+ "x_mitre_deprecated": false,
+ "x_mitre_version": "1.0",
+ "x_mitre_attack_spec_version": "2.1.0",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ },
 {
 "object_marking_refs": [
 "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
@@ -12147,18 +17086,25 @@
 },
 {
 "type": "relationship",
- "id": "relationship--69146c10-d3d0-4f69-8164-9c21a1a4e10b",
- "created": "2022-05-11T16:22:58.806Z",
+ "id": "relationship--7c3b65e8-e8b7-4c3b-b27b-e216986d8976",
+ "created": "2018-10-17T00:14:20.652Z",
 "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
 "revoked": false,
+ "external_references": [
+ {
+ "source_name": "Anton Cherepanov, ESET June 2017",
+ "description": "Anton Cherepanov, ESET 2017, June 12 Win32/Industroyer: A new threat for industrial control systems Retrieved. 2017/09/15 ",
+ "url": "https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf"
+ }
+ ],
 "object_marking_refs": [
 "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
 ],
- "modified": "2022-09-26T15:17:44.736Z",
- "description": "Monitor ICS automation protocols for anomalies related to reading point or tag data, such as new assets using these functions, changes in volume or timing, or unusual information being queried. Many protocols provide multiple ways to achieve the same result (e.g., functions with/without an acknowledgment or functions that operate on a single point vs. multiple points). Monitor for changes in the functions used.",
- "relationship_type": "detects",
- "source_ref": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c",
- "target_ref": "attack-pattern--25852363-5968-4673-b81d-341d5ed90bd1",
+ "modified": "2022-09-23T18:26:34.069Z",
+ "description": "[Industroyer](https://attack.mitre.org/software/S0604) toggles breakers to the open state utilizing unauthorized command messages. (Citation: Anton Cherepanov, ESET June 2017)",
+ "relationship_type": "uses",
+ "source_ref": "malware--e401d4fe-f0c9-44f0-98e6-f93487678808",
+ "target_ref": "attack-pattern--1af9e3fd-2bcc-414d-adbd-fe3b95c02ca1",
 "x_mitre_deprecated": false,
 "x_mitre_version": "1.0",
 "x_mitre_attack_spec_version": "2.1.0",
@@ -12231,32 +17177,6 @@
 "x_mitre_attack_spec_version": "2.1.0",
 "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
 },
- {
- "type": "relationship",
- "id": "relationship--7c3b65e8-e8b7-4c3b-b27b-e216986d8976",
- "created": "2018-10-17T00:14:20.652Z",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "revoked": false,
- "external_references": [
- {
- "source_name": "Anton Cherepanov, ESET June 2017",
- "description": "Anton Cherepanov, ESET 2017, June 12 Win32/Industroyer: A new threat for industrial control systems Retrieved. 2017/09/15 ",
- "url": "https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf"
- }
- ],
- "object_marking_refs": [
- "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
- ],
- "modified": "2022-09-23T18:26:34.069Z",
- "description": "[Industroyer](https://attack.mitre.org/software/S0604) toggles breakers to the open state utilizing unauthorized command messages. (Citation: Anton Cherepanov, ESET June 2017)",
- "relationship_type": "uses",
- "source_ref": "malware--e401d4fe-f0c9-44f0-98e6-f93487678808",
- "target_ref": "attack-pattern--1af9e3fd-2bcc-414d-adbd-fe3b95c02ca1",
- "x_mitre_deprecated": false,
- "x_mitre_version": "1.0",
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
- },
 {
 "type": "relationship",
 "id": "relationship--aa726ced-f2ac-4113-8d05-8687b7d7ff91",
@@ -12321,627 +17241,135 @@ }, { "type": "relationship", - "id": "relationship--d7ea83fa-87c7-4d36-96d5-aee554504040", - "created": "2017-05-31T21:33:27.074Z", + "id": "relationship--3858ec3b-5814-4515-9dda-f8009fbf4cd3", + "created": "2017-12-14T16:46:06.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { - "source_name": "Marc-Etienne M.Lveill October 2017", - "description": "Marc-Etienne M.Lveill 2017, October 24 Bad Rabbit: NotPetya is back with improved ransomware Retrieved. 2019/10/27 ", - "url": "https://www.welivesecurity.com/2017/10/24/bad-rabbit-not-petya-back/" + "source_name": "Kevin Savage and Branko Spasojevic", + "description": "Kevin Savage and Branko Spasojevic W32.Flamer Retrieved. 2019/11/03 ", + "url": "https://web.archive.org/web/20190930124504/https://www.symantec.com/security-center/writeup/2012-052811-0308-99" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2022-10-12T17:31:02.075Z", - "description": "Several transportation organizations in Ukraine have suffered from being infected by [Bad Rabbit](https://attack.mitre.org/software/S0606), resulting in some computers becoming encrypted, according to media reports. (Citation: Marc-Etienne M.Lveill October 2017)", + "modified": "2022-10-12T17:50:36.629Z", + "description": "[Flame](https://attack.mitre.org/software/S0143) has built-in modules to gather information from compromised computers. 
(Citation: Kevin Savage and Branko Spasojevic)", "relationship_type": "uses", - "source_ref": "malware--2eaa5319-5e1e-4dd7-bbc4-566fced3964a", - "target_ref": "attack-pattern--63b6942d-8359-4506-bfb3-cf87aa8120ee", + "source_ref": "malware--ff6840c9-4c87-4d07-bbb6-9f50aa33d498", + "target_ref": "attack-pattern--3405891b-16aa-4bd7-bd7c-733501f9b20f", "x_mitre_deprecated": false, "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], "type": "relationship", - "id": "relationship--9b825e77-2b18-4bc8-8e1d-5f645d570dca", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2018-10-17T00:14:20.652Z", - "modified": "2022-05-06T17:47:24.246Z", - "relationship_type": "uses", - "description": " (Citation: Dragos)", - "source_ref": "intrusion-set--9538b1a4-4120-4e2d-bf59-3b11fcab05a4", - "target_ref": "malware--80099a91-4c86-4bea-9ccb-dac55d61960e", - "external_references": [ - { - "source_name": "Dragos", - "description": "Dragos Xenotime Retrieved. 2019/10/27 ", - "url": "https://dragos.com/resource/xenotime/" - } - ], - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - "type": "relationship", - "id": "relationship--c2fe42b4-6750-4b51-86b7-6c37fbfdef2d", - "created": "2020-09-21T17:59:24.739Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "external_references": [ - { - "source_name": "Department of Homeland Security October 2009", - "description": "Department of Homeland Security 2009, October Developing an Industrial Control Systems Cybersecurity Incident Response Capability Retrieved. 
2020/09/17 ", - "url": "https://us-cert.cisa.gov/sites/default/files/recommended_practices/final-RP_ics_cybersecurity_incident_response_100609.pdf" - } - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-10-19T21:23:21.586Z", - "description": "Take and store data backups from end user systems and critical servers. Ensure backup and storage systems are hardened and kept separate from the corporate network to prevent compromise. Maintain and exercise incident response plans (Citation: Department of Homeland Security October 2009), including the management of gold-copy back-up images and configurations for key systems to enable quick recovery and response from adversarial activities that impact control, view, or availability.\n", - "relationship_type": "mitigates", - "source_ref": "course-of-action--ad12819e-3211-4291-b360-069f280cff0a", - "target_ref": "attack-pattern--56ddc820-6cfb-407f-850b-52c035d123ac", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "relationship", - "id": "relationship--604a9bf0-81a3-425b-9005-779c4f0f749d", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.195Z", - "relationship_type": "mitigates", - "description": "Harden the system through operating system controls to prevent the known or unknown use of malicious removable media.\n", - "source_ref": "course-of-action--9a945a29-5233-4422-a9e3-3e957b0e8bce", - "target_ref": "attack-pattern--c267bbee-bb59-47fe-85e0-3ed210337c21", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - "type": 
"relationship", - "id": "relationship--d8354850-bd4c-4bd9-a585-b107f5f1398f", + "id": "relationship--e0aee02c-b424-4781-be10-793d71594c31", "created": "2018-04-18T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { - "source_name": "Blake Johnson, Dan Caban, Marina Krotofil, Dan Scali, Nathan Brubaker, Christopher Glyer December 2017", - "description": "Blake Johnson, Dan Caban, Marina Krotofil, Dan Scali, Nathan Brubaker, Christopher Glyer 2017, December 14 Attackers Deploy New ICS Attack Framework TRITON and Cause Operational Disruption to Critical Infrastructure Retrieved. 2018/01/12 ", - "url": "https://www.fireeye.com/blog/threat-research/2017/12/attackers-deploy-new-ics-attack-framework-triton.html" + "source_name": "Daavid Hentunen, Antti Tikkanen June 2014", + "description": "Daavid Hentunen, Antti Tikkanen 2014, June 23 Havex Hunts For ICS/SCADA Systems Retrieved. 2019/04/01 ", + "url": "https://www.f-secure.com/weblog/archives/00002718.html" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2022-10-12T18:28:39.359Z", - "description": "[Triton](https://attack.mitre.org/software/S1009) has the capability to reprogram the SIS logic to allow unsafe conditions to persist or reprogram the SIS to allow an unsafe state while using the DCS to create an unsafe state or hazard. 
(Citation: Blake Johnson, Dan Caban, Marina Krotofil, Dan Scali, Nathan Brubaker, Christopher Glyer December 2017)", - "relationship_type": "uses", - "source_ref": "malware--80099a91-4c86-4bea-9ccb-dac55d61960e", - "target_ref": "attack-pattern--5fa00fdd-4a55-4191-94a0-564181d7fec2", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "relationship", - "id": "relationship--58269882-7e8d-4d24-b7a3-dbef6196cb61", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.086Z", - "relationship_type": "mitigates", - "description": "Use host-based allowlists to prevent devices from accepting connections from unauthorized systems. For example, allowlists can be used to ensure devices can only connect with master stations or known management/engineering workstations. (Citation: Department of Homeland Security September 2016)\n", - "source_ref": "course-of-action--aadac250-bcdc-44e3-a4ae-f52bd0a7a16a", - "target_ref": "attack-pattern--83ebd22f-b401-4d59-8219-2294172cf916", - "external_references": [ - { - "source_name": "Department of Homeland Security September 2016", - "description": "Department of Homeland Security 2016, September Retrieved. 
2020/09/25 ", - "url": "https://us-cert.cisa.gov/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf" - } - ], - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - "type": "relationship", - "id": "relationship--3bff265f-7ab9-4dae-b7a3-a5d9bc586f35", - "created": "2022-05-11T16:22:58.804Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-10-14T16:57:59.240Z", - "description": "Monitor for known proxy protocols (e.g., SOCKS, Tor, peer-to-peer protocols) and tool usage (e.g., Squid, peer-to-peer software) on the network that are not part of normal operations. Also monitor network data for uncommon data flows. Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious.", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--a7f22107-02e5-4982-9067-6625d4a1765a", - "target_ref": "attack-pattern--d67adac8-e3b9-44f9-9e6d-6c2a7d69dbe4", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "relationship", - "id": "relationship--75366cbf-e45f-4cfd-9e76-5af4dfe10766", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.080Z", - "relationship_type": "mitigates", - "description": "Execution prevention may block malicious software from accessing protected resources through the command line interface.\n", - "source_ref": 
"course-of-action--4fa717d9-cabe-47c8-8cdd-86e9e2e37f30", - "target_ref": "attack-pattern--24a9253e-8948-4c98-b751-8e2aee53127c", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - "type": "relationship", - "id": "relationship--10e87e4b-a231-42e3-a011-0031f8226936", - "created": "2022-09-26T17:15:51.819Z", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-09-26T17:15:51.819Z", - "description": "Monitor for firmware changes which may be observable via operational alarms from devices.", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--9d56be63-3501-4dd3-bb5f-63c580833298", - "target_ref": "attack-pattern--b9160e77-ea9e-4ba9-b1c8-53a3c466b13d", - "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "2.1.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "type": "relationship", - "id": "relationship--d90aeeb6-3686-483a-8403-6514ecfe1a50", - "created": "2018-04-18T17:59:24.739Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "external_references": [ - { - "source_name": "ICS-CERT August 2018", - "description": "ICS-CERT 2018, August 22 Advisory (ICSA-14-178-01) Retrieved. 2019/04/01 ", - "url": "https://ics-cert.us-cert.gov/advisories/ICSA-14-178-01" - } - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-10-12T17:23:33.379Z", - "description": "The [Backdoor.Oldrea](https://attack.mitre.org/software/S0093) payload has caused multiple common OPC platforms to intermittently crash. This could cause a denial of service effect on applications reliant on OPC communications. 
(Citation: ICS-CERT August 2018)", + "modified": "2022-10-12T17:23:47.107Z", + "description": "The [Backdoor.Oldrea](https://attack.mitre.org/software/S0093) RAT is distributed through a trojanized installer attached to emails. (Citation: Daavid Hentunen, Antti Tikkanen June 2014)", "relationship_type": "uses", "source_ref": "malware--083bb47b-02c8-4423-81a2-f9ef58572974", - "target_ref": "attack-pattern--1b22b676-9347-4c55-9a35-ef0dc653db5b", + "target_ref": "attack-pattern--648f995e-9c3a-41e4-aeee-98bb41037426", "x_mitre_deprecated": false, "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, - { - "type": "relationship", - "id": "relationship--7a55fc66-0d5c-4ef6-af28-d4a4bb84381d", - "created": "2017-12-14T16:46:06.044Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "external_references": [ - { - "source_name": "Hydro", - "description": "Hydro Kevin Beaumont How Lockergoga took down Hydro ransomware used in targeted attacks aimed at big business Retrieved. 2019/10/16 Retrieved. 2019/10/16 ", - "url": "https://www.hydro.com/en/media/on-the-agenda/cyber-attack/" - }, - { - "source_name": "Kevin Beaumont", - "description": "Kevin Beaumont How Lockergoga took down Hydro ransomware used in targeted attacks aimed at big business Retrieved. 2019/10/16 ", - "url": "https://doublepulsar.com/how-lockergoga-took-down-hydro-ransomware-used-in-targeted-attacks-aimed-at-big-business-c666551f5880" - } - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-10-12T17:56:48.612Z", - "description": "Some of Norsk Hydro's production systems were impacted by a [LockerGoga](https://attack.mitre.org/software/S0372) infection. This resulted in a loss of view which forced the company to switch to manual operations. 
(Citation: Kevin Beaumont) (Citation: Hydro)", - "relationship_type": "uses", - "source_ref": "malware--5af7a825-2d9f-400d-931a-e00eb9e27f48", - "target_ref": "attack-pattern--138979ba-0430-4de6-a128-2fc0b056ba36", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "type": "relationship", - "id": "relationship--b0fe8a56-cb76-4d79-9ba9-9358ef08aa08", - "created": "2022-05-11T16:22:58.806Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-09-26T16:59:13.486Z", - "description": "Monitor for device alarms produced when parameters are changed, although not all devices will produce such alarms.", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--9d56be63-3501-4dd3-bb5f-63c580833298", - "target_ref": "attack-pattern--097924ce-a9a9-4039-8591-e0deedfb8722", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "type": "relationship", - "id": "relationship--cba8313b-c338-45f7-88ef-a514094882ac", - "created": "2022-09-28T20:28:39.348Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "external_references": [ - { - "source_name": "Wylie-22", - "description": "Jimmy Wylie. (2022, August). Analyzing PIPEDREAM: Challenges in Testing an ICS Attack Toolkit. 
Defcon 30.", - "url": "https://media.defcon.org/DEF%20CON%2030/DEF%20CON%2030%20presentations/Jimmy%20Wylie%20-%20Analyzing%20PIPEDREAM%20Challenges%20in%20testing%20an%20ICS%20attack%20toolkit.pdf" - } - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-10-13T16:53:47.446Z", - "description": "[INCONTROLLER](https://attack.mitre.org/software/S1045) has the ability to exploit a vulnerable Asrock driver (AsrDrv103.sys) using CVE-2020-15368 to load its own unsigned driver on the system.(Citation: Wylie-22)", - "relationship_type": "uses", - "source_ref": "malware--d3aa1058-b1b3-4c29-a3ba-9a9b90ccd93b", - "target_ref": "attack-pattern--cfe68e93-ce94-4c0f-a57d-3aa72cedd618", - "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", - "id": "relationship--b2e10e48-8bd9-472a-9c6f-1d38650e8df1", + "id": "relationship--973f5884-a076-413e-ac96-f0bd01375fb6", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.239Z", - "relationship_type": "mitigates", - "description": "Techniques can include (i) reducing transmission power on wireless signals, (ii) adjusting antenna gain to prevent extensions beyond organizational boundaries, and (iii) employing RF shielding techniques to block excessive signal propagation. 
(Citation: DHS National Urban Security Technology Laboratory April 2019)\n", - "source_ref": "course-of-action--fce6866f-9a87-4d3e-a73c-f02d8937fe0e", - "target_ref": "attack-pattern--2877063e-1851-48d2-bcc6-bc1d2733157e", - "external_references": [ - { - "source_name": "DHS National Urban Security Technology Laboratory April 2019", - "description": "DHS National Urban Security Technology Laboratory 2019, April Radio Frequency Detection, Spectrum Analysis, and Direction Finding Equipment Retrieved. 2020/09/17 ", - "url": "https://www.dhs.gov/sites/default/files/saver-msr-rf-detection_cod-508_10july2019.pdf" - } - ], - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - "type": "relationship", - "id": "relationship--d8911566-f622-4a01-b765-514dbbfd8201", - "created": "2022-09-28T20:27:01.345Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "external_references": [ - { - "source_name": "Wylie-22", - "description": "Jimmy Wylie. (2022, August). Analyzing PIPEDREAM: Challenges in Testing an ICS Attack Toolkit. 
Defcon 30.", - "url": "https://media.defcon.org/DEF%20CON%2030/DEF%20CON%2030%20presentations/Jimmy%20Wylie%20-%20Analyzing%20PIPEDREAM%20Challenges%20in%20testing%20an%20ICS%20attack%20toolkit.pdf" - } - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-10-13T16:53:47.447Z", - "description": "[INCONTROLLER](https://attack.mitre.org/software/S1045) can deploy Tcpdump to sniff network traffic and collect PCAP files.(Citation: Wylie-22) ", - "relationship_type": "uses", - "source_ref": "malware--d3aa1058-b1b3-4c29-a3ba-9a9b90ccd93b", - "target_ref": "attack-pattern--38213338-1aab-479d-949b-c81b66ccca5c", - "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "relationship", - "id": "relationship--be950e87-80ac-49ea-810a-553c7f72151b", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.073Z", - "relationship_type": "mitigates", - "description": "Devices should authenticate all messages between master and outstation assets.\n", - "source_ref": "course-of-action--72e46e53-e12d-4106-9c70-33241b6ed549", - "target_ref": "attack-pattern--8e7089d3-fba2-44f8-94a8-9a79c53920c4", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - "type": "relationship", - "id": "relationship--ccae6e5d-8a9e-4bab-ae77-26a2bd722f67", "created": "2021-04-13T11:15:26.506Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "external_references": [ - { - "source_name": "Nicolas Falliere, Liam O Murchu, Eric Chien February 2011", - "description": "Nicolas Falliere, 
Liam O Murchu, Eric Chien 2011, February W32.Stuxnet Dossier (Version 1.4) Retrieved. 2017/09/22 ", - "url": "https://www.wired.com/images_blogs/threatlevel/2011/02/Symantec-Stuxnet-Update-Feb-2011.pdf" - } - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-09-20T21:19:13.497Z", - "description": "[Stuxnet](https://attack.mitre.org/software/S0603) infects OB1 so that its malicious code sequence is executed at the start of a cycle. It also infects OB35. OB35 acts as a watchdog, and on certain conditions, it can stop the execution of OB1. (Citation: Nicolas Falliere, Liam O Murchu, Eric Chien February 2011)", - "relationship_type": "uses", - "source_ref": "malware--088f1d6e-0783-47c6-9923-9c79b2af43d4", + "modified": "2022-05-06T17:47:24.153Z", + "relationship_type": "mitigates", + "description": "Utilize code signatures to verify the integrity of the installed program on safety or control assets has not been changed.\n", + "source_ref": "course-of-action--71eb7dad-07eb-4bbc-9df0-ac57bf2fba4a", "target_ref": "attack-pattern--09a61657-46e1-439e-b3ed-3e4556a78243", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "type": "relationship", - "id": "relationship--ce0d3a3a-9c62-4bfb-a47a-7b1b23e9f035", - "created": "2022-05-11T16:22:58.804Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-09-27T17:48:59.046Z", - "description": "In the case of detecting collection from centralized information repositories monitor for third-party application logging, messaging, and/or other artifacts that may leverage information repositories to mine valuable information. 
Information repositories generally have a considerably large user base, detection of malicious use can be non-trivial. At minimum, access to information repositories performed by privileged users (for example, Active Directory Domain, Enterprise, or Schema Administrators) should be closely monitored and alerted upon, as these types of accounts should generally not be used to access information repositories. If the capability exists, it may be of value to monitor and alert on users that are retrieving and viewing a large number of documents and pages; this behavior may be indicative of programmatic means being used to retrieve all data within the repository. In environments with high-maturity, it may be possible to leverage User-Behavioral Analytics (UBA) platforms to detect and alert on user-based anomalies. For added context on adversary procedures and background see [Data from Information Repositories](https://attack.mitre.org/techniques/T1213).", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--9c2fa0ae-7abc-485a-97f6-699e3b6cf9fa", - "target_ref": "attack-pattern--3405891b-16aa-4bd7-bd7c-733501f9b20f", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "type": "relationship", - "id": "relationship--8b491011-322d-4e0b-8f79-449e1b2ee185", - "created": "2022-05-11T16:22:58.805Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-10-14T16:55:26.030Z", - "description": "Monitor newly constructed processes that assist in lateral tool transfers, such as file transfer programs.", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--3d20385b-24ef-40e1-9f56-f39750379077", - "target_ref": 
"attack-pattern--ead7bd34-186e-4c79-9a4d-b65bcce6ed9d", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "type": "relationship", - "id": "relationship--c347b69c-e3f6-4eca-ba57-0781c7dc8eac", - "created": "2021-04-13T12:28:20.652Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "external_references": [ - { - "source_name": "Dragos Threat Intelligence February 2020", - "description": "Dragos Threat Intelligence 2020, February 03 EKANS Ransomware and ICS Operations Retrieved. 2021/04/12 ", - "url": "https://www.dragos.com/blog/industry-news/ekans-ransomware-and-ics-operations/" - } - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-10-12T17:48:00.088Z", - "description": "[EKANS](https://attack.mitre.org/software/S0605) masquerades itself as a valid executable with the filename update.exe. Many valid programs use the process name update.exe to perform background software updates. 
(Citation: Dragos Threat Intelligence February 2020)", - "relationship_type": "uses", - "source_ref": "malware--00e7d565-9883-4ee5-b642-8fd17fd6a3f5", - "target_ref": "attack-pattern--ba203963-3182-41ac-af14-7e7ebc83cd61", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "type": "relationship", - "id": "relationship--8b136d10-1fd7-4cd4-a3a7-b648b23adc92", - "created": "2022-05-11T16:22:58.807Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-10-14T19:32:18.214Z", - "description": "Monitor for changes made to firmware for unexpected modifications to settings and/or data that may be used by rootkits to hide the presence of programs, files, network connections, services, drivers, and other system components. Asset management systems should be consulted to understand known-good firmware versions and configurations.", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--b9d031bb-d150-4fc6-8025-688201bf3ffd", - "target_ref": "attack-pattern--3b6b9246-43f8-4c69-ad7a-2b11cfe0a0d9", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "type": "relationship", - "id": "relationship--3a7d1db3-9383-4171-8938-382e9b0375c6", - "created": "2017-12-14T16:46:06.044Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "external_references": [ - { - "source_name": "Booz Allen Hamilton", - "description": "Booz Allen Hamilton When The Lights Went Out Retrieved. 
2019/10/22 ", - "url": "https://www.boozallen.com/content/dam/boozallen/documents/2016/09/ukraine-report-when-the-lights-went-out.pdf" - } - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-10-12T17:36:37.304Z", - "description": "[BlackEnergy](https://attack.mitre.org/software/S0089) uses HTTP POST request to contact external command and control servers. (Citation: Booz Allen Hamilton)\n", - "relationship_type": "uses", - "source_ref": "malware--54cc1d4f-5c53-4f0e-9ef5-11b4998e82e4", - "target_ref": "attack-pattern--e076cca8-2f08-45c9-aff7-ea5ac798b387", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "type": "relationship", - "id": "relationship--3d4ea0e2-9f51-40f9-a22b-8265f696fd83", - "created": "2022-05-11T16:22:58.805Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-09-26T19:19:04.853Z", - "description": "Monitor logon activity for unexpected or unusual access to devices from the Internet.", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--39b9db72-8b48-4595-a18d-db5bbba3091b", - "target_ref": "attack-pattern--f8df6b57-14bc-425f-9a91-6f59f6799307", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", - "id": "relationship--0f8a6c14-1050-404a-bb6e-4fe107d5b6cd", + "id": "relationship--7d5759cd-890e-4ec5-b92b-aba225d52960", 
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.197Z", + "modified": "2022-05-06T17:47:24.079Z", "relationship_type": "mitigates", - "description": "Devices should authenticate all messages between master and outstation assets.\n", + "description": "Authenticateconnections fromsoftware and devices to prevent unauthorized systems from accessing protected management functions.\n", "source_ref": "course-of-action--72e46e53-e12d-4106-9c70-33241b6ed549", - "target_ref": "attack-pattern--b14395bd-5419-4ef4-9bd8-696936f509bb", + "target_ref": "attack-pattern--2883c520-7957-46ca-89bd-dab1ad53b601", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0" }, - { - "type": "relationship", - "id": "relationship--13fb2612-7c23-4b9d-a6e1-76f78062fc52", - "created": "2022-05-11T16:22:58.807Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-10-14T19:38:23.604Z", - "description": "Monitor executed commands and arguments that may attempt to take screen captures of the desktop to gather information over the course of an operation.", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--685f917a-e95e-4ba0-ade1-c7d354dae6e0", - "target_ref": "attack-pattern--c5e3cdbc-0387-4be9-8f83-ff5c0865f377", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", - "id": "relationship--c0efb24a-2329-401a-bba6-817f2867bb3f", + "id": "relationship--028a3bcc-f299-4061-a0f2-8da85e0a3c81", "created_by_ref": 
"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.183Z", + "modified": "2022-05-06T17:47:24.177Z", "relationship_type": "mitigates", - "description": "Use host-based allowlists to prevent devices from accepting connections from unauthorized systems. For example, allowlists can be used to ensure devices can only connect with master stations or known management/engineering workstations. (Citation: Department of Homeland Security September 2016)\n", - "source_ref": "course-of-action--aadac250-bcdc-44e3-a4ae-f52bd0a7a16a", - "target_ref": "attack-pattern--3067b85e-271e-4bc5-81ad-ab1a81d411e3", - "external_references": [ - { - "source_name": "Department of Homeland Security September 2016", - "description": "Department of Homeland Security 2016, September Retrieved. 2020/09/25 ", - "url": "https://us-cert.cisa.gov/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf" - } - ], + "description": "Authenticate connections from software and devices to prevent unauthorized systems from accessing protected management functions.\n", + "source_ref": "course-of-action--72e46e53-e12d-4106-9c70-33241b6ed549", + "target_ref": "attack-pattern--be69c571-d746-4b1f-bdd0-c0c9817e9068", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0" }, { "type": "relationship", - "id": "relationship--93e24e03-6425-4ee8-99bb-c3a662c6cdce", - "created": "2018-04-18T17:59:24.739Z", + "id": "relationship--7c1eee62-3307-4e25-8a20-919ccd56ec1c", + "created": "2022-09-29T01:37:13.671Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { - "source_name": "DHS CISA February 2019", - "description": "DHS CISA 2019, February 27 MAR-17-352-01 HatManSafety System Targeted Malware (Update B) Retrieved. 
2019/03/08 ", - "url": "https://ics-cert.us-cert.gov/sites/default/files/documents/MAR-17-352-01%20HatMan%20-%20Safety%20System%20Targeted%20Malware%20%28Update%20B%29.pdf" + "source_name": "Wylie-22", + "description": "Jimmy Wylie. (2022, August). Analyzing PIPEDREAM: Challenges in Testing an ICS Attack Toolkit. Defcon 30.", + "url": "https://media.defcon.org/DEF%20CON%2030/DEF%20CON%2030%20presentations/Jimmy%20Wylie%20-%20Analyzing%20PIPEDREAM%20Challenges%20in%20testing%20an%20ICS%20attack%20toolkit.pdf" + }, + { + "source_name": "Brubaker-Incontroller", + "description": "Nathan Brubaker, Keith Lunden, Ken Proska, Muhammad Umair, Daniel Kapellmann Zafra, Corey Hildebrandt, Rob Caldwell. (2022, April 13). INCONTROLLER: New State-Sponsored Cyber Attack Tools Target Multiple Industrial Control Systems. Retrieved September 28, 2022.", + "url": "https://www.mandiant.com/resources/incontroller-state-sponsored-ics-tool" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2022-10-12T18:27:42.104Z", - "description": "[Triton](https://attack.mitre.org/software/S1009) is able to read, write and execute code in memory on the safety controller at an arbitrary address within the devices firmware region. This allows the malware to make changes to the running firmware in memory and modify how the device operates. 
(Citation: DHS CISA February 2019)", + "modified": "2022-10-13T16:53:47.441Z", + "description": "[INCONTROLLER](https://attack.mitre.org/software/S1045) can use the CODESYS protocol to download programs to Schneider PLCs.(Citation: Wylie-22)(Citation: Brubaker-Incontroller) \n\n[INCONTROLLER](https://attack.mitre.org/software/S1045) can modified program logic on Omron PLCs using either the program download or backup transfer functions available through the HTTP server.(Citation: Wylie-22) ", "relationship_type": "uses", - "source_ref": "malware--80099a91-4c86-4bea-9ccb-dac55d61960e", - "target_ref": "attack-pattern--b9160e77-ea9e-4ba9-b1c8-53a3c466b13d", + "source_ref": "malware--d3aa1058-b1b3-4c29-a3ba-9a9b90ccd93b", + "target_ref": "attack-pattern--be69c571-d746-4b1f-bdd0-c0c9817e9068", "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "type": "relationship", - "id": "relationship--dadfed22-d70c-482b-9026-964396d75484", - "created": "2022-05-11T16:22:58.805Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-10-14T19:42:28.053Z", - "description": "Monitor for behaviors on the endpoint system that might indicate successful compromise, such as abnormal behaviors of browser processes. This could include suspicious files written to disk.", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--3d20385b-24ef-40e1-9f56-f39750379077", - "target_ref": "attack-pattern--7830cfcf-b268-4ac0-a69e-73c6affbae9a", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", + "x_mitre_version": "0.1", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, 
@@ -12949,22 +17377,28 @@
 "object_marking_refs": [
 "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
 ],
+ "id": "relationship--e9f5096e-b9fc-459a-a303-88763b1269cc",
 "type": "relationship",
- "id": "relationship--a08d85dd-a8b3-4848-94aa-941c43b6d8f2",
+ "created": "2020-05-14T14:41:42.975Z",
 "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "created": "2020-09-21T17:59:24.739Z",
- "modified": "2022-05-06T17:47:24.069Z",
- "relationship_type": "mitigates",
- "description": "Prevent unauthorized systems from accessing control servers or field devices containing industrial information, especially services used for common automation protocols (e.g., DNP3, OPC).\n",
- "source_ref": "course-of-action--1e7ccfc0-94c8-496e-8d27-032120892291",
- "target_ref": "attack-pattern--3de230d4-3e42-4041-b089-17e1128feded",
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_version": "1.0"
+ "external_references": [
+ {
+ "description": "McKeague, B. et al. (2019, April 5). Pick-Six: Intercepting a FIN6 Intrusion, an Actor Recently Tied to Ryuk and LockerGoga Ransomware. Retrieved April 17, 2019.",
+ "url": "https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html",
+ "source_name": "FireEye FIN6 Apr 2019"
+ }
+ ],
+ "modified": "2020-05-15T19:15:35.568Z",
+ "description": "(Citation: FireEye FIN6 Apr 2019)",
+ "relationship_type": "uses",
+ "source_ref": "intrusion-set--2a7914cf-dff3-428d-ab0f-1014d1c28aeb",
+ "target_ref": "malware--a020a61c-423f-4195-8c46-ba1d21abba37",
+ "x_mitre_version": "1.0",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
 },
 {
 "type": "relationship",
- "id": "relationship--874752f4-59a2-46e9-ae28-befe0142b223",
+ "id": "relationship--28afd84d-a53e-4b2f-9bee-133f7da6982a",
 "created": "2017-12-14T16:46:06.044Z",
 "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
 "revoked": false,
@@ -12978,11 +17412,11 @@
 "object_marking_refs": [
 "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
 ],
- "modified": "2022-09-30T14:37:52.169Z",
- "description": "[Stuxnet](https://attack.mitre.org/software/S0603) uses a hardcoded password in the WinCC software's database server as one of the mechanisms used to propagate to nearby systems. (Citation: Nicolas Falliere, Liam O Murchu, Eric Chien February 2011)",
+ "modified": "2022-09-20T21:10:43.996Z",
+ "description": "[Stuxnet](https://attack.mitre.org/software/S0603) copies the input area of an I/O image into data blocks with a one second interval between copies, forming a 21 second recording of the input area. The input area contains information being passed to the PLC from a peripheral. For example, the current state of a valve or the temperature of a device. (Citation: Nicolas Falliere, Liam O Murchu, Eric Chien February 2011)",
 "relationship_type": "uses",
 "source_ref": "malware--088f1d6e-0783-47c6-9923-9c79b2af43d4",
- "target_ref": "attack-pattern--c9a8d958-fcdb-40d2-af4c-461c8031651a",
+ "target_ref": "attack-pattern--53a48c74-0025-45f4-b04a-baa853df8204",
 "x_mitre_deprecated": false,
 "x_mitre_version": "1.0",
 "x_mitre_attack_spec_version": "2.1.0",
@@ -12993,900 +17427,13 @@ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", - "id": "relationship--2ff82993-5010-4450-89e7-341f449f3263", + "id": "relationship--ae10e97a-90ac-498b-8601-01081dc4af8b", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.092Z", + "created": "2021-04-12T18:59:17.429Z", + "modified": "2022-05-06T17:47:24.188Z", "relationship_type": "mitigates", - "description": "Consider periodic reviews of accounts and privileges for critical and sensitive repositories.\n", - "source_ref": "course-of-action--bcf91ebc-f316-4e19-b2f6-444e9940c697", - "target_ref": "attack-pattern--3405891b-16aa-4bd7-bd7c-733501f9b20f", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "relationship", - "id": "relationship--968830b7-ee80-4a6e-96a4-9fc70470e4a9", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.112Z", - "relationship_type": "mitigates", - "description": "Regularly scan externally facing systems for vulnerabilities and establish procedures to rapidly patch systems when critical vulnerabilities are discovered through scanning and public disclosure.\n", - "source_ref": "course-of-action--de0bc375-50e1-4e26-a342-a8ff8c9d3037", - "target_ref": "attack-pattern--32632a95-6856-47b9-9ab7-fea5cd7dce00", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "relationship", - "id": "relationship--b9632b4d-43c3-4bfa-88e0-629245acb8eb", - 
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.091Z", - "relationship_type": "mitigates", - "description": "Ensure users and user groups have appropriate permissions for their roles through Identity and Access Management (IAM) controls to prevent misuse. Implement user accounts for each individual that may access the repositories for role enforcement and non-repudiation of actions.\n", + "description": "Limit the accounts that may use remote services. Limit the permissions for accounts that are at higher risk of compromise; for example, configure SSH so users can only run specific programs.\n", "source_ref": "course-of-action--e57ebc6d-785f-40c8-adb1-b5b5e09b3b48", - "target_ref": "attack-pattern--3405891b-16aa-4bd7-bd7c-733501f9b20f", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "relationship", - "id": "relationship--bc74ff8f-d5fa-40fb-8c0b-f16af3ff36e3", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.218Z", - "relationship_type": "mitigates", - "description": "Apply DLP to protect the confidentiality of information related to operational processes, facility locations, device configurations, programs, or databases that may have information that can be used to infer organizational trade-secrets, recipes, and other intellectual property (IP).\n", - "source_ref": "course-of-action--337c4e2a-21a7-4d9a-bfee-9efd6cebf0e5", - "target_ref": "attack-pattern--b7e13ee8-182c-4f19-92a4-a88d7d855d54", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - "type": 
"relationship", - "id": "relationship--4b57e41c-246f-44b3-b259-1811d5275e10", - "created": "2022-09-26T15:16:32.057Z", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-09-26T15:16:32.057Z", - "description": "Consult asset management systems to understand expected alarm settings.", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--b05a614b-033c-4578-b4f2-c63a9feee706", - "target_ref": "attack-pattern--e5de767e-f513-41cd-aa15-33f6ce5fbf92", - "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "2.1.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "type": "relationship", - "id": "relationship--792324b4-064a-430c-8ffc-7f7acd537778", - "created": "2018-10-17T00:14:20.652Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "external_references": [ - { - "source_name": "Symantec", - "description": "Symantec W32.Duqu The precursor to the next Stuxnet Retrieved. 
2019/11/03 ", - "url": "https://docs.broadcom.com/doc/w32-duqu-11-en" - } - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-10-12T17:44:27.955Z", - "description": "[Duqu](https://attack.mitre.org/software/S0038)'s purpose is to gather intelligence data and assets from entities such as industrial infrastructure and system manufacturers, amongst others not in the industrial sector, in order to more easily conduct a future attack against another third party.(Citation: Symantec)", - "relationship_type": "uses", - "source_ref": "malware--68dca94f-c11d-421e-9287-7c501108e18c", - "target_ref": "attack-pattern--b7e13ee8-182c-4f19-92a4-a88d7d855d54", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "type": "relationship", - "id": "relationship--f9625775-662c-425e-9ea0-6cb3f3bf5c3c", - "created": "2022-05-11T16:22:58.807Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-09-26T14:34:29.743Z", - "description": "Monitor for unexpected ICS protocol command functions to controllers from existing master devices (including from new processes) or from new devices. 
The latter is like detection for [Rogue Master](https://attack.mitre.org/techniques/T0848) but requires ICS function level insight to determine if an unauthorized device is issuing commands (e.g., a historian).\n\nMonitoring for unexpected or problematic values below the function level will provide better insights into potentially malicious activity but at the cost of additional false positives depending on the underlying operational process.", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c", - "target_ref": "attack-pattern--40b300ba-f553-48bf-862e-9471b220d455", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "relationship", - "id": "relationship--6c15ec9f-2b48-419c-adc1-f989833f6187", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2021-10-14T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.224Z", - "relationship_type": "mitigates", - "description": "Install anti-virus software on all workstation and transient assets that may have external access, such as to web, email, or remote file shares.\n", - "source_ref": "course-of-action--faf2b40e-5981-433f-aa46-17458e0026f7", - "target_ref": "attack-pattern--35392fb4-a31d-4c6a-b9f2-1c65b7f5e6b9", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "relationship", - "id": "relationship--b960c5ed-1ea8-4dde-9203-c02d291d3bc6", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.222Z", - 
"relationship_type": "mitigates", - "description": "Use host-based allowlists to prevent devices from accepting connections from unauthorized systems. For example, allowlists can be used to ensure devices can only connect with master stations or known management/engineering workstations. (Citation: Department of Homeland Security September 2016)\n", - "source_ref": "course-of-action--aadac250-bcdc-44e3-a4ae-f52bd0a7a16a", - "target_ref": "attack-pattern--40b300ba-f553-48bf-862e-9471b220d455", - "external_references": [ - { - "source_name": "Department of Homeland Security September 2016", - "description": "Department of Homeland Security 2016, September Retrieved. 2020/09/25 ", - "url": "https://us-cert.cisa.gov/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf" - } - ], - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "relationship", - "id": "relationship--8f90363e-2825-4178-807f-9268a28760fa", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.195Z", - "relationship_type": "mitigates", - "description": "Enforce system policies or physical restrictions to limit hardware such as USB devices on critical assets.\n", - "source_ref": "course-of-action--9e3adcad-0b8f-4ecc-a2f3-06f607f53bf0", - "target_ref": "attack-pattern--c267bbee-bb59-47fe-85e0-3ed210337c21", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - "type": "relationship", - "id": "relationship--7f3ab726-ca49-4d47-b2b5-6246c6e4fdd3", - "created": "2022-09-26T15:24:07.122Z", - "revoked": false, - "object_marking_refs": [ - 
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-09-26T15:24:07.122Z", - "description": "Monitor asset application logs which may provide information about requests for points or tags. Look for anomalies related to reading point or tag data, such as new assets using these functions, changes in volume or timing, or unusual information being queried. Many devices provide multiple ways to achieve the same result (e.g., functions with/without an acknowledgment or functions that operate on a single point vs. multiple points). Monitor for changes in the functions used.", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--9c2fa0ae-7abc-485a-97f6-699e3b6cf9fa", - "target_ref": "attack-pattern--25852363-5968-4673-b81d-341d5ed90bd1", - "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "2.1.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "type": "relationship", - "id": "relationship--591620d3-5549-49db-9080-43f86a68a590", - "created": "2021-04-13T12:08:26.506Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "external_references": [ - { - "source_name": "DHS CISA February 2019", - "description": "DHS CISA 2019, February 27 MAR-17-352-01 HatManSafety System Targeted Malware (Update B) Retrieved. 
2019/03/08 ", - "url": "https://ics-cert.us-cert.gov/sites/default/files/documents/MAR-17-352-01%20HatMan%20-%20Safety%20System%20Targeted%20Malware%20%28Update%20B%29.pdf" - } - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-10-12T18:25:07.936Z", - "description": "[Triton](https://attack.mitre.org/software/S1009) leverages a previously-unknown vulnerability affecting Tricon MP3008 firmware versions 10.010.4 allows an insecurely-written system call to be exploited to achieve an arbitrary 2-byte write primitive, which is then used to gain supervisor privileges. (Citation: DHS CISA February 2019)", - "relationship_type": "uses", - "source_ref": "malware--80099a91-4c86-4bea-9ccb-dac55d61960e", - "target_ref": "attack-pattern--cfe68e93-ce94-4c0f-a57d-3aa72cedd618", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "relationship", - "id": "relationship--10626671-941d-4a82-a835-56059058ef87", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.065Z", - "relationship_type": "mitigates", - "description": "Use host-based allowlists to prevent devices from accepting connections from unauthorized systems. For example, allowlists can be used to ensure devices can only connect with master stations or known management/engineering workstations. 
(Citation: Department of Homeland Security September 2016)\n", - "source_ref": "course-of-action--aadac250-bcdc-44e3-a4ae-f52bd0a7a16a", - "target_ref": "attack-pattern--19a71d1e-6334-4233-8260-b749cae37953", - "external_references": [ - { - "source_name": "Department of Homeland Security September 2016", - "description": "Department of Homeland Security 2016, September Retrieved. 2020/09/25 ", - "url": "https://us-cert.cisa.gov/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf" - } - ], - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "relationship", - "id": "relationship--04fa6b94-d633-40ff-9ab2-88f58c07c3e1", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.218Z", - "relationship_type": "mitigates", - "description": "Perform integrity checks of firmware before uploading it on a device. Utilize cryptographic hashes to verify the firmware has not been tampered with by comparing it to a trusted hash of the firmware. 
This could be from trusted data sources (e.g., vendor site) or through a third-party verification service.\n", - "source_ref": "course-of-action--bcf91ebc-f316-4e19-b2f6-444e9940c697", - "target_ref": "attack-pattern--b9160e77-ea9e-4ba9-b1c8-53a3c466b13d", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "relationship", - "id": "relationship--0ffdee1a-1e83-4506-aba2-38c55812abb3", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.137Z", - "relationship_type": "mitigates", - "description": "Ensure that all SIS are segmented from operational networks to prevent them from being targeted by additional adversarial behavior.\n", - "source_ref": "course-of-action--da44255d-85c5-492c-baf3-ee823d44f848", - "target_ref": "attack-pattern--5fa00fdd-4a55-4191-94a0-564181d7fec2", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - "type": "relationship", - "id": "relationship--ca3c4d4b-cf53-4489-904f-8a220e421aeb", - "created": "2018-10-17T00:14:20.652Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "external_references": [ - { - "source_name": "Anton Cherepanov, ESET June 2017", - "description": "Anton Cherepanov, ESET 2017, June 12 Win32/Industroyer: A new threat for industrial control systems Retrieved. 
2017/09/15 ", - "url": "https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf" - } - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-09-23T18:57:51.953Z", - "description": "[Industroyer](https://attack.mitre.org/software/S0604)'s OPC module can brute force values and will send out a 0x01 status which for the target systems equates to a Primary Variable Out of Limits misdirecting operators from understanding protective relay status. (Citation: Anton Cherepanov, ESET June 2017)", - "relationship_type": "uses", - "source_ref": "malware--e401d4fe-f0c9-44f0-98e6-f93487678808", - "target_ref": "attack-pattern--4c2e1408-9d68-4187-8e6b-a77bc52700ec", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "relationship", - "id": "relationship--5804ae3d-0daf-47a5-b026-d42878f55803", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.166Z", - "relationship_type": "mitigates", - "description": "This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.\n", - "source_ref": "course-of-action--469b78dd-a54d-4f7c-8c3b-4a1dd916b433", - "target_ref": "attack-pattern--2d0d40ad-22fa-4cc8-b264-072557e1364b", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - "type": "relationship", - "id": "relationship--c63c35c2-a402-4d0d-bf25-f48eb9b379c1", - "created": "2022-05-11T16:22:58.807Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - 
"object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-09-26T14:26:20.823Z", - "description": "Spoofed reporting messages may be detected by reviewing the content of automation protocols, either through detecting based on expected values or comparing to other out of band process data sources. Spoofed messages may not precisely match legitimate messages which may lead to malformed traffic, although traffic may be malformed for many benign reasons. Monitor reporting messages for changes in how they are constructed.\n\nVarious techniques enable spoofing a reporting message. Consider monitoring for [Rogue Master](https://attack.mitre.org/techniques/T0848) and [Adversary-in-the-Middle](https://attack.mitre.org/techniques/T0830) activity.", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c", - "target_ref": "attack-pattern--8535b71e-3c12-4258-a4ab-40257a1becc4", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "type": "relationship", - "id": "relationship--7a79ff35-319a-4e7d-b8c7-72f0bb0f8978", - "created": "2022-09-26T14:29:33.111Z", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-09-26T14:29:33.111Z", - "description": "Various techniques enable spoofing a reporting message. Monitor for LLMNR/NBT-NS poisoning via new services/daemons which may be used to enable this technique. 
For added context on adversary procedures and background see [LLMNR/NBT-NS Poisoning and SMB Relay](https://attack.mitre.org/techniques/T1557/001).", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--da85d358-741a-410d-9433-20d6269a6170", - "target_ref": "attack-pattern--8535b71e-3c12-4258-a4ab-40257a1becc4", - "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "2.1.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "type": "relationship", - "id": "relationship--a946c9b1-5b89-44c9-b617-3412ffda34b9", - "created": "2018-04-18T17:59:24.739Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "external_references": [ - { - "source_name": "MDudek-ICS", - "description": "MDudek-ICS TRISIS-TRITON-HATMAN Retrieved. 2019/11/03 ", - "url": "https://github.com/MDudek-ICS/TRISIS-TRITON-HATMAN/tree/master/decompiled_code/library" - } - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-10-12T18:27:55.358Z", - "description": "[Triton](https://attack.mitre.org/software/S1009) calls the SafeAppendProgramMod to transfer its payloads to the Tricon. Part of this call includes preforming a program upload. 
(Citation: MDudek-ICS)", - "relationship_type": "uses", - "source_ref": "malware--80099a91-4c86-4bea-9ccb-dac55d61960e", - "target_ref": "attack-pattern--3067b85e-271e-4bc5-81ad-ab1a81d411e3", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "relationship", - "id": "relationship--ae7487f1-a2d0-443d-b418-cd726c5ac15f", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.167Z", - "relationship_type": "mitigates", - "description": "Network connection enumeration is likely obtained by using common system tools (e.g., netstat, ipconfig).\n", - "source_ref": "course-of-action--469b78dd-a54d-4f7c-8c3b-4a1dd916b433", - "target_ref": "attack-pattern--ea0c980c-5cf0-43a7-a049-59c4c207566e", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - "type": "relationship", - "id": "relationship--b4b698a7-b80e-41f6-8ca2-a954270cceb3", - "created": "2022-09-27T17:37:02.670Z", - "revoked": false, - "external_references": [ - { - "source_name": "Nzyme Alerts Intro", - "description": "Koopmann, Lennart. (n.d.). Nzyme Alerts Introduction. Retrieved September 26, 2022.", - "url": "https://www.nzyme.org/docs/alerts/intro" - }, - { - "source_name": "Wireless Intrusion Detection", - "description": "Tomko, A.; Rieser, C; Buell, H.; Zeret, D.; Turner, W.. (2007, March). Wireless Intrusion Detection. 
Retrieved September 26, 2022.", - "url": "https://apps.dtic.mil/sti/pdfs/ADA466332.pdf" - } - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-09-27T17:37:02.670Z", - "description": "Purely passive network sniffing cannot be detected effectively. In cases where the adversary interacts with the wireless network (e.g., joining a Wi-Fi network) detection may be possible. Monitor for new or irregular network traffic flows which may indicate potentially unwanted devices or sessions on wireless networks. In Wi-Fi networks monitor for changes such as rogue access points or low signal strength, indicating a device is further away from the access point then expected and changes in the physical layer signal.(Citation: Nzyme Alerts Intro) (Citation: Wireless Intrusion Detection) Network traffic content will provide important context, such as hardware (e.g., MAC) addresses, user accounts, and types of messages sent.", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--a7f22107-02e5-4982-9067-6625d4a1765a", - "target_ref": "attack-pattern--0fe075d5-beac-4d02-b93e-0f874997db72", - "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "2.1.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "relationship", - "id": "relationship--1fc147bd-d6ab-4beb-908b-0fbe8e125b76", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.235Z", - "relationship_type": "mitigates", - "description": "Ensure users and user groups have appropriate permissions for their roles through Identity and Access Management (IAM) controls. 
Implement strict IAM controls to prevent access to systems except for the applications, users, and services that require access. Implement user accounts for each individual for enforcement and non-repudiation of actions.\n", - "source_ref": "course-of-action--e57ebc6d-785f-40c8-adb1-b5b5e09b3b48", - "target_ref": "attack-pattern--cd2c76a4-5e23-4ca5-9c40-d5e0604f7101", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "relationship", - "id": "relationship--652a68a2-a26b-4e8c-86dd-fd83187ed043", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.198Z", - "relationship_type": "mitigates", - "description": "Use host-based allowlists to prevent devices from accepting connections from unauthorized systems. For example, allowlists can be used to ensure devices can only connect with master stations or known management/engineering workstations. (Citation: Department of Homeland Security September 2016)\n", - "source_ref": "course-of-action--aadac250-bcdc-44e3-a4ae-f52bd0a7a16a", - "target_ref": "attack-pattern--b14395bd-5419-4ef4-9bd8-696936f509bb", - "external_references": [ - { - "source_name": "Department of Homeland Security September 2016", - "description": "Department of Homeland Security 2016, September Retrieved. 
2020/09/25 ", - "url": "https://us-cert.cisa.gov/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf" - } - ], - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "relationship", - "id": "relationship--f45c2df8-30e7-45d0-8067-7b2870767574", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.180Z", - "relationship_type": "mitigates", - "description": "All field controllers should require users to authenticate for all remote or local management sessions. The authentication mechanisms should also support [Account Use Policies](https://attack.mitre.org/mitigations/M0936), [Password Policies](https://attack.mitre.org/mitigations/M0927), and [User Account Management](https://attack.mitre.org/mitigations/M0918).", - "source_ref": "course-of-action--66cfe23e-34b6-4583-b178-ed6a412db2b0", - "target_ref": "attack-pattern--3067b85e-271e-4bc5-81ad-ab1a81d411e3", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "relationship", - "id": "relationship--b2defaaf-625d-416e-8a9d-8be6d89bacdc", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.192Z", - "relationship_type": "mitigates", - "description": "ICS environments typically have more statically defined devices, therefore minimize the use of both IT discovery protocols (e.g., DHCP, LLDP) and discovery functions in automation protocols. (Citation: D. Parsons and D. 
Wylie September 2019) (Citation: Colin Gray) Examples of automation protocols with discovery capabilities include OPC UA Device Discovery (Citation: Josh Rinaldi April 2016), BACnet (Citation: Aditya K Sood July 2019), and Ethernet/IP. (Citation: Langner November 2018)\n", - "source_ref": "course-of-action--52c7a1a9-3a78-4528-a44f-cd7b0fa3541a", - "target_ref": "attack-pattern--d5a69cfb-fc2a-46cb-99eb-74b236db5061", - "external_references": [ - { - "source_name": "D. Parsons and D. Wylie September 2019", - "description": "D. Parsons and D. Wylie 2019, September Practical Industrial Control System (ICS) Cybersecurity: IT and OT Have Converged Discover and Defend Your Assets Retrieved. 2020/09/25 ", - "url": "https://www.csiac.org/journal-article/practical-industrial-control-system-ics-cybersecurity-it-and-ot-have-converged-discover-and-defend-your-assets/" - }, - { - "source_name": "Colin Gray", - "description": "Colin Gray D. Parsons and D. Wylie 2019, September Practical Industrial Control System (ICS) Cybersecurity: IT and OT Have Converged Discover and Defend Your Assets Retrieved. 2020/09/25 How SDN Can Improve Cybersecurity in OT Networks Retrieved. 2020/09/25 ", - "url": "https://cdn.selinc.com/assets/Literature/Publications/Technical%20Papers/6891_HowSDN_CG_20180720_Web2.pdf?v=20190312-231901" - }, - { - "source_name": "Josh Rinaldi April 2016", - "description": "Josh Rinaldi 2016, April Still a Thrill: OPC UA Device Discovery Retrieved. 2020/09/25 ", - "url": "https://www.rtautomation.com/rtas-blog/still-a-thrill-opc-ua-device-discovery/" - }, - { - "source_name": "Aditya K Sood July 2019", - "description": "Aditya K Sood 2019, July Discovering and fingerprinting BACnet devices Retrieved. 2020/09/25 ", - "url": "https://www.helpnetsecurity.com/2019/07/10/bacnet-devices/" - }, - { - "source_name": "Langner November 2018", - "description": "Langner 2018, November Why Ethernet/IP changes the OT asset discovery game Retrieved. 
2020/09/25 ", - "url": "https://www.langner.com/2018/11/why-ethernet-ip-changes-the-ot-asset-discovery-game/" - } - ], - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - "type": "relationship", - "id": "relationship--c43fbdc0-4c1d-4ff8-9dd2-fd45199dcfaa", - "created": "2022-09-27T16:35:12.372Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-10-14T16:47:35.207Z", - "description": "Monitor for suspicious account behavior across systems that share accounts, either user, admin, or service accounts. Examples: one account logged into multiple systems simultaneously; multiple accounts logged into the same machine simultaneously; accounts logged in at odd times or outside of business hours. Activity may be from interactive login sessions or process ownership from accounts being used to execute binaries on a remote system as a particular account.", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--39b9db72-8b48-4595-a18d-db5bbba3091b", - "target_ref": "attack-pattern--cd2c76a4-5e23-4ca5-9c40-d5e0604f7101", - "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "relationship", - "id": "relationship--e09e253c-fd28-49ae-988e-1f80d769e8b8", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.227Z", - "relationship_type": "mitigates", - "description": "Prevent the use of unsigned executables, such as installers and scripts.\n", - "source_ref": 
"course-of-action--71eb7dad-07eb-4bbc-9df0-ac57bf2fba4a", - "target_ref": "attack-pattern--2736b752-4ec5-4421-a230-8977dea7649c", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "relationship", - "id": "relationship--01b4a92f-da42-4dfa-8d59-53709b65940e", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.203Z", - "relationship_type": "mitigates", - "description": "Limit privileges of user accounts and groups so that only authorized administrators can change service states and configurations.\n", - "source_ref": "course-of-action--e57ebc6d-785f-40c8-adb1-b5b5e09b3b48", - "target_ref": "attack-pattern--063b5b92-5361-481a-9c3f-95492ed9a2d8", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - "type": "relationship", - "id": "relationship--1f6b87f3-6749-4caa-98d3-265ebbe0ecbe", - "created": "2022-05-11T16:22:58.805Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-10-14T16:56:06.055Z", - "description": "Monitor for alike file hashes or characteristics (ex: filename) that are created on multiple hosts. 
", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--639e87f3-acb6-448a-9645-258f20da4bc5", - "target_ref": "attack-pattern--ead7bd34-186e-4c79-9a4d-b65bcce6ed9d", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "type": "relationship", - "id": "relationship--9d75333b-2542-4899-923f-55dc1e077a51", - "created": "2022-09-27T16:03:41.224Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-10-14T16:45:52.592Z", - "description": "Anti-virus can potentially detect malicious documents and files that are downloaded and executed on the user's computer. Endpoint sensing or network sensing can potentially detect malicious events once the file is opened (such as a Microsoft Word document or PDF reaching out to the internet or spawning PowerShell).", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--235b7491-2d2b-4617-9a52-3c0783680f71", - "target_ref": "attack-pattern--2736b752-4ec5-4421-a230-8977dea7649c", - "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "relationship", - "id": "relationship--b72b7dfd-f134-4324-84b8-52ff13fc6b5c", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.128Z", - "relationship_type": "mitigates", - "description": "Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses. 
Perform periodic integrity checks of the device to validate the correctness of the firmware, software, programs, and configurations. Integrity checks, which typically include cryptographic hashes or digital signatures, should be compared to those obtained at known valid states, especially after events like device reboots, program downloads, or program restarts.\n", - "source_ref": "course-of-action--bcf91ebc-f316-4e19-b2f6-444e9940c697", - "target_ref": "attack-pattern--ab390887-afc0-4715-826d-b1b167d522ae", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - "type": "relationship", - "id": "relationship--83c8c216-7ff7-4bd3-9db4-573469628d95", - "created": "2018-10-17T00:14:20.652Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "external_references": [ - { - "source_name": "Joe Slowik August 2019", - "description": "Joe Slowik 2019, August 15 CRASHOVERRIDE: Reassessing the 2016 Ukraine Electric Power Event as a Protection-Focused Attack Retrieved. 2019/10/22 ", - "url": "https://dragos.com/wp-content/uploads/CRASHOVERRIDE.pdf" - } - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-09-23T18:48:43.457Z", - "description": "The [Industroyer](https://attack.mitre.org/software/S0604) SPIROTEC DoS module places the victim device into firmware update mode. This is a legitimate use case under normal circumstances, but in this case is used the adversary to prevent the SPIROTEC from performing its designed protective functions. As a result the normal safeguards are disabled, leaving an unprotected link in the electric transmission. 
(Citation: Joe Slowik August 2019)", - "relationship_type": "uses", - "source_ref": "malware--e401d4fe-f0c9-44f0-98e6-f93487678808", - "target_ref": "attack-pattern--19a71d1e-6334-4233-8260-b749cae37953", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "type": "relationship", - "id": "relationship--76654cf3-5cfe-4bf4-b134-806fd75b1ddb", - "created": "2022-09-20T20:55:00.134Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "external_references": [ - { - "source_name": "Pinellas County Sheriffs Office February 2021", - "description": "Pinellas County Sheriffs Office 2021, February 8 Treatment Plant Intrusion Press Conference Retrieved. 2021/10/08 ", - "url": "https://www.youtube.com/watch?v=MkXDSOgLQ6M" - } - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-10-18T13:25:44.859Z", - "description": "During the [Oldsmar Treatment Plant Intrusion](https://attack.mitre.org/campaigns/C0009), the threat actors utilized the operator HMI interface through the graphical user interface. 
This action led to immediate operator detection as they were able to see the adversary making changes on their screen.(Citation: Pinellas County Sheriffs Office February 2021)", - "relationship_type": "uses", - "source_ref": "campaign--65281d3e-b03c-46b8-8cd8-716363ac3cb2", - "target_ref": "attack-pattern--b0628bfc-5376-4a38-9182-f324501cb4cf", - "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "type": "relationship", - "id": "relationship--c473686a-2452-4ee6-bf1d-54bf3e575d95", - "created": "2022-05-11T16:22:58.804Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-10-14T19:42:42.363Z", - "description": "Firewalls and proxies can inspect URLs for potentially known-bad domains or parameters. They can also do reputation-based analytics on websites and their requested resources such as how old a domain is, who it's registered to, if it's on a known bad list, or how many other users have connected to it before.", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--9c2fa0ae-7abc-485a-97f6-699e3b6cf9fa", - "target_ref": "attack-pattern--7830cfcf-b268-4ac0-a69e-73c6affbae9a", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "type": "relationship", - "id": "relationship--0d540b53-6a5d-4f56-9dee-47707443b149", - "created": "2022-05-11T16:22:58.806Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-09-30T16:00:14.208Z", - "description": "Monitor ICS automation network 
protocols for functions related to reading an operational process state (e.g., “Read” function codes in protocols like DNP3 or Modbus). In some cases, there may be multiple ways to monitor an operational process’ state, one of which is typically used in the operational environment. Monitor for the operating mode being checked in unexpected ways.", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c", - "target_ref": "attack-pattern--2d0d40ad-22fa-4cc8-b264-072557e1364b", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "relationship", - "id": "relationship--b9e82422-b072-494f-99c1-fcab07b90133", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.146Z", - "relationship_type": "mitigates", - "description": "Require signed binaries.\n", - "source_ref": "course-of-action--71eb7dad-07eb-4bbc-9df0-ac57bf2fba4a", - "target_ref": "attack-pattern--ba203963-3182-41ac-af14-7e7ebc83cd61", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - "type": "relationship", - "id": "relationship--ee2fdebd-1587-4e53-a7d7-c15fcc88879d", - "created": "2017-12-14T16:46:06.044Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "external_references": [ - { - "source_name": "Booz Allen Hamilton", - "description": "Booz Allen Hamilton When The Lights Went Out Retrieved. 
2019/10/22 ", - "url": "https://www.boozallen.com/content/dam/boozallen/documents/2016/09/ukraine-report-when-the-lights-went-out.pdf" - } - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-10-12T17:35:50.632Z", - "description": "[BlackEnergy](https://attack.mitre.org/software/S0089) utilizes valid user and administrator credentials, in addition to creating new administrator accounts to maintain presence. (Citation: Booz Allen Hamilton)\n", - "relationship_type": "uses", - "source_ref": "malware--54cc1d4f-5c53-4f0e-9ef5-11b4998e82e4", - "target_ref": "attack-pattern--cd2c76a4-5e23-4ca5-9c40-d5e0604f7101", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "relationship", - "id": "relationship--ebc34374-2dee-4dc1-b0b7-f31ae94dab11", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.175Z", - "relationship_type": "mitigates", - "description": "Protocols used for device management should authenticate all network messages to prevent unauthorized system changes.\n", - "source_ref": "course-of-action--c7257b6e-4159-4771-b1f3-2bb93adaecac", - "target_ref": "attack-pattern--be69c571-d746-4b1f-bdd0-c0c9817e9068", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "relationship", - "id": "relationship--71e9230d-eec8-4ce1-bc96-9288bacc8b13", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2020-09-21T17:59:24.739Z", - "modified": 
"2022-05-06T17:47:24.140Z", - "relationship_type": "mitigates", - "description": "To protect against MITM, authentication mechanisms should not send credentials across the network in plaintext and should also implement mechanisms to prevent replay attacks (such as nonces or timestamps). Challenge-response based authentication techniques that do not directly send credentials over the network provide better protection from MITM.\n", - "source_ref": "course-of-action--72e46e53-e12d-4106-9c70-33241b6ed549", - "target_ref": "attack-pattern--9a505987-ab05-4f46-a9a6-6441442eec3b", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - "type": "relationship", - "id": "relationship--81117328-e2bb-431c-a1ca-6ba7e6816637", - "created": "2022-09-26T16:25:38.511Z", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-09-26T16:25:38.511Z", - "description": "Consult asset management systems to understand expected program versions.", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--b05a614b-033c-4578-b4f2-c63a9feee706", - "target_ref": "attack-pattern--be69c571-d746-4b1f-bdd0-c0c9817e9068", - "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "2.1.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "relationship--b349ef5f-4a05-4eef-afe4-1543b8c832fa", - "type": "relationship", - "created": "2017-05-31T21:33:27.070Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "external_references": [ - { - "url": "https://www.fireeye.com/blog/threat-research/2016/01/ukraine-and-sandworm-team.html", - "description": 
"Hultquist, J.. (2016, January 7). Sandworm Team and the Ukrainian Power Authority Attacks. Retrieved October 6, 2017.", - "source_name": "iSIGHT Sandworm 2014" - }, - { - "url": "https://blog-assets.f-secure.com/wp-content/uploads/2019/10/15163408/BlackEnergy_Quedagh.pdf", - "description": "F-Secure Labs. (2014). BlackEnergy & Quedagh: The convergence of crimeware and APT attacks. Retrieved March 24, 2016.", - "source_name": "F-Secure BlackEnergy 2014" - }, - { - "source_name": "US District Court Indictment GRU Unit 74455 October 2020", - "url": "https://www.justice.gov/opa/press-release/file/1328521/download", - "description": "Scott W. Brady. (2020, October 15). United States vs. Yuriy Sergeyevich Andrienko et al.. Retrieved November 25, 2020." - }, - { - "source_name": "UK NCSC Olympic Attacks October 2020", - "url": "https://www.gov.uk/government/news/uk-exposes-series-of-russian-cyber-attacks-against-olympic-and-paralympic-games", - "description": "UK NCSC. (2020, October 19). UK exposes series of Russian cyber attacks against Olympic and Paralympic Games . Retrieved November 30, 2020." - }, - { - "source_name": "Secureworks IRON VIKING ", - "url": "https://www.secureworks.com/research/threat-profiles/iron-viking", - "description": "Secureworks. (2020, May 1). IRON VIKING Threat Profile. Retrieved June 10, 2020." 
- } - ], - "modified": "2022-02-28T17:02:50.401Z", - "description": "(Citation: iSIGHT Sandworm 2014)(Citation: F-Secure BlackEnergy 2014)(Citation: US District Court Indictment GRU Unit 74455 October 2020)(Citation: UK NCSC Olympic Attacks October 2020)(Citation: Secureworks IRON VIKING )", - "relationship_type": "uses", - "source_ref": "intrusion-set--381fcf73-60f6-4ab2-9991-6af3cbc35192", - "target_ref": "malware--54cc1d4f-5c53-4f0e-9ef5-11b4998e82e4", - "x_mitre_version": "1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "relationship", - "id": "relationship--842a2b85-4e77-4eb6-99e1-c4a231aadf48", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.187Z", - "relationship_type": "mitigates", - "description": "Network allowlists can be implemented through either host-based files or system host files to specify what external connections (e.g., IP address, MAC address, port, protocol) can be made from a device.\n", - "source_ref": "course-of-action--aadac250-bcdc-44e3-a4ae-f52bd0a7a16a", "target_ref": "attack-pattern--e1f9cdd2-9511-4fca-90d7-f3e92cfdd0bf", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", 
@@ -13897,570 +17444,31 @@ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", - "id": "relationship--69576d3c-d0e8-459e-9f2e-0b9c560b2e04", + "id": "relationship--41b87fd8-6e4d-4e53-a282-c85292fdaa22", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.218Z", - "relationship_type": "mitigates", - "description": "Example mitigations could include minimizing its distribution/storage or obfuscating the information (e.g., facility coverterms, codenames). In many cases this information may be necessary to support critical engineering, maintenance, or operational functions, therefore, it may not be feasible to implement.\n", - "source_ref": "course-of-action--99c746d7-a08a-4169-94f9-b8c0dad716fa", - "target_ref": "attack-pattern--b7e13ee8-182c-4f19-92a4-a88d7d855d54", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "relationship", - "id": "relationship--5ae1cf3a-2603-4bf9-ace3-5b1ee5d8d757", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.180Z", - "relationship_type": "mitigates", - "description": "All field controllers should restrict program uploads to only certain users (e.g., engineers, field technician), preferably through implementing a role-based access mechanism.\n", - "source_ref": "course-of-action--e0d38502-decb-481d-ad8b-b8f0a0c330bd", - "target_ref": "attack-pattern--3067b85e-271e-4bc5-81ad-ab1a81d411e3", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - "type": "relationship", - "id": 
"relationship--1d35c947-447f-4693-9ab0-32dff56e664e", - "created": "2021-04-13T12:45:26.506Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "external_references": [ - { - "source_name": "Nicolas Falliere, Liam O Murchu, Eric Chien February 2011", - "description": "Nicolas Falliere, Liam O Murchu, Eric Chien 2011, February W32.Stuxnet Dossier (Version 1.4) Retrieved. 2017/09/22 ", - "url": "https://www.wired.com/images_blogs/threatlevel/2011/02/Symantec-Stuxnet-Update-Feb-2011.pdf" - } - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-09-29T20:19:47.429Z", - "description": "[Stuxnet](https://attack.mitre.org/software/S0603) enumerates and parses the System Data Blocks (SDB) using the s7blk_findfirst and s7blk_findnext API calls in s7otbxdx.dll. Stuxnet must find an SDB with the DWORD at offset 50h equal to 0100CB2Ch. This specifies that the system uses the Profibus communications processor module CP 342-5. In addition, specific values are searched for and counted: 7050h and 9500h. 7050h is assigned to part number KFC750V3 which appears to be a frequency converter drive (also known as variable frequency drive) manufactured by Fararo Paya in Teheran, Iran. 9500h is assigned to Vacon NX frequency converter drives manufactured by Vacon based in Finland.(Citation: Nicolas Falliere, Liam O Murchu, Eric Chien February 2011)\n\n[Stuxnet](https://attack.mitre.org/software/S0603) was specifically targeting CPUs 6ES7-315-2 (Series 300) with special system data block characteristics for sequence A or B and 6ES7-315-2 for sequence C. 
The PLC type can also be checked using the s7ag_read_szl API.(Citation: Nicolas Falliere, Liam O Murchu, Eric Chien February 2011)", - "relationship_type": "uses", - "source_ref": "malware--088f1d6e-0783-47c6-9923-9c79b2af43d4", - "target_ref": "attack-pattern--2fedbe69-581f-447d-8a78-32ee7db939a9", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "type": "relationship", - "id": "relationship--87eb5825-c918-444f-8da5-67da9eea9906", - "created": "2022-09-26T17:14:52.427Z", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-09-26T17:14:52.427Z", - "description": "Monitor device application logs for firmware changes, although not all devices will produce such logs.", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--9c2fa0ae-7abc-485a-97f6-699e3b6cf9fa", - "target_ref": "attack-pattern--b9160e77-ea9e-4ba9-b1c8-53a3c466b13d", - "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "2.1.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "type": "relationship", - "id": "relationship--83e5ebce-8d5d-43ca-a47f-ecb50ae8993a", - "created": "2022-05-11T16:22:58.807Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-10-14T16:32:52.932Z", - "description": "Monitor for newly constructed drive letters or mount points to removable media.", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--3d6e6b3b-4aa8-40e1-8c47-91db0f313d9f", - "target_ref": "attack-pattern--c267bbee-bb59-47fe-85e0-3ed210337c21", - 
"x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "type": "relationship", - "id": "relationship--a1454196-0d86-49f2-8dcb-61145a16b21e", - "created": "2022-09-26T20:36:04.428Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-10-14T16:33:05.248Z", - "description": "Monitor for files accessed on removable media, particularly those with executable content.", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--235b7491-2d2b-4617-9a52-3c0783680f71", - "target_ref": "attack-pattern--c267bbee-bb59-47fe-85e0-3ed210337c21", - "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "relationship", - "id": "relationship--dc35c44a-a90c-48a1-8811-af2618216e42", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.124Z", - "relationship_type": "mitigates", - "description": "Use strong multi-factor authentication for remote service accounts to mitigate an adversary's ability to leverage stolen credentials. 
Be aware ofmulti-factor authentication interceptiontechniques for some implementations.\n", - "source_ref": "course-of-action--ddf3e568-f065-49e2-9106-42029a28ddbd", - "target_ref": "attack-pattern--8d2f3bab-507c-4424-b58b-edc977bd215c", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "relationship", - "id": "relationship--ca768c2a-0f14-471c-90a5-bce649e88d51", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.105Z", - "relationship_type": "mitigates", - "description": "Application denylists can be used to block automation protocol functions used to initiate device shutdowns or restarts, such as DNP3's 0x0D function code, or vulnerabilities that can be used to trigger device shutdowns (e.g., CVE-2014-9195, CVE-2015-5374).\n", - "source_ref": "course-of-action--11f242bc-3121-438c-84b2-5cbd46a4bb17", - "target_ref": "attack-pattern--25dfc8ad-bd73-4dfd-84a9-3c3d383f76e9", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "relationship", - "id": "relationship--cf8ac499-8c1c-4615-b933-7587f1b9488b", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.216Z", + "modified": "2022-05-06T17:47:24.160Z", "relationship_type": "mitigates", "description": "The encryption of firmware should be considered to prevent adversaries from identifying possible vulnerabilities within the firmware.\n", - "source_ref": "course-of-action--9f99fcfd-772e-4e63-9d39-e45612e546dc", - 
"target_ref": "attack-pattern--b9160e77-ea9e-4ba9-b1c8-53a3c466b13d", + "source_ref": "course-of-action--7f153c28-e5f1-4764-88fb-eea1d9b0ad4a", + "target_ref": "attack-pattern--efbf7888-f61b-4572-9c80-7e2965c60707", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0" }, - { - "type": "relationship", - "id": "relationship--567acebd-4ba2-4723-a74d-514992321ccc", - "created": "2022-05-11T16:22:58.803Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-09-26T15:03:27.702Z", - "description": "Monitor for lack of operational process data which may help identify a loss of communications. This will not directly detect the technique’s execution, but instead may provide additional evidence that the technique has been used and may complement other detections.", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--931b3fc6-ad68-42a8-9018-e98515eedc95", - "target_ref": "attack-pattern--008b8f56-6107-48be-aa9f-746f927dbb61", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "type": "relationship", - "id": "relationship--0beb0088-3bea-4612-b2d9-ff9988f829ae", - "created": "2018-04-18T17:59:24.739Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "external_references": [ - { - "source_name": "Jacqueline O'Leary et al. September 2017", - "description": "Jacqueline O'Leary et al. 2017, September 20 Insights into Iranian Cyber Espionage: APT33 Targets Aerospace and Energy Sectors and has Ties to Destructive Malware Retrieved. 
2019/12/02 ", - "url": "https://www.fireeye.com/blog/threat-research/2017/09/apt33-insights-into-iranian-cyber-espionage.html" - }, - { - "source_name": "Junnosuke Yagi March 2017", - "description": "Junnosuke Yagi 2017, March 07 Trojan.Stonedrill Retrieved. 2019/12/05 ", - "url": "https://www.symantec.com/security-center/writeup/2017-030708-4403-99" - } - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-10-12T15:41:15.111Z", - "description": "[APT33](https://attack.mitre.org/groups/G0064) utilize backdoors capable of capturing screenshots once installed on a system. (Citation: Jacqueline O'Leary et al. September 2017)(Citation: Junnosuke Yagi March 2017)", - "relationship_type": "uses", - "source_ref": "intrusion-set--fbd29c89-18ba-4c2d-b792-51c0adee049f", - "target_ref": "attack-pattern--c5e3cdbc-0387-4be9-8f83-ff5c0865f377", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "type": "relationship", - "id": "relationship--13809e98-1d74-4c39-b882-9d523c76cbde", - "created": "2021-04-13T12:36:26.506Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "external_references": [ - { - "source_name": "Jos Wetzels January 2018", - "description": "Jos Wetzels 2018, January 16 Analyzing the TRITON industrial malware Retrieved. 
2019/10/22 ", - "url": "https://www.midnightbluelabs.com/blog/2018/1/16/analyzing-the-triton-industrial-malware" - } - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-10-12T18:24:07.929Z", - "description": "[Triton](https://attack.mitre.org/software/S1009)'s imain.bin payload takes commands from the TsHi.ExplReadRam(Ex), TsHi.ExplWriteRam(Ex) and TsHi.ExplExec functions to perform operations on controller memory and registers using syscalls written in PowerPC shellcode. (Citation: Jos Wetzels January 2018)", - "relationship_type": "uses", - "source_ref": "malware--80099a91-4c86-4bea-9ccb-dac55d61960e", - "target_ref": "attack-pattern--b52870cc-83f3-473c-b895-72d91751030b", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", - "id": "relationship--6637d8e6-6578-4d15-a993-d63ced4c4464", + "id": "relationship--7041d8e5-3b74-402a-86b3-fd59def80632", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.099Z", - "relationship_type": "mitigates", - "description": "Authenticate all access to field controllers before authorizing access to, or modification of, a device's state, logic, or programs. 
Centralized authentication techniques can help manage the large number of field controller accounts needed across the ICS.\n", - "source_ref": "course-of-action--3992ce42-43e9-4bea-b8db-a102ec3ec1e3", - "target_ref": "attack-pattern--2aa406ed-81c3-4c1d-ba83-cfbee5a2847a", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "relationship", - "id": "relationship--2971151c-0e8a-4567-84dc-01cf5dd35005", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.199Z", - "relationship_type": "mitigates", - "description": "Digital signatures may be used to ensure application DLLs are authentic prior to execution.\n", - "source_ref": "course-of-action--71eb7dad-07eb-4bbc-9df0-ac57bf2fba4a", - "target_ref": "attack-pattern--3b6b9246-43f8-4c69-ad7a-2b11cfe0a0d9", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "relationship", - "id": "relationship--b1768154-221c-48be-ab2b-549ec1eddafb", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.068Z", - "relationship_type": "mitigates", - "description": "Segment operational assets and their management devices based on their functional role within the process. Enabling more strict isolation to more critical control and operational information within the control environment. 
(Citation: Karen Scarfone; Paul Hoffman September 2009) (Citation: Keith Stouffer May 2015) (Citation: Department of Homeland Security September 2016) (Citation: Dwight Anderson 2014) \n", - "source_ref": "course-of-action--1e7ccfc0-94c8-496e-8d27-032120892291", - "target_ref": "attack-pattern--2900bbd8-308a-4274-b074-5b8bde8347bc", - "external_references": [ - { - "source_name": "Karen Scarfone; Paul Hoffman September 2009", - "description": "Karen Scarfone; Paul Hoffman 2009, September Guidelines on Firewalls and Firewall Policy Retrieved. 2020/09/25 ", - "url": "https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-41r1.pdf" - }, - { - "source_name": "Keith Stouffer May 2015", - "description": "Keith Stouffer 2015, May Guide to Industrial Control Systems (ICS) Security Retrieved. 2018/03/28 ", - "url": "https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-82r2.pdf" - }, - { - "source_name": "Department of Homeland Security September 2016", - "description": "Department of Homeland Security 2016, September Retrieved. 2020/09/25 ", - "url": "https://us-cert.cisa.gov/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf" - }, - { - "source_name": "Dwight Anderson 2014", - "description": "Dwight Anderson 2014 Protect Critical Infrastructure Systems With Whitelisting Retrieved. 
2020/09/25 ", - "url": "https://www.sans.org/reading-room/whitepapers/ICS/protect-critical-infrastructure-systems-whitelisting-35312" - } - ], - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - "type": "relationship", - "id": "relationship--9d9cd365-8cfe-403f-8ecb-3c23650c13c3", - "created": "2022-09-26T14:44:05.557Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-10-14T16:49:44.728Z", - "description": "Monitor for files (such as /etc/hosts) being accessed that may attempt to get a listing of other systems by IP address, hostname, or other logical identifier on a network that may be used for Lateral Movement from the current system.", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--235b7491-2d2b-4617-9a52-3c0783680f71", - "target_ref": "attack-pattern--2fedbe69-581f-447d-8a78-32ee7db939a9", - "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "relationship", - "id": "relationship--f703f8b2-b6b9-41f3-a551-6bb3647c45cc", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.147Z", - "relationship_type": "mitigates", - "description": "Use file system access controls to protect system and application folders.\n", - "source_ref": "course-of-action--f9fcb3ec-6de0-4559-8cd9-ef1c0c7d1971", - "target_ref": "attack-pattern--ba203963-3182-41ac-af14-7e7ebc83cd61", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": 
"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "relationship", - "id": "relationship--a91002fe-21b2-4417-9c23-af712a7a035c", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2021-04-13T11:15:26.506Z", - "modified": "2022-05-06T17:47:24.156Z", - "relationship_type": "mitigates", - "description": "Utilize code signatures to verify the integrity of the installed program on safety or control assets has not been changed.\n", - "source_ref": "course-of-action--71eb7dad-07eb-4bbc-9df0-ac57bf2fba4a", - "target_ref": "attack-pattern--fc5fda7e-6b2c-4457-b036-759896a2efa2", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - "type": "relationship", - "id": "relationship--641813ea-66a9-4949-848f-db83420aac39", - "created": "2021-04-11T14:06:54.109Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "external_references": [ - { - "source_name": "Electricity Information Sharing and Analysis Center; SANS Industrial Control Systems March 2016", - "description": "Electricity Information Sharing and Analysis Center; SANS Industrial Control Systems 2016, March 18 Analysis of the Cyber Attack on the Ukranian Power Grid: Defense Use Case Retrieved. 
2018/03/27 ", - "url": "https://assets.contentstack.io/v3/assets/blt36c2e63521272fdc/blt6a77276749b76a40/607f235992f0063e5c070fff/E-ISAC_SANS_Ukraine_DUC_5%5b73%5d.pdf" - } - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-10-12T16:56:04.784Z", - "description": "In the Ukraine 2015 Incident, [Sandworm Team](https://attack.mitre.org/groups/G0034) issued unauthorized commands to substation breakers after gaining control of operator workstations and accessing a distribution management system (DMS) client application. (Citation: Electricity Information Sharing and Analysis Center; SANS Industrial Control Systems March 2016)", - "relationship_type": "uses", - "source_ref": "intrusion-set--381fcf73-60f6-4ab2-9991-6af3cbc35192", - "target_ref": "attack-pattern--40b300ba-f553-48bf-862e-9471b220d455", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "type": "relationship", - "id": "relationship--e1461f8d-6a16-4526-ac0b-0acd27ae8065", - "created": "2022-05-11T16:22:58.806Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-10-14T16:40:47.334Z", - "description": "Collect file hashes. Monitor for file names that do not match their expected hash. Perform file monitoring. Files with known names but in unusual locations are suspect. Look for indications of common characters that may indicate an attempt to trick users into misidentifying the file type, such as a space as the last character of a file name or the right-to-left override characters\"\\u202E\", \"[U+202E]\", and \"%E2%80%AE\". 
For added context on adversary procedures and background see [Masquerading](https://attack.mitre.org/techniques/T1036) and applicable sub-techniques.", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--639e87f3-acb6-448a-9645-258f20da4bc5", - "target_ref": "attack-pattern--ba203963-3182-41ac-af14-7e7ebc83cd61", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "relationship", - "id": "relationship--bcaa4f7e-2e84-4bbb-9fb7-ca8fb003108f", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.214Z", - "relationship_type": "mitigates", - "description": "Authenticateconnections fromsoftware and devices to prevent unauthorized systems from accessing protected management functions.\n", - "source_ref": "course-of-action--72e46e53-e12d-4106-9c70-33241b6ed549", - "target_ref": "attack-pattern--b9160e77-ea9e-4ba9-b1c8-53a3c466b13d", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - "type": "relationship", - "id": "relationship--c726e8af-9b98-4ce9-b8f4-3e82e59d5374", - "created": "2022-09-26T14:35:27.430Z", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-09-26T14:35:27.430Z", - "description": "Monitor for new or unexpected connections to controllers, which could indicate an Unauthorized Command Message being sent via [Rogue Master](https://attack.mitre.org/techniques/T0848).", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--a7f22107-02e5-4982-9067-6625d4a1765a", - "target_ref": 
"attack-pattern--40b300ba-f553-48bf-862e-9471b220d455", - "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "2.1.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "relationship", - "id": "relationship--41adaf0b-b7ae-4bdb-9a5b-567fd0911d7a", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.145Z", - "relationship_type": "mitigates", - "description": "Protocols used for control functions should provide authenticity through MAC functions or digital signatures. If not, utilize bump-in-the-wire devices or VPNs to enforce communication authenticity between devices that are not capable of supporting this (e.g., legacy controllers, RTUs).\n", - "source_ref": "course-of-action--c7257b6e-4159-4771-b1f3-2bb93adaecac", - "target_ref": "attack-pattern--4c2e1408-9d68-4187-8e6b-a77bc52700ec", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - "type": "relationship", - "id": "relationship--7912946d-1605-465a-a55c-36bb104235ab", - "created": "2022-09-27T16:08:53.157Z", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-09-27T16:08:53.157Z", - "description": "Monitor device alarms that indicate the program has changed, although not all devices produce such alarms.", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--9d56be63-3501-4dd3-bb5f-63c580833298", - "target_ref": "attack-pattern--fc5fda7e-6b2c-4457-b036-759896a2efa2", - "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "2.1.0", - 
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "relationship", - "id": "relationship--5f03ee5d-534c-454c-aae3-b41130b00286", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2021-04-13T12:08:26.506Z", - "modified": "2022-05-06T17:47:24.117Z", - "relationship_type": "mitigates", - "description": "Make it difficult for adversaries to advance their operation through exploitation of undiscovered or unpatched vulnerabilities by using sandboxing. Other types of virtualization and application microsegmentation may also mitigate the impact of some types of exploitation. Risks of additional exploits and weaknesses in these systems may still exist. (Citation: Dan Goodin March 2017)\n", - "source_ref": "course-of-action--059ba11e-e3dc-49aa-84ca-88197f40d4ea", - "target_ref": "attack-pattern--cfe68e93-ce94-4c0f-a57d-3aa72cedd618", - "external_references": [ - { - "source_name": "Dan Goodin March 2017", - "description": "Dan Goodin 2017, March Virtual machine escape fetches $105,000 at Pwn2Own hacking contest Retrieved. 
2020/09/25 ", - "url": "https://arstechnica.com/information-technology/2017/03/hack-that-escapes-vm-by-exploiting-edge-browser-fetches-105000-at-pwn2own/" - } - ], - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - "type": "relationship", - "id": "relationship--fe22637e-7187-4990-b24a-5dc851eec736", - "created": "2022-05-11T16:22:58.803Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-09-26T15:08:55.507Z", - "description": "Monitor for lack of operational process data which may help identify a loss of communications. This will not directly detect the technique’s execution, but instead may provide additional evidence that the technique has been used and may complement other detections.", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--931b3fc6-ad68-42a8-9018-e98515eedc95", - "target_ref": "attack-pattern--3f1f4ccb-9be2-4ff8-8f69-dd972221169b", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "type": "relationship", - "id": "relationship--9902691c-aaf2-48a1-b1ca-cd6f652ae1c6", - "created": "2018-10-17T00:14:20.652Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "external_references": [ - { - "source_name": "Anton Cherepanov, ESET June 2017", - "description": "Anton Cherepanov, ESET 2017, June 12 Win32/Industroyer: A new threat for industrial control systems Retrieved. 
2017/09/15 ", - "url": "https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf" - } - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-09-23T18:53:25.280Z", - "description": "[Industroyer](https://attack.mitre.org/software/S0604) is able to block serial COM channels temporarily causing a denial of control. (Citation: Anton Cherepanov, ESET June 2017)", - "relationship_type": "uses", - "source_ref": "malware--e401d4fe-f0c9-44f0-98e6-f93487678808", - "target_ref": "attack-pattern--e33c7ecc-5a38-497f-beb2-a9a2049a4c20", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "relationship", - "id": "relationship--e852e64c-b5e0-4e7f-a189-bbc7aa7932c7", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.097Z", + "modified": "2022-05-06T17:47:24.135Z", "relationship_type": "mitigates", "description": "Hot-standbys in diverse locations can ensure continued operations if the primarily system are compromised or unavailable. At the network layer, protocols such as the Parallel Redundancy Protocol can be used to simultaneously use redundant and diverse communication over a local network. (Citation: M. Rentschler and H. Heine)\n", "source_ref": "course-of-action--f0f5c87a-a58d-440a-b3b5-ca679d98c6dd", - "target_ref": "attack-pattern--56ddc820-6cfb-407f-850b-52c035d123ac", + "target_ref": "attack-pattern--a81696ef-c106-482c-8f80-59c30f2569fb", "external_references": [ { "source_name": "M. Rentschler and H. Heine", 
@@ -14477,14 +17485,14 @@
 "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
 ],
 "type": "relationship",
- "id": "relationship--3f335e8f-68da-4b06-9d96-f371ddaf23e6",
+ "id": "relationship--139bb9e7-e5fd-4366-b2e6-4f74a73ec984",
 "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
 "created": "2020-09-21T17:59:24.739Z",
- "modified": "2022-05-06T17:47:24.236Z",
+ "modified": "2022-05-06T17:47:24.071Z",
 "relationship_type": "mitigates",
- "description": "Ensure wireless networks require the authentication of all devices, and that all wireless devices also authenticate network infrastructure devices (i.e., mutual authentication). For defense-in-depth purposes, utilize VPNs or ensure that application-layer protocols also authenticate the system or device. Use protocols that provide strong authentication (e.g., IEEE 802.1X), and enforce basic protections, such as MAC filtering, when stronger cryptographic techniques are not available.\n",
- "source_ref": "course-of-action--72e46e53-e12d-4106-9c70-33241b6ed549",
- "target_ref": "attack-pattern--2877063e-1851-48d2-bcc6-bc1d2733157e",
+ "description": "Unauthorized connections can be prevented by statically defining the hosts and ports used for automation protocol connections.\n",
+ "source_ref": "course-of-action--52c7a1a9-3a78-4528-a44f-cd7b0fa3541a",
+ "target_ref": "attack-pattern--3f1f4ccb-9be2-4ff8-8f69-dd972221169b",
 "x_mitre_attack_spec_version": "2.1.0",
 "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
 "x_mitre_version": "1.0"
@@ -14494,14 +17502,21 @@ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", - "id": "relationship--cd297a7b-4b02-407e-a798-e36fef4cf3a1", + "id": "relationship--8ecf5eac-7767-411b-b54a-b374ea51b9e9", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.072Z", + "modified": "2022-05-06T17:47:24.139Z", "relationship_type": "mitigates", - "description": "Implement network allowlists to minimize serial comm port access to only authorized hosts, such as comm servers and RTUs.\n", - "source_ref": "course-of-action--aadac250-bcdc-44e3-a4ae-f52bd0a7a16a", - "target_ref": "attack-pattern--1c478716-71d9-46a4-9a53-fa5d576adb60", + "description": "Hot-standbys in diverse locations can ensure continued operations if the primarily system are compromised or unavailable. At the network layer, protocols such as the Parallel Redundancy Protocol can be used to simultaneously use redundant and diverse communication over a local network. (Citation: M. Rentschler and H. Heine)\n", + "source_ref": "course-of-action--f0f5c87a-a58d-440a-b3b5-ca679d98c6dd", + "target_ref": "attack-pattern--138979ba-0430-4de6-a128-2fc0b056ba36", + "external_references": [ + { + "source_name": "M. Rentschler and H. Heine", + "description": "M. Rentschler and H. Heine The Parallel Redundancy Protocol for industrial IP networks Retrieved. 2020/09/25 ", + "url": "https://ieeexplore.ieee.org/document/6505877" + } + ], "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0" 
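Review bot: The description added for `relationship--8ecf5eac-7767-411b-b54a-b374ea51b9e9` reads "if the primarily system are compromised or unavailable", which is ungrammatical in text that operators read as mitigation guidance. The intended wording is presumably `if the primary systems are compromised or unavailable`. The same sentence appears as an unchanged context line in the hunk before this one, so it is shared by at least two mitigation relationships. It is best corrected where the text is authored rather than in a single object.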
@@ -14510,215 +17525,45 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], + "id": "relationship--cb1037c1-4b83-4a79-ba12-00558bb6b42b", "type": "relationship", - "id": "relationship--088580e9-ccea-426e-9411-c1de60de650d", + "created": "2021-10-04T20:52:20.304Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "ESET Lazarus KillDisk April 2018", + "description": "Kálnai, P., Cherepanov A. (2018, April 03). Lazarus KillDisks Central American casino. Retrieved May 17, 2018.", + "url": "https://www.welivesecurity.com/2018/04/03/lazarus-killdisk-central-american-casino/" + } + ], + "modified": "2021-10-04T20:54:09.057Z", + "description": "(Citation: ESET Lazarus KillDisk April 2018)", + "relationship_type": "uses", + "source_ref": "intrusion-set--00f67a77-86a4-4adf-be26-1a54fc713340", + "target_ref": "malware--e221eb77-1502-4129-af1d-fe1ad55e7ec6", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--d08fdedd-12f6-4681-9167-70d070432dee", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.206Z", + "modified": "2022-05-06T17:47:24.208Z", "relationship_type": "mitigates", - "description": "Devices should authenticate all messages between master and outstation assets.\n", - "source_ref": "course-of-action--72e46e53-e12d-4106-9c70-33241b6ed549", + "description": "Perform inline allowlisting of automation protocol commands to prevent devices from sending unauthorized command or reporting messages. 
Allow/denylist techniques need to be designed with sufficient accuracy to prevent the unintended blocking of valid reporting messages.\n", + "source_ref": "course-of-action--11f242bc-3121-438c-84b2-5cbd46a4bb17", "target_ref": "attack-pattern--8535b71e-3c12-4258-a4ab-40257a1becc4", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0" }, { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], "type": "relationship", - "id": "relationship--9a607f89-85b8-4fba-8eb7-7e4900ea693f", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.203Z", - "relationship_type": "mitigates", - "description": "Network intrusion prevention systems and systems designed to scan and remove malicious email attachments can be used to block activity.\n", - "source_ref": "course-of-action--3172222b-4983-43f7-8983-753ded4f13bc", - "target_ref": "attack-pattern--648f995e-9c3a-41e4-aeee-98bb41037426", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - "type": "relationship", - "id": "relationship--b452a076-6d4e-49f5-95ac-16264ef05b1d", - "created": "2017-12-14T16:46:06.044Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "external_references": [ - { - "source_name": "Anton Cherepanov", - "description": "Anton Cherepanov BlackEnergy by the SSHBearDoor: attacks against Ukrainian news media and electric industry Retrieved. 
2019/10/29 ", - "url": "https://www.welivesecurity.com/2016/01/03/blackenergy-sshbeardoor-details-2015-attacks-ukrainian-news-media-electric-industry/" - } - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-10-12T17:55:23.573Z", - "description": "[KillDisk](https://attack.mitre.org/software/S0607) looks for and terminates two non-standard processes, one of which is an ICS application. (Citation: Anton Cherepanov)", - "relationship_type": "uses", - "source_ref": "malware--e221eb77-1502-4129-af1d-fe1ad55e7ec6", - "target_ref": "attack-pattern--063b5b92-5361-481a-9c3f-95492ed9a2d8", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "type": "relationship", - "id": "relationship--058396ca-3af4-444b-b261-74485c47e68c", - "created": "2017-05-31T21:33:27.074Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "external_references": [ - { - "source_name": "Joe Slowik April 2019", - "description": "Joe Slowik 2019, April 10 Implications of IT Ransomware for ICS Environments Retrieved. 2019/10/27 ", - "url": "https://dragos.com/blog/industry-news/implications-of-it-ransomware-for-ics-environments/" - } - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-10-12T17:30:17.124Z", - "description": "[Bad Rabbit](https://attack.mitre.org/software/S0606) initially infected IT networks, but by means of an exploit (particularly the SMBv1-targeting MS17-010 vulnerability) spread to industrial networks. 
(Citation: Joe Slowik April 2019)", - "relationship_type": "uses", - "source_ref": "malware--2eaa5319-5e1e-4dd7-bbc4-566fced3964a", - "target_ref": "attack-pattern--85a45294-08f1-4539-bf00-7da08aa7b0ee", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "relationship", - "id": "relationship--c7aac6c9-da16-46e2-8cfa-dca07a0a7562", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.174Z", - "relationship_type": "mitigates", - "description": "Segment operational assets and their management devices based on their functional role within the process. Enabling more strict isolation to more critical control and operational information within the control environment. (Citation: Karen Scarfone; Paul Hoffman September 2009) (Citation: Keith Stouffer May 2015) (Citation: Department of Homeland Security September 2016) (Citation: Dwight Anderson 2014) \n", - "source_ref": "course-of-action--1e7ccfc0-94c8-496e-8d27-032120892291", - "target_ref": "attack-pattern--25852363-5968-4673-b81d-341d5ed90bd1", - "external_references": [ - { - "source_name": "Karen Scarfone; Paul Hoffman September 2009", - "description": "Karen Scarfone; Paul Hoffman 2009, September Guidelines on Firewalls and Firewall Policy Retrieved. 2020/09/25 ", - "url": "https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-41r1.pdf" - }, - { - "source_name": "Keith Stouffer May 2015", - "description": "Keith Stouffer 2015, May Guide to Industrial Control Systems (ICS) Security Retrieved. 
2018/03/28 ", - "url": "https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-82r2.pdf" - }, - { - "source_name": "Department of Homeland Security September 2016", - "description": "Department of Homeland Security 2016, September Retrieved. 2020/09/25 ", - "url": "https://us-cert.cisa.gov/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf" - }, - { - "source_name": "Dwight Anderson 2014", - "description": "Dwight Anderson 2014 Protect Critical Infrastructure Systems With Whitelisting Retrieved. 2020/09/25 ", - "url": "https://www.sans.org/reading-room/whitepapers/ICS/protect-critical-infrastructure-systems-whitelisting-35312" - } - ], - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - "type": "relationship", - "id": "relationship--77821dbb-367e-455f-bcae-b87412e88f1b", - "created": "2022-09-26T16:56:53.939Z", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-09-26T16:56:53.940Z", - "description": "Monitor asset management systems for device configuration changes which can be used to understand expected parameter settings.", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--b05a614b-033c-4578-b4f2-c63a9feee706", - "target_ref": "attack-pattern--097924ce-a9a9-4039-8591-e0deedfb8722", - "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "2.1.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "type": "relationship", - "id": "relationship--214eb531-411c-4b90-9dbf-dc0183cbb919", - "created": "2022-05-11T16:22:58.807Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - 
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-10-14T19:34:19.403Z", - "description": "Monitor executed commands and arguments that may stop or disable services on a system to render those services unavailable to legitimate users.", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--685f917a-e95e-4ba0-ade1-c7d354dae6e0", - "target_ref": "attack-pattern--063b5b92-5361-481a-9c3f-95492ed9a2d8", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "type": "relationship", - "id": "relationship--5c695f49-6c76-4818-88b6-4db2bf029e43", - "created": "2022-05-11T16:22:58.805Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-09-27T17:38:22.073Z", - "description": "Monitor for file creation in conjunction with other techniques (e.g., file transfers using [Remote Services](https://attack.mitre.org/techniques/T0886)).", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--2b3bfe19-d59a-460d-93bb-2f546adc2d2c", - "target_ref": "attack-pattern--ead7bd34-186e-4c79-9a4d-b65bcce6ed9d", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "relationship--ce64ed04-f0ff-4897-b636-3177c9c5d9bb", - "type": "relationship", - "created": "2021-01-20T21:03:13.436Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "external_references": [ - { - "source_name": "US District Court Indictment GRU Unit 74455 October 2020", - "url": 
"https://www.justice.gov/opa/press-release/file/1328521/download", - "description": "Scott W. Brady. (2020, October 15). United States vs. Yuriy Sergeyevich Andrienko et al.. Retrieved November 25, 2020." - }, - { - "source_name": "Secureworks IRON VIKING ", - "url": "https://www.secureworks.com/research/threat-profiles/iron-viking", - "description": "Secureworks. (2020, May 1). IRON VIKING Threat Profile. Retrieved June 10, 2020." - } - ], - "modified": "2022-02-28T17:02:50.467Z", - "description": "(Citation: US District Court Indictment GRU Unit 74455 October 2020)(Citation: Secureworks IRON VIKING )", - "relationship_type": "uses", - "source_ref": "intrusion-set--381fcf73-60f6-4ab2-9991-6af3cbc35192", - "target_ref": "malware--e221eb77-1502-4129-af1d-fe1ad55e7ec6", - "x_mitre_version": "1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "type": "relationship", - "id": "relationship--9515f24c-1c33-4197-b9c9-b9992bc696ca", + "id": "relationship--a4c81fe6-1ad9-4bba-a415-a3c099eaa2be", "created": "2021-04-13T11:15:26.506Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, 
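Review bot: The relationship added at the top of this hunk, `relationship--cb1037c1-4b83-4a79-ba12-00558bb6b42b`, has no `x_mitre_attack_spec_version` and no `x_mitre_deprecated` key. The next object in the same hunk carries `"x_mitre_attack_spec_version": "2.1.0"`. Its `modified` value is 2021-10-04, so it was presumably carried over unchanged from an earlier export rather than regenerated. Tooling that loads this bundle to compute mitigation or detection coverage should treat both keys as optional and apply a documented default rather than indexing them directly. If the bundle is meant to be uniform, the export step is the place to add them.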
@@ -14732,95 +17577,68 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2022-10-12T18:02:12.812Z", - "description": "[PLC-Blaster](https://attack.mitre.org/software/S1006) copies itself to various Program Organization Units (POU) on the target device. The POUs include the Data Block, Function, and Function Block. (Citation: Spenneberg, Ralf, Maik Brggemann, and Hendrik Schwartke March 2016)", + "modified": "2022-10-12T18:02:30.876Z", + "description": "[PLC-Blaster](https://attack.mitre.org/software/S1006) stops the execution of the user program on the target to enable the transfer of its own code. The worm then copies itself to the target and subsequently starts the target PLC again. (Citation: Spenneberg, Ralf, Maik Brggemann, and Hendrik Schwartke March 2016)", "relationship_type": "uses", "source_ref": "malware--4dcff507-5af8-47ce-964a-8d9569e9ccfe", - "target_ref": "attack-pattern--fc5fda7e-6b2c-4457-b036-759896a2efa2", + "target_ref": "attack-pattern--2883c520-7957-46ca-89bd-dab1ad53b601", "x_mitre_deprecated": false, "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], "type": "relationship", - "id": "relationship--ec105f62-2552-41fa-8b07-619dc1bf9b19", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.177Z", - "relationship_type": "mitigates", - "description": "Authenticate all access to field controllers before authorizing access to, or modification of, a device's state, logic, or programs. 
Centralized authentication techniques can help manage the large number of field controller accounts needed across the ICS.\n", - "source_ref": "course-of-action--3992ce42-43e9-4bea-b8db-a102ec3ec1e3", - "target_ref": "attack-pattern--be69c571-d746-4b1f-bdd0-c0c9817e9068", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - "type": "relationship", - "id": "relationship--51eb15a3-48af-470f-94c0-10f25b366d72", - "created": "2022-09-28T20:30:22.148Z", + "id": "relationship--eb06ac7d-117a-48ab-ae3b-8bfa8f332f60", + "created": "2022-05-11T16:22:58.804Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, - "external_references": [ - { - "source_name": "Dragos-Pipedream", - "description": "DRAGOS. (2022, April 13). Pipedream: Chernovite’s Emerging Malware Targeting Industrial Control Systems. Retrieved September 28, 2022.", - "url": "https://hub.dragos.com/hubfs/116-Whitepapers/Dragos_ChernoviteWP_v2b.pdf?hsLang=en" - }, - { - "source_name": "Wylie-22", - "description": "Jimmy Wylie. (2022, August). Analyzing PIPEDREAM: Challenges in Testing an ICS Attack Toolkit. 
Defcon 30.", - "url": "https://media.defcon.org/DEF%20CON%2030/DEF%20CON%2030%20presentations/Jimmy%20Wylie%20-%20Analyzing%20PIPEDREAM%20Challenges%20in%20testing%20an%20ICS%20attack%20toolkit.pdf" - } - ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2022-10-13T16:53:47.436Z", - "description": "[INCONTROLLER](https://attack.mitre.org/software/S1045) can establish a remote HTTP connection to change the operating mode of Omron PLCs.(Citation: Dragos-Pipedream)(Citation: Wylie-22) ", - "relationship_type": "uses", - "source_ref": "malware--d3aa1058-b1b3-4c29-a3ba-9a9b90ccd93b", - "target_ref": "attack-pattern--2883c520-7957-46ca-89bd-dab1ad53b601", + "modified": "2022-10-14T19:42:04.422Z", + "description": "Monitor for newly constructed files written to disk through a user visiting a website over the normal course of browsing.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--2b3bfe19-d59a-460d-93bb-2f546adc2d2c", + "target_ref": "attack-pattern--7830cfcf-b268-4ac0-a69e-73c6affbae9a", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", + "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], "type": "relationship", - "id": "relationship--d1d98f8c-aea2-4f06-9b0d-c543ed42c6a4", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.086Z", - "relationship_type": "mitigates", - "description": "Ensure that all SIS are segmented from operational networks to prevent them from being targeted by additional adversarial behavior.\n", - "source_ref": "course-of-action--da44255d-85c5-492c-baf3-ee823d44f848", - "target_ref": "attack-pattern--83ebd22f-b401-4d59-8219-2294172cf916", - "x_mitre_attack_spec_version": "2.1.0", 
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - "type": "relationship", - "id": "relationship--154de746-5ea2-43b4-97b2-221b2433cbde", + "id": "relationship--1110814e-81ff-4a23-9988-4b93e6f68a2b", "created": "2022-05-11T16:22:58.803Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2022-09-26T14:48:49.308Z", - "description": "Monitor ICS automation network protocols for information that an asset has been placed into Firmware Update Mode.", + "modified": "2022-09-26T15:09:35.145Z", + "description": "Monitor asset alarms which may help identify a loss of communications. Consider correlating alarms with other data sources that indicate traffic has been blocked, such as network traffic. In cases where alternative methods of communicating with outstations exist alarms may still be visible even if reporting messages are blocked. 
", "relationship_type": "detects", - "source_ref": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c", - "target_ref": "attack-pattern--19a71d1e-6334-4233-8260-b749cae37953", + "source_ref": "x-mitre-data-component--4c12c1c8-bcef-4daf-8e5b-fca235f71d9e", + "target_ref": "attack-pattern--3f1f4ccb-9be2-4ff8-8f69-dd972221169b", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--40f63b01-dc59-475d-826a-74f38c6e81b9", + "created": "2022-05-11T16:22:58.805Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-09-26T19:38:28.550Z", + "description": "Host-based implementations of this technique may utilize networking-based system calls or network utility commands (e.g., iptables) to locally intercept traffic. Monitor for relevant process creation events.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--3d20385b-24ef-40e1-9f56-f39750379077", + "target_ref": "attack-pattern--9a505987-ab05-4f46-a9a6-6441442eec3b", "x_mitre_deprecated": false, "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "2.1.0", 
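Review bot: The citation key in the rewritten PLC-Blaster description, `(Citation: Spenneberg, Ralf, Maik Brggemann, and Hendrik Schwartke March 2016)`, has a damaged author name. "Brggemann" looks like "Brüggemann" with the non-ASCII letter dropped, though that is inferred from the text alone. The commit changes the description and target but keeps the damaged key. The key has to match the `source_name` of the reference entry, which sits above the hunk and is not visible here. Both strings therefore need the same correction in one change, otherwise the citation stops resolving for consumers that join on it.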
@@ -14831,39 +17649,20 @@ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", - "id": "relationship--3ab912a4-70aa-45f8-b2ef-57113dde2cfa", + "id": "relationship--92d1fd4f-6cc7-4db5-82f8-f8caa5ff59f0", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.237Z", + "modified": "2022-05-06T17:47:24.130Z", "relationship_type": "mitigates", - "description": "Do not inherently rely on the authenticity provided by the network/link layer (e.g., 802.11, LTE, 802.15.4), as link layer equipment may have long lifespans and protocol vulnerabilities may not be easily patched. Provide defense-in-depth by implementing authenticity within the associated application-layer protocol, or through a network-layer VPN. (Citation: CISA March 2010) Furthermore, ensure communication schemes provide strong replay protection, employing techniques such as timestamps or cryptographic nonces.\n", - "source_ref": "course-of-action--c7257b6e-4159-4771-b1f3-2bb93adaecac", - "target_ref": "attack-pattern--2877063e-1851-48d2-bcc6-bc1d2733157e", + "description": "Protect files stored locally with proper permissions to limit opportunities for adversaries to remove indicators of their activity on the system. (Citation: Keith Stouffer May 2015) (Citation: National Institute of Standards and Technology April 2013)\n", + "source_ref": "course-of-action--f9fcb3ec-6de0-4559-8cd9-ef1c0c7d1971", + "target_ref": "attack-pattern--53a26eee-1080-4d17-9762-2027d5a1b805", "external_references": [ { - "source_name": "CISA March 2010", - "description": "CISA 2010, March 11 https://us-cert.cisa.gov/ncas/tips/ST05-003 Retrieved. 
2020/09/25 ", - "url": "https://us-cert.cisa.gov/ncas/tips/ST05-003" - } - ], - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "relationship", - "id": "relationship--52c7176b-431d-44a6-8c03-7c15a8cf6ce1", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.133Z", - "relationship_type": "mitigates", - "description": "Provide operators with redundant, out-of-band communication to support monitoring and control of the operational processes, especially when recovering from a network outage (Citation: National Institute of Standards and Technology April 2013). Out-of-band communication should utilize diverse systems and technologies to minimize common failure modes and vulnerabilities within the communications infrastructure. For example, wireless networks (e.g., 3G, 4G) can be used to provide diverse and redundant delivery of data.\n", - "source_ref": "course-of-action--b11cad63-ef30-4eb8-af0d-6cc46eef3f3e", - "target_ref": "attack-pattern--b5b9bacb-97f2-4249-b804-47fd44de1f95", - "external_references": [ + "source_name": "Keith Stouffer May 2015", + "description": "Keith Stouffer 2015, May Guide to Industrial Control Systems (ICS) Security Retrieved. 2018/03/28 ", + "url": "https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-82r2.pdf" + }, { "source_name": "National Institute of Standards and Technology April 2013", "description": "National Institute of Standards and Technology 2013, April Security and Privacy Controls for Federal Information Systems and Organizations Retrieved. 2020/09/17 ", 
@@ -14875,80 +17674,54 @@ "x_mitre_version": "1.0" }, { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], "type": "relationship", - "id": "relationship--5be1f2b1-75fd-4e7e-901b-495cee4ab5ad", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.209Z", - "relationship_type": "mitigates", - "description": "Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate activity at the network level.\n", - "source_ref": "course-of-action--3172222b-4983-43f7-8983-753ded4f13bc", - "target_ref": "attack-pattern--e076cca8-2f08-45c9-aff7-ea5ac798b387", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - "type": "relationship", - "id": "relationship--7d2db896-3051-483c-bc53-ca21832ee085", - "created": "2022-05-11T16:22:58.807Z", + "id": "relationship--7f1e688d-65f7-4737-a4ba-ee482710f8ec", + "created": "2022-05-11T16:22:58.804Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2022-10-14T19:47:23.983Z", - "description": "Monitor network traffic for suspicious email attachments. Consider correlation with process monitoring and command line to detect anomalous processes execution and command line arguments associated to traffic patterns (e.g., monitor anomalies in use of files that do not normally initiate connections for respective protocol(s)). 
Use web proxies to review content of emails including sender information, headers, and attachments for potentially malicious content.", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c", - "target_ref": "attack-pattern--648f995e-9c3a-41e4-aeee-98bb41037426", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "type": "relationship", - "id": "relationship--ea218d63-d9de-4f63-804a-cb039d804025", - "created": "2022-09-20T20:54:08.046Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "external_references": [ - { - "source_name": "Pinellas County Sheriffs Office February 2021", - "description": "Pinellas County Sheriffs Office 2021, February 8 Treatment Plant Intrusion Press Conference Retrieved. 2021/10/08 ", - "url": "https://www.youtube.com/watch?v=MkXDSOgLQ6M" - } - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-10-18T13:26:30.893Z", - "description": "During the [Oldsmar Treatment Plant Intrusion](https://attack.mitre.org/campaigns/C0009), the threat actors gained access to the system through remote access software, allowing for the use of the standard operator HMI interface.(Citation: Pinellas County Sheriffs Office February 2021)", - "relationship_type": "uses", - "source_ref": "campaign--65281d3e-b03c-46b8-8cd8-716363ac3cb2", - "target_ref": "attack-pattern--e1f9cdd2-9511-4fca-90d7-f3e92cfdd0bf", - "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "type": "relationship", - "id": "relationship--0c4aaf6c-4b72-401f-950b-6d65ceb1267a", - "created": "2022-09-27T15:49:26.908Z", - "revoked": false, - "object_marking_refs": [ 
- "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-09-27T15:49:26.908Z", - "description": "Monitor asset application logs for information that indicate task parameters have changed.", + "modified": "2022-10-14T18:40:55.168Z", + "description": "Monitor for application logging, messaging, and/or other artifacts that may result from Denial of Service (DoS) attacks which degrade or block the availability of services to users. In addition to network level detections, endpoint logging and instrumentation can be useful for detection.", "relationship_type": "detects", "source_ref": "x-mitre-data-component--9c2fa0ae-7abc-485a-97f6-699e3b6cf9fa", - "target_ref": "attack-pattern--09a61657-46e1-439e-b3ed-3e4556a78243", + "target_ref": "attack-pattern--1b22b676-9347-4c55-9a35-ef0dc653db5b", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--6d1906b4-e815-4688-86f1-ce61d403f8c6", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.186Z", + "relationship_type": "mitigates", + "description": "All remote services should require strong authentication before providing user access.\n", + "source_ref": "course-of-action--66cfe23e-34b6-4583-b178-ed6a412db2b0", + "target_ref": "attack-pattern--e1f9cdd2-9511-4fca-90d7-f3e92cfdd0bf", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--6157408d-1eb3-4445-8d8a-14619458954f", + "created": "2022-09-27T15:26:40.297Z", + "revoked": false, + "object_marking_refs": [ + 
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-09-27T15:26:40.297Z", + "description": "Monitor for network traffic originating from unknown/unexpected hardware devices. Local network traffic metadata (such as source MAC addressing) may be helpful in identifying transient assets.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--a7f22107-02e5-4982-9067-6625d4a1765a", + "target_ref": "attack-pattern--35392fb4-a31d-4c6a-b9f2-1c65b7f5e6b9", "x_mitre_deprecated": false, "x_mitre_version": "0.1", "x_mitre_attack_spec_version": "2.1.0", 
@@ -14957,123 +17730,150 @@ }, { "type": "relationship", - "id": "relationship--38a3c86b-c9bb-4a65-87c9-55429c68684f", + "id": "relationship--0c1fe5fc-3bdc-4d0e-94a0-6564f2ce4444", + "created": "2017-05-31T21:33:27.074Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Orkhan Mamedov, Fedor Sinitsyn, Anton Ivanov October 2017", + "description": "Orkhan Mamedov, Fedor Sinitsyn, Anton Ivanov 2017, October 27 Bad Rabbit Ransomware Retrieved. 2019/10/27 ", + "url": "https://securelist.com/bad-rabbit-ransomware/82851/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-12T17:30:30.761Z", + "description": "[Bad Rabbit](https://attack.mitre.org/software/S0606) ransomware spreads through drive-by attacks where insecure websites are compromised. While the target is visiting a legitimate website, a malware dropper is being downloaded from the threat actors infrastructure. (Citation: Orkhan Mamedov, Fedor Sinitsyn, Anton Ivanov October 2017)", + "relationship_type": "uses", + "source_ref": "malware--2eaa5319-5e1e-4dd7-bbc4-566fced3964a", + "target_ref": "attack-pattern--7830cfcf-b268-4ac0-a69e-73c6affbae9a", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--fa1bde35-63d9-4c5c-969b-2c17c29089fa", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.175Z", + "relationship_type": "mitigates", + "description": "All field controllers should require users to authenticate for all remote or local management sessions. 
The authentication mechanisms should also support [Account Use Policies](https://attack.mitre.org/mitigations/M0936), [Password Policies](https://attack.mitre.org/mitigations/M0927), and [User Account Management](https://attack.mitre.org/mitigations/M0918).", + "source_ref": "course-of-action--66cfe23e-34b6-4583-b178-ed6a412db2b0", + "target_ref": "attack-pattern--be69c571-d746-4b1f-bdd0-c0c9817e9068", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--06c663f8-fcf1-47eb-ab79-284e93eafa6b", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.183Z", + "relationship_type": "mitigates", + "description": "Authenticate connections from software and devices to prevent unauthorized systems from accessing protected management functions.\n", + "source_ref": "course-of-action--72e46e53-e12d-4106-9c70-33241b6ed549", + "target_ref": "attack-pattern--3067b85e-271e-4bc5-81ad-ab1a81d411e3", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--0e275c19-7688-47f8-8cd5-85eaacec465b", "created": "2022-05-11T16:22:58.807Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2022-10-14T16:32:41.938Z", - "description": "Monitor for newly constructed files copied to or from removable media.", + "modified": "2022-09-26T14:34:04.450Z", + "description": "Monitor industrial process history data for events that correspond with command message functions, such as setpoint 
modification or changes to system status for key devices. This will not directly detect the technique’s execution, but instead may provide additional evidence that the technique has been used and may complement other detections.", "relationship_type": "detects", - "source_ref": "x-mitre-data-component--2b3bfe19-d59a-460d-93bb-2f546adc2d2c", - "target_ref": "attack-pattern--c267bbee-bb59-47fe-85e0-3ed210337c21", + "source_ref": "x-mitre-data-component--931b3fc6-ad68-42a8-9018-e98515eedc95", + "target_ref": "attack-pattern--40b300ba-f553-48bf-862e-9471b220d455", "x_mitre_deprecated": false, "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { - "type": "relationship", - "id": "relationship--d72e7d01-56be-4fbd-8957-3384533ba83b", - "created": "2018-04-18T17:59:24.739Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "external_references": [ - { - "source_name": "Jos Wetzels January 2018", - "description": "Jos Wetzels 2018, January 16 Analyzing the TRITON industrial malware Retrieved. 2019/10/22 ", - "url": "https://www.midnightbluelabs.com/blog/2018/1/16/analyzing-the-triton-industrial-malware" - } - ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2022-10-12T18:28:23.911Z", - "description": "[Triton](https://attack.mitre.org/software/S1009) leverages a reconstructed TriStation protocol within its framework to trigger APIs related to program download, program allocation, and program changes. 
(Citation: Jos Wetzels January 2018)", - "relationship_type": "uses", - "source_ref": "malware--80099a91-4c86-4bea-9ccb-dac55d61960e", - "target_ref": "attack-pattern--5a2610f6-9fff-41e1-bc27-575ca20383d4", + "type": "relationship", + "id": "relationship--9a44b2a8-9f4c-43df-9174-1cba6e165886", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.075Z", + "relationship_type": "mitigates", + "description": "Allow/denylists can be used to block access when excessive I/O connections are detected from a system or device during a specified time period.\n", + "source_ref": "course-of-action--11f242bc-3121-438c-84b2-5cbd46a4bb17", + "target_ref": "attack-pattern--8e7089d3-fba2-44f8-94a8-9a79c53920c4", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--cf703ecc-e9f5-4d56-94d4-8fda9837e614", + "created": "2022-05-11T16:22:58.807Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-09-28T18:44:20.611Z", + "description": "Monitor for unexpected ICS protocol functions from new and existing devices. 
Monitoring known devices requires ICS function level insight to determine if an unauthorized device is issuing commands (e.g., a historian).", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c", + "target_ref": "attack-pattern--b14395bd-5419-4ef4-9bd8-696936f509bb", "x_mitre_deprecated": false, "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, - { - "type": "relationship", - "id": "relationship--e4a11381-8608-4c71-966f-df0cbb834fe0", - "created": "2022-09-30T15:35:09.660Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-10-14T16:51:08.392Z", - "description": "Monitor for new ICS protocol connections to existing assets or for device scanning (i.e., a host connecting to many devices) over ICS and enterprise protocols (e.g., ICMP, DCOM, WinRM). 
For added context on adversary enterprise procedures and background see [Remote System Discovery](https://attack.mitre.org/techniques/T1018).", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--a7f22107-02e5-4982-9067-6625d4a1765a", - "target_ref": "attack-pattern--d5a69cfb-fc2a-46cb-99eb-74b236db5061", - "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", - "id": "relationship--43bdf580-b98f-49cf-92d5-3dac50450c86", + "id": "relationship--b8f6d6a8-e668-4596-8ec2-41c5d1bd211d", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.214Z", + "modified": "2022-05-06T17:47:24.097Z", "relationship_type": "mitigates", - "description": "The encryption of firmware should be considered to prevent adversaries from identifying possible vulnerabilities within the firmware.\n", - "source_ref": "course-of-action--7f153c28-e5f1-4764-88fb-eea1d9b0ad4a", - "target_ref": "attack-pattern--b9160e77-ea9e-4ba9-b1c8-53a3c466b13d", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "relationship", - "id": "relationship--b69f31c3-6c12-4b81-8e74-9c58ea635fa4", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.232Z", - "relationship_type": "mitigates", - "description": "Ensure that applications and devices do not store sensitive data or credentials insecurely (e.g., plaintext credentials in code, published credentials in repositories, or 
credentials in public cloud storage). (Citation: CISA June 2013)\n", - "source_ref": "course-of-action--8a3aadd0-b5f4-433a-800e-4893e4196bb7", - "target_ref": "attack-pattern--cd2c76a4-5e23-4ca5-9c40-d5e0604f7101", - "external_references": [ - { - "source_name": "CISA June 2013", - "description": "CISA 2013, June Risks of Default Passwords on the Internet Retrieved. 2020/09/25 ", - "url": "https://us-cert.cisa.gov/ncas/alerts/TA13-175A" - } - ], + "description": "All field controllers should restrict the modification of programs to only certain users (e.g., engineers, field technician), preferably through implementing a role-based access mechanism.\n", + "source_ref": "course-of-action--e0d38502-decb-481d-ad8b-b8f0a0c330bd", + "target_ref": "attack-pattern--2aa406ed-81c3-4c1d-ba83-cfbee5a2847a", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0" }, { "type": "relationship", - "id": "relationship--9cf83701-a347-47b4-a67b-280df95b275d", + "id": "relationship--4631bf49-da0b-4415-a226-112c99ff0f64", "created": "2022-05-11T16:22:58.806Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2022-10-14T16:41:05.460Z", - "description": "Monitor for changes made to scheduled jobs that may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools.", + "modified": "2022-09-26T19:22:17.841Z", + "description": "Monitor for user accounts logged into systems they would not normally access or abnormal access patterns, such as multiple systems over a relatively short period of time. Correlate use of login activity related to remote services with unusual behavior or other malicious or suspicious activity. 
Adversaries will likely need to learn about an environment and the relationships between systems through Discovery techniques prior to attempting Lateral Movement. For added context on adversary procedures and background see [Remote Services](https://attack.mitre.org/techniques/T1021) and applicable sub-techniques.", "relationship_type": "detects", - "source_ref": "x-mitre-data-component--faa34cf6-cf32-4dc9-bd6a-8f7a606ff65b", - "target_ref": "attack-pattern--ba203963-3182-41ac-af14-7e7ebc83cd61", + "source_ref": "x-mitre-data-component--9ce98c86-8d30-4043-ba54-0784d478d0b5", + "target_ref": "attack-pattern--e1f9cdd2-9511-4fca-90d7-f3e92cfdd0bf", "x_mitre_deprecated": false, "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "2.1.0", 
@@ -15084,70 +17884,135 @@ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", - "id": "relationship--2daeeaaa-5b4b-4bb7-a94d-78a5749027ca", + "id": "relationship--ade12d27-13bb-4ebf-be08-7039cf699682", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.126Z", + "modified": "2022-05-06T17:47:24.065Z", "relationship_type": "mitigates", - "description": "Limit access to remote services through centrally managed concentrators such as VPNs and other managed remote access systems.\n", - "source_ref": "course-of-action--49b306c1-a046-42c5-a4d2-30f264ada110", - "target_ref": "attack-pattern--8d2f3bab-507c-4424-b58b-edc977bd215c", + "description": "Utilize network allowlists to restrict unnecessary connections to network devices (e.g., comm servers, serial to ethernet converters) and services, especially in cases when devices have limits on the number of simultaneous sessions they support.\n", + "source_ref": "course-of-action--aadac250-bcdc-44e3-a4ae-f52bd0a7a16a", + "target_ref": "attack-pattern--2900bbd8-308a-4274-b074-5b8bde8347bc", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0" }, + { + "type": "relationship", + "id": "relationship--f145b7e5-048b-46e7-8439-e2b88917523c", + "created": "2022-05-11T16:22:58.804Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-09-26T16:48:47.595Z", + "description": "Monitor alarms for information about when an operating mode is changed, although not all devices produce such logs.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--9d56be63-3501-4dd3-bb5f-63c580833298", + "target_ref": "attack-pattern--2883c520-7957-46ca-89bd-dab1ad53b601", + 
"x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", - "id": "relationship--ab60fe4a-5860-410a-8bca-2cdbea95e5f8", + "id": "relationship--fcb7733f-553d-43de-a8c6-c85a5cd65041", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.080Z", + "modified": "2022-05-06T17:47:24.111Z", "relationship_type": "mitigates", - "description": "Use host-based allowlists to prevent devices from accepting connections from unauthorized systems. For example, allowlists can be used to ensure devices can only connect with master stations or known management/engineering workstations. (Citation: Department of Homeland Security September 2016)\n", - "source_ref": "course-of-action--aadac250-bcdc-44e3-a4ae-f52bd0a7a16a", - "target_ref": "attack-pattern--2883c520-7957-46ca-89bd-dab1ad53b601", - "external_references": [ - { - "source_name": "Department of Homeland Security September 2016", - "description": "Department of Homeland Security 2016, September Retrieved. 
2020/09/25 ", - "url": "https://us-cert.cisa.gov/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf" - } - ], + "description": "Segment externally facing servers and services from the rest of the network with a DMZ or on separate hosting infrastructure.\n", + "source_ref": "course-of-action--1e7ccfc0-94c8-496e-8d27-032120892291", + "target_ref": "attack-pattern--32632a95-6856-47b9-9ab7-fea5cd7dce00", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0" }, { "type": "relationship", - "id": "relationship--e257913e-40ba-4a05-ba97-0c3175c966b5", - "created": "2017-12-14T16:46:06.044Z", + "id": "relationship--51f9963c-c041-4bec-b482-5fda2fb5bca4", + "created": "2019-06-24T17:20:24.258Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { - "source_name": "Nicolas Falliere, Liam O Murchu, Eric Chien February 2011", - "description": "Nicolas Falliere, Liam O Murchu, Eric Chien 2011, February W32.Stuxnet Dossier (Version 1.4) Retrieved. 2017/09/22 ", - "url": "https://www.wired.com/images_blogs/threatlevel/2011/02/Symantec-Stuxnet-Update-Feb-2011.pdf" + "source_name": "Catalin Cimpanu April 2016", + "description": "Catalin Cimpanu 2016, April 26 Malware Shuts Down German Nuclear Power Plant on Chernobyl's 30th Anniversary Retrieved. 
2019/10/14 ", + "url": "https://news.softpedia.com/news/on-chernobyl-s-30th-anniversary-malware-shuts-down-german-nuclear-power-plant-503429.shtml" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-12T17:39:25.984Z", + "description": "A [Conficker](https://attack.mitre.org/software/S0608) infection at a nuclear power plant forced the facility to shutdown and go through security procedures involved with such events, with its staff scanning computer systems and going through all the regular checks and motions before putting the plant back into production. (Citation: Catalin Cimpanu April 2016)", + "relationship_type": "uses", + "source_ref": "malware--58eddbaf-7416-419a-ad7b-e65b9d4c3b55", + "target_ref": "attack-pattern--63b6942d-8359-4506-bfb3-cf87aa8120ee", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--17525989-242e-4960-b59d-9ea62172263f", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2018-10-17T00:14:20.652Z", + "modified": "2022-05-06T17:47:24.366Z", + "relationship_type": "uses", + "description": "[Dragonfly 2.0](https://attack.mitre.org/groups/G0035) used the Phishery tool kit to conduct spear phishing attacks and gather credentials. (Citation: Symantec September 2017) (Citation: Sean Baird, Earl Carter, Erick Galinkin, Christopher Marczewski & Joe Marshall July 2017) [Dragonfly 2.0](https://attack.mitre.org/groups/G0035) conducted a targeted spear phishing campaign against multiple electric utilities in the North America. 
(Citation: Dragos Threat Intelligence September 2018) (Citation: Dragos Threat Intelligence 2018) ", + "source_ref": "intrusion-set--76d59913-1d24-4992-a8ac-05a3eb093f71", + "target_ref": "attack-pattern--648f995e-9c3a-41e4-aeee-98bb41037426", + "external_references": [ + { + "source_name": "Symantec September 2017", + "description": "Symantec 2017, September 6 Dragonfly: Western energy sector targeted by sophisticated attack group Retrieved. 2017/09/14 ", + "url": "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/dragonfly-energy-sector-cyber-attacks" }, { - "source_name": "Ralph Langner November 2013", - "description": "Ralph Langner 2013, November To Kill a Centrifuge: A Technical Analysis of What Stuxnet's Creators Tried to Achieve Retrieved. 2018/03/27 ", - "url": "https://www.langner.com/wp-content/uploads/2017/03/to-kill-a-centrifuge.pdf" + "source_name": "Sean Baird, Earl Carter, Erick Galinkin, Christopher Marczewski & Joe Marshall July 2017", + "description": "Sean Baird, Earl Carter, Erick Galinkin, Christopher Marczewski & Joe Marshall 2017, July 07 Attack on Critical Infrastructure Leverages Template Injection Retrieved. 2019/12/05 ", + "url": "https://blog.talosintelligence.com/2017/07/template-injection.html" + }, + { + "source_name": "Dragos Threat Intelligence September 2018", + "description": "Dragos Threat Intelligence 2018, September 17 THREAT INTELLIGENCE SUMMARY TR-2018-25: Phishing Campaign Targeting Electric Utility Companies Retrieved. 2020/01/03 ", + "url": "https://dragos.com/wp-content/uploads/Sample-WorldView-Report.pdf" + }, + { + "source_name": "Dragos Threat Intelligence 2018", + "description": "Dragos Threat Intelligence 2018 ICS Activity Groups and Threat Landscape Retrieved. 
2020/01/03 ", + "url": "https://dragos.com/wp-content/uploads/yir-ics-activity-groups-threat-landscape-2018.pdf" } ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--29b85313-645b-4fb1-b5c2-f580d111760b", + "created": "2022-09-26T19:38:04.844Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2022-09-20T21:19:56.001Z", - "description": "[Stuxnet](https://attack.mitre.org/software/S0603) manipulates the view of operators replaying process input and manipulating the I/O image to evade detection and inhibit protection functions. (Citation: Ralph Langner November 2013) (Citation: Nicolas Falliere, Liam O Murchu, Eric Chien February 2011)", - "relationship_type": "uses", - "source_ref": "malware--088f1d6e-0783-47c6-9923-9c79b2af43d4", - "target_ref": "attack-pattern--4c2e1408-9d68-4187-8e6b-a77bc52700ec", + "modified": "2022-10-14T19:36:50.910Z", + "description": "Monitor HKLM\\Software\\Policies\\Microsoft\\Windows NT\\DNSClient for changes to the \"EnableMulticast\" DWORD value. A value of \"0\" indicates LLMNR is disabled.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--da85d358-741a-410d-9433-20d6269a6170", + "target_ref": "attack-pattern--9a505987-ab05-4f46-a9a6-6441442eec3b", "x_mitre_deprecated": false, - "x_mitre_version": "1.0", + "x_mitre_version": "0.1", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, 
@@ -15156,50 +18021,114 @@ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", - "id": "relationship--b8edcf0a-ec53-4203-b3ad-2cc734a1f1dd", + "id": "relationship--c69eab3c-861c-45f5-8858-a595fcc7e6f6", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2021-10-14T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.226Z", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.132Z", "relationship_type": "mitigates", - "description": "Update software on control network assets when possible. If feasible, use modern operating systems and software to reduce exposure to known vulnerabilities.\n", - "source_ref": "course-of-action--97f33c84-8508-45b9-8a1d-cac921828c9e", - "target_ref": "attack-pattern--35392fb4-a31d-4c6a-b9f2-1c65b7f5e6b9", + "description": "Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware or unusual data transfer over known tools and protocols like FTP can be used to mitigate activity at the network level. Signatures are often for unique indicators within protocols and may be based on the specific obfuscation technique used by a particular adversary or tool and will likely be different across various malware families and versions. Adversaries will likely change tool C2 signatures over time or construct protocols in such a way as to avoid detection by common defensive tools. (Citation: Gardiner, J., Cova, M., Nagaraja, S February 2014)\n", + "source_ref": "course-of-action--3172222b-4983-43f7-8983-753ded4f13bc", + "target_ref": "attack-pattern--ead7bd34-186e-4c79-9a4d-b65bcce6ed9d", + "external_references": [ + { + "source_name": "Gardiner, J., Cova, M., Nagaraja, S February 2014", + "description": "Gardiner, J., Cova, M., Nagaraja, S 2014, February Command & Control Understanding, Denying and Detecting Retrieved. 
2016/04/20 ", + "url": "https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf" + } + ], "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0" }, { "type": "relationship", - "id": "relationship--59c65014-1fee-4c2e-9ece-9883159bbed2", - "created": "2022-05-11T16:22:58.807Z", + "id": "relationship--a846dbe5-9ef3-4fb6-93d5-f764671a75c8", + "created": "2021-04-11T14:06:54.109Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, + "external_references": [ + { + "source_name": "ICS CERT September 2018", + "description": "ICS CERT 2018, September 06 Advantech/Broadwin WebAccess RPC Vulnerability (Update B) Retrieved. 2019/12/05 ", + "url": "https://www.us-cert.gov/ics/advisories/ICSA-11-094-02B" + }, + { + "source_name": "ICS-CERT December 2014", + "description": "ICS-CERT 2014, December 10 ICS Alert (ICS-ALERT-14-281-01E) Ongoing Sophisticated Malware Campaign Compromising ICS (Update E) Retrieved. 2019/10/11 ", + "url": "https://www.us-cert.gov/ics/alerts/ICS-ALERT-14-281-01B" + } + ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2022-09-27T19:16:20.286Z", - "description": "Remote access tools with built-in features may interact directly with the Windows API to perform these functions outside of typical system utilities. For example, ChangeServiceConfigW may be used by an adversary to prevent services from starting. 
For added context on adversary procedures and background see [Service Stop](https://attack.mitre.org/techniques/T1489).", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e", + "modified": "2022-10-12T16:59:07.486Z", + "description": "[Sandworm Team](https://attack.mitre.org/groups/G0034) actors exploited vulnerabilities in GE's Cimplicity HMI and Advantech/Broadwin WebAccess HMI software which had been directly exposed to the internet. (Citation: ICS-CERT December 2014) (Citation: ICS CERT September 2018)", + "relationship_type": "uses", + "source_ref": "intrusion-set--381fcf73-60f6-4ab2-9991-6af3cbc35192", + "target_ref": "attack-pattern--32632a95-6856-47b9-9ab7-fea5cd7dce00", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--66f79019-d52c-46a6-b605-c2335d1d3d20", + "created": "2018-10-17T00:14:20.652Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Anton Cherepanov, ESET June 2017", + "description": "Anton Cherepanov, ESET 2017, June 12 Win32/Industroyer: A new threat for industrial control systems Retrieved. 2017/09/15 ", + "url": "https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-09-23T18:25:59.238Z", + "description": "[Industroyer](https://attack.mitre.org/software/S0604) has the capability to stop a service itself, or to login as a user and stop a service as that user. 
(Citation: Anton Cherepanov, ESET June 2017)", + "relationship_type": "uses", + "source_ref": "malware--e401d4fe-f0c9-44f0-98e6-f93487678808", "target_ref": "attack-pattern--063b5b92-5361-481a-9c3f-95492ed9a2d8", "x_mitre_deprecated": false, "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, + { + "type": "relationship", + "id": "relationship--ab0b5170-577b-491e-8508-b9a34dc393c1", + "created": "2022-09-27T16:22:57.470Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-09-27T16:22:57.470Z", + "description": "Engineering and asset management software will often maintain a copy of the expected program loaded on a controller and may also record any changes made to controller programs. Data from these platforms can be used to identify modified controller programs.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--8ed4e6d0-56d7-4e6b-8fa6-41f41631f30d", + "target_ref": "attack-pattern--fc5fda7e-6b2c-4457-b036-759896a2efa2", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "2.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", - "id": "relationship--1c3d966a-5995-48ed-919d-25b972010fe9", + "id": "relationship--5bf8473c-3c60-4a8a-8514-c2b50ab8a92d", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.180Z", + "modified": "2022-05-06T17:47:24.156Z", "relationship_type": "mitigates", "description": "Provide the ability to verify the integrity of control logic or programs loaded on a controller. 
While techniques like CRCs and checksums are commonly used, they are not cryptographically strong and can be vulnerable to collisions. Preferably cryptographic hash functions (e.g., SHA-2, SHA-3) should be used. (Citation: IEC February 2019)\n", "source_ref": "course-of-action--bcf91ebc-f316-4e19-b2f6-444e9940c697", - "target_ref": "attack-pattern--be69c571-d746-4b1f-bdd0-c0c9817e9068", + "target_ref": "attack-pattern--097924ce-a9a9-4039-8591-e0deedfb8722", "external_references": [ { "source_name": "IEC February 2019", 
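Review bot: The `ICS-CERT December 2014` reference in the added Sandworm Team `uses` relationship (`relationship--a846dbe5-9ef3-4fb6-93d5-f764671a75c8`) cites one revision of the alert and links another. Its `description` names `ICS-ALERT-14-281-01E` "(Update E)", while its `url` ends in `ICS-ALERT-14-281-01B`. A defender following the citation to confirm the Cimplicity/WebAccess exposure details may therefore read a different revision than the one the relationship text was written from. If Update E is the intended source, the `url` path should end in `ICS-ALERT-14-281-01E`; otherwise the description should name Update B. Which revision is correct cannot be determined from this hunk. The two `source_name` values in the same object also differ in style (`ICS CERT September 2018` vs `ICS-CERT December 2014`), which makes them harder to match against the `(Citation: …)` markers.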
@@ -15213,24 +18142,281 @@ }, { "type": "relationship", - "id": "relationship--5e099568-fb5c-4f58-af7e-4e1b7a9d1128", - "created": "2021-04-12T18:49:06.044Z", + "id": "relationship--41ff63a3-ddb9-47fb-8d92-bed74ed0d41d", + "created": "2021-04-11T14:06:54.109Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { - "source_name": "Tom Fakterman August 2019", - "description": "Tom Fakterman 2019, August 05 Sodinokibi: The Crown Prince of Ransomware Retrieved. 2021/04/12 ", - "url": "https://www.cybereason.com/blog/the-sodinokibi-ransomware-attack" + "source_name": "Electricity Information Sharing and Analysis Center; SANS Industrial Control Systems March 2016", + "description": "Electricity Information Sharing and Analysis Center; SANS Industrial Control Systems 2016, March 18 Analysis of the Cyber Attack on the Ukranian Power Grid: Defense Use Case Retrieved. 2018/03/27 ", + "url": "https://assets.contentstack.io/v3/assets/blt36c2e63521272fdc/blt6a77276749b76a40/607f235992f0063e5c070fff/E-ISAC_SANS_Ukraine_DUC_5%5b73%5d.pdf" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2022-10-12T18:05:04.619Z", - "description": "[REvil](https://attack.mitre.org/software/S0496) searches for whether the Ahnlab autoup.exe service is running on the target system and injects its payload into this existing process. (Citation: Tom Fakterman August 2019)", + "modified": "2022-10-12T16:55:23.567Z", + "description": "In the Ukraine 2015 Incident, [Sandworm Team](https://attack.mitre.org/groups/G0034) blocked reporting messages by using malicious firmware to render communication devices inoperable. 
(Citation: Electricity Information Sharing and Analysis Center; SANS Industrial Control Systems March 2016)", "relationship_type": "uses", - "source_ref": "malware--ac61f1f9-7bb1-465e-9b8a-c2ce8e88baf5", + "source_ref": "intrusion-set--381fcf73-60f6-4ab2-9991-6af3cbc35192", + "target_ref": "attack-pattern--3f1f4ccb-9be2-4ff8-8f69-dd972221169b", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--0f18b876-b698-4f70-aa98-50e8b5a7eae2", + "created": "2018-04-18T17:59:24.739Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Andy Greenburg June 2019", + "description": "Andy Greenburg 2019, June 20 Iranian Hackers Launch a New US-Targeted Campaign as Tensions Mount Retrieved. 2020/01/03 ", + "url": "https://www.wired.com/story/iran-hackers-us-phishing-tensions/" + }, + { + "source_name": "Jacqueline O'Leary et al. September 2017", + "description": "Jacqueline O'Leary et al. 2017, September 20 Insights into Iranian Cyber Espionage: APT33 Targets Aerospace and Energy Sectors and has Ties to Destructive Malware Retrieved. 2019/12/02 ", + "url": "https://www.fireeye.com/blog/threat-research/2017/09/apt33-insights-into-iranian-cyber-espionage.html" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-12T15:41:49.943Z", + "description": "[APT33](https://attack.mitre.org/groups/G0064) sent spear phishing emails containing links to HTML application files, which were embedded with malicious code. (Citation: Jacqueline O'Leary et al. September 2017) [APT33](https://attack.mitre.org/groups/G0064) has conducted targeted spear phishing campaigns against U.S. government agencies and private sector companies. 
(Citation: Andy Greenburg June 2019)", + "relationship_type": "uses", + "source_ref": "intrusion-set--fbd29c89-18ba-4c2d-b792-51c0adee049f", + "target_ref": "attack-pattern--648f995e-9c3a-41e4-aeee-98bb41037426", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--71422483-33e4-4131-a4ec-40322d91d8a0", + "created": "2019-06-24T17:20:24.258Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Catalin Cimpanu April 2016", + "description": "Catalin Cimpanu 2016, April 26 Malware Shuts Down German Nuclear Power Plant on Chernobyl's 30th Anniversary Retrieved. 2019/10/14 ", + "url": "https://news.softpedia.com/news/on-chernobyl-s-30th-anniversary-malware-shuts-down-german-nuclear-power-plant-503429.shtml" + }, + { + "source_name": "Symantec June 2015", + "description": "Symantec 2015, June 30 Simple steps to protect yourself from the Conficker Worm Retrieved. 2019/12/05 ", + "url": "https://support.symantec.com/us/en/article.tech93179.html" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-17T15:38:28.233Z", + "description": "[Conficker](https://attack.mitre.org/software/S0608) exploits Windows drive shares. Once it has infected a computer, [Conficker](https://attack.mitre.org/software/S0608) automatically copies itself to all visible open drive shares on other computers inside the network. (Citation: Symantec June 2015) Nuclear power plant officials suspect someone brought in [Conficker](https://attack.mitre.org/software/S0608) by accident on a USB thumb drive, either from home or computers found in the power plant's facility. 
(Citation: Catalin Cimpanu April 2016)", + "relationship_type": "uses", + "source_ref": "malware--58eddbaf-7416-419a-ad7b-e65b9d4c3b55", + "target_ref": "attack-pattern--c267bbee-bb59-47fe-85e0-3ed210337c21", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--c9065f74-556d-4728-8072-f96642e70316", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2021-04-12T18:59:24.739Z", + "modified": "2022-05-06T17:47:24.187Z", + "relationship_type": "mitigates", + "description": "Access Management technologies can help enforce authentication on critical remote service, examples include, but are not limited to, device management services (e.g., telnet, SSH), data access servers (e.g., HTTP, Historians), and HMI sessions (e.g., RDP, VNC).\n", + "source_ref": "course-of-action--3992ce42-43e9-4bea-b8db-a102ec3ec1e3", + "target_ref": "attack-pattern--e1f9cdd2-9511-4fca-90d7-f3e92cfdd0bf", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--9fa31b58-d4f3-43e4-b5b2-cafcd0c6a99d", + "created": "2021-04-11T14:06:54.109Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Dragos October 2018", + "description": "Dragos 2018, October 12 Anatomy of an Attack: Detecting and Defeating CRASHOVERRIDE Retrieved. 
2019/10/14 ", + "url": "https://dragos.com/wp-content/uploads/CRASHOVERRIDE2018.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-12T16:58:41.806Z", + "description": "[Sandworm Team](https://attack.mitre.org/groups/G0034) appears to use MS-SQL access to a pivot machine, allowing code execution throughout the ICS network. (Citation: Dragos October 2018)", + "relationship_type": "uses", + "source_ref": "intrusion-set--381fcf73-60f6-4ab2-9991-6af3cbc35192", + "target_ref": "attack-pattern--e1f9cdd2-9511-4fca-90d7-f3e92cfdd0bf", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--276aa6a6-e700-470a-8f72-02537ba7be9d", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.128Z", + "relationship_type": "mitigates", + "description": "Configure features related to account use like login attempt lockouts, specific login times, and password strength requirements as examples. Consider these features as they relate to assets which may impact safety and availability. (Citation: Keith Stouffer May 2015)\n", + "source_ref": "course-of-action--86b455f2-fb63-4043-93a8-32a3a7703a02", + "target_ref": "attack-pattern--8d2f3bab-507c-4424-b58b-edc977bd215c", + "external_references": [ + { + "source_name": "Keith Stouffer May 2015", + "description": "Keith Stouffer 2015, May Guide to Industrial Control Systems (ICS) Security Retrieved. 
2018/03/28 ", + "url": "https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-82r2.pdf" + } + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--6bf14e79-3287-4b9e-b222-9d527530df1e", + "created": "2022-05-11T16:22:58.807Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-14T16:57:08.560Z", + "description": "Monitor and analyze traffic flows that do not follow the expected protocol standards and traffic flows (e.g., extraneous packets that do not belong to established flows , or gratuitous or anomalous traffic patterns). Consider correlation with process monitoring and command line to detect anomalous processes execution and command line arguments associated to traffic patterns (e.g., monitor anomalies in use of files that do not normally initiate connections for respective protocol(s)).", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--a7f22107-02e5-4982-9067-6625d4a1765a", + "target_ref": "attack-pattern--e076cca8-2f08-45c9-aff7-ea5ac798b387", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--6eaf727c-fec3-4e63-8852-eee27c44d596", + "created": "2022-09-27T15:23:19.486Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-14T19:47:06.144Z", + "description": "Monitor for newly constructed files from a spearphishing emails with a malicious attachment in an attempt to gain access to 
victim systems.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--2b3bfe19-d59a-460d-93bb-2f546adc2d2c", + "target_ref": "attack-pattern--648f995e-9c3a-41e4-aeee-98bb41037426", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--a7fb3abd-c800-408e-8329-2a4f6256ea4a", + "created": "2022-09-29T14:27:05.757Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-09-29T14:27:05.757Z", + "description": "Monitor logon sessions for hardcoded credential use, when feasible.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--9ce98c86-8d30-4043-ba54-0784d478d0b5", + "target_ref": "attack-pattern--c9a8d958-fcdb-40d2-af4c-461c8031651a", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "2.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--39963a04-9675-4fa4-87ea-1b34145cc569", + "created": "2022-05-11T16:22:58.807Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Elastic - Koadiac Detection with EQL", + "description": "Stepanic, D.. (2020, January 13). Embracing offensive tooling: Building detections against Koadic using EQL. 
Retrieved November 30, 2020.", + "url": "https://www.elastic.co/blog/embracing-offensive-tooling-building-detections-against-koadic-using-eql" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-14T16:51:44.656Z", + "description": "Monitor for newly executed processes that can be used to discover remote systems, such as ping.exe and tracert.exe , especially when executed in quick succession.(Citation: Elastic - Koadiac Detection with EQL) Consider monitoring for new processes engaging in scanning activity or connecting to multiple systems by correlating process creation network data.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--3d20385b-24ef-40e1-9f56-f39750379077", + "target_ref": "attack-pattern--d5a69cfb-fc2a-46cb-99eb-74b236db5061", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--81add433-49d8-43ec-85d5-f48fe80e56e7", + "created": "2022-05-11T16:22:58.806Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-14T16:44:21.000Z", + "description": "Devices that provide user access to the underlying operating system may allow the installation of custom software to monitor OS API execution. Monitoring API calls may generate a significant amount of data and may not be useful for defense unless collected under specific circumstances, since benign use of API functions are common and may be difficult to distinguish from malicious behavior. 
Correlation of other events with behavior surrounding API function calls using API monitoring will provide additional context to an event that may assist in determining if it is due to malicious behavior.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e", + "target_ref": "attack-pattern--b52870cc-83f3-473c-b895-72d91751030b", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--b5f94430-be03-43ed-97e1-0424d783073e", + "created": "2021-10-14T21:33:27.046Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Dragos October 2018", + "description": "Dragos 2018, October 12 Anatomy of an Attack: Detecting and Defeating CRASHOVERRIDE Retrieved. 2019/10/14 ", + "url": "https://dragos.com/wp-content/uploads/CRASHOVERRIDE2018.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-12T16:59:39.830Z", + "description": "[Sandworm Team](https://attack.mitre.org/groups/G0034) transfers executable files as .txt. and then renames them to .exe, likely to avoid detection through extension tracking. (Citation: Dragos October 2018)", + "relationship_type": "uses", + "source_ref": "intrusion-set--381fcf73-60f6-4ab2-9991-6af3cbc35192", "target_ref": "attack-pattern--ba203963-3182-41ac-af14-7e7ebc83cd61", "x_mitre_deprecated": false, "x_mitre_version": "1.0", 
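Review bot: The `mitigates` relationships added in this hunk (for example `relationship--c9065f74-556d-4728-8072-f96642e70316` and `relationship--276aa6a6-e700-470a-8f72-02537ba7be9d`) carry neither `revoked` nor `x_mitre_deprecated`, while the `uses` and `detects` objects next to them set both to `false`. Tooling that derives mitigation or detection coverage from this bundle and filters on those keys has to treat a missing key as `false`, otherwise these mitigations are either dropped or cause a lookup error. For a uniform object shape I would add `"revoked": false,` and `"x_mitre_deprecated": false,` to each of them. The same gap appears in the `mitigates` objects and the Dragonfly 2.0 `uses` object of the next hunk (`@@ -15239,18 +18425,104 @@`) and in the `mitigates` objects visible in the hunk after it.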
@@ -15239,18 +18425,104 @@ }, { "type": "relationship", - "id": "relationship--54f6293a-1ccb-4dcb-b85c-9a2a57daddb9", - "created": "2022-05-11T16:22:58.805Z", + "id": "relationship--655e2f91-5d43-4c47-b7e0-8248b351f3ba", + "created": "2022-05-11T16:22:58.803Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2022-09-26T19:18:27.480Z", - "description": "Monitor for unexpected protocols to/from the Internet. While network traffic content and logon session metadata may directly identify a login event, new Internet-based network flows may also be a reliable indicator of this technique.", + "modified": "2022-09-26T14:49:07.316Z", + "description": "Monitor device alarms that indicate the devices has been placed into Firmware Update Mode, although not all devices produce such alarms.", "relationship_type": "detects", - "source_ref": "x-mitre-data-component--a7f22107-02e5-4982-9067-6625d4a1765a", - "target_ref": "attack-pattern--f8df6b57-14bc-425f-9a91-6f59f6799307", + "source_ref": "x-mitre-data-component--9d56be63-3501-4dd3-bb5f-63c580833298", + "target_ref": "attack-pattern--19a71d1e-6334-4233-8260-b749cae37953", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--44c6bc32-d2e5-42f5-8c2e-42f305cb589b", + "created": "2022-09-27T19:06:12.301Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-09-27T19:06:12.302Z", + "description": "A manipulated I/O image requires analyzing the application program running on the PLC for specific data block writes. 
Detecting this requires obtaining and analyzing a PLC’s application program, either directly from the device or from asset management platforms.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--8ed4e6d0-56d7-4e6b-8fa6-41f41631f30d", + "target_ref": "attack-pattern--36e9f5bc-ac13-4da4-a2f4-01f4877d9004", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "2.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--b7f23af2-e948-4531-af56-1a1b4d03702f", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.172Z", + "relationship_type": "mitigates", + "description": "Authenticate all access to field controllers before authorizing access to, or modification of, a device's state, logic, or programs. 
Centralized authentication techniques can help manage the large number of field controller accounts needed across the ICS.\n", + "source_ref": "course-of-action--3992ce42-43e9-4bea-b8db-a102ec3ec1e3", + "target_ref": "attack-pattern--25852363-5968-4673-b81d-341d5ed90bd1", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--86076ad1-8037-4dd0-88e7-9c40ec00af4a", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2018-10-17T00:14:20.652Z", + "modified": "2022-05-06T17:47:24.368Z", + "relationship_type": "uses", + "description": "[Dragonfly 2.0](https://attack.mitre.org/groups/G0035) trojanized legitimate software to deliver malware disguised as standard windows applications. (Citation: Symantec September 2017)", + "source_ref": "intrusion-set--76d59913-1d24-4992-a8ac-05a3eb093f71", + "target_ref": "attack-pattern--5e0f75da-e108-4688-a6de-a4f07cc2cbe3", + "external_references": [ + { + "source_name": "Symantec September 2017", + "description": "Symantec 2017, September 6 Dragonfly: Western energy sector targeted by sophisticated attack group Retrieved. 
2017/09/14 ", + "url": "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/dragonfly-energy-sector-cyber-attacks" + } + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--9d6f9bba-dd79-4cb6-a0f3-1284e58a6236", + "created": "2018-10-17T00:14:20.652Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Anton Cherepanov, ESET June 2017", + "description": "Anton Cherepanov, ESET 2017, June 12 Win32/Industroyer: A new threat for industrial control systems Retrieved. 2017/09/15 ", + "url": "https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-09-23T18:53:56.368Z", + "description": "[Industroyer](https://attack.mitre.org/software/S0604)'s data wiper component removes the registry image path throughout the system and overwrites all files, rendering the system unusable. (Citation: Anton Cherepanov, ESET June 2017)", + "relationship_type": "uses", + "source_ref": "malware--e401d4fe-f0c9-44f0-98e6-f93487678808", + "target_ref": "attack-pattern--138979ba-0430-4de6-a128-2fc0b056ba36", "x_mitre_deprecated": false, "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "2.1.0", 
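Review bot: The detection text added for `relationship--655e2f91-5d43-4c47-b7e0-8248b351f3ba` has a number mismatch ("indicate the devices has been placed"), which reads badly wherever this description is rendered as analyst guidance. I would change it to `"description": "Monitor device alarms that indicate the device has been placed into Firmware Update Mode, although not all devices produce such alarms.",`. In the same hunk, the Dragonfly 2.0 description writes "standard windows applications"; capitalising it as "Windows" makes clear the operating system is meant.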
@@ -15261,14 +18533,464 @@ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", - "id": "relationship--f6b1e463-5db5-40c7-8a6d-5f70194fdadd", + "id": "relationship--04882fef-2a6b-40d0-a101-da9c76a3572e", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.128Z", + "relationship_type": "mitigates", + "description": "Restrict the use of untrusted or unknown libraries, such as remote or unknown DLLs.\n", + "source_ref": "course-of-action--2ab9fc6d-3cf6-4d7b-85f1-3ad6949233b3", + "target_ref": "attack-pattern--ab390887-afc0-4715-826d-b1b167d522ae", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--33215dfa-53d0-4bd7-a15d-cec9315c7c4d", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.130Z", + "relationship_type": "mitigates", + "description": "Deny direct remote access to internal systems through the use of network proxies, gateways, and firewalls. 
Steps should be taken to periodically inventory internet accessible devices to determine if it differs from the expected.\n", + "source_ref": "course-of-action--1e7ccfc0-94c8-496e-8d27-032120892291", + "target_ref": "attack-pattern--f8df6b57-14bc-425f-9a91-6f59f6799307", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--461e81a2-c7ad-499e-908d-05ef2f7bd9cd", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.073Z", + "relationship_type": "mitigates", + "description": "Utilize network allowlists to restrict unnecessary connections to network devices (e.g., comm servers, serial to ethernet converters) and services, especially in cases when devices have limits on the number of simultaneous sessions they support.\n", + "source_ref": "course-of-action--aadac250-bcdc-44e3-a4ae-f52bd0a7a16a", + "target_ref": "attack-pattern--8e7089d3-fba2-44f8-94a8-9a79c53920c4", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--a618d7e4-23f0-4b8c-9f09-78d04ea7fc55", + "created": "2022-05-11T16:22:58.806Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-09-26T15:14:57.034Z", + "description": "Monitor for alarm setting changes observable in automation or management network protocols.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c", + "target_ref": 
"attack-pattern--e5de767e-f513-41cd-aa15-33f6ce5fbf92", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--a7caa7f2-cfb9-4fc9-ae8d-49349b6c260f", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.175Z", + "relationship_type": "mitigates", + "description": "All field controllers should restrict the modification of programs to only certain users (e.g., engineers, field technician), preferably through implementing a role-based access mechanism.\n", + "source_ref": "course-of-action--e0d38502-decb-481d-ad8b-b8f0a0c330bd", + "target_ref": "attack-pattern--be69c571-d746-4b1f-bdd0-c0c9817e9068", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--b13417ea-d8da-497f-818f-d2d90562039a", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.142Z", + "relationship_type": "mitigates", + "description": "Network intrusion detection and prevention systems that can identify traffic patterns indicative of MiTM activity can be used to mitigate activity at the network level.\n", + "source_ref": "course-of-action--3172222b-4983-43f7-8983-753ded4f13bc", + "target_ref": "attack-pattern--9a505987-ab05-4f46-a9a6-6441442eec3b", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + 
"object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--2f64b5aa-7e4d-4a5e-9960-69a63ad25083", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.201Z", + "relationship_type": "mitigates", + "description": "Execution prevention may prevent malicious scripts from accessing protected resources.\n", + "source_ref": "course-of-action--4fa717d9-cabe-47c8-8cdd-86e9e2e37f30", + "target_ref": "attack-pattern--2dc2b567-8821-49f9-9045-8740f3d0b958", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--ab306654-2abb-4983-8d30-df4058adb06c", + "created": "2021-04-12T18:49:06.044Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Selena Larson, Camille Singleton December 2020", + "description": "Selena Larson, Camille Singleton 2020, December RANSOMWARE IN ICS ENVIRONMENTS Retrieved. 2021/04/12 ", + "url": "https://f.hubspotusercontent10.net/hubfs/5943619/Whitepaper-Downloads/Ransomware_in_ICS_Environments_Whitepaper_10_12_20.pdf?utm_referrer=https%3A%2F%2Fwww.dragos.com%2Fresource%2Fransomware-in-ics-environments%2F" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-12T18:06:16.474Z", + "description": "The [REvil](https://attack.mitre.org/software/S0496) malware gained access to an organizations network and encrypted sensitive files used by OT equipment. 
(Citation: Selena Larson, Camille Singleton December 2020)", + "relationship_type": "uses", + "source_ref": "malware--ac61f1f9-7bb1-465e-9b8a-c2ce8e88baf5", + "target_ref": "attack-pattern--63b6942d-8359-4506-bfb3-cf87aa8120ee", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--c84e39ab-30c1-40e3-95a8-fcbb271e913c", + "created": "2022-05-06T17:47:21.168Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Carl Hurd March 2019", + "description": "Carl Hurd 2019, March 26 VPNFilter Deep Dive Retrieved. 2019/03/28 ", + "url": "https://www.youtube.com/watch?v=yuZazP22rpI" + }, + { + "source_name": "William Largent June 2018", + "description": "William Largent 2018, June 06 VPNFilter Update - VPNFilter exploits endpoints, targets new devices Retrieved. 2019/03/28 ", + "url": "https://blog.talosintelligence.com/2018/06/vpnfilter-update.html" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-12T18:31:07.308Z", + "description": "The [VPNFilter](https://attack.mitre.org/software/S1010)'s ssler module configures the device's iptables to redirect all traffic destined for port 80 to its local service listening on port 8888. Any outgoing web requests on port 80 are now intercepted by ssler and can be inspected by the ps module and manipulated before being sent to the legitimate HTTP service. 
(Citation: William Largent June 2018) (Citation: Carl Hurd March 2019)", + "relationship_type": "uses", + "source_ref": "malware--6108f800-10b8-4090-944e-be579f01263d", + "target_ref": "attack-pattern--9a505987-ab05-4f46-a9a6-6441442eec3b", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--51ed2f2f-d7e2-4699-b6bf-8da9d0361d59", + "created": "2022-09-26T17:08:21.214Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-09-26T17:08:21.214Z", + "description": "Monitor device communication patterns to identify irregular bulk transfers of data between the embedded ICS asset and other nodes within the network. Note these indicators are dependent on the profile of normal operations and the capabilities of the industrial automation protocols involved (e.g., partial program uploads).", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--a7f22107-02e5-4982-9067-6625d4a1765a", + "target_ref": "attack-pattern--3067b85e-271e-4bc5-81ad-ab1a81d411e3", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "2.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--c64f2ed2-f7a7-4333-b0d3-d687ffb7ad6b", + "created": "2020-09-21T17:59:24.739Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Department of Homeland Security October 2009", + "description": "Department of Homeland Security 2009, October Developing an Industrial Control Systems Cybersecurity Incident Response Capability Retrieved. 
2020/09/17 ", + "url": "https://us-cert.cisa.gov/sites/default/files/recommended_practices/final-RP_ics_cybersecurity_incident_response_100609.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-19T21:23:30.482Z", + "description": "Take and store data backups from end user systems and critical servers. Ensure backup and storage systems are hardened and kept separate from the corporate network to prevent compromise. Maintain and exercise incident response plans (Citation: Department of Homeland Security October 2009), including the management of gold-copy back-up images and configurations for key systems to enable quick recovery and response from adversarial activities that impact control, view, or availability.\n", + "relationship_type": "mitigates", + "source_ref": "course-of-action--ad12819e-3211-4291-b360-069f280cff0a", + "target_ref": "attack-pattern--4c2e1408-9d68-4187-8e6b-a77bc52700ec", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--2fd13fc0-e3f0-4099-ab20-d19ba6bcd4e0", + "created": "2017-12-14T16:46:06.044Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Nicolas Falliere, Liam O Murchu, Eric Chien February 2011", + "description": "Nicolas Falliere, Liam O Murchu, Eric Chien 2011, February W32.Stuxnet Dossier (Version 1.4) Retrieved. 
2017/09/22 ", + "url": "https://www.wired.com/images_blogs/threatlevel/2011/02/Symantec-Stuxnet-Update-Feb-2011.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-09-20T21:11:26.196Z", + "description": "[Stuxnet](https://attack.mitre.org/software/S0603) examines fields recorded by the DP_RECV monitor to determine if the target system is in a particular state of operation. (Citation: Nicolas Falliere, Liam O Murchu, Eric Chien February 2011)", + "relationship_type": "uses", + "source_ref": "malware--088f1d6e-0783-47c6-9923-9c79b2af43d4", + "target_ref": "attack-pattern--2d0d40ad-22fa-4cc8-b264-072557e1364b", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--eb1e05ef-58df-4c6d-acd7-5cc63ff7f44f", + "created": "2021-10-08T15:42:24.739Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Dragos Inc. June 2017", + "description": "Dragos Inc. 2017, June 13 Industroyer - Dragos - 201706: Analysis of the Threat to Electic Grid Operations Retrieved. 2017/09/18 ", + "url": "https://dragos.com/blog/crashoverride/CrashOverride-01.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-12T17:01:24.078Z", + "description": "[Sandworm Team](https://attack.mitre.org/groups/G0034) establishes an internal proxy prior to the installation of backdoors within the network. (Citation: Dragos Inc. 
June 2017)", + "relationship_type": "uses", + "source_ref": "intrusion-set--381fcf73-60f6-4ab2-9991-6af3cbc35192", + "target_ref": "attack-pattern--d67adac8-e3b9-44f9-9e6d-6c2a7d69dbe4", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--65a45501-10de-46a2-89bf-03bbf17aba33", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.166Z", + "relationship_type": "mitigates", + "description": "Perform integrity checks of firmware before uploading it on a device. Utilize cryptographic hashes to verify the firmware has not been tampered with by comparing it to a trusted hash of the firmware. This could be from trusted data sources (e.g., vendor site) or through a third-party verification service.\n", + "source_ref": "course-of-action--bcf91ebc-f316-4e19-b2f6-444e9940c697", + "target_ref": "attack-pattern--efbf7888-f61b-4572-9c80-7e2965c60707", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--31897c41-1d47-4a34-b531-21c3f74651a8", + "created": "2021-04-13T11:15:26.506Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Spenneberg, Ralf, Maik Brggemann, and Hendrik Schwartke March 2016", + "description": "Spenneberg, Ralf, Maik Brggemann, and Hendrik Schwartke 2016, March 31 Plc-blaster: A worm living solely in the plc. Retrieved. 
2017/09/19 ", + "url": "https://www.blackhat.com/docs/asia-16/materials/asia-16-Spenneberg-PLC-Blaster-A-Worm-Living-Solely-In-The-PLC-wp.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-12T18:00:39.796Z", + "description": "[PLC-Blaster](https://attack.mitre.org/software/S1006) utilizes the PLC communication and management API to load executable Program Organization Units. (Citation: Spenneberg, Ralf, Maik Brggemann, and Hendrik Schwartke March 2016)", + "relationship_type": "uses", + "source_ref": "malware--4dcff507-5af8-47ce-964a-8d9569e9ccfe", + "target_ref": "attack-pattern--be69c571-d746-4b1f-bdd0-c0c9817e9068", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--63ca148e-12c9-4090-b51e-a8fb7a847a2a", + "created": "2021-04-13T11:15:26.506Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "DHS CISA February 2019", + "description": "DHS CISA 2019, February 27 MAR-17-352-01 HatManSafety System Targeted Malware (Update B) Retrieved. 2019/03/08 ", + "url": "https://ics-cert.us-cert.gov/sites/default/files/documents/MAR-17-352-01%20HatMan%20-%20Safety%20System%20Targeted%20Malware%20%28Update%20B%29.pdf" + }, + { + "source_name": "Jos Wetzels January 2018", + "description": "Jos Wetzels 2018, January 16 Analyzing the TRITON industrial malware Retrieved. 
2019/10/22 ", + "url": "https://www.midnightbluelabs.com/blog/2018/1/16/analyzing-the-triton-industrial-malware" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-12T18:25:29.480Z", + "description": "[Triton](https://attack.mitre.org/software/S1009)'s argument-setting and inject.bin shellcode are added to the program table on the Tricon so that they are executed by the firmware once each cycle. (Citation: DHS CISA February 2019) (Citation: Jos Wetzels January 2018)", + "relationship_type": "uses", + "source_ref": "malware--80099a91-4c86-4bea-9ccb-dac55d61960e", + "target_ref": "attack-pattern--09a61657-46e1-439e-b3ed-3e4556a78243", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--63453d2f-30f6-40ab-b32c-506d940ecd20", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.061Z", + "relationship_type": "mitigates", + "description": "Devices that allow remote management of firmware should require authentication before allowing any changes. 
The authentication mechanisms should also support [Account Use Policies](https://attack.mitre.org/mitigations/M0936), [Password Policies](https://attack.mitre.org/mitigations/M0927), and [User Account Management](https://attack.mitre.org/mitigations/M0918)", + "source_ref": "course-of-action--66cfe23e-34b6-4583-b178-ed6a412db2b0", + "target_ref": "attack-pattern--19a71d1e-6334-4233-8260-b749cae37953", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--3be8045a-1f0d-4460-a76b-ae830e74c1e0", + "created": "2018-10-17T00:14:20.652Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Anton Cherepanov, ESET June 2017", + "description": "Anton Cherepanov, ESET 2017, June 12 Win32/Industroyer: A new threat for industrial control systems Retrieved. 2017/09/15 ", + "url": "https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-12T17:52:05.598Z", + "description": "The name of the [Industroyer](https://attack.mitre.org/software/S0604) payload DLL is supplied by the attackers via a command line parameter supplied in one of the main backdoors execute a shell command commands. 
(Citation: Anton Cherepanov, ESET June 2017)", + "relationship_type": "uses", + "source_ref": "malware--e401d4fe-f0c9-44f0-98e6-f93487678808", + "target_ref": "attack-pattern--24a9253e-8948-4c98-b751-8e2aee53127c", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--ad7fd147-066e-4ed5-aa9d-7b2f1771150d", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.111Z", + "relationship_type": "mitigates", + "description": "Web Application Firewalls may be used to limit exposure of applications to prevent exploit traffic from reaching the application. (Citation: Karen Scarfone; Paul Hoffman September 2009)\n", + "source_ref": "course-of-action--49363b74-d506-4342-bd63-320586ebadb9", + "target_ref": "attack-pattern--32632a95-6856-47b9-9ab7-fea5cd7dce00", + "external_references": [ + { + "source_name": "Karen Scarfone; Paul Hoffman September 2009", + "description": "Karen Scarfone; Paul Hoffman 2009, September Guidelines on Firewalls and Firewall Policy Retrieved. 
2020/09/25 ", + "url": "https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-41r1.pdf" + } + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--e5afc447-a241-4773-9a8a-3d6fd205d926", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.106Z", + "relationship_type": "mitigates", + "description": "Utilize exploit protection to prevent activities which may be exploited through malicious web sites.\n", + "source_ref": "course-of-action--49363b74-d506-4342-bd63-320586ebadb9", + "target_ref": "attack-pattern--7830cfcf-b268-4ac0-a69e-73c6affbae9a", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--f862418a-e7b4-4783-8949-7145f3dee665", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.104Z", + "relationship_type": "mitigates", + "description": "Authenticate connections from software and devices to prevent unauthorized systems from accessing protected management functions.\n", + "source_ref": "course-of-action--72e46e53-e12d-4106-9c70-33241b6ed549", + "target_ref": "attack-pattern--25dfc8ad-bd73-4dfd-84a9-3c3d383f76e9", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": 
"relationship", + "id": "relationship--3168a905-f398-403f-9345-de5893de1326", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2021-04-21T14:04:49.301Z", - "modified": "2022-05-06T17:47:24.361Z", + "modified": "2022-05-06T17:47:24.363Z", "relationship_type": "uses", - "description": "[Dragonfly 2.0](https://attack.mitre.org/groups/G0035) communicated with command and control over TCP ports 445 and 139 or UDP 137 or 138. (Citation: Cybersecurity & Infrastructure Security Agency March 2018)", + "description": "[Dragonfly 2.0](https://attack.mitre.org/groups/G0035) deleted indicators on staging and target devices by uninstalling software, removing event logs, batch scripts, screenshots, registry keys, documents, and tools they brought into the target networks. (Citation: Cybersecurity & Infrastructure Security Agency March 2018)", "source_ref": "intrusion-set--76d59913-1d24-4992-a8ac-05a3eb093f71", - "target_ref": "attack-pattern--e6c31185-8040-4267-83d3-b217b8a92f07", + "target_ref": "attack-pattern--53a26eee-1080-4d17-9762-2027d5a1b805", "external_references": [ { "source_name": "Cybersecurity & Infrastructure Security Agency March 2018", 
@@ -15280,24 +19002,166 @@ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0" }, + { + "type": "relationship", + "id": "relationship--8a06c15b-b7e5-4374-9265-8d9020e126cd", + "created": "2021-10-14T16:46:06.044Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Nicolas Falliere, Liam O Murchu, Eric Chien February 2011", + "description": "Nicolas Falliere, Liam O Murchu, Eric Chien 2011, February W32.Stuxnet Dossier (Version 1.4) Retrieved. 2017/09/22 ", + "url": "https://www.wired.com/images_blogs/threatlevel/2011/02/Symantec-Stuxnet-Update-Feb-2011.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-19T17:31:56.055Z", + "description": "[Stuxnet](https://attack.mitre.org/software/S0603) infects DLL's associated with the WinCC Simatic manager which are responsible for opening project files. If a user opens an uninfected project file using a compromised manager, the file will be infected with Stuxnet code. If an infected project is opened with the Simatic manager, the modified data file will trigger a search for the `xyz.dll` file. If the `xyz.dll` file is not found in any of the specified locations, the malicious DLL will be loaded and executed by the manager. 
(Citation: Nicolas Falliere, Liam O Murchu, Eric Chien February 2011)", + "relationship_type": "uses", + "source_ref": "malware--088f1d6e-0783-47c6-9923-9c79b2af43d4", + "target_ref": "attack-pattern--2736b752-4ec5-4421-a230-8977dea7649c", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--9d4be020-4ab0-4f10-9a20-ae8a2886038f", + "created": "2022-09-27T18:40:11.818Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-09-27T18:40:11.818Z", + "description": "In the case of detecting collection from shared network drives monitor for unexpected and abnormal accesses to network shares. For added context on adversary procedures and background see [Data from Network Shared Drive](https://attack.mitre.org/techniques/T1039).", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--f5468e67-51c7-4756-9b4f-65707708e7fa", + "target_ref": "attack-pattern--3405891b-16aa-4bd7-bd7c-733501f9b20f", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "2.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--1f785984-791e-4612-be32-9ee6903a9c0b", + "created": "2022-09-28T20:26:09.928Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Wylie-22", + "description": "Jimmy Wylie. (2022, August). Analyzing PIPEDREAM: Challenges in Testing an ICS Attack Toolkit. 
Defcon 30.", + "url": "https://media.defcon.org/DEF%20CON%2030/DEF%20CON%2030%20presentations/Jimmy%20Wylie%20-%20Analyzing%20PIPEDREAM%20Challenges%20in%20testing%20an%20ICS%20attack%20toolkit.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-13T16:53:47.433Z", + "description": "[INCONTROLLER](https://attack.mitre.org/software/S1045) can login to Omron PLCs using hardcoded credentials, which is documented in CVE-2022-34151.(Citation: Wylie-22) ", + "relationship_type": "uses", + "source_ref": "malware--d3aa1058-b1b3-4c29-a3ba-9a9b90ccd93b", + "target_ref": "attack-pattern--c9a8d958-fcdb-40d2-af4c-461c8031651a", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--78972893-5d8c-480f-a05d-481adc0c8bb0", + "created": "2022-05-11T16:22:58.804Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-09-26T16:12:25.316Z", + "description": "Monitor ICS automation network protocols for functions related to reading an asset’s operating mode. In some cases, there may be multiple ways to detect a device’s operating mode, one of which is typically used in the operational environment. 
Monitor for the operating mode being checked in unexpected ways.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c", + "target_ref": "attack-pattern--2aa406ed-81c3-4c1d-ba83-cfbee5a2847a", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--c4122b58-f1b2-4656-a715-55016700bf75", + "created": "2018-10-17T00:14:20.652Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Anton Cherepanov, ESET June 2017", + "description": "Anton Cherepanov, ESET 2017, June 12 Win32/Industroyer: A new threat for industrial control systems Retrieved. 2017/09/15 ", + "url": "https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-09-23T18:56:39.825Z", + "description": "[Industroyer](https://attack.mitre.org/software/S0604) automatically collects protocol object data to learn about control devices in the environment. 
(Citation: Anton Cherepanov, ESET June 2017)", + "relationship_type": "uses", + "source_ref": "malware--e401d4fe-f0c9-44f0-98e6-f93487678808", + "target_ref": "attack-pattern--3de230d4-3e42-4041-b089-17e1128feded", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--b2d4989c-e2d1-40c4-b1d8-07834a71f26f", + "created": "2021-04-11T14:06:54.109Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Electricity Information Sharing and Analysis Center; SANS Industrial Control Systems March 2016", + "description": "Electricity Information Sharing and Analysis Center; SANS Industrial Control Systems 2016, March 18 Analysis of the Cyber Attack on the Ukranian Power Grid: Defense Use Case Retrieved. 2018/03/27 ", + "url": "https://assets.contentstack.io/v3/assets/blt36c2e63521272fdc/blt6a77276749b76a40/607f235992f0063e5c070fff/E-ISAC_SANS_Ukraine_DUC_5%5b73%5d.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-12T20:08:31.892Z", + "description": "In the Ukraine 2015 Incident, [Sandworm Team](https://attack.mitre.org/groups/G0034) developed and used malicious firmware to render communication devices inoperable. 
(Citation: Electricity Information Sharing and Analysis Center; SANS Industrial Control Systems March 2016)", + "relationship_type": "uses", + "source_ref": "intrusion-set--381fcf73-60f6-4ab2-9991-6af3cbc35192", + "target_ref": "attack-pattern--b9160e77-ea9e-4ba9-b1c8-53a3c466b13d", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", - "id": "relationship--afb0b60e-e604-4b96-abb9-57fdce4e5108", + "id": "relationship--efb80069-e4be-4055-bd34-06d1376b4601", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.133Z", + "modified": "2022-05-06T17:47:24.109Z", "relationship_type": "mitigates", - "description": "Hot-standbys in diverse locations can ensure continued operations if the primarily system is compromised or unavailable. At the network layer, protocols such as the Parallel Redundancy Protocol can be used to simultaneously use redundant and diverse communication over a local network. (Citation: M. Rentschler and H. Heine)\n", - "source_ref": "course-of-action--f0f5c87a-a58d-440a-b3b5-ca679d98c6dd", - "target_ref": "attack-pattern--b5b9bacb-97f2-4249-b804-47fd44de1f95", + "description": "Access Management technologies can be used to enforce authorization policies and decisions, especially when existing field devices do not provide capabilities to support user identification and authentication. (Citation: McCarthy, J et al. 
July 2018) These technologies typically utilize an in-line network device or gateway system to prevent access to unauthenticated users, while also integrating with an authentication service to first verify user credentials.\n", + "source_ref": "course-of-action--3992ce42-43e9-4bea-b8db-a102ec3ec1e3", + "target_ref": "attack-pattern--5a2610f6-9fff-41e1-bc27-575ca20383d4", "external_references": [ { - "source_name": "M. Rentschler and H. Heine", - "description": "M. Rentschler and H. Heine The Parallel Redundancy Protocol for industrial IP networks Retrieved. 2020/09/25 ", - "url": "https://ieeexplore.ieee.org/document/6505877" + "source_name": "McCarthy, J et al. July 2018", + "description": "McCarthy, J et al. 2018, July NIST SP 1800-2 Identity and Access Management for Electric Utilities Retrieved. 2020/09/17 ", + "url": "https://doi.org/10.6028/NIST.SP.1800-2" } ], "x_mitre_attack_spec_version": "2.1.0", 
@@ -15306,24 +19170,289 @@ }, { "type": "relationship", - "id": "relationship--f8318ac4-8ed0-478d-be87-faa2c9d8a740", - "created": "2018-10-17T00:14:20.652Z", + "id": "relationship--97641754-f215-4b8f-b0cd-0d3142053c76", + "created": "2022-05-11T16:22:58.806Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { - "source_name": "Eduard Kovacs May 2018", - "description": "Eduard Kovacs 2018, May 21 Group linked to Shamoon attacks targeting ICS networks in Middle East and UK Retrieved. 2020/01/03 ", - "url": "https://www.cyberviser.com/2018/05/group-linked-to-shamoon-attacks-targeting-ics-networks-in-middle-east-and-uk/" + "source_name": "McAfee CHIPSEC Blog", + "description": "Beek, C., Samani, R. (2017, March 8). CHIPSEC Support Against Vault 7 Disclosure Scanning. Retrieved March 13, 2017.", + "url": "https://securingtomorrow.mcafee.com/business/chipsec-support-vault-7-disclosure-scanning/" + }, + { + "source_name": "MITRE Copernicus", + "description": "Butterworth, J. (2013, July 30). Copernicus: Question Your Assumptions about BIOS Security. Retrieved December 11, 2015.", + "url": "http://www.mitre.org/capabilities/cybersecurity/overview/cybersecurity-blog/copernicus-question-your-assumptions-about" + }, + { + "source_name": "Intel HackingTeam UEFI Rootkit", + "description": "Intel Security. (2005, July 16). HackingTeam's UEFI Rootkit Details. Retrieved March 20, 2017.", + "url": "http://www.intelsecurity.com/advanced-threat-research/content/data/HT-UEFI-rootkit.html" + }, + { + "source_name": "Github CHIPSEC", + "description": "Intel. (2017, March 18). CHIPSEC Platform Security Assessment Framework. 
Retrieved March 20, 2017.", + "url": "https://github.com/chipsec/chipsec" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2022-10-12T16:33:11.305Z", - "description": "[OilRig](https://attack.mitre.org/groups/G0049) has been seen utilizing watering hole attacks to collect credentials which could be used to gain access into ICS networks. (Citation: Eduard Kovacs May 2018)", + "modified": "2022-10-14T16:48:56.024Z", + "description": "Monitor firmware for unexpected changes. Asset management systems should be consulted to understand known-good firmware versions. Dump and inspect BIOS images on vulnerable systems and compare against known good images.(Citation: MITRE Copernicus) Analyze differences to determine if malicious changes have occurred. Log attempts to read/write to BIOS and compare against known patching behavior. Likewise, EFI modules can be collected and compared against a known-clean list of EFI executable binaries to detect potentially malicious modules. 
The CHIPSEC framework can be used for analysis to determine if firmware modifications have been performed.(Citation: McAfee CHIPSEC Blog) (Citation: Github CHIPSEC) (Citation: Intel HackingTeam UEFI Rootkit)", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--b9d031bb-d150-4fc6-8025-688201bf3ffd", + "target_ref": "attack-pattern--efbf7888-f61b-4572-9c80-7e2965c60707", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--a47cd7b9-2b73-480c-a8ab-2dfa908e02ea", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.216Z", + "relationship_type": "mitigates", + "description": "Check the integrity of the existing BIOS or EFI to determine if it is vulnerable to modification. Use Trusted Platform Module technology. (Citation: N/A)Move system's root of trust to hardware to prevent tampering with the SPI flash memory. (Citation: ESET Research Whitepapers September 2018)Technologies such as Intel Boot Guard can assist with this. (Citation: Intel)\n", + "source_ref": "course-of-action--8ac1d6e1-b07f-476a-9732-84984ebc2405", + "target_ref": "attack-pattern--b9160e77-ea9e-4ba9-b1c8-53a3c466b13d", + "external_references": [ + { + "source_name": "N/A", + "description": "N/A Trusted Platform Module (TPM) Summary Retrieved. 2020/09/25 ", + "url": "https://www.trustedcomputinggroup.org/wp-content/uploads/Trusted-Platform-Module-Summary_04292008.pdf" + }, + { + "source_name": "ESET Research Whitepapers September 2018", + "description": "ESET Research Whitepapers 2018, September LOJAX First UEFI rootkit found in the wild, courtesy of the Sednit group Retrieved. 
2020/09/25 ", + "url": "https://www.welivesecurity.com/wp-content/uploads/2018/09/ESET-LoJax.pdf" + }, + { + "source_name": "Intel", + "description": "Intel ESET Research Whitepapers 2018, September LOJAX First UEFI rootkit found in the wild, courtesy of the Sednit group Retrieved. 2020/09/25 Intel Hardware-based Security Technologies for Intelligent Retail Devices Retrieved. 2020/09/25 ", + "url": "https://www.intel.com/content/dam/www/public/us/en/documents/white-papers/security-technologies-4th-gen-core-retail-paper.pdf" + } + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--c6520346-fe47-44ce-af75-d99004ac2977", + "created": "2017-12-14T16:46:06.044Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Nicolas Falliere, Liam O Murchu, Eric Chien February 2011", + "description": "Nicolas Falliere, Liam O Murchu, Eric Chien 2011, February W32.Stuxnet Dossier (Version 1.4) Retrieved. 2017/09/22 ", + "url": "https://www.wired.com/images_blogs/threatlevel/2011/02/Symantec-Stuxnet-Update-Feb-2011.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-09-20T21:17:59.179Z", + "description": "[Stuxnet](https://attack.mitre.org/software/S0603) can reprogram a PLC and change critical parameters in such a way that legitimate commands can be overridden or intercepted. In addition, Stuxnet can apply inappropriate command sequences or parameters to cause damage to property. 
(Citation: Nicolas Falliere, Liam O Murchu, Eric Chien February 2011)", "relationship_type": "uses", - "source_ref": "intrusion-set--4ca1929c-7d64-4aab-b849-badbfc0c760d", + "source_ref": "malware--088f1d6e-0783-47c6-9923-9c79b2af43d4", + "target_ref": "attack-pattern--1af9e3fd-2bcc-414d-adbd-fe3b95c02ca1", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--25e7ca82-2784-433a-90a9-a3483615a655", + "type": "relationship", + "created": "2019-04-12T17:01:01.255Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "description": "FireEye. (2018, October 03). APT38: Un-usual Suspects. Retrieved November 6, 2018.", + "url": "https://content.fireeye.com/apt/rpt-apt38", + "source_name": "FireEye APT38 Oct 2018" + }, + { + "description": "Noerenberg, E., Costis, A., and Quist, N. (2017, May 16). A Technical Analysis of WannaCry Ransomware. Retrieved March 25, 2019.", + "url": "https://logrhythm.com/blog/a-technical-analysis-of-wannacry-ransomware/", + "source_name": "LogRhythm WannaCry" + }, + { + "description": "Berry, A., Homan, J., and Eitzman, R. (2017, May 23). WannaCry Malware Profile. Retrieved March 15, 2019.", + "url": "https://www.fireeye.com/blog/threat-research/2017/05/wannacry-malware-profile.html", + "source_name": "FireEye WannaCry 2017" + }, + { + "source_name": "SecureWorks WannaCry Analysis", + "url": "https://www.secureworks.com/research/wcry-ransomware-analysis", + "description": "Counter Threat Unit Research Team. (2017, May 18). WCry Ransomware Analysis. Retrieved March 26, 2019." 
+ } + ], + "modified": "2019-09-09T19:15:45.677Z", + "description": "(Citation: FireEye APT38 Oct 2018)(Citation: LogRhythm WannaCry)(Citation: FireEye WannaCry 2017)(Citation: SecureWorks WannaCry Analysis)", + "relationship_type": "uses", + "source_ref": "intrusion-set--c93fccb1-e8e8-42cf-ae33-2ad1d183913a", + "target_ref": "malware--75ecdbf1-c2bb-4afc-a3f9-c8da4de8c661", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--1ed4d007-6d30-4d5d-8df9-3800ed56e042", + "created": "2022-05-11T16:22:58.804Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-09-27T18:46:37.894Z", + "description": "Analyze network data for uncommon data flows (e.g., new protocols in use between hosts, unexpected ports in use). Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. 
", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--a7f22107-02e5-4982-9067-6625d4a1765a", + "target_ref": "attack-pattern--e6c31185-8040-4267-83d3-b217b8a92f07", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--c664bb6c-59f0-4b31-bbb4-ef66fca933d4", + "created": "2022-05-11T16:22:58.808Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-14T16:45:39.703Z", + "description": "Monitor for newly executed processes that depend on user interaction, especially for applications that can embed programmatic capabilities (e.g., Microsoft Office products with scripts, installers, zip files). This includes compression applications, such as those for zip files, that can be used to [Deobfuscate/Decode Files or Information](https://attack.mitre.org/techniques/T1140) in payloads.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--3d20385b-24ef-40e1-9f56-f39750379077", + "target_ref": "attack-pattern--2736b752-4ec5-4421-a230-8977dea7649c", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--79324bdd-cdab-4d0a-af60-af1047c1d117", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.170Z", + "relationship_type": "mitigates", + "description": "All field controllers should require users to authenticate for all remote or local 
management sessions. The authentication mechanisms should also support [Account Use Policies](https://attack.mitre.org/mitigations/M0936), [Password Policies](https://attack.mitre.org/mitigations/M0927), and [User Account Management](https://attack.mitre.org/mitigations/M0918).", + "source_ref": "course-of-action--66cfe23e-34b6-4583-b178-ed6a412db2b0", + "target_ref": "attack-pattern--25852363-5968-4673-b81d-341d5ed90bd1", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--dfe43fa1-ffc2-4c6c-a91d-f2ca55f21ccb", + "created": "2017-12-14T16:46:06.044Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Nicolas Falliere, Liam O Murchu, Eric Chien February 2011", + "description": "Nicolas Falliere, Liam O Murchu, Eric Chien 2011, February W32.Stuxnet Dossier (Version 1.4) Retrieved. 2017/09/22 ", + "url": "https://www.wired.com/images_blogs/threatlevel/2011/02/Symantec-Stuxnet-Update-Feb-2011.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-12T18:23:18.048Z", + "description": "[Stuxnet](https://attack.mitre.org/software/S0603) copies itself into Step 7 projects in such a way that it automatically executes when the Step 7 project is loaded. 
(Citation: Nicolas Falliere, Liam O Murchu, Eric Chien February 2011)", + "relationship_type": "uses", + "source_ref": "malware--088f1d6e-0783-47c6-9923-9c79b2af43d4", + "target_ref": "attack-pattern--e72425f8-9ae6-41d3-bfdb-e1b865e60722", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--3d20dad6-fb53-4d74-bc7e-54b9b88e1529", + "created": "2022-05-11T16:22:58.804Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-14T18:41:15.273Z", + "description": "Monitor and analyze traffic patterns and packet inspection associated to protocol(s) that do not follow the expected protocol standards and traffic flows (e.g., extraneous packets that do not belong to established flows, gratuitous or anomalous traffic patterns, anomalous syntax, or structure). 
Consider correlation with process monitoring and command line to detect anomalous processes execution and command line arguments associated to traffic patterns (e.g., monitor anomalies in use of files that do not normally initiate connections for respective protocol(s)).", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c", + "target_ref": "attack-pattern--1b22b676-9347-4c55-9a35-ef0dc653db5b", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--c22acaab-baa4-45b0-9c4b-9330715e5455", + "created": "2022-10-13T21:18:17.775Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Pinellas County Sheriffs Office February 2021", + "description": "Pinellas County Sheriffs Office 2021, February 8 Treatment Plant Intrusion Press Conference Retrieved. 
2021/10/08 ", + "url": "https://www.youtube.com/watch?v=MkXDSOgLQ6M" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-18T13:26:03.133Z", + "description": "During the [Oldsmar Treatment Plant Intrusion](https://attack.mitre.org/campaigns/C0009), the threat actors utilized an operator HMI to manipulate process control setpoint values far beyond normal operating levels.(Citation: Pinellas County Sheriffs Office February 2021)", + "relationship_type": "uses", + "source_ref": "campaign--65281d3e-b03c-46b8-8cd8-716363ac3cb2", + "target_ref": "attack-pattern--1af9e3fd-2bcc-414d-adbd-fe3b95c02ca1", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--042243fd-bfe0-4961-96de-a36232d3ff74", + "created": "2018-04-18T17:59:24.739Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Symantec Security Response July 2014", + "description": "Symantec Security Response 2014, July 7 Dragonfly: Cyberespionage Attacks Against Energy Suppliers Retrieved. 2016/04/08 ", + "url": "https://docs.broadcom.com/doc/dragonfly_threat_against_western_energy_suppliers#:~:text=The%20attackers%2C%20known%20to%20Symantec,supply%20in%20the%20affected%20countries." + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-12T16:04:03.547Z", + "description": "[Dragonfly](https://attack.mitre.org/groups/G0035) utilized watering hole attacks on energy sector websites by injecting a redirect iframe to deliver [Backdoor.Oldrea](https://attack.mitre.org/software/S0093) or [Trojan.Karagany](https://attack.mitre.org/software/S0094). 
(Citation: Symantec Security Response July 2014)", + "relationship_type": "uses", + "source_ref": "intrusion-set--1c63d4ec-0a75-4daa-b1df-0d11af3d3cc1", "target_ref": "attack-pattern--7830cfcf-b268-4ac0-a69e-73c6affbae9a", "x_mitre_deprecated": false, "x_mitre_version": "1.0", 
@@ -15332,18 +19461,236 @@ }, { "type": "relationship", - "id": "relationship--949b498c-ca3f-4704-90bd-a22a4d34067f", - "created": "2022-05-11T16:22:58.803Z", + "id": "relationship--90d9c8e3-0250-4096-8d98-7ca1d324d654", + "created": "2021-04-12T10:12:26.506Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Daavid Hentunen, Antti Tikkanen June 2014", + "description": "Daavid Hentunen, Antti Tikkanen 2014, June 23 Havex Hunts For ICS/SCADA Systems Retrieved. 2019/04/01 ", + "url": "https://www.f-secure.com/weblog/archives/00002718.html" + }, + { + "source_name": "ICS-CERT August 2018", + "description": "ICS-CERT 2018, August 22 Advisory (ICSA-14-178-01) Retrieved. 2019/04/01 ", + "url": "https://ics-cert.us-cert.gov/advisories/ICSA-14-178-01" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-12T17:22:33.586Z", + "description": "The [Backdoor.Oldrea](https://attack.mitre.org/software/S0093) payload has the capability of enumerating OPC tags, in addition to more generic OPC server information. The server data and tag names can provide information about the names and function of control devices. 
(Citation: ICS-CERT August 2018) (Citation: Daavid Hentunen, Antti Tikkanen June 2014)", + "relationship_type": "uses", + "source_ref": "malware--083bb47b-02c8-4423-81a2-f9ef58572974", + "target_ref": "attack-pattern--25852363-5968-4673-b81d-341d5ed90bd1", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--064dfd6f-db5d-48e8-b350-9dd47a270911", + "created": "2022-09-28T20:22:09.916Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "CISA-AA22-103A", + "description": "DHS/CISA. (2022, May 25). Alert (AA22-103A) APT Cyber Tools Targeting ICS/SCADA Devices. Retrieved September 28, 2022.", + "url": "https://www.cisa.gov/uscert/ncas/alerts/aa22-103a" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-12T15:16:59.156Z", + "description": "[INCONTROLLER](https://attack.mitre.org/software/S1045) can remotely read the OCP UA structure from devices.(Citation: CISA-AA22-103A) ", + "relationship_type": "uses", + "source_ref": "malware--d3aa1058-b1b3-4c29-a3ba-9a9b90ccd93b", + "target_ref": "attack-pattern--25852363-5968-4673-b81d-341d5ed90bd1", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--709c4e40-c5c6-405b-bc3d-0adfea40ccd4", + "created": "2018-04-18T17:59:24.739Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "DHS CISA February 2019", + "description": "DHS CISA 2019, February 27 MAR-17-352-01 HatManSafety System Targeted Malware (Update B) Retrieved. 
2019/03/08 ", + "url": "https://ics-cert.us-cert.gov/sites/default/files/documents/MAR-17-352-01%20HatMan%20-%20Safety%20System%20Targeted%20Malware%20%28Update%20B%29.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-12T18:25:44.864Z", + "description": "[Triton](https://attack.mitre.org/software/S1009) communicates with Triconex controllers using a custom component framework written entirely in Python. The modules that implement the TriStation communication protocol and other supporting components are found in a separate file -- library.zip -- the main script that employs this functionality is compiled into a standalone py2exe Windows executable -- trilog.exe which includes a Python environment. (Citation: DHS CISA February 2019)", + "relationship_type": "uses", + "source_ref": "malware--80099a91-4c86-4bea-9ccb-dac55d61960e", + "target_ref": "attack-pattern--2dc2b567-8821-49f9-9045-8740f3d0b958", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--08a4f730-bc3f-4050-973f-1ef2847db4e7", + "created": "2022-05-11T16:22:58.804Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2022-09-26T15:37:55.042Z", - "description": "Monitor for loss of operational process data which could indicate alarms are being suppressed. 
This will not directly detect the technique’s execution, but instead may provide additional evidence that the technique has been used and may complement other detections.", + "modified": "2022-10-14T16:57:47.375Z", + "description": "Monitor and analyze traffic patterns and packet inspection associated to protocol(s) that do not follow the expected protocol standards and traffic flows (e.g., extraneous packets that do not belong to established flows, gratuitous or anomalous traffic patterns, anomalous syntax, or structure). Consider correlation with process monitoring and command line to detect anomalous processes execution and command line arguments associated to traffic patterns (e.g., monitor anomalies in use of files that do not normally initiate connections for respective protocol(s)).", "relationship_type": "detects", - "source_ref": "x-mitre-data-component--931b3fc6-ad68-42a8-9018-e98515eedc95", - "target_ref": "attack-pattern--2900bbd8-308a-4274-b074-5b8bde8347bc", + "source_ref": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c", + "target_ref": "attack-pattern--d67adac8-e3b9-44f9-9e6d-6c2a7d69dbe4", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--f347b4fe-d829-427d-851a-fff3393441db", + "created": "2021-04-12T07:57:26.506Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Dragos October 2018", + "description": "Dragos 2018, October 12 Anatomy of an Attack: Detecting and Defeating CRASHOVERRIDE Retrieved. 
2019/10/14 ", + "url": "https://dragos.com/wp-content/uploads/CRASHOVERRIDE2018.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-09-23T18:58:31.152Z", + "description": "[Industroyer](https://attack.mitre.org/software/S0604) contained a module which leveraged a vulnerability in the Siemens SIPROTEC relays (CVE-2015-5374) to create a Denial of Service against automated protective relays. (Citation: Dragos October 2018)", + "relationship_type": "uses", + "source_ref": "malware--e401d4fe-f0c9-44f0-98e6-f93487678808", + "target_ref": "attack-pattern--2bb4d762-bf4a-4bc3-9318-15cc6a354163", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--06f15629-d050-434a-aed1-3bb3f90c97b2", + "created": "2022-09-27T15:22:37.864Z", + "revoked": false, + "external_references": [ + { + "source_name": "Elastic - Koadiac Detection with EQL", + "description": "Stepanic, D.. (2020, January 13). Embracing offensive tooling: Building detections against Koadic using EQL. 
Retrieved November 30, 2020.", + "url": "https://www.elastic.co/blog/embracing-offensive-tooling-building-detections-against-koadic-using-eql" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-09-27T15:22:37.864Z", + "description": "Monitor for suspicious descendant process spawning from Microsoft Office and other productivity software.(Citation: Elastic - Koadiac Detection with EQL) For added context on adversary procedures and background see [Spearphishing Attachment](https://attack.mitre.org/techniques/T1566/001).", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--3d20385b-24ef-40e1-9f56-f39750379077", + "target_ref": "attack-pattern--648f995e-9c3a-41e4-aeee-98bb41037426", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "2.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--92634d06-42e5-407f-bcb7-cafb1ddeafce", + "created": "2018-10-17T00:14:20.652Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Dragos December 2017", + "description": "Dragos 2017, December 13 TRISIS Malware Analysis of Safety System Targeted Malware Retrieved. 2018/01/12 ", + "url": "https://dragos.com/blog/trisis/TRISIS-01.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-12T17:06:08.814Z", + "description": "[TEMP.Veles](https://attack.mitre.org/groups/G0088) used valid credentials when laterally moving through RDP jump boxes into the ICS environment. 
(Citation: Dragos December 2017)", + "relationship_type": "uses", + "source_ref": "intrusion-set--9538b1a4-4120-4e2d-bf59-3b11fcab05a4", + "target_ref": "attack-pattern--cd2c76a4-5e23-4ca5-9c40-d5e0604f7101", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--ea5828bb-5da7-4ed8-83b8-8d3b0e51cb3a", + "created": "2022-05-11T16:22:58.804Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-09-26T16:51:47.079Z", + "description": "Monitor ICS automation protocols for functions that restart or shutdown a device. Commands to restart or shutdown devices may also be observable in traditional IT management protocols.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c", + "target_ref": "attack-pattern--25dfc8ad-bd73-4dfd-84a9-3c3d383f76e9", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--f8cf3800-6521-41d9-b272-d6ba2db0ccd2", + "created": "2022-05-11T16:22:58.804Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-09-26T16:09:42.474Z", + "description": "Monitor network traffic for ICS functions related to write commands for an excessive number of I/O points or manipulating a single value an excessive number of times.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c", + 
"target_ref": "attack-pattern--8e7089d3-fba2-44f8-94a8-9a79c53920c4", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--06fc6ec4-7857-4f59-9bbf-df373152bcfd", + "created": "2022-05-11T16:22:58.804Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-09-26T15:12:43.166Z", + "description": "Monitor asset alarms which may help identify a loss of communications. Consider correlating alarms with other data sources that indicate traffic has been blocked, such as network traffic. In cases where alternative methods of communicating with outstations exist alarms may still be visible even if messages over serial COM ports are blocked.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--4c12c1c8-bcef-4daf-8e5b-fca235f71d9e", + "target_ref": "attack-pattern--1c478716-71d9-46a4-9a53-fa5d576adb60", "x_mitre_deprecated": false, "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "2.1.0", 
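Review bot: The added INCONTROLLER relationship (`relationship--064dfd6f-db5d-48e8-b350-9dd47a270911`) says the malware reads "the OCP UA structure", which looks like a transposition of OPC UA. The Backdoor.Oldrea object added just above it targets the same `attack-pattern--25852363-…` and talks about enumerating OPC tags and OPC server information. Anyone searching the bundle for the protocol name would miss this procedure example, so I would change the text to `can remotely read the OPC UA structure from devices.(Citation: CISA-AA22-103A)` and drop the trailing space before the closing quote. In the same hunk, the `source_name` "Elastic - Koadiac Detection with EQL" spells the tool differently from its own `description` and `url` ("Koadic"). If it is corrected, the `(Citation: …)` marker in that object's description has to change with it so the reference still resolves.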
@@ -15354,31 +19701,600 @@ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", - "id": "relationship--808c57e7-72ef-4860-b9ea-8ea072e2385a", + "id": "relationship--7d0ec383-4c5d-474d-9262-3f3c0d6c05b1", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.098Z", + "modified": "2022-05-06T17:47:24.072Z", "relationship_type": "mitigates", - "description": "Protocols used for control functions should provide authenticity through MAC functions or digital signatures. If not, utilize bump-in-the-wire devices or VPNs to enforce communication authenticity between devices that are not capable of supporting this (e.g., legacy controllers, RTUs).\n", - "source_ref": "course-of-action--c7257b6e-4159-4771-b1f3-2bb93adaecac", - "target_ref": "attack-pattern--2aa406ed-81c3-4c1d-ba83-cfbee5a2847a", + "description": "Ensure devices have an alternative method for communicating in the event that a valid COM port is unavailable.\n", + "source_ref": "course-of-action--b11cad63-ef30-4eb8-af0d-6cc46eef3f3e", + "target_ref": "attack-pattern--1c478716-71d9-46a4-9a53-fa5d576adb60", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0" }, { "type": "relationship", - "id": "relationship--31203165-79d0-42e5-81f1-62150dea2c43", + "id": "relationship--4dd93fd2-6e6d-4c50-a091-6d6ea6903f1e", + "created": "2022-09-28T21:21:58.641Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Wylie-22", + "description": "Jimmy Wylie. (2022, August). Analyzing PIPEDREAM: Challenges in Testing an ICS Attack Toolkit. 
Defcon 30.", + "url": "https://media.defcon.org/DEF%20CON%2030/DEF%20CON%2030%20presentations/Jimmy%20Wylie%20-%20Analyzing%20PIPEDREAM%20Challenges%20in%20testing%20an%20ICS%20attack%20toolkit.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-13T16:53:47.435Z", + "description": "[INCONTROLLER](https://attack.mitre.org/software/S1045) can use the HTTP CGI scripts on Omron PLCs to modify parameters on EtherCat connected servo drives.(Citation: Wylie-22) ", + "relationship_type": "uses", + "source_ref": "malware--d3aa1058-b1b3-4c29-a3ba-9a9b90ccd93b", + "target_ref": "attack-pattern--097924ce-a9a9-4039-8591-e0deedfb8722", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--42508a8e-44d5-4af1-9e66-bace5fc94734", + "created": "2022-09-27T18:49:25.089Z", + "revoked": false, + "external_references": [ + { + "source_name": "University of Birmingham C2", + "description": "Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command & Control Understanding, Denying and Detecting. Retrieved April 20, 2016.", + "url": "https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-09-27T18:49:25.089Z", + "description": "Monitor for mismatches between protocols and their expected ports (e.g., non-HTTP traffic on tcp:80). 
Analyze packet contents to detect communications that do not follow the expected protocol behavior for the port that is being used.(Citation: University of Birmingham C2)", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c", + "target_ref": "attack-pattern--e6c31185-8040-4267-83d3-b217b8a92f07", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "2.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--aa205915-7571-47ee-8bc6-5aa1ace86690", + "created": "2022-05-11T16:22:58.804Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-09-26T16:52:11.111Z", + "description": "Devices may produce alarms about restarts or shutdowns. 
Monitor for unexpected device restarts or shutdowns.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--9d56be63-3501-4dd3-bb5f-63c580833298", + "target_ref": "attack-pattern--25dfc8ad-bd73-4dfd-84a9-3c3d383f76e9", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--3f5f9f9d-9bb3-4461-b85b-501f6077e7b8", + "created": "2022-05-11T16:22:58.805Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-14T19:40:51.224Z", + "description": "Monitor executed commands and arguments that may delete or alter generated artifacts on a host system, including logs or captured files such as quarantined malware.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--685f917a-e95e-4ba0-ade1-c7d354dae6e0", + "target_ref": "attack-pattern--53a26eee-1080-4d17-9762-2027d5a1b805", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--8b17ad46-b0cc-4766-9cae-eba32260d468", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.135Z", + "relationship_type": "mitigates", + "description": "Provide operators with redundant, out-of-band communication to support monitoring and control of the operational processes, especially when recovering from a network outage (Citation: National Institute of Standards and Technology April 2013). 
Out-of-band communication should utilize diverse systems and technologies to minimize common failure modes and vulnerabilities within the communications infrastructure. For example, wireless networks (e.g., 3G, 4G) can be used to provide diverse and redundant delivery of data.\n", + "source_ref": "course-of-action--b11cad63-ef30-4eb8-af0d-6cc46eef3f3e", + "target_ref": "attack-pattern--a81696ef-c106-482c-8f80-59c30f2569fb", + "external_references": [ + { + "source_name": "National Institute of Standards and Technology April 2013", + "description": "National Institute of Standards and Technology 2013, April Security and Privacy Controls for Federal Information Systems and Organizations Retrieved. 2020/09/17 ", + "url": "https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf" + } + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--f130282b-f681-455f-966b-55829842be92", + "created": "2017-12-14T16:46:06.044Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Ralph Langner November 2013", + "description": "Ralph Langner 2013, November To Kill a Centrifuge: A Technical Analysis of What Stuxnet's Creators Tried to Achieve Retrieved. 2018/03/27 ", + "url": "https://www.langner.com/wp-content/uploads/2017/03/to-kill-a-centrifuge.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-09-20T21:23:20.356Z", + "description": "One of [Stuxnet](https://attack.mitre.org/software/S0603)'s rootkits is contained entirely in the fake s7otbxdx.dll. 
In order to continue existing undetected on the PLC it needs to account for at least the following situations: read requests for its own malicious code blocks, read requests for infected blocks (OB1, OB35, DP_RECV), and write requests that could overwrite Stuxnets own code. Stuxnet contains code to monitor and intercept these types of requests. The rootkit modifies these requests so that Stuxnets PLC code is not discovered or damaged. (Citation: Ralph Langner November 2013)",
+ "relationship_type": "uses",
+ "source_ref": "malware--088f1d6e-0783-47c6-9923-9c79b2af43d4",
+ "target_ref": "attack-pattern--3b6b9246-43f8-4c69-ad7a-2b11cfe0a0d9",
+ "x_mitre_deprecated": false,
+ "x_mitre_version": "1.0",
+ "x_mitre_attack_spec_version": "2.1.0",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ },
+ {
+ "type": "relationship",
+ "id": "relationship--321fc522-bc6b-4975-bee4-9098624d1e8c",
+ "created": "2022-05-11T16:22:58.807Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "revoked": false,
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2022-09-26T16:32:18.815Z",
+ "description": "Monitor for network traffic originating from unknown/unexpected devices or addresses. Local network traffic metadata could be used to identify unexpected connections, including unknown/unexpected source MAC addresses connecting to ports associated with operational protocols. Also, network management protocols such as DHCP and ARP may be helpful in identifying unexpected devices. ",
+ "relationship_type": "detects",
+ "source_ref": "x-mitre-data-component--a7f22107-02e5-4982-9067-6625d4a1765a",
+ "target_ref": "attack-pattern--b14395bd-5419-4ef4-9bd8-696936f509bb",
+ "x_mitre_deprecated": false,
+ "x_mitre_version": "1.0",
+ "x_mitre_attack_spec_version": "2.1.0",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ },
+ {
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "type": "relationship",
+ "id": "relationship--3ed98d8c-de30-499e-9a62-eae0207519f4",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "created": "2020-09-21T17:59:24.739Z",
+ "modified": "2022-05-06T17:47:24.092Z",
+ "relationship_type": "mitigates",
+ "description": "Ensure embedded controls and network devices are protected through access management, as these devices often have unknown default accounts which could be used to gain unauthorized access.\n",
+ "source_ref": "course-of-action--3992ce42-43e9-4bea-b8db-a102ec3ec1e3",
+ "target_ref": "attack-pattern--8bb4538f-f16f-49f0-a431-70b5444c7349",
+ "x_mitre_attack_spec_version": "2.1.0",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_version": "1.0"
+ },
+ {
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "type": "relationship",
+ "id": "relationship--2c8dd182-e0a1-469d-aa65-7a1f734d9b46",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "created": "2020-09-21T17:59:24.739Z",
+ "modified": "2022-05-06T17:47:24.071Z",
+ "relationship_type": "mitigates",
+ "description": "Provide an alternative method for sending critical report messages to operators, this could include using radio/cell communication to obtain messages from field technicians that can locally obtain telemetry and status data.\n",
+ "source_ref": "course-of-action--b11cad63-ef30-4eb8-af0d-6cc46eef3f3e",
+ "target_ref": "attack-pattern--3f1f4ccb-9be2-4ff8-8f69-dd972221169b",
+ "x_mitre_attack_spec_version": "2.1.0",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_version": "1.0"
+ },
+ {
+ "type": "relationship",
+ "id": "relationship--868db512-b897-4a54-ae56-ac78f6c93a14",
+ "created": "2022-09-28T20:29:18.027Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "revoked": false,
+ "external_references": [
+ {
+ "source_name": "CISA-AA22-103A",
+ "description": "DHS/CISA. (2022, May 25). Alert (AA22-103A) APT Cyber Tools Targeting ICS/SCADA Devices. Retrieved September 28, 2022.",
+ "url": "https://www.cisa.gov/uscert/ncas/alerts/aa22-103a"
+ },
+ {
+ "source_name": "Wylie-22",
+ "description": "Jimmy Wylie. (2022, August). Analyzing PIPEDREAM: Challenges in Testing an ICS Attack Toolkit. Defcon 30.",
+ "url": "https://media.defcon.org/DEF%20CON%2030/DEF%20CON%2030%20presentations/Jimmy%20Wylie%20-%20Analyzing%20PIPEDREAM%20Challenges%20in%20testing%20an%20ICS%20attack%20toolkit.pdf"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2022-10-13T16:53:47.443Z",
+ "description": "[INCONTROLLER](https://attack.mitre.org/software/S1045) can use a Telnet session to load a malware implant on Omron PLCs.(Citation: CISA-AA22-103A)(Citation: Wylie-22) ",
+ "relationship_type": "uses",
+ "source_ref": "malware--d3aa1058-b1b3-4c29-a3ba-9a9b90ccd93b",
+ "target_ref": "attack-pattern--ead7bd34-186e-4c79-9a4d-b65bcce6ed9d",
+ "x_mitre_deprecated": false,
+ "x_mitre_version": "0.1",
+ "x_mitre_attack_spec_version": "2.1.0",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ },
+ {
+ "type": "relationship",
+ "id": "relationship--c59a3d89-c8fa-4c5d-813e-f4495d892d1a",
+ "created": "2019-03-25T19:13:54.947Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "revoked": false,
+ "external_references": [
+ {
+ "source_name": "Joe Slowik April 2019",
+ "description": "Joe Slowik 2019, April 10 Implications of IT Ransomware for ICS Environments Retrieved. 2019/10/27 ",
+ "url": "https://dragos.com/blog/industry-news/implications-of-it-ransomware-for-ics-environments/"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2022-10-12T18:32:08.109Z",
+ "description": "[WannaCry](https://attack.mitre.org/software/S0366) initially infected IT networks, but by means of an exploit (particularly the SMBv1-targeting MS17-010 vulnerability) spread to industrial networks. (Citation: Joe Slowik April 2019)",
+ "relationship_type": "uses",
+ "source_ref": "malware--75ecdbf1-c2bb-4afc-a3f9-c8da4de8c661",
+ "target_ref": "attack-pattern--85a45294-08f1-4539-bf00-7da08aa7b0ee",
+ "x_mitre_deprecated": false,
+ "x_mitre_version": "1.0",
+ "x_mitre_attack_spec_version": "2.1.0",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ },
+ {
+ "type": "relationship",
+ "id": "relationship--578117b2-0f4b-4d75-a2dc-3ee45976e616",
+ "created": "2020-09-21T17:59:24.739Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "revoked": false,
+ "external_references": [
+ {
+ "source_name": "Department of Homeland Security October 2009",
+ "description": "Department of Homeland Security 2009, October Developing an Industrial Control Systems Cybersecurity Incident Response Capability Retrieved. 2020/09/17 ",
+ "url": "https://us-cert.cisa.gov/sites/default/files/recommended_practices/final-RP_ics_cybersecurity_incident_response_100609.pdf"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2022-10-19T21:22:50.001Z",
+ "description": "Take and store data backups from end user systems and critical servers. Ensure backup and storage systems are hardened and kept separate from the corporate network to prevent compromise. Maintain and exercise incident response plans (Citation: Department of Homeland Security October 2009), including the management of gold-copy back-up images and configurations for key systems to enable quick recovery and response from adversarial activities that impact control, view, or availability.\n",
+ "relationship_type": "mitigates",
+ "source_ref": "course-of-action--ad12819e-3211-4291-b360-069f280cff0a",
+ "target_ref": "attack-pattern--1af9e3fd-2bcc-414d-adbd-fe3b95c02ca1",
+ "x_mitre_deprecated": false,
+ "x_mitre_version": "1.0",
+ "x_mitre_attack_spec_version": "2.1.0",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ },
+ {
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "type": "relationship",
+ "id": "relationship--238f967a-0c29-4aa3-bbb5-3dc593473bbf",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "created": "2020-09-21T17:59:24.739Z",
+ "modified": "2022-05-06T17:47:24.115Z",
+ "relationship_type": "mitigates",
+ "description": "Security applications that look for behavior used during exploitation such as Windows Defender Exploit Guard (WDEG) and the Enhanced Mitigation Experience Toolkit (EMET) can be used to mitigate some exploitation behavior. (Citation: Microsoft Security Response Center August 2017)Control flow integrity checking is another way to potentially identify and stop a software exploit from occurring. (Citation: Wikipedia)Many of these protections depend on the architecture and target application binary for compatibility and may not work for all software or services targeted.\n",
+ "source_ref": "course-of-action--49363b74-d506-4342-bd63-320586ebadb9",
+ "target_ref": "attack-pattern--9f947a1c-3860-48a8-8af0-a2dfa3efde03",
+ "external_references": [
+ {
+ "source_name": "Microsoft Security Response Center August 2017",
+ "description": "Microsoft Security Response Center 2017, August Moving Beyond EMET II Windows Defender Exploit Guard Retrieved. 2020/09/25 ",
+ "url": "https://msrc-blog.microsoft.com/2017/08/09/moving-beyond-emet-ii-windows-defender-exploit-guard/"
+ },
+ {
+ "source_name": "Wikipedia",
+ "description": "Wikipedia Microsoft Security Response Center 2017, August Moving Beyond EMET II Windows Defender Exploit Guard Retrieved. 2020/09/25 Control-flow integrity Retrieved. 2020/09/25 ",
+ "url": "https://en.wikipedia.org/wiki/Control-flow_integrity"
+ }
+ ],
+ "x_mitre_attack_spec_version": "2.1.0",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_version": "1.0"
+ },
+ {
+ "type": "relationship",
+ "id": "relationship--7c329018-b591-42c4-8806-4d02ccd47476",
+ "created": "2022-05-11T16:22:58.805Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "revoked": false,
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2022-10-14T16:55:36.262Z",
+ "description": "Monitor executed commands and arguments for abnormal usage of utilities and command-line arguments that may be used in support of remote transfer of files.",
+ "relationship_type": "detects",
+ "source_ref": "x-mitre-data-component--685f917a-e95e-4ba0-ade1-c7d354dae6e0",
+ "target_ref": "attack-pattern--ead7bd34-186e-4c79-9a4d-b65bcce6ed9d",
+ "x_mitre_deprecated": false,
+ "x_mitre_version": "1.0",
+ "x_mitre_attack_spec_version": "2.1.0",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ },
+ {
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "type": "relationship",
+ "id": "relationship--2b62e4c0-9267-47bd-8f4d-0394b13fb566",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "created": "2020-09-21T17:59:24.739Z",
+ "modified": "2022-05-06T17:47:24.127Z",
+ "relationship_type": "mitigates",
+ "description": "Once an adversary has access to a remote GUI they can abuse system features, such as required HMI functions.\n",
+ "source_ref": "course-of-action--469b78dd-a54d-4f7c-8c3b-4a1dd916b433",
+ "target_ref": "attack-pattern--b0628bfc-5376-4a38-9182-f324501cb4cf",
+ "x_mitre_attack_spec_version": "2.1.0",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_version": "1.0"
+ },
+ {
+ "type": "relationship",
+ "id": "relationship--1dc35f79-0ada-4342-bd13-10d10c1b0335",
+ "created": "2021-04-13T12:28:20.652Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "revoked": false,
+ "external_references": [
+ {
+ "source_name": "Ben Hunter and Fred Gutierrez July 2020",
+ "description": "Ben Hunter and Fred Gutierrez 2020, July 01 EKANS Ransomware Targeting OT ICS Systems Retrieved. 2021/04/12 ",
+ "url": "https://www.fortinet.com/blog/threat-research/ekans-ransomware-targeting-ot-ics-systems"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2022-10-12T17:46:56.223Z",
+ "description": "[EKANS](https://attack.mitre.org/software/S0605) performs a DNS lookup of an internal domain name associated with its target network to identify if it was deployed on the intended system. (Citation: Ben Hunter and Fred Gutierrez July 2020)",
+ "relationship_type": "uses",
+ "source_ref": "malware--00e7d565-9883-4ee5-b642-8fd17fd6a3f5",
+ "target_ref": "attack-pattern--ea0c980c-5cf0-43a7-a049-59c4c207566e",
+ "x_mitre_deprecated": false,
+ "x_mitre_version": "1.0",
+ "x_mitre_attack_spec_version": "2.1.0",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ },
+ {
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "type": "relationship",
+ "id": "relationship--58a0fd57-ea5f-46b0-84ac-c5b963fb7e94",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "created": "2020-09-21T17:59:24.739Z",
+ "modified": "2022-05-06T17:47:24.168Z",
+ "relationship_type": "mitigates",
+ "description": "Use multi-factor authentication wherever possible.\n",
+ "source_ref": "course-of-action--ddf3e568-f065-49e2-9106-42029a28ddbd",
+ "target_ref": "attack-pattern--38213338-1aab-479d-949b-c81b66ccca5c",
+ "x_mitre_attack_spec_version": "2.1.0",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_version": "1.0"
+ },
+ {
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "type": "relationship",
+ "id": "relationship--0e4f272b-d744-4feb-9f3f-c24c3598538f",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "created": "2020-09-21T17:59:24.739Z",
+ "modified": "2022-05-06T17:47:24.202Z",
+ "relationship_type": "mitigates",
+ "description": "Ensure proper registry permissions are in place to inhibit adversaries from disabling or interfering with critical services.\n",
+ "source_ref": "course-of-action--3222a807-521b-4a1a-aa13-f1cda45734b3",
+ "target_ref": "attack-pattern--063b5b92-5361-481a-9c3f-95492ed9a2d8",
+ "x_mitre_attack_spec_version": "2.1.0",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_version": "1.0"
+ },
+ {
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "type": "relationship",
+ "id": "relationship--eeeff03f-7436-4f76-8591-42075e6647d4",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "created": "2020-09-21T17:59:24.739Z",
+ "modified": "2022-05-06T17:47:24.076Z",
+ "relationship_type": "mitigates",
+ "description": "All field controllers should restrict operating mode changes to only required authenticated users (e.g., engineers, field technicians), preferably through implementing a role-based access mechanism. Further, physical mechanisms (e.g., keys) can also be used to limit unauthorized operating mode changes.\n",
+ "source_ref": "course-of-action--e0d38502-decb-481d-ad8b-b8f0a0c330bd",
+ "target_ref": "attack-pattern--2883c520-7957-46ca-89bd-dab1ad53b601",
+ "x_mitre_attack_spec_version": "2.1.0",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_version": "1.0"
+ },
+ {
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "type": "relationship",
+ "id": "relationship--f6ff74c2-d088-4252-a8e0-189574863765",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "created": "2020-09-21T17:59:24.739Z",
+ "modified": "2022-05-06T17:47:24.139Z",
+ "relationship_type": "mitigates",
+ "description": "Communication authenticity will ensure that any messages tampered with through MITM can be detected, but cannot prevent eavesdropping on these. In addition, providing communication authenticity around various discovery protocols, such as DNS, can be used to prevent various MITM procedures.\n",
+ "source_ref": "course-of-action--c7257b6e-4159-4771-b1f3-2bb93adaecac",
+ "target_ref": "attack-pattern--9a505987-ab05-4f46-a9a6-6441442eec3b",
+ "x_mitre_attack_spec_version": "2.1.0",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_version": "1.0"
+ },
+ {
+ "type": "relationship",
+ "id": "relationship--a28ecd81-a7dd-404c-9d7b-ce670b0fc83b",
+ "created": "2022-05-11T16:22:58.804Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "revoked": false,
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2022-10-14T19:50:54.867Z",
+ "description": "On Windows and Unix systems monitor executed commands and arguments that may use shell commands for execution. Shells may be common on administrator, developer, or power user systems depending on job function.\n\nOn network device and embedded system CLIs consider reviewing command history if unauthorized or suspicious commands were used to modify device configuration.",
+ "relationship_type": "detects",
+ "source_ref": "x-mitre-data-component--685f917a-e95e-4ba0-ade1-c7d354dae6e0",
+ "target_ref": "attack-pattern--24a9253e-8948-4c98-b751-8e2aee53127c",
+ "x_mitre_deprecated": false,
+ "x_mitre_version": "1.0",
+ "x_mitre_attack_spec_version": "2.1.0",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ },
+ {
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "type": "relationship",
+ "id": "relationship--220140ac-d927-4d86-9335-c04aa6ee3c61",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "created": "2020-09-21T17:59:24.739Z",
+ "modified": "2022-05-06T17:47:24.126Z",
+ "relationship_type": "mitigates",
+ "description": "Deny direct remote access to internal systems through the use of network proxies, gateways, and firewalls. Consider a jump server or host into the DMZ for greater access control. Leverage this DMZ or corporate resources for vendor access. (Citation: Keith Stouffer May 2015)\n",
+ "source_ref": "course-of-action--1e7ccfc0-94c8-496e-8d27-032120892291",
+ "target_ref": "attack-pattern--8d2f3bab-507c-4424-b58b-edc977bd215c",
+ "external_references": [
+ {
+ "source_name": "Keith Stouffer May 2015",
+ "description": "Keith Stouffer 2015, May Guide to Industrial Control Systems (ICS) Security Retrieved. 2018/03/28 ",
+ "url": "https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-82r2.pdf"
+ }
+ ],
+ "x_mitre_attack_spec_version": "2.1.0",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_version": "1.0"
+ },
+ {
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "type": "relationship",
+ "id": "relationship--ee89466e-0655-4217-844d-fb8ea4f76247",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "created": "2020-09-21T17:59:24.739Z",
+ "modified": "2022-05-06T17:47:24.065Z",
+ "relationship_type": "mitigates",
+ "description": "Filter for protocols and payloads associated with firmware activation or updating activity.\n",
+ "source_ref": "course-of-action--11f242bc-3121-438c-84b2-5cbd46a4bb17",
+ "target_ref": "attack-pattern--19a71d1e-6334-4233-8260-b749cae37953",
+ "x_mitre_attack_spec_version": "2.1.0",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_version": "1.0"
+ },
+ {
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "type": "relationship",
+ "id": "relationship--502a0b7e-048a-468a-b888-e91fde47c6eb",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "created": "2021-04-12T18:59:17.429Z",
+ "modified": "2022-05-06T17:47:24.189Z",
+ "relationship_type": "mitigates",
+ "description": "Segment and control software movement between business and OT environments by way of one directional DMZs. Web access should be restricted from the OT environment. Engineering workstations, including transient cyber assets (TCAs) should have minimal connectivity to external networks, including Internet and email, further limit the extent to which these devices are dual-homed to multiple networks. (Citation: North America Transmission Forum December 2019)\n",
+ "source_ref": "course-of-action--1e7ccfc0-94c8-496e-8d27-032120892291",
+ "target_ref": "attack-pattern--e1f9cdd2-9511-4fca-90d7-f3e92cfdd0bf",
+ "external_references": [
+ {
+ "source_name": "North America Transmission Forum December 2019",
+ "description": "North America Transmission Forum 2019, December NATF Transient Cyber Asset Guidance Retrieved. 2020/09/25 ",
+ "url": "https://www.natf.net/docs/natf/documents/resources/security/natf-transient-cyber-asset-guidance.pdf"
+ }
+ ],
+ "x_mitre_attack_spec_version": "2.1.0",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_version": "1.0"
+ },
+ {
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "type": "relationship",
+ "id": "relationship--8fa6fe89-e704-4be4-a15b-50e188084aa3",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "created": "2020-09-21T17:59:24.739Z",
+ "modified": "2022-05-06T17:47:24.120Z",
+ "relationship_type": "mitigates",
+ "description": "Make it difficult for adversaries to advance their operation through exploitation of undiscovered or unpatched vulnerabilities by using sandboxing. Other types of virtualization and application microsegmentation may also mitigate the impact of some types of exploitation. Risks of additional exploits and weaknesses in these systems may still exist. (Citation: Dan Goodin March 2017)\n",
+ "source_ref": "course-of-action--059ba11e-e3dc-49aa-84ca-88197f40d4ea",
+ "target_ref": "attack-pattern--85a45294-08f1-4539-bf00-7da08aa7b0ee",
+ "external_references": [
+ {
+ "source_name": "Dan Goodin March 2017",
+ "description": "Dan Goodin 2017, March Virtual machine escape fetches $105,000 at Pwn2Own hacking contest Retrieved. 2020/09/25 ",
+ "url": "https://arstechnica.com/information-technology/2017/03/hack-that-escapes-vm-by-exploiting-edge-browser-fetches-105000-at-pwn2own/"
+ }
+ ],
+ "x_mitre_attack_spec_version": "2.1.0",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_version": "1.0"
+ },
+ {
+ "type": "relationship",
+ "id": "relationship--6baa9172-04e4-416d-a009-668cda23fd5d",
+ "created": "2021-10-08T15:25:32.143Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "revoked": false,
+ "external_references": [
+ {
+ "source_name": "Nicolas Falliere, Liam O Murchu, Eric Chien February 2011",
+ "description": "Nicolas Falliere, Liam O Murchu, Eric Chien 2011, February W32.Stuxnet Dossier (Version 1.4) Retrieved. 2017/09/22 ",
+ "url": "https://www.wired.com/images_blogs/threatlevel/2011/02/Symantec-Stuxnet-Update-Feb-2011.pdf"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2022-10-19T17:13:18.889Z",
+ "description": "[Stuxnet](https://attack.mitre.org/software/S0603) will store and execute SQL code that will extract and execute Stuxnet from the saved CAB file using xp_cmdshell with the following command: `set @s = master..xp _ cmdshell extrac32 /y +@t+ +@t+x; exec(@s);` (Citation: Nicolas Falliere, Liam O Murchu, Eric Chien February 2011)",
+ "relationship_type": "uses",
+ "source_ref": "malware--088f1d6e-0783-47c6-9923-9c79b2af43d4",
+ "target_ref": "attack-pattern--24a9253e-8948-4c98-b751-8e2aee53127c",
+ "x_mitre_deprecated": false,
+ "x_mitre_version": "1.0",
+ "x_mitre_attack_spec_version": "2.1.0",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ },
+ {
+ "type": "relationship",
+ "id": "relationship--7d66eae7-0dd4-4d21-ab07-8f7e350a7105",
 "created": "2022-05-11T16:22:58.806Z",
 "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
 "revoked": false,
 "object_marking_refs": [
 "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
 ],
- "modified": "2022-10-14T16:16:37.643Z",
- "description": "Monitor network data for uncommon data flows (e.g., time of day, unusual source/destination address) that may be related to abuse of [Valid Accounts](https://attack.mitre.org/techniques/T0859) to log into a service specifically designed to accept remote connections, such as RDP, Telnet, SSH, and VNC.",
+ "modified": "2022-10-14T16:14:40.227Z",
+ "description": "Monitor executed commands and arguments to services specifically designed to accept remote connections, such as RDP, Telnet, SSH, and VNC. The adversary may then perform these actions using [Valid Accounts](https://attack.mitre.org/techniques/T0859).",
 "relationship_type": "detects",
- "source_ref": "x-mitre-data-component--a7f22107-02e5-4982-9067-6625d4a1765a",
+ "source_ref": "x-mitre-data-component--685f917a-e95e-4ba0-ade1-c7d354dae6e0",
 "target_ref": "attack-pattern--e1f9cdd2-9511-4fca-90d7-f3e92cfdd0bf",
 "x_mitre_deprecated": false,
 "x_mitre_version": "1.0",
@@ -15390,14 +20306,14 @@
 "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
 ],
 "type": "relationship",
- "id": "relationship--5d0a7979-0420-4fd1-b5ad-cb5565cbdf9d",
+ "id": "relationship--91f29477-2ff6-4dbf-bf68-c8825a938851",
 "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "created": "2020-09-21T17:59:24.739Z",
- "modified": "2022-05-06T17:47:24.094Z",
+ "created": "2021-04-13T12:08:26.506Z",
+ "modified": "2022-05-06T17:47:24.119Z",
 "relationship_type": "mitigates",
- "description": "System and process restarts should be performed when a timeout condition occurs.\n",
- "source_ref": "course-of-action--98aa0d61-fc9d-4b2d-8f18-b25d03549f53",
- "target_ref": "attack-pattern--1b22b676-9347-4c55-9a35-ef0dc653db5b",
+ "description": "Update software regularly by employing patch management for internal enterprise endpoints and servers.\n",
+ "source_ref": "course-of-action--97f33c84-8508-45b9-8a1d-cac921828c9e",
+ "target_ref": "attack-pattern--cfe68e93-ce94-4c0f-a57d-3aa72cedd618",
 "x_mitre_attack_spec_version": "2.1.0",
 "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
 "x_mitre_version": "1.0"
@@ -15407,14 +20323,14 @@
 "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
 ],
 "type": "relationship",
- "id": "relationship--c8dd2735-bd04-4413-847d-316b77c6de19",
+ "id": "relationship--46332a77-2fd6-4033-96cf-6163172775ec",
 "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
 "created": "2020-09-21T17:59:24.739Z",
- "modified": "2022-05-06T17:47:24.083Z",
+ "modified": "2022-05-06T17:47:24.164Z",
 "relationship_type": "mitigates",
- "description": "Network allowlists can be implemented through either host-based files or system host files to specify what external connections (e.g., IP address, MAC address, port, protocol) can be made from a device. Allowlist techniques that operate at the application layer (e.g., DNP3, Modbus, HTTP) are addressed in the [Filter Network Traffic](https://attack.mitre.org/mitigations/M0937) mitigation.",
- "source_ref": "course-of-action--aadac250-bcdc-44e3-a4ae-f52bd0a7a16a",
- "target_ref": "attack-pattern--d67adac8-e3b9-44f9-9e6d-6c2a7d69dbe4",
+ "description": "Devices should verify that firmware has been properly signed by the vendor before allowing installation.\n",
+ "source_ref": "course-of-action--71eb7dad-07eb-4bbc-9df0-ac57bf2fba4a",
+ "target_ref": "attack-pattern--efbf7888-f61b-4572-9c80-7e2965c60707",
 "x_mitre_attack_spec_version": "2.1.0",
 "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
 "x_mitre_version": "1.0"
@@ -15424,32 +20340,39 @@
 "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
 ],
 "type": "relationship",
- "id": "relationship--b628d878-4f35-4580-8d42-26984d13821e",
+ "id": "relationship--0491ef92-2941-4841-9fe6-2e1809788b52",
 "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
 "created": "2020-09-21T17:59:24.739Z",
- "modified": "2022-05-06T17:47:24.143Z",
+ "modified": "2022-05-06T17:47:24.210Z",
 "relationship_type": "mitigates",
- "description": "Protocols used for control functions should provide authenticity through MAC functions or digital signatures. If not, utilize bump-in-the-wire devices or VPNs to enforce communication authenticity between devices that are not capable of supporting this (e.g., legacy controllers, RTUs).\n",
- "source_ref": "course-of-action--c7257b6e-4159-4771-b1f3-2bb93adaecac",
- "target_ref": "attack-pattern--1af9e3fd-2bcc-414d-adbd-fe3b95c02ca1",
+ "description": "Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses. Perform periodic integrity checks of the device to validate the correctness of the firmware, software, programs, and configurations. Integrity checks, which typically include cryptographic hashes or digital signatures, should be compared to those obtained at known valid states, especially after events like device reboots, program downloads, or program restarts.\n",
+ "source_ref": "course-of-action--bcf91ebc-f316-4e19-b2f6-444e9940c697",
+ "target_ref": "attack-pattern--5e0f75da-e108-4688-a6de-a4f07cc2cbe3",
 "x_mitre_attack_spec_version": "2.1.0",
 "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
 "x_mitre_version": "1.0"
 },
 {
 "type": "relationship",
- "id": "relationship--880161a4-d6c9-4e5b-a78d-39319cfa43ab",
- "created": "2022-05-11T16:22:58.804Z",
+ "id": "relationship--535c5160-17e0-44eb-9f4b-1a8e216b56a2",
+ "created": "2018-10-17T00:14:20.652Z",
 "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
 "revoked": false,
+ "external_references": [
+ {
+ "source_name": "Spenneberg, Ralf, Maik Brggemann, and Hendrik Schwartke March 2016",
+ "description": "Spenneberg, Ralf, Maik Brggemann, and Hendrik Schwartke 2016, March 31 Plc-blaster: A worm living solely in the plc. Retrieved. 2017/09/19 ",
+ "url": "https://www.blackhat.com/docs/asia-16/materials/asia-16-Spenneberg-PLC-Blaster-A-Worm-Living-Solely-In-The-PLC-wp.pdf"
+ }
+ ],
 "object_marking_refs": [
 "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
 ],
- "modified": "2022-09-26T16:10:18.233Z",
- "description": "Some asset application logs may provide information on I/O points related to write commands. Monitor for write commands for an excessive number of I/O points or manipulating a single value an excessive number of times.",
- "relationship_type": "detects",
- "source_ref": "x-mitre-data-component--9c2fa0ae-7abc-485a-97f6-699e3b6cf9fa",
- "target_ref": "attack-pattern--8e7089d3-fba2-44f8-94a8-9a79c53920c4",
+ "modified": "2022-10-12T18:01:00.053Z",
+ "description": "The execution on the PLC can be stopped by violating the cycle time limit. The [PLC-Blaster](https://attack.mitre.org/software/S1006) implements an endless loop triggering an error condition within the PLC with the impact of a DoS. (Citation: Spenneberg, Ralf, Maik Brggemann, and Hendrik Schwartke March 2016)",
+ "relationship_type": "uses",
+ "source_ref": "malware--4dcff507-5af8-47ce-964a-8d9569e9ccfe",
+ "target_ref": "attack-pattern--1b22b676-9347-4c55-9a35-ef0dc653db5b",
 "x_mitre_deprecated": false,
 "x_mitre_version": "1.0",
 "x_mitre_attack_spec_version": "2.1.0",
@@ -15460,14 +20383,14 @@
 "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
 ],
 "type": "relationship",
- "id": "relationship--a847aa03-ea56-47d1-8f4e-f9e0dd9707a0",
+ "id": "relationship--671043a9-337f-411a-9ca9-3112e897ab09",
 "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
 "created": "2020-09-21T17:59:24.739Z",
- "modified": "2022-05-06T17:47:24.125Z",
+ "modified": "2022-05-06T17:47:24.184Z",
 "relationship_type": "mitigates",
- "description": "Consider removal of remote services which are not regularly in use, or only enabling them when required (e.g., vendor remote access). Ensure all external remote access point (e.g., jump boxes, VPN concentrator) are configured with least functionality, especially the removal of unnecessary services. (Citation: Department of Homeland Security September 2016)\n",
- "source_ref": "course-of-action--d0909119-2f71-4923-87db-b649881672d7",
- "target_ref": "attack-pattern--8d2f3bab-507c-4424-b58b-edc977bd215c",
+ "description": "Segment operational network and systems to restrict access to critical system functions to predetermined management systems. (Citation: Department of Homeland Security September 2016)\n",
+ "source_ref": "course-of-action--1e7ccfc0-94c8-496e-8d27-032120892291",
+ "target_ref": "attack-pattern--3067b85e-271e-4bc5-81ad-ab1a81d411e3",
 "external_references": [
 {
 "source_name": "Department of Homeland Security September 2016",
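Review bot: In the added PLC-Blaster relationship (`relationship--535c5160-17e0-44eb-9f4b-1a8e216b56a2`, hunk `@@ -15424,32 +20340,39 @@`) the reference's `source_name`, its `description` and the `(Citation: …)` marker in the relationship description all spell the second author `Brggemann`; the `ü` of Brüggemann appears to have been dropped by a step in the export that is not UTF-8 safe. The three strings still agree with each other, so the citation resolves, but the author can no longer be searched or matched against the Black Hat paper by name. I would restore the character in all three places together, e.g. `"source_name": "Spenneberg, Ralf, Maik Brüggemann, and Hendrik Schwartke March 2016"`, and check whether other objects that cite the same reference (outside this hunk) need the same change so the key stays identical across the bundle.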
@@ -15481,21 +20404,66 @@
 },
 {
 "type": "relationship",
- "id": "relationship--8af89a9b-3e95-45f4-a51d-223b1c82db9c",
- "created": "2022-09-26T16:50:56.298Z",
+ "id": "relationship--e02565fe-65ff-4b70-8a8d-b0abf6d9a9f4",
+ "created": "2022-05-11T16:22:58.805Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
 "revoked": false,
 "object_marking_refs": [
 "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
 ],
- "modified": "2022-09-26T16:50:56.298Z",
- "description": "Monitor for a loss of network communications, which may indicate a device has been shutdown or restarted. This will not directly detect the technique’s execution, but instead may provide additional evidence that the technique has been used and may complement other detections.",
+ "modified": "2022-10-14T19:45:37.289Z",
+ "description": "Monitor authentication logs and analyze for unusual access patterns, windows of activity, and access outside of normal business hours, including use of [Valid Accounts](https://attack.mitre.org/techniques/T0859).",
 "relationship_type": "detects",
- "source_ref": "x-mitre-data-component--a7f22107-02e5-4982-9067-6625d4a1765a",
- "target_ref": "attack-pattern--25dfc8ad-bd73-4dfd-84a9-3c3d383f76e9",
+ "source_ref": "x-mitre-data-component--39b9db72-8b48-4595-a18d-db5bbba3091b",
+ "target_ref": "attack-pattern--8d2f3bab-507c-4424-b58b-edc977bd215c",
 "x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
+ "x_mitre_version": "1.0",
 "x_mitre_attack_spec_version": "2.1.0",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ },
+ {
+ "type": "relationship",
+ "id": "relationship--2d65925e-f437-4557-bd8b-4c0d14ffd0b0",
+ "created": "2022-05-11T16:22:58.803Z",
 "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "revoked": false,
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2022-09-26T15:02:57.267Z",
+ "description": "Monitor for the termination of processes or services associated with ICS automation protocols and application software which could help detect blocked communications.",
+ "relationship_type": "detects",
+ "source_ref": "x-mitre-data-component--61f1d40e-f3d0-4cc6-aa2d-937b6204194f",
+ "target_ref": "attack-pattern--008b8f56-6107-48be-aa9f-746f927dbb61",
+ "x_mitre_deprecated": false,
+ "x_mitre_version": "1.0",
+ "x_mitre_attack_spec_version": "2.1.0",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ },
+ {
+ "type": "relationship",
+ "id": "relationship--bcece7ce-91b5-40b3-b87a-25cab3600e5c",
+ "created": "2017-12-14T16:46:06.044Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "revoked": false,
+ "external_references": [
+ {
+ "source_name": "Nicolas Falliere, Liam O Murchu, Eric Chien February 2011",
+ "description": "Nicolas Falliere, Liam O Murchu, Eric Chien 2011, February W32.Stuxnet Dossier (Version 1.4) Retrieved. 2017/09/22 ",
+ "url": "https://www.wired.com/images_blogs/threatlevel/2011/02/Symantec-Stuxnet-Update-Feb-2011.pdf"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2022-09-20T21:16:10.677Z",
+ "description": "[Stuxnet](https://attack.mitre.org/software/S0603) attempts to contact command and control servers on port 80 to send basic information about the computer it has compromised. (Citation: Nicolas Falliere, Liam O Murchu, Eric Chien February 2011)",
+ "relationship_type": "uses",
+ "source_ref": "malware--088f1d6e-0783-47c6-9923-9c79b2af43d4",
+ "target_ref": "attack-pattern--e6c31185-8040-4267-83d3-b217b8a92f07",
+ "x_mitre_deprecated": false,
+ "x_mitre_version": "1.0",
+ "x_mitre_attack_spec_version": "2.1.0",
 "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
 },
 {
@@ -15503,18 +20471,101 @@ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", - "id": "relationship--63323b12-86db-4b91-a701-90daf3f98f7c", + "id": "relationship--e767c178-e4b2-490a-b544-bb1b2d6c7de4", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.122Z", + "modified": "2022-05-06T17:47:24.109Z", "relationship_type": "mitigates", - "description": "Segment networks and systems appropriately to reduce access to critical system and services communications.\n", - "source_ref": "course-of-action--1e7ccfc0-94c8-496e-8d27-032120892291", - "target_ref": "attack-pattern--85a45294-08f1-4539-bf00-7da08aa7b0ee", + "description": "Application isolation will limit the other processes and system features an exploited target can access. Examples of built in features are software restriction policies, AppLocker for Windows, and SELinux or AppArmor for Linux.\n", + "source_ref": "course-of-action--059ba11e-e3dc-49aa-84ca-88197f40d4ea", + "target_ref": "attack-pattern--32632a95-6856-47b9-9ab7-fea5cd7dce00", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0" }, + { + "type": "relationship", + "id": "relationship--6902da63-3b59-46f3-99e0-6008dd47ab70", + "created": "2022-09-27T15:33:16.221Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-14T16:38:13.560Z", + "description": "Monitor executed commands and arguments related to services specifically designed to accept remote graphical connections, such as RDP and VNC. 
[Remote Services](https://attack.mitre.org/techniques/T0886) and [Valid Accounts](https://attack.mitre.org/techniques/T0859) may be used to access a host’s GUI.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--685f917a-e95e-4ba0-ade1-c7d354dae6e0", + "target_ref": "attack-pattern--b0628bfc-5376-4a38-9182-f324501cb4cf", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--8dab113a-a713-499b-ba1e-9c2cbeffb3c8", + "created": "2022-05-11T16:22:58.804Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-09-26T16:52:31.059Z", + "description": "Device restarts and shutdowns may be observable in device application logs. Monitor for unexpected device restarts or shutdowns.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--9c2fa0ae-7abc-485a-97f6-699e3b6cf9fa", + "target_ref": "attack-pattern--25dfc8ad-bd73-4dfd-84a9-3c3d383f76e9", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--dda89758-9d0b-446d-b594-85acc7f9cb90", + "created": "2020-09-21T17:59:24.739Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Department of Homeland Security October 2009", + "description": "Department of Homeland Security 2009, October Developing an Industrial Control Systems Cybersecurity Incident Response Capability Retrieved. 
2020/09/17 ", + "url": "https://us-cert.cisa.gov/sites/default/files/recommended_practices/final-RP_ics_cybersecurity_incident_response_100609.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-19T21:23:40.524Z", + "description": "Take and store data backups from end user systems and critical servers. Ensure backup and storage systems are hardened and kept separate from the corporate network to prevent compromise. Maintain and exercise incident response plans (Citation: Department of Homeland Security October 2009), including the management of gold-copy back-up images and configurations for key systems to enable quick recovery and response from adversarial activities that impact control, view, or availability.\n", + "relationship_type": "mitigates", + "source_ref": "course-of-action--ad12819e-3211-4291-b360-069f280cff0a", + "target_ref": "attack-pattern--63b6942d-8359-4506-bfb3-cf87aa8120ee", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--636baf5a-1a1c-476b-bc54-fb27b27b58a2", + "created": "2022-05-11T16:22:58.806Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-09-27T16:53:22.510Z", + "description": "Monitor for file names that are mismatched between the file name on disk and that of the binary's metadata. This is a likely indicator that a binary was renamed after it was compiled. 
For added context on adversary procedures and background see [Masquerading](https://attack.mitre.org/techniques/T1036) and applicable sub-techniques.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--ee575f4a-2d4f-48f6-b18b-89067760adc1", + "target_ref": "attack-pattern--ba203963-3182-41ac-af14-7e7ebc83cd61", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" 
@@ -15578,37 +20629,18 @@ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", - "id": "relationship--bde941c6-2ca0-4f94-9336-027e7eee15a1", + "id": "relationship--63323b12-86db-4b91-a701-90daf3f98f7c", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.082Z", + "modified": "2022-05-06T17:47:24.122Z", "relationship_type": "mitigates", - "description": "Configure internal and external firewalls to block traffic using common ports that associate to network protocols that may be unnecessary for that particular network segment.\n", + "description": "Segment networks and systems appropriately to reduce access to critical system and services communications.\n", "source_ref": "course-of-action--1e7ccfc0-94c8-496e-8d27-032120892291", - "target_ref": "attack-pattern--e6c31185-8040-4267-83d3-b217b8a92f07", + "target_ref": "attack-pattern--85a45294-08f1-4539-bf00-7da08aa7b0ee", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0" }, - { - "type": "relationship", - "id": "relationship--fd0340cc-6105-4abd-89d0-60b0d9c00b55", - "created": "2022-09-27T18:41:43.617Z", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-09-27T18:41:43.617Z", - "description": "Collecting information from the I/O image requires analyzing the application program running on the PLC for specific data block reads. 
Detecting this requires obtaining and analyzing a PLC’s application program, either directly from the device or from asset management platforms.", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--8ed4e6d0-56d7-4e6b-8fa6-41f41631f30d", - "target_ref": "attack-pattern--53a48c74-0025-45f4-b04a-baa853df8204", - "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "2.1.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, { "type": "relationship", "id": "relationship--d90b1271-a90d-41c7-9df7-bec47880c82e", 
@@ -15650,18 +20682,37 @@ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", - "id": "relationship--35cf6922-d48f-42ea-b7f5-f0258892bd52", + "id": "relationship--bde941c6-2ca0-4f94-9336-027e7eee15a1", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.142Z", + "modified": "2022-05-06T17:47:24.082Z", "relationship_type": "mitigates", - "description": "Network segmentation can be used to isolate infrastructure components that do not require broad network access. This may mitigate, or at least alleviate, the scope of MiTM activity.\n", + "description": "Configure internal and external firewalls to block traffic using common ports that associate to network protocols that may be unnecessary for that particular network segment.\n", "source_ref": "course-of-action--1e7ccfc0-94c8-496e-8d27-032120892291", - "target_ref": "attack-pattern--9a505987-ab05-4f46-a9a6-6441442eec3b", + "target_ref": "attack-pattern--e6c31185-8040-4267-83d3-b217b8a92f07", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0" }, + { + "type": "relationship", + "id": "relationship--fd0340cc-6105-4abd-89d0-60b0d9c00b55", + "created": "2022-09-27T18:41:43.617Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-09-27T18:41:43.617Z", + "description": "Collecting information from the I/O image requires analyzing the application program running on the PLC for specific data block reads. 
Detecting this requires obtaining and analyzing a PLC’s application program, either directly from the device or from asset management platforms.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--8ed4e6d0-56d7-4e6b-8fa6-41f41631f30d", + "target_ref": "attack-pattern--53a48c74-0025-45f4-b04a-baa853df8204", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "2.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, { "type": "relationship", "id": "relationship--e09f3308-57d7-4b2b-b340-784b88ae61ca", 
@@ -15682,70 +20733,21 @@ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { - "type": "relationship", - "id": "relationship--9ad74496-e164-4068-a0f5-379f507ba864", - "created": "2022-05-11T16:22:58.808Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2022-10-14T16:47:23.576Z", - "description": "Monitor for logon behavior that may abuse credentials of existing accounts as a means of gaining Lateral Movement or Persistence. Correlate other security systems with login information (e.g., a user has an active login session but has not entered the building or does not have VPN access). ", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--9ce98c86-8d30-4043-ba54-0784d478d0b5", - "target_ref": "attack-pattern--cd2c76a4-5e23-4ca5-9c40-d5e0604f7101", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", + "type": "relationship", + "id": "relationship--35cf6922-d48f-42ea-b7f5-f0258892bd52", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.142Z", + "relationship_type": "mitigates", + "description": "Network segmentation can be used to isolate infrastructure components that do not require broad network access. 
This may mitigate, or at least alleviate, the scope of MiTM activity.\n", + "source_ref": "course-of-action--1e7ccfc0-94c8-496e-8d27-032120892291", + "target_ref": "attack-pattern--9a505987-ab05-4f46-a9a6-6441442eec3b", "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "relationship--d4968f45-d06b-4843-8f72-6e08beb94cab", - "type": "relationship", - "created": "2017-05-31T21:33:27.070Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "external_references": [ - { - "source_name": "Symantec Dragonfly", - "description": "Symantec Security Response. (2014, June 30). Dragonfly: Cyberespionage Attacks Against Energy Suppliers. Retrieved April 8, 2016.", - "url": "https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=7382dce7-0260-4782-84cc-890971ed3f17&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments" - }, - { - "source_name": "Gigamon Berserk Bear October 2021", - "url": "https://vblocalhost.com/uploads/VB2021-Slowik.pdf", - "description": "Slowik, J. (2021, October). THE BAFFLING BERSERK BEAR: A DECADE’S ACTIVITY TARGETING CRITICAL INFRASTRUCTURE. Retrieved December 6, 2021." 
- } - ], - "modified": "2021-12-07T18:39:07.922Z", - "description": "(Citation: Symantec Dragonfly)(Citation: Gigamon Berserk Bear October 2021)", - "relationship_type": "uses", - "source_ref": "intrusion-set--1c63d4ec-0a75-4daa-b1df-0d11af3d3cc1", - "target_ref": "malware--083bb47b-02c8-4423-81a2-f9ef58572974", - "x_mitre_version": "1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "type": "relationship", - "id": "relationship--8334b3ab-f17f-460e-b627-ad85fc9c2409", - "created": "2022-05-11T16:22:58.805Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-09-27T16:42:35.018Z", - "description": "Monitor Windows registry keys that may be deleted or alter generated artifacts on a host system, including logs or captured files such as quarantined malware. For added context on adversary procedures and background see [Indicator Removal](https://attack.mitre.org/techniques/T1070) and applicable sub-techniques.", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--1177a4c5-31c8-400c-8544-9071166afa0e", - "target_ref": "attack-pattern--53a26eee-1080-4d17-9762-2027d5a1b805", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" }, { "object_marking_refs": [ 
@@ -15792,32 +20794,39 @@ }, { "type": "relationship", - "id": "relationship--6681bc38-0b55-4714-b690-c609956b40bf", - "created": "2022-09-28T20:27:33.506Z", + "id": "relationship--9ad74496-e164-4068-a0f5-379f507ba864", + "created": "2022-05-11T16:22:58.808Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, - "external_references": [ - { - "source_name": "CISA-AA22-103A", - "description": "DHS/CISA. (2022, May 25). Alert (AA22-103A) APT Cyber Tools Targeting ICS/SCADA Devices. Retrieved September 28, 2022.", - "url": "https://www.cisa.gov/uscert/ncas/alerts/aa22-103a" - }, - { - "source_name": "Wylie-22", - "description": "Jimmy Wylie. (2022, August). Analyzing PIPEDREAM: Challenges in Testing an ICS Attack Toolkit. Defcon 30.", - "url": "https://media.defcon.org/DEF%20CON%2030/DEF%20CON%2030%20presentations/Jimmy%20Wylie%20-%20Analyzing%20PIPEDREAM%20Challenges%20in%20testing%20an%20ICS%20attack%20toolkit.pdf" - } - ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2022-10-13T16:53:47.438Z", - "description": "[INCONTROLLER](https://attack.mitre.org/software/S1045) can brute force password-based authentication to Schneider PLCs over the CODESYS protocol (UDP port 1740).(Citation: CISA-AA22-103A)\n\n [INCONTROLLER](https://attack.mitre.org/software/S1045) can perform brute force guessing of passwords to OPC UA servers using a predefined list of passwords.(Citation: CISA-AA22-103A)(Citation: Wylie-22) ", - "relationship_type": "uses", - "source_ref": "malware--d3aa1058-b1b3-4c29-a3ba-9a9b90ccd93b", + "modified": "2022-10-14T16:47:23.576Z", + "description": "Monitor for logon behavior that may abuse credentials of existing accounts as a means of gaining Lateral Movement or Persistence. Correlate other security systems with login information (e.g., a user has an active login session but has not entered the building or does not have VPN access). 
", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--9ce98c86-8d30-4043-ba54-0784d478d0b5", "target_ref": "attack-pattern--cd2c76a4-5e23-4ca5-9c40-d5e0604f7101", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--8334b3ab-f17f-460e-b627-ad85fc9c2409", + "created": "2022-05-11T16:22:58.805Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-09-27T16:42:35.018Z", + "description": "Monitor Windows registry keys that may be deleted or alter generated artifacts on a host system, including logs or captured files such as quarantined malware. For added context on adversary procedures and background see [Indicator Removal](https://attack.mitre.org/techniques/T1070) and applicable sub-techniques.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--1177a4c5-31c8-400c-8544-9071166afa0e", + "target_ref": "attack-pattern--53a26eee-1080-4d17-9762-2027d5a1b805", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, 
@@ -15826,179 +20835,198 @@ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", - "id": "relationship--520aad6a-2483-45bc-a172-2417137f6ca0", + "id": "relationship--808c57e7-72ef-4860-b9ea-8ea072e2385a", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.098Z", + "relationship_type": "mitigates", + "description": "Protocols used for control functions should provide authenticity through MAC functions or digital signatures. If not, utilize bump-in-the-wire devices or VPNs to enforce communication authenticity between devices that are not capable of supporting this (e.g., legacy controllers, RTUs).\n", + "source_ref": "course-of-action--c7257b6e-4159-4771-b1f3-2bb93adaecac", + "target_ref": "attack-pattern--2aa406ed-81c3-4c1d-ba83-cfbee5a2847a", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--d4968f45-d06b-4843-8f72-6e08beb94cab", + "type": "relationship", + "created": "2017-05-31T21:33:27.070Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "Symantec Dragonfly", + "description": "Symantec Security Response. (2014, June 30). Dragonfly: Cyberespionage Attacks Against Energy Suppliers. Retrieved April 8, 2016.", + "url": "https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=7382dce7-0260-4782-84cc-890971ed3f17&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments" + }, + { + "source_name": "Gigamon Berserk Bear October 2021", + "url": "https://vblocalhost.com/uploads/VB2021-Slowik.pdf", + "description": "Slowik, J. (2021, October). 
THE BAFFLING BERSERK BEAR: A DECADE’S ACTIVITY TARGETING CRITICAL INFRASTRUCTURE. Retrieved December 6, 2021." + } + ], + "modified": "2021-12-07T18:39:07.922Z", + "description": "(Citation: Symantec Dragonfly)(Citation: Gigamon Berserk Bear October 2021)", + "relationship_type": "uses", + "source_ref": "intrusion-set--1c63d4ec-0a75-4daa-b1df-0d11af3d3cc1", + "target_ref": "malware--083bb47b-02c8-4423-81a2-f9ef58572974", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--949b498c-ca3f-4704-90bd-a22a4d34067f", + "created": "2022-05-11T16:22:58.803Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-09-26T15:37:55.042Z", + "description": "Monitor for loss of operational process data which could indicate alarms are being suppressed. This will not directly detect the technique’s execution, but instead may provide additional evidence that the technique has been used and may complement other detections.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--931b3fc6-ad68-42a8-9018-e98515eedc95", + "target_ref": "attack-pattern--2900bbd8-308a-4274-b074-5b8bde8347bc", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--f8318ac4-8ed0-478d-be87-faa2c9d8a740", + "created": "2018-10-17T00:14:20.652Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Eduard Kovacs May 2018", + "description": "Eduard Kovacs 2018, May 21 Group linked to Shamoon attacks targeting ICS networks in Middle East and UK Retrieved. 
2020/01/03 ", + "url": "https://www.cyberviser.com/2018/05/group-linked-to-shamoon-attacks-targeting-ics-networks-in-middle-east-and-uk/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-12T16:33:11.305Z", + "description": "[OilRig](https://attack.mitre.org/groups/G0049) has been seen utilizing watering hole attacks to collect credentials which could be used to gain access into ICS networks. (Citation: Eduard Kovacs May 2018)", + "relationship_type": "uses", + "source_ref": "intrusion-set--4ca1929c-7d64-4aab-b849-badbfc0c760d", + "target_ref": "attack-pattern--7830cfcf-b268-4ac0-a69e-73c6affbae9a", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--afb0b60e-e604-4b96-abb9-57fdce4e5108", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.133Z", + "relationship_type": "mitigates", + "description": "Hot-standbys in diverse locations can ensure continued operations if the primarily system is compromised or unavailable. At the network layer, protocols such as the Parallel Redundancy Protocol can be used to simultaneously use redundant and diverse communication over a local network. (Citation: M. Rentschler and H. Heine)\n", + "source_ref": "course-of-action--f0f5c87a-a58d-440a-b3b5-ca679d98c6dd", + "target_ref": "attack-pattern--b5b9bacb-97f2-4249-b804-47fd44de1f95", + "external_references": [ + { + "source_name": "M. Rentschler and H. Heine", + "description": "M. Rentschler and H. Heine The Parallel Redundancy Protocol for industrial IP networks Retrieved. 
2020/09/25 ", + "url": "https://ieeexplore.ieee.org/document/6505877" + } + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--5d0a7979-0420-4fd1-b5ad-cb5565cbdf9d", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.094Z", + "relationship_type": "mitigates", + "description": "System and process restarts should be performed when a timeout condition occurs.\n", + "source_ref": "course-of-action--98aa0d61-fc9d-4b2d-8f18-b25d03549f53", + "target_ref": "attack-pattern--1b22b676-9347-4c55-9a35-ef0dc653db5b", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--b628d878-4f35-4580-8d42-26984d13821e", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2020-09-21T17:59:24.739Z", "modified": "2022-05-06T17:47:24.143Z", "relationship_type": "mitigates", - "description": "Utilize out-of-band communication to validate the integrity of data from the primary channel.\n", - "source_ref": "course-of-action--b11cad63-ef30-4eb8-af0d-6cc46eef3f3e", + "description": "Protocols used for control functions should provide authenticity through MAC functions or digital signatures. 
If not, utilize bump-in-the-wire devices or VPNs to enforce communication authenticity between devices that are not capable of supporting this (e.g., legacy controllers, RTUs).\n", + "source_ref": "course-of-action--c7257b6e-4159-4771-b1f3-2bb93adaecac", "target_ref": "attack-pattern--1af9e3fd-2bcc-414d-adbd-fe3b95c02ca1", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0" }, - { - "type": "relationship", - "id": "relationship--7e87ce08-a428-4e55-876e-80d2760121a5", - "created": "2022-05-11T16:22:58.803Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-10-14T19:37:35.099Z", - "description": "Monitor executed commands and arguments for actions that could be taken to collect internal data.", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--685f917a-e95e-4ba0-ade1-c7d354dae6e0", - "target_ref": "attack-pattern--3de230d4-3e42-4041-b089-17e1128feded", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "type": "relationship", - "id": "relationship--0eb112f6-c1cb-4843-93f5-f668aa0e9bd8", - "created": "2018-04-18T17:59:24.739Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "external_references": [ - { - "source_name": "Dragos", - "description": "Dragos Allanite Retrieved. 2019/10/27 ", - "url": "https://dragos.com/resource/allanite/" - } - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-10-12T15:40:08.649Z", - "description": "[ALLANITE](https://attack.mitre.org/groups/G1000) utilized credentials collected through phishing and watering hole attacks. 
(Citation: Dragos)", - "relationship_type": "uses", - "source_ref": "intrusion-set--190242d7-73fc-4738-af68-20162f7a5aae", - "target_ref": "attack-pattern--cd2c76a4-5e23-4ca5-9c40-d5e0604f7101", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "type": "relationship", - "id": "relationship--8baa4d55-c235-44da-b6fe-8866cf7f9915", - "created": "2022-05-11T16:22:58.803Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-09-26T15:08:06.789Z", - "description": "Monitor application logs for changes to settings and other events associated with network protocols that may be used to block communications.", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--9c2fa0ae-7abc-485a-97f6-699e3b6cf9fa", - "target_ref": "attack-pattern--3f1f4ccb-9be2-4ff8-8f69-dd972221169b", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", - "id": "relationship--7dedeb73-ef90-4282-a635-cc37326773af", + "id": "relationship--c8dd2735-bd04-4413-847d-316b77c6de19", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2020-09-21T17:59:24.739Z", "modified": "2022-05-06T17:47:24.083Z", "relationship_type": "mitigates", - "description": "Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate activity at the network level. 
Signatures are often for unique indicators within protocols and may be based on the specific protocol used by a particular adversary or tool and will likely be different across various malware families and versions. Adversaries will likely change tool C2 signatures over time or construct protocols in such a way as to avoid detection by common defensive tools. (Citation: Gardiner, J., Cova, M., Nagaraja, S February 2014)\n", - "source_ref": "course-of-action--3172222b-4983-43f7-8983-753ded4f13bc", - "target_ref": "attack-pattern--e6c31185-8040-4267-83d3-b217b8a92f07", - "external_references": [ - { - "source_name": "Gardiner, J., Cova, M., Nagaraja, S February 2014", - "description": "Gardiner, J., Cova, M., Nagaraja, S 2014, February Command & Control Understanding, Denying and Detecting Retrieved. 2016/04/20 ", - "url": "https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf" - } - ], - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "relationship", - "id": "relationship--f951d934-d555-45e9-a564-27b84518cae4", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.070Z", - "relationship_type": "mitigates", - "description": "Unauthorized connections can be prevented by statically defining the hosts and ports used for automation protocol connections.\n", - "source_ref": "course-of-action--52c7a1a9-3a78-4528-a44f-cd7b0fa3541a", - "target_ref": "attack-pattern--008b8f56-6107-48be-aa9f-746f927dbb61", + "description": "Network allowlists can be implemented through either host-based files or system host files to specify what external connections (e.g., IP address, MAC address, port, protocol) can be made from a device. 
Allowlist techniques that operate at the application layer (e.g., DNP3, Modbus, HTTP) are addressed in the [Filter Network Traffic](https://attack.mitre.org/mitigations/M0937) mitigation.", + "source_ref": "course-of-action--aadac250-bcdc-44e3-a4ae-f52bd0a7a16a", + "target_ref": "attack-pattern--d67adac8-e3b9-44f9-9e6d-6c2a7d69dbe4", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0" }, { "type": "relationship", - "id": "relationship--a1cbbdb5-30ad-4139-9784-e5a134f8d405", - "created": "2018-10-17T00:14:20.652Z", + "id": "relationship--31203165-79d0-42e5-81f1-62150dea2c43", + "created": "2022-05-11T16:22:58.806Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, - "external_references": [ - { - "source_name": "Dragos Inc. June 2017", - "description": "Dragos Inc. 2017, June 13 Industroyer - Dragos - 201706: Analysis of the Threat to Electic Grid Operations Retrieved. 2017/09/18 ", - "url": "https://dragos.com/blog/crashoverride/CrashOverride-01.pdf" - } - ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2022-09-23T18:55:26.032Z", - "description": "[Industroyer](https://attack.mitre.org/software/S0604) has a destructive wiper that overwrites all ICS configuration files across the hard drives and all mapped network drives specifically targeting ABB PCM600 configuration files. (Citation: Dragos Inc. 
June 2017)", - "relationship_type": "uses", - "source_ref": "malware--e401d4fe-f0c9-44f0-98e6-f93487678808", - "target_ref": "attack-pattern--493832d9-cea6-4b63-abe7-9a65a6473675", + "modified": "2022-10-14T16:16:37.643Z", + "description": "Monitor network data for uncommon data flows (e.g., time of day, unusual source/destination address) that may be related to abuse of [Valid Accounts](https://attack.mitre.org/techniques/T0859) to log into a service specifically designed to accept remote connections, such as RDP, Telnet, SSH, and VNC.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--a7f22107-02e5-4982-9067-6625d4a1765a", + "target_ref": "attack-pattern--e1f9cdd2-9511-4fca-90d7-f3e92cfdd0bf", "x_mitre_deprecated": false, "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], "type": "relationship", - "id": "relationship--5d33de22-35b0-47fa-bc63-f984522340b7", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.068Z", - "relationship_type": "mitigates", - "description": "Unauthorized connections can be prevented by statically defining the hosts and ports used for automation protocol connections.\n", - "source_ref": "course-of-action--52c7a1a9-3a78-4528-a44f-cd7b0fa3541a", - "target_ref": "attack-pattern--2900bbd8-308a-4274-b074-5b8bde8347bc", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - "type": "relationship", - "id": "relationship--94c903f4-a6c1-40c4-9e9b-0896a5d43b7e", - "created": "2022-09-27T15:48:55.986Z", + "id": "relationship--8af89a9b-3e95-45f4-a51d-223b1c82db9c", + "created": "2022-09-26T16:50:56.298Z", "revoked": false, "object_marking_refs": 
[ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2022-09-27T15:48:55.986Z", - "description": "Monitor device alarms that indicate controller task parameters have changed, although not all devices produce such alarms.\n \n[Program Download](https://attack.mitre.org/techniques/T0843) may be used to enable this technique. Monitor for program downloads which may be noticeable via operational alarms. Asset management systems should be consulted to understand expected program versions.", + "modified": "2022-09-26T16:50:56.298Z", + "description": "Monitor for a loss of network communications, which may indicate a device has been shutdown or restarted. This will not directly detect the technique’s execution, but instead may provide additional evidence that the technique has been used and may complement other detections.", "relationship_type": "detects", - "source_ref": "x-mitre-data-component--9d56be63-3501-4dd3-bb5f-63c580833298", - "target_ref": "attack-pattern--09a61657-46e1-439e-b3ed-3e4556a78243", + "source_ref": "x-mitre-data-component--a7f22107-02e5-4982-9067-6625d4a1765a", + "target_ref": "attack-pattern--25dfc8ad-bd73-4dfd-84a9-3c3d383f76e9", "x_mitre_deprecated": false, "x_mitre_version": "0.1", "x_mitre_attack_spec_version": "2.1.0", 
@@ -16007,30 +21035,47 @@ }, { "type": "relationship", - "id": "relationship--fc4803cb-d6bf-4674-bf40-d4b0997824ba", - "created": "2018-04-18T17:59:24.739Z", + "id": "relationship--880161a4-d6c9-4e5b-a78d-39319cfa43ab", + "created": "2022-05-11T16:22:58.804Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, - "external_references": [ - { - "source_name": "Eduard Kovacs May 2018", - "description": "Eduard Kovacs 2018, May 10 'Allanite' Group Targets ICS Networks at Electric Utilities in US, UK Retrieved. 2020/01/03 ", - "url": "https://www.securityweek.com/allanite-group-targets-ics-networks-electric-utilities-us-uk" - } - ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2022-10-12T15:40:42.440Z", - "description": "[ALLANITE](https://attack.mitre.org/groups/G1000) leverages watering hole attacks to gain access into electric utilities. (Citation: Eduard Kovacs May 2018)", - "relationship_type": "uses", - "source_ref": "intrusion-set--190242d7-73fc-4738-af68-20162f7a5aae", - "target_ref": "attack-pattern--7830cfcf-b268-4ac0-a69e-73c6affbae9a", + "modified": "2022-09-26T16:10:18.233Z", + "description": "Some asset application logs may provide information on I/O points related to write commands. 
Monitor for write commands for an excessive number of I/O points or manipulating a single value an excessive number of times.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--9c2fa0ae-7abc-485a-97f6-699e3b6cf9fa", + "target_ref": "attack-pattern--8e7089d3-fba2-44f8-94a8-9a79c53920c4", "x_mitre_deprecated": false, "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--a847aa03-ea56-47d1-8f4e-f9e0dd9707a0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.125Z", + "relationship_type": "mitigates", + "description": "Consider removal of remote services which are not regularly in use, or only enabling them when required (e.g., vendor remote access). Ensure all external remote access point (e.g., jump boxes, VPN concentrator) are configured with least functionality, especially the removal of unnecessary services. (Citation: Department of Homeland Security September 2016)\n", + "source_ref": "course-of-action--d0909119-2f71-4923-87db-b649881672d7", + "target_ref": "attack-pattern--8d2f3bab-507c-4424-b58b-edc977bd215c", + "external_references": [ + { + "source_name": "Department of Homeland Security September 2016", + "description": "Department of Homeland Security 2016, September Retrieved. 2020/09/25 ", + "url": "https://us-cert.cisa.gov/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf" + } + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, { "type": "relationship", "id": "relationship--11ab5b1a-b7b3-43bb-bc19-d65bf4ed89f3", 
@@ -16086,6 +21131,51 @@ "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, + { + "type": "relationship", + "id": "relationship--fc4803cb-d6bf-4674-bf40-d4b0997824ba", + "created": "2018-04-18T17:59:24.739Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Eduard Kovacs May 2018", + "description": "Eduard Kovacs 2018, May 10 'Allanite' Group Targets ICS Networks at Electric Utilities in US, UK Retrieved. 2020/01/03 ", + "url": "https://www.securityweek.com/allanite-group-targets-ics-networks-electric-utilities-us-uk" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-12T15:40:42.440Z", + "description": "[ALLANITE](https://attack.mitre.org/groups/G1000) leverages watering hole attacks to gain access into electric utilities. (Citation: Eduard Kovacs May 2018)", + "relationship_type": "uses", + "source_ref": "intrusion-set--190242d7-73fc-4738-af68-20162f7a5aae", + "target_ref": "attack-pattern--7830cfcf-b268-4ac0-a69e-73c6affbae9a", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--a7ca9443-f833-4636-9c30-fcaddd3516c6", + "created": "2022-05-11T16:22:58.807Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-14T19:33:22.909Z", + "description": "Monitor for changes made to Windows registry keys and/or values that may stop or disable services on a system to render those services unavailable to legitimate users.", + "relationship_type": "detects", + "source_ref": 
"x-mitre-data-component--da85d358-741a-410d-9433-20d6269a6170", + "target_ref": "attack-pattern--063b5b92-5361-481a-9c3f-95492ed9a2d8", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, { "type": "relationship", "id": "relationship--2e377016-bb23-481e-b72b-a2ace8c72eb7", 
@@ -16133,23 +21223,57 @@ }, { "type": "relationship", - "id": "relationship--a7ca9443-f833-4636-9c30-fcaddd3516c6", - "created": "2022-05-11T16:22:58.807Z", + "id": "relationship--66af47d7-c430-4ac9-8020-fd79b7059037", + "created": "2022-09-28T20:28:03.422Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, + "external_references": [ + { + "source_name": "CISA-AA22-103A", + "description": "DHS/CISA. (2022, May 25). Alert (AA22-103A) APT Cyber Tools Targeting ICS/SCADA Devices. Retrieved September 28, 2022.", + "url": "https://www.cisa.gov/uscert/ncas/alerts/aa22-103a" + }, + { + "source_name": "Dragos-Pipedream", + "description": "DRAGOS. (2022, April 13). Pipedream: Chernovite’s Emerging Malware Targeting Industrial Control Systems. Retrieved September 28, 2022.", + "url": "https://hub.dragos.com/hubfs/116-Whitepapers/Dragos_ChernoviteWP_v2b.pdf?hsLang=en" + }, + { + "source_name": "Wylie-22", + "description": "Jimmy Wylie. (2022, August). Analyzing PIPEDREAM: Challenges in Testing an ICS Attack Toolkit. 
Defcon 30.", + "url": "https://media.defcon.org/DEF%20CON%2030/DEF%20CON%2030%20presentations/Jimmy%20Wylie%20-%20Analyzing%20PIPEDREAM%20Challenges%20in%20testing%20an%20ICS%20attack%20toolkit.pdf" + } + ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2022-10-14T19:33:22.909Z", - "description": "Monitor for changes made to Windows registry keys and/or values that may stop or disable services on a system to render those services unavailable to legitimate users.", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--da85d358-741a-410d-9433-20d6269a6170", - "target_ref": "attack-pattern--063b5b92-5361-481a-9c3f-95492ed9a2d8", + "modified": "2022-10-13T16:53:47.440Z", + "description": "[INCONTROLLER](https://attack.mitre.org/software/S1045) can perform a UDP multicast scan of UDP port 27127 to identify Schneider PLCs that use that port for the NetManage protocol.(Citation: Dragos-Pipedream)(Citation: Wylie-22)\n\n[INCONTROLLER](https://attack.mitre.org/software/S1045) can use the FINS (Factory Interface Network Service) protocol to scan for and obtain MAC address associated with Omron devices.(Citation: CISA-AA22-103A)(Citation: Wylie-22)\n\n[INCONTROLLER](https://attack.mitre.org/software/S1045) has the ability to perform scans for TCP port 4840 to identify devices running OPC UA servers.(Citation: Wylie-22)", + "relationship_type": "uses", + "source_ref": "malware--d3aa1058-b1b3-4c29-a3ba-9a9b90ccd93b", + "target_ref": "attack-pattern--d5a69cfb-fc2a-46cb-99eb-74b236db5061", "x_mitre_deprecated": false, - "x_mitre_version": "1.0", + "x_mitre_version": "0.1", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--71c9db9c-6f0c-4e33-a20a-dcd5b791a49a", + "created_by_ref": 
"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.228Z", + "relationship_type": "mitigates", + "description": "Use user training as a way to bring awareness to common phishing and spearphishing techniques and how to raise suspicion for potentially malicious events.\n", + "source_ref": "course-of-action--dc61c280-c29d-44e5-a960-c0dd1623d2ba", + "target_ref": "attack-pattern--2736b752-4ec5-4421-a230-8977dea7649c", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, { "type": "relationship", "id": "relationship--50c20664-75dc-451e-b026-67b1d309e4b5", 
@@ -16257,76 +21381,6 @@ "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, - { - "type": "relationship", - "id": "relationship--66af47d7-c430-4ac9-8020-fd79b7059037", - "created": "2022-09-28T20:28:03.422Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "external_references": [ - { - "source_name": "CISA-AA22-103A", - "description": "DHS/CISA. (2022, May 25). Alert (AA22-103A) APT Cyber Tools Targeting ICS/SCADA Devices. Retrieved September 28, 2022.", - "url": "https://www.cisa.gov/uscert/ncas/alerts/aa22-103a" - }, - { - "source_name": "Dragos-Pipedream", - "description": "DRAGOS. (2022, April 13). Pipedream: Chernovite’s Emerging Malware Targeting Industrial Control Systems. Retrieved September 28, 2022.", - "url": "https://hub.dragos.com/hubfs/116-Whitepapers/Dragos_ChernoviteWP_v2b.pdf?hsLang=en" - }, - { - "source_name": "Wylie-22", - "description": "Jimmy Wylie. (2022, August). Analyzing PIPEDREAM: Challenges in Testing an ICS Attack Toolkit. 
Defcon 30.", - "url": "https://media.defcon.org/DEF%20CON%2030/DEF%20CON%2030%20presentations/Jimmy%20Wylie%20-%20Analyzing%20PIPEDREAM%20Challenges%20in%20testing%20an%20ICS%20attack%20toolkit.pdf" - } - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-10-13T16:53:47.440Z", - "description": "[INCONTROLLER](https://attack.mitre.org/software/S1045) can perform a UDP multicast scan of UDP port 27127 to identify Schneider PLCs that use that port for the NetManage protocol.(Citation: Dragos-Pipedream)(Citation: Wylie-22)\n\n[INCONTROLLER](https://attack.mitre.org/software/S1045) can use the FINS (Factory Interface Network Service) protocol to scan for and obtain MAC address associated with Omron devices.(Citation: CISA-AA22-103A)(Citation: Wylie-22)\n\n[INCONTROLLER](https://attack.mitre.org/software/S1045) has the ability to perform scans for TCP port 4840 to identify devices running OPC UA servers.(Citation: Wylie-22)", - "relationship_type": "uses", - "source_ref": "malware--d3aa1058-b1b3-4c29-a3ba-9a9b90ccd93b", - "target_ref": "attack-pattern--d5a69cfb-fc2a-46cb-99eb-74b236db5061", - "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "relationship", - "id": "relationship--71c9db9c-6f0c-4e33-a20a-dcd5b791a49a", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.228Z", - "relationship_type": "mitigates", - "description": "Use user training as a way to bring awareness to common phishing and spearphishing techniques and how to raise suspicion for potentially malicious events.\n", - "source_ref": "course-of-action--dc61c280-c29d-44e5-a960-c0dd1623d2ba", - "target_ref": 
"attack-pattern--2736b752-4ec5-4421-a230-8977dea7649c", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "relationship", - "id": "relationship--51eca7b9-6330-48a8-badd-65ed3e9d3639", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.072Z", - "relationship_type": "mitigates", - "description": "Restrict unauthorized devices from accessing serial comm ports.\n", - "source_ref": "course-of-action--1e7ccfc0-94c8-496e-8d27-032120892291", - "target_ref": "attack-pattern--1c478716-71d9-46a4-9a53-fa5d576adb60", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, { "type": "relationship", "id": "relationship--5a16cecc-4017-4ce8-97db-01cb66a1528e", 
@@ -16351,508 +21405,32 @@ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", - "id": "relationship--50a2b289-7bce-405d-8515-c2b5424cce5c", + "id": "relationship--51eca7b9-6330-48a8-badd-65ed3e9d3639", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.090Z", + "modified": "2022-05-06T17:47:24.072Z", "relationship_type": "mitigates", - "description": "Information which is sensitive to the operation and architecture of the process environment may be encrypted to ensure confidentiality and restrict access to only those who need to know. (Citation: Keith Stouffer May 2015) (Citation: National Institute of Standards and Technology April 2013)\n", - "source_ref": "course-of-action--9f99fcfd-772e-4e63-9d39-e45612e546dc", - "target_ref": "attack-pattern--3405891b-16aa-4bd7-bd7c-733501f9b20f", - "external_references": [ - { - "source_name": "Keith Stouffer May 2015", - "description": "Keith Stouffer 2015, May Guide to Industrial Control Systems (ICS) Security Retrieved. 2018/03/28 ", - "url": "https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-82r2.pdf" - }, - { - "source_name": "National Institute of Standards and Technology April 2013", - "description": "National Institute of Standards and Technology 2013, April Security and Privacy Controls for Federal Information Systems and Organizations Retrieved. 
2020/09/17 ", - "url": "https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf" - } - ], + "description": "Restrict unauthorized devices from accessing serial comm ports.\n", + "source_ref": "course-of-action--1e7ccfc0-94c8-496e-8d27-032120892291", + "target_ref": "attack-pattern--1c478716-71d9-46a4-9a53-fa5d576adb60", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0" }, { "type": "relationship", - "id": "relationship--86b868be-3e59-4497-9aa9-a2cd951a8f72", + "id": "relationship--7e87ce08-a428-4e55-876e-80d2760121a5", "created": "2022-05-11T16:22:58.803Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2022-09-26T15:01:39.537Z", - "description": "Monitor application logs for changes to settings and other events associated with network protocols that may be used to block communications.", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--9c2fa0ae-7abc-485a-97f6-699e3b6cf9fa", - "target_ref": "attack-pattern--008b8f56-6107-48be-aa9f-746f927dbb61", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "relationship", - "id": "relationship--808174b7-3ab0-45b5-963e-5c10dd749e3c", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.140Z", - "relationship_type": "mitigates", - "description": "Statically defined ARP entries can prevent manipulation and sniffing of switched network traffic, as some MitM techniques depend on sending spoofed ARP messages to manipulate network 
host's dynamic ARP tables.\n", - "source_ref": "course-of-action--52c7a1a9-3a78-4528-a44f-cd7b0fa3541a", - "target_ref": "attack-pattern--9a505987-ab05-4f46-a9a6-6441442eec3b", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - "type": "relationship", - "id": "relationship--6ad39b3a-a962-457f-852c-be7fc615e22f", - "created": "2020-09-21T17:59:24.739Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "external_references": [ - { - "source_name": "Department of Homeland Security October 2009", - "description": "Department of Homeland Security 2009, October Developing an Industrial Control Systems Cybersecurity Incident Response Capability Retrieved. 2020/09/17 ", - "url": "https://us-cert.cisa.gov/sites/default/files/recommended_practices/final-RP_ics_cybersecurity_incident_response_100609.pdf" - } - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-10-19T21:23:00.355Z", - "description": "Take and store data backups from end user systems and critical servers. Ensure backup and storage systems are hardened and kept separate from the corporate network to prevent compromise. 
Maintain and exercise incident response plans (Citation: Department of Homeland Security October 2009), including the management of gold-copy back-up images and configurations for key systems to enable quick recovery and response from adversarial activities that impact control, view, or availability.\n", - "relationship_type": "mitigates", - "source_ref": "course-of-action--ad12819e-3211-4291-b360-069f280cff0a", - "target_ref": "attack-pattern--a81696ef-c106-482c-8f80-59c30f2569fb", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "relationship", - "id": "relationship--cb30d507-edc6-4197-947c-7b3a6e395c0d", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.178Z", - "relationship_type": "mitigates", - "description": "Utilize code signatures to verify the integrity of the installed program on safety or control assets has not been changed.\n", - "source_ref": "course-of-action--71eb7dad-07eb-4bbc-9df0-ac57bf2fba4a", - "target_ref": "attack-pattern--be69c571-d746-4b1f-bdd0-c0c9817e9068", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "relationship", - "id": "relationship--3da977ab-c863-4e6f-a5b7-68173160da00", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.166Z", - "relationship_type": "mitigates", - "description": "Filter for protocols and payloads associated with firmware activation or updating activity.\n", - "source_ref": 
"course-of-action--11f242bc-3121-438c-84b2-5cbd46a4bb17", - "target_ref": "attack-pattern--efbf7888-f61b-4572-9c80-7e2965c60707", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - "type": "relationship", - "id": "relationship--97538255-b049-4d15-91c4-6b227cbea476", - "created": "2022-05-11T16:22:58.806Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-09-26T15:16:09.542Z", - "description": "Data about the industrial process may indicate it is operating outside of expected bounds and could help indicate that that an alarm setting has changed. This will not directly detect the technique’s execution, but instead may provide additional evidence that the technique has been used and may complement other detections.", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--931b3fc6-ad68-42a8-9018-e98515eedc95", - "target_ref": "attack-pattern--e5de767e-f513-41cd-aa15-33f6ce5fbf92", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "relationship", - "id": "relationship--7fdaa9be-aecf-459f-b028-7c35dc8b6451", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.152Z", - "relationship_type": "mitigates", - "description": "Limit privileges of user accounts and groups so that only designated administrators or engineers can interact with alarm management and alarm configuration thresholds.\n", - "source_ref": "course-of-action--e57ebc6d-785f-40c8-adb1-b5b5e09b3b48", - 
"target_ref": "attack-pattern--e5de767e-f513-41cd-aa15-33f6ce5fbf92", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "relationship", - "id": "relationship--a86cee0a-dc49-4c95-b5dc-37405337490b", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.079Z", - "relationship_type": "mitigates", - "description": "Authenticate all access to field controllers before authorizing access to, or modification of, a device's state, logic, or programs. Centralized authentication techniques can help manage the large number of field controller accounts needed across the ICS.\n", - "source_ref": "course-of-action--3992ce42-43e9-4bea-b8db-a102ec3ec1e3", - "target_ref": "attack-pattern--2883c520-7957-46ca-89bd-dab1ad53b601", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "relationship", - "id": "relationship--1aa02c37-973e-46bd-ab45-609463e514e9", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.228Z", - "relationship_type": "mitigates", - "description": "If a link is being visited by a user, block unknown or unused files in transit by default that should not be downloaded or by policy from suspicious sites as a best practice to prevent some vectors, such as .scr, .exe, .pif, .cpl, etc. 
Some download scanning devices can open and analyze compressed and encrypted formats, such as zip and rar that may be used to conceal malicious files.\n", - "source_ref": "course-of-action--143b4398-3222-480a-b6a4-e131bc2d3144", - "target_ref": "attack-pattern--2736b752-4ec5-4421-a230-8977dea7649c", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - "type": "relationship", - "id": "relationship--cb38425c-646d-4bc8-bdea-e6cc630c3034", - "created": "2021-04-13T11:15:26.506Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "external_references": [ - { - "source_name": "Nicolas Falliere, Liam O Murchu, Eric Chien February 2011", - "description": "Nicolas Falliere, Liam O Murchu, Eric Chien 2011, February W32.Stuxnet Dossier (Version 1.4) Retrieved. 2017/09/22 ", - "url": "https://www.wired.com/images_blogs/threatlevel/2011/02/Symantec-Stuxnet-Update-Feb-2011.pdf" - } - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-09-20T21:18:37.808Z", - "description": "[Stuxnet](https://attack.mitre.org/software/S0603) infects PLCs with different code depending on the characteristics of the target system. An infection sequence consists of code blocks and data blocks that will be downloaded to the PLC to alter its behavior. 
(Citation: Nicolas Falliere, Liam O Murchu, Eric Chien February 2011)", - "relationship_type": "uses", - "source_ref": "malware--088f1d6e-0783-47c6-9923-9c79b2af43d4", - "target_ref": "attack-pattern--fc5fda7e-6b2c-4457-b036-759896a2efa2", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "relationship", - "id": "relationship--4256a0c2-437d-4a4c-88ac-d08d3041b8c1", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.178Z", - "relationship_type": "mitigates", - "description": "Use host-based allowlists to prevent devices from accepting connections from unauthorized systems. For example, allowlists can be used to ensure devices can only connect with master stations or known management/engineering workstations. (Citation: Department of Homeland Security September 2016)\n", - "source_ref": "course-of-action--aadac250-bcdc-44e3-a4ae-f52bd0a7a16a", - "target_ref": "attack-pattern--be69c571-d746-4b1f-bdd0-c0c9817e9068", - "external_references": [ - { - "source_name": "Department of Homeland Security September 2016", - "description": "Department of Homeland Security 2016, September Retrieved. 
2020/09/25 ", - "url": "https://us-cert.cisa.gov/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf" - } - ], - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "relationship", - "id": "relationship--ea817c7a-9424-4204-90a5-6f8fb86037be", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.230Z", - "relationship_type": "mitigates", - "description": "Configure features related to account use like login attempt lockouts, specific login times, and password strength requirements as examples. Consider these features as they relate to assets which may impact safety and availability. (Citation: Keith Stouffer May 2015)\n", - "source_ref": "course-of-action--86b455f2-fb63-4043-93a8-32a3a7703a02", - "target_ref": "attack-pattern--cd2c76a4-5e23-4ca5-9c40-d5e0604f7101", - "external_references": [ - { - "source_name": "Keith Stouffer May 2015", - "description": "Keith Stouffer 2015, May Guide to Industrial Control Systems (ICS) Security Retrieved. 
2018/03/28 ", - "url": "https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-82r2.pdf" - } - ], - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "relationship", - "id": "relationship--21b6ec9c-8779-49db-bf19-90e81893a6e4", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.089Z", - "relationship_type": "mitigates", - "description": "Protect files stored locally with proper permissions to limit opportunities for adversaries to impact data storage. (Citation: National Institute of Standards and Technology April 2013)\n", - "source_ref": "course-of-action--f9fcb3ec-6de0-4559-8cd9-ef1c0c7d1971", - "target_ref": "attack-pattern--493832d9-cea6-4b63-abe7-9a65a6473675", - "external_references": [ - { - "source_name": "National Institute of Standards and Technology April 2013", - "description": "National Institute of Standards and Technology 2013, April Security and Privacy Controls for Federal Information Systems and Organizations Retrieved. 
2020/09/17 ", - "url": "https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf" - } - ], - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "relationship", - "id": "relationship--34ac1b1b-1103-4fc9-a62e-f1dd1451b28b", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2021-04-13T11:15:26.506Z", - "modified": "2022-05-06T17:47:24.156Z", - "relationship_type": "mitigates", - "description": "Provide the ability to verify the integrity of control logic or programs loaded on a controller. While techniques like CRCs and checksums are commonly used, they are not cryptographically strong and can be vulnerable to collisions. Preferably cryptographic hash functions (e.g., SHA-2, SHA-3) should be used. (Citation: IEC February 2019)\n", - "source_ref": "course-of-action--bcf91ebc-f316-4e19-b2f6-444e9940c697", - "target_ref": "attack-pattern--fc5fda7e-6b2c-4457-b036-759896a2efa2", - "external_references": [ - { - "source_name": "IEC February 2019", - "description": "IEC 2019, February Security for industrial automation and control systems - Part 4-2: Technical security requirements for IACS components Retrieved. 
2020/09/25 ", - "url": "https://webstore.iec.ch/publication/34421" - } - ], - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "relationship", - "id": "relationship--47f15a06-8675-4698-833d-bd141ed9e755", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.122Z", - "relationship_type": "mitigates", - "description": "Security applications that look for behavior used during exploitation such as Windows Defender Exploit Guard (WDEG) and the Enhanced Mitigation Experience Toolkit (EMET) can be used to mitigate some exploitation behavior. (Citation: Microsoft Security Response Center August 2017)Control flow integrity checking is another way to potentially identify and stop a software exploit from occurring. (Citation: Wikipedia)Many of these protections depend on the architecture and target application binary for compatibility and may not work for all software or services targeted.\n", - "source_ref": "course-of-action--49363b74-d506-4342-bd63-320586ebadb9", - "target_ref": "attack-pattern--85a45294-08f1-4539-bf00-7da08aa7b0ee", - "external_references": [ - { - "source_name": "Microsoft Security Response Center August 2017", - "description": "Microsoft Security Response Center 2017, August Moving Beyond EMET II Windows Defender Exploit Guard Retrieved. 2020/09/25 ", - "url": "https://msrc-blog.microsoft.com/2017/08/09/moving-beyond-emet-ii-windows-defender-exploit-guard/" - }, - { - "source_name": "Wikipedia", - "description": "Wikipedia Microsoft Security Response Center 2017, August Moving Beyond EMET II Windows Defender Exploit Guard Retrieved. 2020/09/25 Control-flow integrity Retrieved. 
2020/09/25 ", - "url": "https://en.wikipedia.org/wiki/Control-flow_integrity" - } - ], - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - "type": "relationship", - "id": "relationship--c90cfddb-253b-41c8-9057-2abde6f8aa6d", - "created": "2021-04-12T18:49:06.044Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "external_references": [ - { - "source_name": "SecureWorks September 2019", - "description": "SecureWorks 2019, September 24 REvil/Sodinokibi Ransomware Retrieved. 2021/04/12 ", - "url": "https://www.secureworks.com/research/revil-sodinokibi-ransomware" - }, - { - "source_name": "Tom Fakterman August 2019", - "description": "Tom Fakterman 2019, August 05 Sodinokibi: The Crown Prince of Ransomware Retrieved. 2021/04/12 ", - "url": "https://www.cybereason.com/blog/the-sodinokibi-ransomware-attack" - } - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-10-12T18:06:28.859Z", - "description": "[REvil](https://attack.mitre.org/software/S0496) sends HTTPS POST messages with randomly generated URLs to communicate with a remote server. 
(Citation: Tom Fakterman August 2019) (Citation: SecureWorks September 2019)", - "relationship_type": "uses", - "source_ref": "malware--ac61f1f9-7bb1-465e-9b8a-c2ce8e88baf5", - "target_ref": "attack-pattern--e076cca8-2f08-45c9-aff7-ea5ac798b387", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "type": "relationship", - "id": "relationship--be532c78-daf5-431b-adae-ab11af395513", - "created": "2017-12-14T16:46:06.044Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "external_references": [ - { - "source_name": "Nicolas Falliere, Liam O Murchu, Eric Chien February 2011", - "description": "Nicolas Falliere, Liam O Murchu, Eric Chien 2011, February W32.Stuxnet Dossier (Version 1.4) Retrieved. 2017/09/22 ", - "url": "https://www.wired.com/images_blogs/threatlevel/2011/02/Symantec-Stuxnet-Update-Feb-2011.pdf" - } - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-09-20T21:16:39.070Z", - "description": "[Stuxnet](https://attack.mitre.org/software/S0603) executes malicious SQL commands in the WinCC database server to propagate to remote systems. The malicious SQL commands include xp_cmdshell, sp_dumpdbilog, and sp_addextendedproc. 
(Citation: Nicolas Falliere, Liam O Murchu, Eric Chien February 2011)", - "relationship_type": "uses", - "source_ref": "malware--088f1d6e-0783-47c6-9923-9c79b2af43d4", - "target_ref": "attack-pattern--85a45294-08f1-4539-bf00-7da08aa7b0ee", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "relationship--ad7770c3-fe24-4285-9ce2-1616a1061472", - "type": "relationship", - "created": "2019-04-17T14:45:59.681Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "external_references": [ - { - "description": "McKeague, B. et al. (2019, April 5). Pick-Six: Intercepting a FIN6 Intrusion, an Actor Recently Tied to Ryuk and LockerGoga Ransomware. Retrieved April 17, 2019.", - "url": "https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html", - "source_name": "FireEye FIN6 Apr 2019" - } - ], - "modified": "2019-06-28T14:59:17.849Z", - "description": "(Citation: FireEye FIN6 Apr 2019)", - "relationship_type": "uses", - "source_ref": "intrusion-set--2a7914cf-dff3-428d-ab0f-1014d1c28aeb", - "target_ref": "malware--5af7a825-2d9f-400d-931a-e00eb9e27f48", - "x_mitre_version": "1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "relationship", - "id": "relationship--81ca994a-b350-424d-8f39-a0b64aa76260", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.204Z", - "relationship_type": "mitigates", - "description": "Users can be trained to identify social engineering techniques and spearphishing emails.\n", - "source_ref": 
"course-of-action--dc61c280-c29d-44e5-a960-c0dd1623d2ba", - "target_ref": "attack-pattern--648f995e-9c3a-41e4-aeee-98bb41037426", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - "type": "relationship", - "id": "relationship--d2dc57eb-5be2-4f9c-a4f7-18d2085ff412", - "created": "2018-10-17T00:14:20.652Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "external_references": [ - { - "source_name": "Robert Falcone, Bryan Lee May 2016", - "description": "Robert Falcone, Bryan Lee 2016, May 26 The OilRig Campaign: Attacks on Saudi Arabian Organizations Deliver Helminth Backdoor Retrieved. 2019/11/19 ", - "url": "https://unit42.paloaltonetworks.com/the-oilrig-campaign-attacks-on-saudi-arabian-organizations-deliver-helminth-backdoor/" - } - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-10-12T16:32:31.072Z", - "description": "[OilRig](https://attack.mitre.org/groups/G0049) communicated with its command and control using HTTP requests. 
(Citation: Robert Falcone, Bryan Lee May 2016)", - "relationship_type": "uses", - "source_ref": "intrusion-set--4ca1929c-7d64-4aab-b849-badbfc0c760d", - "target_ref": "attack-pattern--e076cca8-2f08-45c9-aff7-ea5ac798b387", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "relationship", - "id": "relationship--a74c14e2-eb8a-47bb-b64d-20aad9154297", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.218Z", - "relationship_type": "mitigates", - "description": "Segment operational network and systems to restrict access to critical system functions to predetermined management systems. (Citation: Department of Homeland Security September 2016)\n", - "source_ref": "course-of-action--1e7ccfc0-94c8-496e-8d27-032120892291", - "target_ref": "attack-pattern--b9160e77-ea9e-4ba9-b1c8-53a3c466b13d", - "external_references": [ - { - "source_name": "Department of Homeland Security September 2016", - "description": "Department of Homeland Security 2016, September Retrieved. 
2020/09/25 ", - "url": "https://us-cert.cisa.gov/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf" - } - ], - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - "type": "relationship", - "id": "relationship--15a39e3b-124e-4e68-95b5-7b8020225c12", - "created": "2022-05-11T16:22:58.807Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-10-14T16:30:27.289Z", - "description": "Monitor command-line arguments for script execution and subsequent behavior. Actions may be related to network and system information Discovery, Collection, or other scriptable post-compromise behaviors and could be used as indicators of detection leading back to the source script. Scripts are likely to perform actions with various effects on a system that may generate events, depending on the types of monitoring used. ", + "modified": "2022-10-14T19:37:35.099Z", + "description": "Monitor executed commands and arguments for actions that could be taken to collect internal data.", "relationship_type": "detects", "source_ref": "x-mitre-data-component--685f917a-e95e-4ba0-ade1-c7d354dae6e0", - "target_ref": "attack-pattern--2dc2b567-8821-49f9-9045-8740f3d0b958", + "target_ref": "attack-pattern--3de230d4-3e42-4041-b089-17e1128feded", "x_mitre_deprecated": false, "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "2.1.0", 
@@ -16860,52 +21438,55 @@ }, { "type": "relationship", - "id": "relationship--3c5bc8de-a7a4-4bda-a82f-8d149ec927f1", - "created": "2022-05-11T16:22:58.804Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-09-26T16:11:30.678Z", - "description": "Monitor operational process data for write commands for an excessive number of I/O points or manipulating a single value an excessive number of times. This will not directly detect the technique’s execution, but instead may provide additional evidence that the technique has been used and may complement other detections.", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--931b3fc6-ad68-42a8-9018-e98515eedc95", - "target_ref": "attack-pattern--8e7089d3-fba2-44f8-94a8-9a79c53920c4", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "type": "relationship", - "id": "relationship--d9165ecb-bc10-4189-a7e4-057bdf05bf3f", - "created": "2017-12-14T16:46:06.044Z", + "id": "relationship--6681bc38-0b55-4714-b690-c609956b40bf", + "created": "2022-09-28T20:27:33.506Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { - "source_name": "Booz Allen Hamilton", - "description": "Booz Allen Hamilton When The Lights Went Out Retrieved. 2019/10/22 ", - "url": "https://www.boozallen.com/content/dam/boozallen/documents/2016/09/ukraine-report-when-the-lights-went-out.pdf" + "source_name": "CISA-AA22-103A", + "description": "DHS/CISA. (2022, May 25). Alert (AA22-103A) APT Cyber Tools Targeting ICS/SCADA Devices. Retrieved September 28, 2022.", + "url": "https://www.cisa.gov/uscert/ncas/alerts/aa22-103a" + }, + { + "source_name": "Wylie-22", + "description": "Jimmy Wylie. 
(2022, August). Analyzing PIPEDREAM: Challenges in Testing an ICS Attack Toolkit. Defcon 30.", + "url": "https://media.defcon.org/DEF%20CON%2030/DEF%20CON%2030%20presentations/Jimmy%20Wylie%20-%20Analyzing%20PIPEDREAM%20Challenges%20in%20testing%20an%20ICS%20attack%20toolkit.pdf" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2022-10-12T17:35:32.480Z", - "description": "[BlackEnergy](https://attack.mitre.org/software/S0089) targeted energy sector organizations in a wide reaching email spearphishing campaign. Adversaries utilized malicious Microsoft Word documents attachments. (Citation: Booz Allen Hamilton)\n", + "modified": "2022-10-13T16:53:47.438Z", + "description": "[INCONTROLLER](https://attack.mitre.org/software/S1045) can brute force password-based authentication to Schneider PLCs over the CODESYS protocol (UDP port 1740).(Citation: CISA-AA22-103A)\n\n [INCONTROLLER](https://attack.mitre.org/software/S1045) can perform brute force guessing of passwords to OPC UA servers using a predefined list of passwords.(Citation: CISA-AA22-103A)(Citation: Wylie-22) ", "relationship_type": "uses", - "source_ref": "malware--54cc1d4f-5c53-4f0e-9ef5-11b4998e82e4", - "target_ref": "attack-pattern--648f995e-9c3a-41e4-aeee-98bb41037426", + "source_ref": "malware--d3aa1058-b1b3-4c29-a3ba-9a9b90ccd93b", + "target_ref": "attack-pattern--cd2c76a4-5e23-4ca5-9c40-d5e0604f7101", "x_mitre_deprecated": false, - "x_mitre_version": "1.0", + "x_mitre_version": "0.1", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], "type": "relationship", - "id": "relationship--5424e327-396f-4b07-94a3-408ffc915686", + "id": "relationship--520aad6a-2483-45bc-a172-2417137f6ca0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", 
+ "modified": "2022-05-06T17:47:24.143Z", + "relationship_type": "mitigates", + "description": "Utilize out-of-band communication to validate the integrity of data from the primary channel.\n", + "source_ref": "course-of-action--b11cad63-ef30-4eb8-af0d-6cc46eef3f3e", + "target_ref": "attack-pattern--1af9e3fd-2bcc-414d-adbd-fe3b95c02ca1", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--0eb112f6-c1cb-4843-93f5-f668aa0e9bd8", "created": "2018-04-18T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, 
@@ -16914,513 +21495,16 @@ "source_name": "Dragos", "description": "Dragos Allanite Retrieved. 2019/10/27 ", "url": "https://dragos.com/resource/allanite/" - }, - { - "source_name": "ICS-CERT October 2017", - "description": "ICS-CERT 2017, October 21 Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors Retrieved. 2017/10/23 ", - "url": "https://www.us-cert.gov/ncas/alerts/TA17-293A" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2022-10-12T15:40:18.975Z", - "description": "[ALLANITE](https://attack.mitre.org/groups/G1000) has been identified to collect and distribute screenshots of ICS systems such as HMIs. (Citation: Dragos) (Citation: ICS-CERT October 2017)", + "modified": "2022-10-12T15:40:08.649Z", + "description": "[ALLANITE](https://attack.mitre.org/groups/G1000) utilized credentials collected through phishing and watering hole attacks. (Citation: Dragos)", "relationship_type": "uses", "source_ref": "intrusion-set--190242d7-73fc-4738-af68-20162f7a5aae", - "target_ref": "attack-pattern--c5e3cdbc-0387-4be9-8f83-ff5c0865f377", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "relationship", - "id": "relationship--97c5b388-518a-46ec-b2b0-41bfa6a83204", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.115Z", - "relationship_type": "mitigates", - "description": "Update software regularly by employing patch management for internal enterprise endpoints and servers.\n", - "source_ref": "course-of-action--97f33c84-8508-45b9-8a1d-cac921828c9e", - "target_ref": "attack-pattern--9f947a1c-3860-48a8-8af0-a2dfa3efde03", - 
"x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "relationship", - "id": "relationship--45ee1822-71e4-4d92-976d-306561b70555", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.106Z", - "relationship_type": "mitigates", - "description": "Segment operational network and systems to restrict access to critical system functions to predetermined management systems. (Citation: Department of Homeland Security September 2016)\n", - "source_ref": "course-of-action--1e7ccfc0-94c8-496e-8d27-032120892291", - "target_ref": "attack-pattern--25dfc8ad-bd73-4dfd-84a9-3c3d383f76e9", - "external_references": [ - { - "source_name": "Department of Homeland Security September 2016", - "description": "Department of Homeland Security 2016, September Retrieved. 
2020/09/25 ", - "url": "https://us-cert.cisa.gov/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf" - } - ], - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "relationship", - "id": "relationship--b5e52859-8dab-4e7e-af70-bb38c6993c98", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.200Z", - "relationship_type": "mitigates", - "description": "Preventing screen capture on a device may require disabling various system calls supported by the operating systems (e.g., Microsoft WindowsGraphicsCaputer APIs), however, these may be needed for other critical applications.\n", - "source_ref": "course-of-action--469b78dd-a54d-4f7c-8c3b-4a1dd916b433", - "target_ref": "attack-pattern--c5e3cdbc-0387-4be9-8f83-ff5c0865f377", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "relationship", - "id": "relationship--33486e89-f0f4-4507-9f13-48a8f22c8ac8", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.092Z", - "relationship_type": "mitigates", - "description": "Review vendor documents and security alerts for potentially unknown or overlooked default credentials within existing devices\n", - "source_ref": "course-of-action--5d97c693-e054-48ba-a3a3-eaf6942dfb65", - "target_ref": "attack-pattern--8bb4538f-f16f-49f0-a431-70b5444c7349", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": 
"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - "type": "relationship", - "id": "relationship--98d447f4-397b-43e7-9740-c2e5ea6b1714", - "created": "2021-10-14T21:33:27.046Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "external_references": [ - { - "source_name": "Dragos October 2018", - "description": "Dragos 2018, October 12 Anatomy of an Attack: Detecting and Defeating CRASHOVERRIDE Retrieved. 2019/10/14 ", - "url": "https://dragos.com/wp-content/uploads/CRASHOVERRIDE2018.pdf" - } - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-10-12T16:58:02.679Z", - "description": "[Sandworm Team](https://attack.mitre.org/groups/G0034) used a VBS script to facilitate lateral tool transfer. The VBS script was used to copy ICS-specific payloads with the following command: cscript C:\\\\Backinfo\\\\ufn.vbs C:\\\\Backinfo\\\\101.dll C:\\\\Delta\\\\101.dll (Citation: Dragos October 2018)", - "relationship_type": "uses", - "source_ref": "intrusion-set--381fcf73-60f6-4ab2-9991-6af3cbc35192", - "target_ref": "attack-pattern--ead7bd34-186e-4c79-9a4d-b65bcce6ed9d", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "type": "relationship", - "id": "relationship--6be102a8-5d9c-494e-a8ce-7b0a1c86a863", - "created": "2022-05-11T16:22:58.805Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-10-14T19:40:22.279Z", - "description": "Monitor for contextual file data that may show signs of deletion or alter generated artifacts on a host system, including logs or captured files such as quarantined malware.", - "relationship_type": "detects", - 
"source_ref": "x-mitre-data-component--639e87f3-acb6-448a-9645-258f20da4bc5", - "target_ref": "attack-pattern--53a26eee-1080-4d17-9762-2027d5a1b805", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "relationship", - "id": "relationship--7fc9fbfc-ab9f-4189-bc1f-d473e9ef36b5", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.071Z", - "relationship_type": "mitigates", - "description": "Utilize network allowlists to restrict unnecessary connections to network devices (e.g., comm servers, serial to ethernet converters) and services, especially in cases when devices have limits on the number of simultaneous sessions they support.\n", - "source_ref": "course-of-action--aadac250-bcdc-44e3-a4ae-f52bd0a7a16a", - "target_ref": "attack-pattern--3f1f4ccb-9be2-4ff8-8f69-dd972221169b", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - "type": "relationship", - "id": "relationship--a6d8b66d-fc10-404f-b0ae-e8c66506b818", - "created": "2018-10-17T00:14:20.652Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "external_references": [ - { - "source_name": "Anton Cherepanov, ESET June 2017", - "description": "Anton Cherepanov, ESET 2017, June 12 Win32/Industroyer: A new threat for industrial control systems Retrieved. 
2017/09/15 ", - "url": "https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf" - } - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-09-23T18:56:07.745Z", - "description": "[Industroyer](https://attack.mitre.org/software/S0604)'s data wiper component removes the registry image path throughout the system and overwrites all files, rendering the system unusable. (Citation: Anton Cherepanov, ESET June 2017)", - "relationship_type": "uses", - "source_ref": "malware--e401d4fe-f0c9-44f0-98e6-f93487678808", - "target_ref": "attack-pattern--a81696ef-c106-482c-8f80-59c30f2569fb", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "relationship", - "id": "relationship--0df0cb6d-0067-48b2-a33e-495415713ab7", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.181Z", - "relationship_type": "mitigates", - "description": "Protocols used for device management should authenticate all network messages to prevent unauthorized system changes.\n", - "source_ref": "course-of-action--c7257b6e-4159-4771-b1f3-2bb93adaecac", - "target_ref": "attack-pattern--3067b85e-271e-4bc5-81ad-ab1a81d411e3", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - "type": "relationship", - "id": "relationship--309e4558-e591-4d03-9bb9-07d30acf011f", - "created": "2021-04-12T18:49:06.044Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "external_references": [ - { - "source_name": "McAfee Labs October 2019", - "description": "McAfee Labs 
2019, October 02 McAfee ATR Analyzes Sodinokibi aka REvil Ransomware-as-a-Service What The Code Tells Us Retrieved. 2021/04/12 ", - "url": "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/mcafee-atr-analyzes-sodinokibi-aka-revil-ransomware-as-a-service-what-the-code-tells-us" - } - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-10-12T18:04:11.691Z", - "description": "[REvil](https://attack.mitre.org/software/S0496) searches for all processes listed in the prc field within its configuration file and then terminates each process. (Citation: McAfee Labs October 2019)", - "relationship_type": "uses", - "source_ref": "malware--ac61f1f9-7bb1-465e-9b8a-c2ce8e88baf5", - "target_ref": "attack-pattern--063b5b92-5361-481a-9c3f-95492ed9a2d8", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "relationship", - "id": "relationship--5212f36b-216f-4e32-8b64-3b4c94dfada5", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2021-04-10T14:13:17.429Z", - "modified": "2022-05-06T17:47:24.188Z", - "relationship_type": "mitigates", - "description": "Enforce strong password requirements to prevent password brute force methods for lateral movement.\n", - "source_ref": "course-of-action--5d97c693-e054-48ba-a3a3-eaf6942dfb65", - "target_ref": "attack-pattern--e1f9cdd2-9511-4fca-90d7-f3e92cfdd0bf", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - "type": "relationship", - "id": "relationship--09fe4b04-b1d2-492c-9b10-59b94807ccf9", - "created": "2022-05-11T16:22:58.806Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - 
"revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-10-14T16:41:46.146Z", - "description": "Monitor for newly constructed services/daemons that may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools.", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--5297a638-1382-4f0c-8472-0d21830bf705", - "target_ref": "attack-pattern--ba203963-3182-41ac-af14-7e7ebc83cd61", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "relationship", - "id": "relationship--446c95ea-5178-4ae9-8f92-cb20dd50f7de", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2021-04-13T12:36:26.506Z", - "modified": "2022-05-06T17:47:24.166Z", - "relationship_type": "mitigates", - "description": "Minimize the exposure of API calls that allow the execution of code.\n", - "source_ref": "course-of-action--4fa717d9-cabe-47c8-8cdd-86e9e2e37f30", - "target_ref": "attack-pattern--b52870cc-83f3-473c-b895-72d91751030b", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "relationship", - "id": "relationship--3dde2b07-7c30-4a18-a9df-f85db84f9b14", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.214Z", - "relationship_type": "mitigates", - "description": "Use host-based allowlists to prevent devices from accepting connections from unauthorized systems. 
For example, allowlists can be used to ensure devices can only connect with master stations or known management/engineering workstations. (Citation: Department of Homeland Security September 2016)\n", - "source_ref": "course-of-action--aadac250-bcdc-44e3-a4ae-f52bd0a7a16a", - "target_ref": "attack-pattern--b9160e77-ea9e-4ba9-b1c8-53a3c466b13d", - "external_references": [ - { - "source_name": "Department of Homeland Security September 2016", - "description": "Department of Homeland Security 2016, September Retrieved. 2020/09/25 ", - "url": "https://us-cert.cisa.gov/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf" - } - ], - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - "type": "relationship", - "id": "relationship--75a60046-c4d7-498a-b256-9a93b5992dcc", - "created": "2022-05-11T16:22:58.805Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-10-14T16:55:46.014Z", - "description": "Monitor for unusual processes with internal network connections creating files on-system which may be suspicious. 
", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c", - "target_ref": "attack-pattern--ead7bd34-186e-4c79-9a4d-b65bcce6ed9d", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "relationship", - "id": "relationship--3b6567a9-6213-4db4-a069-1a86b1098b63", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2021-04-13T12:08:26.506Z", - "modified": "2022-05-06T17:47:24.119Z", - "relationship_type": "mitigates", - "description": "Security applications that look for behavior used during exploitation such as Windows Defender Exploit Guard (WDEG) and the Enhanced Mitigation Experience Toolkit (EMET) can be used to mitigate some exploitation behavior. (Citation: Microsoft Security Response Center August 2017)Control flow integrity checking is another way to potentially identify and stop a software exploit from occurring. (Citation: Wikipedia)Many of these protections depend on the architecture and target application binary for compatibility and may not work for all software or services targeted.\n", - "source_ref": "course-of-action--49363b74-d506-4342-bd63-320586ebadb9", - "target_ref": "attack-pattern--cfe68e93-ce94-4c0f-a57d-3aa72cedd618", - "external_references": [ - { - "source_name": "Microsoft Security Response Center August 2017", - "description": "Microsoft Security Response Center 2017, August Moving Beyond EMET II Windows Defender Exploit Guard Retrieved. 
2020/09/25 ", - "url": "https://msrc-blog.microsoft.com/2017/08/09/moving-beyond-emet-ii-windows-defender-exploit-guard/" - }, - { - "source_name": "Wikipedia", - "description": "Wikipedia Microsoft Security Response Center 2017, August Moving Beyond EMET II Windows Defender Exploit Guard Retrieved. 2020/09/25 Control-flow integrity Retrieved. 2020/09/25 ", - "url": "https://en.wikipedia.org/wiki/Control-flow_integrity" - } - ], - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "relationship", - "id": "relationship--3478c49c-594b-4224-b7f9-2b0b09c67288", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.239Z", - "relationship_type": "mitigates", - "description": "Utilize strong cryptographic techniques and protocols to prevent eavesdropping on network communications. (Citation: Bastille April 2017)\n", - "source_ref": "course-of-action--7f153c28-e5f1-4764-88fb-eea1d9b0ad4a", - "target_ref": "attack-pattern--0fe075d5-beac-4d02-b93e-0f874997db72", - "external_references": [ - { - "source_name": "Bastille April 2017", - "description": "Bastille 2017, April 17 Dallas Siren Attack Retrieved. 
2020/11/06 ", - "url": "https://www.bastille.net/blogs/2017/4/17/dallas-siren-attack" - } - ], - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "relationship", - "id": "relationship--f20d8eed-b517-4297-b32a-9a5e0845de9f", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.150Z", - "relationship_type": "mitigates", - "description": "All devices or systems changes, including all administrative functions, should require authentication. Consider using access management technologies to enforce authorization on all management interface access attempts, especially when the device does not inherently provide strong authentication and authorization functions.\n", - "source_ref": "course-of-action--3992ce42-43e9-4bea-b8db-a102ec3ec1e3", - "target_ref": "attack-pattern--e5de767e-f513-41cd-aa15-33f6ce5fbf92", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "relationship", - "id": "relationship--e6be2fb4-3815-4e52-8dec-2aed1dc3b7cf", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.154Z", - "relationship_type": "mitigates", - "description": "All field controllers should restrict the modification of programs to only certain users (e.g., engineers, field technician), preferably through implementing a role-based access mechanism.\n", - "source_ref": "course-of-action--e0d38502-decb-481d-ad8b-b8f0a0c330bd", - "target_ref": "attack-pattern--097924ce-a9a9-4039-8591-e0deedfb8722", 
- "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - "type": "relationship", - "id": "relationship--3d005ed8-77d3-4fed-9dd5-7e39ba8cb50a", - "created": "2021-04-13T12:45:26.506Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "external_references": [ - { - "source_name": "Nicolas Falliere, Liam O Murchu, Eric Chien February 2011", - "description": "Nicolas Falliere, Liam O Murchu, Eric Chien 2011, February W32.Stuxnet Dossier (Version 1.4) Retrieved. 2017/09/22 ", - "url": "https://www.wired.com/images_blogs/threatlevel/2011/02/Symantec-Stuxnet-Update-Feb-2011.pdf" - } - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-09-20T21:12:08.899Z", - "description": "[Stuxnet](https://attack.mitre.org/software/S0603) calls system function blocks which are part of the operating system running on the PLC. Theyre used to execute system tasks, such as reading the system clock (SFC1) and generating data blocks on the fly. 
(Citation: Nicolas Falliere, Liam O Murchu, Eric Chien February 2011)", - "relationship_type": "uses", - "source_ref": "malware--088f1d6e-0783-47c6-9923-9c79b2af43d4", - "target_ref": "attack-pattern--b52870cc-83f3-473c-b895-72d91751030b", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "relationship", - "id": "relationship--9b412b1f-2dd0-4e7f-8364-f625181ba1db", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.232Z", - "relationship_type": "mitigates", - "description": "Integrating multi-factor authentication (MFA) as part of organizational policy can greatly reduce the risk of an adversary gaining access to valid credentials that may be used for additional tactics such as initial access, lateral movement, and collecting information. 
MFA can also be used to restrict access to cloud resources and APIs.\n", - "source_ref": "course-of-action--ddf3e568-f065-49e2-9106-42029a28ddbd", "target_ref": "attack-pattern--cd2c76a4-5e23-4ca5-9c40-d5e0604f7101", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "relationship", - "id": "relationship--d854cc38-adf7-485d-96b5-70606f6cb87e", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.208Z", - "relationship_type": "mitigates", - "description": "Network allowlists can be implemented through either host-based files or system host files to specify what external connections (e.g., IP address, MAC address, port, protocol) can be made from a device. Allowlist techniques that operate at the application layer (e.g., DNP3, Modbus, HTTP) are addressed in the [Filter Network Traffic](https://attack.mitre.org/mitigations/M0937) mitigation.", - "source_ref": "course-of-action--aadac250-bcdc-44e3-a4ae-f52bd0a7a16a", - "target_ref": "attack-pattern--e076cca8-2f08-45c9-aff7-ea5ac798b387", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "relationship", - "id": "relationship--2f6b635b-1441-4ef0-9289-1ed6b9098d4a", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.240Z", - "relationship_type": "mitigates", - "description": "Reduce the range of RF communications to their intended operating range when possible. 
Propagation reduction methods may include (i) reducing transmission power on wireless signals, (ii) adjusting antenna gain to prevent extensions beyond organizational boundaries, and (iii) employing RF shielding techniques to block excessive signal propagation. (Citation: DHS National Urban Security Technology Laboratory April 2019)\n", - "source_ref": "course-of-action--fce6866f-9a87-4d3e-a73c-f02d8937fe0e", - "target_ref": "attack-pattern--0fe075d5-beac-4d02-b93e-0f874997db72", - "external_references": [ - { - "source_name": "DHS National Urban Security Technology Laboratory April 2019", - "description": "DHS National Urban Security Technology Laboratory 2019, April Radio Frequency Detection, Spectrum Analysis, and Direction Finding Equipment Retrieved. 2020/09/17 ", - "url": "https://www.dhs.gov/sites/default/files/saver-msr-rf-detection_cod-508_10july2019.pdf" - } - ], - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - "type": "relationship", - "id": "relationship--1f804c9f-3b65-47eb-89f3-83edd0422fdc", - "created": "2022-05-11T16:22:58.807Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-10-14T19:34:32.554Z", - "description": "Monitor for changes made to files that may stop or disable services on a system to render those services unavailable to legitimate users.", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--84572de3-9583-4c73-aabd-06ea88123dd8", - "target_ref": "attack-pattern--063b5b92-5361-481a-9c3f-95492ed9a2d8", "x_mitre_deprecated": false, "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "2.1.0", 
@@ -17428,294 +21512,17 @@ }, { "type": "relationship", - "id": "relationship--8a604466-8437-4fe6-b6db-ec8fb05d702a", - "created": "2018-10-17T00:14:20.652Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "external_references": [ - { - "source_name": "Anton Cherepanov, ESET June 2017", - "description": "Anton Cherepanov, ESET 2017, June 12 Win32/Industroyer: A new threat for industrial control systems Retrieved. 2017/09/15 ", - "url": "https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf" - } - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-09-23T18:49:59.817Z", - "description": "In [Industroyer](https://attack.mitre.org/software/S0604) the first COM port from the configuration file is used for the actual communication and the two other COM ports are just opened to prevent other processes accessing them. Thus, the IEC 101 payload component is able to take over and maintain control of the RTU device. 
(Citation: Anton Cherepanov, ESET June 2017)", - "relationship_type": "uses", - "source_ref": "malware--e401d4fe-f0c9-44f0-98e6-f93487678808", - "target_ref": "attack-pattern--1c478716-71d9-46a4-9a53-fa5d576adb60", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "type": "relationship", - "id": "relationship--00b98fa6-4913-40a4-8920-befed8621c41", - "created": "2022-05-11T16:22:58.806Z", + "id": "relationship--8baa4d55-c235-44da-b6fe-8866cf7f9915", + "created": "2022-05-11T16:22:58.803Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2022-09-26T15:15:33.180Z", - "description": "Monitor ICS asset application logs that indicate alarm settings have changed, although not all assets will produce such logs.", + "modified": "2022-09-26T15:08:06.789Z", + "description": "Monitor application logs for changes to settings and other events associated with network protocols that may be used to block communications.", "relationship_type": "detects", "source_ref": "x-mitre-data-component--9c2fa0ae-7abc-485a-97f6-699e3b6cf9fa", - "target_ref": "attack-pattern--e5de767e-f513-41cd-aa15-33f6ce5fbf92", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "type": "relationship", - "id": "relationship--067932c3-0011-4ca2-9bbe-721c631e4e41", - "created": "2021-04-13T12:45:26.506Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "external_references": [ - { - "source_name": "Daavid Hentunen, Antti Tikkanen June 2014", - "description": "Daavid Hentunen, Antti Tikkanen 2014, June 23 Havex Hunts For ICS/SCADA Systems Retrieved. 
2019/04/01 ", - "url": "https://www.f-secure.com/weblog/archives/00002718.html" - }, - { - "source_name": "ICS-CERT August 2018", - "description": "ICS-CERT 2018, August 22 Advisory (ICSA-14-178-01) Retrieved. 2019/04/01 ", - "url": "https://ics-cert.us-cert.gov/advisories/ICSA-14-178-01" - } - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-10-12T17:19:04.571Z", - "description": "The [Backdoor.Oldrea](https://attack.mitre.org/software/S0093) payload gathers server information that includes CLSID, server name, Program ID, OPC version, vendor information, running state, group count, and server bandwidth. This information helps indicate the role the server has in the control process. (Citation: ICS-CERT August 2018) (Citation: Daavid Hentunen, Antti Tikkanen June 2014)", - "relationship_type": "uses", - "source_ref": "malware--083bb47b-02c8-4423-81a2-f9ef58572974", - "target_ref": "attack-pattern--2fedbe69-581f-447d-8a78-32ee7db939a9", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "relationship", - "id": "relationship--8ca2fe75-9bb3-4af5-8fee-accd33d6d2ec", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.101Z", - "relationship_type": "mitigates", - "description": "Ensure remote commands that enable device shutdown are disabled if they are not necessary. 
Examples include DNP3's 0x0D function code or unnecessary device management functions.\n", - "source_ref": "course-of-action--d0909119-2f71-4923-87db-b649881672d7", - "target_ref": "attack-pattern--25dfc8ad-bd73-4dfd-84a9-3c3d383f76e9", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - "type": "relationship", - "id": "relationship--5886d4a1-2d4c-40d5-a689-69c475ab6ee2", - "created": "2022-09-26T15:37:30.958Z", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-09-26T15:37:30.958Z", - "description": "Monitor for loss of network traffic which could indicate alarms are being suppressed. A loss of expected communications associated with network protocols used to communicate alarm events or process data could indicate this technique is being used. This will not directly detect the technique’s execution, but instead may provide additional evidence that the technique has been used and may complement other detections.", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--a7f22107-02e5-4982-9067-6625d4a1765a", - "target_ref": "attack-pattern--2900bbd8-308a-4274-b074-5b8bde8347bc", - "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "2.1.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "type": "relationship", - "id": "relationship--f29ecf69-1753-44bb-9b80-1025f49cadda", - "created": "2017-12-14T16:46:06.044Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "external_references": [ - { - "source_name": "Nicolas Falliere, Liam O Murchu, Eric Chien February 2011", - "description": "Nicolas Falliere, Liam O Murchu, Eric Chien 2011, February W32.Stuxnet Dossier (Version 1.4) 
Retrieved. 2017/09/22 ", - "url": "https://www.wired.com/images_blogs/threatlevel/2011/02/Symantec-Stuxnet-Update-Feb-2011.pdf" - } - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-09-20T21:24:02.276Z", - "description": "DP_RECV is the name of a standard function block used by network coprocessors. It is used to receive network frames on the Profibus a standard industrial network bus used for distributed I/O. The original block is copied to FC1869, and then replaced by a malicious block. Each time the function is used to receive a packet, the malicious [Stuxnet](https://attack.mitre.org/software/S0603) block takes control: it will call the original DP_RECV in FC1869 and then perform postprocessing on the packet data. The replaced DP_RECV block (later on referred to as the DP_RECV monitor) is meant to monitor data sent by the frequency converter drives to the 315-2 CPU via CP 342-5 Profibus communication modules. (Citation: Nicolas Falliere, Liam O Murchu, Eric Chien February 2011)", - "relationship_type": "uses", - "source_ref": "malware--088f1d6e-0783-47c6-9923-9c79b2af43d4", - "target_ref": "attack-pattern--38213338-1aab-479d-949b-c81b66ccca5c", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "type": "relationship", - "id": "relationship--9e8990f9-475b-43fe-91fb-25cc0634f0aa", - "created": "2022-05-11T16:22:58.803Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-09-26T15:00:56.539Z", - "description": "Monitor for a loss of network communications, which may indicate this technique is being used.", - "relationship_type": "detects", - "source_ref": 
"x-mitre-data-component--a7f22107-02e5-4982-9067-6625d4a1765a", - "target_ref": "attack-pattern--008b8f56-6107-48be-aa9f-746f927dbb61", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "relationship", - "id": "relationship--d3c94120-e6b5-4bd2-88f0-9c73f76b0104", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.227Z", - "relationship_type": "mitigates", - "description": "Ensure anti-virus solution can detect malicious files that allow user execution (e.g., Microsoft Office Macros, program installers).\n", - "source_ref": "course-of-action--faf2b40e-5981-433f-aa46-17458e0026f7", - "target_ref": "attack-pattern--2736b752-4ec5-4421-a230-8977dea7649c", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "relationship", - "id": "relationship--5dfa5bad-8b0b-4884-bf01-04ea89e3ccf7", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.235Z", - "relationship_type": "mitigates", - "description": "Consider using IP allowlisting along with user account management to ensure that data access is restricted not only to valid users but only from expected IP ranges to mitigate the use of stolen credentials to access data.\n", - "source_ref": "course-of-action--11f242bc-3121-438c-84b2-5cbd46a4bb17", - "target_ref": "attack-pattern--cd2c76a4-5e23-4ca5-9c40-d5e0604f7101", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": 
"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "relationship", - "id": "relationship--c78f497f-01c3-4efb-aa74-92b700b9c02b", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.186Z", - "relationship_type": "mitigates", - "description": "When at rest, project files should be encrypted to prevent unauthorized changes. (Citation: National Institute of Standards and Technology April 2013)\n", - "source_ref": "course-of-action--9f99fcfd-772e-4e63-9d39-e45612e546dc", - "target_ref": "attack-pattern--e72425f8-9ae6-41d3-bfdb-e1b865e60722", - "external_references": [ - { - "source_name": "National Institute of Standards and Technology April 2013", - "description": "National Institute of Standards and Technology 2013, April Security and Privacy Controls for Federal Information Systems and Organizations Retrieved. 
2020/09/17 ", - "url": "https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf" - } - ], - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - "type": "relationship", - "id": "relationship--99c0c90e-8526-41d6-80ca-b037598c6326", - "created": "2022-09-26T19:37:35.412Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-10-14T19:36:13.269Z", - "description": "Monitor for newly constructed services/daemons through Windows event logs for event IDs 4697 and 7045.", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--5297a638-1382-4f0c-8472-0d21830bf705", - "target_ref": "attack-pattern--9a505987-ab05-4f46-a9a6-6441442eec3b", - "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "type": "relationship", - "id": "relationship--40479f3e-d4d2-45f8-893f-f8a4fcf1613c", - "created": "2022-09-28T21:16:28.195Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "external_references": [ - { - "source_name": "Wylie-22", - "description": "Jimmy Wylie. (2022, August). Analyzing PIPEDREAM: Challenges in Testing an ICS Attack Toolkit. 
Defcon 30.", - "url": "https://media.defcon.org/DEF%20CON%2030/DEF%20CON%2030%20presentations/Jimmy%20Wylie%20-%20Analyzing%20PIPEDREAM%20Challenges%20in%20testing%20an%20ICS%20attack%20toolkit.pdf" - } - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-10-13T16:53:47.435Z", - "description": "The [INCONTROLLER](https://attack.mitre.org/software/S1045) PLCProxy module can add an IP route to the CODESYS gateway running on Schneider PLCs to allow it to route messages through the PLC to other devices on that network. This allows the malware to bypass firewall rules that prevent it from directly communicating with devices on the same network as the PLC.(Citation: Wylie-22)", - "relationship_type": "uses", - "source_ref": "malware--d3aa1058-b1b3-4c29-a3ba-9a9b90ccd93b", - "target_ref": "attack-pattern--d67adac8-e3b9-44f9-9e6d-6c2a7d69dbe4", - "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "relationship", - "id": "relationship--64db6a39-64d2-4999-97d7-91c28c32f42e", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.101Z", - "relationship_type": "mitigates", - "description": "Perform inline allowlisting of automation protocol commands to prevent devices from sending unauthorized command or reporting messages. 
Allow/denylist techniques need to be designed with sufficient accuracy to prevent the unintended blocking of valid messages.\n", - "source_ref": "course-of-action--11f242bc-3121-438c-84b2-5cbd46a4bb17", - "target_ref": "attack-pattern--2aa406ed-81c3-4c1d-ba83-cfbee5a2847a", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - "type": "relationship", - "id": "relationship--3439d550-61d5-40b4-a514-341509d3f701", - "created": "2022-05-11T16:22:58.803Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-09-26T15:08:28.052Z", - "description": "Monitor for the termination of processes or services associated with ICS automation protocols and application software which could help detect blocked communications.", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--61f1d40e-f3d0-4cc6-aa2d-937b6204194f", "target_ref": "attack-pattern--3f1f4ccb-9be2-4ff8-8f69-dd972221169b", "x_mitre_deprecated": false, "x_mitre_version": "1.0", 
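Review bot: The added `"id": "relationship--8baa4d55-c235-44da-b6fe-8866cf7f9915"` reuses the context lines of a different removed object (`relationship--00b98fa6-4913-40a4-8920-befed8621c41`), so this hunk cannot show whether the roughly fifteen removed `detects`/`mitigates`/`uses` relationships were deleted or only moved elsewhere in the bundle. The jump in the header from old line 17428 to new line 21512 suggests a reorder, but that is an inference. Key order also varies between objects here: some start with `"object_marking_refs"`, others with `"type"`. Exporting the `objects` array sorted by `id`, with a fixed key order, would keep later diffs identity-stable. Until then, a dropped detection or mitigation mapping is only visible through an id-keyed comparison of the old and new bundles. The same pattern recurs in the hunks at `@@ -17724,146 +21531,26 @@` and `@@ -17873,14 +21560,14 @@`.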
@@ -17724,146 +21531,26 @@ }, { "type": "relationship", - "id": "relationship--3663f10d-4a2c-4d37-bf5f-337c9891c2f4", - "created": "2022-05-11T16:22:58.808Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-09-27T15:55:14.211Z", - "description": "Monitor for newly executed processes that depend on user interaction, especially for applications that can embed programmatic capabilities (e.g., Microsoft Office products with scripts, installers, zip files). This includes compression applications, such as those for zip files, that can be used to [Deobfuscate/Decode Files or Information](https://attack.mitre.org/techniques/T1140) in payloads. For added context on adversary procedures and background see [User Execution](https://attack.mitre.org/techniques/T1204) and applicable sub-techniques.", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--685f917a-e95e-4ba0-ade1-c7d354dae6e0", - "target_ref": "attack-pattern--2736b752-4ec5-4421-a230-8977dea7649c", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "type": "relationship", - "id": "relationship--8985cd3c-1429-4681-ad2e-9b3e46588a44", - "created": "2022-05-11T16:22:58.806Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-09-26T18:41:09.265Z", - "description": "Monitor ICS management protocols / file transfer protocols for protocol functions related to firmware changes.", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c", - "target_ref": "attack-pattern--efbf7888-f61b-4572-9c80-7e2965c60707", - 
"x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "relationship", - "id": "relationship--5de6bf53-0a02-439b-a8d0-248fa9640a36", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.201Z", - "relationship_type": "mitigates", - "description": "Audit the integrity of PLC system and application code functionality, such as the manipulation of standard function blocks (e.g., Organizational Blocks) that manage the execution of application logic programs. (Citation: IEC February 2019)\n", - "source_ref": "course-of-action--bcf91ebc-f316-4e19-b2f6-444e9940c697", - "target_ref": "attack-pattern--3b6b9246-43f8-4c69-ad7a-2b11cfe0a0d9", - "external_references": [ - { - "source_name": "IEC February 2019", - "description": "IEC 2019, February Security for industrial automation and control systems - Part 4-2: Technical security requirements for IACS components Retrieved. 2020/09/25 ", - "url": "https://webstore.iec.ch/publication/34421" - } - ], - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - "type": "relationship", - "id": "relationship--e3923fcf-5580-4c1e-bc55-33f67792cc00", - "created": "2022-09-28T20:25:51.024Z", + "id": "relationship--a1cbbdb5-30ad-4139-9784-e5a134f8d405", + "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { - "source_name": "Dragos-Pipedream", - "description": "DRAGOS. (2022, April 13). Pipedream: Chernovite’s Emerging Malware Targeting Industrial Control Systems. 
Retrieved September 28, 2022.", - "url": "https://hub.dragos.com/hubfs/116-Whitepapers/Dragos_ChernoviteWP_v2b.pdf?hsLang=en" - }, - { - "source_name": "Wylie-22", - "description": "Jimmy Wylie. (2022, August). Analyzing PIPEDREAM: Challenges in Testing an ICS Attack Toolkit. Defcon 30.", - "url": "https://media.defcon.org/DEF%20CON%2030/DEF%20CON%2030%20presentations/Jimmy%20Wylie%20-%20Analyzing%20PIPEDREAM%20Challenges%20in%20testing%20an%20ICS%20attack%20toolkit.pdf" - }, - { - "source_name": "Brubaker-Incontroller", - "description": "Nathan Brubaker, Keith Lunden, Ken Proska, Muhammad Umair, Daniel Kapellmann Zafra, Corey Hildebrandt, Rob Caldwell. (2022, April 13). INCONTROLLER: New State-Sponsored Cyber Attack Tools Target Multiple Industrial Control Systems. Retrieved September 28, 2022.", - "url": "https://www.mandiant.com/resources/incontroller-state-sponsored-ics-tool" + "source_name": "Dragos Inc. June 2017", + "description": "Dragos Inc. 2017, June 13 Industroyer - Dragos - 201706: Analysis of the Threat to Electic Grid Operations Retrieved. 2017/09/18 ", + "url": "https://dragos.com/blog/crashoverride/CrashOverride-01.pdf" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2022-10-13T16:53:47.448Z", - "description": "[INCONTROLLER](https://attack.mitre.org/software/S1045) can wipe the memory of Omron PLCs and reset settings through the remote HTTP service.(Citation: Brubaker-Incontroller)(Citation: Dragos-Pipedream)(Citation: Wylie-22) ", + "modified": "2022-09-23T18:55:26.032Z", + "description": "[Industroyer](https://attack.mitre.org/software/S0604) has a destructive wiper that overwrites all ICS configuration files across the hard drives and all mapped network drives specifically targeting ABB PCM600 configuration files. (Citation: Dragos Inc. 
June 2017)", "relationship_type": "uses", - "source_ref": "malware--d3aa1058-b1b3-4c29-a3ba-9a9b90ccd93b", + "source_ref": "malware--e401d4fe-f0c9-44f0-98e6-f93487678808", "target_ref": "attack-pattern--493832d9-cea6-4b63-abe7-9a65a6473675", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "relationship", - "id": "relationship--20a0d820-59ef-42fc-9f56-7a93d1ce7a84", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.084Z", - "relationship_type": "mitigates", - "description": "If it is possible to inspect HTTPS traffic, the captures can be analyzed for connections that appear to be domain fronting.\n", - "source_ref": "course-of-action--6a02e38a-9629-40c0-8c7d-e98e3470315c", - "target_ref": "attack-pattern--d67adac8-e3b9-44f9-9e6d-6c2a7d69dbe4", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - "type": "relationship", - "id": "relationship--de8b8a69-5f08-421a-96f0-2bed5707508d", - "created": "2022-05-11T16:22:58.808Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "external_references": [ - { - "source_name": "Nzyme Alerts Intro", - "description": "Koopmann, Lennart. (n.d.). Nzyme Alerts Introduction. Retrieved September 26, 2022.", - "url": "https://www.nzyme.org/docs/alerts/intro" - }, - { - "source_name": "Wireless Intrusion Detection", - "description": "Tomko, A.; Rieser, C; Buell, H.; Zeret, D.; Turner, W.. (2007, March). Wireless Intrusion Detection. 
Retrieved September 26, 2022.", - "url": "https://apps.dtic.mil/sti/pdfs/ADA466332.pdf" - } - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-09-26T18:57:13.322Z", - "description": "New or irregular network traffic flows may indicate potentially unwanted devices or sessions on wireless networks. In Wi-Fi networks monitor for changes such as rogue access points or low signal strength, indicating a device is further away from the access point then expected and changes in the physical layer signal.(Citation: Nzyme Alerts Intro) (Citation: Wireless Intrusion Detection) Network traffic content will provide important context, such as hardware (e.g., MAC) addresses, user accounts, and types of messages sent.", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--a7f22107-02e5-4982-9067-6625d4a1765a", - "target_ref": "attack-pattern--2877063e-1851-48d2-bcc6-bc1d2733157e", - "x_mitre_deprecated": false, "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" 
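Review bot: The citation added for `"source_name": "Dragos Inc. June 2017"` misspells the title ("Electic Grid Operations") and uses the run-together form "Retrieved. 2017/09/18 " with a trailing space. The references removed in this same hunk (e.g. `Dragos-Pipedream`, `Nzyme Alerts Intro`) use the structured "Author. (date). Title. Retrieved Month D, YYYY." form. Consumers that render or match on `external_references` will carry the typo and the inconsistent date format forward. I would normalise it to `"description": "Dragos Inc. (2017, June 13). Industroyer - Dragos - 201706: Analysis of the Threat to Electric Grid Operations. Retrieved September 18, 2017."`. The enclosing relationship object closes outside this hunk.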
@@ -17873,14 +21560,14 @@ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", - "id": "relationship--ff3f0668-98df-44c1-88c2-711f05720eb8", + "id": "relationship--f951d934-d555-45e9-a564-27b84518cae4", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.060Z", + "modified": "2022-05-06T17:47:24.070Z", "relationship_type": "mitigates", - "description": "Restrict configurations changes and firmware updating abilities to only authorized individuals.\n", - "source_ref": "course-of-action--e0d38502-decb-481d-ad8b-b8f0a0c330bd", - "target_ref": "attack-pattern--19a71d1e-6334-4233-8260-b749cae37953", + "description": "Unauthorized connections can be prevented by statically defining the hosts and ports used for automation protocol connections.\n", + "source_ref": "course-of-action--52c7a1a9-3a78-4528-a44f-cd7b0fa3541a", + "target_ref": "attack-pattern--008b8f56-6107-48be-aa9f-746f927dbb61", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0" 
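Review bot: The removed and added lines in this hunk appear to belong to two different relationships rather than one edited record: `id`, `description`, `source_ref` and `target_ref` all change together while `created` stays the same, which suggests the bundle's `objects` array was re-serialised in a different order. The hunks at -17890, -17928 and -18060 show the same pattern, with a removed `uses` or `detects` record sitting opposite an unrelated `mitigates` record. With this layout the diff cannot show whether a relationship was dropped from the ICS bundle or only moved, and that matters to any tooling that derives detection or mitigation coverage from it. I would have the export write `objects` sorted by `id` with a fixed key order, so that a content release shows only real additions, removals and text changes.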
@@ -17890,14 +21577,14 @@ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", - "id": "relationship--7411b05d-209a-4907-83ce-00ab1538fbac", + "id": "relationship--7dedeb73-ef90-4282-a635-cc37326773af", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.084Z", + "modified": "2022-05-06T17:47:24.083Z", "relationship_type": "mitigates", - "description": "Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate activity at the network level. Signatures are often for unique indicators within protocols and may be based on the specific C2 protocol used by a particular adversary or tool and will likely be different across various malware families and versions. Adversaries will likely change tool C2 signatures over time or construct protocols in such a way as to avoid detection by common defensive tools. (Citation: Gardiner, J., Cova, M., Nagaraja, S February 2014)\n", + "description": "Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate activity at the network level. Signatures are often for unique indicators within protocols and may be based on the specific protocol used by a particular adversary or tool and will likely be different across various malware families and versions. Adversaries will likely change tool C2 signatures over time or construct protocols in such a way as to avoid detection by common defensive tools. 
(Citation: Gardiner, J., Cova, M., Nagaraja, S February 2014)\n", "source_ref": "course-of-action--3172222b-4983-43f7-8983-753ded4f13bc", - "target_ref": "attack-pattern--d67adac8-e3b9-44f9-9e6d-6c2a7d69dbe4", + "target_ref": "attack-pattern--e6c31185-8040-4267-83d3-b217b8a92f07", "external_references": [ { "source_name": "Gardiner, J., Cova, M., Nagaraja, S February 2014", 
@@ -17909,18 +21596,54 @@ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0" }, + { + "type": "relationship", + "id": "relationship--94c903f4-a6c1-40c4-9e9b-0896a5d43b7e", + "created": "2022-09-27T15:48:55.986Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-09-27T15:48:55.986Z", + "description": "Monitor device alarms that indicate controller task parameters have changed, although not all devices produce such alarms.\n \n[Program Download](https://attack.mitre.org/techniques/T0843) may be used to enable this technique. Monitor for program downloads which may be noticeable via operational alarms. Asset management systems should be consulted to understand expected program versions.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--9d56be63-3501-4dd3-bb5f-63c580833298", + "target_ref": "attack-pattern--09a61657-46e1-439e-b3ed-3e4556a78243", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "2.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", - "id": "relationship--b363cbbb-679c-47e0-8ad0-af98ebf51e60", + "id": "relationship--5d33de22-35b0-47fa-bc63-f984522340b7", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.068Z", + "relationship_type": "mitigates", + "description": "Unauthorized connections can be prevented by statically defining the hosts and ports used for automation protocol connections.\n", + "source_ref": "course-of-action--52c7a1a9-3a78-4528-a44f-cd7b0fa3541a", + "target_ref": "attack-pattern--2900bbd8-308a-4274-b074-5b8bde8347bc", + 
"x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--3f335e8f-68da-4b06-9d96-f371ddaf23e6", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2020-09-21T17:59:24.739Z", "modified": "2022-05-06T17:47:24.236Z", "relationship_type": "mitigates", - "description": "Utilize strong cryptographic techniques and protocols to prevent eavesdropping on network communications.\n", - "source_ref": "course-of-action--7f153c28-e5f1-4764-88fb-eea1d9b0ad4a", + "description": "Ensure wireless networks require the authentication of all devices, and that all wireless devices also authenticate network infrastructure devices (i.e., mutual authentication). For defense-in-depth purposes, utilize VPNs or ensure that application-layer protocols also authenticate the system or device. Use protocols that provide strong authentication (e.g., IEEE 802.1X), and enforce basic protections, such as MAC filtering, when stronger cryptographic techniques are not available.\n", + "source_ref": "course-of-action--72e46e53-e12d-4106-9c70-33241b6ed549", "target_ref": "attack-pattern--2877063e-1851-48d2-bcc6-bc1d2733157e", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", 
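Review bot: The added wireless mitigation text offers MAC filtering as the fallback `when stronger cryptographic techniques are not available`, which reads as if address filtering were a weaker form of authentication. A hardware address is sent unprotected and is chosen by the client, so filtering on it does not establish device identity and mainly limits accidental association. If the description can be amended in this bundle rather than upstream, I would append `Address filtering does not authenticate a device; pair it with monitoring for unknown or duplicated hardware addresses.` The new `detects` relationship at the top of the same hunk also carries a stray `\n \n` in its description.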
@@ -17928,64 +21651,7 @@ }, { "type": "relationship", - "id": "relationship--c7a1037f-cb28-40d4-be19-78e2f0e0aa68", - "created": "2022-05-11T16:22:58.807Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "external_references": [ - { - "source_name": "ACSC Email Spoofing", - "description": "Australian Cyber Security Centre. (2012, December). Mitigating Spoofed Emails Using Sender Policy Framework. Retrieved October 19, 2020.", - "url": "https://www.cyber.gov.au/sites/default/files/2019-03/spoof_email_sender_policy_framework.pdf" - }, - { - "source_name": "Microsoft Anti Spoofing", - "description": "Microsoft. (2020, October 13). Anti-spoofing protection in EOP. Retrieved October 19, 2020.", - "url": "https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/anti-spoofing-protection?view=o365-worldwide" - } - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-10-14T19:48:02.425Z", - "description": "Monitor mail server and proxy logs for evidence of messages originating from spoofed addresses, including records indicating failed DKIM+SPF validation or mismatched message headers.(Citation: Microsoft Anti Spoofing)(Citation: ACSC Email Spoofing) Anti-virus can potentially detect malicious documents and attachments as they're scanned to be stored on the email server or on the user's computer.", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--9c2fa0ae-7abc-485a-97f6-699e3b6cf9fa", - "target_ref": "attack-pattern--648f995e-9c3a-41e4-aeee-98bb41037426", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "type": "relationship", - "id": "relationship--10e3816e-8ee2-4dcf-81b7-a22ec0b6fda5", - "created": "2021-04-11T14:06:54.109Z", - "created_by_ref": 
"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "external_references": [ - { - "source_name": "UNITED STATES DISTRICT COURT WESTERN DISTRICT OF PENNSYLVANIA October 2020", - "description": "UNITED STATES DISTRICT COURT WESTERN DISTRICT OF PENNSYLVANIA 2020, October 15 Indictment: Conspiracy to Commit an Offense Against the United States Retrieved. 2021/04/07 ", - "url": "https://www.justice.gov/opa/press-release/file/1328521/download" - } - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-10-12T16:53:50.448Z", - "description": "In the Ukraine 2015 incident, [Sandworm Team](https://attack.mitre.org/groups/G0034) sent spearphishing attachments to three energy distribution companies containing malware to gain access to victim systems. (Citation: UNITED STATES DISTRICT COURT WESTERN DISTRICT OF PENNSYLVANIA October 2020)", - "relationship_type": "uses", - "source_ref": "intrusion-set--381fcf73-60f6-4ab2-9991-6af3cbc35192", - "target_ref": "attack-pattern--648f995e-9c3a-41e4-aeee-98bb41037426", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "type": "relationship", - "id": "relationship--1c831708-28c2-47ae-a158-39f1f7b73406", + "id": "relationship--9902691c-aaf2-48a1-b1ca-cd6f652ae1c6", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, 
@@ -17999,11 +21665,11 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2022-09-29T20:10:57.573Z", - "description": "The [Industroyer](https://attack.mitre.org/software/S0604) IEC 61850 payload component has the ability to discover relevant devices in the infected host's network subnet by attempting to connect on port 102.(Citation: Anton Cherepanov, ESET June 2017)\n\n[Industroyer](https://attack.mitre.org/software/S0604) contains an OPC DA module that enumerates all OPC servers using the `ICatInformation::EnumClassesOfCategories` method with `CATID_OPCDAServer20` category identifier and `IOPCServer::GetStatus` to identify the ones running.", + "modified": "2022-09-23T18:53:25.280Z", + "description": "[Industroyer](https://attack.mitre.org/software/S0604) is able to block serial COM channels temporarily causing a denial of control. (Citation: Anton Cherepanov, ESET June 2017)", "relationship_type": "uses", "source_ref": "malware--e401d4fe-f0c9-44f0-98e6-f93487678808", - "target_ref": "attack-pattern--d5a69cfb-fc2a-46cb-99eb-74b236db5061", + "target_ref": "attack-pattern--e33c7ecc-5a38-497f-beb2-a9a2049a4c20", "x_mitre_deprecated": false, "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "2.1.0", 
@@ -18011,25 +21677,18 @@ }, { "type": "relationship", - "id": "relationship--dc15440d-6683-435a-8c87-64daea29bcaa", - "created": "2021-04-11T14:06:54.109Z", + "id": "relationship--fe22637e-7187-4990-b24a-5dc851eec736", + "created": "2022-05-11T16:22:58.803Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, - "external_references": [ - { - "source_name": "Electricity Information Sharing and Analysis Center; SANS Industrial Control Systems March 2016", - "description": "Electricity Information Sharing and Analysis Center; SANS Industrial Control Systems 2016, March 18 Analysis of the Cyber Attack on the Ukranian Power Grid: Defense Use Case Retrieved. 2018/03/27 ", - "url": "https://assets.contentstack.io/v3/assets/blt36c2e63521272fdc/blt6a77276749b76a40/607f235992f0063e5c070fff/E-ISAC_SANS_Ukraine_DUC_5%5b73%5d.pdf" - } - ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2022-10-12T17:01:03.550Z", - "description": "In the Ukraine 2015 Incident, [Sandworm Team](https://attack.mitre.org/groups/G0034) blocked command messages by using malicious firmware to render communication devices inoperable. (Citation: Electricity Information Sharing and Analysis Center; SANS Industrial Control Systems March 2016)", - "relationship_type": "uses", - "source_ref": "intrusion-set--381fcf73-60f6-4ab2-9991-6af3cbc35192", - "target_ref": "attack-pattern--008b8f56-6107-48be-aa9f-746f927dbb61", + "modified": "2022-09-26T15:08:55.507Z", + "description": "Monitor for lack of operational process data which may help identify a loss of communications. 
This will not directly detect the technique’s execution, but instead may provide additional evidence that the technique has been used and may complement other detections.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--931b3fc6-ad68-42a8-9018-e98515eedc95", + "target_ref": "attack-pattern--3f1f4ccb-9be2-4ff8-8f69-dd972221169b", "x_mitre_deprecated": false, "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "2.1.0", 
@@ -18040,19 +21699,19 @@ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", - "id": "relationship--6be4cef2-3d54-4cd8-97df-8a8b37c03605", + "id": "relationship--e852e64c-b5e0-4e7f-a189-bbc7aa7932c7", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.089Z", + "modified": "2022-05-06T17:47:24.097Z", "relationship_type": "mitigates", - "description": "Utilize central storage servers for critical operations where possible (e.g., historians) and keep remote backups. For outstations, use local redundant storage for event recorders. Have backup control system platforms, preferably as hot-standbys to respond immediately to data destruction events. (Citation: National Institute of Standards and Technology April 2013)\n", - "source_ref": "course-of-action--ad12819e-3211-4291-b360-069f280cff0a", - "target_ref": "attack-pattern--493832d9-cea6-4b63-abe7-9a65a6473675", + "description": "Hot-standbys in diverse locations can ensure continued operations if the primarily system are compromised or unavailable. At the network layer, protocols such as the Parallel Redundancy Protocol can be used to simultaneously use redundant and diverse communication over a local network. (Citation: M. Rentschler and H. Heine)\n", + "source_ref": "course-of-action--f0f5c87a-a58d-440a-b3b5-ca679d98c6dd", + "target_ref": "attack-pattern--56ddc820-6cfb-407f-850b-52c035d123ac", "external_references": [ { - "source_name": "National Institute of Standards and Technology April 2013", - "description": "National Institute of Standards and Technology 2013, April Security and Privacy Controls for Federal Information Systems and Organizations Retrieved. 2020/09/17 ", - "url": "https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf" + "source_name": "M. Rentschler and H. Heine", + "description": "M. Rentschler and H. 
Heine The Parallel Redundancy Protocol for industrial IP networks Retrieved. 2020/09/25 ", + "url": "https://ieeexplore.ieee.org/document/6505877" } ], "x_mitre_attack_spec_version": "2.1.0", 
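Review bot: The added redundancy description contains a grammar slip, `if the primarily system are compromised or unavailable`, which should read `if the primary systems are compromised or unavailable`. The new external reference is also incomplete: its description, `M. Rentschler and H. Heine The Parallel Redundancy Protocol for industrial IP networks Retrieved. 2020/09/25 `, has no publication date, a misplaced full stop after `Retrieved` and a trailing space. The citations added in the -18192 hunk follow the same `Retrieved. YYYY/MM/DD ` pattern, and the Department of Homeland Security entry there has no document title at all. Newer references on this page use the form `Author. (date). Title. Retrieved Month D, YYYY.`, and the older ones would be easier to consume if normalised to it.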
@@ -18060,128 +21719,43 @@ "x_mitre_version": "1.0" }, { - "type": "relationship", - "id": "relationship--e323dee4-a896-4a82-85f5-d51d311b0437", - "created": "2021-04-12T18:49:06.044Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "external_references": [ - { - "source_name": "Max Heinemeyer February 2020", - "description": "Max Heinemeyer 2020, February 21 Post-mortem of a targeted Sodinokibi ransomware attack Retrieved. 2021/04/12 ", - "url": "https://www.darktrace.com/en/blog/post-mortem-of-a-targeted-sodinokibi-ransomware-attack/" - } - ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2022-10-12T18:06:56.076Z", - "description": "[REvil](https://attack.mitre.org/software/S0496) uses the SMB protocol to encrypt files located on remotely connected file shares. (Citation: Max Heinemeyer February 2020)", - "relationship_type": "uses", - "source_ref": "malware--ac61f1f9-7bb1-465e-9b8a-c2ce8e88baf5", - "target_ref": "attack-pattern--e1f9cdd2-9511-4fca-90d7-f3e92cfdd0bf", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { "type": "relationship", - "id": "relationship--0dca1f7d-9965-467a-bea5-b8baa7c8b9fc", - "created": "2022-09-26T14:27:28.370Z", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-09-26T14:27:28.370Z", - "description": "Various techniques enable spoofing a reporting message. 
Consider monitoring for [Rogue Master](https://attack.mitre.org/techniques/T0848) and [Adversary-in-the-Middle](https://attack.mitre.org/techniques/T0830) activity which may precede this technique.", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--a7f22107-02e5-4982-9067-6625d4a1765a", - "target_ref": "attack-pattern--8535b71e-3c12-4258-a4ab-40257a1becc4", - "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "2.1.0", + "id": "relationship--9a607f89-85b8-4fba-8eb7-7e4900ea693f", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.203Z", + "relationship_type": "mitigates", + "description": "Network intrusion prevention systems and systems designed to scan and remove malicious email attachments can be used to block activity.\n", + "source_ref": "course-of-action--3172222b-4983-43f7-8983-753ded4f13bc", + "target_ref": "attack-pattern--648f995e-9c3a-41e4-aeee-98bb41037426", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" }, { "type": "relationship", - "id": "relationship--53a54e4a-2b38-4b0c-8f60-252a68767443", + "id": "relationship--b452a076-6d4e-49f5-95ac-16264ef05b1d", "created": "2017-12-14T16:46:06.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { - "source_name": "Nicolas Falliere, Liam O Murchu, Eric Chien February 2011", - "description": "Nicolas Falliere, Liam O Murchu, Eric Chien 2011, February W32.Stuxnet Dossier (Version 1.4) Retrieved. 
2017/09/22 ", - "url": "https://www.wired.com/images_blogs/threatlevel/2011/02/Symantec-Stuxnet-Update-Feb-2011.pdf" + "source_name": "Anton Cherepanov", + "description": "Anton Cherepanov BlackEnergy by the SSHBearDoor: attacks against Ukrainian news media and electric industry Retrieved. 2019/10/29 ", + "url": "https://www.welivesecurity.com/2016/01/03/blackenergy-sshbeardoor-details-2015-attacks-ukrainian-news-media-electric-industry/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2022-09-20T21:12:58.883Z", - "description": "[Stuxnet](https://attack.mitre.org/software/S0603) modifies the Import Address Tables DLLs to hook specific APIs that are used to open project files. (Citation: Nicolas Falliere, Liam O Murchu, Eric Chien February 2011)", + "modified": "2022-10-12T17:55:23.573Z", + "description": "[KillDisk](https://attack.mitre.org/software/S0607) looks for and terminates two non-standard processes, one of which is an ICS application. (Citation: Anton Cherepanov)", "relationship_type": "uses", - "source_ref": "malware--088f1d6e-0783-47c6-9923-9c79b2af43d4", - "target_ref": "attack-pattern--ab390887-afc0-4715-826d-b1b167d522ae", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "type": "relationship", - "id": "relationship--df95c619-33ee-4484-934a-78857717323e", - "created": "2022-05-11T16:22:58.805Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-09-26T19:18:47.783Z", - "description": "Monitor for unusual logins to Internet connected devices or unexpected protocols to/from the Internet. 
Network traffic content will provide valuable context and details about the content of network flows.", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c", - "target_ref": "attack-pattern--f8df6b57-14bc-425f-9a91-6f59f6799307", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "type": "relationship", - "id": "relationship--2057ec71-a94f-49cc-b348-2eeb44899afd", - "created": "2022-05-11T16:22:58.804Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-10-14T18:40:20.312Z", - "description": "Monitor for changes made to a large quantity of files for unexpected modifications in both user directories and directories used to store programs and OS components (e.g., C:\\Windows\\System32). ", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--84572de3-9583-4c73-aabd-06ea88123dd8", - "target_ref": "attack-pattern--493832d9-cea6-4b63-abe7-9a65a6473675", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "type": "relationship", - "id": "relationship--b778b3c3-5dd3-4c0b-b7d9-78e6bb40a544", - "created": "2022-05-11T16:22:58.805Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-09-26T20:51:43.487Z", - "description": "Monitor for unusual network traffic that may indicate additional tools transferred to the system. 
Use network intrusion detection systems, sometimes with SSL/TLS inspection, to look for known malicious scripts (recon, heap spray, and browser identification scripts have been frequently reused), common script obfuscation, and exploit code.", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c", - "target_ref": "attack-pattern--7830cfcf-b268-4ac0-a69e-73c6affbae9a", + "source_ref": "malware--e221eb77-1502-4129-af1d-fe1ad55e7ec6", + "target_ref": "attack-pattern--063b5b92-5361-481a-9c3f-95492ed9a2d8", "x_mitre_deprecated": false, "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "2.1.0", 
@@ -18192,39 +21766,88 @@ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", - "id": "relationship--7c2edd6c-5189-4ba9-af3d-bdaff4a699ca", + "id": "relationship--cd297a7b-4b02-407e-a798-e36fef4cf3a1", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.080Z", + "modified": "2022-05-06T17:47:24.072Z", "relationship_type": "mitigates", - "description": "Consider removing or restricting features that are unnecessary to an asset's intended function within the control environment.\n", - "source_ref": "course-of-action--d0909119-2f71-4923-87db-b649881672d7", - "target_ref": "attack-pattern--24a9253e-8948-4c98-b751-8e2aee53127c", + "description": "Implement network allowlists to minimize serial comm port access to only authorized hosts, such as comm servers and RTUs.\n", + "source_ref": "course-of-action--aadac250-bcdc-44e3-a4ae-f52bd0a7a16a", + "target_ref": "attack-pattern--1c478716-71d9-46a4-9a53-fa5d576adb60", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--088580e9-ccea-426e-9411-c1de60de650d", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.206Z", + "relationship_type": "mitigates", + "description": "Devices should authenticate all messages between master and outstation assets.\n", + "source_ref": "course-of-action--72e46e53-e12d-4106-9c70-33241b6ed549", + "target_ref": "attack-pattern--8535b71e-3c12-4258-a4ab-40257a1becc4", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + 
"object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--c7aac6c9-da16-46e2-8cfa-dca07a0a7562", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.174Z", + "relationship_type": "mitigates", + "description": "Segment operational assets and their management devices based on their functional role within the process. Enabling more strict isolation to more critical control and operational information within the control environment. (Citation: Karen Scarfone; Paul Hoffman September 2009) (Citation: Keith Stouffer May 2015) (Citation: Department of Homeland Security September 2016) (Citation: Dwight Anderson 2014) \n", + "source_ref": "course-of-action--1e7ccfc0-94c8-496e-8d27-032120892291", + "target_ref": "attack-pattern--25852363-5968-4673-b81d-341d5ed90bd1", + "external_references": [ + { + "source_name": "Karen Scarfone; Paul Hoffman September 2009", + "description": "Karen Scarfone; Paul Hoffman 2009, September Guidelines on Firewalls and Firewall Policy Retrieved. 2020/09/25 ", + "url": "https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-41r1.pdf" + }, + { + "source_name": "Keith Stouffer May 2015", + "description": "Keith Stouffer 2015, May Guide to Industrial Control Systems (ICS) Security Retrieved. 2018/03/28 ", + "url": "https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-82r2.pdf" + }, + { + "source_name": "Department of Homeland Security September 2016", + "description": "Department of Homeland Security 2016, September Retrieved. 2020/09/25 ", + "url": "https://us-cert.cisa.gov/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf" + }, + { + "source_name": "Dwight Anderson 2014", + "description": "Dwight Anderson 2014 Protect Critical Infrastructure Systems With Whitelisting Retrieved. 
2020/09/25 ", + "url": "https://www.sans.org/reading-room/whitepapers/ICS/protect-critical-infrastructure-systems-whitelisting-35312" + } + ], "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0" }, { "type": "relationship", - "id": "relationship--73a48431-3597-4a72-acb8-c1e5019073e2", - "created": "2022-05-11T16:22:58.806Z", + "id": "relationship--5c695f49-6c76-4818-88b6-4db2bf029e43", + "created": "2022-05-11T16:22:58.805Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, - "external_references": [ - { - "source_name": "Twitter ItsReallyNick Masquerading Update", - "description": "Carr, N.. (2018, October 25). Nick Carr Status Update Masquerading. Retrieved April 22, 2019.", - "url": "https://twitter.com/ItsReallyNick/status/1055321652777619457" - } - ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2022-10-14T16:41:24.266Z", - "description": "Monitor executed commands and arguments that may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools.(Citation: Twitter ItsReallyNick Masquerading Update)", + "modified": "2022-09-27T17:38:22.073Z", + "description": "Monitor for file creation in conjunction with other techniques (e.g., file transfers using [Remote Services](https://attack.mitre.org/techniques/T0886)).", "relationship_type": "detects", - "source_ref": "x-mitre-data-component--685f917a-e95e-4ba0-ade1-c7d354dae6e0", - "target_ref": "attack-pattern--ba203963-3182-41ac-af14-7e7ebc83cd61", + "source_ref": "x-mitre-data-component--2b3bfe19-d59a-460d-93bb-2f546adc2d2c", + "target_ref": "attack-pattern--ead7bd34-186e-4c79-9a4d-b65bcce6ed9d", "x_mitre_deprecated": false, "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "2.1.0", 
@@ -18232,18 +21855,94 @@ }, { "type": "relationship", - "id": "relationship--b5979643-fefb-460f-b59c-971efe95f121", - "created": "2022-09-27T16:57:48.758Z", + "id": "relationship--214eb531-411c-4b90-9dbf-dc0183cbb919", + "created": "2022-05-11T16:22:58.807Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2022-10-14T16:42:28.408Z", - "description": "Monitor for changes made to services that may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools.", + "modified": "2022-10-14T19:34:19.403Z", + "description": "Monitor executed commands and arguments that may stop or disable services on a system to render those services unavailable to legitimate users.", "relationship_type": "detects", - "source_ref": "x-mitre-data-component--66531bc6-a509-4868-8314-4d599e91d222", - "target_ref": "attack-pattern--ba203963-3182-41ac-af14-7e7ebc83cd61", + "source_ref": "x-mitre-data-component--685f917a-e95e-4ba0-ade1-c7d354dae6e0", + "target_ref": "attack-pattern--063b5b92-5361-481a-9c3f-95492ed9a2d8", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--77821dbb-367e-455f-bcae-b87412e88f1b", + "created": "2022-09-26T16:56:53.939Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-09-26T16:56:53.940Z", + "description": "Monitor asset management systems for device configuration changes which can be used to understand expected parameter settings.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--b05a614b-033c-4578-b4f2-c63a9feee706", + "target_ref": 
"attack-pattern--097924ce-a9a9-4039-8591-e0deedfb8722", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "2.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--058396ca-3af4-444b-b261-74485c47e68c", + "created": "2017-05-31T21:33:27.074Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Joe Slowik April 2019", + "description": "Joe Slowik 2019, April 10 Implications of IT Ransomware for ICS Environments Retrieved. 2019/10/27 ", + "url": "https://dragos.com/blog/industry-news/implications-of-it-ransomware-for-ics-environments/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-12T17:30:17.124Z", + "description": "[Bad Rabbit](https://attack.mitre.org/software/S0606) initially infected IT networks, but by means of an exploit (particularly the SMBv1-targeting MS17-010 vulnerability) spread to industrial networks. (Citation: Joe Slowik April 2019)", + "relationship_type": "uses", + "source_ref": "malware--2eaa5319-5e1e-4dd7-bbc4-566fced3964a", + "target_ref": "attack-pattern--85a45294-08f1-4539-bf00-7da08aa7b0ee", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--51eb15a3-48af-470f-94c0-10f25b366d72", + "created": "2022-09-28T20:30:22.148Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Dragos-Pipedream", + "description": "DRAGOS. (2022, April 13). Pipedream: Chernovite’s Emerging Malware Targeting Industrial Control Systems. 
Retrieved September 28, 2022.", + "url": "https://hub.dragos.com/hubfs/116-Whitepapers/Dragos_ChernoviteWP_v2b.pdf?hsLang=en" + }, + { + "source_name": "Wylie-22", + "description": "Jimmy Wylie. (2022, August). Analyzing PIPEDREAM: Challenges in Testing an ICS Attack Toolkit. Defcon 30.", + "url": "https://media.defcon.org/DEF%20CON%2030/DEF%20CON%2030%20presentations/Jimmy%20Wylie%20-%20Analyzing%20PIPEDREAM%20Challenges%20in%20testing%20an%20ICS%20attack%20toolkit.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-13T16:53:47.436Z", + "description": "[INCONTROLLER](https://attack.mitre.org/software/S1045) can establish a remote HTTP connection to change the operating mode of Omron PLCs.(Citation: Dragos-Pipedream)(Citation: Wylie-22) ", + "relationship_type": "uses", + "source_ref": "malware--d3aa1058-b1b3-4c29-a3ba-9a9b90ccd93b", + "target_ref": "attack-pattern--2883c520-7957-46ca-89bd-dab1ad53b601", "x_mitre_deprecated": false, "x_mitre_version": "0.1", "x_mitre_attack_spec_version": "2.1.0", 
@@ -18254,21 +21953,243 @@ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", - "id": "relationship--dc46ffc2-eac7-4491-8d2a-46cf8e2e963f", + "id": "relationship--d1d98f8c-aea2-4f06-9b0d-c543ed42c6a4", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.218Z", + "modified": "2022-05-06T17:47:24.086Z", "relationship_type": "mitigates", - "description": "Filter for protocols and payloads associated with firmware activation or updating activity.\n", - "source_ref": "course-of-action--11f242bc-3121-438c-84b2-5cbd46a4bb17", + "description": "Ensure that all SIS are segmented from operational networks to prevent them from being targeted by additional adversarial behavior.\n", + "source_ref": "course-of-action--da44255d-85c5-492c-baf3-ee823d44f848", + "target_ref": "attack-pattern--83ebd22f-b401-4d59-8219-2294172cf916", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--ce64ed04-f0ff-4897-b636-3177c9c5d9bb", + "type": "relationship", + "created": "2021-01-20T21:03:13.436Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "US District Court Indictment GRU Unit 74455 October 2020", + "url": "https://www.justice.gov/opa/press-release/file/1328521/download", + "description": "Scott W. Brady. (2020, October 15). United States vs. Yuriy Sergeyevich Andrienko et al.. Retrieved November 25, 2020." + }, + { + "source_name": "Secureworks IRON VIKING ", + "url": "https://www.secureworks.com/research/threat-profiles/iron-viking", + "description": "Secureworks. (2020, May 1). IRON VIKING Threat Profile. Retrieved June 10, 2020." 
+ } + ], + "modified": "2022-02-28T17:02:50.467Z", + "description": "(Citation: US District Court Indictment GRU Unit 74455 October 2020)(Citation: Secureworks IRON VIKING )", + "relationship_type": "uses", + "source_ref": "intrusion-set--381fcf73-60f6-4ab2-9991-6af3cbc35192", + "target_ref": "malware--e221eb77-1502-4129-af1d-fe1ad55e7ec6", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--ec105f62-2552-41fa-8b07-619dc1bf9b19", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.177Z", + "relationship_type": "mitigates", + "description": "Authenticate all access to field controllers before authorizing access to, or modification of, a device's state, logic, or programs. Centralized authentication techniques can help manage the large number of field controller accounts needed across the ICS.\n", + "source_ref": "course-of-action--3992ce42-43e9-4bea-b8db-a102ec3ec1e3", + "target_ref": "attack-pattern--be69c571-d746-4b1f-bdd0-c0c9817e9068", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--9515f24c-1c33-4197-b9c9-b9992bc696ca", + "created": "2021-04-13T11:15:26.506Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Spenneberg, Ralf, Maik Brggemann, and Hendrik Schwartke March 2016", + "description": "Spenneberg, Ralf, Maik Brggemann, and Hendrik Schwartke 2016, March 31 Plc-blaster: A worm living solely in the plc. Retrieved. 
2017/09/19 ", + "url": "https://www.blackhat.com/docs/asia-16/materials/asia-16-Spenneberg-PLC-Blaster-A-Worm-Living-Solely-In-The-PLC-wp.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-12T18:02:12.812Z", + "description": "[PLC-Blaster](https://attack.mitre.org/software/S1006) copies itself to various Program Organization Units (POU) on the target device. The POUs include the Data Block, Function, and Function Block. (Citation: Spenneberg, Ralf, Maik Brggemann, and Hendrik Schwartke March 2016)", + "relationship_type": "uses", + "source_ref": "malware--4dcff507-5af8-47ce-964a-8d9569e9ccfe", + "target_ref": "attack-pattern--fc5fda7e-6b2c-4457-b036-759896a2efa2", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--e1461f8d-6a16-4526-ac0b-0acd27ae8065", + "created": "2022-05-11T16:22:58.806Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-14T16:40:47.334Z", + "description": "Collect file hashes. Monitor for file names that do not match their expected hash. Perform file monitoring. Files with known names but in unusual locations are suspect. Look for indications of common characters that may indicate an attempt to trick users into misidentifying the file type, such as a space as the last character of a file name or the right-to-left override characters\"\\u202E\", \"[U+202E]\", and \"%E2%80%AE\". 
For added context on adversary procedures and background see [Masquerading](https://attack.mitre.org/techniques/T1036) and applicable sub-techniques.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--639e87f3-acb6-448a-9645-258f20da4bc5", + "target_ref": "attack-pattern--ba203963-3182-41ac-af14-7e7ebc83cd61", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--c726e8af-9b98-4ce9-b8f4-3e82e59d5374", + "created": "2022-09-26T14:35:27.430Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-09-26T14:35:27.430Z", + "description": "Monitor for new or unexpected connections to controllers, which could indicate an Unauthorized Command Message being sent via [Rogue Master](https://attack.mitre.org/techniques/T0848).", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--a7f22107-02e5-4982-9067-6625d4a1765a", + "target_ref": "attack-pattern--40b300ba-f553-48bf-862e-9471b220d455", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "2.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--bcaa4f7e-2e84-4bbb-9fb7-ca8fb003108f", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.214Z", + "relationship_type": "mitigates", + "description": "Authenticateconnections fromsoftware and devices to prevent unauthorized systems from accessing protected management functions.\n", + "source_ref": 
"course-of-action--72e46e53-e12d-4106-9c70-33241b6ed549", "target_ref": "attack-pattern--b9160e77-ea9e-4ba9-b1c8-53a3c466b13d", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0" }, { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], "type": "relationship", - "id": "relationship--82b20c35-88c6-49aa-8241-a59512b17b74", + "id": "relationship--41adaf0b-b7ae-4bdb-9a5b-567fd0911d7a", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.145Z", + "relationship_type": "mitigates", + "description": "Protocols used for control functions should provide authenticity through MAC functions or digital signatures. If not, utilize bump-in-the-wire devices or VPNs to enforce communication authenticity between devices that are not capable of supporting this (e.g., legacy controllers, RTUs).\n", + "source_ref": "course-of-action--c7257b6e-4159-4771-b1f3-2bb93adaecac", + "target_ref": "attack-pattern--4c2e1408-9d68-4187-8e6b-a77bc52700ec", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--5f03ee5d-534c-454c-aae3-b41130b00286", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2021-04-13T12:08:26.506Z", + "modified": "2022-05-06T17:47:24.117Z", + "relationship_type": "mitigates", + "description": "Make it difficult for adversaries to advance their operation through exploitation of undiscovered or unpatched vulnerabilities by using sandboxing. Other types of virtualization and application microsegmentation may also mitigate the impact of some types of exploitation. 
Risks of additional exploits and weaknesses in these systems may still exist. (Citation: Dan Goodin March 2017)\n", + "source_ref": "course-of-action--059ba11e-e3dc-49aa-84ca-88197f40d4ea", + "target_ref": "attack-pattern--cfe68e93-ce94-4c0f-a57d-3aa72cedd618", + "external_references": [ + { + "source_name": "Dan Goodin March 2017", + "description": "Dan Goodin 2017, March Virtual machine escape fetches $105,000 at Pwn2Own hacking contest Retrieved. 2020/09/25 ", + "url": "https://arstechnica.com/information-technology/2017/03/hack-that-escapes-vm-by-exploiting-edge-browser-fetches-105000-at-pwn2own/" + } + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--7912946d-1605-465a-a55c-36bb104235ab", + "created": "2022-09-27T16:08:53.157Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-09-27T16:08:53.157Z", + "description": "Monitor device alarms that indicate the program has changed, although not all devices produce such alarms.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--9d56be63-3501-4dd3-bb5f-63c580833298", + "target_ref": "attack-pattern--fc5fda7e-6b2c-4457-b036-759896a2efa2", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "2.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--59c65014-1fee-4c2e-9ece-9883159bbed2", + "created": "2022-05-11T16:22:58.807Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-09-27T19:16:20.286Z", + 
"description": "Remote access tools with built-in features may interact directly with the Windows API to perform these functions outside of typical system utilities. For example, ChangeServiceConfigW may be used by an adversary to prevent services from starting. For added context on adversary procedures and background see [Service Stop](https://attack.mitre.org/techniques/T1489).", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e", + "target_ref": "attack-pattern--063b5b92-5361-481a-9c3f-95492ed9a2d8", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--b8edcf0a-ec53-4203-b3ad-2cc734a1f1dd", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2021-10-14T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.226Z", + "relationship_type": "mitigates", + "description": "Update software on control network assets when possible. If feasible, use modern operating systems and software to reduce exposure to known vulnerabilities.\n", + "source_ref": "course-of-action--97f33c84-8508-45b9-8a1d-cac921828c9e", + "target_ref": "attack-pattern--35392fb4-a31d-4c6a-b9f2-1c65b7f5e6b9", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--e257913e-40ba-4a05-ba97-0c3175c966b5", "created": "2017-12-14T16:46:06.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, 
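Review bot: The `mitigates` relationship added as `relationship--bcaa4f7e-2e84-4bbb-9fb7-ca8fb003108f` has a description with two lost spaces ("Authenticateconnections fromsoftware"), which will appear verbatim wherever this mitigation text is rendered. It should read `Authenticate connections from software and devices to prevent unauthorized systems from accessing protected management functions.` In the same hunk, the file-hash detection text for `relationship--e1461f8d-6a16-4526-ac0b-0acd27ae8065` runs `characters` straight into the quoted `\\u202E` with no space. The PLC-Blaster reference spells the author "Brggemann" in both `source_name` and the `(Citation: …)` key in the description, so a correction to "Brüggemann" has to change both strings together or the citation will no longer resolve. `relationship--ce64ed04-f0ff-4897-b636-3177c9c5d9bb` is also added without `x_mitre_attack_spec_version`, unlike every other object in the hunk, so it is worth confirming the omission is intended.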
@@ -18287,10 +22208,277 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2022-09-20T21:14:10.400Z", - "description": "[Stuxnet](https://attack.mitre.org/software/S0603) was able to self-replicate by being spread through removable drives. A willing insider or unknown third party, such as a contractor, may have brought the removable media into the target environment. (Citation: Nicolas Falliere, Liam O Murchu, Eric Chien February 2011) The earliest version of Stuxnet relied on physical installation, infecting target systems when an infected configuration file carried by a USB stick was opened. (Citation: Ralph Langner November 2013)", + "modified": "2022-09-20T21:19:56.001Z", + "description": "[Stuxnet](https://attack.mitre.org/software/S0603) manipulates the view of operators replaying process input and manipulating the I/O image to evade detection and inhibit protection functions. (Citation: Ralph Langner November 2013) (Citation: Nicolas Falliere, Liam O Murchu, Eric Chien February 2011)", "relationship_type": "uses", "source_ref": "malware--088f1d6e-0783-47c6-9923-9c79b2af43d4", + "target_ref": "attack-pattern--4c2e1408-9d68-4187-8e6b-a77bc52700ec", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--f6b1e463-5db5-40c7-8a6d-5f70194fdadd", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2021-04-21T14:04:49.301Z", + "modified": "2022-05-06T17:47:24.361Z", + "relationship_type": "uses", + "description": "[Dragonfly 2.0](https://attack.mitre.org/groups/G0035) communicated with command and control over TCP ports 445 and 139 or UDP 137 or 138. 
(Citation: Cybersecurity & Infrastructure Security Agency March 2018)", + "source_ref": "intrusion-set--76d59913-1d24-4992-a8ac-05a3eb093f71", + "target_ref": "attack-pattern--e6c31185-8040-4267-83d3-b217b8a92f07", + "external_references": [ + { + "source_name": "Cybersecurity & Infrastructure Security Agency March 2018", + "description": "Cybersecurity & Infrastructure Security Agency 2018, March 15 Alert (TA18-074A) Russian Government Cyber Activity Targeting Energy and Other Critical Infrastructure Sectors Retrieved. 2019/10/11 ", + "url": "https://us-cert.cisa.gov/ncas/alerts/TA18-074A" + } + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--1c3d966a-5995-48ed-919d-25b972010fe9", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.180Z", + "relationship_type": "mitigates", + "description": "Provide the ability to verify the integrity of control logic or programs loaded on a controller. While techniques like CRCs and checksums are commonly used, they are not cryptographically strong and can be vulnerable to collisions. Preferably cryptographic hash functions (e.g., SHA-2, SHA-3) should be used. (Citation: IEC February 2019)\n", + "source_ref": "course-of-action--bcf91ebc-f316-4e19-b2f6-444e9940c697", + "target_ref": "attack-pattern--be69c571-d746-4b1f-bdd0-c0c9817e9068", + "external_references": [ + { + "source_name": "IEC February 2019", + "description": "IEC 2019, February Security for industrial automation and control systems - Part 4-2: Technical security requirements for IACS components Retrieved. 
2020/09/25 ", + "url": "https://webstore.iec.ch/publication/34421" + } + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--54f6293a-1ccb-4dcb-b85c-9a2a57daddb9", + "created": "2022-05-11T16:22:58.805Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-09-26T19:18:27.480Z", + "description": "Monitor for unexpected protocols to/from the Internet. While network traffic content and logon session metadata may directly identify a login event, new Internet-based network flows may also be a reliable indicator of this technique.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--a7f22107-02e5-4982-9067-6625d4a1765a", + "target_ref": "attack-pattern--f8df6b57-14bc-425f-9a91-6f59f6799307", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--5e099568-fb5c-4f58-af7e-4e1b7a9d1128", + "created": "2021-04-12T18:49:06.044Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Tom Fakterman August 2019", + "description": "Tom Fakterman 2019, August 05 Sodinokibi: The Crown Prince of Ransomware Retrieved. 
2021/04/12 ", + "url": "https://www.cybereason.com/blog/the-sodinokibi-ransomware-attack" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-12T18:05:04.619Z", + "description": "[REvil](https://attack.mitre.org/software/S0496) searches for whether the Ahnlab autoup.exe service is running on the target system and injects its payload into this existing process. (Citation: Tom Fakterman August 2019)", + "relationship_type": "uses", + "source_ref": "malware--ac61f1f9-7bb1-465e-9b8a-c2ce8e88baf5", + "target_ref": "attack-pattern--ba203963-3182-41ac-af14-7e7ebc83cd61", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--3ab912a4-70aa-45f8-b2ef-57113dde2cfa", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.237Z", + "relationship_type": "mitigates", + "description": "Do not inherently rely on the authenticity provided by the network/link layer (e.g., 802.11, LTE, 802.15.4), as link layer equipment may have long lifespans and protocol vulnerabilities may not be easily patched. Provide defense-in-depth by implementing authenticity within the associated application-layer protocol, or through a network-layer VPN. 
(Citation: CISA March 2010) Furthermore, ensure communication schemes provide strong replay protection, employing techniques such as timestamps or cryptographic nonces.\n", + "source_ref": "course-of-action--c7257b6e-4159-4771-b1f3-2bb93adaecac", + "target_ref": "attack-pattern--2877063e-1851-48d2-bcc6-bc1d2733157e", + "external_references": [ + { + "source_name": "CISA March 2010", + "description": "CISA 2010, March 11 https://us-cert.cisa.gov/ncas/tips/ST05-003 Retrieved. 2020/09/25 ", + "url": "https://us-cert.cisa.gov/ncas/tips/ST05-003" + } + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--154de746-5ea2-43b4-97b2-221b2433cbde", + "created": "2022-05-11T16:22:58.803Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-09-26T14:48:49.308Z", + "description": "Monitor ICS automation network protocols for information that an asset has been placed into Firmware Update Mode.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c", + "target_ref": "attack-pattern--19a71d1e-6334-4233-8260-b749cae37953", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--7d2db896-3051-483c-bc53-ca21832ee085", + "created": "2022-05-11T16:22:58.807Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-14T19:47:23.983Z", + "description": "Monitor network traffic for suspicious email 
attachments. Consider correlation with process monitoring and command line to detect anomalous processes execution and command line arguments associated to traffic patterns (e.g., monitor anomalies in use of files that do not normally initiate connections for respective protocol(s)). Use web proxies to review content of emails including sender information, headers, and attachments for potentially malicious content.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c", + "target_ref": "attack-pattern--648f995e-9c3a-41e4-aeee-98bb41037426", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--ea218d63-d9de-4f63-804a-cb039d804025", + "created": "2022-09-20T20:54:08.046Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Pinellas County Sheriffs Office February 2021", + "description": "Pinellas County Sheriffs Office 2021, February 8 Treatment Plant Intrusion Press Conference Retrieved. 
2021/10/08 ", + "url": "https://www.youtube.com/watch?v=MkXDSOgLQ6M" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-18T13:26:30.893Z", + "description": "During the [Oldsmar Treatment Plant Intrusion](https://attack.mitre.org/campaigns/C0009), the threat actors gained access to the system through remote access software, allowing for the use of the standard operator HMI interface.(Citation: Pinellas County Sheriffs Office February 2021)", + "relationship_type": "uses", + "source_ref": "campaign--65281d3e-b03c-46b8-8cd8-716363ac3cb2", + "target_ref": "attack-pattern--e1f9cdd2-9511-4fca-90d7-f3e92cfdd0bf", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--52c7176b-431d-44a6-8c03-7c15a8cf6ce1", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.133Z", + "relationship_type": "mitigates", + "description": "Provide operators with redundant, out-of-band communication to support monitoring and control of the operational processes, especially when recovering from a network outage (Citation: National Institute of Standards and Technology April 2013). Out-of-band communication should utilize diverse systems and technologies to minimize common failure modes and vulnerabilities within the communications infrastructure. 
For example, wireless networks (e.g., 3G, 4G) can be used to provide diverse and redundant delivery of data.\n", + "source_ref": "course-of-action--b11cad63-ef30-4eb8-af0d-6cc46eef3f3e", + "target_ref": "attack-pattern--b5b9bacb-97f2-4249-b804-47fd44de1f95", + "external_references": [ + { + "source_name": "National Institute of Standards and Technology April 2013", + "description": "National Institute of Standards and Technology 2013, April Security and Privacy Controls for Federal Information Systems and Organizations Retrieved. 2020/09/17 ", + "url": "https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf" + } + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--5be1f2b1-75fd-4e7e-901b-495cee4ab5ad", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.209Z", + "relationship_type": "mitigates", + "description": "Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate activity at the network level.\n", + "source_ref": "course-of-action--3172222b-4983-43f7-8983-753ded4f13bc", + "target_ref": "attack-pattern--e076cca8-2f08-45c9-aff7-ea5ac798b387", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--d72e7d01-56be-4fbd-8957-3384533ba83b", + "created": "2018-04-18T17:59:24.739Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Jos Wetzels January 2018", + "description": "Jos 
Wetzels 2018, January 16 Analyzing the TRITON industrial malware Retrieved. 2019/10/22 ", + "url": "https://www.midnightbluelabs.com/blog/2018/1/16/analyzing-the-triton-industrial-malware" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-12T18:28:23.911Z", + "description": "[Triton](https://attack.mitre.org/software/S1009) leverages a reconstructed TriStation protocol within its framework to trigger APIs related to program download, program allocation, and program changes. (Citation: Jos Wetzels January 2018)", + "relationship_type": "uses", + "source_ref": "malware--80099a91-4c86-4bea-9ccb-dac55d61960e", + "target_ref": "attack-pattern--5a2610f6-9fff-41e1-bc27-575ca20383d4", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--38a3c86b-c9bb-4a65-87c9-55429c68684f", + "created": "2022-05-11T16:22:58.807Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-14T16:32:41.938Z", + "description": "Monitor for newly constructed files copied to or from removable media.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--2b3bfe19-d59a-460d-93bb-2f546adc2d2c", "target_ref": "attack-pattern--c267bbee-bb59-47fe-85e0-3ed210337c21", "x_mitre_deprecated": false, "x_mitre_version": "1.0", 
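Review bot: The `CISA March 2010` reference added in this hunk has the URL in its `description` where the document title belongs (`CISA 2010, March 11 https://us-cert.cisa.gov/ncas/tips/ST05-003 Retrieved. 2020/09/25 `), so the rendered citation for that mitigation never names the document. Most other references added here (Cybersecurity & Infrastructure Security Agency, IEC, Tom Fakterman, Pinellas County Sheriffs Office, NIST, Jos Wetzels) share the `Retrieved. YYYY/MM/DD ` tail with a trailing space. The newer entries earlier in this patch use `Retrieved September 28, 2022.` instead, and the previous hunk has the same old form in its Spenneberg and Dan Goodin references. I would normalise these to the newer form, e.g. `"description": "CISA. (2010, March 11). <document title>. Retrieved September 25, 2020."`, with the placeholder replaced by the real title. Anything that parses citation strings or diffs them between releases would presumably benefit from a single format.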
@@ -18298,641 +22486,38 @@ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], "type": "relationship", - "id": "relationship--4966e63c-ca05-466d-91f9-41d799a54471", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2021-04-12T18:59:17.429Z", - "modified": "2022-05-06T17:47:24.186Z", - "relationship_type": "mitigates", - "description": "Provide privileges corresponding to the restriction of a GUI session to control system operations (examples include HMI read-only vs. read-write modes). Ensure local users, such as operators and engineers, are giving prioritization over remote sessions and have the authority to regain control over a remote session if needed. Prevent remote access sessions (e.g., RDP, VNC) from taking over local sessions, especially those used for ICS control, especially HMIs.\n", - "source_ref": "course-of-action--e0d38502-decb-481d-ad8b-b8f0a0c330bd", - "target_ref": "attack-pattern--e1f9cdd2-9511-4fca-90d7-f3e92cfdd0bf", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "relationship", - "id": "relationship--f0c8a954-c1a0-453a-9c1d-484305abdab2", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2021-04-12T18:59:17.429Z", - "modified": "2022-05-06T17:47:24.189Z", - "relationship_type": "mitigates", - "description": "Filter application-layer protocol messages for remote services to block any unauthorized activity.\n", - "source_ref": "course-of-action--11f242bc-3121-438c-84b2-5cbd46a4bb17", - "target_ref": "attack-pattern--e1f9cdd2-9511-4fca-90d7-f3e92cfdd0bf", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": 
"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "relationship", - "id": "relationship--2cd79563-0f5a-44a1-9be4-6dc330855d64", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.150Z", - "relationship_type": "mitigates", - "description": "Use host-based allowlists to prevent devices from accepting connections from unauthorized systems. For example, allowlists can be used to ensure devices can only connect with master stations or known management/engineering workstations. (Citation: Department of Homeland Security September 2016)\n", - "source_ref": "course-of-action--aadac250-bcdc-44e3-a4ae-f52bd0a7a16a", - "target_ref": "attack-pattern--e5de767e-f513-41cd-aa15-33f6ce5fbf92", - "external_references": [ - { - "source_name": "Department of Homeland Security September 2016", - "description": "Department of Homeland Security 2016, September Retrieved. 2020/09/25 ", - "url": "https://us-cert.cisa.gov/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf" - } - ], - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - "type": "relationship", - "id": "relationship--80a69b56-337d-446a-8167-8b9f63083c4f", - "created": "2022-09-28T21:24:21.810Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "external_references": [ - { - "source_name": "CISA-AA22-103A", - "description": "DHS/CISA. (2022, May 25). Alert (AA22-103A) APT Cyber Tools Targeting ICS/SCADA Devices. Retrieved September 28, 2022.", - "url": "https://www.cisa.gov/uscert/ncas/alerts/aa22-103a" - }, - { - "source_name": "Wylie-22", - "description": "Jimmy Wylie. (2022, August). 
Analyzing PIPEDREAM: Challenges in Testing an ICS Attack Toolkit. Defcon 30.", - "url": "https://media.defcon.org/DEF%20CON%2030/DEF%20CON%2030%20presentations/Jimmy%20Wylie%20-%20Analyzing%20PIPEDREAM%20Challenges%20in%20testing%20an%20ICS%20attack%20toolkit.pdf" - } - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-10-13T16:53:47.442Z", - "description": "[INCONTROLLER](https://attack.mitre.org/software/S1045) includes a library that creates Modbus connections with a device to request its device ID.(Citation: CISA-AA22-103A)(Citation: Wylie-22) ", - "relationship_type": "uses", - "source_ref": "malware--d3aa1058-b1b3-4c29-a3ba-9a9b90ccd93b", - "target_ref": "attack-pattern--2fedbe69-581f-447d-8a78-32ee7db939a9", - "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "relationship", - "id": "relationship--aaffd26a-728d-42a0-9d1f-423231c55f3e", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2021-04-21T14:04:49.301Z", - "modified": "2022-05-06T17:47:24.361Z", - "relationship_type": "uses", - "description": "[Dragonfly 2.0](https://attack.mitre.org/groups/G0035) accessed workstations and servers within the corporate network that contained data from power generation control system environments. The files were related to the ICS and SCADA systems including vendor names and ICS reference documents such as wiring diagrams and panel layouts. 
(Citation: Cybersecurity & Infrastructure Security Agency March 2018)", - "source_ref": "intrusion-set--76d59913-1d24-4992-a8ac-05a3eb093f71", - "target_ref": "attack-pattern--3405891b-16aa-4bd7-bd7c-733501f9b20f", - "external_references": [ - { - "source_name": "Cybersecurity & Infrastructure Security Agency March 2018", - "description": "Cybersecurity & Infrastructure Security Agency 2018, March 15 Alert (TA18-074A) Russian Government Cyber Activity Targeting Energy and Other Critical Infrastructure Sectors Retrieved. 2019/10/11 ", - "url": "https://us-cert.cisa.gov/ncas/alerts/TA18-074A" - } - ], - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "relationship", - "id": "relationship--d464d443-6298-47eb-b767-8f1136f6b6b5", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2018-10-17T00:14:20.652Z", - "modified": "2022-05-06T17:47:24.369Z", - "relationship_type": "uses", - "description": "[Dragonfly 2.0](https://attack.mitre.org/groups/G0035) leveraged compromised user credentials to access the targets networks and download tools from a remote server. (Citation: Dragos) (Citation: Cybersecurity & Infrastructure Security Agency March 2018)", - "source_ref": "intrusion-set--76d59913-1d24-4992-a8ac-05a3eb093f71", - "target_ref": "attack-pattern--cd2c76a4-5e23-4ca5-9c40-d5e0604f7101", - "external_references": [ - { - "source_name": "Dragos", - "description": "Dragos Dymalloy Retrieved. 
2019/10/27 ", - "url": "https://dragos.com/resource/dymalloy/" - }, - { - "source_name": "Cybersecurity & Infrastructure Security Agency March 2018", - "description": "Cybersecurity & Infrastructure Security Agency 2018, March 15 Alert (TA18-074A) Russian Government Cyber Activity Targeting Energy and Other Critical Infrastructure Sectors Retrieved. 2019/10/11 ", - "url": "https://us-cert.cisa.gov/ncas/alerts/TA18-074A" - } - ], - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - "type": "relationship", - "id": "relationship--6ed07095-c23a-4676-807f-a544deaeb274", - "created": "2021-04-12T18:49:06.044Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "external_references": [ - { - "source_name": "McAfee Labs October 2019", - "description": "McAfee Labs 2019, October 02 McAfee ATR Analyzes Sodinokibi aka REvil Ransomware-as-a-Service What The Code Tells Us Retrieved. 2021/04/12 ", - "url": "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/mcafee-atr-analyzes-sodinokibi-aka-revil-ransomware-as-a-service-what-the-code-tells-us" - }, - { - "source_name": "SecureWorks September 2019", - "description": "SecureWorks 2019, September 24 REvil/Sodinokibi Ransomware Retrieved. 2021/04/12 ", - "url": "https://www.secureworks.com/research/revil-sodinokibi-ransomware" - } - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-10-12T18:05:35.788Z", - "description": "[REvil](https://attack.mitre.org/software/S0496) sends exfiltrated data from the victims system using HTTPS POST messages sent to the C2 system. 
(Citation: McAfee Labs October 2019) (Citation: SecureWorks September 2019)", - "relationship_type": "uses", - "source_ref": "malware--ac61f1f9-7bb1-465e-9b8a-c2ce8e88baf5", - "target_ref": "attack-pattern--b7e13ee8-182c-4f19-92a4-a88d7d855d54", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "relationship", - "id": "relationship--3be9d4d1-17e1-4f3e-b22a-edad8cf0c343", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.216Z", - "relationship_type": "mitigates", - "description": "Devices should verify that firmware has been properly signed by the vendor before allowing installation.\n", - "source_ref": "course-of-action--71eb7dad-07eb-4bbc-9df0-ac57bf2fba4a", - "target_ref": "attack-pattern--b9160e77-ea9e-4ba9-b1c8-53a3c466b13d", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "relationship", - "id": "relationship--6833d534-9cbb-4b9f-85b6-93d3d2d6faca", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.202Z", - "relationship_type": "mitigates", - "description": "Ensure proper process and file permissions are in place to inhibit adversaries from disabling or interfering with critical services.\n", - "source_ref": "course-of-action--f9fcb3ec-6de0-4559-8cd9-ef1c0c7d1971", - "target_ref": "attack-pattern--063b5b92-5361-481a-9c3f-95492ed9a2d8", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": 
"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "relationship", - "id": "relationship--c195a0e9-d46c-487f-9a96-b138e9ca05d2", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.204Z", - "relationship_type": "mitigates", - "description": "Consider restricting access to email within critical process environments. Additionally, downloads and attachments may be disabled if email is still necessary.\n", - "source_ref": "course-of-action--143b4398-3222-480a-b6a4-e131bc2d3144", - "target_ref": "attack-pattern--648f995e-9c3a-41e4-aeee-98bb41037426", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - "type": "relationship", - "id": "relationship--26d68f5d-6ee5-4d98-b175-943366ccc038", - "created": "2020-10-14T21:33:27.046Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "external_references": [ - { - "source_name": "Dragos October 2018", - "description": "Dragos 2018, October 12 Anatomy of an Attack: Detecting and Defeating CRASHOVERRIDE Retrieved. 2019/10/14 ", - "url": "https://dragos.com/wp-content/uploads/CRASHOVERRIDE2018.pdf" - } - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-10-12T16:54:09.871Z", - "description": "[Sandworm Team](https://attack.mitre.org/groups/G0034) uses the MS-SQL server xp_cmdshell command, and PowerShell to execute commands. 
(Citation: Dragos October 2018)", - "relationship_type": "uses", - "source_ref": "intrusion-set--381fcf73-60f6-4ab2-9991-6af3cbc35192", - "target_ref": "attack-pattern--24a9253e-8948-4c98-b751-8e2aee53127c", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "type": "relationship", - "id": "relationship--ad77a940-150c-4d73-bf5a-1df2d9436f9c", - "created": "2022-05-11T16:22:58.805Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "id": "relationship--0c4aaf6c-4b72-401f-950b-6d65ceb1267a", + "created": "2022-09-27T15:49:26.908Z", "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2022-10-14T19:36:33.957Z", - "description": "Monitor network traffic for anomalies associated with known AiTM behavior. For Collection activity where transmitted data is not manipulated, anomalies may be present in network management protocols (e.g., ARP, DHCP).", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c", - "target_ref": "attack-pattern--9a505987-ab05-4f46-a9a6-6441442eec3b", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "relationship", - "id": "relationship--46edf5ba-ebd3-4976-9cdc-1276ba253c98", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2021-04-21T14:04:49.301Z", - "modified": "2022-05-06T17:47:24.364Z", - "relationship_type": "uses", - "description": "[Dragonfly 2.0](https://attack.mitre.org/groups/G0035) deleted indicators on staging and target devices by uninstalling software, removing event logs, batch 
scripts, screenshots, registry keys, documents, and tools they brought into the target networks. (Citation: Cybersecurity & Infrastructure Security Agency March 2018)", - "source_ref": "intrusion-set--76d59913-1d24-4992-a8ac-05a3eb093f71", - "target_ref": "attack-pattern--2dc2b567-8821-49f9-9045-8740f3d0b958", - "external_references": [ - { - "source_name": "Cybersecurity & Infrastructure Security Agency March 2018", - "description": "Cybersecurity & Infrastructure Security Agency 2018, March 15 Alert (TA18-074A) Russian Government Cyber Activity Targeting Energy and Other Critical Infrastructure Sectors Retrieved. 2019/10/11 ", - "url": "https://us-cert.cisa.gov/ncas/alerts/TA18-074A" - } - ], - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "relationship", - "id": "relationship--baf7daf3-2116-4051-91b5-f82e146167d0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.235Z", - "relationship_type": "mitigates", - "description": "Routinely audit source code, application configuration files, open repositories, and public cloud storage for insecure use and storage of credentials.\n", - "source_ref": "course-of-action--bcf91ebc-f316-4e19-b2f6-444e9940c697", - "target_ref": "attack-pattern--cd2c76a4-5e23-4ca5-9c40-d5e0604f7101", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - "type": "relationship", - "id": "relationship--fc1d3924-3210-4ca6-b3cc-a7a525eab47c", - "created": "2022-05-11T16:22:58.807Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - 
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-09-26T17:15:27.767Z", - "description": "Monitor ICS management protocols / file transfer protocols for protocol functions related to firmware changes.", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c", - "target_ref": "attack-pattern--b9160e77-ea9e-4ba9-b1c8-53a3c466b13d", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "relationship", - "id": "relationship--86d45e92-80ba-4f97-b3a3-03ad3469658b", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.166Z", - "relationship_type": "mitigates", - "description": "Segment operational network and systems to restrict access to critical system functions to predetermined management systems. (Citation: Department of Homeland Security September 2016)\n", - "source_ref": "course-of-action--1e7ccfc0-94c8-496e-8d27-032120892291", - "target_ref": "attack-pattern--efbf7888-f61b-4572-9c80-7e2965c60707", - "external_references": [ - { - "source_name": "Department of Homeland Security September 2016", - "description": "Department of Homeland Security 2016, September Retrieved. 
2020/09/25 ", - "url": "https://us-cert.cisa.gov/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf" - } - ], - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - "type": "relationship", - "id": "relationship--a6519c11-e9d4-4b6f-8d92-8efaa2144c28", - "created": "2021-04-13T12:28:20.652Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "external_references": [ - { - "source_name": "Davey Winder June 2020", - "description": "Davey Winder 2020, June 10 Honda Hacked: Japanese Car Giant Confirms Cyber Attack On Global Operations Retrieved. 2021/04/12 ", - "url": "https://www.forbes.com/sites/daveywinder/2020/06/10/honda-hacked-japanese-car-giant-confirms-cyber-attack-on-global-operations-snake-ransomware/?sh=2725c35753ad" - } - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-10-12T17:47:16.775Z", - "description": "[EKANS](https://attack.mitre.org/software/S0605) infection resulted in a temporary production loss within a Honda manufacturing plant. (Citation: Davey Winder June 2020)", - "relationship_type": "uses", - "source_ref": "malware--00e7d565-9883-4ee5-b642-8fd17fd6a3f5", - "target_ref": "attack-pattern--63b6942d-8359-4506-bfb3-cf87aa8120ee", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "type": "relationship", - "id": "relationship--b3862aa6-7bd0-46a4-83b6-bb687bb7caa6", - "created": "2018-10-17T00:14:20.652Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "external_references": [ - { - "source_name": "Chris Bing May 2018", - "description": "Chris Bing 2018, May 24 Trisis masterminds have expanded operations to target U.S. 
industrial firms Retrieved. 2020/01/03 ", - "url": "https://www.cyberscoop.com/xenotime-ics-cyber-attacks-trisis-dragos/" - } - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-10-12T17:07:07.445Z", - "description": "[TEMP.Veles](https://attack.mitre.org/groups/G0088) utilizes watering hole websites to target industrial employees. (Citation: Chris Bing May 2018)", - "relationship_type": "uses", - "source_ref": "intrusion-set--9538b1a4-4120-4e2d-bf59-3b11fcab05a4", - "target_ref": "attack-pattern--7830cfcf-b268-4ac0-a69e-73c6affbae9a", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "relationship", - "id": "relationship--9cca3120-c95e-4f5e-bc4b-0521ab5cc512", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.203Z", - "relationship_type": "mitigates", - "description": "Segment operational network and systems to restrict access to critical system functions to predetermined management systems. (Citation: Department of Homeland Security September 2016)\n", - "source_ref": "course-of-action--1e7ccfc0-94c8-496e-8d27-032120892291", - "target_ref": "attack-pattern--063b5b92-5361-481a-9c3f-95492ed9a2d8", - "external_references": [ - { - "source_name": "Department of Homeland Security September 2016", - "description": "Department of Homeland Security 2016, September Retrieved. 
2020/09/25 ", - "url": "https://us-cert.cisa.gov/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf" - } - ], - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - "type": "relationship", - "id": "relationship--0d4f2f88-e176-42c7-8258-52b345045662", - "created": "2022-09-28T20:29:51.844Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "external_references": [ - { - "source_name": "CISA-AA22-103A", - "description": "DHS/CISA. (2022, May 25). Alert (AA22-103A) APT Cyber Tools Targeting ICS/SCADA Devices. Retrieved September 28, 2022.", - "url": "https://www.cisa.gov/uscert/ncas/alerts/aa22-103a" - } - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-10-12T15:17:08.493Z", - "description": "[INCONTROLLER](https://attack.mitre.org/software/S1045) can remotely send commands to a malicious agent uploaded on Omron PLCs over HTTP or HTTPS.(Citation: CISA-AA22-103A) ", - "relationship_type": "uses", - "source_ref": "malware--d3aa1058-b1b3-4c29-a3ba-9a9b90ccd93b", - "target_ref": "attack-pattern--e076cca8-2f08-45c9-aff7-ea5ac798b387", - "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "relationship", - "id": "relationship--d16e8909-d055-4174-aeb1-22c0613b2f73", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.141Z", - "relationship_type": "mitigates", - "description": "Disable unnecessary legacy network protocols that may be used for MiTM if applicable.\n", - "source_ref": 
"course-of-action--d0909119-2f71-4923-87db-b649881672d7", - "target_ref": "attack-pattern--9a505987-ab05-4f46-a9a6-6441442eec3b", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - "type": "relationship", - "id": "relationship--7dad75e6-f569-4bb9-ad75-5eda55dff0b1", - "created": "2022-05-11T16:22:58.806Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-10-14T16:54:12.966Z", - "description": "Monitor for API calls (such as GetAdaptersInfo() and GetIpNetTable()) that may gather details about the network configuration and settings, such as IP and/or MAC addresses. Also monitor for API calls that may attempt to get a listing of network connections to or from the compromised system they are currently accessing or from remote systems by querying for information over the network. 
For added context on adversary procedures and background see [System Network Configuration Discovery](https://attack.mitre.org/techniques/T1016) and [System Network Connections Discovery](https://attack.mitre.org/techniques/T1049).", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e", - "target_ref": "attack-pattern--ea0c980c-5cf0-43a7-a049-59c4c207566e", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "type": "relationship", - "id": "relationship--f4f98ce1-d0b8-4699-b602-33a6a6ffca67", - "created": "2022-05-11T16:22:58.807Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-09-26T16:33:51.166Z", - "description": "Monitor for new master devices communicating with outstation assets, which may be visible in asset application logs.", + "modified": "2022-09-27T15:49:26.908Z", + "description": "Monitor asset application logs for information that indicate task parameters have changed.", "relationship_type": "detects", "source_ref": "x-mitre-data-component--9c2fa0ae-7abc-485a-97f6-699e3b6cf9fa", - "target_ref": "attack-pattern--b14395bd-5419-4ef4-9bd8-696936f509bb", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "type": "relationship", - "id": "relationship--20f66fab-7a08-4707-ac79-92dac5acd11d", - "created": "2021-04-13T11:15:26.506Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "external_references": [ - { - "source_name": "Spenneberg, Ralf, Maik Brggemann, and Hendrik Schwartke March 2016", - "description": "Spenneberg, Ralf, Maik 
Brggemann, and Hendrik Schwartke 2016, March 31 Plc-blaster: A worm living solely in the plc. Retrieved. 2017/09/19 ", - "url": "https://www.blackhat.com/docs/asia-16/materials/asia-16-Spenneberg-PLC-Blaster-A-Worm-Living-Solely-In-The-PLC-wp.pdf" - } - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-10-12T18:00:13.772Z", - "description": "[PLC-Blaster](https://attack.mitre.org/software/S1006)'s code is stored in OB9999. The original code on the target is untouched. The OB is automatically detected by the PLC and executed. (Citation: Spenneberg, Ralf, Maik Brggemann, and Hendrik Schwartke March 2016)", - "relationship_type": "uses", - "source_ref": "malware--4dcff507-5af8-47ce-964a-8d9569e9ccfe", "target_ref": "attack-pattern--09a61657-46e1-439e-b3ed-3e4556a78243", "x_mitre_deprecated": false, - "x_mitre_version": "1.0", + "x_mitre_version": "0.1", "x_mitre_attack_spec_version": "2.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], "type": "relationship", - "id": "relationship--575f0e0b-d68d-432b-abb3-cbd3e641fc88", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.199Z", - "relationship_type": "mitigates", - "description": "Perform inline allowlisting of automation protocol commands to prevent devices from sending unauthorized command or reporting messages. 
Allow/denylist techniques need to be designed with sufficient accuracy to prevent the unintended blocking of valid reporting messages.\n", - "source_ref": "course-of-action--11f242bc-3121-438c-84b2-5cbd46a4bb17", - "target_ref": "attack-pattern--b14395bd-5419-4ef4-9bd8-696936f509bb", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "relationship", - "id": "relationship--a78e727c-8e42-448c-beb4-463804e18be0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.123Z", - "relationship_type": "mitigates", - "description": "Minimize permissions and access for service accounts to limit impact of exploitation. (Citation: Keith Stouffer May 2015)\n", - "source_ref": "course-of-action--622fe4d4-0e8e-4d17-9c25-6c9cef1f15d5", - "target_ref": "attack-pattern--85a45294-08f1-4539-bf00-7da08aa7b0ee", - "external_references": [ - { - "source_name": "Keith Stouffer May 2015", - "description": "Keith Stouffer 2015, May Guide to Industrial Control Systems (ICS) Security Retrieved. 
2018/03/28 ", - "url": "https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-82r2.pdf" - } - ], - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - "type": "relationship", - "id": "relationship--54e73627-95de-4e6e-abf0-d93e20a1fe8f", + "id": "relationship--9cf83701-a347-47b4-a67b-280df95b275d", "created": "2022-05-11T16:22:58.806Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2022-09-26T17:07:49.346Z", - "description": "Monitor for device alarms produced when program uploads occur, although not all devices will produce such alarms.", + "modified": "2022-10-14T16:41:05.460Z", + "description": "Monitor for changes made to scheduled jobs that may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools.", "relationship_type": "detects", - "source_ref": "x-mitre-data-component--9c2fa0ae-7abc-485a-97f6-699e3b6cf9fa", - "target_ref": "attack-pattern--3067b85e-271e-4bc5-81ad-ab1a81d411e3", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "type": "relationship", - "id": "relationship--83c29179-4805-403a-acf5-5151c4d2e556", - "created": "2018-10-17T00:14:20.652Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "external_references": [ - { - "source_name": "Anton Cherepanov, ESET June 2017", - "description": "Anton Cherepanov, ESET 2017, June 12 Win32/Industroyer: A new threat for industrial control systems Retrieved. 
2017/09/15 ", - "url": "https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf" - } - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-09-23T18:27:02.814Z", - "description": "[Industroyer](https://attack.mitre.org/software/S0604)'s OPC and IEC 61850 protocol modules include the ability to send stVal requests to read the status of operational variables. (Citation: Anton Cherepanov, ESET June 2017)", - "relationship_type": "uses", - "source_ref": "malware--e401d4fe-f0c9-44f0-98e6-f93487678808", - "target_ref": "attack-pattern--2d0d40ad-22fa-4cc8-b264-072557e1364b", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "type": "relationship", - "id": "relationship--f664bf42-5fb2-41e5-b790-978ddf866da3", - "created": "2022-05-11T16:22:58.803Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-09-27T17:45:58.655Z", - "description": "Monitor for information collection on assets that may indicate deviations from standard operational tools. Examples include unexpected industrial automation protocol functions, new high volume communication sessions, or broad collection across many hosts within the network. ", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c", - "target_ref": "attack-pattern--3de230d4-3e42-4041-b089-17e1128feded", + "source_ref": "x-mitre-data-component--faa34cf6-cf32-4dc9-bd6a-8f7a606ff65b", + "target_ref": "attack-pattern--ba203963-3182-41ac-af14-7e7ebc83cd61", "x_mitre_deprecated": false, "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "2.1.0", 
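Review bot: The added detection entry `relationship--0c4aaf6c-4b72-401f-950b-6d65ceb1267a` has a subject–verb slip in its guidance text; it should read `"description": "Monitor asset application logs for information that indicates task parameters have changed.",`. Separately, most of the roughly 600 lines this hunk removes look like existing relationships being moved rather than deleted: several carry October 2022 `modified` stamps, and entries created in 2018–2020 are added earlier on this page. That cannot be confirmed from this hunk alone. If it is the case, emitting the bundle's objects in a stable order, for example sorted by `id`, would let a reader verify which mitigations and detections actually changed in a release.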
@@ -18943,30 +22528,13 @@ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", - "id": "relationship--bbf297d3-0c3c-44be-b780-332bac17b0ba", + "id": "relationship--b69f31c3-6c12-4b81-8e74-9c58ea635fa4", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.222Z", + "modified": "2022-05-06T17:47:24.232Z", "relationship_type": "mitigates", - "description": "Devices should authenticate all messages between master and outstation assets.\n", - "source_ref": "course-of-action--72e46e53-e12d-4106-9c70-33241b6ed549", - "target_ref": "attack-pattern--40b300ba-f553-48bf-862e-9471b220d455", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "relationship", - "id": "relationship--a1383f2a-2ee2-47df-a661-8904a7535e0c", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.233Z", - "relationship_type": "mitigates", - "description": "Applications and appliances that utilize default username and password should be changed immediately after the installation, and before deployment to a production environment. (Citation: CISA June 2013)\n", - "source_ref": "course-of-action--5d97c693-e054-48ba-a3a3-eaf6942dfb65", + "description": "Ensure that applications and devices do not store sensitive data or credentials insecurely (e.g., plaintext credentials in code, published credentials in repositories, or credentials in public cloud storage). (Citation: CISA June 2013)\n", + "source_ref": "course-of-action--8a3aadd0-b5f4-433a-800e-4893e4196bb7", "target_ref": "attack-pattern--cd2c76a4-5e23-4ca5-9c40-d5e0604f7101", "external_references": [ { 
@@ -18980,28 +22548,79 @@ "x_mitre_version": "1.0" }, { - "type": "relationship", - "id": "relationship--228b9a13-0545-4ecf-99ff-be02addaf7fe", - "created": "2018-10-17T00:14:20.652Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "external_references": [ - { - "source_name": "ESET", - "description": "ESET ACAD/Medre.A: 10000s of AutoCAD Designs Leaked in Suspected Industrial Espionage Retrieved. 2021/04/13 ", - "url": "https://www.welivesecurity.com/wp-content/uploads/200x/white-papers/ESET_ACAD_Medre_A_whitepaper.pdf" - } - ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2022-10-12T17:10:58.645Z", - "description": "[ACAD/Medre.A](https://attack.mitre.org/software/S1000) can collect AutoCad files with drawings. These drawings may contain operational information. (Citation: ESET)\n", - "relationship_type": "uses", - "source_ref": "malware--a4a98eab-b691-45d9-8c48-869ef8fefd57", - "target_ref": "attack-pattern--b7e13ee8-182c-4f19-92a4-a88d7d855d54", + "type": "relationship", + "id": "relationship--2daeeaaa-5b4b-4bb7-a94d-78a5749027ca", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.126Z", + "relationship_type": "mitigates", + "description": "Limit access to remote services through centrally managed concentrators such as VPNs and other managed remote access systems.\n", + "source_ref": "course-of-action--49b306c1-a046-42c5-a4d2-30f264ada110", + "target_ref": "attack-pattern--8d2f3bab-507c-4424-b58b-edc977bd215c", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--ab60fe4a-5860-410a-8bca-2cdbea95e5f8", + "created_by_ref": 
"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.080Z", + "relationship_type": "mitigates", + "description": "Use host-based allowlists to prevent devices from accepting connections from unauthorized systems. For example, allowlists can be used to ensure devices can only connect with master stations or known management/engineering workstations. (Citation: Department of Homeland Security September 2016)\n", + "source_ref": "course-of-action--aadac250-bcdc-44e3-a4ae-f52bd0a7a16a", + "target_ref": "attack-pattern--2883c520-7957-46ca-89bd-dab1ad53b601", + "external_references": [ + { + "source_name": "Department of Homeland Security September 2016", + "description": "Department of Homeland Security 2016, September Retrieved. 2020/09/25 ", + "url": "https://us-cert.cisa.gov/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf" + } + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--43bdf580-b98f-49cf-92d5-3dac50450c86", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.214Z", + "relationship_type": "mitigates", + "description": "The encryption of firmware should be considered to prevent adversaries from identifying possible vulnerabilities within the firmware.\n", + "source_ref": "course-of-action--7f153c28-e5f1-4764-88fb-eea1d9b0ad4a", + "target_ref": "attack-pattern--b9160e77-ea9e-4ba9-b1c8-53a3c466b13d", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": 
"relationship--e4a11381-8608-4c71-966f-df0cbb834fe0", + "created": "2022-09-30T15:35:09.660Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-14T16:51:08.392Z", + "description": "Monitor for new ICS protocol connections to existing assets or for device scanning (i.e., a host connecting to many devices) over ICS and enterprise protocols (e.g., ICMP, DCOM, WinRM). For added context on adversary enterprise procedures and background see [Remote System Discovery](https://attack.mitre.org/techniques/T1018).", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--a7f22107-02e5-4982-9067-6625d4a1765a", + "target_ref": "attack-pattern--d5a69cfb-fc2a-46cb-99eb-74b236db5061", "x_mitre_deprecated": false, - "x_mitre_version": "1.0", + "x_mitre_version": "0.1", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, 
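Review bot: The `Department of Homeland Security September 2016` entry added under `external_references` for relationship--ab60fe4a-5860-410a-8bca-2cdbea95e5f8 has a description with no document title; it reads `Department of Homeland Security 2016, September Retrieved. 2020/09/25 `. If the URL stops resolving, a reader has nothing to search for to locate the cited guidance. I would put the title between the date and `Retrieved`, e.g. `"description": "Department of Homeland Security 2016, September <DOCUMENT TITLE> Retrieved. 2020/09/25 "`. The URL's file name suggests a defense-in-depth recommended-practice paper, but the title should be taken from the document itself. The same title-less description also appears in entries removed elsewhere in this diff, so it looks carried over from the source data rather than introduced by this commit.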
@@ -19010,179 +22629,56 @@ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", - "id": "relationship--55fe102a-d32b-4a73-85b1-14a02d0e552f", + "id": "relationship--e09e253c-fd28-49ae-988e-1f80d769e8b8", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.227Z", + "relationship_type": "mitigates", + "description": "Prevent the use of unsigned executables, such as installers and scripts.\n", + "source_ref": "course-of-action--71eb7dad-07eb-4bbc-9df0-ac57bf2fba4a", + "target_ref": "attack-pattern--2736b752-4ec5-4421-a230-8977dea7649c", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--01b4a92f-da42-4dfa-8d59-53709b65940e", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.203Z", + "relationship_type": "mitigates", + "description": "Limit privileges of user accounts and groups so that only authorized administrators can change service states and configurations.\n", + "source_ref": "course-of-action--e57ebc6d-785f-40c8-adb1-b5b5e09b3b48", + "target_ref": "attack-pattern--063b5b92-5361-481a-9c3f-95492ed9a2d8", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--83c8c216-7ff7-4bd3-9db4-573469628d95", "created": "2018-10-17T00:14:20.652Z", - "modified": "2022-05-06T17:47:24.362Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Joe Slowik August 2019", + "description": 
"Joe Slowik 2019, August 15 CRASHOVERRIDE: Reassessing the 2016 Ukraine Electric Power Event as a Protection-Focused Attack Retrieved. 2019/10/22 ", + "url": "https://dragos.com/wp-content/uploads/CRASHOVERRIDE.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-09-23T18:48:43.457Z", + "description": "The [Industroyer](https://attack.mitre.org/software/S0604) SPIROTEC DoS module places the victim device into firmware update mode. This is a legitimate use case under normal circumstances, but in this case is used the adversary to prevent the SPIROTEC from performing its designed protective functions. As a result the normal safeguards are disabled, leaving an unprotected link in the electric transmission. (Citation: Joe Slowik August 2019)", "relationship_type": "uses", - "description": "[Dragonfly 2.0](https://attack.mitre.org/groups/G0035) utilized watering hole attacks to gather credentials, by compromising websites that energy sector organizations might access. (Citation: Symantec September 2017) A line of code is injected into the header.php file, this is used to redirect the visitors to an adversary controlled IP. (Citation: Cybersecurity & Infrastructure Security Agency March 2018)", - "source_ref": "intrusion-set--76d59913-1d24-4992-a8ac-05a3eb093f71", - "target_ref": "attack-pattern--7830cfcf-b268-4ac0-a69e-73c6affbae9a", - "external_references": [ - { - "source_name": "Symantec September 2017", - "description": "Symantec 2017, September 6 Dragonfly: Western energy sector targeted by sophisticated attack group Retrieved. 
2017/09/14 ", - "url": "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/dragonfly-energy-sector-cyber-attacks" - }, - { - "source_name": "Cybersecurity & Infrastructure Security Agency March 2018", - "description": "Cybersecurity & Infrastructure Security Agency 2018, March 15 Alert (TA18-074A) Russian Government Cyber Activity Targeting Energy and Other Critical Infrastructure Sectors Retrieved. 2019/10/11 ", - "url": "https://us-cert.cisa.gov/ncas/alerts/TA18-074A" - } - ], - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "relationship", - "id": "relationship--2089201c-c1c6-4d92-a737-a6499e26ee7f", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.094Z", - "relationship_type": "mitigates", - "description": "Provide operators with redundant, out-of-band communication to support monitoring and control of the operational processes, especially when recovering from a network outage (Citation: National Institute of Standards and Technology April 2013). Out-of-band communication should utilize diverse systems and technologies to minimize common failure modes and vulnerabilities within the communications infrastructure. For example, wireless networks (e.g., 3G, 4G) can be used to provide diverse and redundant delivery of data.\n", - "source_ref": "course-of-action--b11cad63-ef30-4eb8-af0d-6cc46eef3f3e", - "target_ref": "attack-pattern--e33c7ecc-5a38-497f-beb2-a9a2049a4c20", - "external_references": [ - { - "source_name": "National Institute of Standards and Technology April 2013", - "description": "National Institute of Standards and Technology 2013, April Security and Privacy Controls for Federal Information Systems and Organizations Retrieved. 
2020/09/17 ", - "url": "https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf" - } - ], - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "relationship", - "id": "relationship--f15f24d2-e581-46ce-83e4-a924f572aae6", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.065Z", - "relationship_type": "mitigates", - "description": "Segment operational network and systems to restrict access to critical system functions to predetermined management systems. (Citation: Department of Homeland Security September 2016)\n", - "source_ref": "course-of-action--1e7ccfc0-94c8-496e-8d27-032120892291", + "source_ref": "malware--e401d4fe-f0c9-44f0-98e6-f93487678808", "target_ref": "attack-pattern--19a71d1e-6334-4233-8260-b749cae37953", - "external_references": [ - { - "source_name": "Department of Homeland Security September 2016", - "description": "Department of Homeland Security 2016, September Retrieved. 2020/09/25 ", - "url": "https://us-cert.cisa.gov/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf" - } - ], - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "relationship", - "id": "relationship--c67e3535-69a9-4234-8170-4ad6efc632b7", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.211Z", - "relationship_type": "mitigates", - "description": "Implement continuous monitoring of vulnerability sources. 
Also, use automatic and manual code review tools. (Citation: OWASP)\n", - "source_ref": "course-of-action--de0bc375-50e1-4e26-a342-a8ff8c9d3037", - "target_ref": "attack-pattern--5e0f75da-e108-4688-a6de-a4f07cc2cbe3", - "external_references": [ - { - "source_name": "OWASP", - "description": "OWASP Top 10 Web Application Security Risks Retrieved. 2020/09/25 ", - "url": "https://owasp.org/www-project-top-ten/" - } - ], - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "relationship", - "id": "relationship--d1971b32-3a15-4544-9f36-80c05121deb6", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.160Z", - "relationship_type": "mitigates", - "description": "All devices or systems changes, including all administrative functions, should require authentication. 
Consider using access management technologies to enforce authorization on all management interface access attempts, especially when the device does not inherently provide strong authentication and authorization functions.\n", - "source_ref": "course-of-action--3992ce42-43e9-4bea-b8db-a102ec3ec1e3", - "target_ref": "attack-pattern--efbf7888-f61b-4572-9c80-7e2965c60707", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "relationship", - "id": "relationship--61668e93-6d9d-418d-9fbd-2d88c3a66544", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.199Z", - "relationship_type": "mitigates", - "description": "Segment operational assets and their management devices based on their functional role within the process. Enabling more strict isolation to more critical control and operational information within the control environment. (Citation: Karen Scarfone; Paul Hoffman September 2009) (Citation: Keith Stouffer May 2015) (Citation: Department of Homeland Security September 2016) (Citation: Dwight Anderson 2014) \n", - "source_ref": "course-of-action--1e7ccfc0-94c8-496e-8d27-032120892291", - "target_ref": "attack-pattern--b14395bd-5419-4ef4-9bd8-696936f509bb", - "external_references": [ - { - "source_name": "Karen Scarfone; Paul Hoffman September 2009", - "description": "Karen Scarfone; Paul Hoffman 2009, September Guidelines on Firewalls and Firewall Policy Retrieved. 2020/09/25 ", - "url": "https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-41r1.pdf" - }, - { - "source_name": "Keith Stouffer May 2015", - "description": "Keith Stouffer 2015, May Guide to Industrial Control Systems (ICS) Security Retrieved. 
2018/03/28 ", - "url": "https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-82r2.pdf" - }, - { - "source_name": "Department of Homeland Security September 2016", - "description": "Department of Homeland Security 2016, September Retrieved. 2020/09/25 ", - "url": "https://us-cert.cisa.gov/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf" - }, - { - "source_name": "Dwight Anderson 2014", - "description": "Dwight Anderson 2014 Protect Critical Infrastructure Systems With Whitelisting Retrieved. 2020/09/25 ", - "url": "https://www.sans.org/reading-room/whitepapers/ICS/protect-critical-infrastructure-systems-whitelisting-35312" - } - ], - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - "type": "relationship", - "id": "relationship--3618a010-b94b-4974-b1be-7630d5c853c1", - "created": "2018-10-17T00:14:20.652Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "external_references": [ - { - "source_name": "Robert Falcone, Bryan Lee May 2016", - "description": "Robert Falcone, Bryan Lee 2016, May 26 The OilRig Campaign: Attacks on Saudi Arabian Organizations Deliver Helminth Backdoor Retrieved. 2019/11/19 ", - "url": "https://unit42.paloaltonetworks.com/the-oilrig-campaign-attacks-on-saudi-arabian-organizations-deliver-helminth-backdoor/" - } - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-10-12T16:31:19.923Z", - "description": "[OilRig](https://attack.mitre.org/groups/G0049) used spearphishing emails with malicious Microsoft Excel spreadsheet attachments. 
(Citation: Robert Falcone, Bryan Lee May 2016)", - "relationship_type": "uses", - "source_ref": "intrusion-set--4ca1929c-7d64-4aab-b849-badbfc0c760d", - "target_ref": "attack-pattern--648f995e-9c3a-41e4-aeee-98bb41037426", "x_mitre_deprecated": false, "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "2.1.0", 
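Review bot: The added Industroyer `uses` relationship (relationship--83c8c216-7ff7-4bd3-9db4-573469628d95) spells the targeted relay `SPIROTEC` twice in its description. The Siemens protection-relay product line is SIPROTEC, so a defender searching the bundle by product name will not match this entry. The same sentence also drops a word in `is used the adversary`. I would change the two places to `The [Industroyer](https://attack.mitre.org/software/S0604) SIPROTEC DoS module places the victim device into firmware update mode.` and `but in this case is used by the adversary to prevent the SIPROTEC from performing its designed protective functions.` This hunk mostly reorders objects, so the wording may predate the commit.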
@@ -19190,24 +22686,43 @@ }, { "type": "relationship", - "id": "relationship--327916f7-fe5d-4858-adeb-f72f74c60c25", - "created": "2021-10-08T15:25:32.143Z", + "id": "relationship--76654cf3-5cfe-4bf4-b134-806fd75b1ddb", + "created": "2022-09-20T20:55:00.134Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { - "source_name": "Nicolas Falliere, Liam O Murchu, Eric Chien February 2011", - "description": "Nicolas Falliere, Liam O Murchu, Eric Chien 2011, February W32.Stuxnet Dossier (Version 1.4) Retrieved. 2017/09/22 ", - "url": "https://www.wired.com/images_blogs/threatlevel/2011/02/Symantec-Stuxnet-Update-Feb-2011.pdf" + "source_name": "Pinellas County Sheriffs Office February 2021", + "description": "Pinellas County Sheriffs Office 2021, February 8 Treatment Plant Intrusion Press Conference Retrieved. 2021/10/08 ", + "url": "https://www.youtube.com/watch?v=MkXDSOgLQ6M" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2022-09-20T21:11:45.996Z", - "description": "[Stuxnet](https://attack.mitre.org/software/S0603) sends an SQL statement that creates a table and inserts a binary value into the table. The binary value is a hex string representation of the main Stuxnet DLL as an executable file (formed using resource 210) and an updated configuration data block. (Citation: Nicolas Falliere, Liam O Murchu, Eric Chien February 2011)", + "modified": "2022-10-18T13:25:44.859Z", + "description": "During the [Oldsmar Treatment Plant Intrusion](https://attack.mitre.org/campaigns/C0009), the threat actors utilized the operator HMI interface through the graphical user interface. 
This action led to immediate operator detection as they were able to see the adversary making changes on their screen.(Citation: Pinellas County Sheriffs Office February 2021)", "relationship_type": "uses", - "source_ref": "malware--088f1d6e-0783-47c6-9923-9c79b2af43d4", + "source_ref": "campaign--65281d3e-b03c-46b8-8cd8-716363ac3cb2", + "target_ref": "attack-pattern--b0628bfc-5376-4a38-9182-f324501cb4cf", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--1f6b87f3-6749-4caa-98d3-265ebbe0ecbe", + "created": "2022-05-11T16:22:58.805Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-14T16:56:06.055Z", + "description": "Monitor for alike file hashes or characteristics (ex: filename) that are created on multiple hosts. ", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--639e87f3-acb6-448a-9645-258f20da4bc5", "target_ref": "attack-pattern--ead7bd34-186e-4c79-9a4d-b65bcce6ed9d", "x_mitre_deprecated": false, "x_mitre_version": "1.0", 
@@ -19216,190 +22731,54 @@ }, { "type": "relationship", - "id": "relationship--4cce6bf1-1aa9-483d-a733-d6e52e091419", + "id": "relationship--9d75333b-2542-4899-923f-55dc1e077a51", + "created": "2022-09-27T16:03:41.224Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-14T16:45:52.592Z", + "description": "Anti-virus can potentially detect malicious documents and files that are downloaded and executed on the user's computer. Endpoint sensing or network sensing can potentially detect malicious events once the file is opened (such as a Microsoft Word document or PDF reaching out to the internet or spawning PowerShell).", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--235b7491-2d2b-4617-9a52-3c0783680f71", + "target_ref": "attack-pattern--2736b752-4ec5-4421-a230-8977dea7649c", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--b72b7dfd-f134-4324-84b8-52ff13fc6b5c", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.128Z", + "relationship_type": "mitigates", + "description": "Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses. Perform periodic integrity checks of the device to validate the correctness of the firmware, software, programs, and configurations. 
Integrity checks, which typically include cryptographic hashes or digital signatures, should be compared to those obtained at known valid states, especially after events like device reboots, program downloads, or program restarts.\n", + "source_ref": "course-of-action--bcf91ebc-f316-4e19-b2f6-444e9940c697", + "target_ref": "attack-pattern--ab390887-afc0-4715-826d-b1b167d522ae", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--c473686a-2452-4ee6-bf1d-54bf3e575d95", "created": "2022-05-11T16:22:58.804Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, - "external_references": [ - { - "source_name": "Atlassian Confluence Logging", - "description": "Atlassian. (2018, January 9). How to Enable User Access Logging. Retrieved April 4, 2018.", - "url": "https://confluence.atlassian.com/confkb/how-to-enable-user-access-logging-182943.html" - }, - { - "source_name": "Microsoft SharePoint Logging", - "description": "Microsoft. (2017, July 19). Configure audit settings for a site collection. Retrieved April 4, 2018.", - "url": "https://support.office.com/en-us/article/configure-audit-settings-for-a-site-collection-a9920c97-38c0-44f2-8bcb-4cf1e2ae22d2" - }, - { - "source_name": "Sharepoint Sharing Events", - "description": "Microsoft. (n.d.). Sharepoint Sharing Events. 
Retrieved October 8, 2021.", - "url": "https://docs.microsoft.com/en-us/microsoft-365/compliance/use-sharing-auditing?view=o365-worldwide#sharepoint-sharing-events" - } - ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2022-09-27T18:01:51.664Z", - "description": "In the case of detecting collection from centralized information repositories monitor for newly constructed logon behavior within Microsoft's SharePoint can be configured to report access to certain pages and documents.(Citation: Microsoft SharePoint Logging) Sharepoint audit logging can also be configured to report when a user shares a resource.(Citation: Sharepoint Sharing Events) The user access logging within Atlassian's Confluence can also be configured to report access to certain pages and documents through AccessLogFilter.(Citation: Atlassian Confluence Logging) Additional log storage and analysis infrastructure will likely be required for more robust detection capabilities. 
For added context on adversary procedures and background see [Data from Information Repositories](https://attack.mitre.org/techniques/T1213).", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--9ce98c86-8d30-4043-ba54-0784d478d0b5", - "target_ref": "attack-pattern--3405891b-16aa-4bd7-bd7c-733501f9b20f", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "type": "relationship", - "id": "relationship--d2addaa7-0fdf-44e3-9b20-c63b2b4179af", - "created": "2022-09-27T16:08:15.473Z", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-09-27T16:08:15.473Z", - "description": "Monitor device application logs that indicate the program has changed, although not all devices produce such logs.", + "modified": "2022-10-14T19:42:42.363Z", + "description": "Firewalls and proxies can inspect URLs for potentially known-bad domains or parameters. 
They can also do reputation-based analytics on websites and their requested resources such as how old a domain is, who it's registered to, if it's on a known bad list, or how many other users have connected to it before.", "relationship_type": "detects", "source_ref": "x-mitre-data-component--9c2fa0ae-7abc-485a-97f6-699e3b6cf9fa", - "target_ref": "attack-pattern--fc5fda7e-6b2c-4457-b036-759896a2efa2", - "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "2.1.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "type": "relationship", - "id": "relationship--70113c21-85f2-4232-8755-233f93864277", - "created": "2022-05-11T16:22:58.807Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-09-27T19:17:12.033Z", - "description": "Monitor processes and command-line arguments to see if critical processes are terminated or stop running. 
For added context on adversary procedures and background see [Service Stop](https://attack.mitre.org/techniques/T1489).", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--61f1d40e-f3d0-4cc6-aa2d-937b6204194f", - "target_ref": "attack-pattern--063b5b92-5361-481a-9c3f-95492ed9a2d8", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "relationship", - "id": "relationship--3f76d408-be8a-478e-8a5a-aab1d1f96572", - "created": "2018-04-18T17:59:24.739Z", - "x_mitre_version": "1.0", - "external_references": [ - { - "source_name": "Julian Rrushi, Hassan Farhangi, Clay Howey, Kelly Carmichael, Joey Dabell December 2015", - "url": "https://pdfs.semanticscholar.org/18df/43ef1690b0fae15a36f770001160aefbc6c5.pdf", - "description": "Julian Rrushi, Hassan Farhangi, Clay Howey, Kelly Carmichael, Joey Dabell 2015, December 08 A Quantitative Evaluation of the Target Selection of Havex ICS Malware Plugin Retrieved. 2019/04/01 " - } - ], - "x_mitre_deprecated": false, - "revoked": false, - "description": "The [Backdoor.Oldrea](https://attack.mitre.org/software/S0093) ICS malware plugin relies on Windows networking (WNet) to discover all the servers, including OPC servers, that are reachable by the compromised machine over the network. 
(Citation: Julian Rrushi, Hassan Farhangi, Clay Howey, Kelly Carmichael, Joey Dabell December 2015)", - "modified": "2022-08-11T13:23:12.321Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "relationship_type": "uses", - "source_ref": "malware--083bb47b-02c8-4423-81a2-f9ef58572974", - "target_ref": "attack-pattern--d5a69cfb-fc2a-46cb-99eb-74b236db5061", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "relationship", - "id": "relationship--7bfaf0ff-6d88-460f-aa32-3fb0267b4f20", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.084Z", - "relationship_type": "mitigates", - "description": "Traffic to known anonymity networks and C2 infrastructure can be blocked through the use of network allow and block lists. 
It should be noted that this kind of blocking may be circumvented by other techniques likeDomain Fronting.\n", - "source_ref": "course-of-action--11f242bc-3121-438c-84b2-5cbd46a4bb17", - "target_ref": "attack-pattern--d67adac8-e3b9-44f9-9e6d-6c2a7d69dbe4", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - "type": "relationship", - "id": "relationship--b064068a-9e17-4ac8-9a92-a1338d7196c7", - "created": "2022-09-27T15:30:18.604Z", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-09-27T15:30:18.604Z", - "description": "Monitor logs from installed applications (e.g., historian logs) for unexpected commands or abuse of system features.", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--9c2fa0ae-7abc-485a-97f6-699e3b6cf9fa", - "target_ref": "attack-pattern--24a9253e-8948-4c98-b751-8e2aee53127c", - "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "2.1.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "relationship", - "id": "relationship--798919d3-df8b-463f-b2be-4c1aa8089384", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2021-10-14T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.226Z", - "relationship_type": "mitigates", - "description": "Segment and control software movement between business and OT environments by way of one directional DMZs. Web access should be restricted from the OT environment. 
Engineering workstations, including transient cyber assets (TCAs) should have minimal connectivity to external networks, including Internet and email, further limit the extent to which these devices are dual-homed to multiple networks. (Citation: North America Transmission Forum December 2019)\n", - "source_ref": "course-of-action--1e7ccfc0-94c8-496e-8d27-032120892291", - "target_ref": "attack-pattern--35392fb4-a31d-4c6a-b9f2-1c65b7f5e6b9", - "external_references": [ - { - "source_name": "North America Transmission Forum December 2019", - "description": "North America Transmission Forum 2019, December NATF Transient Cyber Asset Guidance Retrieved. 2020/09/25 ", - "url": "https://www.natf.net/docs/natf/documents/resources/security/natf-transient-cyber-asset-guidance.pdf" - } - ], - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - "type": "relationship", - "id": "relationship--b5ab26e2-eb90-4f19-b35a-b8a0a5438961", - "created": "2017-12-14T16:46:06.044Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "external_references": [ - { - "source_name": "Hydro", - "description": "Hydro Kevin Beaumont How Lockergoga took down Hydro ransomware used in targeted attacks aimed at big business Retrieved. 2019/10/16 Retrieved. 2019/10/16 ", - "url": "https://www.hydro.com/en/media/on-the-agenda/cyber-attack/" - }, - { - "source_name": "Kevin Beaumont", - "description": "Kevin Beaumont How Lockergoga took down Hydro ransomware used in targeted attacks aimed at big business Retrieved. 
2019/10/16 ", - "url": "https://doublepulsar.com/how-lockergoga-took-down-hydro-ransomware-used-in-targeted-attacks-aimed-at-big-business-c666551f5880" - } - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-10-12T17:57:06.704Z", - "description": "Some of Norsk Hydro's production systems were impacted by a [LockerGoga](https://attack.mitre.org/software/S0372) infection. This resulted in a loss of control which forced the company to switch to manual operations. (Citation: Kevin Beaumont) (Citation: Hydro)", - "relationship_type": "uses", - "source_ref": "malware--5af7a825-2d9f-400d-931a-e00eb9e27f48", - "target_ref": "attack-pattern--a81696ef-c106-482c-8f80-59c30f2569fb", + "target_ref": "attack-pattern--7830cfcf-b268-4ac0-a69e-73c6affbae9a", "x_mitre_deprecated": false, "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "2.1.0", 
@@ -19407,474 +22786,26 @@ }, { "type": "relationship", - "id": "relationship--92ea1c2a-3835-43de-bb56-24e937a6f322", - "created": "2022-05-11T16:22:58.807Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-10-14T16:31:12.226Z", - "description": "Monitor for events associated with scripting execution, such as the loading of modules associated with scripting languages (e.g., JScript.dll, vbscript.dll).", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--c0a4a086-cc20-4e1e-b7cb-29d99dfa3fb1", - "target_ref": "attack-pattern--2dc2b567-8821-49f9-9045-8740f3d0b958", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "type": "relationship", - "id": "relationship--fc6cc5f2-ef5b-4a28-a0b2-a277ee98191d", - "created": "2022-05-11T16:22:58.808Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-10-14T16:45:25.119Z", - "description": "Monitor and analyze traffic patterns and packet inspection associated with web-based network connections that are sent to malicious or suspicious destinations (e.g., destinations attributed to phishing campaigns). 
Consider correlation with process monitoring and command line to detect anomalous processes execution and command line arguments (e.g., monitor anomalies in use of files that do not normally initiate network connections or unusual connections initiated by regsvr32.exe, rundll.exe, SCF, HTA, MSI, DLLs, or msiexec.exe).", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c", - "target_ref": "attack-pattern--2736b752-4ec5-4421-a230-8977dea7649c", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "relationship", - "id": "relationship--111f437a-c67d-40e4-9515-7e9b22e65eff", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.234Z", - "relationship_type": "mitigates", - "description": "Audit domain and local accounts and their permission levels routinely to look for situations that could allow an adversary to gain system wide access with stolen privileged account credentials. (Citation: Microsoft May 2017) (Citation: Microsoft August 2018)These audits should also identify if default accounts have been enabled, or if new local accounts are created that have not be authorized. Follow best practices for design and administration of an enterprise network to limit privileged account use across administrative tiers. (Citation: Microsoft February 2019)\n", - "source_ref": "course-of-action--622fe4d4-0e8e-4d17-9c25-6c9cef1f15d5", - "target_ref": "attack-pattern--cd2c76a4-5e23-4ca5-9c40-d5e0604f7101", - "external_references": [ - { - "source_name": "Microsoft May 2017", - "description": "Microsoft 2017, May Attractive Accounts for Credential Theft Retrieved. 
2020/09/25 ", - "url": "https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/plan/security-best-practices/attractive-accounts-for-credential-theft" - }, - { - "source_name": "Microsoft August 2018", - "description": "Microsoft 2018, August Implementing Least-Privilege Administrative Models Retrieved. 2020/09/25 ", - "url": "https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/plan/security-best-practices/implementing-least-privilege-administrative-models" - }, - { - "source_name": "Microsoft February 2019", - "description": "Microsoft 2019, February Active Directory administrative tier model Retrieved. 2020/09/25 ", - "url": "https://docs.microsoft.com/en-us/windows-server/identity/securing-privileged-access/securing-privileged-access-reference-material#a-nameesaebmaesae-administrative-forest-design-approach" - } - ], - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - "type": "relationship", - "id": "relationship--350814da-5c36-42f9-8e58-8f9534e6ce0a", - "created": "2018-04-18T17:59:24.739Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "external_references": [ - { - "source_name": "FireEye TRITON", - "description": "Blake Johnson, Dan Caban, Marina Krotofil, Dan Scali, Nathan Brubaker, Christopher Glyer. (2017, December 14). Attackers Deploy New ICS Attack Framework \"TRITON\" and Cause Operational Disruption to Critical Infrastructure. Retrieved January 6, 2021.", - "url": "https://www.fireeye.com/blog/threat-research/2017/12/attackers-deploy-new-ics-attack-framework-triton.html" - }, - { - "source_name": "DHS CISA February 2019", - "description": "DHS CISA 2019, February 27 MAR-17-352-01 HatManSafety System Targeted Malware (Update B) Retrieved. 
2019/03/08 ", - "url": "https://ics-cert.us-cert.gov/sites/default/files/documents/MAR-17-352-01%20HatMan%20-%20Safety%20System%20Targeted%20Malware%20%28Update%20B%29.pdf" - } - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-09-29T20:49:30.525Z", - "description": "[Triton](https://attack.mitre.org/software/S1009)'s injector, inject.bin, masquerades as a standard compiled PowerPC program for the Tricon. (Citation: DHS CISA February 2019)\n\n[Triton](https://attack.mitre.org/software/S1009) was configured to masquerade as trilog.exe, which is the Triconex software for analyzing SIS logs.(Citation: FireEye TRITON)", - "relationship_type": "uses", - "source_ref": "malware--80099a91-4c86-4bea-9ccb-dac55d61960e", - "target_ref": "attack-pattern--ba203963-3182-41ac-af14-7e7ebc83cd61", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "type": "relationship", - "id": "relationship--5901e8b3-7df0-43e0-bdc5-f4fd2792a572", + "id": "relationship--0d540b53-6a5d-4f56-9dee-47707443b149", "created": "2022-05-11T16:22:58.806Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2022-10-14T16:17:25.451Z", - "description": "Monitor for newly executed processes related to services specifically designed to accept remote connections, such as RDP, Telnet, SSH, and VNC. 
The adversary may use [Valid Accounts](https://attack.mitre.org/techniques/T0859) to login and may perform follow-on actions that spawn additional processes as the user.", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--3d20385b-24ef-40e1-9f56-f39750379077", - "target_ref": "attack-pattern--e1f9cdd2-9511-4fca-90d7-f3e92cfdd0bf", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "type": "relationship", - "id": "relationship--c11a95c2-6e9d-4d90-b6ab-20227869f2e4", - "created": "2022-05-11T16:22:58.807Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "external_references": [ - { - "source_name": "CopyFromScreen .NET", - "description": "Microsoft. (n.d.). Graphics.CopyFromScreen Method. Retrieved March 24, 2020.", - "url": "https://docs.microsoft.com/en-us/dotnet/api/system.drawing.graphics.copyfromscreen?view=netframework-4.8" - }, - { - "source_name": "Antiquated Mac Malware", - "description": "Thomas Reed. (2017, January 18). New Mac backdoor using antiquated code. Retrieved July 5, 2017.", - "url": "https://blog.malwarebytes.com/threat-analysis/2017/01/new-mac-backdoor-using-antiquated-code/" - } - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-10-14T19:38:15.307Z", - "description": "Monitoring for screen capture behavior will depend on the method used to obtain data from the operating system and write output files. 
Detection methods could include collecting information from unusual processes using API calls used to obtain image data, and monitoring for image files written to disk, such as CopyFromScreen, xwd, or screencapture.(Citation: CopyFromScreen .NET)(Citation: Antiquated Mac Malware) The data may need to be correlated with other events to identify malicious activity, depending on the legitimacy of this behavior within a given network environment.", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e", - "target_ref": "attack-pattern--c5e3cdbc-0387-4be9-8f83-ff5c0865f377", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "relationship", - "id": "relationship--ba010007-6dde-4c9d-8452-69527cd1c2ba", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.091Z", - "relationship_type": "mitigates", - "description": "Minimize permissions and access for service accounts to limit the information that may be exposed or collected by malicious users or software. (Citation: National Institute of Standards and Technology April 2013)\n", - "source_ref": "course-of-action--622fe4d4-0e8e-4d17-9c25-6c9cef1f15d5", - "target_ref": "attack-pattern--3405891b-16aa-4bd7-bd7c-733501f9b20f", - "external_references": [ - { - "source_name": "National Institute of Standards and Technology April 2013", - "description": "National Institute of Standards and Technology 2013, April Security and Privacy Controls for Federal Information Systems and Organizations Retrieved. 
2020/09/17 ", - "url": "https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf" - } - ], - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "relationship--129a4d3f-fa4a-42c3-833e-8f15155b9693", - "type": "relationship", - "created": "2022-03-09T23:42:34.056Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "external_references": [ - { - "source_name": "Secureworks IRON VIKING ", - "url": "https://www.secureworks.com/research/threat-profiles/iron-viking", - "description": "Secureworks. (2020, May 1). IRON VIKING Threat Profile. Retrieved June 10, 2020." - } - ], - "modified": "2022-03-09T23:42:34.056Z", - "description": "(Citation: Secureworks IRON VIKING )", - "relationship_type": "uses", - "source_ref": "intrusion-set--381fcf73-60f6-4ab2-9991-6af3cbc35192", - "target_ref": "malware--2eaa5319-5e1e-4dd7-bbc4-566fced3964a", - "x_mitre_version": "1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "type": "relationship", - "id": "relationship--edf73653-b2d7-422f-b433-b6a428ff12d4", - "created": "2017-05-31T21:33:27.074Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "external_references": [ - { - "source_name": "Orkhan Mamedov, Fedor Sinitsyn, Anton Ivanov October 2017", - "description": "Orkhan Mamedov, Fedor Sinitsyn, Anton Ivanov 2017, October 27 Bad Rabbit Ransomware Retrieved. 2019/10/27 ", - "url": "https://securelist.com/bad-rabbit-ransomware/82851/" - } - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-10-12T17:31:21.210Z", - "description": "[Bad Rabbit](https://attack.mitre.org/software/S0606) is disguised as an Adobe Flash installer. 
When the file is opened it starts locking the infected computer. (Citation: Orkhan Mamedov, Fedor Sinitsyn, Anton Ivanov October 2017)", - "relationship_type": "uses", - "source_ref": "malware--2eaa5319-5e1e-4dd7-bbc4-566fced3964a", - "target_ref": "attack-pattern--2736b752-4ec5-4421-a230-8977dea7649c", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "type": "relationship", - "id": "relationship--ccab2b58-7c47-45fe-bdd3-3444fb53760c", - "created": "2022-09-27T15:34:07.320Z", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-09-27T15:34:07.320Z", - "description": "Monitor DLL file events, specifically creation of these binary files as well as the loading of DLLs into processes associated with remote graphical connections, such as RDP and VNC. [Remote Services](https://attack.mitre.org/techniques/T0886) may be used to access a host’s GUI.", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--c0a4a086-cc20-4e1e-b7cb-29d99dfa3fb1", - "target_ref": "attack-pattern--b0628bfc-5376-4a38-9182-f324501cb4cf", - "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "2.1.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "type": "relationship", - "id": "relationship--9e0810a5-ad02-487f-b0a8-bf07decca493", - "created": "2022-05-11T16:22:58.803Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-09-26T15:07:52.455Z", - "description": "Monitor for a loss of network communications, which may indicate this technique is being used.", - 
"relationship_type": "detects", - "source_ref": "x-mitre-data-component--a7f22107-02e5-4982-9067-6625d4a1765a", - "target_ref": "attack-pattern--3f1f4ccb-9be2-4ff8-8f69-dd972221169b", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "type": "relationship", - "id": "relationship--966b59c0-8641-432c-84f7-b2a712004d74", - "created": "2018-10-17T00:14:20.652Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "external_references": [ - { - "source_name": "Anton Cherepanov, ESET June 2017", - "description": "Anton Cherepanov, ESET 2017, June 12 Win32/Industroyer: A new threat for industrial control systems Retrieved. 2017/09/15 ", - "url": "https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf" - } - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-09-23T18:52:41.680Z", - "description": "The [Industroyer](https://attack.mitre.org/software/S0604) IEC 104 module has 3 modes available to perform its attack. These modes are range, shift, and sequence. The range mode operates in 2 stages. The first stage of range mode gathers Information Object Addresses (IOA) and sends select and execute packets to switch the state. The second stage of range mode has an infinite loop where it will switch the state of all of the previously discovered IOAs. Shift mode is similar to range mode, but instead of staying within the same range, it will add a shift value to the default range values. 
(Citation: Anton Cherepanov, ESET June 2017)", - "relationship_type": "uses", - "source_ref": "malware--e401d4fe-f0c9-44f0-98e6-f93487678808", - "target_ref": "attack-pattern--8e7089d3-fba2-44f8-94a8-9a79c53920c4", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "type": "relationship", - "id": "relationship--375b7e67-8b3f-4102-9e3e-7e356b6c8bf4", - "created": "2022-05-11T16:22:58.805Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-10-14T19:43:54.996Z", - "description": "Detecting software exploitation may be difficult depending on the tools available. Software exploits may not always succeed or may cause the exploited process to become unstable or crash. Web Application Firewalls may detect improper inputs attempting exploitation.", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--9c2fa0ae-7abc-485a-97f6-699e3b6cf9fa", - "target_ref": "attack-pattern--32632a95-6856-47b9-9ab7-fea5cd7dce00", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "type": "relationship", - "id": "relationship--6be3917c-aad7-4a3f-bea2-23e4ba4310ee", - "created": "2022-09-29T14:26:04.715Z", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-09-29T14:26:04.715Z", - "description": "Monitor network traffic for hardcoded credential use in protocols that allow unencrypted authentication.", + "modified": "2022-09-30T16:00:14.208Z", + "description": "Monitor ICS automation network protocols for functions related to reading an operational process state (e.g., 
“Read” function codes in protocols like DNP3 or Modbus). In some cases, there may be multiple ways to monitor an operational process’ state, one of which is typically used in the operational environment. Monitor for the operating mode being checked in unexpected ways.", "relationship_type": "detects", "source_ref": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c", - "target_ref": "attack-pattern--c9a8d958-fcdb-40d2-af4c-461c8031651a", - "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "2.1.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "type": "relationship", - "id": "relationship--5714c88f-ca54-46b6-b072-cd1d24714ae0", - "created": "2022-09-29T14:28:08.703Z", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-09-29T14:28:08.703Z", - "description": "Ensure embedded controls and network devices are protected through access management, as these devices often have unknown hardcoded accounts which could be used to gain unauthorized access.", - "relationship_type": "mitigates", - "source_ref": "course-of-action--3992ce42-43e9-4bea-b8db-a102ec3ec1e3", - "target_ref": "attack-pattern--c9a8d958-fcdb-40d2-af4c-461c8031651a", - "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "2.1.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "type": "relationship", - "id": "relationship--ceafc04b-b31f-419b-82da-41ce9e1ec6e9", - "created": "2022-09-23T16:36:40.950Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-09-27T15:50:45.583Z", 
- "description": "Engineering and asset management software will often maintain a copy of the expected program loaded on a controller and may also record any changes made to controller programs and tasks. Data from these platforms can be used to identify modified controller tasking.", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--8ed4e6d0-56d7-4e6b-8fa6-41f41631f30d", - "target_ref": "attack-pattern--09a61657-46e1-439e-b3ed-3e4556a78243", - "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "relationship", - "id": "relationship--d8f45959-e0fc-4b4f-a074-a3acea926300", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.194Z", - "relationship_type": "mitigates", - "description": "Consider the disabling of features such as AutoRun.\n", - "source_ref": "course-of-action--d0909119-2f71-4923-87db-b649881672d7", - "target_ref": "attack-pattern--c267bbee-bb59-47fe-85e0-3ed210337c21", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - "type": "relationship", - "id": "relationship--ca0c26d7-c4a9-4c4a-bbd4-f3df4b1f5f69", - "created": "2022-05-11T16:22:58.804Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-10-14T19:50:10.284Z", - "description": "Monitor for processes spawning from known command shell applications (e.g., PowerShell, Bash). Benign activity will need to be allow-listed. 
This information can be useful in gaining additional insight to adversaries' actions through how they use native processes or custom tools.", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--3d20385b-24ef-40e1-9f56-f39750379077", - "target_ref": "attack-pattern--24a9253e-8948-4c98-b751-8e2aee53127c", + "target_ref": "attack-pattern--2d0d40ad-22fa-4cc8-b264-072557e1364b", "x_mitre_deprecated": false, "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], "type": "relationship", - "id": "relationship--2e5f338d-92c4-4647-8fef-7c901ff774f5", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.220Z", - "relationship_type": "mitigates", - "description": "Protect files stored locally with proper permissions to limit opportunities for adversaries to interact and collect information from databases. (Citation: Keith Stouffer May 2015) (Citation: National Institute of Standards and Technology April 2013)\n", - "source_ref": "course-of-action--f9fcb3ec-6de0-4559-8cd9-ef1c0c7d1971", - "target_ref": "attack-pattern--b7e13ee8-182c-4f19-92a4-a88d7d855d54", - "external_references": [ - { - "source_name": "Keith Stouffer May 2015", - "description": "Keith Stouffer 2015, May Guide to Industrial Control Systems (ICS) Security Retrieved. 2018/03/28 ", - "url": "https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-82r2.pdf" - }, - { - "source_name": "National Institute of Standards and Technology April 2013", - "description": "National Institute of Standards and Technology 2013, April Security and Privacy Controls for Federal Information Systems and Organizations Retrieved. 
2020/09/17 ", - "url": "https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf" - } - ], - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - "type": "relationship", - "id": "relationship--9f25cdae-7d0f-49cd-acaf-481f71195ae5", - "created": "2022-09-27T16:38:57.931Z", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-09-27T16:38:57.931Z", - "description": "Detecting software exploitation may be difficult depending on the tools available. Software exploits may not always succeed or may cause the exploited process to become unstable or crash.", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--9c2fa0ae-7abc-485a-97f6-699e3b6cf9fa", - "target_ref": "attack-pattern--cfe68e93-ce94-4c0f-a57d-3aa72cedd618", - "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "2.1.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "relationship", - "id": "relationship--3d676c1b-2650-4599-8a57-790c55f9977d", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.109Z", - "relationship_type": "mitigates", - "description": "Minimize the exposure of API calls that allow the execution of code.\n", - "source_ref": "course-of-action--4fa717d9-cabe-47c8-8cdd-86e9e2e37f30", - "target_ref": "attack-pattern--5a2610f6-9fff-41e1-bc27-575ca20383d4", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - "type": "relationship", - "id": 
"relationship--74b66248-2cb6-46ea-b52c-c7d60c170f3f", + "id": "relationship--a946c9b1-5b89-44c9-b617-3412ffda34b9", "created": "2018-04-18T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, @@ -19888,11 +22819,11 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2022-10-12T18:26:26.552Z", - "description": "[Triton](https://attack.mitre.org/software/S1009) has the ability to halt or run a program through the TriStation protocol. TsHi.py contains instances of halt and run functions being executed. (Citation: MDudek-ICS)", + "modified": "2022-10-12T18:27:55.358Z", + "description": "[Triton](https://attack.mitre.org/software/S1009) calls the SafeAppendProgramMod to transfer its payloads to the Tricon. Part of this call includes preforming a program upload. (Citation: MDudek-ICS)", "relationship_type": "uses", "source_ref": "malware--80099a91-4c86-4bea-9ccb-dac55d61960e", - "target_ref": "attack-pattern--2883c520-7957-46ca-89bd-dab1ad53b601", + "target_ref": "attack-pattern--3067b85e-271e-4bc5-81ad-ab1a81d411e3", "x_mitre_deprecated": false, "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "2.1.0", 
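Review bot: The new `description` in the `@@ -19888,11 +22819,11 @@` hunk contains a typo, "includes preforming a program upload", where "performing" is meant. This text is surfaced to analysts reading the Triton relationship, so it is worth correcting in the source data: `Part of this call includes performing a program upload. (Citation: MDudek-ICS)`. The same sentence says "calls the SafeAppendProgramMod to transfer its payloads", which seems to be missing a noun after the name (presumably "function"; confirm against the cited source). Because `id`, `description` and `target_ref` all change together, this looks like a different relationship object landing at this position rather than an in-place edit, so consumers of the bundle should match on `id` and not on array position.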
@@ -19900,148 +22831,71 @@ }, { "type": "relationship", - "id": "relationship--46bc86e4-e20b-4778-80d2-8891039e6fb4", - "created": "2017-12-14T16:46:06.044Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "external_references": [ - { - "source_name": "Hydro", - "description": "Hydro Kevin Beaumont How Lockergoga took down Hydro ransomware used in targeted attacks aimed at big business Retrieved. 2019/10/16 Retrieved. 2019/10/16 ", - "url": "https://www.hydro.com/en/media/on-the-agenda/cyber-attack/" - }, - { - "source_name": "Kevin Beaumont", - "description": "Kevin Beaumont How Lockergoga took down Hydro ransomware used in targeted attacks aimed at big business Retrieved. 2019/10/16 ", - "url": "https://doublepulsar.com/how-lockergoga-took-down-hydro-ransomware-used-in-targeted-attacks-aimed-at-big-business-c666551f5880" - } - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-10-12T17:56:30.836Z", - "description": "While Norsk Hydro attempted to recover from a [LockerGoga](https://attack.mitre.org/software/S0372) infection, most of its 160 manufacturing locations switched to manual (non-IT driven) operations. Manual operations can result in a loss of productivity. 
(Citation: Kevin Beaumont)(Citation: Hydro)", - "relationship_type": "uses", - "source_ref": "malware--5af7a825-2d9f-400d-931a-e00eb9e27f48", - "target_ref": "attack-pattern--63b6942d-8359-4506-bfb3-cf87aa8120ee", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "relationship", - "id": "relationship--c5fd0969-c151-4849-94c2-83e2e208cff7", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.168Z", - "relationship_type": "mitigates", - "description": "Ensure that wired and/or wireless traffic is encrypted when feasible. Use best practices for authentication protocols, such as Kerberos, and ensure web traffic that may contain credentials is protected by SSL/TLS. (Citation: Keith Stouffer May 2015)\n", - "source_ref": "course-of-action--7f153c28-e5f1-4764-88fb-eea1d9b0ad4a", - "target_ref": "attack-pattern--38213338-1aab-479d-949b-c81b66ccca5c", - "external_references": [ - { - "source_name": "Keith Stouffer May 2015", - "description": "Keith Stouffer 2015, May Guide to Industrial Control Systems (ICS) Security Retrieved. 
2018/03/28 ", - "url": "https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-82r2.pdf" - } - ], - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "relationship", - "id": "relationship--7ff12adb-bc9a-42e5-9cbf-613b200c36dc", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.114Z", - "relationship_type": "mitigates", - "description": "Make it difficult for adversaries to advance their operation through exploitation of undiscovered or unpatched vulnerabilities by using sandboxing. Other types of virtualization and application microsegmentation may also mitigate the impact of some types of exploitation. Risks of additional exploits and weaknesses in these systems may still exist. (Citation: Dan Goodin March 2017)\n", - "source_ref": "course-of-action--059ba11e-e3dc-49aa-84ca-88197f40d4ea", - "target_ref": "attack-pattern--9f947a1c-3860-48a8-8af0-a2dfa3efde03", - "external_references": [ - { - "source_name": "Dan Goodin March 2017", - "description": "Dan Goodin 2017, March Virtual machine escape fetches $105,000 at Pwn2Own hacking contest Retrieved. 
2020/09/25 ", - "url": "https://arstechnica.com/information-technology/2017/03/hack-that-escapes-vm-by-exploiting-edge-browser-fetches-105000-at-pwn2own/" - } - ], - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - "type": "relationship", - "id": "relationship--97df42a5-e6d3-4fb7-a158-c161d14624ab", - "created": "2022-05-11T16:22:58.806Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "id": "relationship--7a79ff35-319a-4e7d-b8c7-72f0bb0f8978", + "created": "2022-09-26T14:29:33.111Z", "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2022-09-26T16:59:40.539Z", - "description": "Monitor device application logs parameter changes, although not all devices will produce such logs.", + "modified": "2022-09-26T14:29:33.111Z", + "description": "Various techniques enable spoofing a reporting message. Monitor for LLMNR/NBT-NS poisoning via new services/daemons which may be used to enable this technique. 
For added context on adversary procedures and background see [LLMNR/NBT-NS Poisoning and SMB Relay](https://attack.mitre.org/techniques/T1557/001).", "relationship_type": "detects", - "source_ref": "x-mitre-data-component--9c2fa0ae-7abc-485a-97f6-699e3b6cf9fa", - "target_ref": "attack-pattern--097924ce-a9a9-4039-8591-e0deedfb8722", + "source_ref": "x-mitre-data-component--da85d358-741a-410d-9433-20d6269a6170", + "target_ref": "attack-pattern--8535b71e-3c12-4258-a4ab-40257a1becc4", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "2.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--c63c35c2-a402-4d0d-bf25-f48eb9b379c1", + "created": "2022-05-11T16:22:58.807Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-09-26T14:26:20.823Z", + "description": "Spoofed reporting messages may be detected by reviewing the content of automation protocols, either through detecting based on expected values or comparing to other out of band process data sources. Spoofed messages may not precisely match legitimate messages which may lead to malformed traffic, although traffic may be malformed for many benign reasons. Monitor reporting messages for changes in how they are constructed.\n\nVarious techniques enable spoofing a reporting message. 
Consider monitoring for [Rogue Master](https://attack.mitre.org/techniques/T0848) and [Adversary-in-the-Middle](https://attack.mitre.org/techniques/T0830) activity.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c", + "target_ref": "attack-pattern--8535b71e-3c12-4258-a4ab-40257a1becc4", "x_mitre_deprecated": false, "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], "type": "relationship", - "id": "relationship--c6562519-81c5-4eca-a815-f46ac0ed4bcc", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.070Z", - "relationship_type": "mitigates", - "description": "Utilize network allowlists to restrict unnecessary connections to network devices (e.g., comm servers, serial to ethernet converters) and services, especially in cases when devices have limits on the number of simultaneous sessions they support.\n", - "source_ref": "course-of-action--aadac250-bcdc-44e3-a4ae-f52bd0a7a16a", - "target_ref": "attack-pattern--008b8f56-6107-48be-aa9f-746f927dbb61", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - "type": "relationship", - "id": "relationship--11e4eb54-b0b3-4f67-a93f-28cc10df00ab", - "created": "2021-04-13T12:28:20.652Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "id": "relationship--b4b698a7-b80e-41f6-8ca2-a954270cceb3", + "created": "2022-09-27T17:37:02.670Z", "revoked": false, "external_references": [ { - "source_name": "Ben Hunter and Fred Gutierrez July 2020", - "description": "Ben Hunter and Fred Gutierrez 2020, July 01 EKANS Ransomware Targeting OT ICS Systems Retrieved. 
2021/04/12 ", - "url": "https://www.fortinet.com/blog/threat-research/ekans-ransomware-targeting-ot-ics-systems" + "source_name": "Nzyme Alerts Intro", + "description": "Koopmann, Lennart. (n.d.). Nzyme Alerts Introduction. Retrieved September 26, 2022.", + "url": "https://www.nzyme.org/docs/alerts/intro" }, { - "source_name": "Daniel Kapellmann Zafra, Keith Lunden, Nathan Brubaker, Jeremy Kennelly July 2020", - "description": "Daniel Kapellmann Zafra, Keith Lunden, Nathan Brubaker, Jeremy Kennelly 2020, July 15 Ransomware Against the Machine: How Adversaries are Learning to Disrupt Industrial Production by Targeting IT and OT Retrieved. 2021/04/12 ", - "url": "https://www.fireeye.com/blog/threat-research/2020/02/ransomware-against-machine-learning-to-disrupt-industrial-production.html" + "source_name": "Wireless Intrusion Detection", + "description": "Tomko, A.; Rieser, C; Buell, H.; Zeret, D.; Turner, W.. (2007, March). Wireless Intrusion Detection. Retrieved September 26, 2022.", + "url": "https://apps.dtic.mil/sti/pdfs/ADA466332.pdf" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2022-10-12T17:45:28.094Z", - "description": "Before encrypting the process, [EKANS](https://attack.mitre.org/software/S0605) first kills the process if its name matches one of the processes defined on the kill-list. (Citation: Daniel Kapellmann Zafra, Keith Lunden, Nathan Brubaker, Jeremy Kennelly July 2020) (Citation: Daniel Kapellmann Zafra, Keith Lunden, Nathan Brubaker, Jeremy Kennelly July 2020) EKANS also utilizes netsh commands to implement firewall rules that blocks any remote communication with the device. 
(Citation: Ben Hunter and Fred Gutierrez July 2020)", - "relationship_type": "uses", - "source_ref": "malware--00e7d565-9883-4ee5-b642-8fd17fd6a3f5", - "target_ref": "attack-pattern--063b5b92-5361-481a-9c3f-95492ed9a2d8", + "modified": "2022-09-27T17:37:02.670Z", + "description": "Purely passive network sniffing cannot be detected effectively. In cases where the adversary interacts with the wireless network (e.g., joining a Wi-Fi network) detection may be possible. Monitor for new or irregular network traffic flows which may indicate potentially unwanted devices or sessions on wireless networks. In Wi-Fi networks monitor for changes such as rogue access points or low signal strength, indicating a device is further away from the access point then expected and changes in the physical layer signal.(Citation: Nzyme Alerts Intro) (Citation: Wireless Intrusion Detection) Network traffic content will provide important context, such as hardware (e.g., MAC) addresses, user accounts, and types of messages sent.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--a7f22107-02e5-4982-9067-6625d4a1765a", + "target_ref": "attack-pattern--0fe075d5-beac-4d02-b93e-0f874997db72", "x_mitre_deprecated": false, - "x_mitre_version": "1.0", + "x_mitre_version": "0.1", "x_mitre_attack_spec_version": "2.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { 
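Review bot: The added wireless-sniffing detection `description` has a sentence that is hard to act on: `low signal strength, indicating a device is further away from the access point then expected and changes in the physical layer signal`. "then" should be "than", and "changes in the physical layer signal" reads as a separate indicator that got merged into the signal-strength clause. Splitting them would help, e.g. `... rogue access points, low signal strength (indicating a device is further away from the access point than expected), and changes in the physical layer signal. (Citation: Nzyme Alerts Intro)`. That wording also adds the space that is missing before `(Citation: Nzyme Alerts Intro)`.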
@@ -20049,21 +22903,14 @@ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", - "id": "relationship--58aa90a7-886b-4f37-ab16-a0beb0e64877", + "id": "relationship--ae7487f1-a2d0-443d-b418-cd726c5ac15f", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2021-04-21T14:04:49.301Z", - "modified": "2022-05-06T17:47:24.368Z", - "relationship_type": "uses", - "description": "[Dragonfly 2.0](https://attack.mitre.org/groups/G0035) captured ICS vendor names, reference documents, wiring diagrams, and panel layouts about the process environment. (Citation: Cybersecurity & Infrastructure Security Agency March 2018)", - "source_ref": "intrusion-set--76d59913-1d24-4992-a8ac-05a3eb093f71", - "target_ref": "attack-pattern--b7e13ee8-182c-4f19-92a4-a88d7d855d54", - "external_references": [ - { - "source_name": "Cybersecurity & Infrastructure Security Agency March 2018", - "description": "Cybersecurity & Infrastructure Security Agency 2018, March 15 Alert (TA18-074A) Russian Government Cyber Activity Targeting Energy and Other Critical Infrastructure Sectors Retrieved. 2019/10/11 ", - "url": "https://us-cert.cisa.gov/ncas/alerts/TA18-074A" - } - ], + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.167Z", + "relationship_type": "mitigates", + "description": "Network connection enumeration is likely obtained by using common system tools (e.g., netstat, ipconfig).\n", + "source_ref": "course-of-action--469b78dd-a54d-4f7c-8c3b-4a1dd916b433", + "target_ref": "attack-pattern--ea0c980c-5cf0-43a7-a049-59c4c207566e", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0" 
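Review bot: The added `mitigates` relationship carries a `description` that states no mitigation at all. `Network connection enumeration is likely obtained by using common system tools (e.g., netstat, ipconfig).` only explains how the technique is carried out. If the `source_ref` course of action is a "mitigation limited or not effective" placeholder (its definition is not visible in this hunk), the text should say so, for example `Mitigation is limited because network connection enumeration is likely obtained by using common system tools (e.g., netstat, ipconfig).`. Otherwise coverage tooling that counts `mitigates` edges will report a control for this technique where none is described.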
@@ -20073,14 +22920,48 @@ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", - "id": "relationship--f0ac1d07-fccd-4330-93cf-fbc985ee6fb9", + "id": "relationship--f45c2df8-30e7-45d0-8067-7b2870767574", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.160Z", + "modified": "2022-05-06T17:47:24.180Z", + "relationship_type": "mitigates", + "description": "All field controllers should require users to authenticate for all remote or local management sessions. The authentication mechanisms should also support [Account Use Policies](https://attack.mitre.org/mitigations/M0936), [Password Policies](https://attack.mitre.org/mitigations/M0927), and [User Account Management](https://attack.mitre.org/mitigations/M0918).", + "source_ref": "course-of-action--66cfe23e-34b6-4583-b178-ed6a412db2b0", + "target_ref": "attack-pattern--3067b85e-271e-4bc5-81ad-ab1a81d411e3", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--1fc147bd-d6ab-4beb-908b-0fbe8e125b76", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.235Z", + "relationship_type": "mitigates", + "description": "Ensure users and user groups have appropriate permissions for their roles through Identity and Access Management (IAM) controls. Implement strict IAM controls to prevent access to systems except for the applications, users, and services that require access. 
Implement user accounts for each individual for enforcement and non-repudiation of actions.\n", + "source_ref": "course-of-action--e57ebc6d-785f-40c8-adb1-b5b5e09b3b48", + "target_ref": "attack-pattern--cd2c76a4-5e23-4ca5-9c40-d5e0604f7101", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--652a68a2-a26b-4e8c-86dd-fd83187ed043", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.198Z", "relationship_type": "mitigates", "description": "Use host-based allowlists to prevent devices from accepting connections from unauthorized systems. For example, allowlists can be used to ensure devices can only connect with master stations or known management/engineering workstations. (Citation: Department of Homeland Security September 2016)\n", "source_ref": "course-of-action--aadac250-bcdc-44e3-a4ae-f52bd0a7a16a", - "target_ref": "attack-pattern--efbf7888-f61b-4572-9c80-7e2965c60707", + "target_ref": "attack-pattern--b14395bd-5419-4ef4-9bd8-696936f509bb", "external_references": [ { "source_name": "Department of Homeland Security September 2016", 
@@ -20094,105 +22975,18 @@ }, { "type": "relationship", - "id": "relationship--b0f137d8-3c56-4f6c-9d59-1ec231d61391", - "created": "2022-05-11T16:22:58.805Z", + "id": "relationship--c43fbdc0-4c1d-4ff8-9dd2-fd45199dcfaa", + "created": "2022-09-27T16:35:12.372Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2022-10-14T19:43:36.467Z", - "description": "Use deep packet inspection to look for artifacts of common exploit traffic, such as known payloads.", + "modified": "2022-10-14T16:47:35.207Z", + "description": "Monitor for suspicious account behavior across systems that share accounts, either user, admin, or service accounts. Examples: one account logged into multiple systems simultaneously; multiple accounts logged into the same machine simultaneously; accounts logged in at odd times or outside of business hours. Activity may be from interactive login sessions or process ownership from accounts being used to execute binaries on a remote system as a particular account.", "relationship_type": "detects", - "source_ref": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c", - "target_ref": "attack-pattern--32632a95-6856-47b9-9ab7-fea5cd7dce00", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "relationship", - "id": "relationship--bda03e8d-5e06-4470-b786-11b11c7c97c7", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.203Z", - "relationship_type": "mitigates", - "description": "Deploy anti-virus on all systems that support external email.\n", - "source_ref": 
"course-of-action--faf2b40e-5981-433f-aa46-17458e0026f7", - "target_ref": "attack-pattern--648f995e-9c3a-41e4-aeee-98bb41037426", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "relationship", - "id": "relationship--0ff88ef7-44fd-4307-b381-2e0bc76ce83b", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.209Z", - "relationship_type": "mitigates", - "description": "Ensure proper network segmentation between higher level corporate resources and the control process environment.\n", - "source_ref": "course-of-action--1e7ccfc0-94c8-496e-8d27-032120892291", - "target_ref": "attack-pattern--e076cca8-2f08-45c9-aff7-ea5ac798b387", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "relationship", - "id": "relationship--2fffbea8-c031-4de8-a451-447bbbe3e224", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.201Z", - "relationship_type": "mitigates", - "description": "Consider the use of application isolation and sandboxing to restrict specific operating system interactions such as access through user accounts, services, system calls, registry, and network access. 
This may be even more useful in cases where the source of the executed script is unknown.\n", - "source_ref": "course-of-action--059ba11e-e3dc-49aa-84ca-88197f40d4ea", - "target_ref": "attack-pattern--2dc2b567-8821-49f9-9045-8740f3d0b958", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "relationship", - "id": "relationship--590bdd67-31ef-4edd-b2ac-2bd1b98da19c", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.201Z", - "relationship_type": "mitigates", - "description": "Consider removal or disabling of programs and features which may be used to run malicious scripts (e.g., scripting language IDEs, PowerShell, visual studio).\n", - "source_ref": "course-of-action--d0909119-2f71-4923-87db-b649881672d7", - "target_ref": "attack-pattern--2dc2b567-8821-49f9-9045-8740f3d0b958", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - "type": "relationship", - "id": "relationship--edb32a4d-62a3-467c-8dfa-f97f1bcbffc6", - "created": "2022-09-27T16:56:30.665Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-10-14T16:39:41.897Z", - "description": "Monitor for newly constructed scheduled jobs that may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools.", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--f42df6f0-6395-4f0c-9376-525a031f00c3", - "target_ref": "attack-pattern--ba203963-3182-41ac-af14-7e7ebc83cd61", + 
"source_ref": "x-mitre-data-component--39b9db72-8b48-4595-a18d-db5bbba3091b", + "target_ref": "attack-pattern--cd2c76a4-5e23-4ca5-9c40-d5e0604f7101", "x_mitre_deprecated": false, "x_mitre_version": "0.1", "x_mitre_attack_spec_version": "2.1.0", 
@@ -20203,923 +22997,14 @@ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", - "id": "relationship--5d4f6aff-650c-45fe-a9d8-2080d3ea02d7", + "id": "relationship--b2defaaf-625d-416e-8a9d-8be6d89bacdc", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.150Z", - "relationship_type": "mitigates", - "description": "Authenticateconnections fromsoftware and devices to prevent unauthorized systems from accessing protected management functions.\n", - "source_ref": "course-of-action--72e46e53-e12d-4106-9c70-33241b6ed549", - "target_ref": "attack-pattern--e5de767e-f513-41cd-aa15-33f6ce5fbf92", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - "type": "relationship", - "id": "relationship--37abb3d5-24fc-4397-844e-07548d324729", - "created": "2022-05-11T16:22:58.807Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-09-26T14:32:20.552Z", - "description": "Monitor for anomalous or unexpected commands that may result in changes to the process operation (e.g., discrete write, logic and device configuration, mode changes) observable via asset application logs.", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--9c2fa0ae-7abc-485a-97f6-699e3b6cf9fa", - "target_ref": "attack-pattern--40b300ba-f553-48bf-862e-9471b220d455", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "type": "relationship", - "id": "relationship--841ec349-0f4c-43fa-89b8-ef3656497fc9", - "created": "2018-10-17T00:14:20.652Z", - "created_by_ref": 
"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "external_references": [ - { - "source_name": "Anton Cherepanov, ESET June 2017", - "description": "Anton Cherepanov, ESET 2017, June 12 Win32/Industroyer: A new threat for industrial control systems Retrieved. 2017/09/15 ", - "url": "https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf" - } - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-09-23T18:49:11.920Z", - "description": "[Industroyer](https://attack.mitre.org/software/S0604) contains an IEC 61850 module that enumerates all connected network adapters to determine their TCP/IP subnet masks. (Citation: Anton Cherepanov, ESET June 2017)", - "relationship_type": "uses", - "source_ref": "malware--e401d4fe-f0c9-44f0-98e6-f93487678808", - "target_ref": "attack-pattern--ea0c980c-5cf0-43a7-a049-59c4c207566e", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "relationship", - "id": "relationship--fcd3fdbf-4909-48ab-85c4-ce4b34172eb0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.106Z", - "relationship_type": "mitigates", - "description": "Restrict browsers to limit the capabilities of malicious ads and Javascript.\n", - "source_ref": "course-of-action--143b4398-3222-480a-b6a4-e131bc2d3144", - "target_ref": "attack-pattern--7830cfcf-b268-4ac0-a69e-73c6affbae9a", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - "type": "relationship", - "id": "relationship--c9c1c589-b5c6-4231-982f-cae0aa41f349", - "created": 
"2018-10-17T00:14:20.652Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "external_references": [ - { - "source_name": "ESET", - "description": "ESET ACAD/Medre.A: 10000s of AutoCAD Designs Leaked in Suspected Industrial Espionage Retrieved. 2021/04/13 ", - "url": "https://www.welivesecurity.com/wp-content/uploads/200x/white-papers/ESET_ACAD_Medre_A_whitepaper.pdf" - } - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-10-12T17:11:11.693Z", - "description": "[ACAD/Medre.A](https://attack.mitre.org/software/S1000) collects information related to the AutoCAD application. The worm collects AutoCAD (*.dwg) files with drawings from information repositories. (Citation: ESET)\n", - "relationship_type": "uses", - "source_ref": "malware--a4a98eab-b691-45d9-8c48-869ef8fefd57", - "target_ref": "attack-pattern--3405891b-16aa-4bd7-bd7c-733501f9b20f", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "relationship", - "id": "relationship--56672ea4-cbf0-4a3e-8aed-edcc7d33133b", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.075Z", - "relationship_type": "mitigates", - "description": "Segment operational assets and their management devices based on their functional role within the process. Enabling more strict isolation to more critical control and operational information within the control environment. 
(Citation: Karen Scarfone; Paul Hoffman September 2009) (Citation: Keith Stouffer May 2015) (Citation: Department of Homeland Security September 2016) (Citation: Dwight Anderson 2014) \n", - "source_ref": "course-of-action--1e7ccfc0-94c8-496e-8d27-032120892291", - "target_ref": "attack-pattern--8e7089d3-fba2-44f8-94a8-9a79c53920c4", - "external_references": [ - { - "source_name": "Karen Scarfone; Paul Hoffman September 2009", - "description": "Karen Scarfone; Paul Hoffman 2009, September Guidelines on Firewalls and Firewall Policy Retrieved. 2020/09/25 ", - "url": "https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-41r1.pdf" - }, - { - "source_name": "Keith Stouffer May 2015", - "description": "Keith Stouffer 2015, May Guide to Industrial Control Systems (ICS) Security Retrieved. 2018/03/28 ", - "url": "https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-82r2.pdf" - }, - { - "source_name": "Department of Homeland Security September 2016", - "description": "Department of Homeland Security 2016, September Retrieved. 2020/09/25 ", - "url": "https://us-cert.cisa.gov/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf" - }, - { - "source_name": "Dwight Anderson 2014", - "description": "Dwight Anderson 2014 Protect Critical Infrastructure Systems With Whitelisting Retrieved. 
2020/09/25 ", - "url": "https://www.sans.org/reading-room/whitepapers/ICS/protect-critical-infrastructure-systems-whitelisting-35312" - } - ], - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - "type": "relationship", - "id": "relationship--881ef4ba-a480-44de-8ab6-be2cdc87dcce", - "created": "2022-09-27T15:25:50.596Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-10-14T19:49:19.854Z", - "description": "Use verification of distributed binaries through hash checking or other integrity checking mechanisms. Scan downloads for malicious signatures.", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--639e87f3-acb6-448a-9645-258f20da4bc5", - "target_ref": "attack-pattern--5e0f75da-e108-4688-a6de-a4f07cc2cbe3", - "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "relationship", - "id": "relationship--531e0589-0dad-444d-aca4-6198ba5d9fcd", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.208Z", - "relationship_type": "mitigates", - "description": "Segment operational assets and their management devices based on their functional role within the process. Enabling more strict isolation to more critical control and operational information within the control environment. 
(Citation: Karen Scarfone; Paul Hoffman September 2009) (Citation: Keith Stouffer May 2015) (Citation: Department of Homeland Security September 2016) (Citation: Dwight Anderson 2014) \n", - "source_ref": "course-of-action--1e7ccfc0-94c8-496e-8d27-032120892291", - "target_ref": "attack-pattern--8535b71e-3c12-4258-a4ab-40257a1becc4", - "external_references": [ - { - "source_name": "Karen Scarfone; Paul Hoffman September 2009", - "description": "Karen Scarfone; Paul Hoffman 2009, September Guidelines on Firewalls and Firewall Policy Retrieved. 2020/09/25 ", - "url": "https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-41r1.pdf" - }, - { - "source_name": "Keith Stouffer May 2015", - "description": "Keith Stouffer 2015, May Guide to Industrial Control Systems (ICS) Security Retrieved. 2018/03/28 ", - "url": "https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-82r2.pdf" - }, - { - "source_name": "Department of Homeland Security September 2016", - "description": "Department of Homeland Security 2016, September Retrieved. 2020/09/25 ", - "url": "https://us-cert.cisa.gov/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf" - }, - { - "source_name": "Dwight Anderson 2014", - "description": "Dwight Anderson 2014 Protect Critical Infrastructure Systems With Whitelisting Retrieved. 
2020/09/25 ", - "url": "https://www.sans.org/reading-room/whitepapers/ICS/protect-critical-infrastructure-systems-whitelisting-35312" - } - ], - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - "type": "relationship", - "id": "relationship--ea50253a-3220-458b-b810-ad032f2b182f", - "created": "2018-04-18T17:59:24.739Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "external_references": [ - { - "source_name": "DHS CISA February 2019", - "description": "DHS CISA 2019, February 27 MAR-17-352-01 HatManSafety System Targeted Malware (Update B) Retrieved. 2019/03/08 ", - "url": "https://ics-cert.us-cert.gov/sites/default/files/documents/MAR-17-352-01%20HatMan%20-%20Safety%20System%20Targeted%20Malware%20%28Update%20B%29.pdf" - }, - { - "source_name": "ICS-CERT December 2018", - "description": "ICS-CERT 2018, December 18 Advisory (ICSA-18-107-02) - Schneider Electric Triconex Tricon (Update B) Retrieved. 2019/03/08 ", - "url": "https://ics-cert.us-cert.gov/advisories/ICSA-18-107-02" - }, - { - "source_name": "Schneider Electric January 2018", - "description": "Schneider Electric 2018, January 23 TRITON - Schneider Electric Analysis and Disclosure Retrieved. 2019/03/14 ", - "url": "https://www.youtube.com/watch?v=f09E75bWvkk&index=3&list=PL8OWO1qWXF4qYG19p7An4Vw3N2YZ86aRS&t=0s" - }, - { - "source_name": "The Office of Nuclear Reactor Regulation", - "description": "The Office of Nuclear Reactor Regulation Schneider Electric 2018, January 23 TRITON - Schneider Electric Analysis and Disclosure Retrieved. 2019/03/14 Triconex Topical Report 7286-545-1 Retrieved. 
2018/05/30 ", - "url": "https://www.nrc.gov/docs/ML1209/ML120900890.pdf" - } - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-10-12T18:28:54.342Z", - "description": "[Triton](https://attack.mitre.org/software/S1009) disables a firmware RAM/ROM consistency check after injects a payload (imain.bin) into the firmware memory region. (Citation: DHS CISA February 2019) (Citation: ICS-CERT December 2018) (Citation: Schneider Electric January 2018) Triconex systems include continuous means of detection including checksums for firmware and program integrity, memory and memory reference integrity, and configuration. (Citation: The Office of Nuclear Reactor Regulation)", - "relationship_type": "uses", - "source_ref": "malware--80099a91-4c86-4bea-9ccb-dac55d61960e", - "target_ref": "attack-pattern--9f947a1c-3860-48a8-8af0-a2dfa3efde03", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "relationship", - "id": "relationship--99ec0a8e-4a4f-427c-89db-163e4b206021", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.094Z", - "relationship_type": "mitigates", - "description": "Hot-standbys in diverse locations can ensure continued operations if the primarily system are compromised or unavailable. At the network layer, protocols such as the Parallel Redundancy Protocol can be used to simultaneously use redundant and diverse communication over a local network. (Citation: M. Rentschler and H. 
Heine)\n", - "source_ref": "course-of-action--f0f5c87a-a58d-440a-b3b5-ca679d98c6dd", - "target_ref": "attack-pattern--e33c7ecc-5a38-497f-beb2-a9a2049a4c20", - "external_references": [ - { - "source_name": "M. Rentschler and H. Heine", - "description": "M. Rentschler and H. Heine The Parallel Redundancy Protocol for industrial IP networks Retrieved. 2020/09/25 ", - "url": "https://ieeexplore.ieee.org/document/6505877" - } - ], - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - "type": "relationship", - "id": "relationship--26254163-4f25-4d30-8456-ca093459ff32", - "created": "2022-05-11T16:22:58.807Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-10-14T16:32:29.856Z", - "description": "Monitor for newly executed processes that execute from removable media after it is mounted or when initiated by a user. If a remote access tool is used in this manner to move laterally, then additional actions are likely to occur after execution, such as opening network connections for Command and Control and system and network information Discovery. 
", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--3d20385b-24ef-40e1-9f56-f39750379077", - "target_ref": "attack-pattern--c267bbee-bb59-47fe-85e0-3ed210337c21", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "relationship", - "id": "relationship--f497fd3e-8f05-4db2-97cc-48a8d35a8827", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.091Z", - "relationship_type": "mitigates", - "description": "Develop and publish policies that define acceptable information to be stored in repositories.\n", - "source_ref": "course-of-action--dc61c280-c29d-44e5-a960-c0dd1623d2ba", - "target_ref": "attack-pattern--3405891b-16aa-4bd7-bd7c-733501f9b20f", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "relationship", - "id": "relationship--1f87378c-49fb-4da5-8ed3-3672633d3713", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.123Z", - "relationship_type": "mitigates", - "description": "Regularly scan the internal network for available services to identify new and potentially vulnerable services.\n", - "source_ref": "course-of-action--de0bc375-50e1-4e26-a342-a8ff8c9d3037", - "target_ref": "attack-pattern--85a45294-08f1-4539-bf00-7da08aa7b0ee", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - "type": "relationship", 
- "id": "relationship--71c81024-ea36-4853-940a-cd9d4cbcabed", - "created": "2021-04-11T14:06:54.109Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "external_references": [ - { - "source_name": "Dragos December 2017", - "description": "Dragos 2017, December 13 TRISIS Malware Analysis of Safety System Targeted Malware Retrieved. 2018/01/12 ", - "url": "https://dragos.com/blog/trisis/TRISIS-01.pdf" - } - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-10-12T17:05:39.957Z", - "description": "[TEMP.Veles](https://attack.mitre.org/groups/G0088) utilized remote desktop protocol (RDP) jump boxes to move into the ICS environment. (Citation: Dragos December 2017)", - "relationship_type": "uses", - "source_ref": "intrusion-set--9538b1a4-4120-4e2d-bf59-3b11fcab05a4", - "target_ref": "attack-pattern--e1f9cdd2-9511-4fca-90d7-f3e92cfdd0bf", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "type": "relationship", - "id": "relationship--e5b62475-bd08-4ac6-a6f7-78f1843bf506", - "created": "2022-05-11T16:22:58.806Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-10-14T19:52:04.484Z", - "description": "Monitor executed commands and arguments for actions that aid in sniffing network traffic to capture information about an environment.", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--685f917a-e95e-4ba0-ade1-c7d354dae6e0", - "target_ref": "attack-pattern--38213338-1aab-479d-949b-c81b66ccca5c", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": 
"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "type": "relationship", - "id": "relationship--4122cdb6-09a4-4b68-b0d1-5d880cf5a4ef", - "created": "2022-05-11T16:22:58.804Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-09-27T18:37:06.013Z", - "description": "In the case of detecting collection from local systems monitor for unexpected/abnormal access to files that may be malicious collection of local data, such as user files (e.g., .pdf, .docx, .jpg, .dwg ) or local databases. For added context on adversary procedures and background see [Data from Local System](https://attack.mitre.org/techniques/T1005).", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--235b7491-2d2b-4617-9a52-3c0783680f71", - "target_ref": "attack-pattern--3405891b-16aa-4bd7-bd7c-733501f9b20f", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "type": "relationship", - "id": "relationship--72bfda0b-31e9-4958-8d40-6efe816d9989", - "created": "2022-09-27T15:32:03.332Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-10-14T16:33:47.681Z", - "description": "Devices that provide user access to the underlying operating system may allow the installation of custom software to monitor OS API execution. Monitoring API calls may generate a significant amount of data and may not be useful for defense unless collected under specific circumstances, since benign use of API functions are common and may be difficult to distinguish from malicious behavior. 
Correlation of other events with behavior surrounding API function calls using API monitoring will provide additional context to an event that may assist in determining if it is due to malicious behavior.", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e", - "target_ref": "attack-pattern--5a2610f6-9fff-41e1-bc27-575ca20383d4", - "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "relationship", - "id": "relationship--c8a40335-90d6-496a-b4f9-1cc93d3fffc6", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2021-04-12T17:00:17.249Z", - "modified": "2022-05-06T17:47:24.212Z", - "relationship_type": "mitigates", - "description": "A supply chain management program should include methods the assess the trustworthiness and technical maturity of a supplier, along with technical methods (e.g., code-signing, bill of materials) needed to validate the integrity of newly obtained devices and components. Develop procurement language that emphasizes the expectations for suppliers regarding the artifacts, audit records, and technical capabilities needed to validate the integrity of the devices supply chain. (Citation: Robert A. Martin January 2021)\n", - "source_ref": "course-of-action--ac8f3492-7fbb-4a0a-b0b4-b75ec676136c", - "target_ref": "attack-pattern--5e0f75da-e108-4688-a6de-a4f07cc2cbe3", - "external_references": [ - { - "source_name": "Robert A. Martin January 2021", - "description": "Robert A. Martin 2021, January TRUSTING OUR SUPPLY CHAINS: A COMPREHENSIVE DATA-DRIVEN APPROACH Retrieved. 
2021/04/12 ", - "url": "https://www.mitre.org/sites/default/files/publications/pr-20-01465-37-trusting-our-supply-chains-a-comprehensive-data-driven-approach.pdf" - } - ], - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - "type": "relationship", - "id": "relationship--1c12b1d6-d636-45c6-98f4-947ddb502cb0", - "created": "2022-05-11T16:22:58.804Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-09-26T15:11:33.323Z", - "description": "Monitor for lack of operational process data which may help identify a loss of communications. This will not directly detect the technique’s execution, but instead may provide additional evidence that the technique has been used and may complement other detections.", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--931b3fc6-ad68-42a8-9018-e98515eedc95", - "target_ref": "attack-pattern--1c478716-71d9-46a4-9a53-fa5d576adb60", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "type": "relationship", - "id": "relationship--6d822f86-5793-403a-b176-5d533f6b81b3", - "created": "2018-04-18T17:59:24.739Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "external_references": [ - { - "source_name": "Daavid Hentunen, Antti Tikkanen June 2014", - "description": "Daavid Hentunen, Antti Tikkanen 2014, June 23 Havex Hunts For ICS/SCADA Systems Retrieved. 
2019/04/01 ", - "url": "https://www.f-secure.com/weblog/archives/00002718.html" - } - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-10-12T17:19:43.236Z", - "description": "The [Backdoor.Oldrea](https://attack.mitre.org/software/S0093) RAT is distributed through trojanized installers planted on compromised vendor sites. (Citation: Daavid Hentunen, Antti Tikkanen June 2014)", - "relationship_type": "uses", - "source_ref": "malware--083bb47b-02c8-4423-81a2-f9ef58572974", - "target_ref": "attack-pattern--5e0f75da-e108-4688-a6de-a4f07cc2cbe3", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "type": "relationship", - "id": "relationship--98b229f8-6020-4fbb-b104-54fd478c14d9", - "created": "2022-05-11T16:22:58.804Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-09-26T16:29:49.652Z", - "description": "Monitor logon sessions for default credential use.", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--9ce98c86-8d30-4043-ba54-0784d478d0b5", - "target_ref": "attack-pattern--8bb4538f-f16f-49f0-a431-70b5444c7349", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "type": "relationship", - "id": "relationship--dda29418-9570-405a-b7db-97e951e5aa53", - "created": "2022-09-26T19:36:13.409Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-10-14T19:35:58.409Z", - "description": "Monitor application logs 
for changes to settings and other events associated with network protocols and other services commonly abused for AiTM.", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--9c2fa0ae-7abc-485a-97f6-699e3b6cf9fa", - "target_ref": "attack-pattern--9a505987-ab05-4f46-a9a6-6441442eec3b", - "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "relationship", - "id": "relationship--a7fbe555-a61b-4b93-bfb2-8e0dd0d6323e", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.126Z", - "relationship_type": "mitigates", - "description": "Consider utilizing jump boxes for external remote access. Additionally, dynamic account management may be used to easily remove accounts when not in use.\n", - "source_ref": "course-of-action--e57ebc6d-785f-40c8-adb1-b5b5e09b3b48", - "target_ref": "attack-pattern--8d2f3bab-507c-4424-b58b-edc977bd215c", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "relationship", - "id": "relationship--09977105-562f-4f45-a151-27a11a18031e", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.164Z", - "relationship_type": "mitigates", - "description": "The encryption of firmware should be considered to prevent adversaries from identifying possible vulnerabilities within the firmware.\n", - "source_ref": "course-of-action--9f99fcfd-772e-4e63-9d39-e45612e546dc", - "target_ref": 
"attack-pattern--efbf7888-f61b-4572-9c80-7e2965c60707", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - "type": "relationship", - "id": "relationship--2d07e32d-e9cd-4b19-86ad-4573824d6919", - "created": "2022-09-27T16:30:41.482Z", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-09-27T16:30:41.482Z", - "description": "Monitor device management protocols for functions that modify programs such as online edit and program append events.", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c", - "target_ref": "attack-pattern--fc5fda7e-6b2c-4457-b036-759896a2efa2", - "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "2.1.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "relationship", - "id": "relationship--6f0384e6-73c8-4fc7-bc0c-0a8c2bfa473d", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.069Z", - "relationship_type": "mitigates", - "description": "Utilize network allowlists to restrict unnecessary connections to network devices (e.g., comm servers, serial to ethernet converters) and services, especially in cases when devices have limits on the number of simultaneous sessions they support.\n", - "source_ref": "course-of-action--aadac250-bcdc-44e3-a4ae-f52bd0a7a16a", - "target_ref": "attack-pattern--3de230d4-3e42-4041-b089-17e1128feded", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - 
"x_mitre_version": "1.0" - }, - { - "type": "relationship", - "id": "relationship--cea2f5a7-4871-4c62-a2d5-5a76aadf2d1a", - "created": "2022-09-26T14:37:45.140Z", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-09-26T14:37:45.140Z", - "description": "Monitor for anomalous or unexpected commands that may result in changes to the process operation (e.g., discrete write, logic and device configuration, mode changes) observable via asset application logs.", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--4c12c1c8-bcef-4daf-8e5b-fca235f71d9e", - "target_ref": "attack-pattern--40b300ba-f553-48bf-862e-9471b220d455", - "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "2.1.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "type": "relationship", - "id": "relationship--9d5b9b9c-058f-4782-80aa-9d501442a03d", - "created": "2022-05-11T16:22:58.807Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-10-14T19:34:07.441Z", - "description": "Alterations to the service binary path or the service startup type changed to disabled may be suspicious.", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--74fa567d-bc90-425c-8a41-3c703abb221c", - "target_ref": "attack-pattern--063b5b92-5361-481a-9c3f-95492ed9a2d8", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "type": "relationship", - "id": "relationship--31bf1721-78a2-4b6c-b325-5c44dc02ea33", - "created": "2017-12-14T16:46:06.044Z", - "created_by_ref": 
"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "external_references": [ - { - "source_name": "Eduard Kovacs March 2018", - "description": "Eduard Kovacs 2018, March 1 Five Threat Groups Target Industrial Systems: Dragos Retrieved. 2020/01/03 ", - "url": "https://www.securityweek.com/five-threat-groups-target-industrial-systems-dragos" - }, - { - "source_name": "Novetta Threat Research Group February 2016", - "description": "Novetta Threat Research Group 2016, February 24 Operation Blockbuster: Unraveling the Long Thread of the Sony Attack Retrieved. 2016/02/25 ", - "url": "https://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Report.pdf" - } - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-10-12T16:15:30.732Z", - "description": "[Lazarus Group](https://attack.mitre.org/groups/G0032) has been observed targeting organizations using spearphishing documents with embedded malicious payloads. (Citation: Novetta Threat Research Group February 2016) Highly targeted spear phishing campaigns have been conducted against a U.S. electric grid company. (Citation: Eduard Kovacs March 2018)", - "relationship_type": "uses", - "source_ref": "intrusion-set--c93fccb1-e8e8-42cf-ae33-2ad1d183913a", - "target_ref": "attack-pattern--648f995e-9c3a-41e4-aeee-98bb41037426", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "type": "relationship", - "id": "relationship--cad91f87-7cc7-4771-8c7b-1599793ed3c1", - "created": "2018-10-17T00:14:20.652Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "external_references": [ - { - "source_name": "Carl Hurd March 2019", - "description": "Carl Hurd 2019, March 26 VPNFilter Deep Dive Retrieved. 
2019/03/28 ", - "url": "https://www.youtube.com/watch?v=yuZazP22rpI" - }, - { - "source_name": "William Largent June 2018", - "description": "William Largent 2018, June 06 VPNFilter Update - VPNFilter exploits endpoints, targets new devices Retrieved. 2019/03/28 ", - "url": "https://blog.talosintelligence.com/2018/06/vpnfilter-update.html" - } - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-10-12T18:31:19.732Z", - "description": "The [VPNFilter](https://attack.mitre.org/software/S1010) packet sniffer looks for basic authentication as well as monitors ICS traffic, and is specific to the TP-LINK R600-VPN. The malware uses a raw socket to look for connections to a pre-specified IP address, only looking at TCP packets that are 150 bytes or larger. Packets that are not on port 502, are scanned for BasicAuth, and that information is logged. This may have allowed credential harvesting from communications between devices accessing a modbus-enabled HMI. 
(Citation: William Largent June 2018) (Citation: Carl Hurd March 2019)", - "relationship_type": "uses", - "source_ref": "malware--6108f800-10b8-4090-944e-be579f01263d", - "target_ref": "attack-pattern--38213338-1aab-479d-949b-c81b66ccca5c", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "type": "relationship", - "id": "relationship--66d637a0-4874-4b12-bd3a-b408acb06d26", - "created": "2022-05-11T16:22:58.806Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-10-14T16:53:54.118Z", - "description": "Monitor for executed processes (such as ipconfig/ifconfig and arp) with arguments that may look for details about the network configuration and settings, such as IP and/or MAC addresses. Also monitor for executed processes that may attempt to get a listing of network connections to or from the compromised system they are currently accessing or from remote systems by querying for information over the network.", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--3d20385b-24ef-40e1-9f56-f39750379077", - "target_ref": "attack-pattern--ea0c980c-5cf0-43a7-a049-59c4c207566e", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "relationship", - "id": "relationship--5914a482-dbb7-429d-96f3-77f0588ac12d", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.123Z", - "relationship_type": "mitigates", - "description": "Develop a robust cyber 
threat intelligence capability to determine what types and levels of threat may use software exploits and 0-days against a particular organization.\n", - "source_ref": "course-of-action--d48b79b2-076d-483e-949c-0d38aa347499", - "target_ref": "attack-pattern--85a45294-08f1-4539-bf00-7da08aa7b0ee", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - "type": "relationship", - "id": "relationship--ab8e129c-5411-4784-9194-068fa915da23", - "created": "2017-12-14T16:46:06.044Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "external_references": [ - { - "source_name": "Anton Cherepanov", - "description": "Anton Cherepanov BlackEnergy by the SSHBearDoor: attacks against Ukrainian news media and electric industry Retrieved. 2019/10/29 ", - "url": "https://www.welivesecurity.com/2016/01/03/blackenergy-sshbeardoor-details-2015-attacks-ukrainian-news-media-electric-industry/" - } - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-10-12T17:54:49.878Z", - "description": "[KillDisk](https://attack.mitre.org/software/S0607) deletes application, security, setup, and system event logs from Windows systems. 
(Citation: Anton Cherepanov)", - "relationship_type": "uses", - "source_ref": "malware--e221eb77-1502-4129-af1d-fe1ad55e7ec6", - "target_ref": "attack-pattern--53a26eee-1080-4d17-9762-2027d5a1b805", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "type": "relationship", - "id": "relationship--aae5d42f-6bfc-44b6-8ff3-4b7abb4526ca", - "created": "2022-05-11T16:22:58.807Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-10-14T19:32:51.548Z", - "description": "Monitor for newly executed processes that may stop or disable services on a system to render those services unavailable to legitimate users.", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--3d20385b-24ef-40e1-9f56-f39750379077", - "target_ref": "attack-pattern--063b5b92-5361-481a-9c3f-95492ed9a2d8", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "type": "relationship", - "id": "relationship--49d941a6-4da2-4516-92d0-1bc64554b2f2", - "created": "2022-05-11T16:22:58.803Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-10-14T19:37:44.970Z", - "description": "Monitor for any attempts to enable scripts running on a system would be considered suspicious. If scripts are not commonly used on a system, but enabled, scripts running out of cycle from patching or other administrator functions are suspicious. 
Scripts should be captured from the file system when possible, to determine their actions and intent.", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--9f387817-df83-432a-b56b-a8fb7f71eedd", - "target_ref": "attack-pattern--3de230d4-3e42-4041-b089-17e1128feded", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "relationship", - "id": "relationship--8fcecf74-36df-41ab-9476-539c9ac0b339", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.179Z", - "relationship_type": "mitigates", - "description": "Segment operational network and systems to restrict access to critical system functions to predetermined management systems. (Citation: Department of Homeland Security September 2016)\n", - "source_ref": "course-of-action--1e7ccfc0-94c8-496e-8d27-032120892291", - "target_ref": "attack-pattern--be69c571-d746-4b1f-bdd0-c0c9817e9068", - "external_references": [ - { - "source_name": "Department of Homeland Security September 2016", - "description": "Department of Homeland Security 2016, September Retrieved. 
2020/09/25 ", - "url": "https://us-cert.cisa.gov/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf" - } - ], - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "relationship", - "id": "relationship--58cb4cb5-4b0f-4ce0-b3f9-5deb9de31c52", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.145Z", - "relationship_type": "mitigates", - "description": "Utilize out-of-band communication to validate the integrity of data from the primary channel.\n", - "source_ref": "course-of-action--b11cad63-ef30-4eb8-af0d-6cc46eef3f3e", - "target_ref": "attack-pattern--4c2e1408-9d68-4187-8e6b-a77bc52700ec", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - "type": "relationship", - "id": "relationship--db52c1b6-4e48-4e8c-a34c-3ca21b26fe8a", - "created": "2022-09-30T15:34:29.316Z", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-09-30T15:34:29.316Z", - "description": "Monitor for anomalies related to discovery related ICS functions, including devices that have not previously used these functions or for functions being sent to many outstations. Note that some ICS protocols use broadcast or multicast functionality, which may produce false positives. 
Also monitor for hosts enumerating network connected resources using non-ICS enterprise protocols.", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c", - "target_ref": "attack-pattern--d5a69cfb-fc2a-46cb-99eb-74b236db5061", - "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "2.1.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "type": "relationship", - "id": "relationship--c848b096-3703-4962-b8a2-57682e26f31b", - "created": "2021-04-11T14:06:54.109Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "external_references": [ - { - "source_name": "Dragos October 2018", - "description": "Dragos 2018, October 12 Anatomy of an Attack: Detecting and Defeating CRASHOVERRIDE Retrieved. 2019/10/14 ", - "url": "https://dragos.com/wp-content/uploads/CRASHOVERRIDE2018.pdf" - } - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-10-12T17:00:37.718Z", - "description": "[Sandworm Team](https://attack.mitre.org/groups/G0034) utilized VBS and batch scripts for file movement and as wrappers for PowerShell execution. 
(Citation: Dragos October 2018)", - "relationship_type": "uses", - "source_ref": "intrusion-set--381fcf73-60f6-4ab2-9991-6af3cbc35192", - "target_ref": "attack-pattern--2dc2b567-8821-49f9-9045-8740f3d0b958", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "relationship", - "id": "relationship--98f1d575-a975-42ae-8b00-2c9e22d560d5", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.127Z", - "relationship_type": "mitigates", - "description": "Set and enforce secure password policies for accounts.\n", - "source_ref": "course-of-action--5d97c693-e054-48ba-a3a3-eaf6942dfb65", - "target_ref": "attack-pattern--8d2f3bab-507c-4424-b58b-edc977bd215c", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - "type": "relationship", - "id": "relationship--679e7b8d-57d7-4c1d-8f42-1496606ea666", - "created": "2018-04-18T17:59:24.739Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "external_references": [ - { - "source_name": "Jeff Jones May 2018", - "description": "Jeff Jones 2018, May 10 Dragos Releases Details on Suspected Russian Infrastructure Hacking Team ALLANITE Retrieved. 2020/01/03 ", - "url": "https://www.eisac.com/public-news-detail?id=115909" - } - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-10-12T15:40:28.784Z", - "description": "[ALLANITE](https://attack.mitre.org/groups/G1000) utilized spear phishing to gain access into energy sector environments. 
(Citation: Jeff Jones May 2018)", - "relationship_type": "uses", - "source_ref": "intrusion-set--190242d7-73fc-4738-af68-20162f7a5aae", - "target_ref": "attack-pattern--648f995e-9c3a-41e4-aeee-98bb41037426", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "relationship", - "id": "relationship--74ec9ce5-3155-488c-ae56-570c47a1d207", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2021-04-13T12:45:26.506Z", - "modified": "2022-05-06T17:47:24.194Z", + "modified": "2022-05-06T17:47:24.192Z", "relationship_type": "mitigates", "description": "ICS environments typically have more statically defined devices, therefore minimize the use of both IT discovery protocols (e.g., DHCP, LLDP) and discovery functions in automation protocols. (Citation: D. Parsons and D. Wylie September 2019) (Citation: Colin Gray) Examples of automation protocols with discovery capabilities include OPC UA Device Discovery (Citation: Josh Rinaldi April 2016), BACnet (Citation: Aditya K Sood July 2019), and Ethernet/IP. (Citation: Langner November 2018)\n", "source_ref": "course-of-action--52c7a1a9-3a78-4528-a44f-cd7b0fa3541a", - "target_ref": "attack-pattern--2fedbe69-581f-447d-8a78-32ee7db939a9", + "target_ref": "attack-pattern--d5a69cfb-fc2a-46cb-99eb-74b236db5061", "external_references": [ { "source_name": "D. Parsons and D. Wylie September 2019", 
@@ -21153,436 +23038,18 @@ }, { "type": "relationship", - "id": "relationship--9f07c92a-78a0-438a-8cb2-01e2bddaeb42", - "created": "2021-01-04T21:30:14.830Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "external_references": [ - { - "source_name": "ESET Industroyer", - "description": "Anton Cherepanov. (2017, June 12). Win32/Industroyer: A new threat for industrial controls systems. Retrieved December 18, 2020.", - "url": "https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf" - }, - { - "source_name": "Dragos Crashoverride 2017", - "description": "Dragos Inc.. (2017, June 13). CRASHOVERRIDE Analysis of the Threat to Electric Grid Operations. Retrieved December 18, 2020.", - "url": "https://dragos.com/blog/crashoverride/CrashOverride-01.pdf" - }, - { - "source_name": "Dragos Crashoverride 2018", - "description": "Joe Slowik. (2018, October 12). Anatomy of an Attack: Detecting and Defeating CRASHOVERRIDE. Retrieved December 18, 2020.", - "url": "https://www.dragos.com/wp-content/uploads/CRASHOVERRIDE2018.pdf" - }, - { - "source_name": "Secureworks IRON VIKING", - "description": "Secureworks. (2020, May 1). IRON VIKING Threat Profile. 
Retrieved June 10, 2020.", - "url": "https://www.secureworks.com/research/threat-profiles/iron-viking" - } - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-10-12T18:46:32.756Z", - "description": "(Citation: Dragos Crashoverride 2018)(Citation: Dragos Crashoverride 2017)(Citation: ESET Industroyer)(Citation: Secureworks IRON VIKING)", - "relationship_type": "uses", - "source_ref": "intrusion-set--381fcf73-60f6-4ab2-9991-6af3cbc35192", - "target_ref": "malware--e401d4fe-f0c9-44f0-98e6-f93487678808", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "type": "relationship", - "id": "relationship--892c0bff-17b6-447b-a213-6a3189a1df82", - "created": "2022-05-11T16:22:58.806Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-10-14T19:51:45.844Z", - "description": "Monitor for newly executed processes that can aid in sniffing network traffic to capture information about an environment.", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--3d20385b-24ef-40e1-9f56-f39750379077", - "target_ref": "attack-pattern--38213338-1aab-479d-949b-c81b66ccca5c", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "type": "relationship", - "id": "relationship--0d305450-d5ca-46fe-8583-36c983dd0a88", - "created": "2022-05-11T16:22:58.804Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-09-26T16:43:33.144Z", - 
"description": "Monitor ICS management protocols for functions that change an asset’s operating mode.", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c", - "target_ref": "attack-pattern--2883c520-7957-46ca-89bd-dab1ad53b601", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "type": "relationship", - "id": "relationship--95b12e1a-7f21-4fa0-9b2a-c96c7c270625", - "created": "2021-10-14T21:33:27.046Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "external_references": [ - { - "source_name": "Dragos", - "description": "Dragos Electrum Retrieved. 2019/10/27 ", - "url": "https://dragos.com/resource/electrum/" - }, - { - "source_name": "Dragos October 2018", - "description": "Dragos 2018, October 12 Anatomy of an Attack: Detecting and Defeating CRASHOVERRIDE Retrieved. 2019/10/14 ", - "url": "https://dragos.com/wp-content/uploads/CRASHOVERRIDE2018.pdf" - }, - { - "source_name": "Electricity Information Sharing and Analysis Center; SANS Industrial Control Systems March 2016", - "description": "Electricity Information Sharing and Analysis Center; SANS Industrial Control Systems 2016, March 18 Analysis of the Cyber Attack on the Ukranian Power Grid: Defense Use Case Retrieved. 2018/03/27 ", - "url": "https://assets.contentstack.io/v3/assets/blt36c2e63521272fdc/blt6a77276749b76a40/607f235992f0063e5c070fff/E-ISAC_SANS_Ukraine_DUC_5%5b73%5d.pdf" - } - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-10-12T16:57:19.471Z", - "description": "[Sandworm Team](https://attack.mitre.org/groups/G0034) used valid accounts to laterally move through VPN connections and dual-homed systems. 
(Citation: Dragos) (Citation: Dragos October 2018) In the Ukraine 2015 Incident, [Sandworm Team](https://attack.mitre.org/groups/G0034) used the credentials of valid accounts to interact with client applications and access employee workstations hosting HMI applications. (Citation: Electricity Information Sharing and Analysis Center; SANS Industrial Control Systems March 2016)", - "relationship_type": "uses", - "source_ref": "intrusion-set--381fcf73-60f6-4ab2-9991-6af3cbc35192", - "target_ref": "attack-pattern--cd2c76a4-5e23-4ca5-9c40-d5e0604f7101", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "relationship", - "id": "relationship--d6a2a1a8-8f5b-4e94-8fce-8edd8a17627a", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.209Z", - "relationship_type": "mitigates", - "description": "When available utilize hardware and software root-of-trust to verify the authenticity of a system. 
This may be achieved through cryptographic means, such as digital signatures or hashes, of critical software and firmware throughout the supply chain.\n", - "source_ref": "course-of-action--71eb7dad-07eb-4bbc-9df0-ac57bf2fba4a", - "target_ref": "attack-pattern--5e0f75da-e108-4688-a6de-a4f07cc2cbe3", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - "type": "relationship", - "id": "relationship--a731ad54-0c3c-47bb-9559-d99950782beb", - "created": "2022-05-11T16:22:58.806Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-09-26T19:22:39.784Z", - "description": "Monitor interactions with network shares, such as reads or file transfers, using remote services such as Server Message Block (SMB). For added context on adversary procedures and background see [Remote Services](https://attack.mitre.org/techniques/T1021) and applicable sub-techniques.", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--f5468e67-51c7-4756-9b4f-65707708e7fa", - "target_ref": "attack-pattern--e1f9cdd2-9511-4fca-90d7-f3e92cfdd0bf", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "type": "relationship", - "id": "relationship--43777394-ff59-4261-b1cf-b41a1f4f4d8b", - "created": "2022-05-11T16:22:58.806Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-09-26T16:24:52.417Z", - "description": "Monitor device alarms for program downloads, although not all devices produce such alarms.", - "relationship_type": "detects", - 
"source_ref": "x-mitre-data-component--9d56be63-3501-4dd3-bb5f-63c580833298", - "target_ref": "attack-pattern--be69c571-d746-4b1f-bdd0-c0c9817e9068", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "type": "relationship", - "id": "relationship--e8d5ee60-952f-42ff-bf48-7da9cd0fdb23", - "created": "2022-05-11T16:22:58.805Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-10-14T19:46:16.720Z", - "description": "When authentication is not required to access an exposed remote service, monitor for follow-on activities such as anomalous external use of the exposed API or application.", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--9c2fa0ae-7abc-485a-97f6-699e3b6cf9fa", - "target_ref": "attack-pattern--8d2f3bab-507c-4424-b58b-edc977bd215c", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "type": "relationship", - "id": "relationship--351e19c4-c16e-493a-9800-a433107aacf1", - "created": "2018-04-18T17:59:24.739Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "external_references": [ - { - "source_name": "DHS CISA February 2019", - "description": "DHS CISA 2019, February 27 MAR-17-352-01 HatManSafety System Targeted Malware (Update B) Retrieved. 
2019/03/08 ", - "url": "https://ics-cert.us-cert.gov/sites/default/files/documents/MAR-17-352-01%20HatMan%20-%20Safety%20System%20Targeted%20Malware%20%28Update%20B%29.pdf" - } - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-10-12T18:24:36.935Z", - "description": "[Triton](https://attack.mitre.org/software/S1009) uses a Python script that is capable of detecting Triconex controllers on the network by sending a specific UDP broadcast packet over port 1502. (Citation: DHS CISA February 2019)", - "relationship_type": "uses", - "source_ref": "malware--80099a91-4c86-4bea-9ccb-dac55d61960e", - "target_ref": "attack-pattern--d5a69cfb-fc2a-46cb-99eb-74b236db5061", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "type": "relationship", - "id": "relationship--5771ce27-7cc7-4144-8c11-c1a6d2ac3e2c", - "created": "2022-05-11T16:22:58.806Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-09-27T16:33:10.450Z", - "description": "Monitor for unexpected changes to project files, although if the malicious modification occurs in tandem with legitimate changes it will be difficult to isolate the unintended changes by analyzing only file systems modifications.", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--84572de3-9583-4c73-aabd-06ea88123dd8", - "target_ref": "attack-pattern--e72425f8-9ae6-41d3-bfdb-e1b865e60722", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "type": "relationship", - "id": "relationship--f0c81c9f-2fb7-4e7d-98ed-c75e3be7d962", - 
"created": "2017-12-14T16:46:06.044Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "external_references": [ - { - "source_name": "Nicolas Falliere, Liam O Murchu, Eric Chien February 2011", - "description": "Nicolas Falliere, Liam O Murchu, Eric Chien 2011, February W32.Stuxnet Dossier (Version 1.4) Retrieved. 2017/09/22 ", - "url": "https://www.wired.com/images_blogs/threatlevel/2011/02/Symantec-Stuxnet-Update-Feb-2011.pdf" - } - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-09-20T21:21:24.221Z", - "description": "When the peripheral output is written to, sequence C intercepts the output and ensures it is not written to the process image output. The output is the instructions the PLC sends to a device to change its operating behavior. By intercepting the peripheral output, [Stuxnet](https://attack.mitre.org/software/S0603) prevents an operator from noticing unauthorized commands sent to the peripheral. (Citation: Nicolas Falliere, Liam O Murchu, Eric Chien February 2011)", - "relationship_type": "uses", - "source_ref": "malware--088f1d6e-0783-47c6-9923-9c79b2af43d4", - "target_ref": "attack-pattern--36e9f5bc-ac13-4da4-a2f4-01f4877d9004", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "type": "relationship", - "id": "relationship--b252a076-6d4e-49f5-95ac-16264ef05b1d", - "created": "2017-12-14T16:46:06.044Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "external_references": [ - { - "source_name": "Anton Cherepanov", - "description": "Anton Cherepanov BlackEnergy by the SSHBearDoor: attacks against Ukrainian news media and electric industry Retrieved. 
2019/10/29 ", - "url": "https://www.welivesecurity.com/2016/01/03/blackenergy-sshbeardoor-details-2015-attacks-ukrainian-news-media-electric-industry/" - } - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-10-12T17:55:06.661Z", - "description": "[KillDisk](https://attack.mitre.org/software/S0607) is able to delete system files to make the system unbootable and targets 35 different types of files for deletion. (Citation: Anton Cherepanov)", - "relationship_type": "uses", - "source_ref": "malware--e221eb77-1502-4129-af1d-fe1ad55e7ec6", - "target_ref": "attack-pattern--493832d9-cea6-4b63-abe7-9a65a6473675", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "relationship", - "id": "relationship--03d44496-7a15-4e23-820f-b6f1079dbbd3", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.209Z", - "relationship_type": "mitigates", - "description": "A patch management process should be implemented to check unused dependencies, unmaintained and/or previously vulnerable dependencies, unnecessary features, components, files, and documentation.\n", - "source_ref": "course-of-action--97f33c84-8508-45b9-8a1d-cac921828c9e", - "target_ref": "attack-pattern--5e0f75da-e108-4688-a6de-a4f07cc2cbe3", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - "type": "relationship", - "id": "relationship--86c94552-de59-453d-ac06-28a6a64db930", - "created": "2022-05-11T16:22:58.804Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - 
"object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-09-26T16:47:46.836Z", - "description": "Monitor device application logs which may contain information related to operating mode changes, although not all devices produce such logs.", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--9c2fa0ae-7abc-485a-97f6-699e3b6cf9fa", - "target_ref": "attack-pattern--2883c520-7957-46ca-89bd-dab1ad53b601", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "relationship", - "id": "relationship--0c284ce0-0be2-4164-b686-7c383b246aec", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.164Z", - "relationship_type": "mitigates", - "description": "Check the integrity of the existing BIOS or EFI to determine if it is vulnerable to modification. Use Trusted Platform Module technology. (Citation: N/A)Move system's root of trust to hardware to prevent tampering with the SPI flash memory. (Citation: ESET Research Whitepapers September 2018)Technologies such as Intel Boot Guard can assist with this. (Citation: Intel)\n", - "source_ref": "course-of-action--8ac1d6e1-b07f-476a-9732-84984ebc2405", - "target_ref": "attack-pattern--efbf7888-f61b-4572-9c80-7e2965c60707", - "external_references": [ - { - "source_name": "N/A", - "description": "N/A Trusted Platform Module (TPM) Summary Retrieved. 
2020/09/25 ", - "url": "https://www.trustedcomputinggroup.org/wp-content/uploads/Trusted-Platform-Module-Summary_04292008.pdf" - }, - { - "source_name": "ESET Research Whitepapers September 2018", - "description": "ESET Research Whitepapers 2018, September LOJAX First UEFI rootkit found in the wild, courtesy of the Sednit group Retrieved. 2020/09/25 ", - "url": "https://www.welivesecurity.com/wp-content/uploads/2018/09/ESET-LoJax.pdf" - }, - { - "source_name": "Intel", - "description": "Intel ESET Research Whitepapers 2018, September LOJAX First UEFI rootkit found in the wild, courtesy of the Sednit group Retrieved. 2020/09/25 Intel Hardware-based Security Technologies for Intelligent Retail Devices Retrieved. 2020/09/25 ", - "url": "https://www.intel.com/content/dam/www/public/us/en/documents/white-papers/security-technologies-4th-gen-core-retail-paper.pdf" - } - ], - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "relationship", - "id": "relationship--cca191a1-3c50-4d4f-8f79-4247e58af610", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.146Z", - "relationship_type": "mitigates", - "description": "Use tools that restrict program execution via application control by attributes other than file name for common system and application utilities.\n", - "source_ref": "course-of-action--4fa717d9-cabe-47c8-8cdd-86e9e2e37f30", - "target_ref": "attack-pattern--ba203963-3182-41ac-af14-7e7ebc83cd61", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - "type": "relationship", - "id": "relationship--15188683-7ded-4578-9102-73459ecbe095", - "created": 
"2022-05-11T16:22:58.805Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-10-14T16:37:54.914Z", - "description": "Monitor for newly executed processes related to services specifically designed to accept remote graphical connections, such as RDP and VNC. [Remote Services](https://attack.mitre.org/techniques/T0886) and [Valid Accounts](https://attack.mitre.org/techniques/T0859) may be used to access a host’s GUI.", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--3d20385b-24ef-40e1-9f56-f39750379077", - "target_ref": "attack-pattern--b0628bfc-5376-4a38-9182-f324501cb4cf", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "type": "relationship", - "id": "relationship--990f944f-190d-456d-b194-f5ecb17a0868", - "created": "2019-06-24T17:20:24.258Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "external_references": [ - { - "source_name": "Catalin Cimpanu April 2016", - "description": "Catalin Cimpanu 2016, April 26 Malware Shuts Down German Nuclear Power Plant on Chernobyl's 30th Anniversary Retrieved. 2019/10/14 ", - "url": "https://news.softpedia.com/news/on-chernobyl-s-30th-anniversary-malware-shuts-down-german-nuclear-power-plant-503429.shtml" - } - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-10-12T17:40:11.392Z", - "description": "A [Conficker](https://attack.mitre.org/software/S0608) infection at a nuclear power plant forced the facility to temporarily shutdown. 
(Citation: Catalin Cimpanu April 2016)", - "relationship_type": "uses", - "source_ref": "malware--58eddbaf-7416-419a-ad7b-e65b9d4c3b55", - "target_ref": "attack-pattern--b5b9bacb-97f2-4249-b804-47fd44de1f95", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "type": "relationship", - "id": "relationship--193c3cd3-0b22-4839-a1fa-413aee61e882", + "id": "relationship--83e5ebce-8d5d-43ca-a47f-ecb50ae8993a", "created": "2022-05-11T16:22:58.807Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2022-10-14T16:30:40.378Z", - "description": "Monitor log files for process execution through command-line and scripting activities. This information can be useful in gaining additional insight to adversaries' actions through how they use native processes or custom tools. Also monitor for loading of modules associated with specific languages.", + "modified": "2022-10-14T16:32:52.932Z", + "description": "Monitor for newly constructed drive letters or mount points to removable media.", "relationship_type": "detects", - "source_ref": "x-mitre-data-component--3d20385b-24ef-40e1-9f56-f39750379077", - "target_ref": "attack-pattern--2dc2b567-8821-49f9-9045-8740f3d0b958", + "source_ref": "x-mitre-data-component--3d6e6b3b-4aa8-40e1-8c47-91db0f313d9f", + "target_ref": "attack-pattern--c267bbee-bb59-47fe-85e0-3ed210337c21", "x_mitre_deprecated": false, "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "2.1.0", 
@@ -21590,34 +23057,27 @@ }, { "type": "relationship", - "id": "relationship--9fb2a9b2-3b25-4f77-9f7a-e832b2e5071a", - "created": "2018-10-17T00:14:20.652Z", + "id": "relationship--a1454196-0d86-49f2-8dcb-61145a16b21e", + "created": "2022-09-26T20:36:04.428Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, - "external_references": [ - { - "source_name": "Anton Cherepanov, ESET June 2017", - "description": "Anton Cherepanov, ESET 2017, June 12 Win32/Industroyer: A new threat for industrial control systems Retrieved. 2017/09/15 ", - "url": "https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf" - } - ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2022-09-23T18:54:30.385Z", - "description": "Using its protocol payloads, [Industroyer](https://attack.mitre.org/software/S0604) sends unauthorized commands to RTUs to change the state of equipment. (Citation: Anton Cherepanov, ESET June 2017)", - "relationship_type": "uses", - "source_ref": "malware--e401d4fe-f0c9-44f0-98e6-f93487678808", - "target_ref": "attack-pattern--40b300ba-f553-48bf-862e-9471b220d455", + "modified": "2022-10-14T16:33:05.248Z", + "description": "Monitor for files accessed on removable media, particularly those with executable content.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--235b7491-2d2b-4617-9a52-3c0783680f71", + "target_ref": "attack-pattern--c267bbee-bb59-47fe-85e0-3ed210337c21", "x_mitre_deprecated": false, - "x_mitre_version": "1.0", + "x_mitre_version": "0.1", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", - "id": "relationship--bc383819-2e40-49b4-bea9-95eb5d418877", - "created": "2017-12-14T16:46:06.044Z", + "id": "relationship--1d35c947-447f-4693-9ab0-32dff56e664e", + "created": "2021-04-13T12:45:26.506Z", "created_by_ref": 
"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ 
@@ -21630,103 +23090,46 @@
 "object_marking_refs": [
 "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
 ],
- "modified": "2022-09-20T21:15:38.341Z",
- "description": "[Stuxnet](https://attack.mitre.org/software/S0603) uses a thread to monitor a data block DB890 of sequence A or B. This thread is constantly running and probing this block (every 5 minutes). On an infected PLC, if block DB890 is found and contains a special magic value (used by Stuxnet to identify his own block DB890), this blocks data can be read and written. This thread is likely used to optimize the way sequences A and B work, and modify their behavior when the Step7 editor is opened. (Citation: Nicolas Falliere, Liam O Murchu, Eric Chien February 2011)",
+ "modified": "2022-09-29T20:19:47.429Z",
+ "description": "[Stuxnet](https://attack.mitre.org/software/S0603) enumerates and parses the System Data Blocks (SDB) using the s7blk_findfirst and s7blk_findnext API calls in s7otbxdx.dll. Stuxnet must find an SDB with the DWORD at offset 50h equal to 0100CB2Ch. This specifies that the system uses the Profibus communications processor module CP 342-5. In addition, specific values are searched for and counted: 7050h and 9500h. 7050h is assigned to part number KFC750V3 which appears to be a frequency converter drive (also known as variable frequency drive) manufactured by Fararo Paya in Teheran, Iran. 9500h is assigned to Vacon NX frequency converter drives manufactured by Vacon based in Finland.(Citation: Nicolas Falliere, Liam O Murchu, Eric Chien February 2011)\n\n[Stuxnet](https://attack.mitre.org/software/S0603) was specifically targeting CPUs 6ES7-315-2 (Series 300) with special system data block characteristics for sequence A or B and 6ES7-315-2 for sequence C. The PLC type can also be checked using the s7ag_read_szl API.(Citation: Nicolas Falliere, Liam O Murchu, Eric Chien February 2011)",
 "relationship_type": "uses",
 "source_ref": "malware--088f1d6e-0783-47c6-9923-9c79b2af43d4",
- "target_ref": "attack-pattern--e076cca8-2f08-45c9-aff7-ea5ac798b387",
+ "target_ref": "attack-pattern--2fedbe69-581f-447d-8a78-32ee7db939a9",
 "x_mitre_deprecated": false,
 "x_mitre_version": "1.0",
 "x_mitre_attack_spec_version": "2.1.0",
 "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
 },
- {
- "type": "relationship",
- "id": "relationship--6b987f2a-3d07-4791-9c1c-e4f6818521e8",
- "created": "2022-05-11T16:22:58.805Z",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "revoked": false,
- "object_marking_refs": [
- "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
- ],
- "modified": "2022-09-27T16:44:06.211Z",
- "description": "Monitor for changes made to Windows Registry keys or values that may delete or alter generated artifacts on a host system, including logs or captured files such as quarantined malware. For added context on adversary procedures and background see [Indicator Removal](https://attack.mitre.org/techniques/T1070) and applicable sub-techniques.",
- "relationship_type": "detects",
- "source_ref": "x-mitre-data-component--da85d358-741a-410d-9433-20d6269a6170",
- "target_ref": "attack-pattern--53a26eee-1080-4d17-9762-2027d5a1b805",
- "x_mitre_deprecated": false,
- "x_mitre_version": "1.0",
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
- },
- {
- "type": "relationship",
- "id": "relationship--1299dd2d-4f42-4f5f-876b-bf7dacd17c79",
- "created": "2022-05-11T16:22:58.803Z",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "revoked": false,
- "object_marking_refs": [
- "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
- ],
- "modified": "2022-09-26T15:10:34.653Z",
- "description": "Monitor for a loss of network communications, which may indicate this technique is being used.",
- "relationship_type": "detects",
- "source_ref": "x-mitre-data-component--a7f22107-02e5-4982-9067-6625d4a1765a",
- "target_ref": "attack-pattern--1c478716-71d9-46a4-9a53-fa5d576adb60",
- "x_mitre_deprecated": false,
- "x_mitre_version": "1.0",
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
- },
- {
- "type": "relationship",
- "id": "relationship--478cef79-cf4e-4b37-9562-b45cdeb088a4",
- "created": "2022-09-26T20:46:23.812Z",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "revoked": false,
- "object_marking_refs": [
- "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
- ],
- "modified": "2022-10-14T16:30:58.676Z",
- "description": "Monitor contextual data about a running process, which may include information such as environment variables, image name, user/owner, or other information that may reveal abuse of system features. ",
- "relationship_type": "detects",
- "source_ref": "x-mitre-data-component--ee575f4a-2d4f-48f6-b18b-89067760adc1",
- "target_ref": "attack-pattern--2dc2b567-8821-49f9-9045-8740f3d0b958",
- "x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
- },
 {
 "object_marking_refs": [
 "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
 ],
 "type": "relationship",
- "id": "relationship--e0d101cc-1284-4e88-82d6-227fe5d19d8a",
+ "id": "relationship--5ae1cf3a-2603-4bf9-ace3-5b1ee5d8d757",
 "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
 "created": "2020-09-21T17:59:24.739Z",
- "modified": "2022-05-06T17:47:24.123Z",
+ "modified": "2022-05-06T17:47:24.180Z",
 "relationship_type": "mitigates",
- "description": "Update software regularly by employing patch management for internal enterprise endpoints and servers.\n",
- "source_ref": "course-of-action--97f33c84-8508-45b9-8a1d-cac921828c9e",
- "target_ref": "attack-pattern--85a45294-08f1-4539-bf00-7da08aa7b0ee",
+ "description": "All field controllers should restrict program uploads to only certain users (e.g., engineers, field technician), preferably through implementing a role-based access mechanism.\n",
+ "source_ref": "course-of-action--e0d38502-decb-481d-ad8b-b8f0a0c330bd",
+ "target_ref": "attack-pattern--3067b85e-271e-4bc5-81ad-ab1a81d411e3",
 "x_mitre_attack_spec_version": "2.1.0",
 "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
 "x_mitre_version": "1.0"
 },
 {
 "type": "relationship",
- "id": "relationship--21134484-2d59-46b7-b878-527121fff1e3",
- "created": "2022-09-26T14:28:17.209Z",
+ "id": "relationship--87eb5825-c918-444f-8da5-67da9eea9906",
+ "created": "2022-09-26T17:14:52.427Z",
 "revoked": false,
 "object_marking_refs": [
 "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
 ],
- "modified": "2022-09-26T14:28:17.209Z",
- "description": "Monitor asset logs for alarms or other information the adversary is unable to directly suppress. Relevant alarms include those from a loss of communications due to [Adversary-in-the-Middle](https://attack.mitre.org/techniques/T0830) activity.",
+ "modified": "2022-09-26T17:14:52.427Z",
+ "description": "Monitor device application logs for firmware changes, although not all devices will produce such logs.",
 "relationship_type": "detects",
- "source_ref": "x-mitre-data-component--9d56be63-3501-4dd3-bb5f-63c580833298",
- "target_ref": "attack-pattern--8535b71e-3c12-4258-a4ab-40257a1becc4",
+ "source_ref": "x-mitre-data-component--9c2fa0ae-7abc-485a-97f6-699e3b6cf9fa",
+ "target_ref": "attack-pattern--b9160e77-ea9e-4ba9-b1c8-53a3c466b13d",
 "x_mitre_deprecated": false,
 "x_mitre_version": "0.1",
 "x_mitre_attack_spec_version": "2.1.0",
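Review bot: The added Stuxnet `"description"` names the same CPU model, `6ES7-315-2`, for both "sequence A or B" and "sequence C", which reads like a copy error in its second paragraph. As far as I recall, the cited Falliere / O Murchu / Chien report ties sequence C to a different controller family, so the wording would become `... for sequence A or B and 6ES7-417 for sequence C.` once confirmed against that source. Defenders who scope exposure or detections by controller model would otherwise be steered to the wrong hardware. The same string also writes `Finland.(Citation:` and `API.(Citation:` without the space that the removed description had before its citation. The object's `external_references` entry for this citation lies outside the hunk, so I could not check it here.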
@@ -21738,723 +23141,13 @@ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", - "id": "relationship--48489baf-56c2-423e-964a-0a61688e4a19", + "id": "relationship--cf8ac499-8c1c-4615-b933-7587f1b9488b", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.224Z", + "modified": "2022-05-06T17:47:24.216Z", "relationship_type": "mitigates", - "description": "Perform inline allowlisting of automation protocol commands to prevent devices from sending unauthorized command or reporting messages. Allow/denylist techniques need to be designed with sufficient accuracy to prevent the unintended blocking of valid messages.\n", - "source_ref": "course-of-action--11f242bc-3121-438c-84b2-5cbd46a4bb17", - "target_ref": "attack-pattern--40b300ba-f553-48bf-862e-9471b220d455", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "relationship", - "id": "relationship--c9395e2a-afaf-427c-bcb2-ae663d72c05c", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.068Z", - "relationship_type": "mitigates", - "description": "Provide an alternative method for alarms to be reported in the event of a communication failure.\n", - "source_ref": "course-of-action--b11cad63-ef30-4eb8-af0d-6cc46eef3f3e", - "target_ref": "attack-pattern--2900bbd8-308a-4274-b074-5b8bde8347bc", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "relationship", - "id": 
"relationship--08302021-aacf-428f-a0ce-e1034d925fb0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.115Z", - "relationship_type": "mitigates", - "description": "Develop a robust cyber threat intelligence capability to determine what types and levels of threat may use software exploits and 0-days against a particular organization.\n", - "source_ref": "course-of-action--d48b79b2-076d-483e-949c-0d38aa347499", - "target_ref": "attack-pattern--9f947a1c-3860-48a8-8af0-a2dfa3efde03", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - "type": "relationship", - "id": "relationship--8b2d82aa-75fc-4d6d-bb4b-9f600bd211fd", - "created": "2018-04-18T17:59:24.739Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "external_references": [ - { - "source_name": "MDudek-ICS", - "description": "MDudek-ICS TRISIS-TRITON-HATMAN Retrieved. 2019/11/03 ", - "url": "https://github.com/MDudek-ICS/TRISIS-TRITON-HATMAN/tree/master/decompiled_code/library" - } - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-10-12T18:27:15.545Z", - "description": "[Triton](https://attack.mitre.org/software/S1009) uses TriStations default UDP port, 1502, to communicate with devices. 
(Citation: MDudek-ICS)", - "relationship_type": "uses", - "source_ref": "malware--80099a91-4c86-4bea-9ccb-dac55d61960e", - "target_ref": "attack-pattern--e6c31185-8040-4267-83d3-b217b8a92f07", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "type": "relationship", - "id": "relationship--f65a8ce8-90fa-4d92-a0dc-3ee544c541fe", - "created": "2018-10-17T00:14:20.652Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "external_references": [ - { - "source_name": "Dragos", - "description": "Dragos Chrysene Retrieved. 2019/10/27 ", - "url": "https://dragos.com/resource/chrysene/" - } - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-10-12T16:32:49.409Z", - "description": "[OilRig](https://attack.mitre.org/groups/G0049) utilized stolen credentials to gain access to victim machines.(Citation: Dragos)", - "relationship_type": "uses", - "source_ref": "intrusion-set--4ca1929c-7d64-4aab-b849-badbfc0c760d", - "target_ref": "attack-pattern--cd2c76a4-5e23-4ca5-9c40-d5e0604f7101", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "type": "relationship", - "id": "relationship--f7adf126-3580-4b12-9e63-4d4f665e8cc3", - "created": "2022-09-27T18:38:12.667Z", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-09-27T18:38:12.667Z", - "description": "In the case of detecting collection from local systems monitor for newly executed processes that may search local system sources, such as file systems or local databases, to find files of interest and sensitive data prior to Exfiltration. 
For added context on adversary procedures and background see [Data from Local System](https://attack.mitre.org/techniques/T1005).", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--3d20385b-24ef-40e1-9f56-f39750379077", - "target_ref": "attack-pattern--3405891b-16aa-4bd7-bd7c-733501f9b20f", - "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "2.1.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "relationship", - "id": "relationship--cb4d802e-df5b-4017-81dd-47f65fff23a3", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.219Z", - "relationship_type": "mitigates", - "description": "Encrypt any operational data with strong confidentiality requirements, including organizational trade-secrets, recipes, and other intellectual property (IP).\n", + "description": "The encryption of firmware should be considered to prevent adversaries from identifying possible vulnerabilities within the firmware.\n", "source_ref": "course-of-action--9f99fcfd-772e-4e63-9d39-e45612e546dc", - "target_ref": "attack-pattern--b7e13ee8-182c-4f19-92a4-a88d7d855d54", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - "type": "relationship", - "id": "relationship--b343e131-e448-46c6-815b-b86e4bd6d638", - "created": "2018-10-17T00:14:20.652Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "external_references": [ - { - "source_name": "Dragos Threat Intelligence August 2019", - "description": "Dragos Threat Intelligence 2019, August Global Oil and Gas Cyber Threat Perspective 
Retrieved. 2020/01/03 ", - "url": "https://dragos.com/wp-content/uploads/Dragos-Oil-and-Gas-Threat-Perspective-2019.pdf" - } - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-10-12T17:06:51.429Z", - "description": "[TEMP.Veles](https://attack.mitre.org/groups/G0088) targeted several ICS vendors and manufacturers. (Citation: Dragos Threat Intelligence August 2019)", - "relationship_type": "uses", - "source_ref": "intrusion-set--9538b1a4-4120-4e2d-bf59-3b11fcab05a4", - "target_ref": "attack-pattern--5e0f75da-e108-4688-a6de-a4f07cc2cbe3", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "relationship", - "id": "relationship--6e3c2c04-0838-4863-80a7-d73ef5ac6a64", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.220Z", - "relationship_type": "mitigates", - "description": "Protocols used for control functions should provide authenticity through MAC functions or digital signatures. 
If not, utilize bump-in-the-wire devices or VPNs to enforce communication authenticity between devices that are not capable of supporting this (e.g., legacy controllers, RTUs).\n", - "source_ref": "course-of-action--c7257b6e-4159-4771-b1f3-2bb93adaecac", - "target_ref": "attack-pattern--40b300ba-f553-48bf-862e-9471b220d455", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - "type": "relationship", - "id": "relationship--56dcc2d7-5243-4a5d-a556-8723642e98a4", - "created": "2018-04-18T17:59:24.739Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "external_references": [ - { - "source_name": "Jos Wetzels January 2018", - "description": "Jos Wetzels 2018, January 16 Analyzing the TRITON industrial malware Retrieved. 2019/10/22 ", - "url": "https://www.midnightbluelabs.com/blog/2018/1/16/analyzing-the-triton-industrial-malware" - } - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-10-12T18:24:51.471Z", - "description": "[Triton](https://attack.mitre.org/software/S1009) would reset the controller to the previous state over TriStation and if this failed it would write a dummy program to memory in what was likely an attempt at anti-forensics. 
(Citation: Jos Wetzels January 2018)", - "relationship_type": "uses", - "source_ref": "malware--80099a91-4c86-4bea-9ccb-dac55d61960e", - "target_ref": "attack-pattern--53a26eee-1080-4d17-9762-2027d5a1b805", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "relationship", - "id": "relationship--4211c12a-57cf-4ebb-910a-6af7aa09cf34", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2021-04-12T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.187Z", - "relationship_type": "mitigates", - "description": "All communication sessions to remote services should be authenticated to prevent unauthorized access.\n", - "source_ref": "course-of-action--72e46e53-e12d-4106-9c70-33241b6ed549", - "target_ref": "attack-pattern--e1f9cdd2-9511-4fca-90d7-f3e92cfdd0bf", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "relationship", - "id": "relationship--26fdd07e-d194-4f8e-a9af-d5b2f1d0222e", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.170Z", - "relationship_type": "mitigates", - "description": "Restrict root or administrator access on user accounts to limit the ability to capture promiscuous traffic on a network through common packet capture tools. 
(Citation: National Institute of Standards and Technology April 2013)\n", - "source_ref": "course-of-action--622fe4d4-0e8e-4d17-9c25-6c9cef1f15d5", - "target_ref": "attack-pattern--38213338-1aab-479d-949b-c81b66ccca5c", - "external_references": [ - { - "source_name": "National Institute of Standards and Technology April 2013", - "description": "National Institute of Standards and Technology 2013, April Security and Privacy Controls for Federal Information Systems and Organizations Retrieved. 2020/09/17 ", - "url": "https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf" - } - ], - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - "type": "relationship", - "id": "relationship--1fd4cf4e-a26c-4fe5-a7fd-f49b8aea8437", - "created": "2021-04-12T18:49:06.044Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "external_references": [ - { - "source_name": "Tom Fakterman August 2019", - "description": "Tom Fakterman 2019, August 05 Sodinokibi: The Crown Prince of Ransomware Retrieved. 2021/04/12 ", - "url": "https://www.cybereason.com/blog/the-sodinokibi-ransomware-attack" - } - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-10-12T18:03:36.379Z", - "description": "[REvil](https://attack.mitre.org/software/S0496) initially executes when the user clicks on a JavaScript file included in the phishing emails .zip attachment. 
(Citation: Tom Fakterman August 2019)", - "relationship_type": "uses", - "source_ref": "malware--ac61f1f9-7bb1-465e-9b8a-c2ce8e88baf5", - "target_ref": "attack-pattern--2736b752-4ec5-4421-a230-8977dea7649c", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "type": "relationship", - "id": "relationship--b62da342-4b12-4d88-bb48-9fa84b8c967f", - "created": "2022-09-27T18:39:49.747Z", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-09-27T18:39:49.747Z", - "description": "In the case of detecting collection from local systems monitor for any attempts to enable scripts running on a system would be considered suspicious. If scripts are not commonly used on a system, but enabled, scripts running out of cycle from patching or other administrator functions are suspicious. Scripts should be captured from the file system when possible to determine their actions and intent. Data may also be acquired through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001). 
For added context on adversary procedures and background see [Data from Local System](https://attack.mitre.org/techniques/T1005).", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--9f387817-df83-432a-b56b-a8fb7f71eedd", - "target_ref": "attack-pattern--3405891b-16aa-4bd7-bd7c-733501f9b20f", - "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "2.1.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "type": "relationship", - "id": "relationship--9ffc1ecb-09de-4841-a1f6-ebd1f3be7cea", - "created": "2022-05-11T16:22:58.805Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-10-14T19:40:06.988Z", - "description": "Monitor for a file that may delete or alter generated artifacts on a host system, including logs or captured files such as quarantined malware.", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--e905dad2-00d6-477c-97e8-800427abd0e8", - "target_ref": "attack-pattern--53a26eee-1080-4d17-9762-2027d5a1b805", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "relationship", - "id": "relationship--b47dbc50-fd8f-4e5b-bb3d-e93b68bf5497", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.143Z", - "relationship_type": "mitigates", - "description": "Limit access to network infrastructure and resources that can be used to reshape traffic or otherwise produce MiTM conditions.\n", - 
"source_ref": "course-of-action--bcf91ebc-f316-4e19-b2f6-444e9940c697", - "target_ref": "attack-pattern--9a505987-ab05-4f46-a9a6-6441442eec3b", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - "type": "relationship", - "id": "relationship--d50a3d89-c8fa-4c5d-813e-f4495d892d1a", - "created": "2019-03-25T19:13:54.947Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "external_references": [ - { - "source_name": "Joe Slowik April 2019", - "description": "Joe Slowik 2019, April 10 Implications of IT Ransomware for ICS Environments Retrieved. 2019/10/27 ", - "url": "https://dragos.com/blog/industry-news/implications-of-it-ransomware-for-ics-environments/" - } - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-10-12T18:32:23.717Z", - "description": "[WannaCry](https://attack.mitre.org/software/S0366) can move laterally through industrial networks by means of the SMB service. 
(Citation: Joe Slowik April 2019)", - "relationship_type": "uses", - "source_ref": "malware--75ecdbf1-c2bb-4afc-a3f9-c8da4de8c661", - "target_ref": "attack-pattern--ead7bd34-186e-4c79-9a4d-b65bcce6ed9d", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "relationship", - "id": "relationship--6895e54e-3968-41a9-9013-a082cd46fa44", - "created": "2020-05-14T14:40:26.221Z", - "x_mitre_version": "1.0", - "external_references": [ - { - "source_name": "Red Canary Hospital Thwarted Ryuk October 2020", - "url": "https://redcanary.com/blog/how-one-hospital-thwarted-a-ryuk-ransomware-outbreak/", - "description": "Brian Donohue, Katie Nickels, Paul Michaud, Adina Bodkins, Taylor Chapman, Tony Lambert, Jeff Felling, Kyle Rainey, Mike Haag, Matt Graeber, Aaron Didier.. (2020, October 29). A Bazar start: How one hospital thwarted a Ryuk ransomware outbreak. Retrieved October 30, 2020." - }, - { - "source_name": "DHS/CISA Ransomware Targeting Healthcare October 2020", - "url": "https://us-cert.cisa.gov/ncas/alerts/aa20-302a", - "description": "DHS/CISA. (2020, October 28). Ransomware Activity Targeting the Healthcare and Public Health Sector. Retrieved October 28, 2020." - }, - { - "source_name": "CrowdStrike Ryuk January 2019", - "url": "https://www.crowdstrike.com/blog/big-game-hunting-with-ryuk-another-lucrative-targeted-ransomware/", - "description": "Hanel, A. (2019, January 10). Big Game Hunting with Ryuk: Another Lucrative Targeted Ransomware. Retrieved May 12, 2020." 
- }, - { - "source_name": "FireEye KEGTAP SINGLEMALT October 2020", - "url": "https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html", - "description": "Kimberly Goody, Jeremy Kennelly, Joshua Shilko, Steve Elovitz, Douglas Bienstock. (2020, October 28). Unhappy Hour Special: KEGTAP and SINGLEMALT With a Ransomware Chaser. Retrieved October 28, 2020." - }, - { - "source_name": "CrowdStrike Wizard Spider October 2020", - "url": "https://www.crowdstrike.com/blog/wizard-spider-adversary-update/", - "description": "Podlosky, A., Hanel, A. et al. (2020, October 16). WIZARD SPIDER Update: Resilient, Reactive and Resolute. Retrieved June 15, 2021." - }, - { - "source_name": "Sophos New Ryuk Attack October 2020", - "url": "https://news.sophos.com/en-us/2020/10/14/inside-a-new-ryuk-ransomware-attack/", - "description": "Sean Gallagher, Peter Mackenzie, Elida Leite, Syed Shahram, Bill Kearney, Anand Aijan, Sivagnanam Gn, Suraj Mundalik. (2020, October 14). They’re back: inside a new Ryuk ransomware attack. Retrieved October 14, 2020." - }, - { - "source_name": "DFIR Ryuk 2 Hour Speed Run November 2020", - "url": "https://thedfirreport.com/2020/11/05/ryuk-speed-run-2-hours-to-ransom/", - "description": "The DFIR Report. (2020, November 5). Ryuk Speed Run, 2 Hours to Ransom. Retrieved November 6, 2020." - }, - { - "source_name": "DFIR Ryuk in 5 Hours October 2020", - "url": "https://thedfirreport.com/2020/10/18/ryuk-in-5-hours/", - "description": "The DFIR Report. (2020, October 18). Ryuk in 5 Hours. Retrieved October 19, 2020." - }, - { - "source_name": "DFIR Ryuk's Return October 2020", - "url": "https://thedfirreport.com/2020/10/08/ryuks-return/", - "description": "The DFIR Report. (2020, October 8). Ryuk’s Return. Retrieved October 9, 2020." 
- } - ], - "x_mitre_deprecated": false, - "revoked": false, - "description": "(Citation: CrowdStrike Ryuk January 2019)(Citation: Red Canary Hospital Thwarted Ryuk October 2020)(Citation: DHS/CISA Ransomware Targeting Healthcare October 2020)(Citation: FireEye KEGTAP SINGLEMALT October 2020)(Citation: DFIR Ryuk's Return October 2020)(Citation: DFIR Ryuk 2 Hour Speed Run November 2020)(Citation: DFIR Ryuk in 5 Hours October 2020)(Citation: Sophos New Ryuk Attack October 2020)(Citation: CrowdStrike Wizard Spider October 2020)", - "modified": "2022-05-20T17:07:10.940Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "relationship_type": "uses", - "source_ref": "intrusion-set--dd2d9ca6-505b-4860-a604-233685b802c7", - "target_ref": "malware--a020a61c-423f-4195-8c46-ba1d21abba37", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "type": "relationship", - "id": "relationship--04bf72de-75ba-4d95-ad24-f93ad835180c", - "created": "2017-12-14T16:46:06.044Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "external_references": [ - { - "source_name": "Booz Allen Hamilton", - "description": "Booz Allen Hamilton When The Lights Went Out Retrieved. 2019/10/22 ", - "url": "https://www.boozallen.com/content/dam/boozallen/documents/2016/09/ukraine-report-when-the-lights-went-out.pdf" - } - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-10-12T17:54:26.520Z", - "description": "[KillDisk](https://attack.mitre.org/software/S0607) erases the master boot record (MBR) and system logs, leaving the system unusable. 
(Citation: Booz Allen Hamilton)", - "relationship_type": "uses", - "source_ref": "malware--e221eb77-1502-4129-af1d-fe1ad55e7ec6", - "target_ref": "attack-pattern--138979ba-0430-4de6-a128-2fc0b056ba36", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "relationship", - "id": "relationship--0c9ed09d-4ce3-4e65-845a-c21dcc5d956f", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.070Z", - "relationship_type": "mitigates", - "description": "Provide an alternative method for sending critical commands message to outstations, this could include using radio/cell communication to send messages to a field technician that physically performs the control function.\n", - "source_ref": "course-of-action--b11cad63-ef30-4eb8-af0d-6cc46eef3f3e", - "target_ref": "attack-pattern--008b8f56-6107-48be-aa9f-746f927dbb61", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - "type": "relationship", - "id": "relationship--1377fdf9-5201-4204-b6d3-df2fb5f4d02f", - "created": "2022-09-26T18:41:48.947Z", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-09-26T18:41:48.947Z", - "description": "Monitor for firmware changes which may be observable via operational alarms from devices.", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--9d56be63-3501-4dd3-bb5f-63c580833298", - "target_ref": "attack-pattern--efbf7888-f61b-4572-9c80-7e2965c60707", - "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "2.1.0", - 
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "type": "relationship", - "id": "relationship--3aa69e19-f55f-4531-a26e-eb67d6ea24ee", - "created": "2022-05-11T16:22:58.804Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-09-26T15:11:14.662Z", - "description": "Monitor for the termination of processes or services associated with ICS automation protocols and application software which could help detect blocked communications.", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--61f1d40e-f3d0-4cc6-aa2d-937b6204194f", - "target_ref": "attack-pattern--1c478716-71d9-46a4-9a53-fa5d576adb60", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "relationship", - "id": "relationship--49d38b21-5ce5-48d9-a356-639fc6c7a53d", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.097Z", - "relationship_type": "mitigates", - "description": "All field controllers should require users to authenticate for all remote or local management sessions. 
The authentication mechanisms should also support [Account Use Policies](https://attack.mitre.org/mitigations/M0936), [Password Policies](https://attack.mitre.org/mitigations/M0927), and [User Account Management](https://attack.mitre.org/mitigations/M0918).", - "source_ref": "course-of-action--66cfe23e-34b6-4583-b178-ed6a412db2b0", - "target_ref": "attack-pattern--2aa406ed-81c3-4c1d-ba83-cfbee5a2847a", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "relationship", - "id": "relationship--ca64a927-f050-41b3-80d3-93d22cdef26a", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.081Z", - "relationship_type": "mitigates", - "description": "Ensure that unnecessary ports and services are closed to prevent risk of discovery and potential exploitation.\n", - "source_ref": "course-of-action--d0909119-2f71-4923-87db-b649881672d7", - "target_ref": "attack-pattern--e6c31185-8040-4267-83d3-b217b8a92f07", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - "type": "relationship", - "id": "relationship--86ede365-4539-4475-b90b-9b3bfd2dbe97", - "created": "2022-05-11T16:22:58.806Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-09-26T16:18:43.413Z", - "description": "Monitor devices configuration logs which may contain alerts that indicate whether a program download has occurred. 
Devices may maintain application logs that indicate whether a full program download, online edit, or program append function has occurred.", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--9c2fa0ae-7abc-485a-97f6-699e3b6cf9fa", - "target_ref": "attack-pattern--be69c571-d746-4b1f-bdd0-c0c9817e9068", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "relationship", - "id": "relationship--34d4101b-b4c9-4ea3-a84d-81e84e7f5033", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.168Z", - "relationship_type": "mitigates", - "description": "Segment networks and systems appropriately to reduce access to critical system and services communications.\n", - "source_ref": "course-of-action--1e7ccfc0-94c8-496e-8d27-032120892291", - "target_ref": "attack-pattern--38213338-1aab-479d-949b-c81b66ccca5c", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "relationship", - "id": "relationship--a22fabd2-836e-4141-9219-c76cc10138ec", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.100Z", - "relationship_type": "mitigates", - "description": "Use host-based allowlists to prevent devices from accepting connections from unauthorized systems. For example, allowlists can be used to ensure devices can only connect with master stations or known management/engineering workstations. 
(Citation: Department of Homeland Security September 2016)\n", - "source_ref": "course-of-action--aadac250-bcdc-44e3-a4ae-f52bd0a7a16a", - "target_ref": "attack-pattern--2aa406ed-81c3-4c1d-ba83-cfbee5a2847a", - "external_references": [ - { - "source_name": "Department of Homeland Security September 2016", - "description": "Department of Homeland Security 2016, September Retrieved. 2020/09/25 ", - "url": "https://us-cert.cisa.gov/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf" - } - ], - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - "type": "relationship", - "id": "relationship--9db1ecfe-72eb-42da-a09e-746663a53854", - "created": "2018-04-18T17:59:24.739Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "external_references": [ - { - "source_name": "MDudek-ICS", - "description": "MDudek-ICS TRISIS-TRITON-HATMAN Retrieved. 2019/11/03 ", - "url": "https://github.com/MDudek-ICS/TRISIS-TRITON-HATMAN/tree/master/decompiled_code/library" - } - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-09-29T20:46:03.389Z", - "description": "[Triton](https://attack.mitre.org/software/S1009) contains a file named TS_cnames.py which contains default definitions for program state (TS_progstate). Program state is referenced in TsHi.py.(Citation: MDudek-ICS)\n\n[Triton](https://attack.mitre.org/software/S1009) contains a file named TS_cnames.py which contains default definitions for key state (TS_keystate). 
Key state is referenced in TsHi.py.(Citation: MDudek-ICS)", - "relationship_type": "uses", - "source_ref": "malware--80099a91-4c86-4bea-9ccb-dac55d61960e", - "target_ref": "attack-pattern--2aa406ed-81c3-4c1d-ba83-cfbee5a2847a", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "type": "relationship", - "id": "relationship--d406671b-4d22-4cd5-8568-d04b0b70b51c", - "created": "2022-05-11T16:22:58.803Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-09-26T14:49:29.157Z", - "description": "Monitor asset log which may provide information that an asset has been placed into Firmware Update Mode. Some assets may log firmware updates themselves without logging that the device has been placed into update mode.", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--9c2fa0ae-7abc-485a-97f6-699e3b6cf9fa", - "target_ref": "attack-pattern--19a71d1e-6334-4233-8260-b749cae37953", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "relationship", - "id": "relationship--df6da4ec-cbe8-4f93-a41f-3726a9491938", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.168Z", - "relationship_type": "mitigates", - "description": "Statically defined ARP entries can prevent manipulation and sniffing of switched network traffic, as some MitM techniques depend on sending spoofed ARP messages to manipulate network host's dynamic ARP tables.\n", - 
"source_ref": "course-of-action--52c7a1a9-3a78-4528-a44f-cd7b0fa3541a", - "target_ref": "attack-pattern--38213338-1aab-479d-949b-c81b66ccca5c", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "relationship", - "id": "relationship--b5bb5ec3-aa3c-4734-8425-4be80c5658a9", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.143Z", - "relationship_type": "mitigates", - "description": "This technique may not be effectively mitigated against, consider controls for assets and processes that lead to the use of this technique.\n", - "source_ref": "course-of-action--469b78dd-a54d-4f7c-8c3b-4a1dd916b433", - "target_ref": "attack-pattern--36e9f5bc-ac13-4da4-a2f4-01f4877d9004", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "relationship", - "id": "relationship--686cbd74-ef49-4e77-9599-21777d3a4738", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.174Z", - "relationship_type": "mitigates", - "description": "Perform inline allowlisting of automation protocol commands to prevent devices from sending unauthorized command or reporting messages. 
Allow/denylist techniques need to be designed with sufficient accuracy to prevent the unintended blocking of valid messages.\n", - "source_ref": "course-of-action--11f242bc-3121-438c-84b2-5cbd46a4bb17", - "target_ref": "attack-pattern--25852363-5968-4673-b81d-341d5ed90bd1", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "relationship", - "id": "relationship--e8af0b34-4a67-4966-a34a-c4d1b346ea15", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.104Z", - "relationship_type": "mitigates", - "description": "All devices or systems changes, including all administrative functions, should require authentication. Consider using access management technologies to enforce authorization on all management interface access attempts, especially when the device does not inherently provide strong authentication and authorization functions.\n", - "source_ref": "course-of-action--3992ce42-43e9-4bea-b8db-a102ec3ec1e3", - "target_ref": "attack-pattern--25dfc8ad-bd73-4dfd-84a9-3c3d383f76e9", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "relationship", - "id": "relationship--17fdec71-98e8-4314-a1be-037edede58bd", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.212Z", - "relationship_type": "mitigates", - "description": "Devices that allow remote management of firmware should require authentication before allowing any changes. 
The authentication mechanisms should also support [Account Use Policies](https://attack.mitre.org/mitigations/M0936), [Password Policies](https://attack.mitre.org/mitigations/M0927), and [User Account Management](https://attack.mitre.org/mitigations/M0918).", - "source_ref": "course-of-action--66cfe23e-34b6-4583-b178-ed6a412db2b0", "target_ref": "attack-pattern--b9160e77-ea9e-4ba9-b1c8-53a3c466b13d", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", 
@@ -22465,60 +23158,106 @@ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", - "id": "relationship--147c2158-b2af-4d88-9d59-594c67a9200e", + "id": "relationship--ca768c2a-0f14-471c-90a5-bce649e88d51", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.204Z", + "modified": "2022-05-06T17:47:24.105Z", "relationship_type": "mitigates", - "description": "Protocols used for control functions should provide authenticity through MAC functions or digital signatures. If not, utilize bump-in-the-wire devices or VPNs to enforce communication authenticity between devices that are not capable of supporting this (e.g., legacy controllers, RTUs).\n", - "source_ref": "course-of-action--c7257b6e-4159-4771-b1f3-2bb93adaecac", - "target_ref": "attack-pattern--8535b71e-3c12-4258-a4ab-40257a1becc4", + "description": "Application denylists can be used to block automation protocol functions used to initiate device shutdowns or restarts, such as DNP3's 0x0D function code, or vulnerabilities that can be used to trigger device shutdowns (e.g., CVE-2014-9195, CVE-2015-5374).\n", + "source_ref": "course-of-action--11f242bc-3121-438c-84b2-5cbd46a4bb17", + "target_ref": "attack-pattern--25dfc8ad-bd73-4dfd-84a9-3c3d383f76e9", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0" }, { "type": "relationship", - "id": "relationship--3e956d93-e011-40de-ab1b-3f32fa73ae41", - "created": "2022-09-26T19:30:14.122Z", + "id": "relationship--567acebd-4ba2-4723-a74d-514992321ccc", + "created": "2022-05-11T16:22:58.803Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2022-10-14T16:15:05.195Z", - "description": "Monitor DLL file events, specifically creation 
of these files as well as the loading of DLLs into processes specifically designed to accept remote connections, such as RDP, Telnet, SSH, and VNC.", + "modified": "2022-09-26T15:03:27.702Z", + "description": "Monitor for lack of operational process data which may help identify a loss of communications. This will not directly detect the technique’s execution, but instead may provide additional evidence that the technique has been used and may complement other detections.", "relationship_type": "detects", - "source_ref": "x-mitre-data-component--c0a4a086-cc20-4e1e-b7cb-29d99dfa3fb1", - "target_ref": "attack-pattern--e1f9cdd2-9511-4fca-90d7-f3e92cfdd0bf", + "source_ref": "x-mitre-data-component--931b3fc6-ad68-42a8-9018-e98515eedc95", + "target_ref": "attack-pattern--008b8f56-6107-48be-aa9f-746f927dbb61", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", + "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "type": "relationship", - "id": "relationship--1e6da55a-ab6c-4583-9e20-583f82096497", - "created": "2022-09-26T14:40:01.334Z", + "id": "relationship--0beb0088-3bea-4612-b2d9-ff9988f829ae", + "created": "2018-04-18T17:59:24.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, + "external_references": [ + { + "source_name": "Jacqueline O'Leary et al. September 2017", + "description": "Jacqueline O'Leary et al. 2017, September 20 Insights into Iranian Cyber Espionage: APT33 Targets Aerospace and Energy Sectors and has Ties to Destructive Malware Retrieved. 2019/12/02 ", + "url": "https://www.fireeye.com/blog/threat-research/2017/09/apt33-insights-into-iranian-cyber-espionage.html" + }, + { + "source_name": "Junnosuke Yagi March 2017", + "description": "Junnosuke Yagi 2017, March 07 Trojan.Stonedrill Retrieved. 
2019/12/05 ", + "url": "https://www.symantec.com/security-center/writeup/2017-030708-4403-99" + } + ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2022-10-14T16:49:58.047Z", - "description": "Monitor for new ICS protocol connections to existing assets or for device scanning (i.e., a host connecting to many devices) over ICS and enterprise protocols (e.g., ICMP, DCOM, WinRM).", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--a7f22107-02e5-4982-9067-6625d4a1765a", - "target_ref": "attack-pattern--2fedbe69-581f-447d-8a78-32ee7db939a9", + "modified": "2022-10-12T15:41:15.111Z", + "description": "[APT33](https://attack.mitre.org/groups/G0064) utilize backdoors capable of capturing screenshots once installed on a system. (Citation: Jacqueline O'Leary et al. September 2017)(Citation: Junnosuke Yagi March 2017)", + "relationship_type": "uses", + "source_ref": "intrusion-set--fbd29c89-18ba-4c2d-b792-51c0adee049f", + "target_ref": "attack-pattern--c5e3cdbc-0387-4be9-8f83-ff5c0865f377", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", + "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], "type": "relationship", - "id": "relationship--ccc67bb3-acc3-4294-81b3-4a0d972f2dd7", - "created": "2021-04-13T12:08:26.506Z", + "id": "relationship--dc35c44a-a90c-48a1-8811-af2618216e42", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.124Z", + "relationship_type": "mitigates", + "description": "Use strong multi-factor authentication for remote service accounts to mitigate an adversary's ability to leverage stolen credentials. 
Be aware ofmulti-factor authentication interceptiontechniques for some implementations.\n", + "source_ref": "course-of-action--ddf3e568-f065-49e2-9106-42029a28ddbd", + "target_ref": "attack-pattern--8d2f3bab-507c-4424-b58b-edc977bd215c", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--2971151c-0e8a-4567-84dc-01cf5dd35005", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.199Z", + "relationship_type": "mitigates", + "description": "Digital signatures may be used to ensure application DLLs are authentic prior to execution.\n", + "source_ref": "course-of-action--71eb7dad-07eb-4bbc-9df0-ac57bf2fba4a", + "target_ref": "attack-pattern--3b6b9246-43f8-4c69-ad7a-2b11cfe0a0d9", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--13809e98-1d74-4c39-b882-9d523c76cbde", + "created": "2021-04-13T12:36:26.506Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ 
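Review bot: The added `description` of `relationship--dc35c44a-a90c-48a1-8811-af2618216e42` contains two run-together word pairs, `ofmulti-factor` and `interceptiontechniques`. They read as if inline link markup was stripped without restoring the surrounding spaces, though that is inferred, since the upstream text is not visible here. Tools that render mitigation guidance show this string verbatim, so it should read `Be aware of multi-factor authentication interception techniques for some implementations.` Separately, the same hunk mixes objects that carry `revoked` and `x_mitre_deprecated` with `mitigates` objects that omit both, so consumers of the bundle should treat an absent key as false rather than index it unconditionally.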
@@ -22531,1585 +23270,29 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2022-10-12T18:28:11.304Z", - "description": "[Triton](https://attack.mitre.org/software/S1009)'s injector, inject.bin, changes the function pointer of the 'get main processor diagnostic data' TriStation command to the address of imain.bin so that it is executed prior to the normal handler. (Citation: Jos Wetzels January 2018)", + "modified": "2022-10-12T18:24:07.929Z", + "description": "[Triton](https://attack.mitre.org/software/S1009)'s imain.bin payload takes commands from the TsHi.ExplReadRam(Ex), TsHi.ExplWriteRam(Ex) and TsHi.ExplExec functions to perform operations on controller memory and registers using syscalls written in PowerPC shellcode. (Citation: Jos Wetzels January 2018)", "relationship_type": "uses", "source_ref": "malware--80099a91-4c86-4bea-9ccb-dac55d61960e", - "target_ref": "attack-pattern--ab390887-afc0-4715-826d-b1b167d522ae", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "type": "relationship", - "id": "relationship--b116fcca-e872-4735-b7e2-4e4c8e34621a", - "created": "2022-05-11T16:22:58.807Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-10-14T16:56:58.977Z", - "description": "Monitor and analyze traffic patterns and packet inspection associated to protocol(s), leveraging SSL/TLS inspection for encrypted traffic, that do not follow the expected protocol standards and traffic flows (e.g., extraneous packets that do not belong to established flows, gratuitous or anomalous traffic patterns, anomalous syntax, or structure). 
Consider correlation with process monitoring and command line to detect anomalous processes execution and command line arguments associated to traffic patterns (e.g., monitor anomalies in use of files that do not normally initiate connections for respective protocol(s)).", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c", - "target_ref": "attack-pattern--e076cca8-2f08-45c9-aff7-ea5ac798b387", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "type": "relationship", - "id": "relationship--a7a4b080-e4a6-4c46-b2c7-84119df76393", - "created": "2022-09-26T14:43:24.136Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "external_references": [ - { - "source_name": "Elastic - Koadiac Detection with EQL", - "description": "Stepanic, D.. (2020, January 13). Embracing offensive tooling: Building detections against Koadic using EQL. 
Retrieved November 30, 2020.", - "url": "https://www.elastic.co/blog/embracing-offensive-tooling-building-detections-against-koadic-using-eql" - } - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-10-14T16:49:34.799Z", - "description": "Monitor for newly executed processes that can be used to discover remote systems, such as ping.exe and tracert.exe, especially when executed in quick succession.(Citation: Elastic - Koadiac Detection with EQL) Consider monitoring for new processes engaging in scanning activity or connecting to multiple systems by correlating process creation network data.", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--3d20385b-24ef-40e1-9f56-f39750379077", - "target_ref": "attack-pattern--2fedbe69-581f-447d-8a78-32ee7db939a9", - "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "type": "relationship", - "id": "relationship--1acccbe8-64e1-49ad-87df-215d5c87f050", - "created": "2022-05-11T16:22:58.806Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-10-14T16:42:43.105Z", - "description": "Monitor for changes made to files outside of an update or patch that may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools.", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--84572de3-9583-4c73-aabd-06ea88123dd8", - "target_ref": "attack-pattern--ba203963-3182-41ac-af14-7e7ebc83cd61", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "type": 
"relationship", - "id": "relationship--0e29f62d-4ffc-47ec-9623-72f874fbe905", - "created": "2017-12-14T16:46:06.044Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "external_references": [ - { - "source_name": "Nicolas Falliere, Liam O Murchu, Eric Chien February 2011", - "description": "Nicolas Falliere, Liam O Murchu, Eric Chien 2011, February W32.Stuxnet Dossier (Version 1.4) Retrieved. 2017/09/22 ", - "url": "https://www.wired.com/images_blogs/threatlevel/2011/02/Symantec-Stuxnet-Update-Feb-2011.pdf" - } - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-09-20T21:09:52.454Z", - "description": "[Stuxnet](https://attack.mitre.org/software/S0603) renames s7otbxdx.dll, a dll responsible for handling communications with a PLC. It replaces this dll file with its own version that allows it to intercept any calls that are made to access the PLC. (Citation: Nicolas Falliere, Liam O Murchu, Eric Chien February 2011)", - "relationship_type": "uses", - "source_ref": "malware--088f1d6e-0783-47c6-9923-9c79b2af43d4", - "target_ref": "attack-pattern--ba203963-3182-41ac-af14-7e7ebc83cd61", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "type": "relationship", - "id": "relationship--cfcbca89-8912-40c0-ac15-47882162b132", - "created": "2022-05-11T16:22:58.808Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-09-26T19:00:16.899Z", - "description": "Monitor application logs for new or unexpected devices or sessions on wireless networks.", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--9c2fa0ae-7abc-485a-97f6-699e3b6cf9fa", - "target_ref": 
"attack-pattern--2877063e-1851-48d2-bcc6-bc1d2733157e", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "type": "relationship", - "id": "relationship--b48be9f9-de0e-4548-ade3-09d47af52798", - "created": "2022-05-11T16:22:58.803Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-09-26T15:03:58.153Z", - "description": "Monitor asset alarms which may help identify a loss of communications. Consider correlating alarms with other data sources that indicate traffic has been blocked, such as network traffic. In cases where alternative methods of communicating with outstations exist alarms may still be visible even if command messages are blocked.", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--4c12c1c8-bcef-4daf-8e5b-fca235f71d9e", - "target_ref": "attack-pattern--008b8f56-6107-48be-aa9f-746f927dbb61", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "relationship", - "id": "relationship--366a4cd1-aa95-4985-9d80-b45a2551e298", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.179Z", - "relationship_type": "mitigates", - "description": "Filter for protocols and payloads associated with program download activity to prevent unauthorized device configurations.\n", - "source_ref": "course-of-action--11f242bc-3121-438c-84b2-5cbd46a4bb17", - "target_ref": "attack-pattern--be69c571-d746-4b1f-bdd0-c0c9817e9068", - 
"x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - "type": "relationship", - "id": "relationship--f2e6103d-ca06-45c4-8fe9-049687fc4361", - "created": "2022-05-11T16:22:58.803Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-09-26T15:38:17.130Z", - "description": "Monitor for loss of expected operational process alarms which could indicate alarms are being suppressed. As noted in the technique description, there may be multiple sources of alarms in an ICS environment. Discrepancies between alarms may indicate the adversary is suppressing some but not all the alarms in the environment. This will not directly detect the technique’s execution, but instead may provide additional evidence that the technique has been used and may complement other detections.", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--4c12c1c8-bcef-4daf-8e5b-fca235f71d9e", - "target_ref": "attack-pattern--2900bbd8-308a-4274-b074-5b8bde8347bc", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "relationship", - "id": "relationship--243ad7b2-546c-4bf2-a3c0-1438b13e197d", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.169Z", - "relationship_type": "mitigates", - "description": "Systems and devices should restrict access to any data with potential confidentiality concerns, including point and tag information.\n", - "source_ref": "course-of-action--e0d38502-decb-481d-ad8b-b8f0a0c330bd", 
- "target_ref": "attack-pattern--25852363-5968-4673-b81d-341d5ed90bd1", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - "type": "relationship", - "id": "relationship--a82e9f8a-f81e-407a-b284-e0ae5f055c61", - "created": "2022-05-11T16:22:58.805Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-10-14T19:39:30.850Z", - "description": "Monitor for changes made to a file may delete or alter generated artifacts on a host system, including logs or captured files such as quarantined malware.", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--84572de3-9583-4c73-aabd-06ea88123dd8", - "target_ref": "attack-pattern--53a26eee-1080-4d17-9762-2027d5a1b805", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "type": "relationship", - "id": "relationship--a04169ed-c16b-466b-80ef-22a11067f475", - "created": "2018-10-17T00:14:20.652Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "external_references": [ - { - "source_name": "Anton Cherepanov, ESET June 2017", - "description": "Anton Cherepanov, ESET 2017, June 12 Win32/Industroyer: A new threat for industrial control systems Retrieved. 2017/09/15 ", - "url": "https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf" - } - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-09-23T18:54:58.401Z", - "description": "[Industroyer](https://attack.mitre.org/software/S0604) is able to block serial COM channels temporarily causing a denial of view. 
(Citation: Anton Cherepanov, ESET June 2017)", - "relationship_type": "uses", - "source_ref": "malware--e401d4fe-f0c9-44f0-98e6-f93487678808", - "target_ref": "attack-pattern--56ddc820-6cfb-407f-850b-52c035d123ac", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "relationship", - "id": "relationship--e607bb66-e53f-4684-b3f1-36a997e27d01", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.087Z", - "relationship_type": "mitigates", - "description": "Protection devices should have minimal digital components to prevent exposure to related adversarial techniques. Examples include interlocks, rupture disks, release valves, etc. (Citation: A G Foord, W G Gulland, C R Howard, T Kellacher, W H Smith 2004) \n", - "source_ref": "course-of-action--8bc4a54e-810c-4600-8b6c-08fa8413a401", - "target_ref": "attack-pattern--83ebd22f-b401-4d59-8219-2294172cf916", - "external_references": [ - { - "source_name": "A G Foord, W G Gulland, C R Howard, T Kellacher, W H Smith 2004", - "description": "A G Foord, W G Gulland, C R Howard, T Kellacher, W H Smith 2004 APPLYING THE LATEST STANDARD FOR FUNCTIONAL SAFETY IEC 61511 Retrieved. 
2020/09/17 ", - "url": "https://www.icheme.org/media/9906/xviii-paper-23.pdf" - } - ], - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "relationship", - "id": "relationship--17ae41a5-cb45-4935-bec1-ea0c8bfb2f34", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.128Z", - "relationship_type": "mitigates", - "description": "This technique may not be effectively mitigated against, consider controls for assets and processes that lead to the use of this technique.\n", - "source_ref": "course-of-action--469b78dd-a54d-4f7c-8c3b-4a1dd916b433", - "target_ref": "attack-pattern--53a48c74-0025-45f4-b04a-baa853df8204", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - "type": "relationship", - "id": "relationship--6fa3aee4-2a29-4c0f-9e61-1f7df5eccc00", - "created": "2018-10-17T00:14:20.652Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "external_references": [ - { - "source_name": "Spenneberg, Ralf, Maik Brggemann, and Hendrik Schwartke March 2016", - "description": "Spenneberg, Ralf, Maik Brggemann, and Hendrik Schwartke 2016, March 31 Plc-blaster: A worm living solely in the plc. Retrieved. 2017/09/19 ", - "url": "https://www.blackhat.com/docs/asia-16/materials/asia-16-Spenneberg-PLC-Blaster-A-Worm-Living-Solely-In-The-PLC-wp.pdf" - } - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-10-12T18:01:38.884Z", - "description": "[PLC-Blaster](https://attack.mitre.org/software/S1006) may manipulate any outputs of the PLC. 
Using the POU POKE any value within the process image may be modified. (Citation: Spenneberg, Ralf, Maik Brggemann, and Hendrik Schwartke March 2016)", - "relationship_type": "uses", - "source_ref": "malware--4dcff507-5af8-47ce-964a-8d9569e9ccfe", - "target_ref": "attack-pattern--36e9f5bc-ac13-4da4-a2f4-01f4877d9004", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "relationship", - "id": "relationship--6b5d2643-b399-43aa-8ab1-7557a0446b07", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.147Z", - "relationship_type": "mitigates", - "description": "Only authorized personnel should be able to change settings for alarms.\n", - "source_ref": "course-of-action--e0d38502-decb-481d-ad8b-b8f0a0c330bd", - "target_ref": "attack-pattern--e5de767e-f513-41cd-aa15-33f6ce5fbf92", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "relationship", - "id": "relationship--698d7c50-daab-4087-a7b4-b2bc8dfd81a7", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2021-04-13T11:15:26.506Z", - "modified": "2022-05-06T17:47:24.154Z", - "relationship_type": "mitigates", - "description": "Provide the ability to verify the integrity of control logic or programs loaded on a controller. While techniques like CRCs and checksums are commonly used, they are not cryptographically strong and can be vulnerable to collisions. Preferably cryptographic hash functions (e.g., SHA-2, SHA-3) should be used. 
(Citation: IEC February 2019)\n", - "source_ref": "course-of-action--bcf91ebc-f316-4e19-b2f6-444e9940c697", - "target_ref": "attack-pattern--09a61657-46e1-439e-b3ed-3e4556a78243", - "external_references": [ - { - "source_name": "IEC February 2019", - "description": "IEC 2019, February Security for industrial automation and control systems - Part 4-2: Technical security requirements for IACS components Retrieved. 2020/09/25 ", - "url": "https://webstore.iec.ch/publication/34421" - } - ], - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "relationship", - "id": "relationship--f9aa3364-a1eb-4776-ae03-c39b250545a0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.185Z", - "relationship_type": "mitigates", - "description": "Review the integrity of project files to verify they have not been modified by adversary behavior. 
Verify a cryptographic hash for the file with a known trusted version, or look for other indicators of modification (e.g., timestamps).\n", - "source_ref": "course-of-action--bcf91ebc-f316-4e19-b2f6-444e9940c697", - "target_ref": "attack-pattern--e72425f8-9ae6-41d3-bfdb-e1b865e60722", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "relationship", - "id": "relationship--758d5818-f919-4a6b-9dc2-a212595a11bd", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.062Z", - "relationship_type": "mitigates", - "description": "Authenticateconnections fromsoftware and devices to prevent unauthorized systems from accessing protected management functions.\n", - "source_ref": "course-of-action--72e46e53-e12d-4106-9c70-33241b6ed549", - "target_ref": "attack-pattern--19a71d1e-6334-4233-8260-b749cae37953", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "relationship", - "id": "relationship--491455dc-f7c8-4e12-811b-b8c5c041b4c3", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.102Z", - "relationship_type": "mitigates", - "description": "Protocols used for control functions should provide authenticity through MAC functions or digital signatures. 
If not, utilize bump-in-the-wire devices or VPNs to enforce communication authenticity between devices that are not capable of supporting this (e.g., legacy controllers, RTUs).\n", - "source_ref": "course-of-action--c7257b6e-4159-4771-b1f3-2bb93adaecac", - "target_ref": "attack-pattern--25dfc8ad-bd73-4dfd-84a9-3c3d383f76e9", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - "type": "relationship", - "id": "relationship--ffc5bbce-8d9c-4276-9dc6-efed5c01af8b", - "created": "2017-05-31T21:33:27.074Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "external_references": [ - { - "source_name": "Joe Slowik April 2019", - "description": "Joe Slowik 2019, April 10 Implications of IT Ransomware for ICS Environments Retrieved. 2019/10/27 ", - "url": "https://dragos.com/blog/industry-news/implications-of-it-ransomware-for-ics-environments/" - } - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-10-12T17:31:37.216Z", - "description": "[Bad Rabbit](https://attack.mitre.org/software/S0606) can move laterally through industrial networks by means of the SMB service. 
(Citation: Joe Slowik April 2019)", - "relationship_type": "uses", - "source_ref": "malware--2eaa5319-5e1e-4dd7-bbc4-566fced3964a", - "target_ref": "attack-pattern--ead7bd34-186e-4c79-9a4d-b65bcce6ed9d", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "relationship", - "id": "relationship--18ef2d69-d11a-4d31-a803-da989c4073f7", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.096Z", - "relationship_type": "mitigates", - "description": "Provide operators with redundant, out-of-band communication to support monitoring and control of the operational processes, especially when recovering from a network outage (Citation: National Institute of Standards and Technology April 2013). Out-of-band communication should utilize diverse systems and technologies to minimize common failure modes and vulnerabilities within the communications infrastructure. For example, wireless networks (e.g., 3G, 4G) can be used to provide diverse and redundant delivery of data.\n", - "source_ref": "course-of-action--b11cad63-ef30-4eb8-af0d-6cc46eef3f3e", - "target_ref": "attack-pattern--56ddc820-6cfb-407f-850b-52c035d123ac", - "external_references": [ - { - "source_name": "National Institute of Standards and Technology April 2013", - "description": "National Institute of Standards and Technology 2013, April Security and Privacy Controls for Federal Information Systems and Organizations Retrieved. 
2020/09/17 ", - "url": "https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf" - } - ], - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "relationship", - "id": "relationship--bc3744d6-9275-4d91-8888-16d5f4d5187b", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.112Z", - "relationship_type": "mitigates", - "description": "Use least privilege for service accounts. (Citation: Keith Stouffer May 2015) (Citation: National Institute of Standards and Technology April 2013)\n", - "source_ref": "course-of-action--622fe4d4-0e8e-4d17-9c25-6c9cef1f15d5", - "target_ref": "attack-pattern--32632a95-6856-47b9-9ab7-fea5cd7dce00", - "external_references": [ - { - "source_name": "Keith Stouffer May 2015", - "description": "Keith Stouffer 2015, May Guide to Industrial Control Systems (ICS) Security Retrieved. 2018/03/28 ", - "url": "https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-82r2.pdf" - }, - { - "source_name": "National Institute of Standards and Technology April 2013", - "description": "National Institute of Standards and Technology 2013, April Security and Privacy Controls for Federal Information Systems and Organizations Retrieved. 
2020/09/17 ", - "url": "https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf" - } - ], - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - "type": "relationship", - "id": "relationship--eaeb3c8d-9d91-4eb0-8049-5cb99e141026", - "created": "2021-10-08T15:25:32.143Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "external_references": [ - { - "source_name": "Nicolas Falliere, Liam O Murchu, Eric Chien February 2011", - "description": "Nicolas Falliere, Liam O Murchu, Eric Chien 2011, February W32.Stuxnet Dossier (Version 1.4) Retrieved. 2017/09/22 ", - "url": "https://www.wired.com/images_blogs/threatlevel/2011/02/Symantec-Stuxnet-Update-Feb-2011.pdf" - } - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-09-20T21:20:42.055Z", - "description": "[Stuxnet](https://attack.mitre.org/software/S0603) executes malicious SQL commands in the WinCC database server to propagate to remote systems. The malicious SQL commands include xp_cmdshell, sp_dumpdbilog, and sp_addextendedproc. 
(Citation: Nicolas Falliere, Liam O Murchu, Eric Chien February 2011)", - "relationship_type": "uses", - "source_ref": "malware--088f1d6e-0783-47c6-9923-9c79b2af43d4", - "target_ref": "attack-pattern--e1f9cdd2-9511-4fca-90d7-f3e92cfdd0bf", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "relationship", - "id": "relationship--4369da69-bb09-4cc8-8600-081a450f50e0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.120Z", - "relationship_type": "mitigates", - "description": "Ensure that unnecessary ports and services are closed to prevent risk of discovery and potential exploitation.\n", - "source_ref": "course-of-action--d0909119-2f71-4923-87db-b649881672d7", - "target_ref": "attack-pattern--85a45294-08f1-4539-bf00-7da08aa7b0ee", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "relationship", - "id": "relationship--dded2d68-35c7-42c4-af10-efe7731673e3", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.108Z", - "relationship_type": "mitigates", - "description": "All APIs on remote systems or local processes should require the authentication of users before executing any code or system changes.\n", - "source_ref": "course-of-action--66cfe23e-34b6-4583-b178-ed6a412db2b0", - "target_ref": "attack-pattern--5a2610f6-9fff-41e1-bc27-575ca20383d4", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": 
"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - "type": "relationship", - "id": "relationship--44c857cf-7a4e-405a-87ca-7f6d79000589", - "created": "2020-09-21T17:59:24.739Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "external_references": [ - { - "source_name": "Department of Homeland Security October 2009", - "description": "Department of Homeland Security 2009, October Developing an Industrial Control Systems Cybersecurity Incident Response Capability Retrieved. 2020/09/17 ", - "url": "https://us-cert.cisa.gov/sites/default/files/recommended_practices/final-RP_ics_cybersecurity_incident_response_100609.pdf" - } - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-10-19T21:22:38.490Z", - "description": "Take and store data backups from end user systems and critical servers. Ensure backup and storage systems are hardened and kept separate from the corporate network to prevent compromise. 
Maintain and exercise incident response plans (Citation: Department of Homeland Security October 2009), including the management of gold-copy back-up images and configurations for key systems to enable quick recovery and response from adversarial activities that impact control, view, or availability.\n", - "relationship_type": "mitigates", - "source_ref": "course-of-action--ad12819e-3211-4291-b360-069f280cff0a", - "target_ref": "attack-pattern--e33c7ecc-5a38-497f-beb2-a9a2049a4c20", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "type": "relationship", - "id": "relationship--21041206-da58-45c7-adb0-db07caebdcb6", - "created": "2021-04-13T12:36:26.506Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "external_references": [ - { - "source_name": "Spenneberg, Ralf, Maik Brggemann, and Hendrik Schwartke March 2016", - "description": "Spenneberg, Ralf, Maik Brggemann, and Hendrik Schwartke 2016, March 31 Plc-blaster: A worm living solely in the plc. Retrieved. 2017/09/19 ", - "url": "https://www.blackhat.com/docs/asia-16/materials/asia-16-Spenneberg-PLC-Blaster-A-Worm-Living-Solely-In-The-PLC-wp.pdf" - } - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-10-12T18:00:27.700Z", - "description": "[PLC-Blaster](https://attack.mitre.org/software/S1006) uses the system function blocks TCON and TDISCON to initiate and destroy TCP connections to arbitrary systems. Buffers may be sent and received on these connections with TRCV und TSEND system function blocks. 
(Citation: Spenneberg, Ralf, Maik Brggemann, and Hendrik Schwartke March 2016)", - "relationship_type": "uses", - "source_ref": "malware--4dcff507-5af8-47ce-964a-8d9569e9ccfe", "target_ref": "attack-pattern--b52870cc-83f3-473c-b895-72d91751030b", "x_mitre_deprecated": false, "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, - { - "type": "relationship", - "id": "relationship--8c1b22bd-7e31-427f-a9c5-085a606212ca", - "created": "2022-05-11T16:22:58.804Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-10-14T16:59:36.071Z", - "description": "Monitor for unexpected deletion of files.", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--e905dad2-00d6-477c-97e8-800427abd0e8", - "target_ref": "attack-pattern--493832d9-cea6-4b63-abe7-9a65a6473675", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "type": "relationship", - "id": "relationship--b8d484f3-85e7-4208-8ae4-72f0e055a290", - "created": "2022-05-11T16:22:58.805Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-10-14T19:45:17.457Z", - "description": "Monitor for network traffic originating from unknown/unexpected systems.", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--a7f22107-02e5-4982-9067-6625d4a1765a", - "target_ref": "attack-pattern--8d2f3bab-507c-4424-b58b-edc977bd215c", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": 
"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", - "id": "relationship--e6e0ef82-2cb6-43fe-8f4a-b9e4d5a57b13", + "id": "relationship--6637d8e6-6578-4d15-a993-d63ced4c4464", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.081Z", - "relationship_type": "mitigates", - "description": "Segment operational network and systems to restrict access to critical system functions to predetermined management systems. (Citation: Department of Homeland Security September 2016)\n", - "source_ref": "course-of-action--1e7ccfc0-94c8-496e-8d27-032120892291", - "target_ref": "attack-pattern--2883c520-7957-46ca-89bd-dab1ad53b601", - "external_references": [ - { - "source_name": "Department of Homeland Security September 2016", - "description": "Department of Homeland Security 2016, September Retrieved. 2020/09/25 ", - "url": "https://us-cert.cisa.gov/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf" - } - ], - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - "type": "relationship", - "id": "relationship--2683e59a-dee3-485a-a355-ed2ee0a23d5d", - "created": "2022-09-26T16:16:21.749Z", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-09-26T16:16:21.749Z", - "description": "Monitor applications logs for any access attempts to operational databases (e.g., historians) or other sources of operational data within the ICS environment. 
These devices should be monitored for adversary collection using techniques relevant to the underlying technologies (e.g., Windows, Linux).", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--9c2fa0ae-7abc-485a-97f6-699e3b6cf9fa", - "target_ref": "attack-pattern--2d0d40ad-22fa-4cc8-b264-072557e1364b", - "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "2.1.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "relationship", - "id": "relationship--eeeaa0d4-0ca0-468e-ae13-43ab7aba61b4", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.231Z", - "relationship_type": "mitigates", - "description": "Consider configuration and use of a network-wide authentication service such as Active Directory, LDAP, or RADIUS capabilities which can be found in ICS devices. (Citation: Keith Stouffer May 2015) (Citation: Schweitzer Engineering Laboratories August 2015)\n", - "source_ref": "course-of-action--2f0160b7-e982-49d7-9612-f19b810f1722", - "target_ref": "attack-pattern--cd2c76a4-5e23-4ca5-9c40-d5e0604f7101", - "external_references": [ - { - "source_name": "Keith Stouffer May 2015", - "description": "Keith Stouffer 2015, May Guide to Industrial Control Systems (ICS) Security Retrieved. 2018/03/28 ", - "url": "https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-82r2.pdf" - }, - { - "source_name": "Schweitzer Engineering Laboratories August 2015", - "description": "Schweitzer Engineering Laboratories 2015, August Understanding When to Use LDAP or RADIUS for Centralized Authentication Retrieved. 
2020/09/25 ", - "url": "https://cdn.selinc.com/assets/Literature/Publications/Application%20Notes/AN2015-08_20150817.pdf?" - } - ], - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "relationship--bff99f91-e1a9-4379-a2d9-5a99615a95d1", - "type": "relationship", - "created": "2020-09-22T19:41:27.951Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "external_references": [ - { - "source_name": "Secureworks REvil September 2019", - "url": "https://www.secureworks.com/research/revil-sodinokibi-ransomware", - "description": "Counter Threat Unit Research Team. (2019, September 24). REvil/Sodinokibi Ransomware. Retrieved August 4, 2020." - }, - { - "source_name": "Secureworks GandCrab and REvil September 2019", - "url": "https://www.secureworks.com/blog/revil-the-gandcrab-connection", - "description": "Secureworks . (2019, September 24). REvil: The GandCrab Connection. Retrieved August 4, 2020." 
- } - ], - "modified": "2020-09-22T19:41:27.951Z", - "description": "(Citation: Secureworks REvil September 2019)(Citation: Secureworks GandCrab and REvil September 2019)", - "relationship_type": "uses", - "source_ref": "intrusion-set--c77c5576-ca19-42ed-a36f-4b4486a84133", - "target_ref": "malware--ac61f1f9-7bb1-465e-9b8a-c2ce8e88baf5", - "x_mitre_version": "1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "type": "relationship", - "id": "relationship--1d399f67-090e-444b-b75d-eed4b1780f08", - "created": "2022-09-26T18:42:16.844Z", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-09-26T18:42:16.844Z", - "description": "Monitor device application logs for firmware changes, although not all devices will produce such logs.", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--9c2fa0ae-7abc-485a-97f6-699e3b6cf9fa", - "target_ref": "attack-pattern--efbf7888-f61b-4572-9c80-7e2965c60707", - "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "2.1.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "type": "relationship", - "id": "relationship--c785c026-4139-4c56-a6dd-cdd3ba75bab1", - "created": "2018-10-17T00:14:20.652Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "external_references": [ - { - "source_name": "Anton Cherepanov, ESET June 2017", - "description": "Anton Cherepanov, ESET 2017, June 12 Win32/Industroyer: A new threat for industrial control systems Retrieved. 
2017/09/15 ", - "url": "https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf" - } - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-09-23T18:57:08.952Z", - "description": "In [Industroyer](https://attack.mitre.org/software/S0604) the first COM port from the configuration file is used for the actual communication and the two other COM ports are just opened to prevent other processes accessing them. Thus, the IEC 101 payload component is able to take over and maintain control of the RTU device. (Citation: Anton Cherepanov, ESET June 2017)", - "relationship_type": "uses", - "source_ref": "malware--e401d4fe-f0c9-44f0-98e6-f93487678808", - "target_ref": "attack-pattern--008b8f56-6107-48be-aa9f-746f927dbb61", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "relationship", - "id": "relationship--eac550b4-3bd2-4309-8b37-b797dd0bd8a7", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.101Z", - "relationship_type": "mitigates", - "description": "Segment operational network and systems to restrict access to critical system functions to predetermined management systems. (Citation: Department of Homeland Security September 2016)\n", - "source_ref": "course-of-action--1e7ccfc0-94c8-496e-8d27-032120892291", - "target_ref": "attack-pattern--2aa406ed-81c3-4c1d-ba83-cfbee5a2847a", - "external_references": [ - { - "source_name": "Department of Homeland Security September 2016", - "description": "Department of Homeland Security 2016, September Retrieved. 
2020/09/25 ", - "url": "https://us-cert.cisa.gov/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf" - } - ], - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "relationship", - "id": "relationship--ecf39e19-439f-4e9a-97c2-673ce4eb0a1a", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.139Z", - "relationship_type": "mitigates", - "description": "Provide operators with redundant, out-of-band communication to support monitoring and control of the operational processes, especially when recovering from a network outage (Citation: National Institute of Standards and Technology April 2013). Out-of-band communication should utilize diverse systems and technologies to minimize common failure modes and vulnerabilities within the communications infrastructure. For example, wireless networks (e.g., 3G, 4G) can be used to provide diverse and redundant delivery of data.\n", - "source_ref": "course-of-action--b11cad63-ef30-4eb8-af0d-6cc46eef3f3e", - "target_ref": "attack-pattern--138979ba-0430-4de6-a128-2fc0b056ba36", - "external_references": [ - { - "source_name": "National Institute of Standards and Technology April 2013", - "description": "National Institute of Standards and Technology 2013, April Security and Privacy Controls for Federal Information Systems and Organizations Retrieved. 
2020/09/17 ", - "url": "https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf" - } - ], - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "relationship", - "id": "relationship--754521fc-4306-4daa-831b-6b6fb45847e2", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.108Z", - "relationship_type": "mitigates", - "description": "All APIs used to perform execution, especially those hosted on embedded controllers (e.g., PLCs), should provide adequate authorization enforcement of user access. Minimize user's access to only required API calls. (Citation: MITRE June 2020)\n", - "source_ref": "course-of-action--e0d38502-decb-481d-ad8b-b8f0a0c330bd", - "target_ref": "attack-pattern--5a2610f6-9fff-41e1-bc27-575ca20383d4", - "external_references": [ - { - "source_name": "MITRE June 2020", - "description": "MITRE 2020, June CWE CATEGORY: 7PK - API Abuse Retrieved. 
2020/09/25 ", - "url": "https://cwe.mitre.org/data/definitions/227.html" - } - ], - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - "type": "relationship", - "id": "relationship--b401f65c-5324-4fc0-8fce-0aa2ebf1f919", - "created": "2022-05-11T16:22:58.806Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-09-26T17:00:06.347Z", - "description": "Monitor ICS management protocols for parameter changes, including for unexpected values, changes far exceeding standard values, or for parameters being changed in an unexpected way (e.g., via a new function, at an unusual time).", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c", - "target_ref": "attack-pattern--097924ce-a9a9-4039-8591-e0deedfb8722", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "relationship", - "id": "relationship--ce7c17b7-b60d-4ebd-9014-2c421a64d70a", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.207Z", - "relationship_type": "mitigates", - "description": "Use host-based allowlists to prevent devices from accepting connections from unauthorized systems. For example, allowlists can be used to ensure devices can only connect with master stations or known management/engineering workstations. 
(Citation: Department of Homeland Security September 2016)\n", - "source_ref": "course-of-action--aadac250-bcdc-44e3-a4ae-f52bd0a7a16a", - "target_ref": "attack-pattern--8535b71e-3c12-4258-a4ab-40257a1becc4", - "external_references": [ - { - "source_name": "Department of Homeland Security September 2016", - "description": "Department of Homeland Security 2016, September Retrieved. 2020/09/25 ", - "url": "https://us-cert.cisa.gov/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf" - } - ], - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "relationship", - "id": "relationship--a75ddacf-e87e-4a99-83f2-618486473163", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.217Z", - "relationship_type": "mitigates", - "description": "Patch the BIOS and EFI as necessary.\n", - "source_ref": "course-of-action--97f33c84-8508-45b9-8a1d-cac921828c9e", - "target_ref": "attack-pattern--b9160e77-ea9e-4ba9-b1c8-53a3c466b13d", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "relationship", - "id": "relationship--0a5d2136-e1f5-4a54-be64-a558f918bf0d", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.081Z", - "relationship_type": "mitigates", - "description": "All field controllers should require users to authenticate for all remote or local management sessions. 
The authentication mechanisms should also support [Account Use Policies](https://attack.mitre.org/mitigations/M0936), [Password Policies](https://attack.mitre.org/mitigations/M0927), and [User Account Management](https://attack.mitre.org/mitigations/M0918).", - "source_ref": "course-of-action--66cfe23e-34b6-4583-b178-ed6a412db2b0", - "target_ref": "attack-pattern--e6c31185-8040-4267-83d3-b217b8a92f07", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "relationship", - "id": "relationship--b1d993d5-9e7e-4043-a651-07c7b5ad5a6b", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.228Z", - "relationship_type": "mitigates", - "description": "If a link is being visited by a user, network intrusion prevention systems and systems designed to scan and remove malicious downloads can be used to block activity.\n", - "source_ref": "course-of-action--3172222b-4983-43f7-8983-753ded4f13bc", - "target_ref": "attack-pattern--2736b752-4ec5-4421-a230-8977dea7649c", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - "type": "relationship", - "id": "relationship--f2e672bb-8c73-4066-94d8-7dfb9a8025a7", - "created": "2022-05-11T16:22:58.807Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "external_references": [ - { - "source_name": "McAfee CHIPSEC Blog", - "description": "Beek, C., Samani, R. (2017, March 8). CHIPSEC Support Against Vault 7 Disclosure Scanning. 
Retrieved March 13, 2017.", - "url": "https://securingtomorrow.mcafee.com/business/chipsec-support-vault-7-disclosure-scanning/" - }, - { - "source_name": "MITRE Copernicus", - "description": "Butterworth, J. (2013, July 30). Copernicus: Question Your Assumptions about BIOS Security. Retrieved December 11, 2015.", - "url": "http://www.mitre.org/capabilities/cybersecurity/overview/cybersecurity-blog/copernicus-question-your-assumptions-about" - }, - { - "source_name": "Intel HackingTeam UEFI Rootkit", - "description": "Intel Security. (2005, July 16). HackingTeam's UEFI Rootkit Details. Retrieved March 20, 2017.", - "url": "http://www.intelsecurity.com/advanced-threat-research/content/data/HT-UEFI-rootkit.html" - }, - { - "source_name": "Github CHIPSEC", - "description": "Intel. (2017, March 18). CHIPSEC Platform Security Assessment Framework. Retrieved March 20, 2017.", - "url": "https://github.com/chipsec/chipsec" - } - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-10-14T16:48:28.074Z", - "description": "Monitor firmware for unexpected changes. Asset management systems should be consulted to understand known-good firmware versions. Dump and inspect BIOS images on vulnerable systems and compare against known good images.(Citation: MITRE Copernicus) Analyze differences to determine if malicious changes have occurred. Log attempts to read/write to BIOS and compare against known patching behavior. Likewise, EFI modules can be collected and compared against a known-clean list of EFI executable binaries to detect potentially malicious modules. 
The CHIPSEC framework can be used for analysis to determine if firmware modifications have been performed.(Citation: McAfee CHIPSEC Blog) (Citation: Github CHIPSEC) (Citation: Intel HackingTeam UEFI Rootkit)", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--b9d031bb-d150-4fc6-8025-688201bf3ffd", - "target_ref": "attack-pattern--b9160e77-ea9e-4ba9-b1c8-53a3c466b13d", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "relationship", - "id": "relationship--2ecc567f-3aaa-4bd8-935f-4808d177a552", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.173Z", - "relationship_type": "mitigates", - "description": "Use host-based allowlists to prevent devices from accepting connections from unauthorized systems. For example, allowlists can be used to ensure devices can only connect with master stations or known management/engineering workstations. (Citation: Department of Homeland Security September 2016)\n", - "source_ref": "course-of-action--aadac250-bcdc-44e3-a4ae-f52bd0a7a16a", - "target_ref": "attack-pattern--25852363-5968-4673-b81d-341d5ed90bd1", - "external_references": [ - { - "source_name": "Department of Homeland Security September 2016", - "description": "Department of Homeland Security 2016, September Retrieved. 
2020/09/25 ", - "url": "https://us-cert.cisa.gov/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf" - } - ], - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "relationship", - "id": "relationship--f40cc6f5-111c-418f-aa84-50d920fa6c48", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2021-04-13T12:08:26.506Z", - "modified": "2022-05-06T17:47:24.118Z", - "relationship_type": "mitigates", - "description": "Develop a robust cyber threat intelligence capability to determine what types and levels of threat may use software exploits and 0-days against a particular organization.\n", - "source_ref": "course-of-action--d48b79b2-076d-483e-949c-0d38aa347499", - "target_ref": "attack-pattern--cfe68e93-ce94-4c0f-a57d-3aa72cedd618", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - "type": "relationship", - "id": "relationship--6603a100-d655-4e6b-8d38-73c11b89dde4", - "created": "2019-03-26T16:19:52.358Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "external_references": [ - { - "source_name": "Joe Slowik April 2019", - "description": "Joe Slowik 2019, April 10 Implications of IT Ransomware for ICS Environments Retrieved. 
2019/10/27 ", - "url": "https://dragos.com/blog/industry-news/implications-of-it-ransomware-for-ics-environments/" - } - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-10-12T17:58:42.847Z", - "description": "[NotPetya](https://attack.mitre.org/software/S0368) initially infected IT networks, but by means of an exploit (particularly the SMBv1-targeting MS17-010 vulnerability) spread to industrial networks. (Citation: Joe Slowik April 2019)", - "relationship_type": "uses", - "source_ref": "malware--5719af9d-6b16-46f9-9b28-fb019541ddbb", - "target_ref": "attack-pattern--85a45294-08f1-4539-bf00-7da08aa7b0ee", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "type": "relationship", - "id": "relationship--ee1bf429-2c7c-4eb6-acca-e758522baf2e", - "created": "2021-04-12T18:49:06.044Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "external_references": [ - { - "source_name": "Tom Fakterman August 2019", - "description": "Tom Fakterman 2019, August 05 Sodinokibi: The Crown Prince of Ransomware Retrieved. 2021/04/12 ", - "url": "https://www.cybereason.com/blog/the-sodinokibi-ransomware-attack" - } - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-10-12T18:07:33.947Z", - "description": "[REvil](https://attack.mitre.org/software/S0496) utilizes JavaScript, WScript, and PowerShell scripts to execute. The malicious JavaScript attachment has an obfuscated PowerShell script that executes the malware. 
(Citation: Tom Fakterman August 2019)", - "relationship_type": "uses", - "source_ref": "malware--ac61f1f9-7bb1-465e-9b8a-c2ce8e88baf5", - "target_ref": "attack-pattern--2dc2b567-8821-49f9-9045-8740f3d0b958", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "type": "relationship", - "id": "relationship--7c85bff0-8f70-479e-9365-fef1e3fe2b95", - "created": "2022-09-27T17:22:27.241Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-10-14T16:54:23.870Z", - "description": "Monitor for any attempts to enable scripts running on a system would be considered suspicious. If scripts are not commonly used on a system, but enabled, scripts running out of cycle from patching or other administrator functions are suspicious. 
Scripts should be captured from the file system when possible to determine their actions and intent.", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--9f387817-df83-432a-b56b-a8fb7f71eedd", - "target_ref": "attack-pattern--ea0c980c-5cf0-43a7-a049-59c4c207566e", - "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "relationship", - "id": "relationship--baf4bd30-4213-43c3-b70c-54418e734caf", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.184Z", - "relationship_type": "mitigates", - "description": "Filter for protocols and payloads associated with program upload activity to prevent unauthorized access to device configurations.\n", - "source_ref": "course-of-action--11f242bc-3121-438c-84b2-5cbd46a4bb17", - "target_ref": "attack-pattern--3067b85e-271e-4bc5-81ad-ab1a81d411e3", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "relationship", - "id": "relationship--6f2c2043-6487-467a-bb49-e8cd2509ae9f", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.112Z", - "relationship_type": "mitigates", - "description": "Regularly scan externally facing systems for vulnerabilities and establish procedures to rapidly patch systems when critical vulnerabilities are discovered through scanning and public disclosure.\n", - "source_ref": "course-of-action--97f33c84-8508-45b9-8a1d-cac921828c9e", - "target_ref": 
"attack-pattern--32632a95-6856-47b9-9ab7-fea5cd7dce00", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - "type": "relationship", - "id": "relationship--5c0bdf4c-233f-42cd-8900-2a5cc8c9387c", - "created": "2018-10-17T00:14:20.652Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "external_references": [ - { - "source_name": "Spenneberg, Ralf, Maik Brggemann, and Hendrik Schwartke March 2016", - "description": "Spenneberg, Ralf, Maik Brggemann, and Hendrik Schwartke 2016, March 31 Plc-blaster: A worm living solely in the plc. Retrieved. 2017/09/19 ", - "url": "https://www.blackhat.com/docs/asia-16/materials/asia-16-Spenneberg-PLC-Blaster-A-Worm-Living-Solely-In-The-PLC-wp.pdf" - } - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-10-12T18:01:18.283Z", - "description": "[PLC-Blaster](https://attack.mitre.org/software/S1006) scans the network to find other Siemens S7 PLC devices to infect. It locates these devices by checking for a service listening on TCP port 102. 
(Citation: Spenneberg, Ralf, Maik Brggemann, and Hendrik Schwartke March 2016)", - "relationship_type": "uses", - "source_ref": "malware--4dcff507-5af8-47ce-964a-8d9569e9ccfe", - "target_ref": "attack-pattern--d5a69cfb-fc2a-46cb-99eb-74b236db5061", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "type": "relationship", - "id": "relationship--3b199bf1-b45c-4d78-bdea-ee1c06fd3734", - "created": "2022-09-27T18:37:39.332Z", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-09-27T18:37:39.332Z", - "description": "In the case of detecting collection from local systems monitor for API calls that may search local system sources, such as file systems or local databases, to find files of interest and sensitive data prior to Exfiltration. For added context on adversary procedures and background see [Data from Local System](https://attack.mitre.org/techniques/T1005).", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e", - "target_ref": "attack-pattern--3405891b-16aa-4bd7-bd7c-733501f9b20f", - "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "2.1.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "type": "relationship", - "id": "relationship--03ad6a9a-4443-4e33-a7a5-933e22f2e022", - "created": "2022-09-27T17:39:15.655Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-10-14T16:56:24.399Z", - "description": "Monitor for unexpected network share access, such as files transferred between shares 
within a network using protocols such as Server Message Block (SMB).", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--f5468e67-51c7-4756-9b4f-65707708e7fa", - "target_ref": "attack-pattern--ead7bd34-186e-4c79-9a4d-b65bcce6ed9d", - "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "relationship", - "id": "relationship--5041e17d-6349-4589-8c61-7b43964b5f9b", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2021-10-14T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.227Z", - "relationship_type": "mitigates", - "description": "Integrity checking of transient assets can include performing the validation of the booted operating system and programs using TPM-based technologies, such as Secure Boot and Trusted Boot. (Citation: Emerson Exchange) It can also include verifying filesystem changes, such as programs and configuration files stored on the system, executing processes, libraries, accounts, and open ports. (Citation: National Security Agency February 2016)\n", - "source_ref": "course-of-action--bcf91ebc-f316-4e19-b2f6-444e9940c697", - "target_ref": "attack-pattern--35392fb4-a31d-4c6a-b9f2-1c65b7f5e6b9", - "external_references": [ - { - "source_name": "Emerson Exchange", - "description": "Emerson Exchange Increase Security with TPM, Secure Boot, and Trusted Boot Retrieved. 2020/09/25 ", - "url": "https://emersonexchange365.com/products/control-safety-systems/f/plc-pac-systems-industrial-computing-forum/8383/increase-security-with-tpm-secure-boot-and-trusted-boot" - }, - { - "source_name": "National Security Agency February 2016", - "description": "National Security Agency 2016, February Position Zero: Integrity Checking Windows-Based ICS/SCADA Systems Retrieved. 
2020/09/25 ", - "url": "https://apps.nsa.gov/iaarchive/library/ia-guidance/security-configuration/industrial-control-systems/position-zero-integrity-checking-windows-based-ics-scada-systems.cfm" - } - ], - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "relationship", - "id": "relationship--2fbb7867-79c5-4d45-9876-98c4041dd72e", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2021-10-14T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.226Z", - "relationship_type": "mitigates", - "description": "Consider implementing full disk encryption, especially if engineering workstations are transient assets that are more likely to be lost, stolen, or tampered with. (Citation: National Institute of Standards and Technology April 2013)\n", - "source_ref": "course-of-action--9f99fcfd-772e-4e63-9d39-e45612e546dc", - "target_ref": "attack-pattern--35392fb4-a31d-4c6a-b9f2-1c65b7f5e6b9", - "external_references": [ - { - "source_name": "National Institute of Standards and Technology April 2013", - "description": "National Institute of Standards and Technology 2013, April Security and Privacy Controls for Federal Information Systems and Organizations Retrieved. 
2020/09/17 ", - "url": "https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf" - } - ], - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - "type": "relationship", - "id": "relationship--55f3dd59-08be-4e23-a680-b6db7850b399", - "created": "2022-05-11T16:22:58.804Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-10-14T16:59:50.879Z", - "description": "Monitor for newly executed processes of binaries that could be involved in data destruction activity, such as SDelete.", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--3d20385b-24ef-40e1-9f56-f39750379077", - "target_ref": "attack-pattern--493832d9-cea6-4b63-abe7-9a65a6473675", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "type": "relationship", - "id": "relationship--383e242a-72d4-4b40-8905-888595c34919", - "created": "2017-12-14T16:46:06.044Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "external_references": [ - { - "source_name": "Kelly Jackson Higgins", - "description": "Kelly Jackson Higgins How a Manufacturing Firm Recovered from a Devastating Ransomware Attack Retrieved. 2019/11/03 ", - "url": "https://www.darkreading.com/attacks-breaches/how-a-manufacturing-firm-recovered-from-a-devastating-ransomware-attack/d/d-id/1334760" - } - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-10-12T18:20:20.608Z", - "description": "An enterprise resource planning (ERP) manufacturing server was lost to the [Ryuk](https://attack.mitre.org/software/S0446) attack. 
The manufacturing process had to rely on paper and existing orders to keep the shop floor open. (Citation: Kelly Jackson Higgins)", - "relationship_type": "uses", - "source_ref": "malware--a020a61c-423f-4195-8c46-ba1d21abba37", - "target_ref": "attack-pattern--63b6942d-8359-4506-bfb3-cf87aa8120ee", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "type": "relationship", - "id": "relationship--b8b1739d-dfa2-44e9-907f-7085e262512f", - "created": "2022-05-11T16:22:58.808Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-09-26T19:01:52.517Z", - "description": "Monitor login sessions for new or unexpected devices or sessions on wireless networks.", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--9ce98c86-8d30-4043-ba54-0784d478d0b5", - "target_ref": "attack-pattern--2877063e-1851-48d2-bcc6-bc1d2733157e", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "relationship", - "id": "relationship--e8eaac2d-a4bf-408f-b24f-14471db7059b", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.088Z", - "relationship_type": "mitigates", - "description": "Minimize permissions and access for service accounts to limit the information that may be impacted by malicious users or software. 
(Citation: National Institute of Standards and Technology April 2013)\n", - "source_ref": "course-of-action--622fe4d4-0e8e-4d17-9c25-6c9cef1f15d5", - "target_ref": "attack-pattern--493832d9-cea6-4b63-abe7-9a65a6473675", - "external_references": [ - { - "source_name": "National Institute of Standards and Technology April 2013", - "description": "National Institute of Standards and Technology 2013, April Security and Privacy Controls for Federal Information Systems and Organizations Retrieved. 2020/09/17 ", - "url": "https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf" - } - ], - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - "type": "relationship", - "id": "relationship--5bb313a8-8407-4ec1-a4b0-683ded7f3302", - "created": "2018-04-18T17:59:24.739Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "external_references": [ - { - "source_name": "Daavid Hentunen, Antti Tikkanen June 2014", - "description": "Daavid Hentunen, Antti Tikkanen 2014, June 23 Havex Hunts For ICS/SCADA Systems Retrieved. 2019/04/01 ", - "url": "https://www.f-secure.com/weblog/archives/00002718.html" - }, - { - "source_name": "Kyle Wilhoit", - "description": "Kyle Wilhoit Daavid Hentunen, Antti Tikkanen 2014, June 23 Havex Hunts For ICS/SCADA Systems Retrieved. 2019/04/01 ICS Malware: Havex and Black Energy Retrieved. 2019/10/22 ", - "url": "https://www.youtube.com/watch?v=eywmb7UDODY&feature=youtu.be&t=939" - } - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-10-12T17:19:26.117Z", - "description": "Execution of [Backdoor.Oldrea](https://attack.mitre.org/software/S0093) relies on a user opening a trojanized installer attached to an email. 
(Citation: Daavid Hentunen, Antti Tikkanen June 2014) (Citation: Kyle Wilhoit)", - "relationship_type": "uses", - "source_ref": "malware--083bb47b-02c8-4423-81a2-f9ef58572974", - "target_ref": "attack-pattern--2736b752-4ec5-4421-a230-8977dea7649c", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "relationship", - "id": "relationship--12a6c5bc-c685-4249-b8c6-e6d49aa2b9ed", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.077Z", - "relationship_type": "mitigates", - "description": "Protocols used for device management should authenticate all network messages to prevent unauthorized system changes.\n", - "source_ref": "course-of-action--c7257b6e-4159-4771-b1f3-2bb93adaecac", - "target_ref": "attack-pattern--2883c520-7957-46ca-89bd-dab1ad53b601", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - "type": "relationship", - "id": "relationship--6aa080d0-6e25-46e5-91d8-4af11f01ceef", - "created": "2022-05-11T16:22:58.804Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-10-14T18:41:05.273Z", - "description": "Monitor network data for uncommon data flows. 
Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious.", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--a7f22107-02e5-4982-9067-6625d4a1765a", - "target_ref": "attack-pattern--1b22b676-9347-4c55-9a35-ef0dc653db5b", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "relationship", - "id": "relationship--984992e3-0407-406a-b8dd-c114d8b2d9a2", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.172Z", - "relationship_type": "mitigates", - "description": "Devices should authenticate all messages between master and outstation assets.\n", - "source_ref": "course-of-action--72e46e53-e12d-4106-9c70-33241b6ed549", - "target_ref": "attack-pattern--25852363-5968-4673-b81d-341d5ed90bd1", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - "type": "relationship", - "id": "relationship--b346eec8-de90-407c-b665-387086bb4553", - "created": "2022-09-29T01:36:02.223Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "external_references": [ - { - "source_name": "Wylie-22", - "description": "Jimmy Wylie. (2022, August). Analyzing PIPEDREAM: Challenges in Testing an ICS Attack Toolkit. 
Defcon 30.", - "url": "https://media.defcon.org/DEF%20CON%2030/DEF%20CON%2030%20presentations/Jimmy%20Wylie%20-%20Analyzing%20PIPEDREAM%20Challenges%20in%20testing%20an%20ICS%20attack%20toolkit.pdf" - }, - { - "source_name": "Brubaker-Incontroller", - "description": "Nathan Brubaker, Keith Lunden, Ken Proska, Muhammad Umair, Daniel Kapellmann Zafra, Corey Hildebrandt, Rob Caldwell. (2022, April 13). INCONTROLLER: New State-Sponsored Cyber Attack Tools Target Multiple Industrial Control Systems. Retrieved September 28, 2022.", - "url": "https://www.mandiant.com/resources/incontroller-state-sponsored-ics-tool" - } - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-10-13T16:53:47.444Z", - "description": "[INCONTROLLER](https://attack.mitre.org/software/S1045) can use the CODESYS protocol to upload programs from Schneider PLCs.(Citation: Wylie-22)(Citation: Brubaker-Incontroller) \n\n[INCONTROLLER](https://attack.mitre.org/software/S1045) can obtain existing program logic from Omron PLCs by using either the program upload or backup functions available through the HTTP server.(Citation: Wylie-22) ", - "relationship_type": "uses", - "source_ref": "malware--d3aa1058-b1b3-4c29-a3ba-9a9b90ccd93b", - "target_ref": "attack-pattern--3067b85e-271e-4bc5-81ad-ab1a81d411e3", - "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "relationship", - "id": "relationship--dbdd9a97-81df-40b8-b72d-ac67d121b8b3", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.170Z", - "relationship_type": "mitigates", - "description": "Protocols used for control functions should provide authenticity through MAC 
functions or digital signatures. If not, utilize bump-in-the-wire devices or VPNs to enforce communication authenticity between devices that are not capable of supporting this (e.g., legacy controllers, RTUs).\n", - "source_ref": "course-of-action--c7257b6e-4159-4771-b1f3-2bb93adaecac", - "target_ref": "attack-pattern--25852363-5968-4673-b81d-341d5ed90bd1", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "relationship", - "id": "relationship--104b4f25-d0a9-41f6-94b3-fa85ee8b1523", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.229Z", + "modified": "2022-05-06T17:47:24.099Z", "relationship_type": "mitigates", "description": "Authenticate all access to field controllers before authorizing access to, or modification of, a device's state, logic, or programs. Centralized authentication techniques can help manage the large number of field controller accounts needed across the ICS.\n", "source_ref": "course-of-action--3992ce42-43e9-4bea-b8db-a102ec3ec1e3", - "target_ref": "attack-pattern--cd2c76a4-5e23-4ca5-9c40-d5e0604f7101", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - "type": "relationship", - "id": "relationship--f584a257-c22a-434b-aa2d-6220987821ab", - "created": "2021-10-13T17:59:24.739Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "external_references": [ - { - "source_name": "Jos Wetzels January 2018", - "description": "Jos Wetzels 2018, January 16 Analyzing the TRITON industrial malware Retrieved. 
2019/10/22 ", - "url": "https://www.midnightbluelabs.com/blog/2018/1/16/analyzing-the-triton-industrial-malware" - } - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-10-12T18:29:11.326Z", - "description": "[Triton](https://attack.mitre.org/software/S1009) can communicate with the implant utilizing the TriStation 'get main processor diagnostic data' command and looks for a specifically crafted packet body from which it extracts a command value and its arguments. (Citation: Jos Wetzels January 2018)", - "relationship_type": "uses", - "source_ref": "malware--80099a91-4c86-4bea-9ccb-dac55d61960e", - "target_ref": "attack-pattern--e076cca8-2f08-45c9-aff7-ea5ac798b387", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "type": "relationship", - "id": "relationship--b8d6e550-18fe-49ad-9964-7802bbe0cb58", - "created": "2020-09-21T17:59:24.739Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "external_references": [ - { - "source_name": "Department of Homeland Security October 2009", - "description": "Department of Homeland Security 2009, October Developing an Industrial Control Systems Cybersecurity Incident Response Capability Retrieved. 2020/09/17 ", - "url": "https://us-cert.cisa.gov/sites/default/files/recommended_practices/final-RP_ics_cybersecurity_incident_response_100609.pdf" - } - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-10-19T21:23:11.538Z", - "description": "Take and store data backups from end user systems and critical servers. Ensure backup and storage systems are hardened and kept separate from the corporate network to prevent compromise. 
Maintain and exercise incident response plans (Citation: Department of Homeland Security October 2009), including the management of gold-copy back-up images and configurations for key systems to enable quick recovery and response from adversarial activities that impact control, view, or availability.\n", - "relationship_type": "mitigates", - "source_ref": "course-of-action--ad12819e-3211-4291-b360-069f280cff0a", - "target_ref": "attack-pattern--b5b9bacb-97f2-4249-b804-47fd44de1f95", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "type": "relationship", - "id": "relationship--a2142552-6b8d-4751-a3d4-1471420c02fc", - "created": "2022-05-11T16:22:58.806Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-10-14T16:15:48.476Z", - "description": "Monitor for newly constructed network connections into a service specifically designed to accept remote connections, such as RDP, Telnet, SSH, and VNC. Monitor network connections involving common remote management protocols, such as ports tcp:3283 and tcp:5900, as well as ports tcp:3389 and tcp:22 for remote logins. 
The adversary may use [Valid Accounts](https://attack.mitre.org/techniques/T0859) to enable remote logins.", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--181a9f8c-c780-4f1f-91a8-edb770e904ba", - "target_ref": "attack-pattern--e1f9cdd2-9511-4fca-90d7-f3e92cfdd0bf", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "type": "relationship", - "id": "relationship--af24e067-966d-41f8-b1ea-5a6e11ff1a2a", - "created": "2022-05-11T16:22:58.805Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-10-14T19:39:13.371Z", - "description": "Monitor for newly executed processes that may delete or alter generated artifacts on a host system, including logs or captured files such as quarantined malware.", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--3d20385b-24ef-40e1-9f56-f39750379077", - "target_ref": "attack-pattern--53a26eee-1080-4d17-9762-2027d5a1b805", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "relationship", - "id": "relationship--03a9cdc7-3cc5-43e3-9a9c-97d1c4310e35", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.148Z", - "relationship_type": "mitigates", - "description": "All field controllers should require users to authenticate for all remote or local management sessions. 
The authentication mechanisms should also support [Account Use Policies](https://attack.mitre.org/mitigations/M0936), [Password Policies](https://attack.mitre.org/mitigations/M0927), and [User Account Management](https://attack.mitre.org/mitigations/M0918).", - "source_ref": "course-of-action--66cfe23e-34b6-4583-b178-ed6a412db2b0", - "target_ref": "attack-pattern--e5de767e-f513-41cd-aa15-33f6ce5fbf92", + "target_ref": "attack-pattern--2aa406ed-81c3-4c1d-ba83-cfbee5a2847a", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0" 
@@ -24119,26 +23302,14 @@
 "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
 ],
 "type": "relationship",
- "id": "relationship--19ab6776-42de-48af-975a-568d31a3bb66",
+ "id": "relationship--f703f8b2-b6b9-41f3-a551-6bb3647c45cc",
 "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
 "created": "2020-09-21T17:59:24.739Z",
- "modified": "2022-05-06T17:47:24.152Z",
+ "modified": "2022-05-06T17:47:24.147Z",
 "relationship_type": "mitigates",
- "description": "Segment operational network and systems to restrict access to critical system functions to predetermined management systems. (Citation: Department of Homeland Security September 2016) (Citation: N/A)\n",
- "source_ref": "course-of-action--1e7ccfc0-94c8-496e-8d27-032120892291",
- "target_ref": "attack-pattern--e5de767e-f513-41cd-aa15-33f6ce5fbf92",
- "external_references": [
- {
- "source_name": "Department of Homeland Security September 2016",
- "description": "Department of Homeland Security 2016, September Retrieved. 2020/09/25 ",
- "url": "https://us-cert.cisa.gov/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf"
- },
- {
- "source_name": "N/A",
- "description": "N/A Department of Homeland Security 2016, September Retrieved. 2020/09/25 Alarm Management for Process Control Retrieved. 2020/09/25 ",
- "url": "https://www.exida.com/images/uploads/18492275-Alarm-Management-for-Process-Control.pdf"
- }
- ],
+ "description": "Use file system access controls to protect system and application folders.\n",
+ "source_ref": "course-of-action--f9fcb3ec-6de0-4559-8cd9-ef1c0c7d1971",
+ "target_ref": "attack-pattern--ba203963-3182-41ac-af14-7e7ebc83cd61",
 "x_mitre_attack_spec_version": "2.1.0",
 "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
 "x_mitre_version": "1.0"
@@ -24148,40 +23319,21 @@ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", - "id": "relationship--7d6c4a00-acde-40af-bf91-a4ef009cf135", + "id": "relationship--a91002fe-21b2-4417-9c23-af712a7a035c", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2020-09-21T17:59:24.739Z", + "created": "2021-04-13T11:15:26.506Z", "modified": "2022-05-06T17:47:24.156Z", "relationship_type": "mitigates", - "description": "Devices that allow remote management of firmware should require authentication before allowing any changes. The authentication mechanisms should also support [Account Use Policies](https://attack.mitre.org/mitigations/M0936), [Password Policies](https://attack.mitre.org/mitigations/M0927), and [User Account Management](https://attack.mitre.org/mitigations/M0918).", - "source_ref": "course-of-action--66cfe23e-34b6-4583-b178-ed6a412db2b0", - "target_ref": "attack-pattern--efbf7888-f61b-4572-9c80-7e2965c60707", + "description": "Utilize code signatures to verify the integrity of the installed program on safety or control assets has not been changed.\n", + "source_ref": "course-of-action--71eb7dad-07eb-4bbc-9df0-ac57bf2fba4a", + "target_ref": "attack-pattern--fc5fda7e-6b2c-4457-b036-759896a2efa2", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0" }, { "type": "relationship", - "id": "relationship--e18af08c-3953-4b1d-b46c-45572fdb5187", - "created": "2022-05-11T16:22:58.804Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-09-27T19:02:08.013Z", - "description": "Monitor operational data for indicators of temporary data loss which may indicate a Denial of Service. 
This will not directly detect the technique’s execution, but instead may provide additional evidence that the technique has been used and may complement other detections.", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--931b3fc6-ad68-42a8-9018-e98515eedc95", - "target_ref": "attack-pattern--1b22b676-9347-4c55-9a35-ef0dc653db5b", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "type": "relationship", - "id": "relationship--84e535be-960a-450a-91f9-4dc8c5e3f69d", + "id": "relationship--641813ea-66a9-4949-848f-db83420aac39", "created": "2021-04-11T14:06:54.109Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, 
@@ -24195,11 +23347,11 @@
 "object_marking_refs": [
 "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
 ],
- "modified": "2022-10-12T16:56:37.468Z",
- "description": "In the Ukraine 2015 Incident, [Sandworm Team](https://attack.mitre.org/groups/G0034) utilized HMI GUIs in the SCADA environment to open breakers. (Citation: Electricity Information Sharing and Analysis Center; SANS Industrial Control Systems March 2016)",
+ "modified": "2022-10-12T16:56:04.784Z",
+ "description": "In the Ukraine 2015 Incident, [Sandworm Team](https://attack.mitre.org/groups/G0034) issued unauthorized commands to substation breakers after gaining control of operator workstations and accessing a distribution management system (DMS) client application. (Citation: Electricity Information Sharing and Analysis Center; SANS Industrial Control Systems March 2016)",
 "relationship_type": "uses",
 "source_ref": "intrusion-set--381fcf73-60f6-4ab2-9991-6af3cbc35192",
- "target_ref": "attack-pattern--b0628bfc-5376-4a38-9182-f324501cb4cf",
+ "target_ref": "attack-pattern--40b300ba-f553-48bf-862e-9471b220d455",
 "x_mitre_deprecated": false,
 "x_mitre_version": "1.0",
 "x_mitre_attack_spec_version": "2.1.0",
@@ -24207,20 +23359,20 @@
 },
 {
 "type": "relationship",
- "id": "relationship--bf75ca96-3f9d-413c-a244-888a3fbf0be3",
- "created": "2022-05-11T16:22:58.803Z",
+ "id": "relationship--9d9cd365-8cfe-403f-8ecb-3c23650c13c3",
+ "created": "2022-09-26T14:44:05.557Z",
 "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
 "revoked": false,
 "object_marking_refs": [
 "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
 ],
- "modified": "2022-10-14T19:37:24.268Z",
- "description": "Monitor for unexpected files (e.g., .pdf, .docx, .jpg) viewed for collecting internal data.",
+ "modified": "2022-10-14T16:49:44.728Z",
+ "description": "Monitor for files (such as /etc/hosts) being accessed that may attempt to get a listing of other systems by IP address, hostname, or other logical identifier on a network that may be used for Lateral Movement from the current system.",
 "relationship_type": "detects",
 "source_ref": "x-mitre-data-component--235b7491-2d2b-4617-9a52-3c0783680f71",
- "target_ref": "attack-pattern--3de230d4-3e42-4041-b089-17e1128feded",
+ "target_ref": "attack-pattern--2fedbe69-581f-447d-8a78-32ee7db939a9",
 "x_mitre_deprecated": false,
- "x_mitre_version": "1.0",
+ "x_mitre_version": "0.1",
 "x_mitre_attack_spec_version": "2.1.0",
 "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
 },
@@ -24229,43 +23381,792 @@ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", - "id": "relationship--86f1655a-db46-4d49-9051-6653da83eb13", + "id": "relationship--b1768154-221c-48be-ab2b-549ec1eddafb", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.092Z", + "modified": "2022-05-06T17:47:24.068Z", "relationship_type": "mitigates", - "description": "Protect files stored locally with proper permissions to limit opportunities for adversaries to interact and collect information from databases. (Citation: Keith Stouffer May 2015) (Citation: National Institute of Standards and Technology April 2013)\n", - "source_ref": "course-of-action--f9fcb3ec-6de0-4559-8cd9-ef1c0c7d1971", - "target_ref": "attack-pattern--3405891b-16aa-4bd7-bd7c-733501f9b20f", + "description": "Segment operational assets and their management devices based on their functional role within the process. Enabling more strict isolation to more critical control and operational information within the control environment. (Citation: Karen Scarfone; Paul Hoffman September 2009) (Citation: Keith Stouffer May 2015) (Citation: Department of Homeland Security September 2016) (Citation: Dwight Anderson 2014) \n", + "source_ref": "course-of-action--1e7ccfc0-94c8-496e-8d27-032120892291", + "target_ref": "attack-pattern--2900bbd8-308a-4274-b074-5b8bde8347bc", "external_references": [ + { + "source_name": "Karen Scarfone; Paul Hoffman September 2009", + "description": "Karen Scarfone; Paul Hoffman 2009, September Guidelines on Firewalls and Firewall Policy Retrieved. 2020/09/25 ", + "url": "https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-41r1.pdf" + }, { "source_name": "Keith Stouffer May 2015", "description": "Keith Stouffer 2015, May Guide to Industrial Control Systems (ICS) Security Retrieved. 
2018/03/28 ", "url": "https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-82r2.pdf" }, { - "source_name": "National Institute of Standards and Technology April 2013", - "description": "National Institute of Standards and Technology 2013, April Security and Privacy Controls for Federal Information Systems and Organizations Retrieved. 2020/09/17 ", - "url": "https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf" + "source_name": "Department of Homeland Security September 2016", + "description": "Department of Homeland Security 2016, September Retrieved. 2020/09/25 ", + "url": "https://us-cert.cisa.gov/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf" + }, + { + "source_name": "Dwight Anderson 2014", + "description": "Dwight Anderson 2014 Protect Critical Infrastructure Systems With Whitelisting Retrieved. 2020/09/25 ", + "url": "https://www.sans.org/reading-room/whitepapers/ICS/protect-critical-infrastructure-systems-whitelisting-35312" } ], "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0" }, + { + "type": "relationship", + "id": "relationship--ee2fdebd-1587-4e53-a7d7-c15fcc88879d", + "created": "2017-12-14T16:46:06.044Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Booz Allen Hamilton", + "description": "Booz Allen Hamilton When The Lights Went Out Retrieved. 
2019/10/22 ", + "url": "https://www.boozallen.com/content/dam/boozallen/documents/2016/09/ukraine-report-when-the-lights-went-out.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-12T17:35:50.632Z", + "description": "[BlackEnergy](https://attack.mitre.org/software/S0089) utilizes valid user and administrator credentials, in addition to creating new administrator accounts to maintain presence. (Citation: Booz Allen Hamilton)\n", + "relationship_type": "uses", + "source_ref": "malware--54cc1d4f-5c53-4f0e-9ef5-11b4998e82e4", + "target_ref": "attack-pattern--cd2c76a4-5e23-4ca5-9c40-d5e0604f7101", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--ebc34374-2dee-4dc1-b0b7-f31ae94dab11", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.175Z", + "relationship_type": "mitigates", + "description": "Protocols used for device management should authenticate all network messages to prevent unauthorized system changes.\n", + "source_ref": "course-of-action--c7257b6e-4159-4771-b1f3-2bb93adaecac", + "target_ref": "attack-pattern--be69c571-d746-4b1f-bdd0-c0c9817e9068", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", - "id": "relationship--00e6c22b-9275-4039-b6d4-2ac0680325d6", + "id": "relationship--b9e82422-b072-494f-99c1-fcab07b90133", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": 
"2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.104Z", + "modified": "2022-05-06T17:47:24.146Z", + "relationship_type": "mitigates", + "description": "Require signed binaries.\n", + "source_ref": "course-of-action--71eb7dad-07eb-4bbc-9df0-ac57bf2fba4a", + "target_ref": "attack-pattern--ba203963-3182-41ac-af14-7e7ebc83cd61", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--81117328-e2bb-431c-a1ca-6ba7e6816637", + "created": "2022-09-26T16:25:38.511Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-09-26T16:25:38.511Z", + "description": "Consult asset management systems to understand expected program versions.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--b05a614b-033c-4578-b4f2-c63a9feee706", + "target_ref": "attack-pattern--be69c571-d746-4b1f-bdd0-c0c9817e9068", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "2.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--71e9230d-eec8-4ce1-bc96-9288bacc8b13", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.140Z", + "relationship_type": "mitigates", + "description": "To protect against MITM, authentication mechanisms should not send credentials across the network in plaintext and should also implement mechanisms to prevent replay attacks (such as nonces or timestamps). 
Challenge-response based authentication techniques that do not directly send credentials over the network provide better protection from MITM.\n", + "source_ref": "course-of-action--72e46e53-e12d-4106-9c70-33241b6ed549", + "target_ref": "attack-pattern--9a505987-ab05-4f46-a9a6-6441442eec3b", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "relationship--b349ef5f-4a05-4eef-afe4-1543b8c832fa", + "type": "relationship", + "created": "2017-05-31T21:33:27.070Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "url": "https://www.fireeye.com/blog/threat-research/2016/01/ukraine-and-sandworm-team.html", + "description": "Hultquist, J.. (2016, January 7). Sandworm Team and the Ukrainian Power Authority Attacks. Retrieved October 6, 2017.", + "source_name": "iSIGHT Sandworm 2014" + }, + { + "url": "https://blog-assets.f-secure.com/wp-content/uploads/2019/10/15163408/BlackEnergy_Quedagh.pdf", + "description": "F-Secure Labs. (2014). BlackEnergy & Quedagh: The convergence of crimeware and APT attacks. Retrieved March 24, 2016.", + "source_name": "F-Secure BlackEnergy 2014" + }, + { + "source_name": "US District Court Indictment GRU Unit 74455 October 2020", + "url": "https://www.justice.gov/opa/press-release/file/1328521/download", + "description": "Scott W. Brady. (2020, October 15). United States vs. Yuriy Sergeyevich Andrienko et al.. Retrieved November 25, 2020." + }, + { + "source_name": "UK NCSC Olympic Attacks October 2020", + "url": "https://www.gov.uk/government/news/uk-exposes-series-of-russian-cyber-attacks-against-olympic-and-paralympic-games", + "description": "UK NCSC. (2020, October 19). UK exposes series of Russian cyber attacks against Olympic and Paralympic Games . Retrieved November 30, 2020." 
+ }, + { + "source_name": "Secureworks IRON VIKING ", + "url": "https://www.secureworks.com/research/threat-profiles/iron-viking", + "description": "Secureworks. (2020, May 1). IRON VIKING Threat Profile. Retrieved June 10, 2020." + } + ], + "modified": "2022-02-28T17:02:50.401Z", + "description": "(Citation: iSIGHT Sandworm 2014)(Citation: F-Secure BlackEnergy 2014)(Citation: US District Court Indictment GRU Unit 74455 October 2020)(Citation: UK NCSC Olympic Attacks October 2020)(Citation: Secureworks IRON VIKING )", + "relationship_type": "uses", + "source_ref": "intrusion-set--381fcf73-60f6-4ab2-9991-6af3cbc35192", + "target_ref": "malware--54cc1d4f-5c53-4f0e-9ef5-11b4998e82e4", + "x_mitre_version": "1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--69576d3c-d0e8-459e-9f2e-0b9c560b2e04", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.218Z", + "relationship_type": "mitigates", + "description": "Example mitigations could include minimizing its distribution/storage or obfuscating the information (e.g., facility coverterms, codenames). 
In many cases this information may be necessary to support critical engineering, maintenance, or operational functions, therefore, it may not be feasible to implement.\n", + "source_ref": "course-of-action--99c746d7-a08a-4169-94f9-b8c0dad716fa", + "target_ref": "attack-pattern--b7e13ee8-182c-4f19-92a4-a88d7d855d54", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--842a2b85-4e77-4eb6-99e1-c4a231aadf48", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.187Z", + "relationship_type": "mitigates", + "description": "Network allowlists can be implemented through either host-based files or system host files to specify what external connections (e.g., IP address, MAC address, port, protocol) can be made from a device.\n", + "source_ref": "course-of-action--aadac250-bcdc-44e3-a4ae-f52bd0a7a16a", + "target_ref": "attack-pattern--e1f9cdd2-9511-4fca-90d7-f3e92cfdd0bf", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--b0fe8a56-cb76-4d79-9ba9-9358ef08aa08", + "created": "2022-05-11T16:22:58.806Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-09-26T16:59:13.486Z", + "description": "Monitor for device alarms produced when parameters are changed, although not all devices will produce such alarms.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--9d56be63-3501-4dd3-bb5f-63c580833298", + "target_ref": 
"attack-pattern--097924ce-a9a9-4039-8591-e0deedfb8722", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--cba8313b-c338-45f7-88ef-a514094882ac", + "created": "2022-09-28T20:28:39.348Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Wylie-22", + "description": "Jimmy Wylie. (2022, August). Analyzing PIPEDREAM: Challenges in Testing an ICS Attack Toolkit. Defcon 30.", + "url": "https://media.defcon.org/DEF%20CON%2030/DEF%20CON%2030%20presentations/Jimmy%20Wylie%20-%20Analyzing%20PIPEDREAM%20Challenges%20in%20testing%20an%20ICS%20attack%20toolkit.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-13T16:53:47.446Z", + "description": "[INCONTROLLER](https://attack.mitre.org/software/S1045) has the ability to exploit a vulnerable Asrock driver (AsrDrv103.sys) using CVE-2020-15368 to load its own unsigned driver on the system.(Citation: Wylie-22)", + "relationship_type": "uses", + "source_ref": "malware--d3aa1058-b1b3-4c29-a3ba-9a9b90ccd93b", + "target_ref": "attack-pattern--cfe68e93-ce94-4c0f-a57d-3aa72cedd618", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--d8911566-f622-4a01-b765-514dbbfd8201", + "created": "2022-09-28T20:27:01.345Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Wylie-22", + "description": "Jimmy Wylie. (2022, August). Analyzing PIPEDREAM: Challenges in Testing an ICS Attack Toolkit. 
Defcon 30.", + "url": "https://media.defcon.org/DEF%20CON%2030/DEF%20CON%2030%20presentations/Jimmy%20Wylie%20-%20Analyzing%20PIPEDREAM%20Challenges%20in%20testing%20an%20ICS%20attack%20toolkit.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-13T16:53:47.447Z", + "description": "[INCONTROLLER](https://attack.mitre.org/software/S1045) can deploy Tcpdump to sniff network traffic and collect PCAP files.(Citation: Wylie-22) ", + "relationship_type": "uses", + "source_ref": "malware--d3aa1058-b1b3-4c29-a3ba-9a9b90ccd93b", + "target_ref": "attack-pattern--38213338-1aab-479d-949b-c81b66ccca5c", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--b2e10e48-8bd9-472a-9c6f-1d38650e8df1", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.239Z", + "relationship_type": "mitigates", + "description": "Techniques can include (i) reducing transmission power on wireless signals, (ii) adjusting antenna gain to prevent extensions beyond organizational boundaries, and (iii) employing RF shielding techniques to block excessive signal propagation. (Citation: DHS National Urban Security Technology Laboratory April 2019)\n", + "source_ref": "course-of-action--fce6866f-9a87-4d3e-a73c-f02d8937fe0e", + "target_ref": "attack-pattern--2877063e-1851-48d2-bcc6-bc1d2733157e", + "external_references": [ + { + "source_name": "DHS National Urban Security Technology Laboratory April 2019", + "description": "DHS National Urban Security Technology Laboratory 2019, April Radio Frequency Detection, Spectrum Analysis, and Direction Finding Equipment Retrieved. 
2020/09/17 ", + "url": "https://www.dhs.gov/sites/default/files/saver-msr-rf-detection_cod-508_10july2019.pdf" + } + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--ccae6e5d-8a9e-4bab-ae77-26a2bd722f67", + "created": "2021-04-13T11:15:26.506Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Nicolas Falliere, Liam O Murchu, Eric Chien February 2011", + "description": "Nicolas Falliere, Liam O Murchu, Eric Chien 2011, February W32.Stuxnet Dossier (Version 1.4) Retrieved. 2017/09/22 ", + "url": "https://www.wired.com/images_blogs/threatlevel/2011/02/Symantec-Stuxnet-Update-Feb-2011.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-09-20T21:19:13.497Z", + "description": "[Stuxnet](https://attack.mitre.org/software/S0603) infects OB1 so that its malicious code sequence is executed at the start of a cycle. It also infects OB35. OB35 acts as a watchdog, and on certain conditions, it can stop the execution of OB1. 
(Citation: Nicolas Falliere, Liam O Murchu, Eric Chien February 2011)", + "relationship_type": "uses", + "source_ref": "malware--088f1d6e-0783-47c6-9923-9c79b2af43d4", + "target_ref": "attack-pattern--09a61657-46e1-439e-b3ed-3e4556a78243", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--ce0d3a3a-9c62-4bfb-a47a-7b1b23e9f035", + "created": "2022-05-11T16:22:58.804Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-09-27T17:48:59.046Z", + "description": "In the case of detecting collection from centralized information repositories monitor for third-party application logging, messaging, and/or other artifacts that may leverage information repositories to mine valuable information. Information repositories generally have a considerably large user base, detection of malicious use can be non-trivial. At minimum, access to information repositories performed by privileged users (for example, Active Directory Domain, Enterprise, or Schema Administrators) should be closely monitored and alerted upon, as these types of accounts should generally not be used to access information repositories. If the capability exists, it may be of value to monitor and alert on users that are retrieving and viewing a large number of documents and pages; this behavior may be indicative of programmatic means being used to retrieve all data within the repository. In environments with high-maturity, it may be possible to leverage User-Behavioral Analytics (UBA) platforms to detect and alert on user-based anomalies. 
For added context on adversary procedures and background see [Data from Information Repositories](https://attack.mitre.org/techniques/T1213).", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--9c2fa0ae-7abc-485a-97f6-699e3b6cf9fa", + "target_ref": "attack-pattern--3405891b-16aa-4bd7-bd7c-733501f9b20f", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--be950e87-80ac-49ea-810a-553c7f72151b", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.073Z", + "relationship_type": "mitigates", + "description": "Devices should authenticate all messages between master and outstation assets.\n", + "source_ref": "course-of-action--72e46e53-e12d-4106-9c70-33241b6ed549", + "target_ref": "attack-pattern--8e7089d3-fba2-44f8-94a8-9a79c53920c4", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--c347b69c-e3f6-4eca-ba57-0781c7dc8eac", + "created": "2021-04-13T12:28:20.652Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Dragos Threat Intelligence February 2020", + "description": "Dragos Threat Intelligence 2020, February 03 EKANS Ransomware and ICS Operations Retrieved. 
2021/04/12 ", + "url": "https://www.dragos.com/blog/industry-news/ekans-ransomware-and-ics-operations/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-12T17:48:00.088Z", + "description": "[EKANS](https://attack.mitre.org/software/S0605) masquerades itself as a valid executable with the filename update.exe. Many valid programs use the process name update.exe to perform background software updates. (Citation: Dragos Threat Intelligence February 2020)", + "relationship_type": "uses", + "source_ref": "malware--00e7d565-9883-4ee5-b642-8fd17fd6a3f5", + "target_ref": "attack-pattern--ba203963-3182-41ac-af14-7e7ebc83cd61", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--8b491011-322d-4e0b-8f79-449e1b2ee185", + "created": "2022-05-11T16:22:58.805Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-14T16:55:26.030Z", + "description": "Monitor newly constructed processes that assist in lateral tool transfers, such as file transfer programs.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--3d20385b-24ef-40e1-9f56-f39750379077", + "target_ref": "attack-pattern--ead7bd34-186e-4c79-9a4d-b65bcce6ed9d", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--8b136d10-1fd7-4cd4-a3a7-b648b23adc92", + "created": "2022-05-11T16:22:58.807Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + 
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-14T19:32:18.214Z", + "description": "Monitor for changes made to firmware for unexpected modifications to settings and/or data that may be used by rootkits to hide the presence of programs, files, network connections, services, drivers, and other system components. Asset management systems should be consulted to understand known-good firmware versions and configurations.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--b9d031bb-d150-4fc6-8025-688201bf3ffd", + "target_ref": "attack-pattern--3b6b9246-43f8-4c69-ad7a-2b11cfe0a0d9", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--3d4ea0e2-9f51-40f9-a22b-8265f696fd83", + "created": "2022-05-11T16:22:58.805Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-09-26T19:19:04.853Z", + "description": "Monitor logon activity for unexpected or unusual access to devices from the Internet.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--39b9db72-8b48-4595-a18d-db5bbba3091b", + "target_ref": "attack-pattern--f8df6b57-14bc-425f-9a91-6f59f6799307", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--3a7d1db3-9383-4171-8938-382e9b0375c6", + "created": "2017-12-14T16:46:06.044Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Booz Allen Hamilton", + "description": "Booz Allen Hamilton 
When The Lights Went Out Retrieved. 2019/10/22 ", + "url": "https://www.boozallen.com/content/dam/boozallen/documents/2016/09/ukraine-report-when-the-lights-went-out.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-12T17:36:37.304Z", + "description": "[BlackEnergy](https://attack.mitre.org/software/S0089) uses HTTP POST request to contact external command and control servers. (Citation: Booz Allen Hamilton)\n", + "relationship_type": "uses", + "source_ref": "malware--54cc1d4f-5c53-4f0e-9ef5-11b4998e82e4", + "target_ref": "attack-pattern--e076cca8-2f08-45c9-aff7-ea5ac798b387", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--9b825e77-2b18-4bc8-8e1d-5f645d570dca", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2018-10-17T00:14:20.652Z", + "modified": "2022-05-06T17:47:24.246Z", + "relationship_type": "uses", + "description": " (Citation: Dragos)", + "source_ref": "intrusion-set--9538b1a4-4120-4e2d-bf59-3b11fcab05a4", + "target_ref": "malware--80099a91-4c86-4bea-9ccb-dac55d61960e", + "external_references": [ + { + "source_name": "Dragos", + "description": "Dragos Xenotime Retrieved. 
2019/10/27 ", + "url": "https://dragos.com/resource/xenotime/" + } + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--d7ea83fa-87c7-4d36-96d5-aee554504040", + "created": "2017-05-31T21:33:27.074Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Marc-Etienne M.Lveill October 2017", + "description": "Marc-Etienne M.Lveill 2017, October 24 Bad Rabbit: NotPetya is back with improved ransomware Retrieved. 2019/10/27 ", + "url": "https://www.welivesecurity.com/2017/10/24/bad-rabbit-not-petya-back/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-12T17:31:02.075Z", + "description": "Several transportation organizations in Ukraine have suffered from being infected by [Bad Rabbit](https://attack.mitre.org/software/S0606), resulting in some computers becoming encrypted, according to media reports. 
(Citation: Marc-Etienne M.Lveill October 2017)", + "relationship_type": "uses", + "source_ref": "malware--2eaa5319-5e1e-4dd7-bbc4-566fced3964a", + "target_ref": "attack-pattern--63b6942d-8359-4506-bfb3-cf87aa8120ee", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--c2fe42b4-6750-4b51-86b7-6c37fbfdef2d", + "created": "2020-09-21T17:59:24.739Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Department of Homeland Security October 2009", + "description": "Department of Homeland Security 2009, October Developing an Industrial Control Systems Cybersecurity Incident Response Capability Retrieved. 2020/09/17 ", + "url": "https://us-cert.cisa.gov/sites/default/files/recommended_practices/final-RP_ics_cybersecurity_incident_response_100609.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-19T21:23:21.586Z", + "description": "Take and store data backups from end user systems and critical servers. Ensure backup and storage systems are hardened and kept separate from the corporate network to prevent compromise. 
Maintain and exercise incident response plans (Citation: Department of Homeland Security October 2009), including the management of gold-copy back-up images and configurations for key systems to enable quick recovery and response from adversarial activities that impact control, view, or availability.\n", + "relationship_type": "mitigates", + "source_ref": "course-of-action--ad12819e-3211-4291-b360-069f280cff0a", + "target_ref": "attack-pattern--56ddc820-6cfb-407f-850b-52c035d123ac", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--604a9bf0-81a3-425b-9005-779c4f0f749d", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.195Z", + "relationship_type": "mitigates", + "description": "Harden the system through operating system controls to prevent the known or unknown use of malicious removable media.\n", + "source_ref": "course-of-action--9a945a29-5233-4422-a9e3-3e957b0e8bce", + "target_ref": "attack-pattern--c267bbee-bb59-47fe-85e0-3ed210337c21", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--58269882-7e8d-4d24-b7a3-dbef6196cb61", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.086Z", "relationship_type": "mitigates", "description": "Use host-based allowlists to prevent devices from accepting connections from unauthorized systems. 
For example, allowlists can be used to ensure devices can only connect with master stations or known management/engineering workstations. (Citation: Department of Homeland Security September 2016)\n", "source_ref": "course-of-action--aadac250-bcdc-44e3-a4ae-f52bd0a7a16a", - "target_ref": "attack-pattern--25dfc8ad-bd73-4dfd-84a9-3c3d383f76e9", + "target_ref": "attack-pattern--83ebd22f-b401-4d59-8219-2294172cf916", + "external_references": [ + { + "source_name": "Department of Homeland Security September 2016", + "description": "Department of Homeland Security 2016, September Retrieved. 2020/09/25 ", + "url": "https://us-cert.cisa.gov/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf" + } + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--d8354850-bd4c-4bd9-a585-b107f5f1398f", + "created": "2018-04-18T17:59:24.739Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Blake Johnson, Dan Caban, Marina Krotofil, Dan Scali, Nathan Brubaker, Christopher Glyer December 2017", + "description": "Blake Johnson, Dan Caban, Marina Krotofil, Dan Scali, Nathan Brubaker, Christopher Glyer 2017, December 14 Attackers Deploy New ICS Attack Framework TRITON and Cause Operational Disruption to Critical Infrastructure Retrieved. 
2018/01/12 ", + "url": "https://www.fireeye.com/blog/threat-research/2017/12/attackers-deploy-new-ics-attack-framework-triton.html" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-12T18:28:39.359Z", + "description": "[Triton](https://attack.mitre.org/software/S1009) has the capability to reprogram the SIS logic to allow unsafe conditions to persist or reprogram the SIS to allow an unsafe state while using the DCS to create an unsafe state or hazard. (Citation: Blake Johnson, Dan Caban, Marina Krotofil, Dan Scali, Nathan Brubaker, Christopher Glyer December 2017)", + "relationship_type": "uses", + "source_ref": "malware--80099a91-4c86-4bea-9ccb-dac55d61960e", + "target_ref": "attack-pattern--5fa00fdd-4a55-4191-94a0-564181d7fec2", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--7a55fc66-0d5c-4ef6-af28-d4a4bb84381d", + "created": "2017-12-14T16:46:06.044Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Hydro", + "description": "Hydro Kevin Beaumont How Lockergoga took down Hydro ransomware used in targeted attacks aimed at big business Retrieved. 2019/10/16 Retrieved. 2019/10/16 ", + "url": "https://www.hydro.com/en/media/on-the-agenda/cyber-attack/" + }, + { + "source_name": "Kevin Beaumont", + "description": "Kevin Beaumont How Lockergoga took down Hydro ransomware used in targeted attacks aimed at big business Retrieved. 
2019/10/16 ", + "url": "https://doublepulsar.com/how-lockergoga-took-down-hydro-ransomware-used-in-targeted-attacks-aimed-at-big-business-c666551f5880" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-12T17:56:48.612Z", + "description": "Some of Norsk Hydro's production systems were impacted by a [LockerGoga](https://attack.mitre.org/software/S0372) infection. This resulted in a loss of view which forced the company to switch to manual operations. (Citation: Kevin Beaumont) (Citation: Hydro)", + "relationship_type": "uses", + "source_ref": "malware--5af7a825-2d9f-400d-931a-e00eb9e27f48", + "target_ref": "attack-pattern--138979ba-0430-4de6-a128-2fc0b056ba36", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--d90aeeb6-3686-483a-8403-6514ecfe1a50", + "created": "2018-04-18T17:59:24.739Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "ICS-CERT August 2018", + "description": "ICS-CERT 2018, August 22 Advisory (ICSA-14-178-01) Retrieved. 2019/04/01 ", + "url": "https://ics-cert.us-cert.gov/advisories/ICSA-14-178-01" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-12T17:23:33.379Z", + "description": "The [Backdoor.Oldrea](https://attack.mitre.org/software/S0093) payload has caused multiple common OPC platforms to intermittently crash. This could cause a denial of service effect on applications reliant on OPC communications. 
(Citation: ICS-CERT August 2018)", + "relationship_type": "uses", + "source_ref": "malware--083bb47b-02c8-4423-81a2-f9ef58572974", + "target_ref": "attack-pattern--1b22b676-9347-4c55-9a35-ef0dc653db5b", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--3bff265f-7ab9-4dae-b7a3-a5d9bc586f35", + "created": "2022-05-11T16:22:58.804Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-14T16:57:59.240Z", + "description": "Monitor for known proxy protocols (e.g., SOCKS, Tor, peer-to-peer protocols) and tool usage (e.g., Squid, peer-to-peer software) on the network that are not part of normal operations. Also monitor network data for uncommon data flows. Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--a7f22107-02e5-4982-9067-6625d4a1765a", + "target_ref": "attack-pattern--d67adac8-e3b9-44f9-9e6d-6c2a7d69dbe4", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--75366cbf-e45f-4cfd-9e76-5af4dfe10766", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.080Z", + "relationship_type": "mitigates", + "description": "Execution prevention may block malicious software from accessing protected resources through the command line 
interface.\n", + "source_ref": "course-of-action--4fa717d9-cabe-47c8-8cdd-86e9e2e37f30", + "target_ref": "attack-pattern--24a9253e-8948-4c98-b751-8e2aee53127c", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--10e87e4b-a231-42e3-a011-0031f8226936", + "created": "2022-09-26T17:15:51.819Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-09-26T17:15:51.819Z", + "description": "Monitor for firmware changes which may be observable via operational alarms from devices.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--9d56be63-3501-4dd3-bb5f-63c580833298", + "target_ref": "attack-pattern--b9160e77-ea9e-4ba9-b1c8-53a3c466b13d", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "2.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": "relationship", + "id": "relationship--4b57e41c-246f-44b3-b259-1811d5275e10", + "created": "2022-09-26T15:16:32.057Z", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-09-26T15:16:32.057Z", + "description": "Consult asset management systems to understand expected alarm settings.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--b05a614b-033c-4578-b4f2-c63a9feee706", + "target_ref": "attack-pattern--e5de767e-f513-41cd-aa15-33f6ce5fbf92", + "x_mitre_deprecated": false, + "x_mitre_version": "0.1", + "x_mitre_attack_spec_version": "2.1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "type": 
"relationship", + "id": "relationship--792324b4-064a-430c-8ffc-7f7acd537778", + "created": "2018-10-17T00:14:20.652Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Symantec", + "description": "Symantec W32.Duqu The precursor to the next Stuxnet Retrieved. 2019/11/03 ", + "url": "https://docs.broadcom.com/doc/w32-duqu-11-en" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-12T17:44:27.955Z", + "description": "[Duqu](https://attack.mitre.org/software/S0038)'s purpose is to gather intelligence data and assets from entities such as industrial infrastructure and system manufacturers, amongst others not in the industrial sector, in order to more easily conduct a future attack against another third party.(Citation: Symantec)", + "relationship_type": "uses", + "source_ref": "malware--68dca94f-c11d-421e-9287-7c501108e18c", + "target_ref": "attack-pattern--b7e13ee8-182c-4f19-92a4-a88d7d855d54", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--10626671-941d-4a82-a835-56059058ef87", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.065Z", + "relationship_type": "mitigates", + "description": "Use host-based allowlists to prevent devices from accepting connections from unauthorized systems. For example, allowlists can be used to ensure devices can only connect with master stations or known management/engineering workstations. 
(Citation: Department of Homeland Security September 2016)\n", + "source_ref": "course-of-action--aadac250-bcdc-44e3-a4ae-f52bd0a7a16a", + "target_ref": "attack-pattern--19a71d1e-6334-4233-8260-b749cae37953", "external_references": [ { "source_name": "Department of Homeland Security September 2016", 
@@ -24282,278 +24183,31 @@ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "relationship", - "id": "relationship--52855d5d-e835-470f-a675-751c2779c861", + "id": "relationship--04fa6b94-d633-40ff-9ab2-88f58c07c3e1", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.140Z", + "modified": "2022-05-06T17:47:24.218Z", "relationship_type": "mitigates", - "description": "Utilize out-of-band communication to validate the integrity of data from the primary channel.\n", - "source_ref": "course-of-action--b11cad63-ef30-4eb8-af0d-6cc46eef3f3e", - "target_ref": "attack-pattern--9a505987-ab05-4f46-a9a6-6441442eec3b", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - "type": "relationship", - "id": "relationship--711f17c2-c9f6-4d8d-bf79-117fcdc592c0", - "created": "2022-05-11T16:22:58.804Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-09-26T16:29:38.448Z", - "description": "Monitor network traffic for default credential use in protocols that allow unencrypted authentication.", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c", - "target_ref": "attack-pattern--8bb4538f-f16f-49f0-a431-70b5444c7349", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "type": "relationship", - "id": "relationship--62e818b8-38e6-42ff-9424-9a327332eb2a", - "created": "2022-09-29T20:02:37.671Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "external_references": [ - { - "source_name": 
"ESET Industroyer", - "description": "Anton Cherepanov. (2017, June 12). Win32/Industroyer: A new threat for industrial controls systems. Retrieved December 18, 2020.", - "url": "https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf" - } - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-09-29T20:08:03.342Z", - "description": "The [Industroyer](https://attack.mitre.org/software/S0604) IEC 61850 componentsends the domain-specific MMSgetNameListrequest to determine what logical nodes the device supports. It then searches the logical nodes for the CSW value, which indicates the device performs a circuit breaker or switch control function.(Citation: ESET Industroyer)\n\n[Industroyer](https://attack.mitre.org/software/S0604)'s OPC DA module also uses IOPCBrowseServerAddressSpace to look for items with the following strings: ctlSelOn, ctlOperOn, ctlSelOff, ctlOperOff, Pos and stVal.(Citation: ESET Industroyer)\n\n[Industroyer](https://attack.mitre.org/software/S0604) IEC 60870-5-104 module includes a range mode to discover Information Object Addresses (IOAs) by enumerating through each.(Citation: ESET Industroyer)", - "relationship_type": "uses", - "source_ref": "malware--e401d4fe-f0c9-44f0-98e6-f93487678808", - "target_ref": "attack-pattern--2fedbe69-581f-447d-8a78-32ee7db939a9", - "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "type": "relationship", - "id": "relationship--7d3ef0e3-560c-4e46-a0b4-dd1efc29e835", - "created": "2022-05-11T16:22:58.807Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-09-26T14:39:20.443Z", - "description": "Monitor for anomalies related to discovery related 
ICS functions, including devices that have not previously used these functions or for functions being sent to many outstations. Note that some ICS protocols use broadcast or multicast functionality, which may produce false positives. Also monitor for hosts enumerating network connected resources using non-ICS enterprise protocols.", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c", - "target_ref": "attack-pattern--2fedbe69-581f-447d-8a78-32ee7db939a9", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "relationship", - "id": "relationship--42ab7d24-8286-4a7a-8cd7-02e54a80e13f", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.185Z", - "relationship_type": "mitigates", - "description": "Ensure permissions restrict project file access to only engineer and technician user groups and accounts.\n", - "source_ref": "course-of-action--f9fcb3ec-6de0-4559-8cd9-ef1c0c7d1971", - "target_ref": "attack-pattern--e72425f8-9ae6-41d3-bfdb-e1b865e60722", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_version": "1.0" - }, - { - "type": "relationship", - "id": "relationship--6258c355-677c-452d-b1fc-27767232437b", - "created": "2019-03-26T16:19:52.358Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "external_references": [ - { - "source_name": "Joe Slowik April 2019", - "description": "Joe Slowik 2019, April 10 Implications of IT Ransomware for ICS Environments Retrieved. 
2019/10/27 ", - "url": "https://dragos.com/blog/industry-news/implications-of-it-ransomware-for-ics-environments/" - } - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-10-12T17:58:23.141Z", - "description": "[NotPetya](https://attack.mitre.org/software/S0368) can move laterally through industrial networks by means of the SMB service. (Citation: Joe Slowik April 2019)", - "relationship_type": "uses", - "source_ref": "malware--5719af9d-6b16-46f9-9b28-fb019541ddbb", - "target_ref": "attack-pattern--ead7bd34-186e-4c79-9a4d-b65bcce6ed9d", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "type": "relationship", - "id": "relationship--fb80368e-b3f6-4fa3-828b-b1cf792ea161", - "created": "2022-05-11T16:22:58.804Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-10-14T16:58:34.751Z", - "description": "Monitor executed commands and arguments for binaries that could be involved in data destruction activity, such as SDelete.", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--685f917a-e95e-4ba0-ade1-c7d354dae6e0", - "target_ref": "attack-pattern--493832d9-cea6-4b63-abe7-9a65a6473675", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "type": "relationship", - "id": "relationship--ee1a52bc-6c1b-4e2c-b296-173dccbc020a", - "created": "2022-05-11T16:22:58.805Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": 
"2022-10-14T19:44:27.451Z", - "description": "Use deep packet inspection to look for artifacts of common exploit traffic, such as known payloads.", - "relationship_type": "detects", - "source_ref": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c", - "target_ref": "attack-pattern--85a45294-08f1-4539-bf00-7da08aa7b0ee", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "relationship", - "id": "relationship--68d30c45-766f-48b6-9405-0c969243332b", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "created": "2020-09-21T17:59:24.739Z", - "modified": "2022-05-06T17:47:24.214Z", - "relationship_type": "mitigates", - "description": "All devices or systems changes, including all administrative functions, should require authentication. Consider using access management technologies to enforce authorization on all management interface access attempts, especially when the device does not inherently provide strong authentication and authorization functions.\n", - "source_ref": "course-of-action--3992ce42-43e9-4bea-b8db-a102ec3ec1e3", + "description": "Perform integrity checks of firmware before uploading it on a device. Utilize cryptographic hashes to verify the firmware has not been tampered with by comparing it to a trusted hash of the firmware. 
This could be from trusted data sources (e.g., vendor site) or through a third-party verification service.\n", + "source_ref": "course-of-action--bcf91ebc-f316-4e19-b2f6-444e9940c697", "target_ref": "attack-pattern--b9160e77-ea9e-4ba9-b1c8-53a3c466b13d", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0" }, { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "relationship--65adbdda-7069-40ed-9825-b79ec87e4916", "type": "relationship", - "created": "2021-09-21T15:47:37.522Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "external_references": [ - { - "source_name": "IBM Ransomware Trends September 2020", - "url": "https://securityintelligence.com/posts/ransomware-2020-attack-trends-new-techniques-affecting-organizations-worldwide/", - "description": "Singleton, C. and Kiefer, C. (2020, September 28). Ransomware 2020: Attack Trends Affecting Organizations Worldwide. Retrieved September 20, 2021." - }, - { - "source_name": "CrowdStrike Carbon Spider August 2021", - "url": "https://www.crowdstrike.com/blog/carbon-spider-embraces-big-game-hunting-part-1/", - "description": "Loui, E. and Reynolds, J. (2021, August 30). CARBON SPIDER Embraces Big Game Hunting, Part 1. Retrieved September 20, 2021." - }, - { - "source_name": "FBI Flash FIN7 USB", - "url": "https://therecord.media/fbi-fin7-hackers-target-us-companies-with-badusb-devices-to-install-ransomware/", - "description": "The Record. (2022, January 7). FBI: FIN7 hackers target US companies with BadUSB devices to install ransomware. Retrieved January 14, 2022." 
- } - ], - "modified": "2022-01-14T17:29:16.633Z", - "description": "(Citation: IBM Ransomware Trends September 2020)(Citation: CrowdStrike Carbon Spider August 2021)(Citation: FBI Flash FIN7 USB)", - "relationship_type": "uses", - "source_ref": "intrusion-set--3753cc21-2dae-4dfb-8481-d004e74502cc", - "target_ref": "malware--ac61f1f9-7bb1-465e-9b8a-c2ce8e88baf5", - "x_mitre_version": "1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "type": "relationship", - "id": "relationship--ef615d62-fe85-4740-9c5d-5dddff9b5693", - "created": "2018-04-18T17:59:24.739Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "external_references": [ - { - "source_name": "Symantec Security Response July 2014", - "description": "Symantec Security Response 2014, July 7 Dragonfly: Cyberespionage Attacks Against Energy Suppliers Retrieved. 2016/04/08 ", - "url": "https://docs.broadcom.com/doc/dragonfly_threat_against_western_energy_suppliers#:~:text=The%20attackers%2C%20known%20to%20Symantec,supply%20in%20the%20affected%20countries." 
- } - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-10-12T16:12:48.097Z", - "description": "[Dragonfly](https://attack.mitre.org/groups/G0035) trojanized legitimate ICS equipment providers software packages available for download on their websites.(Citation: Symantec Security Response July 2014)", - "relationship_type": "uses", - "source_ref": "intrusion-set--1c63d4ec-0a75-4daa-b1df-0d11af3d3cc1", - "target_ref": "attack-pattern--5e0f75da-e108-4688-a6de-a4f07cc2cbe3", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "type": "relationship", - "id": "relationship--8f76d408-be8a-478e-8a5a-aab1d1f96572", - "created": "2018-04-18T17:59:24.739Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "external_references": [ - { - "source_name": "Daavid Hentunen, Antti Tikkanen June 2014", - "description": "Daavid Hentunen, Antti Tikkanen 2014, June 23 Havex Hunts For ICS/SCADA Systems Retrieved. 2019/04/01 ", - "url": "https://www.f-secure.com/weblog/archives/00002718.html" - } - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "modified": "2022-10-12T17:20:08.002Z", - "description": "Using OPC, a component of [Backdoor.Oldrea](https://attack.mitre.org/software/S0093) gathers any details about connected devices and sends them back to the C2 for the attackers to analyze. 
(Citation: Daavid Hentunen, Antti Tikkanen June 2014)", - "relationship_type": "uses", - "source_ref": "malware--083bb47b-02c8-4423-81a2-f9ef58572974", - "target_ref": "attack-pattern--3de230d4-3e42-4041-b089-17e1128feded", - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "type": "relationship", - "id": "relationship--28395db7-feee-4711-b704-48e418e13ee1", - "created": "2022-09-27T18:05:21.608Z", + "id": "relationship--7f3ab726-ca49-4d47-b2b5-6246c6e4fdd3", + "created": "2022-09-26T15:24:07.122Z", "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2022-09-27T18:05:21.608Z", - "description": "In the case of detecting collection from local systems monitor executed commands and arguments that may search and collect local system sources, such as file systems or local databases, to find files of interest and sensitive data prior to Exfiltration. Remote access tools with built-in features may interact directly with the Windows API to gather data. Data may also be acquired through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001). For added context on adversary procedures and background see [Data from Local System](https://attack.mitre.org/techniques/T1005).\n\nIn the case of detecting collection from shared network drives monitor executed commands and arguments for actions that could be taken to collect files from a network share. Remote access tools with built-in features may interact directly with the Windows API to gather and copy to a location. 
Data may also be acquired through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001). For added context on adversary procedures and background see [Data from Network Shared Drive](https://attack.mitre.org/techniques/T1039).\n\nIn the case of detecting collection from removable media monitor executed commands and arguments for actions that could be taken to collect files from a system's connected removable media. For example, data may be acquired through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1059/001). For added context on adversary procedures and background see [Data from Removable Media](https://attack.mitre.org/techniques/T1025).\n", + "modified": "2022-09-26T15:24:07.122Z", + "description": "Monitor asset application logs which may provide information about requests for points or tags. Look for anomalies related to reading point or tag data, such as new assets using these functions, changes in volume or timing, or unusual information being queried. Many devices provide multiple ways to achieve the same result (e.g., functions with/without an acknowledgment or functions that operate on a single point vs. multiple points). Monitor for changes in the functions used.", "relationship_type": "detects", - "source_ref": "x-mitre-data-component--685f917a-e95e-4ba0-ade1-c7d354dae6e0", - "target_ref": "attack-pattern--3405891b-16aa-4bd7-bd7c-733501f9b20f", + "source_ref": "x-mitre-data-component--9c2fa0ae-7abc-485a-97f6-699e3b6cf9fa", + "target_ref": "attack-pattern--25852363-5968-4673-b81d-341d5ed90bd1", "x_mitre_deprecated": false, "x_mitre_version": "0.1", "x_mitre_attack_spec_version": "2.1.0", 
@@ -24561,15 +24215,479 @@ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { - "modified": "2022-10-07T16:14:39.124Z", - "name": "Command Execution", - "description": "The execution of a line of text, potentially with arguments, created from program code (e.g. a cmdlet executed via powershell.exe, interactive commands like >dir, shell executions, etc. )", - "x_mitre_data_source_ref": "x-mitre-data-source--73691708-ffb5-4e29-906d-f485f6fa7089", + "type": "relationship", + "id": "relationship--591620d3-5549-49db-9080-43f86a68a590", + "created": "2021-04-13T12:08:26.506Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "DHS CISA February 2019", + "description": "DHS CISA 2019, February 27 MAR-17-352-01 HatManSafety System Targeted Malware (Update B) Retrieved. 2019/03/08 ", + "url": "https://ics-cert.us-cert.gov/sites/default/files/documents/MAR-17-352-01%20HatMan%20-%20Safety%20System%20Targeted%20Malware%20%28Update%20B%29.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-12T18:25:07.936Z", + "description": "[Triton](https://attack.mitre.org/software/S1009) leverages a previously-unknown vulnerability affecting Tricon MP3008 firmware versions 10.010.4 allows an insecurely-written system call to be exploited to achieve an arbitrary 2-byte write primitive, which is then used to gain supervisor privileges. 
(Citation: DHS CISA February 2019)", + "relationship_type": "uses", + "source_ref": "malware--80099a91-4c86-4bea-9ccb-dac55d61960e", + "target_ref": "attack-pattern--cfe68e93-ce94-4c0f-a57d-3aa72cedd618", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--6c15ec9f-2b48-419c-adc1-f989833f6187", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2021-10-14T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.224Z", + "relationship_type": "mitigates", + "description": "Install anti-virus software on all workstation and transient assets that may have external access, such as to web, email, or remote file shares.\n", + "source_ref": "course-of-action--faf2b40e-5981-433f-aa46-17458e0026f7", + "target_ref": "attack-pattern--35392fb4-a31d-4c6a-b9f2-1c65b7f5e6b9", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--b960c5ed-1ea8-4dde-9203-c02d291d3bc6", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.222Z", + "relationship_type": "mitigates", + "description": "Use host-based allowlists to prevent devices from accepting connections from unauthorized systems. For example, allowlists can be used to ensure devices can only connect with master stations or known management/engineering workstations. 
(Citation: Department of Homeland Security September 2016)\n", + "source_ref": "course-of-action--aadac250-bcdc-44e3-a4ae-f52bd0a7a16a", + "target_ref": "attack-pattern--40b300ba-f553-48bf-862e-9471b220d455", + "external_references": [ + { + "source_name": "Department of Homeland Security September 2016", + "description": "Department of Homeland Security 2016, September Retrieved. 2020/09/25 ", + "url": "https://us-cert.cisa.gov/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf" + } + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--f9625775-662c-425e-9ea0-6cb3f3bf5c3c", + "created": "2022-05-11T16:22:58.807Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-09-26T14:34:29.743Z", + "description": "Monitor for unexpected ICS protocol command functions to controllers from existing master devices (including from new processes) or from new devices. 
The latter is like detection for [Rogue Master](https://attack.mitre.org/techniques/T0848) but requires ICS function level insight to determine if an unauthorized device is issuing commands (e.g., a historian).\n\nMonitoring for unexpected or problematic values below the function level will provide better insights into potentially malicious activity but at the cost of additional false positives depending on the underlying operational process.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c", + "target_ref": "attack-pattern--40b300ba-f553-48bf-862e-9471b220d455", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--8f90363e-2825-4178-807f-9268a28760fa", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.195Z", + "relationship_type": "mitigates", + "description": "Enforce system policies or physical restrictions to limit hardware such as USB devices on critical assets.\n", + "source_ref": "course-of-action--9e3adcad-0b8f-4ecc-a2f3-06f607f53bf0", + "target_ref": "attack-pattern--c267bbee-bb59-47fe-85e0-3ed210337c21", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--ca3c4d4b-cf53-4489-904f-8a220e421aeb", + "created": "2018-10-17T00:14:20.652Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Anton Cherepanov, ESET June 2017", + "description": "Anton Cherepanov, ESET 2017, June 12 
Win32/Industroyer: A new threat for industrial control systems Retrieved. 2017/09/15 ", + "url": "https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-09-23T18:57:51.953Z", + "description": "[Industroyer](https://attack.mitre.org/software/S0604)'s OPC module can brute force values and will send out a 0x01 status which for the target systems equates to a Primary Variable Out of Limits misdirecting operators from understanding protective relay status. (Citation: Anton Cherepanov, ESET June 2017)", + "relationship_type": "uses", + "source_ref": "malware--e401d4fe-f0c9-44f0-98e6-f93487678808", + "target_ref": "attack-pattern--4c2e1408-9d68-4187-8e6b-a77bc52700ec", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--5804ae3d-0daf-47a5-b026-d42878f55803", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.166Z", + "relationship_type": "mitigates", + "description": "This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.\n", + "source_ref": "course-of-action--469b78dd-a54d-4f7c-8c3b-4a1dd916b433", + "target_ref": "attack-pattern--2d0d40ad-22fa-4cc8-b264-072557e1364b", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": 
"relationship--0ffdee1a-1e83-4506-aba2-38c55812abb3", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.137Z", + "relationship_type": "mitigates", + "description": "Ensure that all SIS are segmented from operational networks to prevent them from being targeted by additional adversarial behavior.\n", + "source_ref": "course-of-action--da44255d-85c5-492c-baf3-ee823d44f848", + "target_ref": "attack-pattern--5fa00fdd-4a55-4191-94a0-564181d7fec2", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--13fb2612-7c23-4b9d-a6e1-76f78062fc52", + "created": "2022-05-11T16:22:58.807Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-14T19:38:23.604Z", + "description": "Monitor executed commands and arguments that may attempt to take screen captures of the desktop to gather information over the course of an operation.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--685f917a-e95e-4ba0-ade1-c7d354dae6e0", + "target_ref": "attack-pattern--c5e3cdbc-0387-4be9-8f83-ff5c0865f377", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--0f8a6c14-1050-404a-bb6e-4fe107d5b6cd", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.197Z", + "relationship_type": "mitigates", + "description": "Devices 
should authenticate all messages between master and outstation assets.\n", + "source_ref": "course-of-action--72e46e53-e12d-4106-9c70-33241b6ed549", + "target_ref": "attack-pattern--b14395bd-5419-4ef4-9bd8-696936f509bb", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--dadfed22-d70c-482b-9026-964396d75484", + "created": "2022-05-11T16:22:58.805Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-14T19:42:28.053Z", + "description": "Monitor for behaviors on the endpoint system that might indicate successful compromise, such as abnormal behaviors of browser processes. This could include suspicious files written to disk.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--3d20385b-24ef-40e1-9f56-f39750379077", + "target_ref": "attack-pattern--7830cfcf-b268-4ac0-a69e-73c6affbae9a", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--a08d85dd-a8b3-4848-94aa-941c43b6d8f2", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.069Z", + "relationship_type": "mitigates", + "description": "Prevent unauthorized systems from accessing control servers or field devices containing industrial information, especially services used for common automation protocols (e.g., DNP3, OPC).\n", + "source_ref": "course-of-action--1e7ccfc0-94c8-496e-8d27-032120892291", + "target_ref": 
"attack-pattern--3de230d4-3e42-4041-b089-17e1128feded", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--c0efb24a-2329-401a-bba6-817f2867bb3f", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.183Z", + "relationship_type": "mitigates", + "description": "Use host-based allowlists to prevent devices from accepting connections from unauthorized systems. For example, allowlists can be used to ensure devices can only connect with master stations or known management/engineering workstations. (Citation: Department of Homeland Security September 2016)\n", + "source_ref": "course-of-action--aadac250-bcdc-44e3-a4ae-f52bd0a7a16a", + "target_ref": "attack-pattern--3067b85e-271e-4bc5-81ad-ab1a81d411e3", + "external_references": [ + { + "source_name": "Department of Homeland Security September 2016", + "description": "Department of Homeland Security 2016, September Retrieved. 2020/09/25 ", + "url": "https://us-cert.cisa.gov/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf" + } + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": "relationship--93e24e03-6425-4ee8-99bb-c3a662c6cdce", + "created": "2018-04-18T17:59:24.739Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "DHS CISA February 2019", + "description": "DHS CISA 2019, February 27 MAR-17-352-01 HatManSafety System Targeted Malware (Update B) Retrieved. 
2019/03/08 ", + "url": "https://ics-cert.us-cert.gov/sites/default/files/documents/MAR-17-352-01%20HatMan%20-%20Safety%20System%20Targeted%20Malware%20%28Update%20B%29.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-10-12T18:27:42.104Z", + "description": "[Triton](https://attack.mitre.org/software/S1009) is able to read, write and execute code in memory on the safety controller at an arbitrary address within the devices firmware region. This allows the malware to make changes to the running firmware in memory and modify how the device operates. (Citation: DHS CISA February 2019)", + "relationship_type": "uses", + "source_ref": "malware--80099a91-4c86-4bea-9ccb-dac55d61960e", + "target_ref": "attack-pattern--b9160e77-ea9e-4ba9-b1c8-53a3c466b13d", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--968830b7-ee80-4a6e-96a4-9fc70470e4a9", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.112Z", + "relationship_type": "mitigates", + "description": "Regularly scan externally facing systems for vulnerabilities and establish procedures to rapidly patch systems when critical vulnerabilities are discovered through scanning and public disclosure.\n", + "source_ref": "course-of-action--de0bc375-50e1-4e26-a342-a8ff8c9d3037", + "target_ref": "attack-pattern--32632a95-6856-47b9-9ab7-fea5cd7dce00", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "type": "relationship", + "id": 
"relationship--874752f4-59a2-46e9-ae28-befe0142b223", + "created": "2017-12-14T16:46:06.044Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Nicolas Falliere, Liam O Murchu, Eric Chien February 2011", + "description": "Nicolas Falliere, Liam O Murchu, Eric Chien 2011, February W32.Stuxnet Dossier (Version 1.4) Retrieved. 2017/09/22 ", + "url": "https://www.wired.com/images_blogs/threatlevel/2011/02/Symantec-Stuxnet-Update-Feb-2011.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2022-09-30T14:37:52.169Z", + "description": "[Stuxnet](https://attack.mitre.org/software/S0603) uses a hardcoded password in the WinCC software's database server as one of the mechanisms used to propagate to nearby systems. (Citation: Nicolas Falliere, Liam O Murchu, Eric Chien February 2011)", + "relationship_type": "uses", + "source_ref": "malware--088f1d6e-0783-47c6-9923-9c79b2af43d4", + "target_ref": "attack-pattern--c9a8d958-fcdb-40d2-af4c-461c8031651a", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--2ff82993-5010-4450-89e7-341f449f3263", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.092Z", + "relationship_type": "mitigates", + "description": "Consider periodic reviews of accounts and privileges for critical and sensitive repositories.\n", + "source_ref": "course-of-action--bcf91ebc-f316-4e19-b2f6-444e9940c697", + "target_ref": "attack-pattern--3405891b-16aa-4bd7-bd7c-733501f9b20f", + "x_mitre_attack_spec_version": "2.1.0", + 
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--b9632b4d-43c3-4bfa-88e0-629245acb8eb", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.091Z", + "relationship_type": "mitigates", + "description": "Ensure users and user groups have appropriate permissions for their roles through Identity and Access Management (IAM) controls to prevent misuse. Implement user accounts for each individual that may access the repositories for role enforcement and non-repudiation of actions.\n", + "source_ref": "course-of-action--e57ebc6d-785f-40c8-adb1-b5b5e09b3b48", + "target_ref": "attack-pattern--3405891b-16aa-4bd7-bd7c-733501f9b20f", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "relationship", + "id": "relationship--bc74ff8f-d5fa-40fb-8c0b-f16af3ff36e3", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2020-09-21T17:59:24.739Z", + "modified": "2022-05-06T17:47:24.218Z", + "relationship_type": "mitigates", + "description": "Apply DLP to protect the confidentiality of information related to operational processes, facility locations, device configurations, programs, or databases that may have information that can be used to infer organizational trade-secrets, recipes, and other intellectual property (IP).\n", + "source_ref": "course-of-action--337c4e2a-21a7-4d9a-bfee-9efd6cebf0e5", + "target_ref": "attack-pattern--b7e13ee8-182c-4f19-92a4-a88d7d855d54", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": 
"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_version": "1.0" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "x-mitre-data-component--a7f22107-02e5-4982-9067-6625d4a1765a", + "type": "x-mitre-data-component", + "created": "2021-10-20T15:05:19.274Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "modified": "2021-10-20T15:05:19.274Z", + "name": "Network Traffic Flow", + "description": "Summarized network packet data, with metrics, such as protocol headers and volume (ex: Netflow or Zeek http.log)", + "x_mitre_data_source_ref": "x-mitre-data-source--c000cd5c-bbb3-4606-af6f-6c6d9de0bbe3", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "x-mitre-data-component--c0a4a086-cc20-4e1e-b7cb-29d99dfa3fb1", + "type": "x-mitre-data-component", + "created": "2021-10-20T15:05:19.272Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "modified": "2021-10-20T15:05:19.272Z", + "name": "Module Load", + "description": "Attaching a module into the memory of a process/program, typically to access shared resources/features provided by the module (ex: Sysmon EID 7)", + "x_mitre_data_source_ref": "x-mitre-data-source--f424e4b4-a8a4-4c58-a4ae-4f53bfd08563", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "x-mitre-data-component--9c2fa0ae-7abc-485a-97f6-699e3b6cf9fa", + "type": "x-mitre-data-component", + "created": "2021-10-20T15:05:19.272Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "modified": "2021-10-20T15:05:19.272Z", 
+ "name": "Application Log Content", + "description": "Logging, messaging, and other artifacts provided by third-party services (ex: metrics, errors, and/or alerts from mail/web applications)", + "x_mitre_data_source_ref": "x-mitre-data-source--40269753-26bd-437b-986e-159c66dec5e4", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "modified": "2022-10-21T21:47:33.604Z", + "name": "Software", + "description": "This includes sources of current and expected software or application programs deployed to a device, along with information on the version and patch level for vendor products, full source code for any application programs, and unique identifiers (e.g., hashes, signatures).", + "x_mitre_data_source_ref": "x-mitre-data-source--b1717cb4-d536-4e2b-b5e5-07e67e26183c", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_version": "1.0", + "type": "x-mitre-data-component", + "id": "x-mitre-data-component--8ed4e6d0-56d7-4e6b-8fa6-41f41631f30d", + "created": "2022-09-23T16:36:08.632Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c", + "type": "x-mitre-data-component", + "created": "2021-10-20T15:05:19.274Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "modified": "2021-10-20T15:05:19.274Z", + "name": "Network Traffic Content", + "description": "Logged network traffic data showing both protocol header and body values (ex: PCAP)", + "x_mitre_data_source_ref": 
"x-mitre-data-source--c000cd5c-bbb3-4606-af6f-6c6d9de0bbe3", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "modified": "2022-10-07T16:15:56.932Z", + "name": "Process Creation", + "description": "The initial construction of an executable managed by the OS, that may involve one or more tasks or threads. (e.g. Win EID 4688, Sysmon EID 1, cmd.exe > net use, etc.)", + "x_mitre_data_source_ref": "x-mitre-data-source--e8b8ede7-337b-4c0c-8c32-5c7872c1ee22", "x_mitre_deprecated": false, "x_mitre_version": "1.1", "type": "x-mitre-data-component", - "id": "x-mitre-data-component--685f917a-e95e-4ba0-ade1-c7d354dae6e0", - "created": "2021-10-20T15:05:19.273Z", + "id": "x-mitre-data-component--3d20385b-24ef-40e1-9f56-f39750379077", + "created": "2021-10-20T15:05:19.272Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": [ @@ -24586,8 +24704,8 @@ "Spirlin" ], "x_mitre_domains": [ - "enterprise-attack", - "ics-attack" + "ics-attack", + "enterprise-attack" ], "x_mitre_contributors": [ "Dragos Threat Intelligence", 
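Review bot: The added `relationship--591620d3-5549-49db-9080-43f86a68a590` description gives the affected Tricon MP3008 firmware as `10.010.4`, which looks like a version range whose separator was lost, and the sentence around it no longer parses ("leverages a ... vulnerability affecting ... allows"). Anyone scoping exposure from this text would be matching on a version string that is probably not a real release. I would restore it to something like `firmware versions 10.0-10.4, which allows an insecurely-written system call to be exploited`, after confirming the range against the cited DHS CISA report. The same dropped dash appears in the citation title `MAR-17-352-01 HatManSafety System Targeted Malware (Update B)`, both here and in `relationship--93e24e03-6425-4ee8-99bb-c3a662c6cdce`, where the URL suggests `HatMan - Safety System`.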
@@ -24654,232 +24772,21 @@ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { - "x_mitre_domains": [ - "ics-attack" - ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "modified": "2022-05-11T16:22:58.802Z", - "created": "2022-05-11T16:22:58.802Z", - "type": "x-mitre-data-component", - "id": "x-mitre-data-component--9d56be63-3501-4dd3-bb5f-63c580833298", - "name": "Device Alarm", - "description": "This includes alarms associated with unexpected device functions, such as shutdowns, restarts, failures, or configuration changes", - "x_mitre_version": "1.0", - "x_mitre_data_source_ref": "x-mitre-data-source--1b8c9f31-ad35-4850-bf8c-80c565ad3552", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "x-mitre-data-component--a7f22107-02e5-4982-9067-6625d4a1765a", - "type": "x-mitre-data-component", - "created": "2021-10-20T15:05:19.274Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "modified": "2021-10-20T15:05:19.274Z", - "name": "Network Traffic Flow", - "description": "Summarized network packet data, with metrics, such as protocol headers and volume (ex: Netflow or Zeek http.log)", - "x_mitre_data_source_ref": "x-mitre-data-source--c000cd5c-bbb3-4606-af6f-6c6d9de0bbe3", - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "x-mitre-data-component--39b9db72-8b48-4595-a18d-db5bbba3091b", - "type": "x-mitre-data-component", - "created": "2021-10-20T15:05:19.274Z", - "created_by_ref": 
"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "modified": "2021-10-20T15:05:19.274Z", - "name": "Logon Session Metadata", - "description": "Contextual data about a logon session, such as username, logon type, access tokens (security context, user SIDs, logon identifiers, and logon SID), and any activity associated within it", - "x_mitre_data_source_ref": "x-mitre-data-source--4358c631-e253-4557-86df-f687d0ef9891", - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "x-mitre-data-component--61f1d40e-f3d0-4cc6-aa2d-937b6204194f", + "id": "x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e", "type": "x-mitre-data-component", "created": "2021-10-20T15:05:19.272Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "modified": "2021-10-20T15:05:19.272Z", - "name": "Process Termination", - "description": "Exit of a running process (ex: Sysmon EID 5 or Windows EID 4689)", + "modified": "2022-03-30T14:26:51.806Z", + "name": "OS API Execution", + "description": "Initial construction of a WMI object, such as a filter, consumer, subscription, binding, or provider (ex: Sysmon EIDs 19-21)", "x_mitre_data_source_ref": "x-mitre-data-source--e8b8ede7-337b-4c0c-8c32-5c7872c1ee22", "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "x-mitre-data-component--9c2fa0ae-7abc-485a-97f6-699e3b6cf9fa", - "type": "x-mitre-data-component", - "created": "2021-10-20T15:05:19.272Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "modified": "2021-10-20T15:05:19.272Z", - "name": "Application Log Content", - "description": "Logging, 
messaging, and other artifacts provided by third-party services (ex: metrics, errors, and/or alerts from mail/web applications)", - "x_mitre_data_source_ref": "x-mitre-data-source--40269753-26bd-437b-986e-159c66dec5e4", - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "x-mitre-data-component--ee575f4a-2d4f-48f6-b18b-89067760adc1", - "type": "x-mitre-data-component", - "created": "2021-10-20T15:05:19.272Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "modified": "2021-10-20T15:05:19.272Z", - "name": "Process Metadata", - "description": "Contextual data about a running process, which may include information such as environment variables, image name, user/owner, etc.", - "x_mitre_data_source_ref": "x-mitre-data-source--e8b8ede7-337b-4c0c-8c32-5c7872c1ee22", - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "x-mitre-data-component--7b375092-3a61-448d-900a-77c9a4bde4dc", - "type": "x-mitre-data-component", - "created": "2021-10-20T15:05:19.271Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "modified": "2021-10-20T15:05:19.271Z", - "name": "Scheduled Job Metadata", - "description": "Contextual data about a scheduled job, which may include information such as name, timing, command(s), etc.", - "x_mitre_data_source_ref": "x-mitre-data-source--c9ddfb51-eb45-4e22-b614-44ac1caa7883", - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "aliases": [ - "Dragonfly 2.0", - "IRON LIBERTY", - "DYMALLOY", - 
"Berserk Bear" - ], - "x_mitre_domains": [ - "enterprise-attack", - "ics-attack" - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "intrusion-set", - "id": "intrusion-set--76d59913-1d24-4992-a8ac-05a3eb093f71", - "created": "2018-10-17T00:14:20.652Z", - "x_mitre_version": "2.1", - "external_references": [ - { - "source_name": "mitre-attack", - "external_id": "G0074", - "url": "https://attack.mitre.org/groups/G0074" - }, - { - "source_name": "DYMALLOY", - "description": "(Citation: Dragos DYMALLOY )" - }, - { - "source_name": "Berserk Bear", - "description": "(Citation: Fortune Dragonfly 2.0 Sept 2017)" - }, - { - "source_name": "IRON LIBERTY", - "description": "(Citation: Secureworks MCMD July 2019)(Citation: Secureworks IRON LIBERTY)" - }, - { - "source_name": "Dragonfly 2.0", - "description": "(Citation: US-CERT TA18-074A) (Citation: Symantec Dragonfly Sept 2017) (Citation: Fortune Dragonfly 2.0 Sept 2017)" - }, - { - "source_name": "Dragos DYMALLOY ", - "url": "https://www.dragos.com/threat/dymalloy/", - "description": "Dragos. (n.d.). DYMALLOY. Retrieved August 20, 2020." - }, - { - "source_name": "Fortune Dragonfly 2.0 Sept 2017", - "url": "http://fortune.com/2017/09/06/hack-energy-grid-symantec/", - "description": "Hackett, R. (2017, September 6). Hackers Have Penetrated Energy Grid, Symantec Warns. Retrieved June 6, 2018." - }, - { - "source_name": "Secureworks MCMD July 2019", - "url": "https://www.secureworks.com/research/mcmd-malware-analysis", - "description": "Secureworks. (2019, July 24). MCMD Malware Analysis. Retrieved August 13, 2020." - }, - { - "source_name": "Secureworks IRON LIBERTY", - "url": "https://www.secureworks.com/research/threat-profiles/iron-liberty", - "description": "Secureworks. (n.d.). IRON LIBERTY. Retrieved October 15, 2020." 
- }, - { - "source_name": "Symantec Dragonfly Sept 2017", - "url": "https://www.symantec.com/connect/blogs/dragonfly-western-energy-sector-targeted-sophisticated-attack-group", - "description": "Symantec Security Response. (2017, September 6). Dragonfly: Western energy sector targeted by sophisticated attack group. Retrieved September 9, 2017." - }, - { - "source_name": "US-CERT TA18-074A", - "url": "https://www.us-cert.gov/ncas/alerts/TA18-074A", - "description": "US-CERT. (2018, March 16). Alert (TA18-074A): Russian Government Cyber Activity Targeting Energy and Other Critical Infrastructure Sectors. Retrieved June 6, 2018." - } - ], - "x_mitre_deprecated": false, - "revoked": true, - "description": "[Dragonfly 2.0](https://attack.mitre.org/groups/G0074) is a suspected Russian group that has targeted government entities and multiple U.S. critical infrastructure sectors since at least December 2015. (Citation: US-CERT TA18-074A) (Citation: Symantec Dragonfly Sept 2017) There is debate over the extent of overlap between [Dragonfly 2.0](https://attack.mitre.org/groups/G0074) and [Dragonfly](https://attack.mitre.org/groups/G0035), but there is sufficient evidence to lead to these being tracked as two separate groups. 
(Citation: Fortune Dragonfly 2.0 Sept 2017)(Citation: Dragos DYMALLOY )", - "modified": "2022-05-11T14:00:00.188Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "name": "Dragonfly 2.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "x-mitre-data-component--f5468e67-51c7-4756-9b4f-65707708e7fa", - "type": "x-mitre-data-component", - "created": "2021-10-20T15:05:19.275Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "modified": "2021-10-20T15:05:19.275Z", - "name": "Network Share Access", - "description": "Opening a network share, which makes the contents available to the requestor (ex: Windows EID 5140 or 5145)", - "x_mitre_data_source_ref": "x-mitre-data-source--ba27545a-9c32-47ea-ba6a-cce50f1b326e", - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c", - "type": "x-mitre-data-component", - "created": "2021-10-20T15:05:19.274Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "modified": "2021-10-20T15:05:19.274Z", - "name": "Network Traffic Content", - "description": "Logged network traffic data showing both protocol header and body values (ex: PCAP)", - "x_mitre_data_source_ref": "x-mitre-data-source--c000cd5c-bbb3-4606-af6f-6c6d9de0bbe3", - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, { "modified": "2022-10-12T20:11:40.313Z", "name": "Sandworm Team", 
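Review bot: The new-side object `x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e` is named `OS API Execution`, but its description reads `Initial construction of a WMI object, such as a filter, consumer, subscription, binding, or provider (ex: Sysmon EIDs 19-21)`, which describes WMI object creation, not API calls. Its `x_mitre_data_source_ref` is the same `x-mitre-data-source--e8b8ede7-…` reference that the Process Creation and Process Termination components in this diff use, so the text appears to have been carried over from a WMI component. Anyone building telemetry or detection-coverage mappings from this bundle would be pointed at Sysmon EIDs 19-21 instead of API-call monitoring. I would replace the line with something like `"description": "Operating system function/method calls executed by a process"` and update `modified` on the object to match.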
@@ -25004,6 +24911,594 @@ "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, + { + "aliases": [ + "Dragonfly 2.0", + "IRON LIBERTY", + "DYMALLOY", + "Berserk Bear" + ], + "x_mitre_domains": [ + "enterprise-attack", + "ics-attack" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "intrusion-set", + "id": "intrusion-set--76d59913-1d24-4992-a8ac-05a3eb093f71", + "created": "2018-10-17T00:14:20.652Z", + "x_mitre_version": "2.1", + "external_references": [ + { + "source_name": "mitre-attack", + "external_id": "G0074", + "url": "https://attack.mitre.org/groups/G0074" + }, + { + "source_name": "DYMALLOY", + "description": "(Citation: Dragos DYMALLOY )" + }, + { + "source_name": "Berserk Bear", + "description": "(Citation: Fortune Dragonfly 2.0 Sept 2017)" + }, + { + "source_name": "IRON LIBERTY", + "description": "(Citation: Secureworks MCMD July 2019)(Citation: Secureworks IRON LIBERTY)" + }, + { + "source_name": "Dragonfly 2.0", + "description": "(Citation: US-CERT TA18-074A) (Citation: Symantec Dragonfly Sept 2017) (Citation: Fortune Dragonfly 2.0 Sept 2017)" + }, + { + "source_name": "Dragos DYMALLOY ", + "url": "https://www.dragos.com/threat/dymalloy/", + "description": "Dragos. (n.d.). DYMALLOY. Retrieved August 20, 2020." + }, + { + "source_name": "Fortune Dragonfly 2.0 Sept 2017", + "url": "http://fortune.com/2017/09/06/hack-energy-grid-symantec/", + "description": "Hackett, R. (2017, September 6). Hackers Have Penetrated Energy Grid, Symantec Warns. Retrieved June 6, 2018." + }, + { + "source_name": "Secureworks MCMD July 2019", + "url": "https://www.secureworks.com/research/mcmd-malware-analysis", + "description": "Secureworks. (2019, July 24). MCMD Malware Analysis. Retrieved August 13, 2020." 
+ }, + { + "source_name": "Secureworks IRON LIBERTY", + "url": "https://www.secureworks.com/research/threat-profiles/iron-liberty", + "description": "Secureworks. (n.d.). IRON LIBERTY. Retrieved October 15, 2020." + }, + { + "source_name": "Symantec Dragonfly Sept 2017", + "url": "https://www.symantec.com/connect/blogs/dragonfly-western-energy-sector-targeted-sophisticated-attack-group", + "description": "Symantec Security Response. (2017, September 6). Dragonfly: Western energy sector targeted by sophisticated attack group. Retrieved September 9, 2017." + }, + { + "source_name": "US-CERT TA18-074A", + "url": "https://www.us-cert.gov/ncas/alerts/TA18-074A", + "description": "US-CERT. (2018, March 16). Alert (TA18-074A): Russian Government Cyber Activity Targeting Energy and Other Critical Infrastructure Sectors. Retrieved June 6, 2018." + } + ], + "x_mitre_deprecated": false, + "revoked": true, + "description": "[Dragonfly 2.0](https://attack.mitre.org/groups/G0074) is a suspected Russian group that has targeted government entities and multiple U.S. critical infrastructure sectors since at least December 2015. (Citation: US-CERT TA18-074A) (Citation: Symantec Dragonfly Sept 2017) There is debate over the extent of overlap between [Dragonfly 2.0](https://attack.mitre.org/groups/G0074) and [Dragonfly](https://attack.mitre.org/groups/G0035), but there is sufficient evidence to lead to these being tracked as two separate groups. 
(Citation: Fortune Dragonfly 2.0 Sept 2017)(Citation: Dragos DYMALLOY )", + "modified": "2022-05-11T14:00:00.188Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "Dragonfly 2.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "x-mitre-data-component--f42df6f0-6395-4f0c-9376-525a031f00c3", + "type": "x-mitre-data-component", + "created": "2021-10-20T15:05:19.271Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "modified": "2021-10-20T15:05:19.271Z", + "name": "Scheduled Job Creation", + "description": "Initial construction of a new scheduled job (ex: Windows EID 4698 or /var/log cron logs)", + "x_mitre_data_source_ref": "x-mitre-data-source--c9ddfb51-eb45-4e22-b614-44ac1caa7883", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "x-mitre-data-component--639e87f3-acb6-448a-9645-258f20da4bc5", + "type": "x-mitre-data-component", + "created": "2021-10-20T15:05:19.273Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "modified": "2021-10-20T15:05:19.273Z", + "name": "File Metadata", + "description": "Contextual data about a file, which may include information such as name, the content (ex: signature, headers, or data/media), user/ower, permissions, etc.", + "x_mitre_data_source_ref": "x-mitre-data-source--509ed41e-ca42-461e-9058-24602256daf9", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "x_mitre_domains": [ + "ics-attack" + ], + "object_marking_refs": [ + 
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "modified": "2022-05-11T16:22:58.802Z", + "created": "2022-05-11T16:22:58.802Z", + "type": "x-mitre-data-component", + "id": "x-mitre-data-component--4c12c1c8-bcef-4daf-8e5b-fca235f71d9e", + "name": "Process/Event Alarm", + "description": "This includes a list of any process alarms or alerts produced to indicate unusual or concerning activity within the operational process (e.g., increased temperature/pressure)", + "x_mitre_version": "1.0", + "x_mitre_data_source_ref": "x-mitre-data-source--1b8c9f31-ad35-4850-bf8c-80c565ad3552", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "x_mitre_domains": [ + "ics-attack" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "modified": "2022-05-11T16:22:58.802Z", + "created": "2022-05-11T16:22:58.802Z", + "type": "x-mitre-data-component", + "id": "x-mitre-data-component--931b3fc6-ad68-42a8-9018-e98515eedc95", + "name": "Process History/Live Data", + "description": "This includes any data stores that maintain historical or real-time events and telemetry recorded from various sensors or devices", + "x_mitre_version": "1.0", + "x_mitre_data_source_ref": "x-mitre-data-source--1b8c9f31-ad35-4850-bf8c-80c565ad3552", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "aliases": [ + "OilRig", + "COBALT GYPSY", + "IRN2", + "APT34", + "Helix Kitten" + ], + "x_mitre_domains": [ + "enterprise-attack", + "ics-attack" + ], + "x_mitre_contributors": [ + "Robert Falcone", + "Bryan Lee", + "Dragos Threat Intelligence" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": 
"intrusion-set", + "id": "intrusion-set--4ca1929c-7d64-4aab-b849-badbfc0c760d", + "created": "2017-12-14T16:46:06.044Z", + "x_mitre_version": "3.0", + "external_references": [ + { + "source_name": "mitre-attack", + "external_id": "G0049", + "url": "https://attack.mitre.org/groups/G0049" + }, + { + "source_name": "IRN2", + "description": "(Citation: Crowdstrike Helix Kitten Nov 2018)" + }, + { + "source_name": "OilRig", + "description": "(Citation: Palo Alto OilRig April 2017) (Citation: ClearSky OilRig Jan 2017) (Citation: Palo Alto OilRig May 2016) (Citation: Palo Alto OilRig Oct 2016) (Citation: Unit 42 Playbook Dec 2017) (Citation: Unit 42 QUADAGENT July 2018)" + }, + { + "source_name": "COBALT GYPSY", + "description": "(Citation: Secureworks COBALT GYPSY Threat Profile)" + }, + { + "source_name": "Helix Kitten", + "description": "(Citation: Unit 42 QUADAGENT July 2018)(Citation: Crowdstrike Helix Kitten Nov 2018)" + }, + { + "source_name": "Check Point APT34 April 2021", + "url": "https://research.checkpoint.com/2021/irans-apt34-returns-with-an-updated-arsenal/", + "description": "Check Point. (2021, April 8). Iran’s APT34 Returns with an Updated Arsenal. Retrieved May 5, 2021." + }, + { + "source_name": "ClearSky OilRig Jan 2017", + "url": "http://www.clearskysec.com/oilrig/", + "description": "ClearSky Cybersecurity. (2017, January 5). Iranian Threat Agent OilRig Delivers Digitally Signed Malware, Impersonates University of Oxford. Retrieved May 3, 2017." + }, + { + "source_name": "Palo Alto OilRig May 2016", + "url": "http://researchcenter.paloaltonetworks.com/2016/05/the-oilrig-campaign-attacks-on-saudi-arabian-organizations-deliver-helminth-backdoor/", + "description": "Falcone, R. and Lee, B.. (2016, May 26). The OilRig Campaign: Attacks on Saudi Arabian Organizations Deliver Helminth Backdoor. Retrieved May 3, 2017." 
+ }, + { + "source_name": "Palo Alto OilRig April 2017", + "url": "http://researchcenter.paloaltonetworks.com/2017/04/unit42-oilrig-actors-provide-glimpse-development-testing-efforts/", + "description": "Falcone, R.. (2017, April 27). OilRig Actors Provide a Glimpse into Development and Testing Efforts. Retrieved May 3, 2017." + }, + { + "source_name": "Palo Alto OilRig Oct 2016", + "url": "http://researchcenter.paloaltonetworks.com/2016/10/unit42-oilrig-malware-campaign-updates-toolset-and-expands-targets/", + "description": "Grunzweig, J. and Falcone, R.. (2016, October 4). OilRig Malware Campaign Updates Toolset and Expands Targets. Retrieved May 3, 2017." + }, + { + "source_name": "Unit 42 QUADAGENT July 2018", + "url": "https://researchcenter.paloaltonetworks.com/2018/07/unit42-oilrig-targets-technology-service-provider-government-agency-quadagent/", + "description": "Lee, B., Falcone, R. (2018, July 25). OilRig Targets Technology Service Provider and Government Agency with QUADAGENT. Retrieved August 9, 2018." + }, + { + "source_name": "Crowdstrike Helix Kitten Nov 2018", + "url": "https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-november-helix-kitten/", + "description": "Meyers, A. (2018, November 27). Meet CrowdStrike’s Adversary of the Month for November: HELIX KITTEN. Retrieved December 18, 2018." + }, + { + "source_name": "FireEye APT34 Dec 2017", + "url": "https://www.fireeye.com/blog/threat-research/2017/12/targeted-attack-in-middle-east-by-apt34.html", + "description": "Sardiwal, M, et al. (2017, December 7). New Targeted Attack in the Middle East by APT34, a Suspected Iranian Threat Group, Using CVE-2017-11882 Exploit. Retrieved December 20, 2017." + }, + { + "source_name": "Secureworks COBALT GYPSY Threat Profile", + "url": "https://www.secureworks.com/research/threat-profiles/cobalt-gypsy", + "description": "Secureworks. (n.d.). COBALT GYPSY Threat Profile. Retrieved April 14, 2021." 
+ }, + { + "source_name": "APT34", + "description": "This group was previously tracked under two distinct groups, APT34 and OilRig, but was combined due to additional reporting giving higher confidence about the overlap of the activity. (Citation: Unit 42 QUADAGENT July 2018) (Citation: FireEye APT34 Dec 2017)(Citation: Check Point APT34 April 2021)" + }, + { + "source_name": "Unit 42 Playbook Dec 2017", + "url": "https://pan-unit42.github.io/playbook_viewer/", + "description": "Unit 42. (2017, December 15). Unit 42 Playbook Viewer. Retrieved December 20, 2017." + } + ], + "x_mitre_deprecated": false, + "revoked": false, + "description": "[OilRig](https://attack.mitre.org/groups/G0049) is a suspected Iranian threat group that has targeted Middle Eastern and international victims since at least 2014. The group has targeted a variety of sectors, including financial, government, energy, chemical, and telecommunications. It appears the group carries out supply chain attacks, leveraging the trust relationship between organizations to attack their primary targets. 
FireEye assesses that the group works on behalf of the Iranian government based on infrastructure details that contain references to Iran, use of Iranian infrastructure, and targeting that aligns with nation-state interests.(Citation: Palo Alto OilRig April 2017)(Citation: ClearSky OilRig Jan 2017)(Citation: Palo Alto OilRig May 2016)(Citation: Palo Alto OilRig Oct 2016)(Citation: Unit 42 Playbook Dec 2017)(Citation: FireEye APT34 Dec 2017)(Citation: Unit 42 QUADAGENT July 2018)", + "modified": "2022-06-02T20:18:52.733Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "OilRig", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "x_mitre_domains": [ + "ics-attack" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "modified": "2022-05-11T16:22:58.802Z", + "created": "2022-05-11T16:22:58.802Z", + "type": "x-mitre-data-component", + "id": "x-mitre-data-component--9d56be63-3501-4dd3-bb5f-63c580833298", + "name": "Device Alarm", + "description": "This includes alarms associated with unexpected device functions, such as shutdowns, restarts, failures, or configuration changes", + "x_mitre_version": "1.0", + "x_mitre_data_source_ref": "x-mitre-data-source--1b8c9f31-ad35-4850-bf8c-80c565ad3552", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "modified": "2022-10-07T16:18:20.802Z", + "name": "Logon Session Creation", + "description": "Initial construction of a successful new user logon following an authentication attempt. (e.g. 
Windows EID 4624, /var/log/utmp, or /var/log/wmtp)", + "x_mitre_data_source_ref": "x-mitre-data-source--4358c631-e253-4557-86df-f687d0ef9891", + "x_mitre_deprecated": false, + "x_mitre_version": "1.1", + "type": "x-mitre-data-component", + "id": "x-mitre-data-component--9ce98c86-8d30-4043-ba54-0784d478d0b5", + "created": "2021-10-20T15:05:19.274Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "x-mitre-data-component--61f1d40e-f3d0-4cc6-aa2d-937b6204194f", + "type": "x-mitre-data-component", + "created": "2021-10-20T15:05:19.272Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "modified": "2021-10-20T15:05:19.272Z", + "name": "Process Termination", + "description": "Exit of a running process (ex: Sysmon EID 5 or Windows EID 4689)", + "x_mitre_data_source_ref": "x-mitre-data-source--e8b8ede7-337b-4c0c-8c32-5c7872c1ee22", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "x-mitre-data-component--84572de3-9583-4c73-aabd-06ea88123dd8", + "type": "x-mitre-data-component", + "created": "2021-10-20T15:05:19.273Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "modified": "2021-10-20T15:05:19.273Z", + "name": "File Modification", + "description": "Changes made to a file, or its access permissions and attributes, typically to alter the contents of the targeted file (ex: Windows EID 4670 or Sysmon EID 2)", + "x_mitre_data_source_ref": 
"x-mitre-data-source--509ed41e-ca42-461e-9058-24602256daf9", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "modified": "2022-10-07T16:14:39.124Z", + "name": "Command Execution", + "description": "The execution of a line of text, potentially with arguments, created from program code (e.g. a cmdlet executed via powershell.exe, interactive commands like >dir, shell executions, etc. )", + "x_mitre_data_source_ref": "x-mitre-data-source--73691708-ffb5-4e29-906d-f485f6fa7089", + "x_mitre_deprecated": false, + "x_mitre_version": "1.1", + "type": "x-mitre-data-component", + "id": "x-mitre-data-component--685f917a-e95e-4ba0-ade1-c7d354dae6e0", + "created": "2021-10-20T15:05:19.273Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "modified": "2022-10-20T20:18:06.745Z", + "name": "Network Connection Creation", + "description": "Initial construction of a network connection, such as capturing socket information with a source/destination IP and port(s) (ex: Windows EID 5156, Sysmon EID 3, or Zeek conn.log)", + "x_mitre_data_source_ref": "x-mitre-data-source--c000cd5c-bbb3-4606-af6f-6c6d9de0bbe3", + "x_mitre_deprecated": false, + "x_mitre_version": "1.1", + "type": "x-mitre-data-component", + "id": "x-mitre-data-component--181a9f8c-c780-4f1f-91a8-edb770e904ba", + "created": "2021-10-20T15:05:19.274Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + 
{ + "aliases": [ + "TEMP.Veles", + "XENOTIME" + ], + "x_mitre_domains": [ + "enterprise-attack", + "ics-attack" + ], + "x_mitre_contributors": [ + "Dragos Threat Intelligence" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "intrusion-set", + "id": "intrusion-set--9538b1a4-4120-4e2d-bf59-3b11fcab05a4", + "created": "2019-04-16T15:14:38.533Z", + "x_mitre_version": "1.3", + "external_references": [ + { + "source_name": "mitre-attack", + "external_id": "G0088", + "url": "https://attack.mitre.org/groups/G0088" + }, + { + "source_name": "TEMP.Veles", + "description": "(Citation: FireEye TRITON 2019)" + }, + { + "source_name": "Dragos Xenotime 2018", + "url": "https://dragos.com/resource/xenotime/", + "description": "Dragos, Inc.. (n.d.). Xenotime. Retrieved April 16, 2019." + }, + { + "source_name": "FireEye TEMP.Veles 2018", + "url": "https://www.fireeye.com/blog/threat-research/2018/10/triton-attribution-russian-government-owned-lab-most-likely-built-tools.html ", + "description": "FireEye Intelligence . (2018, October 23). TRITON Attribution: Russian Government-Owned Lab Most Likely Built Custom Intrusion Tools for TRITON Attackers. Retrieved April 16, 2019." + }, + { + "source_name": "FireEye TEMP.Veles 2018 ", + "url": "https://www.fireeye.com/blog/threat-research/2018/10/triton-attribution-russian-government-owned-lab-most-likely-built-tools.html", + "description": "FireEye Intelligence . (2018, October 23). TRITON Attribution: Russian Government-Owned Lab Most Likely Built Custom Intrusion Tools for TRITON Attackers. Retrieved April 16, 2019." + }, + { + "source_name": "FireEye TRITON 2019", + "url": "https://www.fireeye.com/blog/threat-research/2019/04/triton-actor-ttp-profile-custom-attack-tools-detections.html", + "description": "Miller, S, et al. (2019, April 10). TRITON Actor TTP Profile, Custom Attack Tools, Detections, and ATT&CK Mapping. Retrieved April 16, 2019." 
+ }, + { + "source_name": "FireEye TEMP.Veles JSON April 2019", + "url": "https://www.fireeye.com/content/dam/fireeye-www/blog/files/TRITON_Appendix_C.html", + "description": "Miller, S., et al. (2019, April 10). TRITON Appendix C. Retrieved April 29, 2019." + }, + { + "source_name": "Pylos Xenotime 2019", + "url": "https://pylos.co/2019/04/12/a-xenotime-to-remember-veles-in-the-wild/", + "description": "Slowik, J.. (2019, April 12). A XENOTIME to Remember: Veles in the Wild. Retrieved April 16, 2019." + }, + { + "source_name": "XENOTIME", + "description": "The activity group XENOTIME, as defined by Dragos, has overlaps with activity reported upon by FireEye about TEMP.Veles as well as the actors behind [TRITON](https://attack.mitre.org/software/S0609) .(Citation: Dragos Xenotime 2018)(Citation: Pylos Xenotime 2019)(Citation: FireEye TRITON 2019)(Citation: FireEye TEMP.Veles 2018 )" + } + ], + "x_mitre_deprecated": false, + "revoked": false, + "description": "[TEMP.Veles](https://attack.mitre.org/groups/G0088) is a Russia-based threat group that has targeted critical infrastructure. 
The group has been observed utilizing [TRITON](https://attack.mitre.org/software/S0609), a malware framework designed to manipulate industrial safety systems.(Citation: FireEye TRITON 2019)(Citation: FireEye TEMP.Veles 2018)(Citation: FireEye TEMP.Veles JSON April 2019)", + "modified": "2022-05-24T16:22:20.856Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "TEMP.Veles", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "x-mitre-data-component--66531bc6-a509-4868-8314-4d599e91d222", + "type": "x-mitre-data-component", + "created": "2021-10-20T15:05:19.273Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "modified": "2021-10-20T15:05:19.273Z", + "name": "Service Modification", + "description": "Changes made to a service/daemon, such as changes to name, description, and/or start type (ex: Windows EID 7040 or /var/log daemon logs)", + "x_mitre_data_source_ref": "x-mitre-data-source--d710099e-df94-4be4-bf85-cabd30e912bb", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "aliases": [ + "FIN6", + "Magecart Group 6", + "ITG08", + "Skeleton Spider" + ], + "x_mitre_domains": [ + "enterprise-attack", + "ics-attack" + ], + "x_mitre_contributors": [ + "Center for Threat-Informed Defense (CTID)", + "Drew Church, Splunk" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "intrusion-set", + "id": "intrusion-set--2a7914cf-dff3-428d-ab0f-1014d1c28aeb", + "created": "2017-05-31T21:32:06.015Z", + "x_mitre_version": "3.2", + "external_references": [ + { + "source_name": "mitre-attack", + "external_id": "G0037", + "url": "https://attack.mitre.org/groups/G0037" + }, + { + "source_name": 
"Skeleton Spider", + "description": "(Citation: Crowdstrike Global Threat Report Feb 2018)" + }, + { + "source_name": "FIN6", + "description": "(Citation: FireEye FIN6 April 2016)" + }, + { + "source_name": "Magecart Group 6", + "description": "(Citation: Security Intelligence ITG08 April 2020)" + }, + { + "source_name": "ITG08", + "description": "(Citation: Security Intelligence More Eggs Aug 2019)" + }, + { + "source_name": "Crowdstrike Global Threat Report Feb 2018", + "url": "https://crowdstrike.lookbookhq.com/global-threat-report-2018-web/cs-2018-global-threat-report", + "description": "CrowdStrike. (2018, February 26). CrowdStrike 2018 Global Threat Report. Retrieved October 10, 2018." + }, + { + "source_name": "FireEye FIN6 April 2016", + "url": "https://www2.fireeye.com/rs/848-DID-242/images/rpt-fin6.pdf", + "description": "FireEye Threat Intelligence. (2016, April). Follow the Money: Dissecting the Operations of the Cyber Crime Group FIN6. Retrieved June 1, 2016." + }, + { + "source_name": "FireEye FIN6 Apr 2019", + "url": "https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html", + "description": "McKeague, B. et al. (2019, April 5). Pick-Six: Intercepting a FIN6 Intrusion, an Actor Recently Tied to Ryuk and LockerGoga Ransomware. Retrieved April 17, 2019." + }, + { + "source_name": "Security Intelligence ITG08 April 2020", + "url": "https://securityintelligence.com/posts/itg08-aka-fin6-partners-with-trickbot-gang-uses-anchor-framework/", + "description": "Villadsen, O. (2020, April 7). ITG08 (aka FIN6) Partners With TrickBot Gang, Uses Anchor Framework. Retrieved October 8, 2020." + }, + { + "source_name": "Security Intelligence More Eggs Aug 2019", + "url": "https://securityintelligence.com/posts/more_eggs-anyone-threat-actor-itg08-strikes-again/", + "description": "Villadsen, O.. (2019, August 29). More_eggs, Anyone? Threat Actor ITG08 Strikes Again. Retrieved September 16, 2019." 
+ } + ], + "x_mitre_deprecated": false, + "revoked": false, + "description": "[FIN6](https://attack.mitre.org/groups/G0037) is a cyber crime group that has stolen payment card data and sold it for profit on underground marketplaces. This group has aggressively targeted and compromised point of sale (PoS) systems in the hospitality and retail sectors.(Citation: FireEye FIN6 April 2016)(Citation: FireEye FIN6 Apr 2019)", + "modified": "2022-06-02T20:11:01.957Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "FIN6", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "aliases": [ + "ALLANITE", + "Palmetto Fusion" + ], + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_contributors": [ + "Dragos Threat Intelligence" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "intrusion-set", + "id": "intrusion-set--190242d7-73fc-4738-af68-20162f7a5aae", + "created": "2017-05-31T21:31:57.307Z", + "x_mitre_version": "1.0", + "external_references": [ + { + "source_name": "mitre-attack", + "external_id": "G1000", + "url": "https://attack.mitre.org/groups/G1000" + }, + { + "source_name": "Dragos", + "url": "https://dragos.com/resource/allanite/", + "description": "Dragos Allanite Retrieved. 2019/10/27 " + } + ], + "x_mitre_deprecated": false, + "revoked": false, + "description": "[ALLANITE](https://attack.mitre.org/groups/G1000) is a suspected Russian cyber espionage group, that has primarily targeted the electric utility sector within the United States and United Kingdom. The group's tactics and techniques are reportedly similar to [Dragonfly](https://attack.mitre.org/groups/G0035), although [ALLANITE](https://attack.mitre.org/groups/G1000)s technical capabilities have not exhibited disruptive or destructive abilities. 
It has been suggested that the group maintains a presence in ICS for the purpose of gaining understanding of processes and to maintain persistence. (Citation: Dragos)", + "modified": "2022-05-24T19:26:10.721Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "ALLANITE", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "x-mitre-data-component--5297a638-1382-4f0c-8472-0d21830bf705", + "type": "x-mitre-data-component", + "created": "2021-10-20T15:05:19.273Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "modified": "2021-10-20T15:05:19.273Z", + "name": "Service Creation", + "description": "Initial construction of a new service/daemon (ex: Windows EID 4697 or /var/log daemon logs)", + "x_mitre_data_source_ref": "x-mitre-data-source--d710099e-df94-4be4-bf85-cabd30e912bb", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, { "modified": "2022-10-19T22:09:02.443Z", "name": "Dragonfly", 
@@ -25143,14 +25638,14 @@ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { - "modified": "2022-10-07T16:15:56.932Z", - "name": "Process Creation", - "description": "The initial construction of an executable managed by the OS, that may involve one or more tasks or threads. (e.g. Win EID 4688, Sysmon EID 1, cmd.exe > net use, etc.)", - "x_mitre_data_source_ref": "x-mitre-data-source--e8b8ede7-337b-4c0c-8c32-5c7872c1ee22", + "modified": "2022-10-07T16:16:55.269Z", + "name": "Script Execution", + "description": "The execution of a text file that contains code via the interpreter (e.g. Powershell, WMI, Windows EID 4104, etc.)", + "x_mitre_data_source_ref": "x-mitre-data-source--12c1e727-7fa4-49b6-af81-366ed2ce231e", "x_mitre_deprecated": false, "x_mitre_version": "1.1", "type": "x-mitre-data-component", - "id": "x-mitre-data-component--3d20385b-24ef-40e1-9f56-f39750379077", + "id": "x-mitre-data-component--9f387817-df83-432a-b56b-a8fb7f71eedd", "created": "2021-10-20T15:05:19.272Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, 
@@ -25161,97 +25656,197 @@ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { - "x_mitre_domains": [ - "ics-attack" - ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "modified": "2022-05-11T16:22:58.802Z", - "created": "2022-05-11T16:22:58.802Z", + "id": "x-mitre-data-component--f5468e67-51c7-4756-9b4f-65707708e7fa", "type": "x-mitre-data-component", - "id": "x-mitre-data-component--4c12c1c8-bcef-4daf-8e5b-fca235f71d9e", - "name": "Process/Event Alarm", - "description": "This includes a list of any process alarms or alerts produced to indicate unusual or concerning activity within the operational process (e.g., increased temperature/pressure)", + "created": "2021-10-20T15:05:19.275Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "modified": "2021-10-20T15:05:19.275Z", + "name": "Network Share Access", + "description": "Opening a network share, which makes the contents available to the requestor (ex: Windows EID 5140 or 5145)", + "x_mitre_data_source_ref": "x-mitre-data-source--ba27545a-9c32-47ea-ba6a-cce50f1b326e", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "x-mitre-data-component--2b3bfe19-d59a-460d-93bb-2f546adc2d2c", + "type": "x-mitre-data-component", + "created": "2021-10-20T15:05:19.273Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "modified": "2021-10-20T15:05:19.273Z", + "name": "File Creation", + "description": "Initial construction of a new file (ex: Sysmon EID 11)", + "x_mitre_data_source_ref": "x-mitre-data-source--509ed41e-ca42-461e-9058-24602256daf9", "x_mitre_version": "1.0", - "x_mitre_data_source_ref": 
"x-mitre-data-source--1b8c9f31-ad35-4850-bf8c-80c565ad3552", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { "aliases": [ - "TEMP.Veles", - "XENOTIME" + "FIN7", + "GOLD NIAGARA", + "ITG14", + "Carbon Spider" ], "x_mitre_domains": [ "enterprise-attack", "ics-attack" ], "x_mitre_contributors": [ - "Dragos Threat Intelligence" + "Edward Millington" ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "type": "intrusion-set", - "id": "intrusion-set--9538b1a4-4120-4e2d-bf59-3b11fcab05a4", - "created": "2019-04-16T15:14:38.533Z", - "x_mitre_version": "1.3", + "id": "intrusion-set--3753cc21-2dae-4dfb-8481-d004e74502cc", + "created": "2017-05-31T21:32:09.460Z", + "x_mitre_version": "2.1", "external_references": [ { "source_name": "mitre-attack", - "external_id": "G0088", - "url": "https://attack.mitre.org/groups/G0088" + "external_id": "G0046", + "url": "https://attack.mitre.org/groups/G0046" }, { - "source_name": "TEMP.Veles", - "description": "(Citation: FireEye TRITON 2019)" + "source_name": "Carbon Spider", + "description": "(Citation: CrowdStrike Carbon Spider August 2021)" }, { - "source_name": "Dragos Xenotime 2018", - "url": "https://dragos.com/resource/xenotime/", - "description": "Dragos, Inc.. (n.d.). Xenotime. Retrieved April 16, 2019." + "source_name": "FIN7", + "description": "(Citation: FireEye FIN7 March 2017) (Citation: FireEye FIN7 April 2017) (Citation: Morphisec FIN7 June 2017) (Citation: FireEye FIN7 Shim Databases) (Citation: FireEye FIN7 Aug 2018)" }, { - "source_name": "FireEye TEMP.Veles 2018", - "url": "https://www.fireeye.com/blog/threat-research/2018/10/triton-attribution-russian-government-owned-lab-most-likely-built-tools.html ", - "description": "FireEye Intelligence . (2018, October 23). TRITON Attribution: Russian Government-Owned Lab Most Likely Built Custom Intrusion Tools for TRITON Attackers. Retrieved April 16, 2019." 
+ "source_name": "GOLD NIAGARA", + "description": "(Citation: Secureworks GOLD NIAGARA Threat Profile)" }, { - "source_name": "FireEye TEMP.Veles 2018 ", - "url": "https://www.fireeye.com/blog/threat-research/2018/10/triton-attribution-russian-government-owned-lab-most-likely-built-tools.html", - "description": "FireEye Intelligence . (2018, October 23). TRITON Attribution: Russian Government-Owned Lab Most Likely Built Custom Intrusion Tools for TRITON Attackers. Retrieved April 16, 2019." + "source_name": "FireEye CARBANAK June 2017", + "url": "https://www.fireeye.com/blog/threat-research/2017/06/behind-the-carbanak-backdoor.html", + "description": "Bennett, J., Vengerik, B. (2017, June 12). Behind the CARBANAK Backdoor. Retrieved June 11, 2018." }, { - "source_name": "FireEye TRITON 2019", - "url": "https://www.fireeye.com/blog/threat-research/2019/04/triton-actor-ttp-profile-custom-attack-tools-detections.html", - "description": "Miller, S, et al. (2019, April 10). TRITON Actor TTP Profile, Custom Attack Tools, Detections, and ATT&CK Mapping. Retrieved April 16, 2019." + "source_name": "FireEye FIN7 April 2017", + "url": "https://www.fireeye.com/blog/threat-research/2017/04/fin7-phishing-lnk.html", + "description": "Carr, N., et al. (2017, April 24). FIN7 Evolution and the Phishing LNK. Retrieved April 24, 2017." }, { - "source_name": "FireEye TEMP.Veles JSON April 2019", - "url": "https://www.fireeye.com/content/dam/fireeye-www/blog/files/TRITON_Appendix_C.html", - "description": "Miller, S., et al. (2019, April 10). TRITON Appendix C. Retrieved April 29, 2019." + "source_name": "FireEye FIN7 Aug 2018", + "url": "https://www.fireeye.com/blog/threat-research/2018/08/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation.html", + "description": "Carr, N., et al. (2018, August 01). On the Hunt for FIN7: Pursuing an Enigmatic and Evasive Global Criminal Operation. Retrieved August 23, 2018." 
}, { - "source_name": "Pylos Xenotime 2019", - "url": "https://pylos.co/2019/04/12/a-xenotime-to-remember-veles-in-the-wild/", - "description": "Slowik, J.. (2019, April 12). A XENOTIME to Remember: Veles in the Wild. Retrieved April 16, 2019." + "source_name": "Secureworks GOLD NIAGARA Threat Profile", + "url": "https://www.secureworks.com/research/threat-profiles/gold-niagara", + "description": "CTU. (n.d.). GOLD NIAGARA. Retrieved September 21, 2021." }, { - "source_name": "XENOTIME", - "description": "The activity group XENOTIME, as defined by Dragos, has overlaps with activity reported upon by FireEye about TEMP.Veles as well as the actors behind [TRITON](https://attack.mitre.org/software/S0609) .(Citation: Dragos Xenotime 2018)(Citation: Pylos Xenotime 2019)(Citation: FireEye TRITON 2019)(Citation: FireEye TEMP.Veles 2018 )" + "source_name": "FireEye FIN7 Shim Databases", + "url": "https://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persistence.html", + "description": "Erickson, J., McWhirt, M., Palombo, D. (2017, May 3). To SDB, Or Not To SDB: FIN7 Leveraging Shim Databases for Persistence. Retrieved July 18, 2017." + }, + { + "source_name": "Morphisec FIN7 June 2017", + "url": "http://blog.morphisec.com/fin7-attacks-restaurant-industry", + "description": "Gorelik, M.. (2017, June 9). FIN7 Takes Another Bite at the Restaurant Industry. Retrieved July 13, 2017." + }, + { + "source_name": "ITG14", + "description": "ITG14 shares campaign overlap with [FIN7](https://attack.mitre.org/groups/G0046).(Citation: IBM Ransomware Trends September 2020)" + }, + { + "source_name": "CrowdStrike Carbon Spider August 2021", + "url": "https://www.crowdstrike.com/blog/carbon-spider-embraces-big-game-hunting-part-1/", + "description": "Loui, E. and Reynolds, J. (2021, August 30). CARBON SPIDER Embraces Big Game Hunting, Part 1. Retrieved September 20, 2021." 
+ }, + { + "source_name": "FireEye FIN7 March 2017", + "url": "https://web.archive.org/web/20180808125108/https:/www.fireeye.com/blog/threat-research/2017/03/fin7_spear_phishing.html", + "description": "Miller, S., et al. (2017, March 7). FIN7 Spear Phishing Campaign Targets Personnel Involved in SEC Filings. Retrieved March 8, 2017." + }, + { + "source_name": "IBM Ransomware Trends September 2020", + "url": "https://securityintelligence.com/posts/ransomware-2020-attack-trends-new-techniques-affecting-organizations-worldwide/", + "description": "Singleton, C. and Kiefer, C. (2020, September 28). Ransomware 2020: Attack Trends Affecting Organizations Worldwide. Retrieved September 20, 2021." } ], "x_mitre_deprecated": false, "revoked": false, - "description": "[TEMP.Veles](https://attack.mitre.org/groups/G0088) is a Russia-based threat group that has targeted critical infrastructure. The group has been observed utilizing [TRITON](https://attack.mitre.org/software/S0609), a malware framework designed to manipulate industrial safety systems.(Citation: FireEye TRITON 2019)(Citation: FireEye TEMP.Veles 2018)(Citation: FireEye TEMP.Veles JSON April 2019)", - "modified": "2022-05-24T16:22:20.856Z", + "description": "[FIN7](https://attack.mitre.org/groups/G0046) is a financially-motivated threat group that has been active since 2013 primarily targeting the U.S. retail, restaurant, and hospitality sectors, often using point-of-sale malware. A portion of [FIN7](https://attack.mitre.org/groups/G0046) was run out of a front company called Combi Security. Since 2020 [FIN7](https://attack.mitre.org/groups/G0046) shifted operations to a big game hunting (BGH) approach including use of [REvil](https://attack.mitre.org/software/S0496) ransomware and their own Ransomware as a Service (RaaS), Darkside. 
[FIN7](https://attack.mitre.org/groups/G0046) may be linked to the [Carbanak](https://attack.mitre.org/groups/G0008) Group, but there appears to be several groups using [Carbanak](https://attack.mitre.org/software/S0030) malware and are therefore tracked separately.(Citation: FireEye FIN7 March 2017)(Citation: FireEye FIN7 April 2017)(Citation: FireEye CARBANAK June 2017)(Citation: FireEye FIN7 Aug 2018)(Citation: CrowdStrike Carbon Spider August 2021)", + "modified": "2022-07-20T20:06:44.706Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "name": "TEMP.Veles", + "name": "FIN7", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "x-mitre-data-component--235b7491-2d2b-4617-9a52-3c0783680f71", + "type": "x-mitre-data-component", + "created": "2021-10-20T15:05:19.273Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "modified": "2021-10-20T15:05:19.273Z", + "name": "File Access", + "description": "Opening a file, which makes the file contents available to the requestor (ex: Windows EID 4663)", + "x_mitre_data_source_ref": "x-mitre-data-source--509ed41e-ca42-461e-9058-24602256daf9", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "aliases": [ + "GOLD SOUTHFIELD" + ], + "x_mitre_domains": [ + "enterprise-attack", + "ics-attack" + ], + "x_mitre_contributors": [ + "Thijn Bukkems, Amazon" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "intrusion-set--c77c5576-ca19-42ed-a36f-4b4486a84133", + "type": "intrusion-set", + "created": "2020-09-22T19:41:27.845Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "external_id": "G0115", + 
"source_name": "mitre-attack", + "url": "https://attack.mitre.org/groups/G0115" + }, + { + "source_name": "Secureworks REvil September 2019", + "url": "https://www.secureworks.com/research/revil-sodinokibi-ransomware", + "description": "Counter Threat Unit Research Team. (2019, September 24). REvil/Sodinokibi Ransomware. Retrieved August 4, 2020." + }, + { + "source_name": "Secureworks GandCrab and REvil September 2019", + "url": "https://www.secureworks.com/blog/revil-the-gandcrab-connection", + "description": "Secureworks . (2019, September 24). REvil: The GandCrab Connection. Retrieved August 4, 2020." + }, + { + "source_name": "Secureworks GOLD SOUTHFIELD", + "url": "https://www.secureworks.com/research/threat-profiles/gold-southfield", + "description": "Secureworks. (n.d.). GOLD SOUTHFIELD. Retrieved October 6, 2020." + } + ], + "modified": "2021-04-26T12:52:34.528Z", + "name": "GOLD SOUTHFIELD", + "description": "[GOLD SOUTHFIELD](https://attack.mitre.org/groups/G0115) is a financially motivated threat group active since at least 2019 that operates the [REvil](https://attack.mitre.org/software/S0496) Ransomware-as-a Service (RaaS). [GOLD SOUTHFIELD](https://attack.mitre.org/groups/G0115) provides backend infrastructure for affiliates recruited on underground forums to perpetrate high value deployments.(Citation: Secureworks REvil September 2019)(Citation: Secureworks GandCrab and REvil September 2019)(Citation: Secureworks GOLD SOUTHFIELD)", + "x_mitre_version": "1.1", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, { "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" 
@@ -25268,6 +25863,131 @@ "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "x-mitre-data-component--e905dad2-00d6-477c-97e8-800427abd0e8", + "type": "x-mitre-data-component", + "created": "2021-10-20T15:05:19.273Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "modified": "2022-03-30T14:26:51.805Z", + "name": "File Deletion", + "description": "Removal of a file (ex: Sysmon EID 23, macOS ESF EID ES_EVENT_TYPE_AUTH_UNLINK, or Linux commands auditd unlink, rename, rmdir, unlinked, or renameat rules)", + "x_mitre_data_source_ref": "x-mitre-data-source--509ed41e-ca42-461e-9058-24602256daf9", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "x-mitre-data-component--ee575f4a-2d4f-48f6-b18b-89067760adc1", + "type": "x-mitre-data-component", + "created": "2021-10-20T15:05:19.272Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "modified": "2021-10-20T15:05:19.272Z", + "name": "Process Metadata", + "description": "Contextual data about a running process, which may include information such as environment variables, image name, user/owner, etc.", + "x_mitre_data_source_ref": "x-mitre-data-source--e8b8ede7-337b-4c0c-8c32-5c7872c1ee22", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "x-mitre-data-component--da85d358-741a-410d-9433-20d6269a6170", + "type": "x-mitre-data-component", + "created": "2021-10-20T15:05:19.273Z", + "created_by_ref": 
"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "modified": "2021-10-20T15:05:19.273Z", + "name": "Windows Registry Key Modification", + "description": "Changes made to a Registry Key and/or Key value (ex: Windows EID 4657 or Sysmon EID 13|14)", + "x_mitre_data_source_ref": "x-mitre-data-source--0f42a24c-e035-4f93-a91c-5f7076bd8da0", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "aliases": [ + "Wizard Spider", + "UNC1878", + "TEMP.MixMaster", + "Grim Spider" + ], + "x_mitre_domains": [ + "enterprise-attack", + "ics-attack" + ], + "x_mitre_contributors": [ + "Edward Millington", + "Oleksiy Gayda" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "intrusion-set--dd2d9ca6-505b-4860-a604-233685b802c7", + "type": "intrusion-set", + "created": "2020-05-12T18:15:29.396Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "external_id": "G0102", + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/groups/G0102" + }, + { + "source_name": "UNC1878", + "description": "(Citation: FireEye KEGTAP SINGLEMALT October 2020)" + }, + { + "source_name": "TEMP.MixMaster", + "description": "(Citation: FireEye Ryuk and Trickbot January 2019)" + }, + { + "source_name": "Grim Spider", + "description": "(Citation: CrowdStrike Ryuk January 2019)(Citation: CrowdStrike Grim Spider May 2019)" + }, + { + "source_name": "CrowdStrike Ryuk January 2019", + "url": "https://www.crowdstrike.com/blog/big-game-hunting-with-ryuk-another-lucrative-targeted-ransomware/", + "description": "Hanel, A. (2019, January 10). Big Game Hunting with Ryuk: Another Lucrative Targeted Ransomware. Retrieved May 12, 2020." 
+ }, + { + "source_name": "DHS/CISA Ransomware Targeting Healthcare October 2020", + "url": "https://us-cert.cisa.gov/ncas/alerts/aa20-302a", + "description": "DHS/CISA. (2020, October 28). Ransomware Activity Targeting the Healthcare and Public Health Sector. Retrieved October 28, 2020." + }, + { + "source_name": "CrowdStrike Wizard Spider October 2020", + "url": "https://www.crowdstrike.com/blog/wizard-spider-adversary-update/", + "description": "Podlosky, A., Hanel, A. et al. (2020, October 16). WIZARD SPIDER Update: Resilient, Reactive and Resolute. Retrieved June 15, 2021." + }, + { + "source_name": "FireEye KEGTAP SINGLEMALT October 2020", + "url": "https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html", + "description": "Kimberly Goody, Jeremy Kennelly, Joshua Shilko, Steve Elovitz, Douglas Bienstock. (2020, October 28). Unhappy Hour Special: KEGTAP and SINGLEMALT With a Ransomware Chaser. Retrieved October 28, 2020." + }, + { + "source_name": "FireEye Ryuk and Trickbot January 2019", + "url": "https://www.fireeye.com/blog/threat-research/2019/01/a-nasty-trick-from-credential-theft-malware-to-business-disruption.html", + "description": "Goody, K., et al (2019, January 11). A Nasty Trick: From Credential Theft Malware to Business Disruption. Retrieved May 12, 2020." + }, + { + "source_name": "CrowdStrike Grim Spider May 2019", + "url": "https://www.crowdstrike.com/blog/timelining-grim-spiders-big-game-hunting-tactics/", + "description": "John, E. and Carvey, H. (2019, May 30). Unraveling the Spiderweb: Timelining ATT&CK Artifacts Used by GRIM SPIDER. Retrieved May 12, 2020." + } + ], + "modified": "2021-10-14T17:27:41.194Z", + "name": "Wizard Spider", + "description": "[Wizard Spider](https://attack.mitre.org/groups/G0102) is a Russia-based financially motivated threat group originally known for the creation and deployment of [TrickBot](https://attack.mitre.org/software/S0266) since at least 2016. 
[Wizard Spider](https://attack.mitre.org/groups/G0102) possesses a diverse arsenal of tools and has conducted ransomware campaigns against a variety of organizations, ranging from major corporations to hospitals.(Citation: CrowdStrike Ryuk January 2019)(Citation: DHS/CISA Ransomware Targeting Healthcare October 2020)(Citation: CrowdStrike Wizard Spider October 2020)", + "x_mitre_version": "2.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, { "aliases": [ "Lazarus Group", @@ -25367,6 +26087,22 @@ "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "x-mitre-data-component--74fa567d-bc90-425c-8a41-3c703abb221c", + "type": "x-mitre-data-component", + "created": "2021-10-20T15:05:19.273Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "modified": "2021-10-20T15:05:19.273Z", + "name": "Service Metadata", + "description": "Contextual data about a service/daemon, which may include information such as name, service executable, start type, etc.", + "x_mitre_data_source_ref": "x-mitre-data-source--d710099e-df94-4be4-bf85-cabd30e912bb", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, { "modified": "2022-10-21T15:56:01.070Z", "name": "Oldsmar Treatment Plant Intrusion", 
@@ -25417,15 +26153,86 @@ ] }, { - "modified": "2022-10-07T16:18:20.802Z", - "name": "Logon Session Creation", - "description": "Initial construction of a successful new user logon following an authentication attempt. (e.g. Windows EID 4624, /var/log/utmp, or /var/log/wmtp)", - "x_mitre_data_source_ref": "x-mitre-data-source--4358c631-e253-4557-86df-f687d0ef9891", + "aliases": [ + "APT33", + "HOLMIUM", + "Elfin" + ], + "x_mitre_domains": [ + "enterprise-attack", + "ics-attack" + ], + "x_mitre_contributors": [ + "Dragos Threat Intelligence" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "type": "intrusion-set", + "id": "intrusion-set--fbd29c89-18ba-4c2d-b792-51c0adee049f", + "created": "2018-04-18T17:59:24.739Z", + "x_mitre_version": "1.4", + "external_references": [ + { + "source_name": "mitre-attack", + "external_id": "G0064", + "url": "https://attack.mitre.org/groups/G0064" + }, + { + "source_name": "APT33", + "description": "(Citation: FireEye APT33 Sept 2017) (Citation: FireEye APT33 Webinar Sept 2017)" + }, + { + "source_name": "HOLMIUM", + "description": "(Citation: Microsoft Holmium June 2020)" + }, + { + "source_name": "Elfin", + "description": "(Citation: Symantec Elfin Mar 2019)" + }, + { + "source_name": "FireEye APT33 Webinar Sept 2017", + "url": "https://www.brighttalk.com/webcast/10703/275683", + "description": "Davis, S. and Carr, N. (2017, September 21). APT33: New Insights into Iranian Cyber Espionage Group. Retrieved February 15, 2018." + }, + { + "source_name": "Microsoft Holmium June 2020", + "url": "https://www.microsoft.com/security/blog/2020/06/18/inside-microsoft-threat-protection-mapping-attack-chains-from-cloud-to-endpoint/", + "description": "Microsoft Threat Protection Intelligence Team. (2020, June 18). Inside Microsoft Threat Protection: Mapping attack chains from cloud to endpoint. Retrieved June 22, 2020." 
+ }, + { + "source_name": "FireEye APT33 Sept 2017", + "url": "https://www.fireeye.com/blog/threat-research/2017/09/apt33-insights-into-iranian-cyber-espionage.html", + "description": "O'Leary, J., et al. (2017, September 20). Insights into Iranian Cyber Espionage: APT33 Targets Aerospace and Energy Sectors and has Ties to Destructive Malware. Retrieved February 15, 2018." + }, + { + "source_name": "Symantec Elfin Mar 2019", + "url": "https://www.symantec.com/blogs/threat-intelligence/elfin-apt33-espionage", + "description": "Security Response attack Investigation Team. (2019, March 27). Elfin: Relentless Espionage Group Targets Multiple Organizations in Saudi Arabia and U.S.. Retrieved April 10, 2019." + } + ], "x_mitre_deprecated": false, - "x_mitre_version": "1.1", + "revoked": false, + "description": "[APT33](https://attack.mitre.org/groups/G0064) is a suspected Iranian threat group that has carried out operations since at least 2013. The group has targeted organizations across multiple industries in the United States, Saudi Arabia, and South Korea, with a particular interest in the aviation and energy sectors. 
(Citation: FireEye APT33 Sept 2017) (Citation: FireEye APT33 Webinar Sept 2017)", + "modified": "2022-05-23T21:22:08.170Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "name": "APT33", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "modified": "2022-10-21T21:47:58.629Z", + "name": "Asset Inventory", + "description": "This includes sources of current and expected devices on the network, including the manufacturer, model, and necessary identifiers (e.g., IP and hardware addresses)", + "x_mitre_data_source_ref": "x-mitre-data-source--b1717cb4-d536-4e2b-b5e5-07e67e26183c", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_version": "1.0", "type": "x-mitre-data-component", - "id": "x-mitre-data-component--9ce98c86-8d30-4043-ba54-0784d478d0b5", - "created": "2021-10-20T15:05:19.274Z", + "id": "x-mitre-data-component--b05a614b-033c-4578-b4f2-c63a9feee706", + "created": "2022-09-23T16:34:00.912Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": [ 
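Review bot: The added `Asset Inventory` data component declares only `"x_mitre_domains": ["enterprise-attack"]`, although the commit subject marks this as the ICS release and the APT33 intrusion set added just above it lists both `enterprise-attack` and `ics-attack`. A consumer that builds an ICS detection-coverage view by keeping objects whose `x_mitre_domains` contains `ics-attack` would presumably drop this component without any error, along with whatever relationships point at it. If the component is meant to be usable from the ICS matrix, the array should read `"x_mitre_domains": ["enterprise-attack", "ics-attack"]`; if it is not, its presence in this file is worth confirming against the upstream knowledge base. The object's remaining fields sit in context lines that run into the next hunk.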
@@ -25435,37 +26242,20 @@ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { - "x_mitre_domains": [ - "ics-attack" - ], + "modified": "2022-10-07T16:19:46.282Z", + "name": "User Account Authentication", + "description": "An attempt by a user to gain access to a network or computing resource, often by providing credentials (ex: Windows EID 4776 or /var/log/auth.log)", + "x_mitre_data_source_ref": "x-mitre-data-source--0b4f86ed-f4ab-46a3-8ed1-175be1974da6", + "x_mitre_deprecated": false, + "x_mitre_version": "1.1", + "type": "x-mitre-data-component", + "id": "x-mitre-data-component--a953ca55-921a-44f7-9b8d-3d40141aa17e", + "created": "2021-10-20T15:05:19.271Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "modified": "2022-05-11T16:22:58.802Z", - "created": "2022-05-11T16:22:58.802Z", - "type": "x-mitre-data-component", - "id": "x-mitre-data-component--931b3fc6-ad68-42a8-9018-e98515eedc95", - "name": "Process History/Live Data", - "description": "This includes any data stores that maintain historical or real-time events and telemetry recorded from various sensors or devices", - "x_mitre_version": "1.0", - "x_mitre_data_source_ref": "x-mitre-data-source--1b8c9f31-ad35-4850-bf8c-80c565ad3552", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "x-mitre-data-component--da85d358-741a-410d-9433-20d6269a6170", - "type": "x-mitre-data-component", - "created": "2021-10-20T15:05:19.273Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "modified": "2021-10-20T15:05:19.273Z", - "name": "Windows Registry Key Modification", - "description": "Changes 
made to a Registry Key and/or Key value (ex: Windows EID 4657 or Sysmon EID 13|14)", - "x_mitre_data_source_ref": "x-mitre-data-source--0f42a24c-e035-4f93-a91c-5f7076bd8da0", - "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, 
@@ -25560,156 +26350,15 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "id": "x-mitre-data-component--2b3bfe19-d59a-460d-93bb-2f546adc2d2c", + "id": "x-mitre-data-component--7b375092-3a61-448d-900a-77c9a4bde4dc", "type": "x-mitre-data-component", - "created": "2021-10-20T15:05:19.273Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "modified": "2021-10-20T15:05:19.273Z", - "name": "File Creation", - "description": "Initial construction of a new file (ex: Sysmon EID 11)", - "x_mitre_data_source_ref": "x-mitre-data-source--509ed41e-ca42-461e-9058-24602256daf9", - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "modified": "2022-10-20T20:18:06.745Z", - "name": "Network Connection Creation", - "description": "Initial construction of a network connection, such as capturing socket information with a source/destination IP and port(s) (ex: Windows EID 5156, Sysmon EID 3, or Zeek conn.log)", - "x_mitre_data_source_ref": "x-mitre-data-source--c000cd5c-bbb3-4606-af6f-6c6d9de0bbe3", - "x_mitre_deprecated": false, - "x_mitre_version": "1.1", - "type": "x-mitre-data-component", - "id": "x-mitre-data-component--181a9f8c-c780-4f1f-91a8-edb770e904ba", - "created": "2021-10-20T15:05:19.274Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e", - "type": "x-mitre-data-component", - "created": "2021-10-20T15:05:19.272Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - 
"modified": "2022-03-30T14:26:51.806Z", - "name": "OS API Execution", - "description": "Initial construction of a WMI object, such as a filter, consumer, subscription, binding, or provider (ex: Sysmon EIDs 19-21)", - "x_mitre_data_source_ref": "x-mitre-data-source--e8b8ede7-337b-4c0c-8c32-5c7872c1ee22", - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "modified": "2022-10-21T21:47:33.604Z", - "name": "Software", - "description": "This includes sources of current and expected software or application programs deployed to a device, along with information on the version and patch level for vendor products, full source code for any application programs, and unique identifiers (e.g., hashes, signatures).", - "x_mitre_data_source_ref": "x-mitre-data-source--b1717cb4-d536-4e2b-b5e5-07e67e26183c", - "x_mitre_deprecated": false, - "x_mitre_domains": [ - "enterprise-attack" - ], - "x_mitre_version": "1.0", - "type": "x-mitre-data-component", - "id": "x-mitre-data-component--8ed4e6d0-56d7-4e6b-8fa6-41f41631f30d", - "created": "2022-09-23T16:36:08.632Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "aliases": [ - "APT33", - "HOLMIUM", - "Elfin" - ], - "x_mitre_domains": [ - "enterprise-attack", - "ics-attack" - ], - "x_mitre_contributors": [ - "Dragos Threat Intelligence" - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "intrusion-set", - "id": "intrusion-set--fbd29c89-18ba-4c2d-b792-51c0adee049f", - "created": "2018-04-18T17:59:24.739Z", - "x_mitre_version": "1.4", - "external_references": [ - { - "source_name": "mitre-attack", - "external_id": 
"G0064", - "url": "https://attack.mitre.org/groups/G0064" - }, - { - "source_name": "APT33", - "description": "(Citation: FireEye APT33 Sept 2017) (Citation: FireEye APT33 Webinar Sept 2017)" - }, - { - "source_name": "HOLMIUM", - "description": "(Citation: Microsoft Holmium June 2020)" - }, - { - "source_name": "Elfin", - "description": "(Citation: Symantec Elfin Mar 2019)" - }, - { - "source_name": "FireEye APT33 Webinar Sept 2017", - "url": "https://www.brighttalk.com/webcast/10703/275683", - "description": "Davis, S. and Carr, N. (2017, September 21). APT33: New Insights into Iranian Cyber Espionage Group. Retrieved February 15, 2018." - }, - { - "source_name": "Microsoft Holmium June 2020", - "url": "https://www.microsoft.com/security/blog/2020/06/18/inside-microsoft-threat-protection-mapping-attack-chains-from-cloud-to-endpoint/", - "description": "Microsoft Threat Protection Intelligence Team. (2020, June 18). Inside Microsoft Threat Protection: Mapping attack chains from cloud to endpoint. Retrieved June 22, 2020." - }, - { - "source_name": "FireEye APT33 Sept 2017", - "url": "https://www.fireeye.com/blog/threat-research/2017/09/apt33-insights-into-iranian-cyber-espionage.html", - "description": "O'Leary, J., et al. (2017, September 20). Insights into Iranian Cyber Espionage: APT33 Targets Aerospace and Energy Sectors and has Ties to Destructive Malware. Retrieved February 15, 2018." - }, - { - "source_name": "Symantec Elfin Mar 2019", - "url": "https://www.symantec.com/blogs/threat-intelligence/elfin-apt33-espionage", - "description": "Security Response attack Investigation Team. (2019, March 27). Elfin: Relentless Espionage Group Targets Multiple Organizations in Saudi Arabia and U.S.. Retrieved April 10, 2019." - } - ], - "x_mitre_deprecated": false, - "revoked": false, - "description": "[APT33](https://attack.mitre.org/groups/G0064) is a suspected Iranian threat group that has carried out operations since at least 2013. 
The group has targeted organizations across multiple industries in the United States, Saudi Arabia, and South Korea, with a particular interest in the aviation and energy sectors. (Citation: FireEye APT33 Sept 2017) (Citation: FireEye APT33 Webinar Sept 2017)", - "modified": "2022-05-23T21:22:08.170Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "name": "APT33", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "modified": "2022-10-07T16:19:46.282Z", - "name": "User Account Authentication", - "description": "An attempt by a user to gain access to a network or computing resource, often by providing credentials (ex: Windows EID 4776 or /var/log/auth.log)", - "x_mitre_data_source_ref": "x-mitre-data-source--0b4f86ed-f4ab-46a3-8ed1-175be1974da6", - "x_mitre_deprecated": false, - "x_mitre_version": "1.1", - "type": "x-mitre-data-component", - "id": "x-mitre-data-component--a953ca55-921a-44f7-9b8d-3d40141aa17e", "created": "2021-10-20T15:05:19.271Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], + "modified": "2021-10-20T15:05:19.271Z", + "name": "Scheduled Job Metadata", + "description": "Contextual data about a scheduled job, which may include information such as name, timing, command(s), etc.", + "x_mitre_data_source_ref": "x-mitre-data-source--c9ddfb51-eb45-4e22-b614-44ac1caa7883", + "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, 
@@ -25717,306 +26366,30 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "id": "x-mitre-data-component--235b7491-2d2b-4617-9a52-3c0783680f71", + "id": "x-mitre-data-component--39b9db72-8b48-4595-a18d-db5bbba3091b", + "type": "x-mitre-data-component", + "created": "2021-10-20T15:05:19.274Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "modified": "2021-10-20T15:05:19.274Z", + "name": "Logon Session Metadata", + "description": "Contextual data about a logon session, such as username, logon type, access tokens (security context, user SIDs, logon identifiers, and logon SID), and any activity associated within it", + "x_mitre_data_source_ref": "x-mitre-data-source--4358c631-e253-4557-86df-f687d0ef9891", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "x-mitre-data-component--1177a4c5-31c8-400c-8544-9071166afa0e", "type": "x-mitre-data-component", "created": "2021-10-20T15:05:19.273Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "modified": "2021-10-20T15:05:19.273Z", - "name": "File Access", - "description": "Opening a file, which makes the file contents available to the requestor (ex: Windows EID 4663)", - "x_mitre_data_source_ref": "x-mitre-data-source--509ed41e-ca42-461e-9058-24602256daf9", - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "modified": "2022-10-07T16:16:55.269Z", - "name": "Script Execution", - "description": "The execution of a text file that contains code via the interpreter (e.g. 
Powershell, WMI, Windows EID 4104, etc.)", - "x_mitre_data_source_ref": "x-mitre-data-source--12c1e727-7fa4-49b6-af81-366ed2ce231e", - "x_mitre_deprecated": false, - "x_mitre_version": "1.1", - "type": "x-mitre-data-component", - "id": "x-mitre-data-component--9f387817-df83-432a-b56b-a8fb7f71eedd", - "created": "2021-10-20T15:05:19.272Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "modified": "2022-10-21T21:47:58.629Z", - "name": "Asset Inventory", - "description": "This includes sources of current and expected devices on the network, including the manufacturer, model, and necessary identifiers (e.g., IP and hardware addresses)", - "x_mitre_data_source_ref": "x-mitre-data-source--b1717cb4-d536-4e2b-b5e5-07e67e26183c", - "x_mitre_deprecated": false, - "x_mitre_domains": [ - "enterprise-attack" - ], - "x_mitre_version": "1.0", - "type": "x-mitre-data-component", - "id": "x-mitre-data-component--b05a614b-033c-4578-b4f2-c63a9feee706", - "created": "2022-09-23T16:34:00.912Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "aliases": [ - "OilRig", - "COBALT GYPSY", - "IRN2", - "APT34", - "Helix Kitten" - ], - "x_mitre_domains": [ - "enterprise-attack", - "ics-attack" - ], - "x_mitre_contributors": [ - "Robert Falcone", - "Bryan Lee", - "Dragos Threat Intelligence" - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "intrusion-set", - "id": 
"intrusion-set--4ca1929c-7d64-4aab-b849-badbfc0c760d", - "created": "2017-12-14T16:46:06.044Z", - "x_mitre_version": "3.0", - "external_references": [ - { - "source_name": "mitre-attack", - "external_id": "G0049", - "url": "https://attack.mitre.org/groups/G0049" - }, - { - "source_name": "IRN2", - "description": "(Citation: Crowdstrike Helix Kitten Nov 2018)" - }, - { - "source_name": "OilRig", - "description": "(Citation: Palo Alto OilRig April 2017) (Citation: ClearSky OilRig Jan 2017) (Citation: Palo Alto OilRig May 2016) (Citation: Palo Alto OilRig Oct 2016) (Citation: Unit 42 Playbook Dec 2017) (Citation: Unit 42 QUADAGENT July 2018)" - }, - { - "source_name": "COBALT GYPSY", - "description": "(Citation: Secureworks COBALT GYPSY Threat Profile)" - }, - { - "source_name": "Helix Kitten", - "description": "(Citation: Unit 42 QUADAGENT July 2018)(Citation: Crowdstrike Helix Kitten Nov 2018)" - }, - { - "source_name": "Check Point APT34 April 2021", - "url": "https://research.checkpoint.com/2021/irans-apt34-returns-with-an-updated-arsenal/", - "description": "Check Point. (2021, April 8). Iran’s APT34 Returns with an Updated Arsenal. Retrieved May 5, 2021." - }, - { - "source_name": "ClearSky OilRig Jan 2017", - "url": "http://www.clearskysec.com/oilrig/", - "description": "ClearSky Cybersecurity. (2017, January 5). Iranian Threat Agent OilRig Delivers Digitally Signed Malware, Impersonates University of Oxford. Retrieved May 3, 2017." - }, - { - "source_name": "Palo Alto OilRig May 2016", - "url": "http://researchcenter.paloaltonetworks.com/2016/05/the-oilrig-campaign-attacks-on-saudi-arabian-organizations-deliver-helminth-backdoor/", - "description": "Falcone, R. and Lee, B.. (2016, May 26). The OilRig Campaign: Attacks on Saudi Arabian Organizations Deliver Helminth Backdoor. Retrieved May 3, 2017." 
- }, - { - "source_name": "Palo Alto OilRig April 2017", - "url": "http://researchcenter.paloaltonetworks.com/2017/04/unit42-oilrig-actors-provide-glimpse-development-testing-efforts/", - "description": "Falcone, R.. (2017, April 27). OilRig Actors Provide a Glimpse into Development and Testing Efforts. Retrieved May 3, 2017." - }, - { - "source_name": "Palo Alto OilRig Oct 2016", - "url": "http://researchcenter.paloaltonetworks.com/2016/10/unit42-oilrig-malware-campaign-updates-toolset-and-expands-targets/", - "description": "Grunzweig, J. and Falcone, R.. (2016, October 4). OilRig Malware Campaign Updates Toolset and Expands Targets. Retrieved May 3, 2017." - }, - { - "source_name": "Unit 42 QUADAGENT July 2018", - "url": "https://researchcenter.paloaltonetworks.com/2018/07/unit42-oilrig-targets-technology-service-provider-government-agency-quadagent/", - "description": "Lee, B., Falcone, R. (2018, July 25). OilRig Targets Technology Service Provider and Government Agency with QUADAGENT. Retrieved August 9, 2018." - }, - { - "source_name": "Crowdstrike Helix Kitten Nov 2018", - "url": "https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-november-helix-kitten/", - "description": "Meyers, A. (2018, November 27). Meet CrowdStrike’s Adversary of the Month for November: HELIX KITTEN. Retrieved December 18, 2018." - }, - { - "source_name": "FireEye APT34 Dec 2017", - "url": "https://www.fireeye.com/blog/threat-research/2017/12/targeted-attack-in-middle-east-by-apt34.html", - "description": "Sardiwal, M, et al. (2017, December 7). New Targeted Attack in the Middle East by APT34, a Suspected Iranian Threat Group, Using CVE-2017-11882 Exploit. Retrieved December 20, 2017." - }, - { - "source_name": "Secureworks COBALT GYPSY Threat Profile", - "url": "https://www.secureworks.com/research/threat-profiles/cobalt-gypsy", - "description": "Secureworks. (n.d.). COBALT GYPSY Threat Profile. Retrieved April 14, 2021." 
- }, - { - "source_name": "APT34", - "description": "This group was previously tracked under two distinct groups, APT34 and OilRig, but was combined due to additional reporting giving higher confidence about the overlap of the activity. (Citation: Unit 42 QUADAGENT July 2018) (Citation: FireEye APT34 Dec 2017)(Citation: Check Point APT34 April 2021)" - }, - { - "source_name": "Unit 42 Playbook Dec 2017", - "url": "https://pan-unit42.github.io/playbook_viewer/", - "description": "Unit 42. (2017, December 15). Unit 42 Playbook Viewer. Retrieved December 20, 2017." - } - ], - "x_mitre_deprecated": false, - "revoked": false, - "description": "[OilRig](https://attack.mitre.org/groups/G0049) is a suspected Iranian threat group that has targeted Middle Eastern and international victims since at least 2014. The group has targeted a variety of sectors, including financial, government, energy, chemical, and telecommunications. It appears the group carries out supply chain attacks, leveraging the trust relationship between organizations to attack their primary targets. 
FireEye assesses that the group works on behalf of the Iranian government based on infrastructure details that contain references to Iran, use of Iranian infrastructure, and targeting that aligns with nation-state interests.(Citation: Palo Alto OilRig April 2017)(Citation: ClearSky OilRig Jan 2017)(Citation: Palo Alto OilRig May 2016)(Citation: Palo Alto OilRig Oct 2016)(Citation: Unit 42 Playbook Dec 2017)(Citation: FireEye APT34 Dec 2017)(Citation: Unit 42 QUADAGENT July 2018)", - "modified": "2022-06-02T20:18:52.733Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "name": "OilRig", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "aliases": [ - "FIN6", - "Magecart Group 6", - "ITG08", - "Skeleton Spider" - ], - "x_mitre_domains": [ - "enterprise-attack", - "ics-attack" - ], - "x_mitre_contributors": [ - "Center for Threat-Informed Defense (CTID)", - "Drew Church, Splunk" - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "intrusion-set", - "id": "intrusion-set--2a7914cf-dff3-428d-ab0f-1014d1c28aeb", - "created": "2017-05-31T21:32:06.015Z", - "x_mitre_version": "3.2", - "external_references": [ - { - "source_name": "mitre-attack", - "external_id": "G0037", - "url": "https://attack.mitre.org/groups/G0037" - }, - { - "source_name": "Skeleton Spider", - "description": "(Citation: Crowdstrike Global Threat Report Feb 2018)" - }, - { - "source_name": "FIN6", - "description": "(Citation: FireEye FIN6 April 2016)" - }, - { - "source_name": "Magecart Group 6", - "description": "(Citation: Security Intelligence ITG08 April 2020)" - }, - { - "source_name": "ITG08", - "description": "(Citation: Security Intelligence More Eggs Aug 2019)" - }, - { - "source_name": "Crowdstrike Global Threat Report Feb 2018", - "url": "https://crowdstrike.lookbookhq.com/global-threat-report-2018-web/cs-2018-global-threat-report", - 
"description": "CrowdStrike. (2018, February 26). CrowdStrike 2018 Global Threat Report. Retrieved October 10, 2018." - }, - { - "source_name": "FireEye FIN6 April 2016", - "url": "https://www2.fireeye.com/rs/848-DID-242/images/rpt-fin6.pdf", - "description": "FireEye Threat Intelligence. (2016, April). Follow the Money: Dissecting the Operations of the Cyber Crime Group FIN6. Retrieved June 1, 2016." - }, - { - "source_name": "FireEye FIN6 Apr 2019", - "url": "https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html", - "description": "McKeague, B. et al. (2019, April 5). Pick-Six: Intercepting a FIN6 Intrusion, an Actor Recently Tied to Ryuk and LockerGoga Ransomware. Retrieved April 17, 2019." - }, - { - "source_name": "Security Intelligence ITG08 April 2020", - "url": "https://securityintelligence.com/posts/itg08-aka-fin6-partners-with-trickbot-gang-uses-anchor-framework/", - "description": "Villadsen, O. (2020, April 7). ITG08 (aka FIN6) Partners With TrickBot Gang, Uses Anchor Framework. Retrieved October 8, 2020." - }, - { - "source_name": "Security Intelligence More Eggs Aug 2019", - "url": "https://securityintelligence.com/posts/more_eggs-anyone-threat-actor-itg08-strikes-again/", - "description": "Villadsen, O.. (2019, August 29). More_eggs, Anyone? Threat Actor ITG08 Strikes Again. Retrieved September 16, 2019." - } - ], - "x_mitre_deprecated": false, - "revoked": false, - "description": "[FIN6](https://attack.mitre.org/groups/G0037) is a cyber crime group that has stolen payment card data and sold it for profit on underground marketplaces. 
This group has aggressively targeted and compromised point of sale (PoS) systems in the hospitality and retail sectors.(Citation: FireEye FIN6 April 2016)(Citation: FireEye FIN6 Apr 2019)", - "modified": "2022-06-02T20:11:01.957Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "name": "FIN6", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "x-mitre-data-component--c0a4a086-cc20-4e1e-b7cb-29d99dfa3fb1", - "type": "x-mitre-data-component", - "created": "2021-10-20T15:05:19.272Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "modified": "2021-10-20T15:05:19.272Z", - "name": "Module Load", - "description": "Attaching a module into the memory of a process/program, typically to access shared resources/features provided by the module (ex: Sysmon EID 7)", - "x_mitre_data_source_ref": "x-mitre-data-source--f424e4b4-a8a4-4c58-a4ae-4f53bfd08563", - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "x-mitre-data-component--84572de3-9583-4c73-aabd-06ea88123dd8", - "type": "x-mitre-data-component", - "created": "2021-10-20T15:05:19.273Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "modified": "2021-10-20T15:05:19.273Z", - "name": "File Modification", - "description": "Changes made to a file, or its access permissions and attributes, typically to alter the contents of the targeted file (ex: Windows EID 4670 or Sysmon EID 2)", - "x_mitre_data_source_ref": "x-mitre-data-source--509ed41e-ca42-461e-9058-24602256daf9", - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": 
"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "x-mitre-data-component--639e87f3-acb6-448a-9645-258f20da4bc5", - "type": "x-mitre-data-component", - "created": "2021-10-20T15:05:19.273Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "modified": "2021-10-20T15:05:19.273Z", - "name": "File Metadata", - "description": "Contextual data about a file, which may include information such as name, the content (ex: signature, headers, or data/media), user/ower, permissions, etc.", - "x_mitre_data_source_ref": "x-mitre-data-source--509ed41e-ca42-461e-9058-24602256daf9", - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "x-mitre-data-component--3d6e6b3b-4aa8-40e1-8c47-91db0f313d9f", - "type": "x-mitre-data-component", - "created": "2021-10-20T15:05:19.273Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "modified": "2021-10-20T15:05:19.273Z", - "name": "Drive Creation", - "description": "Initial construction of a drive letter or mount point to a data storage device", - "x_mitre_data_source_ref": "x-mitre-data-source--61bbbf27-f7c3-46ba-a6bc-48ae76928065", + "name": "Windows Registry Key Deletion", + "description": "Removal of a Registry Key (ex: Windows EID 4658 or Sysmon EID 12)", + "x_mitre_data_source_ref": "x-mitre-data-source--0f42a24c-e035-4f93-a91c-5f7076bd8da0", "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" 
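Review bot: The `Windows Registry Key Deletion` description added at the end of this hunk gives Windows EID 4658 as its example, but 4658 records a handle to an audited object being closed, not the object being deleted; the Security-log event for a deletion is 4660. An analytic built from this example would be noisy and would not by itself show that a key was removed, so I would change the line to `"description": "Removal of a Registry Key (ex: Windows EID 4660 or Sysmon EID 12)"`. The same object is removed in the following hunk, so this looks like a relocation of existing text rather than new wording, and the correction applies either way.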
@@ -26057,355 +26430,385 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "id": "x-mitre-data-component--74fa567d-bc90-425c-8a41-3c703abb221c", + "id": "x-mitre-data-component--3d6e6b3b-4aa8-40e1-8c47-91db0f313d9f", "type": "x-mitre-data-component", "created": "2021-10-20T15:05:19.273Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "modified": "2021-10-20T15:05:19.273Z", - "name": "Service Metadata", - "description": "Contextual data about a service/daemon, which may include information such as name, service executable, start type, etc.", - "x_mitre_data_source_ref": "x-mitre-data-source--d710099e-df94-4be4-bf85-cabd30e912bb", + "name": "Drive Creation", + "description": "Initial construction of a drive letter or mount point to a data storage device", + "x_mitre_data_source_ref": "x-mitre-data-source--61bbbf27-f7c3-46ba-a6bc-48ae76928065", "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "x-mitre-data-component--1177a4c5-31c8-400c-8544-9071166afa0e", - "type": "x-mitre-data-component", - "created": "2021-10-20T15:05:19.273Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "modified": "2021-10-20T15:05:19.273Z", - "name": "Windows Registry Key Deletion", - "description": "Removal of a Registry Key (ex: Windows EID 4658 or Sysmon EID 12)", - "x_mitre_data_source_ref": "x-mitre-data-source--0f42a24c-e035-4f93-a91c-5f7076bd8da0", - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "aliases": [ - "ALLANITE", - "Palmetto Fusion" + "modified": "2022-10-20T20:18:34.334Z", + "name": "Network Traffic", + "description": "Data transmitted across a network (ex: Web, DNS, Mail, File, 
etc.), that is either summarized (ex: Netflow) and/or captured as raw data in an analyzable format (ex: PCAP)", + "x_mitre_platforms": [ + "IaaS", + "Linux", + "Windows", + "macOS" ], + "x_mitre_deprecated": false, "x_mitre_domains": [ - "ics-attack" + "enterprise-attack" ], + "x_mitre_version": "1.1", "x_mitre_contributors": [ - "Dragos Threat Intelligence" + "Center for Threat-Informed Defense (CTID)", + "ExtraHop" ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + "x_mitre_collection_layers": [ + "Cloud Control Plane", + "Host", + "Network" ], - "type": "intrusion-set", - "id": "intrusion-set--190242d7-73fc-4738-af68-20162f7a5aae", - "created": "2017-05-31T21:31:57.307Z", - "x_mitre_version": "1.0", + "type": "x-mitre-data-source", + "id": "x-mitre-data-source--c000cd5c-bbb3-4606-af6f-6c6d9de0bbe3", + "created": "2021-10-20T15:05:19.274Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, "external_references": [ { "source_name": "mitre-attack", - "external_id": "G1000", - "url": "https://attack.mitre.org/groups/G1000" - }, - { - "source_name": "Dragos", - "url": "https://dragos.com/resource/allanite/", - "description": "Dragos Allanite Retrieved. 
2019/10/27 " + "url": "https://attack.mitre.org/data-sources/DS0029", + "external_id": "DS0029" } ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "x_mitre_platforms": [ + "Linux", + "Windows", + "macOS" + ], + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_contributors": [ + "Center for Threat-Informed Defense (CTID)" + ], + "x_mitre_collection_layers": [ + "Host" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "x-mitre-data-source--f424e4b4-a8a4-4c58-a4ae-4f53bfd08563", + "type": "x-mitre-data-source", + "created": "2021-10-20T15:05:19.272Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/datasources/DS0011", + "external_id": "DS0011" + }, + { + "source_name": "Microsoft LoadLibrary", + "description": "Microsoft. (2018, December 5). LoadLibraryA function (libloaderapi.h). Retrieved September 28, 2021.", + "url": "https://docs.microsoft.com/en-us/windows/win32/api/libloaderapi/nf-libloaderapi-loadlibrarya" + }, + { + "source_name": "Microsoft Module Class", + "description": "Microsoft. (n.d.). Module Class. 
Retrieved September 28, 2021.", + "url": "https://docs.microsoft.com/en-us/dotnet/api/system.reflection.module" + } + ], + "modified": "2022-03-30T14:26:51.806Z", + "name": "Module", + "description": "Executable files consisting of one or more shared classes and interfaces, such as portable executable (PE) format binaries/dynamic link libraries (DLL), executable and linkable format (ELF) binaries/shared libraries, and Mach-O format binaries/shared libraries(Citation: Microsoft LoadLibrary)(Citation: Microsoft Module Class)", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "x_mitre_platforms": [ + "Google Workspace", + "IaaS", + "Linux", + "Office 365", + "SaaS", + "Windows", + "macOS" + ], + "x_mitre_domains": [ + "enterprise-attack", + "ics-attack" + ], + "x_mitre_collection_layers": [ + "Cloud Control Plane", + "Host" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "id": "x-mitre-data-source--40269753-26bd-437b-986e-159c66dec5e4", + "type": "x-mitre-data-source", + "created": "2021-10-20T15:05:19.272Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/datasources/DS0015", + "external_id": "DS0015" + }, + { + "source_name": "Confluence Logs", + "description": "Confluence Support. (2021, April 22). Working with Confluence Logs. 
Retrieved September 23, 2021.", + "url": "https://confluence.atlassian.com/doc/working-with-confluence-logs-108364721.html" + } + ], + "modified": "2022-05-11T14:00:00.188Z", + "name": "Application Log", + "description": "Events collected by third-party services such as mail servers, web applications, or other appliances (not by the native OS or platform)(Citation: Confluence Logs)", + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "modified": "2022-09-26T14:44:35.610Z", + "name": "Asset", + "description": "Data sources with information about the set of devices found within the network, along with their current software and configurations", "x_mitre_deprecated": false, + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_version": "1.0", + "x_mitre_collection_layers": [ + "host" + ], + "type": "x-mitre-data-source", + "id": "x-mitre-data-source--b1717cb4-d536-4e2b-b5e5-07e67e26183c", + "created": "2022-05-11T16:22:58.802Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, - "description": "[ALLANITE](https://attack.mitre.org/groups/G1000) is a suspected Russian cyber espionage group, that has primarily targeted the electric utility sector within the United States and United Kingdom. The group's tactics and techniques are reportedly similar to [Dragonfly](https://attack.mitre.org/groups/G0035), although [ALLANITE](https://attack.mitre.org/groups/G1000)s technical capabilities have not exhibited disruptive or destructive abilities. It has been suggested that the group maintains a presence in ICS for the purpose of gaining understanding of processes and to maintain persistence. 
(Citation: Dragos)", - "modified": "2022-05-24T19:26:10.721Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "name": "ALLANITE", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/data-sources/DS0039", + "external_id": "DS0039" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { + "modified": "2022-10-21T15:58:32.516Z", + "name": "Process", + "description": "Instances of computer programs that are being executed by at least one thread. Processes have memory space for process executables, loaded modules (DLLs or shared libraries), and allocated memory regions containing everything from user input to application-specific data structures(Citation: Microsoft Processes and Threads)", + "x_mitre_platforms": [ + "Linux", + "Windows", + "macOS" + ], + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_version": "1.1", + "x_mitre_contributors": [ + "Center for Threat-Informed Defense (CTID)" + ], + "x_mitre_collection_layers": [ + "Host" + ], + "type": "x-mitre-data-source", + "id": "x-mitre-data-source--e8b8ede7-337b-4c0c-8c32-5c7872c1ee22", + "created": "2021-10-20T15:05:19.272Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/data-sources/DS0009", + "external_id": "DS0009" + }, + { + "source_name": "Microsoft Processes and Threads", + "description": "Microsoft. (2018, May 31). Processes and Threads. 
Retrieved September 28, 2021.", + "url": "https://docs.microsoft.com/en-us/windows/win32/procthread/processes-and-threads" + } + ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "id": "x-mitre-data-component--5297a638-1382-4f0c-8472-0d21830bf705", - "type": "x-mitre-data-component", - "created": "2021-10-20T15:05:19.273Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "modified": "2021-10-20T15:05:19.273Z", - "name": "Service Creation", - "description": "Initial construction of a new service/daemon (ex: Windows EID 4697 or /var/log daemon logs)", - "x_mitre_data_source_ref": "x-mitre-data-source--d710099e-df94-4be4-bf85-cabd30e912bb", - "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { + "x_mitre_platforms": [ + "Containers", + "Linux", + "Windows", + "macOS" + ], + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_contributors": [ + "Center for Threat-Informed Defense (CTID)" + ], + "x_mitre_collection_layers": [ + "Container", + "Host" + ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "id": "x-mitre-data-component--66531bc6-a509-4868-8314-4d599e91d222", - "type": "x-mitre-data-component", - "created": "2021-10-20T15:05:19.273Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "modified": "2021-10-20T15:05:19.273Z", - "name": "Service Modification", - "description": "Changes made to a service/daemon, such as changes to name, description, and/or start type (ex: Windows EID 7040 or /var/log daemon logs)", - "x_mitre_data_source_ref": "x-mitre-data-source--d710099e-df94-4be4-bf85-cabd30e912bb", - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "object_marking_refs": [ - 
"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "x-mitre-data-component--f42df6f0-6395-4f0c-9376-525a031f00c3", - "type": "x-mitre-data-component", + "id": "x-mitre-data-source--c9ddfb51-eb45-4e22-b614-44ac1caa7883", + "type": "x-mitre-data-source", "created": "2021-10-20T15:05:19.271Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "modified": "2021-10-20T15:05:19.271Z", - "name": "Scheduled Job Creation", - "description": "Initial construction of a new scheduled job (ex: Windows EID 4698 or /var/log cron logs)", - "x_mitre_data_source_ref": "x-mitre-data-source--c9ddfb51-eb45-4e22-b614-44ac1caa7883", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/datasources/DS0003", + "external_id": "DS0003" + }, + { + "source_name": "Microsoft Tasks", + "description": "Microsoft. (2018, May 31). Tasks. Retrieved September 28, 2021.", + "url": "https://docs.microsoft.com/en-us/windows/win32/taskschd/tasks" + } + ], + "modified": "2022-03-30T14:26:51.806Z", + "name": "Scheduled Job", + "description": "Automated tasks that can be executed at a specific time or on a recurring schedule running in the background (ex: Cron daemon, task scheduler, BITS)(Citation: Microsoft Tasks)", "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { + "x_mitre_platforms": [ + "Linux", + "Network", + "Windows", + "macOS" + ], + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_contributors": [ + "Center for Threat-Informed Defense (CTID)" + ], + "x_mitre_collection_layers": [ + "Host" + ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "id": "x-mitre-data-component--e905dad2-00d6-477c-97e8-800427abd0e8", - "type": "x-mitre-data-component", + "type": "x-mitre-data-source", + "id": "x-mitre-data-source--509ed41e-ca42-461e-9058-24602256daf9", "created": 
"2021-10-20T15:05:19.273Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "modified": "2022-03-30T14:26:51.805Z", - "name": "File Deletion", - "description": "Removal of a file (ex: Sysmon EID 23, macOS ESF EID ES_EVENT_TYPE_AUTH_UNLINK, or Linux commands auditd unlink, rename, rmdir, unlinked, or renameat rules)", - "x_mitre_data_source_ref": "x-mitre-data-source--509ed41e-ca42-461e-9058-24602256daf9", "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "aliases": [ - "Wizard Spider", - "UNC1878", - "TEMP.MixMaster", - "Grim Spider" - ], - "x_mitre_domains": [ - "enterprise-attack", - "ics-attack" - ], - "x_mitre_contributors": [ - "Edward Millington", - "Oleksiy Gayda" - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "intrusion-set--dd2d9ca6-505b-4860-a604-233685b802c7", - "type": "intrusion-set", - "created": "2020-05-12T18:15:29.396Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "external_references": [ - { - "external_id": "G0102", - "source_name": "mitre-attack", - "url": "https://attack.mitre.org/groups/G0102" - }, - { - "source_name": "UNC1878", - "description": "(Citation: FireEye KEGTAP SINGLEMALT October 2020)" - }, - { - "source_name": "TEMP.MixMaster", - "description": "(Citation: FireEye Ryuk and Trickbot January 2019)" - }, - { - "source_name": "Grim Spider", - "description": "(Citation: CrowdStrike Ryuk January 2019)(Citation: CrowdStrike Grim Spider May 2019)" - }, - { - "source_name": "CrowdStrike Ryuk January 2019", - "url": "https://www.crowdstrike.com/blog/big-game-hunting-with-ryuk-another-lucrative-targeted-ransomware/", - "description": "Hanel, A. (2019, January 10). Big Game Hunting with Ryuk: Another Lucrative Targeted Ransomware. Retrieved May 12, 2020." 
- }, - { - "source_name": "DHS/CISA Ransomware Targeting Healthcare October 2020", - "url": "https://us-cert.cisa.gov/ncas/alerts/aa20-302a", - "description": "DHS/CISA. (2020, October 28). Ransomware Activity Targeting the Healthcare and Public Health Sector. Retrieved October 28, 2020." - }, - { - "source_name": "CrowdStrike Wizard Spider October 2020", - "url": "https://www.crowdstrike.com/blog/wizard-spider-adversary-update/", - "description": "Podlosky, A., Hanel, A. et al. (2020, October 16). WIZARD SPIDER Update: Resilient, Reactive and Resolute. Retrieved June 15, 2021." - }, - { - "source_name": "FireEye KEGTAP SINGLEMALT October 2020", - "url": "https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html", - "description": "Kimberly Goody, Jeremy Kennelly, Joshua Shilko, Steve Elovitz, Douglas Bienstock. (2020, October 28). Unhappy Hour Special: KEGTAP and SINGLEMALT With a Ransomware Chaser. Retrieved October 28, 2020." - }, - { - "source_name": "FireEye Ryuk and Trickbot January 2019", - "url": "https://www.fireeye.com/blog/threat-research/2019/01/a-nasty-trick-from-credential-theft-malware-to-business-disruption.html", - "description": "Goody, K., et al (2019, January 11). A Nasty Trick: From Credential Theft Malware to Business Disruption. Retrieved May 12, 2020." - }, - { - "source_name": "CrowdStrike Grim Spider May 2019", - "url": "https://www.crowdstrike.com/blog/timelining-grim-spiders-big-game-hunting-tactics/", - "description": "John, E. and Carvey, H. (2019, May 30). Unraveling the Spiderweb: Timelining ATT&CK Artifacts Used by GRIM SPIDER. Retrieved May 12, 2020." - } - ], - "modified": "2021-10-14T17:27:41.194Z", - "name": "Wizard Spider", - "description": "[Wizard Spider](https://attack.mitre.org/groups/G0102) is a Russia-based financially motivated threat group originally known for the creation and deployment of [TrickBot](https://attack.mitre.org/software/S0266) since at least 2016. 
[Wizard Spider](https://attack.mitre.org/groups/G0102) possesses a diverse arsenal of tools and has conducted ransomware campaigns against a variety of organizations, ranging from major corporations to hospitals.(Citation: CrowdStrike Ryuk January 2019)(Citation: DHS/CISA Ransomware Targeting Healthcare October 2020)(Citation: CrowdStrike Wizard Spider October 2020)", - "x_mitre_version": "2.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "aliases": [ - "GOLD SOUTHFIELD" - ], - "x_mitre_domains": [ - "enterprise-attack", - "ics-attack" - ], - "x_mitre_contributors": [ - "Thijn Bukkems, Amazon" - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "intrusion-set--c77c5576-ca19-42ed-a36f-4b4486a84133", - "type": "intrusion-set", - "created": "2020-09-22T19:41:27.845Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "external_references": [ - { - "external_id": "G0115", - "source_name": "mitre-attack", - "url": "https://attack.mitre.org/groups/G0115" - }, - { - "source_name": "Secureworks REvil September 2019", - "url": "https://www.secureworks.com/research/revil-sodinokibi-ransomware", - "description": "Counter Threat Unit Research Team. (2019, September 24). REvil/Sodinokibi Ransomware. Retrieved August 4, 2020." - }, - { - "source_name": "Secureworks GandCrab and REvil September 2019", - "url": "https://www.secureworks.com/blog/revil-the-gandcrab-connection", - "description": "Secureworks . (2019, September 24). REvil: The GandCrab Connection. Retrieved August 4, 2020." - }, - { - "source_name": "Secureworks GOLD SOUTHFIELD", - "url": "https://www.secureworks.com/research/threat-profiles/gold-southfield", - "description": "Secureworks. (n.d.). GOLD SOUTHFIELD. Retrieved October 6, 2020." 
- } - ], - "modified": "2021-04-26T12:52:34.528Z", - "name": "GOLD SOUTHFIELD", - "description": "[GOLD SOUTHFIELD](https://attack.mitre.org/groups/G0115) is a financially motivated threat group active since at least 2019 that operates the [REvil](https://attack.mitre.org/software/S0496) Ransomware-as-a Service (RaaS). [GOLD SOUTHFIELD](https://attack.mitre.org/groups/G0115) provides backend infrastructure for affiliates recruited on underground forums to perpetrate high value deployments.(Citation: Secureworks REvil September 2019)(Citation: Secureworks GandCrab and REvil September 2019)(Citation: Secureworks GOLD SOUTHFIELD)", - "x_mitre_version": "1.1", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "aliases": [ - "FIN7", - "GOLD NIAGARA", - "ITG14", - "Carbon Spider" - ], - "x_mitre_domains": [ - "enterprise-attack", - "ics-attack" - ], - "x_mitre_contributors": [ - "Edward Millington" - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "intrusion-set", - "id": "intrusion-set--3753cc21-2dae-4dfb-8481-d004e74502cc", - "created": "2017-05-31T21:32:09.460Z", - "x_mitre_version": "2.1", "external_references": [ { "source_name": "mitre-attack", - "external_id": "G0046", - "url": "https://attack.mitre.org/groups/G0046" + "external_id": "DS0022", + "url": "https://attack.mitre.org/data-sources/DS0022" }, { - "source_name": "Carbon Spider", - "description": "(Citation: CrowdStrike Carbon Spider August 2021)" - }, - { - "source_name": "FIN7", - "description": "(Citation: FireEye FIN7 March 2017) (Citation: FireEye FIN7 April 2017) (Citation: Morphisec FIN7 June 2017) (Citation: FireEye FIN7 Shim Databases) (Citation: FireEye FIN7 Aug 2018)" - }, - { - "source_name": "GOLD NIAGARA", - "description": "(Citation: Secureworks GOLD NIAGARA Threat Profile)" - }, - { - "source_name": "FireEye CARBANAK June 2017", - "url": 
"https://www.fireeye.com/blog/threat-research/2017/06/behind-the-carbanak-backdoor.html", - "description": "Bennett, J., Vengerik, B. (2017, June 12). Behind the CARBANAK Backdoor. Retrieved June 11, 2018." - }, - { - "source_name": "FireEye FIN7 April 2017", - "url": "https://www.fireeye.com/blog/threat-research/2017/04/fin7-phishing-lnk.html", - "description": "Carr, N., et al. (2017, April 24). FIN7 Evolution and the Phishing LNK. Retrieved April 24, 2017." - }, - { - "source_name": "FireEye FIN7 Aug 2018", - "url": "https://www.fireeye.com/blog/threat-research/2018/08/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation.html", - "description": "Carr, N., et al. (2018, August 01). On the Hunt for FIN7: Pursuing an Enigmatic and Evasive Global Criminal Operation. Retrieved August 23, 2018." - }, - { - "source_name": "Secureworks GOLD NIAGARA Threat Profile", - "url": "https://www.secureworks.com/research/threat-profiles/gold-niagara", - "description": "CTU. (n.d.). GOLD NIAGARA. Retrieved September 21, 2021." - }, - { - "source_name": "FireEye FIN7 Shim Databases", - "url": "https://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persistence.html", - "description": "Erickson, J., McWhirt, M., Palombo, D. (2017, May 3). To SDB, Or Not To SDB: FIN7 Leveraging Shim Databases for Persistence. Retrieved July 18, 2017." - }, - { - "source_name": "Morphisec FIN7 June 2017", - "url": "http://blog.morphisec.com/fin7-attacks-restaurant-industry", - "description": "Gorelik, M.. (2017, June 9). FIN7 Takes Another Bite at the Restaurant Industry. Retrieved July 13, 2017." - }, - { - "source_name": "ITG14", - "description": "ITG14 shares campaign overlap with [FIN7](https://attack.mitre.org/groups/G0046).(Citation: IBM Ransomware Trends September 2020)" - }, - { - "source_name": "CrowdStrike Carbon Spider August 2021", - "url": "https://www.crowdstrike.com/blog/carbon-spider-embraces-big-game-hunting-part-1/", - "description": "Loui, E. 
and Reynolds, J. (2021, August 30). CARBON SPIDER Embraces Big Game Hunting, Part 1. Retrieved September 20, 2021." - }, - { - "source_name": "FireEye FIN7 March 2017", - "url": "https://web.archive.org/web/20180808125108/https:/www.fireeye.com/blog/threat-research/2017/03/fin7_spear_phishing.html", - "description": "Miller, S., et al. (2017, March 7). FIN7 Spear Phishing Campaign Targets Personnel Involved in SEC Filings. Retrieved March 8, 2017." - }, - { - "source_name": "IBM Ransomware Trends September 2020", - "url": "https://securityintelligence.com/posts/ransomware-2020-attack-trends-new-techniques-affecting-organizations-worldwide/", - "description": "Singleton, C. and Kiefer, C. (2020, September 28). Ransomware 2020: Attack Trends Affecting Organizations Worldwide. Retrieved September 20, 2021." + "source_name": "Microsoft File Mgmt", + "url": "https://docs.microsoft.com/en-us/windows/win32/fileio/file-management", + "description": "Microsoft. (2018, May 31). File Management (Local File Systems). Retrieved September 28, 2021." } ], "x_mitre_deprecated": false, "revoked": false, - "description": "[FIN7](https://attack.mitre.org/groups/G0046) is a financially-motivated threat group that has been active since 2013 primarily targeting the U.S. retail, restaurant, and hospitality sectors, often using point-of-sale malware. A portion of [FIN7](https://attack.mitre.org/groups/G0046) was run out of a front company called Combi Security. Since 2020 [FIN7](https://attack.mitre.org/groups/G0046) shifted operations to a big game hunting (BGH) approach including use of [REvil](https://attack.mitre.org/software/S0496) ransomware and their own Ransomware as a Service (RaaS), Darkside. 
[FIN7](https://attack.mitre.org/groups/G0046) may be linked to the [Carbanak](https://attack.mitre.org/groups/G0008) Group, but there appears to be several groups using [Carbanak](https://attack.mitre.org/software/S0030) malware and are therefore tracked separately.(Citation: FireEye FIN7 March 2017)(Citation: FireEye FIN7 April 2017)(Citation: FireEye CARBANAK June 2017)(Citation: FireEye FIN7 Aug 2018)(Citation: CrowdStrike Carbon Spider August 2021)", - "modified": "2022-07-20T20:06:44.706Z", + "description": "A computer resource object, managed by the I/O system, for storing data (such as images, text, videos, computer programs, or any wide variety of other media).(Citation: Microsoft File Mgmt)", + "modified": "2022-04-21T14:50:59.123Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "name": "FIN7", + "name": "File", + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "x_mitre_domains": [ + "ics-attack" + ], + "x_mitre_collection_layers": [ + "host" + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "modified": "2022-05-11T16:22:58.802Z", + "created": "2022-05-11T16:22:58.802Z", + "type": "x-mitre-data-source", + "id": "x-mitre-data-source--1b8c9f31-ad35-4850-bf8c-80c565ad3552", + "name": "Operational Databases", + "description": "Operational databases contain information about the status of the operational process and associated devices, including any measurements, events, history, or alarms that have occurred", + "x_mitre_version": "1.0", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/datasources/DS0040", + "external_id": "DS0040" + } + ], + "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + }, + { + "modified": 
"2022-10-21T15:56:16.481Z", + "name": "Logon Session", + "description": "Logon occurring on a system or resource (local, domain, or cloud) to which a user/device is gaining access after successful authentication and authorization(Citation: Microsoft Audit Logon Events)", + "x_mitre_platforms": [ + "Azure AD", + "Google Workspace", + "IaaS", + "Linux", + "Office 365", + "SaaS", + "Windows", + "macOS" + ], + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack" + ], + "x_mitre_version": "1.1", + "x_mitre_contributors": [ + "Center for Threat-Informed Defense (CTID)" + ], + "x_mitre_collection_layers": [ + "Cloud Control Plane", + "Host", + "Network" + ], + "type": "x-mitre-data-source", + "id": "x-mitre-data-source--4358c631-e253-4557-86df-f687d0ef9891", + "created": "2021-10-20T15:05:19.274Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/data-sources/DS0028", + "external_id": "DS0028" + }, + { + "source_name": "Microsoft Audit Logon Events", + "description": "Microsoft. (2021, September 6). Audit logon events. Retrieved September 28, 2021.", + "url": "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/basic-audit-logon-events" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, 
@@ -26462,133 +26865,57 @@ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { - "x_mitre_domains": [ - "ics-attack" - ], - "x_mitre_collection_layers": [ - "host" - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "modified": "2022-05-11T16:22:58.802Z", - "created": "2022-05-11T16:22:58.802Z", - "type": "x-mitre-data-source", - "id": "x-mitre-data-source--1b8c9f31-ad35-4850-bf8c-80c565ad3552", - "name": "Operational Databases", - "description": "Operational databases contain information about the status of the operational process and associated devices, including any measurements, events, history, or alarms that have occurred", - "x_mitre_version": "1.0", - "external_references": [ - { - "source_name": "mitre-attack", - "url": "https://attack.mitre.org/datasources/DS0040", - "external_id": "DS0040" - } - ], - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "modified": "2022-10-20T20:18:34.334Z", - "name": "Network Traffic", - "description": "Data transmitted across a network (ex: Web, DNS, Mail, File, etc.), that is either summarized (ex: Netflow) and/or captured as raw data in an analyzable format (ex: PCAP)", "x_mitre_platforms": [ - "IaaS", "Linux", "Windows", "macOS" ], - "x_mitre_deprecated": false, "x_mitre_domains": [ "enterprise-attack" ], - "x_mitre_version": "1.1", - "x_mitre_contributors": [ - "Center for Threat-Informed Defense (CTID)", - "ExtraHop" - ], - "x_mitre_collection_layers": [ - "Cloud Control Plane", - "Host", - "Network" - ], - "type": "x-mitre-data-source", - "id": "x-mitre-data-source--c000cd5c-bbb3-4606-af6f-6c6d9de0bbe3", - "created": "2021-10-20T15:05:19.274Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "external_references": [ - { - "source_name": 
"mitre-attack", - "url": "https://attack.mitre.org/data-sources/DS0029", - "external_id": "DS0029" - } - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "modified": "2022-10-21T15:56:16.481Z", - "name": "Logon Session", - "description": "Logon occurring on a system or resource (local, domain, or cloud) to which a user/device is gaining access after successful authentication and authorization(Citation: Microsoft Audit Logon Events)", - "x_mitre_platforms": [ - "Azure AD", - "Google Workspace", - "IaaS", - "Linux", - "Office 365", - "SaaS", - "Windows", - "macOS" - ], - "x_mitre_deprecated": false, - "x_mitre_domains": [ - "enterprise-attack" - ], - "x_mitre_version": "1.1", "x_mitre_contributors": [ "Center for Threat-Informed Defense (CTID)" ], "x_mitre_collection_layers": [ - "Cloud Control Plane", - "Host", - "Network" - ], - "type": "x-mitre-data-source", - "id": "x-mitre-data-source--4358c631-e253-4557-86df-f687d0ef9891", - "created": "2021-10-20T15:05:19.274Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "external_references": [ - { - "source_name": "mitre-attack", - "url": "https://attack.mitre.org/data-sources/DS0028", - "external_id": "DS0028" - }, - { - "source_name": "Microsoft Audit Logon Events", - "description": "Microsoft. (2021, September 6). Audit logon events. 
Retrieved September 28, 2021.", - "url": "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/basic-audit-logon-events" - } + "Host" ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], + "id": "x-mitre-data-source--d710099e-df94-4be4-bf85-cabd30e912bb", + "type": "x-mitre-data-source", + "created": "2021-10-20T15:05:19.273Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/datasources/DS0019", + "external_id": "DS0019" + }, + { + "source_name": "Microsoft Services", + "description": "Microsoft. (2017, March 30). Introduction to Windows Service Applications. Retrieved September 28, 2021.", + "url": "https://docs.microsoft.com/en-us/dotnet/framework/windows-services/introduction-to-windows-service-applications" + }, + { + "source_name": "Linux Services Run Levels", + "description": "The Linux Foundation. (2006, January 11). An introduction to services, runlevels, and rc.d scripts. Retrieved September 28, 2021.", + "url": "https://www.linux.com/news/introduction-services-runlevels-and-rcd-scripts/" + } + ], + "modified": "2022-03-30T14:26:51.807Z", + "name": "Service", + "description": "A computer process that is configured to execute continuously in the background and perform system tasks, in some cases before any user has logged in(Citation: Microsoft Services)(Citation: Linux Services Run Levels)", + "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, { - "modified": "2022-10-21T15:58:32.516Z", - "name": "Process", - "description": "Instances of computer programs that are being executed by at least one thread. 
Processes have memory space for process executables, loaded modules (DLLs or shared libraries), and allocated memory regions containing everything from user input to application-specific data structures(Citation: Microsoft Processes and Threads)", + "modified": "2022-10-21T15:58:58.335Z", + "name": "Script", + "description": "A file or stream containing a list of commands, allowing them to be launched in sequence(Citation: Microsoft PowerShell Logging)(Citation: FireEye PowerShell Logging)(Citation: Microsoft AMSI)", "x_mitre_platforms": [ - "Linux", - "Windows", - "macOS" + "Windows" ], "x_mitre_deprecated": false, "x_mitre_domains": [ 
@@ -26602,20 +26929,30 @@ "Host" ], "type": "x-mitre-data-source", - "id": "x-mitre-data-source--e8b8ede7-337b-4c0c-8c32-5c7872c1ee22", + "id": "x-mitre-data-source--12c1e727-7fa4-49b6-af81-366ed2ce231e", "created": "2021-10-20T15:05:19.272Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", - "url": "https://attack.mitre.org/data-sources/DS0009", - "external_id": "DS0009" + "url": "https://attack.mitre.org/data-sources/DS0012", + "external_id": "DS0012" }, { - "source_name": "Microsoft Processes and Threads", - "description": "Microsoft. (2018, May 31). Processes and Threads. Retrieved September 28, 2021.", - "url": "https://docs.microsoft.com/en-us/windows/win32/procthread/processes-and-threads" + "source_name": "FireEye PowerShell Logging", + "description": "Dunwoody, M. (2016, February 11). Greater Visibility Through PowerShell Logging. Retrieved September 28, 2021.", + "url": "https://www.fireeye.com/blog/threat-research/2016/02/greater_visibilityt.html" + }, + { + "source_name": "Microsoft AMSI", + "description": "Microsoft. (2019, April 19). Antimalware Scan Interface (AMSI). Retrieved September 28, 2021.", + "url": "https://docs.microsoft.com/en-us/windows/win32/amsi/antimalware-scan-interface-portal" + }, + { + "source_name": "Microsoft PowerShell Logging", + "description": "Microsoft. (2020, March 30). about_Logging_Windows. Retrieved September 28, 2021.", + "url": "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_logging_windows?view=powershell-7" } ], "object_marking_refs": [ 
@@ -26624,93 +26961,6 @@ "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, - { - "x_mitre_platforms": [ - "Google Workspace", - "IaaS", - "Linux", - "Office 365", - "SaaS", - "Windows", - "macOS" - ], - "x_mitre_domains": [ - "enterprise-attack", - "ics-attack" - ], - "x_mitre_collection_layers": [ - "Cloud Control Plane", - "Host" - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "x-mitre-data-source--40269753-26bd-437b-986e-159c66dec5e4", - "type": "x-mitre-data-source", - "created": "2021-10-20T15:05:19.272Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "external_references": [ - { - "source_name": "mitre-attack", - "url": "https://attack.mitre.org/datasources/DS0015", - "external_id": "DS0015" - }, - { - "source_name": "Confluence Logs", - "description": "Confluence Support. (2021, April 22). Working with Confluence Logs. Retrieved September 23, 2021.", - "url": "https://confluence.atlassian.com/doc/working-with-confluence-logs-108364721.html" - } - ], - "modified": "2022-05-11T14:00:00.188Z", - "name": "Application Log", - "description": "Events collected by third-party services such as mail servers, web applications, or other appliances (not by the native OS or platform)(Citation: Confluence Logs)", - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "x_mitre_platforms": [ - "Containers", - "Linux", - "Windows", - "macOS" - ], - "x_mitre_domains": [ - "enterprise-attack" - ], - "x_mitre_contributors": [ - "Center for Threat-Informed Defense (CTID)" - ], - "x_mitre_collection_layers": [ - "Container", - "Host" - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "x-mitre-data-source--c9ddfb51-eb45-4e22-b614-44ac1caa7883", - "type": 
"x-mitre-data-source", - "created": "2021-10-20T15:05:19.271Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "external_references": [ - { - "source_name": "mitre-attack", - "url": "https://attack.mitre.org/datasources/DS0003", - "external_id": "DS0003" - }, - { - "source_name": "Microsoft Tasks", - "description": "Microsoft. (2018, May 31). Tasks. Retrieved September 28, 2021.", - "url": "https://docs.microsoft.com/en-us/windows/win32/taskschd/tasks" - } - ], - "modified": "2022-03-30T14:26:51.806Z", - "name": "Scheduled Job", - "description": "Automated tasks that can be executed at a specific time or on a recurring schedule running in the background (ex: Cron daemon, task scheduler, BITS)(Citation: Microsoft Tasks)", - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, { "x_mitre_platforms": [ "Linux", 
@@ -26825,80 +27075,6 @@
 "x_mitre_attack_spec_version": "2.1.0",
 "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
 },
- {
- "x_mitre_platforms": [
- "Linux",
- "Network",
- "Windows",
- "macOS"
- ],
- "x_mitre_domains": [
- "enterprise-attack"
- ],
- "x_mitre_contributors": [
- "Center for Threat-Informed Defense (CTID)"
- ],
- "x_mitre_collection_layers": [
- "Host"
- ],
- "object_marking_refs": [
- "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
- ],
- "type": "x-mitre-data-source",
- "id": "x-mitre-data-source--509ed41e-ca42-461e-9058-24602256daf9",
- "created": "2021-10-20T15:05:19.273Z",
- "x_mitre_version": "1.0",
- "external_references": [
- {
- "source_name": "mitre-attack",
- "external_id": "DS0022",
- "url": "https://attack.mitre.org/data-sources/DS0022"
- },
- {
- "source_name": "Microsoft File Mgmt",
- "url": "https://docs.microsoft.com/en-us/windows/win32/fileio/file-management",
- "description": "Microsoft. (2018, May 31). File Management (Local File Systems). Retrieved September 28, 2021."
- }
- ],
- "x_mitre_deprecated": false,
- "revoked": false,
- "description": "A computer resource object, managed by the I/O system, for storing data (such as images, text, videos, computer programs, or any wide variety of other media).(Citation: Microsoft File Mgmt)",
- "modified": "2022-04-21T14:50:59.123Z",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "name": "File",
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
- },
- {
- "modified": "2022-09-26T14:44:35.610Z",
- "name": "Asset",
- "description": "Data sources with information about the set of devices found within the network, along with their current software and configurations",
- "x_mitre_deprecated": false,
- "x_mitre_domains": [
- "ics-attack"
- ],
- "x_mitre_version": "1.0",
- "x_mitre_collection_layers": [
- "host"
- ],
- "type": "x-mitre-data-source",
- "id": "x-mitre-data-source--b1717cb4-d536-4e2b-b5e5-07e67e26183c",
- "created": "2022-05-11T16:22:58.802Z",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "revoked": false,
- "external_references": [
- {
- "source_name": "mitre-attack",
- "url": "https://attack.mitre.org/data-sources/DS0039",
- "external_id": "DS0039"
- }
- ],
- "object_marking_refs": [
- "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
- ],
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
- },
 {
 "modified": "2022-10-21T15:59:59.646Z",
 "name": "User Account",
@@ -26945,103 +27121,6 @@ "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" }, - { - "modified": "2022-10-21T15:58:58.335Z", - "name": "Script", - "description": "A file or stream containing a list of commands, allowing them to be launched in sequence(Citation: Microsoft PowerShell Logging)(Citation: FireEye PowerShell Logging)(Citation: Microsoft AMSI)", - "x_mitre_platforms": [ - "Windows" - ], - "x_mitre_deprecated": false, - "x_mitre_domains": [ - "enterprise-attack" - ], - "x_mitre_version": "1.1", - "x_mitre_contributors": [ - "Center for Threat-Informed Defense (CTID)" - ], - "x_mitre_collection_layers": [ - "Host" - ], - "type": "x-mitre-data-source", - "id": "x-mitre-data-source--12c1e727-7fa4-49b6-af81-366ed2ce231e", - "created": "2021-10-20T15:05:19.272Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "revoked": false, - "external_references": [ - { - "source_name": "mitre-attack", - "url": "https://attack.mitre.org/data-sources/DS0012", - "external_id": "DS0012" - }, - { - "source_name": "FireEye PowerShell Logging", - "description": "Dunwoody, M. (2016, February 11). Greater Visibility Through PowerShell Logging. Retrieved September 28, 2021.", - "url": "https://www.fireeye.com/blog/threat-research/2016/02/greater_visibilityt.html" - }, - { - "source_name": "Microsoft AMSI", - "description": "Microsoft. (2019, April 19). Antimalware Scan Interface (AMSI). Retrieved September 28, 2021.", - "url": "https://docs.microsoft.com/en-us/windows/win32/amsi/antimalware-scan-interface-portal" - }, - { - "source_name": "Microsoft PowerShell Logging", - "description": "Microsoft. (2020, March 30). about_Logging_Windows. 
Retrieved September 28, 2021.", - "url": "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_logging_windows?view=powershell-7" - } - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, - { - "x_mitre_platforms": [ - "Linux", - "Windows", - "macOS" - ], - "x_mitre_domains": [ - "enterprise-attack" - ], - "x_mitre_contributors": [ - "Center for Threat-Informed Defense (CTID)" - ], - "x_mitre_collection_layers": [ - "Host" - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "x-mitre-data-source--f424e4b4-a8a4-4c58-a4ae-4f53bfd08563", - "type": "x-mitre-data-source", - "created": "2021-10-20T15:05:19.272Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "external_references": [ - { - "source_name": "mitre-attack", - "url": "https://attack.mitre.org/datasources/DS0011", - "external_id": "DS0011" - }, - { - "source_name": "Microsoft LoadLibrary", - "description": "Microsoft. (2018, December 5). LoadLibraryA function (libloaderapi.h). Retrieved September 28, 2021.", - "url": "https://docs.microsoft.com/en-us/windows/win32/api/libloaderapi/nf-libloaderapi-loadlibrarya" - }, - { - "source_name": "Microsoft Module Class", - "description": "Microsoft. (n.d.). Module Class. 
Retrieved September 28, 2021.", - "url": "https://docs.microsoft.com/en-us/dotnet/api/system.reflection.module" - } - ], - "modified": "2022-03-30T14:26:51.806Z", - "name": "Module", - "description": "Executable files consisting of one or more shared classes and interfaces, such as portable executable (PE) format binaries/dynamic link libraries (DLL), executable and linkable format (ELF) binaries/shared libraries, and Mach-O format binaries/shared libraries(Citation: Microsoft LoadLibrary)(Citation: Microsoft Module Class)", - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" - }, { "x_mitre_platforms": [ "Linux", 
@@ -27083,52 +27162,6 @@
 "x_mitre_attack_spec_version": "2.1.0",
 "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
 },
- {
- "x_mitre_platforms": [
- "Linux",
- "Windows",
- "macOS"
- ],
- "x_mitre_domains": [
- "enterprise-attack"
- ],
- "x_mitre_contributors": [
- "Center for Threat-Informed Defense (CTID)"
- ],
- "x_mitre_collection_layers": [
- "Host"
- ],
- "object_marking_refs": [
- "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
- ],
- "id": "x-mitre-data-source--d710099e-df94-4be4-bf85-cabd30e912bb",
- "type": "x-mitre-data-source",
- "created": "2021-10-20T15:05:19.273Z",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "external_references": [
- {
- "source_name": "mitre-attack",
- "url": "https://attack.mitre.org/datasources/DS0019",
- "external_id": "DS0019"
- },
- {
- "source_name": "Microsoft Services",
- "description": "Microsoft. (2017, March 30). Introduction to Windows Service Applications. Retrieved September 28, 2021.",
- "url": "https://docs.microsoft.com/en-us/dotnet/framework/windows-services/introduction-to-windows-service-applications"
- },
- {
- "source_name": "Linux Services Run Levels",
- "description": "The Linux Foundation. (2006, January 11). An introduction to services, runlevels, and rc.d scripts. Retrieved September 28, 2021.",
- "url": "https://www.linux.com/news/introduction-services-runlevels-and-rcd-scripts/"
- }
- ],
- "modified": "2022-03-30T14:26:51.807Z",
- "name": "Service",
- "description": "A computer process that is configured to execute continuously in the background and perform system tasks, in some cases before any user has logged in(Citation: Microsoft Services)(Citation: Linux Services Run Levels)",
- "x_mitre_version": "1.0",
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
- },
 {
 "x_mitre_domains": [
 "ics-attack"
@@ -27148,21 +27181,6 @@
 "name": "APT34",
 "x_mitre_version": "1.0"
 },
- {
- "object_marking_refs": [
- "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
- ],
- "id": "relationship--632ca9a0-a9f3-4b27-96e1-9fcb8bab11cb",
- "type": "relationship",
- "created": "2018-10-17T00:14:20.652Z",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "modified": "2018-10-17T00:14:20.652Z",
- "relationship_type": "revoked-by",
- "source_ref": "intrusion-set--68ba94ab-78b8-43e7-83e2-aed3466882c6",
- "target_ref": "intrusion-set--4ca1929c-7d64-4aab-b849-badbfc0c760d",
- "x_mitre_version": "1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
- },
 {
 "object_marking_refs": [
 "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
@@ -27182,6 +27200,21 @@
 "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
 "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
 },
+ {
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "id": "relationship--632ca9a0-a9f3-4b27-96e1-9fcb8bab11cb",
+ "type": "relationship",
+ "created": "2018-10-17T00:14:20.652Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "modified": "2018-10-17T00:14:20.652Z",
+ "relationship_type": "revoked-by",
+ "source_ref": "intrusion-set--68ba94ab-78b8-43e7-83e2-aed3466882c6",
+ "target_ref": "intrusion-set--4ca1929c-7d64-4aab-b849-badbfc0c760d",
+ "x_mitre_version": "1.0",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ },
 {
 "object_marking_refs": [
 "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
diff --git a/ics-attack/identity/identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5.json b/ics-attack/identity/identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5.json
index e5f794be00..6404def39d 100644
--- a/ics-attack/identity/identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5.json
+++ b/ics-attack/identity/identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--298bc022-4458-4bd1-ba4b-34022ad4f2fc",
+ "id": "bundle--2246484a-accc-4cb4-96b9-cd54dedd425a",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/intrusion-set/intrusion-set--00f67a77-86a4-4adf-be26-1a54fc713340.json b/ics-attack/intrusion-set/intrusion-set--00f67a77-86a4-4adf-be26-1a54fc713340.json
index b31d19f031..b7932f3a34 100644
--- a/ics-attack/intrusion-set/intrusion-set--00f67a77-86a4-4adf-be26-1a54fc713340.json
+++ b/ics-attack/intrusion-set/intrusion-set--00f67a77-86a4-4adf-be26-1a54fc713340.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--d0d9301d-e132-4af3-bf27-1c9b6cbc77c6",
+ "id": "bundle--3d58ee1b-a381-4f32-ba21-a79ddc7922a5",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/intrusion-set/intrusion-set--190242d7-73fc-4738-af68-20162f7a5aae.json b/ics-attack/intrusion-set/intrusion-set--190242d7-73fc-4738-af68-20162f7a5aae.json
index c2778d3ae1..1aa45908fe 100644
--- a/ics-attack/intrusion-set/intrusion-set--190242d7-73fc-4738-af68-20162f7a5aae.json
+++ b/ics-attack/intrusion-set/intrusion-set--190242d7-73fc-4738-af68-20162f7a5aae.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--cb3b5ef9-6555-4544-9d2e-9770b2bdfaa0",
+ "id": "bundle--0b48c247-bd1a-4982-880c-01c8f0266171",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/intrusion-set/intrusion-set--1c63d4ec-0a75-4daa-b1df-0d11af3d3cc1.json b/ics-attack/intrusion-set/intrusion-set--1c63d4ec-0a75-4daa-b1df-0d11af3d3cc1.json
index 41d63905cb..83d0bbfcbf 100644
--- a/ics-attack/intrusion-set/intrusion-set--1c63d4ec-0a75-4daa-b1df-0d11af3d3cc1.json
+++ b/ics-attack/intrusion-set/intrusion-set--1c63d4ec-0a75-4daa-b1df-0d11af3d3cc1.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--fb518a07-c29c-4ce9-855a-98454a310847",
+ "id": "bundle--961e8d33-e382-45a8-99db-353843180868",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/intrusion-set/intrusion-set--2a7914cf-dff3-428d-ab0f-1014d1c28aeb.json b/ics-attack/intrusion-set/intrusion-set--2a7914cf-dff3-428d-ab0f-1014d1c28aeb.json
index bdf4694033..c8f253a017 100644
--- a/ics-attack/intrusion-set/intrusion-set--2a7914cf-dff3-428d-ab0f-1014d1c28aeb.json
+++ b/ics-attack/intrusion-set/intrusion-set--2a7914cf-dff3-428d-ab0f-1014d1c28aeb.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--55433b8d-72df-4c75-94e4-6d3b4c1ddaac",
+ "id": "bundle--6c1f375a-b575-4c8a-a4f9-1ac0053e5b37",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/intrusion-set/intrusion-set--3753cc21-2dae-4dfb-8481-d004e74502cc.json b/ics-attack/intrusion-set/intrusion-set--3753cc21-2dae-4dfb-8481-d004e74502cc.json
index 11b03c6bdc..e2a7e79e74 100644
--- a/ics-attack/intrusion-set/intrusion-set--3753cc21-2dae-4dfb-8481-d004e74502cc.json
+++ b/ics-attack/intrusion-set/intrusion-set--3753cc21-2dae-4dfb-8481-d004e74502cc.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--a40436e8-794a-4067-beaa-6c3a7d3f8f6a",
+ "id": "bundle--874cb32c-3c4e-4438-a5ad-f0b51d6e07e0",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/intrusion-set/intrusion-set--381fcf73-60f6-4ab2-9991-6af3cbc35192.json b/ics-attack/intrusion-set/intrusion-set--381fcf73-60f6-4ab2-9991-6af3cbc35192.json
index afd3c9647f..62d99d3e52 100644
--- a/ics-attack/intrusion-set/intrusion-set--381fcf73-60f6-4ab2-9991-6af3cbc35192.json
+++ b/ics-attack/intrusion-set/intrusion-set--381fcf73-60f6-4ab2-9991-6af3cbc35192.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--48541000-614b-4be7-9b93-932a1f9a6638",
+ "id": "bundle--908b0a56-b255-498a-8769-4f3234c959ee",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/intrusion-set/intrusion-set--4ca1929c-7d64-4aab-b849-badbfc0c760d.json b/ics-attack/intrusion-set/intrusion-set--4ca1929c-7d64-4aab-b849-badbfc0c760d.json
index 38a03f1f1c..1e0744767f 100644
--- a/ics-attack/intrusion-set/intrusion-set--4ca1929c-7d64-4aab-b849-badbfc0c760d.json
+++ b/ics-attack/intrusion-set/intrusion-set--4ca1929c-7d64-4aab-b849-badbfc0c760d.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--6b597ec7-a317-4ff0-b002-5f7fe0744af0",
+ "id": "bundle--eb1a613a-3a24-45b5-bd5f-cb36774dba46",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/intrusion-set/intrusion-set--68ba94ab-78b8-43e7-83e2-aed3466882c6.json b/ics-attack/intrusion-set/intrusion-set--68ba94ab-78b8-43e7-83e2-aed3466882c6.json
index 19ac91f955..8d7348ee79 100644
--- a/ics-attack/intrusion-set/intrusion-set--68ba94ab-78b8-43e7-83e2-aed3466882c6.json
+++ b/ics-attack/intrusion-set/intrusion-set--68ba94ab-78b8-43e7-83e2-aed3466882c6.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--d28e2e33-c73a-49d4-890f-32942df979a7",
+ "id": "bundle--de734ee8-58f7-44cd-b162-02dbfa06403b",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/intrusion-set/intrusion-set--76d59913-1d24-4992-a8ac-05a3eb093f71.json b/ics-attack/intrusion-set/intrusion-set--76d59913-1d24-4992-a8ac-05a3eb093f71.json
index bc4dde08ce..685808a0d5 100644
--- a/ics-attack/intrusion-set/intrusion-set--76d59913-1d24-4992-a8ac-05a3eb093f71.json
+++ b/ics-attack/intrusion-set/intrusion-set--76d59913-1d24-4992-a8ac-05a3eb093f71.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--e7e0eafd-389b-4b18-9563-bb33b8126ca3",
+ "id": "bundle--3f027acf-939f-40d5-940b-4164a211cab1",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/intrusion-set/intrusion-set--9538b1a4-4120-4e2d-bf59-3b11fcab05a4.json b/ics-attack/intrusion-set/intrusion-set--9538b1a4-4120-4e2d-bf59-3b11fcab05a4.json
index 207e3335f8..446ffe28e1 100644
--- a/ics-attack/intrusion-set/intrusion-set--9538b1a4-4120-4e2d-bf59-3b11fcab05a4.json
+++ b/ics-attack/intrusion-set/intrusion-set--9538b1a4-4120-4e2d-bf59-3b11fcab05a4.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--e7a6920b-b810-4bfd-960f-e4b3cd2bf530",
+ "id": "bundle--43e35cb8-5da4-4f96-b75a-5f72a6bc1977",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/intrusion-set/intrusion-set--c77c5576-ca19-42ed-a36f-4b4486a84133.json b/ics-attack/intrusion-set/intrusion-set--c77c5576-ca19-42ed-a36f-4b4486a84133.json
index 5cee995fca..8c5779feba 100644
--- a/ics-attack/intrusion-set/intrusion-set--c77c5576-ca19-42ed-a36f-4b4486a84133.json
+++ b/ics-attack/intrusion-set/intrusion-set--c77c5576-ca19-42ed-a36f-4b4486a84133.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--060e8c5d-957f-4efa-ae5a-e23f7288bd6f",
+ "id": "bundle--cd7deae8-c156-46ef-b0d7-5662568a6155",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/intrusion-set/intrusion-set--c93fccb1-e8e8-42cf-ae33-2ad1d183913a.json b/ics-attack/intrusion-set/intrusion-set--c93fccb1-e8e8-42cf-ae33-2ad1d183913a.json
index 0fd9f2616a..1ca74dc9a6 100644
--- a/ics-attack/intrusion-set/intrusion-set--c93fccb1-e8e8-42cf-ae33-2ad1d183913a.json
+++ b/ics-attack/intrusion-set/intrusion-set--c93fccb1-e8e8-42cf-ae33-2ad1d183913a.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--f509a7fd-3935-4c9d-9088-89cf1f6c188b",
+ "id": "bundle--726190c8-2555-4be3-b26c-9a98a916e6ac",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/intrusion-set/intrusion-set--dd2d9ca6-505b-4860-a604-233685b802c7.json b/ics-attack/intrusion-set/intrusion-set--dd2d9ca6-505b-4860-a604-233685b802c7.json
index 0fcd25904a..1374c47e27 100644
--- a/ics-attack/intrusion-set/intrusion-set--dd2d9ca6-505b-4860-a604-233685b802c7.json
+++ b/ics-attack/intrusion-set/intrusion-set--dd2d9ca6-505b-4860-a604-233685b802c7.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--a489db60-7969-4607-b317-1530763ac6ea",
+ "id": "bundle--2bcfa8ef-f394-49c0-9c73-f0ca0ff95405",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/intrusion-set/intrusion-set--f29b7c5e-2439-42ad-a86f-9f8984fafae3.json b/ics-attack/intrusion-set/intrusion-set--f29b7c5e-2439-42ad-a86f-9f8984fafae3.json
index 53e1761c07..9dbe46cb0a 100644
--- a/ics-attack/intrusion-set/intrusion-set--f29b7c5e-2439-42ad-a86f-9f8984fafae3.json
+++ b/ics-attack/intrusion-set/intrusion-set--f29b7c5e-2439-42ad-a86f-9f8984fafae3.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--1238fdf4-830c-44cc-9438-92a340832f57",
+ "id": "bundle--52f6b945-ddee-4955-a2d7-0a2d03d2b351",
 "spec_version": "2.0",
 "objects": [
 {
@@ -11,8 +11,8 @@
 "Spirlin"
 ],
 "x_mitre_domains": [
- "enterprise-attack",
- "ics-attack"
+ "ics-attack",
+ "enterprise-attack"
 ],
 "x_mitre_contributors": [
 "Dragos Threat Intelligence",
diff --git a/ics-attack/intrusion-set/intrusion-set--fbd29c89-18ba-4c2d-b792-51c0adee049f.json b/ics-attack/intrusion-set/intrusion-set--fbd29c89-18ba-4c2d-b792-51c0adee049f.json
index da831cff12..bd0edd31fe 100644
--- a/ics-attack/intrusion-set/intrusion-set--fbd29c89-18ba-4c2d-b792-51c0adee049f.json
+++ b/ics-attack/intrusion-set/intrusion-set--fbd29c89-18ba-4c2d-b792-51c0adee049f.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--7b01b695-33bb-4ed0-8c32-1156a956596a",
+ "id": "bundle--23881334-74c4-4442-8574-e90c8252ee71",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/malware/malware--00e7d565-9883-4ee5-b642-8fd17fd6a3f5.json b/ics-attack/malware/malware--00e7d565-9883-4ee5-b642-8fd17fd6a3f5.json
index a65519251a..4f9b1d7f9b 100644
--- a/ics-attack/malware/malware--00e7d565-9883-4ee5-b642-8fd17fd6a3f5.json
+++ b/ics-attack/malware/malware--00e7d565-9883-4ee5-b642-8fd17fd6a3f5.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--56ac82fb-8c87-43a0-aa19-9cb7101c4846",
+ "id": "bundle--45e859ba-ea06-4de5-aed8-88270af031e1",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/malware/malware--083bb47b-02c8-4423-81a2-f9ef58572974.json b/ics-attack/malware/malware--083bb47b-02c8-4423-81a2-f9ef58572974.json
index 6762aab7d1..d02f191f19 100644
--- a/ics-attack/malware/malware--083bb47b-02c8-4423-81a2-f9ef58572974.json
+++ b/ics-attack/malware/malware--083bb47b-02c8-4423-81a2-f9ef58572974.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--8265586e-dd3e-4280-9cda-9bc9ad9d95d3",
+ "id": "bundle--01a7be91-ddb5-404b-be19-fdbe6977599b",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/malware/malware--088f1d6e-0783-47c6-9923-9c79b2af43d4.json b/ics-attack/malware/malware--088f1d6e-0783-47c6-9923-9c79b2af43d4.json
index 91a95532e6..0a1425deca 100644
--- a/ics-attack/malware/malware--088f1d6e-0783-47c6-9923-9c79b2af43d4.json
+++ b/ics-attack/malware/malware--088f1d6e-0783-47c6-9923-9c79b2af43d4.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--9f91af89-85de-4a42-a11b-3ae1433d0d7f",
+ "id": "bundle--df096c4b-5902-45d1-9dbe-222d17d79ddf",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/malware/malware--1d8dccb3-e779-4702-aeb1-6627a22cc585.json b/ics-attack/malware/malware--1d8dccb3-e779-4702-aeb1-6627a22cc585.json
index 059e42ca88..f635c9b933 100644
--- a/ics-attack/malware/malware--1d8dccb3-e779-4702-aeb1-6627a22cc585.json
+++ b/ics-attack/malware/malware--1d8dccb3-e779-4702-aeb1-6627a22cc585.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--40541271-a878-49a4-a87e-0aaa0143ccba",
+ "id": "bundle--06baca04-515a-4e8e-8f2a-8207267ee774",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/malware/malware--242622ca-3903-43d5-8aa0-3bbdaa3020ec.json b/ics-attack/malware/malware--242622ca-3903-43d5-8aa0-3bbdaa3020ec.json
index 2632e3bb5a..589e51bcd2 100644
--- a/ics-attack/malware/malware--242622ca-3903-43d5-8aa0-3bbdaa3020ec.json
+++ b/ics-attack/malware/malware--242622ca-3903-43d5-8aa0-3bbdaa3020ec.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--f1f8ca22-7470-431a-b729-2a83d9027c94",
+ "id": "bundle--91a25ef8-7d88-494e-91a6-c31eb84f8665",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/malware/malware--2eaa5319-5e1e-4dd7-bbc4-566fced3964a.json b/ics-attack/malware/malware--2eaa5319-5e1e-4dd7-bbc4-566fced3964a.json
index 5672086330..eb9ae32ab6 100644
--- a/ics-attack/malware/malware--2eaa5319-5e1e-4dd7-bbc4-566fced3964a.json
+++ b/ics-attack/malware/malware--2eaa5319-5e1e-4dd7-bbc4-566fced3964a.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--7b11ca60-5fd7-499e-95d2-f51dec8e8877",
+ "id": "bundle--b6a38a34-d2cb-4353-acd2-cda6df256c8a",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/malware/malware--496bff4d-0700-4b28-b06f-f30a63002be7.json b/ics-attack/malware/malware--496bff4d-0700-4b28-b06f-f30a63002be7.json
index 98a1e28234..7a9bc40a6f 100644
--- a/ics-attack/malware/malware--496bff4d-0700-4b28-b06f-f30a63002be7.json
+++ b/ics-attack/malware/malware--496bff4d-0700-4b28-b06f-f30a63002be7.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--761270d4-d8e7-467c-aa32-76694f3e8b9c",
+ "id": "bundle--bdb20039-03e3-4541-97b1-39cc13e2cdec",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/malware/malware--49c04994-1035-4b58-89b7-cf8956e3b423.json b/ics-attack/malware/malware--49c04994-1035-4b58-89b7-cf8956e3b423.json
index db12d3e9b7..bc843d5259 100644
--- a/ics-attack/malware/malware--49c04994-1035-4b58-89b7-cf8956e3b423.json
+++ b/ics-attack/malware/malware--49c04994-1035-4b58-89b7-cf8956e3b423.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--a02119a7-3e7c-4e95-83a2-89a99652fb59",
+ "id": "bundle--d3f7364d-752a-425d-84e5-c78e44d2a2f7",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/malware/malware--4dcff507-5af8-47ce-964a-8d9569e9ccfe.json b/ics-attack/malware/malware--4dcff507-5af8-47ce-964a-8d9569e9ccfe.json
index 2d3e65767a..55ca2a20f4 100644
--- a/ics-attack/malware/malware--4dcff507-5af8-47ce-964a-8d9569e9ccfe.json
+++ b/ics-attack/malware/malware--4dcff507-5af8-47ce-964a-8d9569e9ccfe.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--a231156e-b46c-41f9-8867-6ff4aef0f7a0",
+ "id": "bundle--d87bf7c6-619a-4a1c-b478-c542f53e1d9b",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/malware/malware--54cc1d4f-5c53-4f0e-9ef5-11b4998e82e4.json b/ics-attack/malware/malware--54cc1d4f-5c53-4f0e-9ef5-11b4998e82e4.json
index 93d6f2c094..825a7caf20 100644
--- a/ics-attack/malware/malware--54cc1d4f-5c53-4f0e-9ef5-11b4998e82e4.json
+++ b/ics-attack/malware/malware--54cc1d4f-5c53-4f0e-9ef5-11b4998e82e4.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--a110dbb2-94d1-4d59-8f3f-8867ffbe8d6e",
+ "id": "bundle--e272bc6f-ca30-4f96-892e-27d118b77bc1",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/malware/malware--5719af9d-6b16-46f9-9b28-fb019541ddbb.json b/ics-attack/malware/malware--5719af9d-6b16-46f9-9b28-fb019541ddbb.json
index 6501d980f2..bd171d7ccd 100644
--- a/ics-attack/malware/malware--5719af9d-6b16-46f9-9b28-fb019541ddbb.json
+++ b/ics-attack/malware/malware--5719af9d-6b16-46f9-9b28-fb019541ddbb.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--d12185d0-fb26-4c23-8a9a-dd6f4733f675",
+ "id": "bundle--958f6cf5-aefe-497b-a270-363401fa21ee",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/malware/malware--58eddbaf-7416-419a-ad7b-e65b9d4c3b55.json b/ics-attack/malware/malware--58eddbaf-7416-419a-ad7b-e65b9d4c3b55.json
index fb59851cd8..2448a0cd9a 100644
--- a/ics-attack/malware/malware--58eddbaf-7416-419a-ad7b-e65b9d4c3b55.json
+++ b/ics-attack/malware/malware--58eddbaf-7416-419a-ad7b-e65b9d4c3b55.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--e674ea42-3e9a-4253-874a-3145b4208826",
+ "id": "bundle--ebcbad18-807a-4804-97c6-87c266ca7f8b",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/malware/malware--5af7a825-2d9f-400d-931a-e00eb9e27f48.json b/ics-attack/malware/malware--5af7a825-2d9f-400d-931a-e00eb9e27f48.json
index c5b74b94cd..87dc8f921e 100644
--- a/ics-attack/malware/malware--5af7a825-2d9f-400d-931a-e00eb9e27f48.json
+++ b/ics-attack/malware/malware--5af7a825-2d9f-400d-931a-e00eb9e27f48.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--12bdcdb8-410c-4f79-8816-835f3c28d10e",
+ "id": "bundle--bfc401df-6772-4e5e-84cc-b2f459494e57",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/malware/malware--6108f800-10b8-4090-944e-be579f01263d.json b/ics-attack/malware/malware--6108f800-10b8-4090-944e-be579f01263d.json
index 67866b4331..d8778e0d04 100644
--- a/ics-attack/malware/malware--6108f800-10b8-4090-944e-be579f01263d.json
+++ b/ics-attack/malware/malware--6108f800-10b8-4090-944e-be579f01263d.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--68964979-1414-4d58-9458-80621586ae25",
+ "id": "bundle--80e0e78c-1ddb-4fe1-abb7-b28e41be56dc",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/malware/malware--68dca94f-c11d-421e-9287-7c501108e18c.json b/ics-attack/malware/malware--68dca94f-c11d-421e-9287-7c501108e18c.json
index 4021a1913a..102d57b592 100644
--- a/ics-attack/malware/malware--68dca94f-c11d-421e-9287-7c501108e18c.json
+++ b/ics-attack/malware/malware--68dca94f-c11d-421e-9287-7c501108e18c.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--815b9b33-b9db-4976-9f55-e62199acd8e6",
+ "id": "bundle--7a1cfc37-b44f-4e1e-bda3-671f03015735",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/malware/malware--736a3b71-eccc-48b7-b5ed-adb2b74ca830.json b/ics-attack/malware/malware--736a3b71-eccc-48b7-b5ed-adb2b74ca830.json
index 52d89133ae..d34060af5b 100644
--- a/ics-attack/malware/malware--736a3b71-eccc-48b7-b5ed-adb2b74ca830.json
+++ b/ics-attack/malware/malware--736a3b71-eccc-48b7-b5ed-adb2b74ca830.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--7fe09781-1fed-4ee4-881a-b8e2ac3e4158",
+ "id": "bundle--6080c3ce-4bf0-42c3-ae1a-ffe6dea9d225",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/malware/malware--75ecdbf1-c2bb-4afc-a3f9-c8da4de8c661.json b/ics-attack/malware/malware--75ecdbf1-c2bb-4afc-a3f9-c8da4de8c661.json
index 9a16c38811..7152be0fff 100644
--- a/ics-attack/malware/malware--75ecdbf1-c2bb-4afc-a3f9-c8da4de8c661.json
+++ b/ics-attack/malware/malware--75ecdbf1-c2bb-4afc-a3f9-c8da4de8c661.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--be75e20c-585f-46e2-a20e-cde4fcb1442f",
+ "id": "bundle--638d30a0-73f5-414c-ac5f-395e1aa5b96b",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/malware/malware--80099a91-4c86-4bea-9ccb-dac55d61960e.json b/ics-attack/malware/malware--80099a91-4c86-4bea-9ccb-dac55d61960e.json
index 49170fd283..2fdaf4a9ba 100644
--- a/ics-attack/malware/malware--80099a91-4c86-4bea-9ccb-dac55d61960e.json
+++ b/ics-attack/malware/malware--80099a91-4c86-4bea-9ccb-dac55d61960e.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--c4345ae0-fe55-4c93-9a78-4859299ff254",
+ "id": "bundle--c9a72ec5-ec52-4524-a1ed-40c88f3c0c13",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/malware/malware--89ab0ca5-f7e0-4d16-bf2a-17d68117fa4b.json b/ics-attack/malware/malware--89ab0ca5-f7e0-4d16-bf2a-17d68117fa4b.json
index 0c4a9952bb..ce377d178d 100644
--- a/ics-attack/malware/malware--89ab0ca5-f7e0-4d16-bf2a-17d68117fa4b.json
+++ b/ics-attack/malware/malware--89ab0ca5-f7e0-4d16-bf2a-17d68117fa4b.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--d9e7d268-5b68-4499-beb0-094ef6c9c333",
+ "id": "bundle--83db5a67-c977-4c1b-827d-34b59cb79bd2",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/malware/malware--9e3c9495-5fbd-4676-b3ac-ddecceb57b8f.json b/ics-attack/malware/malware--9e3c9495-5fbd-4676-b3ac-ddecceb57b8f.json
index 9c2970e526..2684989229 100644
--- a/ics-attack/malware/malware--9e3c9495-5fbd-4676-b3ac-ddecceb57b8f.json
+++ b/ics-attack/malware/malware--9e3c9495-5fbd-4676-b3ac-ddecceb57b8f.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--eba55acf-0836-441c-a534-44183afee971",
+ "id": "bundle--b0205224-dd64-408b-969f-0cb35296a266",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/malware/malware--a020a61c-423f-4195-8c46-ba1d21abba37.json b/ics-attack/malware/malware--a020a61c-423f-4195-8c46-ba1d21abba37.json
index 306ff6819f..3d5dc39131 100644
--- a/ics-attack/malware/malware--a020a61c-423f-4195-8c46-ba1d21abba37.json
+++ b/ics-attack/malware/malware--a020a61c-423f-4195-8c46-ba1d21abba37.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--927f9f08-d646-423d-8327-25d64a0425b3",
+ "id": "bundle--c8e802c5-6469-42b3-b3d2-2170019b4243",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/malware/malware--a4a98eab-b691-45d9-8c48-869ef8fefd57.json b/ics-attack/malware/malware--a4a98eab-b691-45d9-8c48-869ef8fefd57.json
index 659692fd59..6e1bcb151b 100644
--- a/ics-attack/malware/malware--a4a98eab-b691-45d9-8c48-869ef8fefd57.json
+++ b/ics-attack/malware/malware--a4a98eab-b691-45d9-8c48-869ef8fefd57.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--4d7a601f-740f-4131-af7c-754149c24d26",
+ "id": "bundle--e1eb319a-6aa5-4321-b2f1-549fb55ab58e",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/malware/malware--ac61f1f9-7bb1-465e-9b8a-c2ce8e88baf5.json b/ics-attack/malware/malware--ac61f1f9-7bb1-465e-9b8a-c2ce8e88baf5.json
index 49b2f435d3..71373de400 100644
--- a/ics-attack/malware/malware--ac61f1f9-7bb1-465e-9b8a-c2ce8e88baf5.json
+++ b/ics-attack/malware/malware--ac61f1f9-7bb1-465e-9b8a-c2ce8e88baf5.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--bf727166-43b2-4c27-a2a5-8f2dd0477960",
+ "id": "bundle--7187680a-c101-48d3-827d-7e6c1834d209",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/malware/malware--d3aa1058-b1b3-4c29-a3ba-9a9b90ccd93b.json b/ics-attack/malware/malware--d3aa1058-b1b3-4c29-a3ba-9a9b90ccd93b.json
index 84e42e4310..cee0f365e6 100644
--- a/ics-attack/malware/malware--d3aa1058-b1b3-4c29-a3ba-9a9b90ccd93b.json
+++ b/ics-attack/malware/malware--d3aa1058-b1b3-4c29-a3ba-9a9b90ccd93b.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--719432a1-73cb-40f4-8134-6decf145835f",
+ "id": "bundle--4ff81e94-bf35-42a8-883d-e9d7507fa7b7",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/malware/malware--e221eb77-1502-4129-af1d-fe1ad55e7ec6.json b/ics-attack/malware/malware--e221eb77-1502-4129-af1d-fe1ad55e7ec6.json
index 28a2ddf933..6f578296ba 100644
--- a/ics-attack/malware/malware--e221eb77-1502-4129-af1d-fe1ad55e7ec6.json
+++ b/ics-attack/malware/malware--e221eb77-1502-4129-af1d-fe1ad55e7ec6.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--d3bdfe28-69a9-4cad-b270-b5ee29b85c7e",
+ "id": "bundle--2d3a20ba-e597-4e8d-a1eb-2230a86accee",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/malware/malware--e401d4fe-f0c9-44f0-98e6-f93487678808.json b/ics-attack/malware/malware--e401d4fe-f0c9-44f0-98e6-f93487678808.json
index 9e2ede67b2..5c345d000f 100644
--- a/ics-attack/malware/malware--e401d4fe-f0c9-44f0-98e6-f93487678808.json
+++ b/ics-attack/malware/malware--e401d4fe-f0c9-44f0-98e6-f93487678808.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--f943589f-95ea-4659-aea6-55a5909dbc6a",
+ "id": "bundle--c67c52de-8ff4-4778-9aab-58da38828065",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/malware/malware--ff6840c9-4c87-4d07-bbb6-9f50aa33d498.json b/ics-attack/malware/malware--ff6840c9-4c87-4d07-bbb6-9f50aa33d498.json
index 8a9c744712..7b60568234 100644
--- a/ics-attack/malware/malware--ff6840c9-4c87-4d07-bbb6-9f50aa33d498.json
+++ b/ics-attack/malware/malware--ff6840c9-4c87-4d07-bbb6-9f50aa33d498.json
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--31dd5f8a-caa6-46f7-b6da-c9883194f944", + "id": "bundle--2a032994-4aa9-4c64-aa40-6586f182de10", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/marking-definition/marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168.json b/ics-attack/marking-definition/marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168.json index c3055cfd75..82209caefb 100644 --- a/ics-attack/marking-definition/marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168.json +++ b/ics-attack/marking-definition/marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--3cbba8e1-5a6d-418b-9ea7-c67e9ab2c80e", + "id": "bundle--e5f47e91-b7d9-4a16-9226-6df4e52ed70c", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--00b98fa6-4913-40a4-8920-befed8621c41.json b/ics-attack/relationship/relationship--00b98fa6-4913-40a4-8920-befed8621c41.json index 91deee8c3d..94b7f4fb90 100644 --- a/ics-attack/relationship/relationship--00b98fa6-4913-40a4-8920-befed8621c41.json +++ b/ics-attack/relationship/relationship--00b98fa6-4913-40a4-8920-befed8621c41.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--19b88717-a6d9-49d2-8d31-bb986432cf4e", + "id": "bundle--e1f5dffb-373b-42ba-99d1-b03c08e87f84", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--00e6c22b-9275-4039-b6d4-2ac0680325d6.json b/ics-attack/relationship/relationship--00e6c22b-9275-4039-b6d4-2ac0680325d6.json index ae85204ee4..c430b114af 100644 --- a/ics-attack/relationship/relationship--00e6c22b-9275-4039-b6d4-2ac0680325d6.json +++ b/ics-attack/relationship/relationship--00e6c22b-9275-4039-b6d4-2ac0680325d6.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--30083ba1-fdf8-4f95-affa-c845e0fbe419", + "id": "bundle--5988a40c-5e22-46d6-bb81-15f9eeebb941", "spec_version": "2.0", "objects": [ { 
diff --git a/ics-attack/relationship/relationship--01b4a92f-da42-4dfa-8d59-53709b65940e.json b/ics-attack/relationship/relationship--01b4a92f-da42-4dfa-8d59-53709b65940e.json index 7f6765fbc6..f1d5a4f1fd 100644 --- a/ics-attack/relationship/relationship--01b4a92f-da42-4dfa-8d59-53709b65940e.json +++ b/ics-attack/relationship/relationship--01b4a92f-da42-4dfa-8d59-53709b65940e.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--75f43214-1f4b-4f8d-8c4b-2ca8883db4b8", + "id": "bundle--02f00b17-fc49-4930-83e4-b88cd0bbf0f5", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--0278ddbc-67d5-444d-8082-bf9974dee920.json b/ics-attack/relationship/relationship--0278ddbc-67d5-444d-8082-bf9974dee920.json index d3c7bb70ca..cbab127ab1 100644 --- a/ics-attack/relationship/relationship--0278ddbc-67d5-444d-8082-bf9974dee920.json +++ b/ics-attack/relationship/relationship--0278ddbc-67d5-444d-8082-bf9974dee920.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--27cb1365-7db9-44e1-aae2-5b2c8ab87c2d", + "id": "bundle--b5bb14cc-b523-4383-ad02-3465f450d0de", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--028a3bcc-f299-4061-a0f2-8da85e0a3c81.json b/ics-attack/relationship/relationship--028a3bcc-f299-4061-a0f2-8da85e0a3c81.json index f615061fd6..aba27a4703 100644 --- a/ics-attack/relationship/relationship--028a3bcc-f299-4061-a0f2-8da85e0a3c81.json +++ b/ics-attack/relationship/relationship--028a3bcc-f299-4061-a0f2-8da85e0a3c81.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--234fc14f-d113-4271-83f7-cd6aedf87337", + "id": "bundle--6908aa60-143c-4d7b-a212-99a0b3bebe8b", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--03a9cdc7-3cc5-43e3-9a9c-97d1c4310e35.json b/ics-attack/relationship/relationship--03a9cdc7-3cc5-43e3-9a9c-97d1c4310e35.json index 13884b1096..c53cb70549 100644 
--- a/ics-attack/relationship/relationship--03a9cdc7-3cc5-43e3-9a9c-97d1c4310e35.json +++ b/ics-attack/relationship/relationship--03a9cdc7-3cc5-43e3-9a9c-97d1c4310e35.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--48c9f2ff-48c6-4708-b660-bd522d7adeee", + "id": "bundle--d46bd04d-64a7-42f6-8b42-9e14a5404345", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--03ad6a9a-4443-4e33-a7a5-933e22f2e022.json b/ics-attack/relationship/relationship--03ad6a9a-4443-4e33-a7a5-933e22f2e022.json index dd97346acf..ff9ec338a6 100644 --- a/ics-attack/relationship/relationship--03ad6a9a-4443-4e33-a7a5-933e22f2e022.json +++ b/ics-attack/relationship/relationship--03ad6a9a-4443-4e33-a7a5-933e22f2e022.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--b5a1ed01-e627-4ca5-a0f8-f310ab63bb82", + "id": "bundle--8bacc75f-aa09-4b41-9093-49476592e6b6", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--03d44496-7a15-4e23-820f-b6f1079dbbd3.json b/ics-attack/relationship/relationship--03d44496-7a15-4e23-820f-b6f1079dbbd3.json index c0d7661a68..d1b399956b 100644 --- a/ics-attack/relationship/relationship--03d44496-7a15-4e23-820f-b6f1079dbbd3.json +++ b/ics-attack/relationship/relationship--03d44496-7a15-4e23-820f-b6f1079dbbd3.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--d8d9213f-60ae-483c-bc84-98c80abffae6", + "id": "bundle--8b358cb9-4087-496d-b9a9-f84c50588ee0", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--042243fd-bfe0-4961-96de-a36232d3ff74.json b/ics-attack/relationship/relationship--042243fd-bfe0-4961-96de-a36232d3ff74.json index 019e756417..1ed5c5f27c 100644 --- a/ics-attack/relationship/relationship--042243fd-bfe0-4961-96de-a36232d3ff74.json +++ b/ics-attack/relationship/relationship--042243fd-bfe0-4961-96de-a36232d3ff74.json 
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--8a803c6c-8ae4-4bcb-a4af-ed93b8f8ad86", + "id": "bundle--d78256c7-b2f9-47a7-a1c1-682cd14dde83", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--04882fef-2a6b-40d0-a101-da9c76a3572e.json b/ics-attack/relationship/relationship--04882fef-2a6b-40d0-a101-da9c76a3572e.json index f2f239ebe3..9bbc6ea5c7 100644 --- a/ics-attack/relationship/relationship--04882fef-2a6b-40d0-a101-da9c76a3572e.json +++ b/ics-attack/relationship/relationship--04882fef-2a6b-40d0-a101-da9c76a3572e.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--8fbdd193-8ecb-4dcd-9312-391b61f48353", + "id": "bundle--4e7891d4-2b45-4b6b-a553-1e23981da869", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--0491ef92-2941-4841-9fe6-2e1809788b52.json b/ics-attack/relationship/relationship--0491ef92-2941-4841-9fe6-2e1809788b52.json index 2f52bc08bc..7b46d76bd9 100644 --- a/ics-attack/relationship/relationship--0491ef92-2941-4841-9fe6-2e1809788b52.json +++ b/ics-attack/relationship/relationship--0491ef92-2941-4841-9fe6-2e1809788b52.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--4b166eb1-55c7-4cf3-9c2a-4d6502b869ef", + "id": "bundle--38ceb47a-ca1d-481c-9c20-629819b99842", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--04bf72de-75ba-4d95-ad24-f93ad835180c.json b/ics-attack/relationship/relationship--04bf72de-75ba-4d95-ad24-f93ad835180c.json index 532ee9c9c2..4a0438e2d0 100644 --- a/ics-attack/relationship/relationship--04bf72de-75ba-4d95-ad24-f93ad835180c.json +++ b/ics-attack/relationship/relationship--04bf72de-75ba-4d95-ad24-f93ad835180c.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--a15d1be4-a591-4b3e-be86-44fcefdf17e9", + "id": "bundle--678d4faf-d957-4012-997e-ceab26b1c0c9", "spec_version": "2.0", "objects": [ { 
diff --git a/ics-attack/relationship/relationship--04fa6b94-d633-40ff-9ab2-88f58c07c3e1.json b/ics-attack/relationship/relationship--04fa6b94-d633-40ff-9ab2-88f58c07c3e1.json index 1ca3651831..b7f22373f5 100644 --- a/ics-attack/relationship/relationship--04fa6b94-d633-40ff-9ab2-88f58c07c3e1.json +++ b/ics-attack/relationship/relationship--04fa6b94-d633-40ff-9ab2-88f58c07c3e1.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--1c74d1e6-eeb1-41da-bf4c-de832984da70", + "id": "bundle--c644dc7e-2fdc-4c93-8598-3d928bcb5019", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--058396ca-3af4-444b-b261-74485c47e68c.json b/ics-attack/relationship/relationship--058396ca-3af4-444b-b261-74485c47e68c.json index 2b9e0a7ee5..af454fabbf 100644 --- a/ics-attack/relationship/relationship--058396ca-3af4-444b-b261-74485c47e68c.json +++ b/ics-attack/relationship/relationship--058396ca-3af4-444b-b261-74485c47e68c.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--fdadf8dc-2a89-43a0-936c-1fb41b3a352c", + "id": "bundle--1283d4c8-11fe-48c2-b121-662f53266d06", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--064dfd6f-db5d-48e8-b350-9dd47a270911.json b/ics-attack/relationship/relationship--064dfd6f-db5d-48e8-b350-9dd47a270911.json index 9f46308d53..fadf927812 100644 --- a/ics-attack/relationship/relationship--064dfd6f-db5d-48e8-b350-9dd47a270911.json +++ b/ics-attack/relationship/relationship--064dfd6f-db5d-48e8-b350-9dd47a270911.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--bbcc468e-0e17-4dad-ab0a-6359caacb44f", + "id": "bundle--b046dfbe-cfab-4088-8f9a-b11f8342fee2", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--067932c3-0011-4ca2-9bbe-721c631e4e41.json b/ics-attack/relationship/relationship--067932c3-0011-4ca2-9bbe-721c631e4e41.json index 9f708f5a44..87c26351a9 100644 
--- a/ics-attack/relationship/relationship--067932c3-0011-4ca2-9bbe-721c631e4e41.json +++ b/ics-attack/relationship/relationship--067932c3-0011-4ca2-9bbe-721c631e4e41.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--c6be940c-e19b-4371-8dbd-a49292145fb6", + "id": "bundle--a49a9397-8e0d-455c-a53a-d12d1899a43e", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--06c663f8-fcf1-47eb-ab79-284e93eafa6b.json b/ics-attack/relationship/relationship--06c663f8-fcf1-47eb-ab79-284e93eafa6b.json index d43a64052e..8d480f8cfe 100644 --- a/ics-attack/relationship/relationship--06c663f8-fcf1-47eb-ab79-284e93eafa6b.json +++ b/ics-attack/relationship/relationship--06c663f8-fcf1-47eb-ab79-284e93eafa6b.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--e0e3dd5a-a596-4a6e-9e14-fab7f8588948", + "id": "bundle--4ca9662e-dc6c-43cf-8d9b-2587333669ce", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--06f15629-d050-434a-aed1-3bb3f90c97b2.json b/ics-attack/relationship/relationship--06f15629-d050-434a-aed1-3bb3f90c97b2.json index 4debbd54da..fb71a3a989 100644 --- a/ics-attack/relationship/relationship--06f15629-d050-434a-aed1-3bb3f90c97b2.json +++ b/ics-attack/relationship/relationship--06f15629-d050-434a-aed1-3bb3f90c97b2.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--1e9be55c-cd18-4561-b441-e80beac64c28", + "id": "bundle--28845d7d-45cd-4853-b78b-810239f33cdd", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--06fc6ec4-7857-4f59-9bbf-df373152bcfd.json b/ics-attack/relationship/relationship--06fc6ec4-7857-4f59-9bbf-df373152bcfd.json index 5953823235..05d477c3ec 100644 --- a/ics-attack/relationship/relationship--06fc6ec4-7857-4f59-9bbf-df373152bcfd.json +++ b/ics-attack/relationship/relationship--06fc6ec4-7857-4f59-9bbf-df373152bcfd.json 
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--fc2253ca-7b08-4fc0-84b8-01a7c13be56c", + "id": "bundle--71c11ae9-cf88-4d67-a9d6-73beb29b4474", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--07f4d65d-4572-450f-8cb2-908fee97bd67.json b/ics-attack/relationship/relationship--07f4d65d-4572-450f-8cb2-908fee97bd67.json index a06490c7f8..141f66e36d 100644 --- a/ics-attack/relationship/relationship--07f4d65d-4572-450f-8cb2-908fee97bd67.json +++ b/ics-attack/relationship/relationship--07f4d65d-4572-450f-8cb2-908fee97bd67.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--3e638c75-0b98-4a64-926f-7dabdeb04092", + "id": "bundle--6c4aaad6-6bee-4be6-937a-dfeb7af1890c", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--08302021-aacf-428f-a0ce-e1034d925fb0.json b/ics-attack/relationship/relationship--08302021-aacf-428f-a0ce-e1034d925fb0.json index 406c7ca06c..add0c973a6 100644 --- a/ics-attack/relationship/relationship--08302021-aacf-428f-a0ce-e1034d925fb0.json +++ b/ics-attack/relationship/relationship--08302021-aacf-428f-a0ce-e1034d925fb0.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--fb875435-d60b-46d7-acdc-70c4a3470d40", + "id": "bundle--0af4e65f-a382-4a86-80b1-4947ae4c6579", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--088580e9-ccea-426e-9411-c1de60de650d.json b/ics-attack/relationship/relationship--088580e9-ccea-426e-9411-c1de60de650d.json index c7489f7c5e..66de2f2142 100644 --- a/ics-attack/relationship/relationship--088580e9-ccea-426e-9411-c1de60de650d.json +++ b/ics-attack/relationship/relationship--088580e9-ccea-426e-9411-c1de60de650d.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--cacb8957-5a0f-47be-bb44-7472a774339f", + "id": "bundle--51d35ce2-1ef4-4f42-b7e9-049e181bfc61", "spec_version": "2.0", "objects": [ { 
diff --git a/ics-attack/relationship/relationship--08a4f730-bc3f-4050-973f-1ef2847db4e7.json b/ics-attack/relationship/relationship--08a4f730-bc3f-4050-973f-1ef2847db4e7.json index 3ca12aa9f0..97ca8aafaa 100644 --- a/ics-attack/relationship/relationship--08a4f730-bc3f-4050-973f-1ef2847db4e7.json +++ b/ics-attack/relationship/relationship--08a4f730-bc3f-4050-973f-1ef2847db4e7.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--3ad9639b-fe07-4b52-bc3d-e059281e8d6a", + "id": "bundle--b0e39726-c090-4477-ade5-34732366d371", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--09977105-562f-4f45-a151-27a11a18031e.json b/ics-attack/relationship/relationship--09977105-562f-4f45-a151-27a11a18031e.json index 318f40c848..65154251ce 100644 --- a/ics-attack/relationship/relationship--09977105-562f-4f45-a151-27a11a18031e.json +++ b/ics-attack/relationship/relationship--09977105-562f-4f45-a151-27a11a18031e.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--b672cf04-f955-428c-8f48-b59972480d76", + "id": "bundle--e97ad481-a014-45dc-b661-2dea7917f7e6", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--09fe4b04-b1d2-492c-9b10-59b94807ccf9.json b/ics-attack/relationship/relationship--09fe4b04-b1d2-492c-9b10-59b94807ccf9.json index f391328422..bcc392aa97 100644 --- a/ics-attack/relationship/relationship--09fe4b04-b1d2-492c-9b10-59b94807ccf9.json +++ b/ics-attack/relationship/relationship--09fe4b04-b1d2-492c-9b10-59b94807ccf9.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--c0583ba2-9aff-4587-a1e7-161cb0ce8d25", + "id": "bundle--49c0f45f-6bbc-4b64-8696-4f003d70353a", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--0a5d2136-e1f5-4a54-be64-a558f918bf0d.json b/ics-attack/relationship/relationship--0a5d2136-e1f5-4a54-be64-a558f918bf0d.json index 30001485aa..8767185fa9 100644 
--- a/ics-attack/relationship/relationship--0a5d2136-e1f5-4a54-be64-a558f918bf0d.json +++ b/ics-attack/relationship/relationship--0a5d2136-e1f5-4a54-be64-a558f918bf0d.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--408b05ac-ebe4-4d1e-9b55-b3a52a254160", + "id": "bundle--26fb70da-4773-4fff-82fc-4c02d32c2648", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--0b7f643e-8975-4998-acbb-7405fa944a68.json b/ics-attack/relationship/relationship--0b7f643e-8975-4998-acbb-7405fa944a68.json index 58d75f50d3..7834bc0305 100644 --- a/ics-attack/relationship/relationship--0b7f643e-8975-4998-acbb-7405fa944a68.json +++ b/ics-attack/relationship/relationship--0b7f643e-8975-4998-acbb-7405fa944a68.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--32b2543b-a385-4d4b-a058-d0b973255e24", + "id": "bundle--23c1cfd1-25f7-41dc-857c-b6107b84841d", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--0beb0088-3bea-4612-b2d9-ff9988f829ae.json b/ics-attack/relationship/relationship--0beb0088-3bea-4612-b2d9-ff9988f829ae.json index e2585b0b7d..ae70fad8c5 100644 --- a/ics-attack/relationship/relationship--0beb0088-3bea-4612-b2d9-ff9988f829ae.json +++ b/ics-attack/relationship/relationship--0beb0088-3bea-4612-b2d9-ff9988f829ae.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--57af8df6-561f-45d9-9368-cab88f83d89c", + "id": "bundle--d62011ad-4d5d-438a-a5c3-d39764df8b00", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--0c1fe5fc-3bdc-4d0e-94a0-6564f2ce4444.json b/ics-attack/relationship/relationship--0c1fe5fc-3bdc-4d0e-94a0-6564f2ce4444.json index 902376579c..6387ef3c31 100644 --- a/ics-attack/relationship/relationship--0c1fe5fc-3bdc-4d0e-94a0-6564f2ce4444.json +++ b/ics-attack/relationship/relationship--0c1fe5fc-3bdc-4d0e-94a0-6564f2ce4444.json 
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--4f7a3e49-4958-4bd1-a5e6-f133ad61f1f4", + "id": "bundle--d578dde4-f440-4947-b7ee-9f214bd5097a", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--0c284ce0-0be2-4164-b686-7c383b246aec.json b/ics-attack/relationship/relationship--0c284ce0-0be2-4164-b686-7c383b246aec.json index 8dabcc46d7..db0ef15bfd 100644 --- a/ics-attack/relationship/relationship--0c284ce0-0be2-4164-b686-7c383b246aec.json +++ b/ics-attack/relationship/relationship--0c284ce0-0be2-4164-b686-7c383b246aec.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--b2122bdb-a143-497f-ab21-4dbe20cbf7e8", + "id": "bundle--84dffcac-eb69-4993-b2ff-286d4404062a", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--0c4aaf6c-4b72-401f-950b-6d65ceb1267a.json b/ics-attack/relationship/relationship--0c4aaf6c-4b72-401f-950b-6d65ceb1267a.json index 71b401a8f6..009e5e05b6 100644 --- a/ics-attack/relationship/relationship--0c4aaf6c-4b72-401f-950b-6d65ceb1267a.json +++ b/ics-attack/relationship/relationship--0c4aaf6c-4b72-401f-950b-6d65ceb1267a.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--950eb65a-1cce-4c90-970f-7fbe72e428aa", + "id": "bundle--b43e1825-65b2-43fa-8256-a0c27717ea10", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--0c9ed09d-4ce3-4e65-845a-c21dcc5d956f.json b/ics-attack/relationship/relationship--0c9ed09d-4ce3-4e65-845a-c21dcc5d956f.json index 37a2cc9317..eca6930560 100644 --- a/ics-attack/relationship/relationship--0c9ed09d-4ce3-4e65-845a-c21dcc5d956f.json +++ b/ics-attack/relationship/relationship--0c9ed09d-4ce3-4e65-845a-c21dcc5d956f.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--70b1136b-7a1d-4dfc-9cc8-a45be84e7d48", + "id": "bundle--e94b4cd6-e068-4294-a475-7ba68bb1bb7d", "spec_version": "2.0", "objects": [ { 
diff --git a/ics-attack/relationship/relationship--0d305450-d5ca-46fe-8583-36c983dd0a88.json b/ics-attack/relationship/relationship--0d305450-d5ca-46fe-8583-36c983dd0a88.json index 70b57b2526..e552754fd0 100644 --- a/ics-attack/relationship/relationship--0d305450-d5ca-46fe-8583-36c983dd0a88.json +++ b/ics-attack/relationship/relationship--0d305450-d5ca-46fe-8583-36c983dd0a88.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--b9883728-d450-4106-8908-249be6158772", + "id": "bundle--2e43471b-acb4-4d00-b893-bc4506d9200f", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--0d4f2f88-e176-42c7-8258-52b345045662.json b/ics-attack/relationship/relationship--0d4f2f88-e176-42c7-8258-52b345045662.json index 8b0710509e..7e1f16c0b9 100644 --- a/ics-attack/relationship/relationship--0d4f2f88-e176-42c7-8258-52b345045662.json +++ b/ics-attack/relationship/relationship--0d4f2f88-e176-42c7-8258-52b345045662.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--e9d770e6-41b2-4f59-9bcd-d9e8944062d3", + "id": "bundle--6ccb1b09-cdd8-4e0e-9b87-70a034dc5377", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--0d540b53-6a5d-4f56-9dee-47707443b149.json b/ics-attack/relationship/relationship--0d540b53-6a5d-4f56-9dee-47707443b149.json index 40d127151f..2c85ef1d73 100644 --- a/ics-attack/relationship/relationship--0d540b53-6a5d-4f56-9dee-47707443b149.json +++ b/ics-attack/relationship/relationship--0d540b53-6a5d-4f56-9dee-47707443b149.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--18f7b69e-ac6d-4a97-b935-5fb356d03578", + "id": "bundle--ae53d165-6759-4e12-a057-be157492f716", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--0dca1f7d-9965-467a-bea5-b8baa7c8b9fc.json b/ics-attack/relationship/relationship--0dca1f7d-9965-467a-bea5-b8baa7c8b9fc.json index efd0efd64f..41be8dcc93 100644 
--- a/ics-attack/relationship/relationship--0dca1f7d-9965-467a-bea5-b8baa7c8b9fc.json +++ b/ics-attack/relationship/relationship--0dca1f7d-9965-467a-bea5-b8baa7c8b9fc.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--2b29d6fe-c2ae-4fe9-a377-6a922faa08e1", + "id": "bundle--fb45e84d-bac3-4027-a8b2-956d4184e3ec", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--0df0cb6d-0067-48b2-a33e-495415713ab7.json b/ics-attack/relationship/relationship--0df0cb6d-0067-48b2-a33e-495415713ab7.json index b68ee1a4e2..12a7dfd2be 100644 --- a/ics-attack/relationship/relationship--0df0cb6d-0067-48b2-a33e-495415713ab7.json +++ b/ics-attack/relationship/relationship--0df0cb6d-0067-48b2-a33e-495415713ab7.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--7f0ac7c5-736f-411a-b9dc-ad22c1a2dd95", + "id": "bundle--15f8e1de-cdfc-47d3-9262-ef6502675c0c", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--0e275c19-7688-47f8-8cd5-85eaacec465b.json b/ics-attack/relationship/relationship--0e275c19-7688-47f8-8cd5-85eaacec465b.json index fd17b7a5dc..fec42ff5cf 100644 --- a/ics-attack/relationship/relationship--0e275c19-7688-47f8-8cd5-85eaacec465b.json +++ b/ics-attack/relationship/relationship--0e275c19-7688-47f8-8cd5-85eaacec465b.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--7a034c65-cb82-4052-85a1-e1d4a6c039cf", + "id": "bundle--51146135-0665-4517-b1eb-032950dcc84f", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--0e29f62d-4ffc-47ec-9623-72f874fbe905.json b/ics-attack/relationship/relationship--0e29f62d-4ffc-47ec-9623-72f874fbe905.json index af595d93fa..6990def65a 100644 --- a/ics-attack/relationship/relationship--0e29f62d-4ffc-47ec-9623-72f874fbe905.json +++ b/ics-attack/relationship/relationship--0e29f62d-4ffc-47ec-9623-72f874fbe905.json 
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--83a06b41-3e82-4474-ac90-0128e08579a5", + "id": "bundle--3d570458-1094-4028-894c-6e9eb06fb2e5", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--0e4f272b-d744-4feb-9f3f-c24c3598538f.json b/ics-attack/relationship/relationship--0e4f272b-d744-4feb-9f3f-c24c3598538f.json index d8708866ff..3a63067c74 100644 --- a/ics-attack/relationship/relationship--0e4f272b-d744-4feb-9f3f-c24c3598538f.json +++ b/ics-attack/relationship/relationship--0e4f272b-d744-4feb-9f3f-c24c3598538f.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--f921d58f-de03-4a1f-b3e8-90f17ca07f4b", + "id": "bundle--0728e1d5-207d-4079-a607-c5cce8584fb3", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--0eb112f6-c1cb-4843-93f5-f668aa0e9bd8.json b/ics-attack/relationship/relationship--0eb112f6-c1cb-4843-93f5-f668aa0e9bd8.json index 69124269d6..94e0cd6557 100644 --- a/ics-attack/relationship/relationship--0eb112f6-c1cb-4843-93f5-f668aa0e9bd8.json +++ b/ics-attack/relationship/relationship--0eb112f6-c1cb-4843-93f5-f668aa0e9bd8.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--9ebf4452-bb18-4e14-91e0-9ddfe2db2700", + "id": "bundle--f9c03c2c-b958-4a6c-a747-02cd67e53fc3", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--0f18b876-b698-4f70-aa98-50e8b5a7eae2.json b/ics-attack/relationship/relationship--0f18b876-b698-4f70-aa98-50e8b5a7eae2.json index b4b33b3ea6..e11504f37c 100644 --- a/ics-attack/relationship/relationship--0f18b876-b698-4f70-aa98-50e8b5a7eae2.json +++ b/ics-attack/relationship/relationship--0f18b876-b698-4f70-aa98-50e8b5a7eae2.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--ccb678e2-6dcd-48fe-9a8d-12e58998c62f", + "id": "bundle--ae9f7f5d-924c-4d16-a82f-c671ace79429", "spec_version": "2.0", "objects": [ { 
diff --git a/ics-attack/relationship/relationship--0f8a6c14-1050-404a-bb6e-4fe107d5b6cd.json b/ics-attack/relationship/relationship--0f8a6c14-1050-404a-bb6e-4fe107d5b6cd.json index 00d77482e7..d14862754d 100644 --- a/ics-attack/relationship/relationship--0f8a6c14-1050-404a-bb6e-4fe107d5b6cd.json +++ b/ics-attack/relationship/relationship--0f8a6c14-1050-404a-bb6e-4fe107d5b6cd.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--5fa4e2ef-804b-4844-8d89-e1576d75bdfa", + "id": "bundle--6d4ab7e1-2eb6-4309-8bd7-48dbec9f7b75", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--0ff88ef7-44fd-4307-b381-2e0bc76ce83b.json b/ics-attack/relationship/relationship--0ff88ef7-44fd-4307-b381-2e0bc76ce83b.json index 5ad20381c9..09ab48b207 100644 --- a/ics-attack/relationship/relationship--0ff88ef7-44fd-4307-b381-2e0bc76ce83b.json +++ b/ics-attack/relationship/relationship--0ff88ef7-44fd-4307-b381-2e0bc76ce83b.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--9c9f25b1-aa1b-48d1-8631-dce2e03bb059", + "id": "bundle--9d1e293c-5b41-4ce4-930d-58bf21379593", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--0ffdee1a-1e83-4506-aba2-38c55812abb3.json b/ics-attack/relationship/relationship--0ffdee1a-1e83-4506-aba2-38c55812abb3.json index 55ea8739c2..0358b396d8 100644 --- a/ics-attack/relationship/relationship--0ffdee1a-1e83-4506-aba2-38c55812abb3.json +++ b/ics-attack/relationship/relationship--0ffdee1a-1e83-4506-aba2-38c55812abb3.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--871cdcb9-b463-4d00-900d-68293bc41258", + "id": "bundle--a8258e13-f99f-4979-9140-d99bddeced77", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--104b4f25-d0a9-41f6-94b3-fa85ee8b1523.json b/ics-attack/relationship/relationship--104b4f25-d0a9-41f6-94b3-fa85ee8b1523.json index fbe1210098..21d71e8a1e 100644 
--- a/ics-attack/relationship/relationship--104b4f25-d0a9-41f6-94b3-fa85ee8b1523.json +++ b/ics-attack/relationship/relationship--104b4f25-d0a9-41f6-94b3-fa85ee8b1523.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--43b6f7bb-7a03-410d-b159-774fad53c5ae", + "id": "bundle--d16e3e87-0d16-4d62-b743-fda7f99e1906", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--10626671-941d-4a82-a835-56059058ef87.json b/ics-attack/relationship/relationship--10626671-941d-4a82-a835-56059058ef87.json index 6d7bef81e5..4c029f6750 100644 --- a/ics-attack/relationship/relationship--10626671-941d-4a82-a835-56059058ef87.json +++ b/ics-attack/relationship/relationship--10626671-941d-4a82-a835-56059058ef87.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--b1d833b1-6d5b-40bb-a0fd-b2e5239975db", + "id": "bundle--1d871f69-78d0-47cc-b14c-4418a054b77b", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--107d9a23-991b-44f5-97f6-7f6983c7013a.json b/ics-attack/relationship/relationship--107d9a23-991b-44f5-97f6-7f6983c7013a.json index e3841e94b0..418a682089 100644 --- a/ics-attack/relationship/relationship--107d9a23-991b-44f5-97f6-7f6983c7013a.json +++ b/ics-attack/relationship/relationship--107d9a23-991b-44f5-97f6-7f6983c7013a.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--edbf697c-47cc-4e06-a5e2-277aa6c113d3", + "id": "bundle--09d1192f-ae62-4348-a106-388316a19d62", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--10e3816e-8ee2-4dcf-81b7-a22ec0b6fda5.json b/ics-attack/relationship/relationship--10e3816e-8ee2-4dcf-81b7-a22ec0b6fda5.json index 99b0e88d61..abe8fa3528 100644 --- a/ics-attack/relationship/relationship--10e3816e-8ee2-4dcf-81b7-a22ec0b6fda5.json +++ b/ics-attack/relationship/relationship--10e3816e-8ee2-4dcf-81b7-a22ec0b6fda5.json 
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--4686339b-dff0-470d-90dd-cdb7aaebefdc", + "id": "bundle--21214484-3a2f-4f66-981f-454bbc676737", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--10e87e4b-a231-42e3-a011-0031f8226936.json b/ics-attack/relationship/relationship--10e87e4b-a231-42e3-a011-0031f8226936.json index 1a5d3e737a..8d64b1a0a1 100644 --- a/ics-attack/relationship/relationship--10e87e4b-a231-42e3-a011-0031f8226936.json +++ b/ics-attack/relationship/relationship--10e87e4b-a231-42e3-a011-0031f8226936.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--2cbcad8d-31a0-4b8e-bf55-08cafcd3e0ac", + "id": "bundle--10f29fd2-cba2-4033-95c6-a6f9bf3d06e6", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--1110814e-81ff-4a23-9988-4b93e6f68a2b.json b/ics-attack/relationship/relationship--1110814e-81ff-4a23-9988-4b93e6f68a2b.json index 2af7e8292c..faa7199085 100644 --- a/ics-attack/relationship/relationship--1110814e-81ff-4a23-9988-4b93e6f68a2b.json +++ b/ics-attack/relationship/relationship--1110814e-81ff-4a23-9988-4b93e6f68a2b.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--27081311-f18c-419f-ad96-87ba93cf93a1", + "id": "bundle--899f2e26-750b-48fe-bce7-ce072023a82d", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--111f437a-c67d-40e4-9515-7e9b22e65eff.json b/ics-attack/relationship/relationship--111f437a-c67d-40e4-9515-7e9b22e65eff.json index 1a96c39d22..f847a68eba 100644 --- a/ics-attack/relationship/relationship--111f437a-c67d-40e4-9515-7e9b22e65eff.json +++ b/ics-attack/relationship/relationship--111f437a-c67d-40e4-9515-7e9b22e65eff.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--3ad45852-32d7-4cc7-b059-0b8493a3912f", + "id": "bundle--fcfb4211-df3e-4059-a6f4-501f1c13bb69", "spec_version": "2.0", "objects": [ { 
diff --git a/ics-attack/relationship/relationship--11ab5b1a-b7b3-43bb-bc19-d65bf4ed89f3.json b/ics-attack/relationship/relationship--11ab5b1a-b7b3-43bb-bc19-d65bf4ed89f3.json index 9337179b6a..acf4d4708b 100644 --- a/ics-attack/relationship/relationship--11ab5b1a-b7b3-43bb-bc19-d65bf4ed89f3.json +++ b/ics-attack/relationship/relationship--11ab5b1a-b7b3-43bb-bc19-d65bf4ed89f3.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--fa13cab2-eddb-4d3b-ab05-f8a18cbcf5f8", + "id": "bundle--2d7f5ebd-eee3-4064-88a2-d49e3aef75df", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--11e4eb54-b0b3-4f67-a93f-28cc10df00ab.json b/ics-attack/relationship/relationship--11e4eb54-b0b3-4f67-a93f-28cc10df00ab.json index c3ea9093ee..5d05da7c15 100644 --- a/ics-attack/relationship/relationship--11e4eb54-b0b3-4f67-a93f-28cc10df00ab.json +++ b/ics-attack/relationship/relationship--11e4eb54-b0b3-4f67-a93f-28cc10df00ab.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--32da0fb6-23cc-4e21-9ba3-393a7d72870d", + "id": "bundle--af7972eb-044c-44b7-9165-ecd5b0c41280", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--1299dd2d-4f42-4f5f-876b-bf7dacd17c79.json b/ics-attack/relationship/relationship--1299dd2d-4f42-4f5f-876b-bf7dacd17c79.json index 9781b161bd..e30af0d6c3 100644 --- a/ics-attack/relationship/relationship--1299dd2d-4f42-4f5f-876b-bf7dacd17c79.json +++ b/ics-attack/relationship/relationship--1299dd2d-4f42-4f5f-876b-bf7dacd17c79.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--3769bb1e-f2bc-48b6-9058-87f9a5c2a2bc", + "id": "bundle--6a66a5ea-e9e6-490f-b76f-ce4160c9a7bf", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--129a4d3f-fa4a-42c3-833e-8f15155b9693.json b/ics-attack/relationship/relationship--129a4d3f-fa4a-42c3-833e-8f15155b9693.json index a06cc37575..9458937227 100644 
--- a/ics-attack/relationship/relationship--129a4d3f-fa4a-42c3-833e-8f15155b9693.json +++ b/ics-attack/relationship/relationship--129a4d3f-fa4a-42c3-833e-8f15155b9693.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--450187a8-81a0-460b-845f-6715623b6bbf", + "id": "bundle--bd36b942-76f8-487b-96ce-b427e1a4ddae", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--12a6c5bc-c685-4249-b8c6-e6d49aa2b9ed.json b/ics-attack/relationship/relationship--12a6c5bc-c685-4249-b8c6-e6d49aa2b9ed.json index c089c224f5..016d9d345a 100644 --- a/ics-attack/relationship/relationship--12a6c5bc-c685-4249-b8c6-e6d49aa2b9ed.json +++ b/ics-attack/relationship/relationship--12a6c5bc-c685-4249-b8c6-e6d49aa2b9ed.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--2a43fa1d-935c-477a-8c8e-ce6b13009d02", + "id": "bundle--178f7690-3577-448f-aa18-7ae71d56a972", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--1377fdf9-5201-4204-b6d3-df2fb5f4d02f.json b/ics-attack/relationship/relationship--1377fdf9-5201-4204-b6d3-df2fb5f4d02f.json index ddc96002c8..4d53790cf7 100644 --- a/ics-attack/relationship/relationship--1377fdf9-5201-4204-b6d3-df2fb5f4d02f.json +++ b/ics-attack/relationship/relationship--1377fdf9-5201-4204-b6d3-df2fb5f4d02f.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--18c608b0-e4c5-4f39-961e-cff7474370a7", + "id": "bundle--bfa29f3f-2d8a-440b-8632-393a9c4b3ded", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--13809e98-1d74-4c39-b882-9d523c76cbde.json b/ics-attack/relationship/relationship--13809e98-1d74-4c39-b882-9d523c76cbde.json index 63b3aab818..1df367b207 100644 --- a/ics-attack/relationship/relationship--13809e98-1d74-4c39-b882-9d523c76cbde.json +++ b/ics-attack/relationship/relationship--13809e98-1d74-4c39-b882-9d523c76cbde.json 
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--6f5cf48f-5b1d-4b72-82a2-0cdf5bec7c66", + "id": "bundle--ce5d2a5b-a595-4dc3-92bd-00e5b5ef1575", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--139bb9e7-e5fd-4366-b2e6-4f74a73ec984.json b/ics-attack/relationship/relationship--139bb9e7-e5fd-4366-b2e6-4f74a73ec984.json index c2dc3d7cb3..6e9976f565 100644 --- a/ics-attack/relationship/relationship--139bb9e7-e5fd-4366-b2e6-4f74a73ec984.json +++ b/ics-attack/relationship/relationship--139bb9e7-e5fd-4366-b2e6-4f74a73ec984.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--5666ea27-68b4-4ca2-92d1-dc74ec807dde", + "id": "bundle--3103c49d-835c-460b-a78c-82ae07acdf1e", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--13fb2612-7c23-4b9d-a6e1-76f78062fc52.json b/ics-attack/relationship/relationship--13fb2612-7c23-4b9d-a6e1-76f78062fc52.json index 4f8ec5e8c7..0f3da87241 100644 --- a/ics-attack/relationship/relationship--13fb2612-7c23-4b9d-a6e1-76f78062fc52.json +++ b/ics-attack/relationship/relationship--13fb2612-7c23-4b9d-a6e1-76f78062fc52.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--3cb65002-12cb-4a77-ab7c-15e850e863fc", + "id": "bundle--7be10576-8774-43cd-b5bf-4fe1f85d6d9b", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--147c2158-b2af-4d88-9d59-594c67a9200e.json b/ics-attack/relationship/relationship--147c2158-b2af-4d88-9d59-594c67a9200e.json index 30fd77894c..da02f2a5a0 100644 --- a/ics-attack/relationship/relationship--147c2158-b2af-4d88-9d59-594c67a9200e.json +++ b/ics-attack/relationship/relationship--147c2158-b2af-4d88-9d59-594c67a9200e.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--b67027a8-79bc-4021-b987-04c19f76cfe6", + "id": "bundle--d2386195-2a0e-4106-beb2-f53ab1b1b5e6", "spec_version": "2.0", "objects": [ { 
diff --git a/ics-attack/relationship/relationship--15188683-7ded-4578-9102-73459ecbe095.json b/ics-attack/relationship/relationship--15188683-7ded-4578-9102-73459ecbe095.json index 8651b732c5..fc5129aba7 100644 --- a/ics-attack/relationship/relationship--15188683-7ded-4578-9102-73459ecbe095.json +++ b/ics-attack/relationship/relationship--15188683-7ded-4578-9102-73459ecbe095.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--4bf788d7-6b02-4e82-a6ac-b3b84ec0df66", + "id": "bundle--f131b41f-9ec3-4d6d-a1e1-ca02d0a2207a", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--154de746-5ea2-43b4-97b2-221b2433cbde.json b/ics-attack/relationship/relationship--154de746-5ea2-43b4-97b2-221b2433cbde.json index 04331372ae..619fb98a8d 100644 --- a/ics-attack/relationship/relationship--154de746-5ea2-43b4-97b2-221b2433cbde.json +++ b/ics-attack/relationship/relationship--154de746-5ea2-43b4-97b2-221b2433cbde.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--753b635b-29fa-4463-809c-8baa52c206f0", + "id": "bundle--79b2ce4f-9f26-4d02-a450-bc9afc70189d", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--15a39e3b-124e-4e68-95b5-7b8020225c12.json b/ics-attack/relationship/relationship--15a39e3b-124e-4e68-95b5-7b8020225c12.json index 25fd11fe67..e202a3f5b7 100644 --- a/ics-attack/relationship/relationship--15a39e3b-124e-4e68-95b5-7b8020225c12.json +++ b/ics-attack/relationship/relationship--15a39e3b-124e-4e68-95b5-7b8020225c12.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--3daebc35-09d0-4b4d-b029-230bdcb5d390", + "id": "bundle--80b57416-377a-4466-be5d-838355a8585d", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--17525989-242e-4960-b59d-9ea62172263f.json b/ics-attack/relationship/relationship--17525989-242e-4960-b59d-9ea62172263f.json index a6fda587ec..5853defda0 100644 
--- a/ics-attack/relationship/relationship--17525989-242e-4960-b59d-9ea62172263f.json +++ b/ics-attack/relationship/relationship--17525989-242e-4960-b59d-9ea62172263f.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--e7ea951f-12df-4eea-b3e1-8629d64ec41f", + "id": "bundle--62173b7e-605d-48b4-a100-2c9d1e48e290", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--17ae41a5-cb45-4935-bec1-ea0c8bfb2f34.json b/ics-attack/relationship/relationship--17ae41a5-cb45-4935-bec1-ea0c8bfb2f34.json index cbc742135d..85b5afcc04 100644 --- a/ics-attack/relationship/relationship--17ae41a5-cb45-4935-bec1-ea0c8bfb2f34.json +++ b/ics-attack/relationship/relationship--17ae41a5-cb45-4935-bec1-ea0c8bfb2f34.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--ad497245-7998-41b0-bfde-a2a42a6e0d17", + "id": "bundle--3be10381-2dc8-4cb0-a41a-999b172b0f0a", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--17fdec71-98e8-4314-a1be-037edede58bd.json b/ics-attack/relationship/relationship--17fdec71-98e8-4314-a1be-037edede58bd.json index ba4480e9a1..583e6add4f 100644 --- a/ics-attack/relationship/relationship--17fdec71-98e8-4314-a1be-037edede58bd.json +++ b/ics-attack/relationship/relationship--17fdec71-98e8-4314-a1be-037edede58bd.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--10d80ee8-d139-402d-8e95-81aabb43fff3", + "id": "bundle--8ae16ca8-f8c6-4e25-908d-c0afa14a18b3", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--18ef2d69-d11a-4d31-a803-da989c4073f7.json b/ics-attack/relationship/relationship--18ef2d69-d11a-4d31-a803-da989c4073f7.json index d2645ba707..1029b7610c 100644 --- a/ics-attack/relationship/relationship--18ef2d69-d11a-4d31-a803-da989c4073f7.json +++ b/ics-attack/relationship/relationship--18ef2d69-d11a-4d31-a803-da989c4073f7.json 
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--95184c00-6d85-4eec-a91f-bbe2646d9513", + "id": "bundle--1920b162-14d5-40bc-ad3b-d3da4cd6aa62", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--193c3cd3-0b22-4839-a1fa-413aee61e882.json b/ics-attack/relationship/relationship--193c3cd3-0b22-4839-a1fa-413aee61e882.json index ac16fb9953..d0a4b7a761 100644 --- a/ics-attack/relationship/relationship--193c3cd3-0b22-4839-a1fa-413aee61e882.json +++ b/ics-attack/relationship/relationship--193c3cd3-0b22-4839-a1fa-413aee61e882.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--fba2479a-d1e1-48a0-89dd-ebe199d173b4", + "id": "bundle--4ad01713-2624-4c3e-90db-129ae58674c5", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--19ab6776-42de-48af-975a-568d31a3bb66.json b/ics-attack/relationship/relationship--19ab6776-42de-48af-975a-568d31a3bb66.json index 073c58a92a..916e9091b4 100644 --- a/ics-attack/relationship/relationship--19ab6776-42de-48af-975a-568d31a3bb66.json +++ b/ics-attack/relationship/relationship--19ab6776-42de-48af-975a-568d31a3bb66.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--7bde5e5c-7cbd-4795-8430-c4f077cf00ce", + "id": "bundle--b90b7156-704f-431c-91e0-3b5238cd37bd", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--19c0d2bc-8de9-47c3-a1ee-63abc07c4348.json b/ics-attack/relationship/relationship--19c0d2bc-8de9-47c3-a1ee-63abc07c4348.json index f9ebdfc813..2662945c96 100644 --- a/ics-attack/relationship/relationship--19c0d2bc-8de9-47c3-a1ee-63abc07c4348.json +++ b/ics-attack/relationship/relationship--19c0d2bc-8de9-47c3-a1ee-63abc07c4348.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--d94eb680-6852-47a7-831f-26edb3602041", + "id": "bundle--1c8a62cd-7502-48bf-9b3f-5d2becb6094e", "spec_version": "2.0", "objects": [ { 
diff --git a/ics-attack/relationship/relationship--1a40cec9-47c3-404e-b039-b7ae83ffaf68.json b/ics-attack/relationship/relationship--1a40cec9-47c3-404e-b039-b7ae83ffaf68.json index 5c91e2877c..97c151c453 100644 --- a/ics-attack/relationship/relationship--1a40cec9-47c3-404e-b039-b7ae83ffaf68.json +++ b/ics-attack/relationship/relationship--1a40cec9-47c3-404e-b039-b7ae83ffaf68.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--67474380-4771-4fc8-91ff-be676e3fe78e", + "id": "bundle--7aadc119-e672-4e86-bd07-70ef652f5df4", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--1aa02c37-973e-46bd-ab45-609463e514e9.json b/ics-attack/relationship/relationship--1aa02c37-973e-46bd-ab45-609463e514e9.json index 320459d33f..40690f4dd0 100644 --- a/ics-attack/relationship/relationship--1aa02c37-973e-46bd-ab45-609463e514e9.json +++ b/ics-attack/relationship/relationship--1aa02c37-973e-46bd-ab45-609463e514e9.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--eb636c82-2b5e-4f57-96ec-bc733c135527", + "id": "bundle--61d5f90d-d76d-409c-859b-c2c36aafafbe", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--1acccbe8-64e1-49ad-87df-215d5c87f050.json b/ics-attack/relationship/relationship--1acccbe8-64e1-49ad-87df-215d5c87f050.json index 78a80e283e..ab4337e2a8 100644 --- a/ics-attack/relationship/relationship--1acccbe8-64e1-49ad-87df-215d5c87f050.json +++ b/ics-attack/relationship/relationship--1acccbe8-64e1-49ad-87df-215d5c87f050.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--79de6af9-69c8-46b0-b56d-5b2d2951b053", + "id": "bundle--5ecd37e4-33e6-484a-96f3-e3af51b6c666", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--1c12b1d6-d636-45c6-98f4-947ddb502cb0.json b/ics-attack/relationship/relationship--1c12b1d6-d636-45c6-98f4-947ddb502cb0.json index c23eae9a5b..300ce064a0 100644 
--- a/ics-attack/relationship/relationship--1c12b1d6-d636-45c6-98f4-947ddb502cb0.json +++ b/ics-attack/relationship/relationship--1c12b1d6-d636-45c6-98f4-947ddb502cb0.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--0bf41e74-5578-4310-b65d-21ef5c2ae223", + "id": "bundle--ef0ba092-228b-4601-b1cd-8e232311c07d", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--1c3d966a-5995-48ed-919d-25b972010fe9.json b/ics-attack/relationship/relationship--1c3d966a-5995-48ed-919d-25b972010fe9.json index 6a376c5a5e..da66fefed5 100644 --- a/ics-attack/relationship/relationship--1c3d966a-5995-48ed-919d-25b972010fe9.json +++ b/ics-attack/relationship/relationship--1c3d966a-5995-48ed-919d-25b972010fe9.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--c24883e6-bdd2-48f8-9bbb-f25efcde7378", + "id": "bundle--229454be-0e3f-445c-8731-f02d61975ad7", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--1c831708-28c2-47ae-a158-39f1f7b73406.json b/ics-attack/relationship/relationship--1c831708-28c2-47ae-a158-39f1f7b73406.json index 27b83ce72b..aa2ae16c40 100644 --- a/ics-attack/relationship/relationship--1c831708-28c2-47ae-a158-39f1f7b73406.json +++ b/ics-attack/relationship/relationship--1c831708-28c2-47ae-a158-39f1f7b73406.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--022c7d21-d441-4929-a3fe-367f5d62f4e5", + "id": "bundle--c20eb83e-2a5f-4641-8633-f23faf6f7d1c", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--1d35c947-447f-4693-9ab0-32dff56e664e.json b/ics-attack/relationship/relationship--1d35c947-447f-4693-9ab0-32dff56e664e.json index 300c9009e1..27638c8e0d 100644 --- a/ics-attack/relationship/relationship--1d35c947-447f-4693-9ab0-32dff56e664e.json +++ b/ics-attack/relationship/relationship--1d35c947-447f-4693-9ab0-32dff56e664e.json 
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--49c5c411-28d3-4cbb-a656-08729332eff0", + "id": "bundle--677b2d81-a726-4192-9b4c-1ba2871962d6", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--1d399f67-090e-444b-b75d-eed4b1780f08.json b/ics-attack/relationship/relationship--1d399f67-090e-444b-b75d-eed4b1780f08.json index 0ffc136870..55d511ba22 100644 --- a/ics-attack/relationship/relationship--1d399f67-090e-444b-b75d-eed4b1780f08.json +++ b/ics-attack/relationship/relationship--1d399f67-090e-444b-b75d-eed4b1780f08.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--b46014e3-0fcc-4454-952e-f0361bcb438d", + "id": "bundle--95172a26-cf9c-402b-b6c6-9bbf7f3ffdc8", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--1dc35f79-0ada-4342-bd13-10d10c1b0335.json b/ics-attack/relationship/relationship--1dc35f79-0ada-4342-bd13-10d10c1b0335.json index 39d7a53d06..64fb5ba2ce 100644 --- a/ics-attack/relationship/relationship--1dc35f79-0ada-4342-bd13-10d10c1b0335.json +++ b/ics-attack/relationship/relationship--1dc35f79-0ada-4342-bd13-10d10c1b0335.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--57c90dda-9235-4859-8e23-8149e4318f81", + "id": "bundle--b5d243b6-7e83-4b43-918c-5a0913be6ea1", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--1e6da55a-ab6c-4583-9e20-583f82096497.json b/ics-attack/relationship/relationship--1e6da55a-ab6c-4583-9e20-583f82096497.json index 777a62c74f..85a182608b 100644 --- a/ics-attack/relationship/relationship--1e6da55a-ab6c-4583-9e20-583f82096497.json +++ b/ics-attack/relationship/relationship--1e6da55a-ab6c-4583-9e20-583f82096497.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--d2c3a8a3-cb4c-4a9e-b157-39a4b0ad0ac8", + "id": "bundle--75ccc951-7556-4f7f-aaa1-d9fdcb3dc5e3", "spec_version": "2.0", "objects": [ { 
diff --git a/ics-attack/relationship/relationship--1ed4d007-6d30-4d5d-8df9-3800ed56e042.json b/ics-attack/relationship/relationship--1ed4d007-6d30-4d5d-8df9-3800ed56e042.json index cc06f3a77c..efbf6de82b 100644 --- a/ics-attack/relationship/relationship--1ed4d007-6d30-4d5d-8df9-3800ed56e042.json +++ b/ics-attack/relationship/relationship--1ed4d007-6d30-4d5d-8df9-3800ed56e042.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--e8ce1615-6d25-4d4a-867b-33b045a44684", + "id": "bundle--ba1dc7e9-e3d2-4c90-830e-b308f2b08920", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--1f6b87f3-6749-4caa-98d3-265ebbe0ecbe.json b/ics-attack/relationship/relationship--1f6b87f3-6749-4caa-98d3-265ebbe0ecbe.json index 6c40653adf..b0e13d6830 100644 --- a/ics-attack/relationship/relationship--1f6b87f3-6749-4caa-98d3-265ebbe0ecbe.json +++ b/ics-attack/relationship/relationship--1f6b87f3-6749-4caa-98d3-265ebbe0ecbe.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--4983f740-a1ef-4e82-a3d3-ad8f2117e490", + "id": "bundle--24664fcf-b274-4030-a904-1cc63e76788a", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--1f785984-791e-4612-be32-9ee6903a9c0b.json b/ics-attack/relationship/relationship--1f785984-791e-4612-be32-9ee6903a9c0b.json index c0aedc4aee..02a01e1165 100644 --- a/ics-attack/relationship/relationship--1f785984-791e-4612-be32-9ee6903a9c0b.json +++ b/ics-attack/relationship/relationship--1f785984-791e-4612-be32-9ee6903a9c0b.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--b44c70c6-2f05-41ea-a93c-bd96537f33f0", + "id": "bundle--4e4aeb60-7e5f-46df-8d98-5628a4444a7a", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--1f804c9f-3b65-47eb-89f3-83edd0422fdc.json b/ics-attack/relationship/relationship--1f804c9f-3b65-47eb-89f3-83edd0422fdc.json index c99768b9c8..97490ee297 100644 
--- a/ics-attack/relationship/relationship--1f804c9f-3b65-47eb-89f3-83edd0422fdc.json +++ b/ics-attack/relationship/relationship--1f804c9f-3b65-47eb-89f3-83edd0422fdc.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--f2a4e06e-a953-4b58-abfe-acad7e63f88a", + "id": "bundle--d5eaf51c-c8c5-404a-817d-74262c7fb311", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--1f87378c-49fb-4da5-8ed3-3672633d3713.json b/ics-attack/relationship/relationship--1f87378c-49fb-4da5-8ed3-3672633d3713.json index 7219cbb6b3..f4eff80dfd 100644 --- a/ics-attack/relationship/relationship--1f87378c-49fb-4da5-8ed3-3672633d3713.json +++ b/ics-attack/relationship/relationship--1f87378c-49fb-4da5-8ed3-3672633d3713.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--76227d3d-51e6-4129-a068-7bb92c6c995d", + "id": "bundle--0bb77033-e91b-4130-a472-fe4d3c74a145", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--1f8abf6f-0dd0-4449-b555-733fe7296177.json b/ics-attack/relationship/relationship--1f8abf6f-0dd0-4449-b555-733fe7296177.json index 3ae769f7d5..eb5a512686 100644 --- a/ics-attack/relationship/relationship--1f8abf6f-0dd0-4449-b555-733fe7296177.json +++ b/ics-attack/relationship/relationship--1f8abf6f-0dd0-4449-b555-733fe7296177.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--31d2db42-8e9c-4e4c-a967-5a4a31f40da7", + "id": "bundle--bf1e8103-81e6-4b79-a796-f07d3b365218", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--1fc147bd-d6ab-4beb-908b-0fbe8e125b76.json b/ics-attack/relationship/relationship--1fc147bd-d6ab-4beb-908b-0fbe8e125b76.json index 3df59f2ec6..8e2cf5d4fc 100644 --- a/ics-attack/relationship/relationship--1fc147bd-d6ab-4beb-908b-0fbe8e125b76.json +++ b/ics-attack/relationship/relationship--1fc147bd-d6ab-4beb-908b-0fbe8e125b76.json 
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--5eeb738f-4e93-4d85-9cf1-49158fb43cc6", + "id": "bundle--7f74a40d-9b21-48e6-87d8-2cdc9ce2f274", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--1fd4cf4e-a26c-4fe5-a7fd-f49b8aea8437.json b/ics-attack/relationship/relationship--1fd4cf4e-a26c-4fe5-a7fd-f49b8aea8437.json index 00f902d65b..ac49bc4e48 100644 --- a/ics-attack/relationship/relationship--1fd4cf4e-a26c-4fe5-a7fd-f49b8aea8437.json +++ b/ics-attack/relationship/relationship--1fd4cf4e-a26c-4fe5-a7fd-f49b8aea8437.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--bec69def-388b-465f-93d8-837043417fd5", + "id": "bundle--7b4577f2-3ce1-4574-b36d-37ebe099172a", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--1fe3e5fc-7dd6-4e14-b9da-edb1a2aae459.json b/ics-attack/relationship/relationship--1fe3e5fc-7dd6-4e14-b9da-edb1a2aae459.json index 50a9ee720b..405676ee59 100644 --- a/ics-attack/relationship/relationship--1fe3e5fc-7dd6-4e14-b9da-edb1a2aae459.json +++ b/ics-attack/relationship/relationship--1fe3e5fc-7dd6-4e14-b9da-edb1a2aae459.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--ecd6c4ba-57c5-42fc-b547-43f4120e8263", + "id": "bundle--91303bac-076a-4f8e-ac2f-4d1f7e9a8fea", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--2057ec71-a94f-49cc-b348-2eeb44899afd.json b/ics-attack/relationship/relationship--2057ec71-a94f-49cc-b348-2eeb44899afd.json index 2f084a0918..5929095aba 100644 --- a/ics-attack/relationship/relationship--2057ec71-a94f-49cc-b348-2eeb44899afd.json +++ b/ics-attack/relationship/relationship--2057ec71-a94f-49cc-b348-2eeb44899afd.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--4cb006e0-14c3-4025-a5fd-78787ed502fe", + "id": "bundle--b930badd-649e-4bc1-b719-d46262c502cc", "spec_version": "2.0", "objects": [ { 
diff --git a/ics-attack/relationship/relationship--206cc4c8-797e-427b-86f1-4c81df391c6e.json b/ics-attack/relationship/relationship--206cc4c8-797e-427b-86f1-4c81df391c6e.json index 30eaad2a24..6f3c2f2c07 100644 --- a/ics-attack/relationship/relationship--206cc4c8-797e-427b-86f1-4c81df391c6e.json +++ b/ics-attack/relationship/relationship--206cc4c8-797e-427b-86f1-4c81df391c6e.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--48868c5a-8ed9-4c90-bca6-db5768136c8e", + "id": "bundle--8306bee1-48dd-4776-8a5f-6c0b324999cb", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--2089201c-c1c6-4d92-a737-a6499e26ee7f.json b/ics-attack/relationship/relationship--2089201c-c1c6-4d92-a737-a6499e26ee7f.json index f10457879c..ac548b3c36 100644 --- a/ics-attack/relationship/relationship--2089201c-c1c6-4d92-a737-a6499e26ee7f.json +++ b/ics-attack/relationship/relationship--2089201c-c1c6-4d92-a737-a6499e26ee7f.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--cb1b43f5-c016-4319-ade1-bdb3ca612ce9", + "id": "bundle--8798461d-f3e0-4325-8e6a-b6d1a277b810", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--20a0d820-59ef-42fc-9f56-7a93d1ce7a84.json b/ics-attack/relationship/relationship--20a0d820-59ef-42fc-9f56-7a93d1ce7a84.json index 078087f964..5077c49081 100644 --- a/ics-attack/relationship/relationship--20a0d820-59ef-42fc-9f56-7a93d1ce7a84.json +++ b/ics-attack/relationship/relationship--20a0d820-59ef-42fc-9f56-7a93d1ce7a84.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--8d7533bc-d86e-43bf-99f7-61b068fd55ea", + "id": "bundle--abc04b4b-f16b-466d-aa09-8845c234c72a", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--20f66fab-7a08-4707-ac79-92dac5acd11d.json b/ics-attack/relationship/relationship--20f66fab-7a08-4707-ac79-92dac5acd11d.json index d81ea18c30..40d7945578 100644 
--- a/ics-attack/relationship/relationship--20f66fab-7a08-4707-ac79-92dac5acd11d.json +++ b/ics-attack/relationship/relationship--20f66fab-7a08-4707-ac79-92dac5acd11d.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--de865ab3-1aeb-4b95-b32e-a60d298b40ce", + "id": "bundle--d93737de-8c47-4208-babb-323f623a2dec", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--21041206-da58-45c7-adb0-db07caebdcb6.json b/ics-attack/relationship/relationship--21041206-da58-45c7-adb0-db07caebdcb6.json index ecb7a3ccc2..5b46386e99 100644 --- a/ics-attack/relationship/relationship--21041206-da58-45c7-adb0-db07caebdcb6.json +++ b/ics-attack/relationship/relationship--21041206-da58-45c7-adb0-db07caebdcb6.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--d1b680be-bbb0-42e2-b751-bd2f141f20cd", + "id": "bundle--c5e772f3-e0d7-4ff2-8c86-57608a3df4b2", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--21134484-2d59-46b7-b878-527121fff1e3.json b/ics-attack/relationship/relationship--21134484-2d59-46b7-b878-527121fff1e3.json index 68b60283b6..c4da8bbd8f 100644 --- a/ics-attack/relationship/relationship--21134484-2d59-46b7-b878-527121fff1e3.json +++ b/ics-attack/relationship/relationship--21134484-2d59-46b7-b878-527121fff1e3.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--38a41f0d-d0b4-4af1-b433-08bbe300ef67", + "id": "bundle--0aaeee0a-65be-4f76-980f-ab5afe2d89df", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--214eb531-411c-4b90-9dbf-dc0183cbb919.json b/ics-attack/relationship/relationship--214eb531-411c-4b90-9dbf-dc0183cbb919.json index f1d377c359..94807cb59b 100644 --- a/ics-attack/relationship/relationship--214eb531-411c-4b90-9dbf-dc0183cbb919.json +++ b/ics-attack/relationship/relationship--214eb531-411c-4b90-9dbf-dc0183cbb919.json 
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--42303862-e243-478c-8146-8bd954abf0ef", + "id": "bundle--b56dda51-03b2-4e49-b59e-aa0e16c60d11", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--21b6ec9c-8779-49db-bf19-90e81893a6e4.json b/ics-attack/relationship/relationship--21b6ec9c-8779-49db-bf19-90e81893a6e4.json index 6295b9e926..cf207dd8ef 100644 --- a/ics-attack/relationship/relationship--21b6ec9c-8779-49db-bf19-90e81893a6e4.json +++ b/ics-attack/relationship/relationship--21b6ec9c-8779-49db-bf19-90e81893a6e4.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--3df9c922-3b01-4e78-96cd-0d9d60bd45f2", + "id": "bundle--4cf9f304-1932-4902-82f0-00523031174c", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--220140ac-d927-4d86-9335-c04aa6ee3c61.json b/ics-attack/relationship/relationship--220140ac-d927-4d86-9335-c04aa6ee3c61.json index 0e44aa5915..865e3f6606 100644 --- a/ics-attack/relationship/relationship--220140ac-d927-4d86-9335-c04aa6ee3c61.json +++ b/ics-attack/relationship/relationship--220140ac-d927-4d86-9335-c04aa6ee3c61.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--88812ac8-f08c-42e4-990c-aae8ac5bc74c", + "id": "bundle--5ddda4f1-3e69-4a2f-9ff5-46514d6cd52f", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--22448288-32d9-4d2c-be16-0784e119fff1.json b/ics-attack/relationship/relationship--22448288-32d9-4d2c-be16-0784e119fff1.json index b3718761b2..b2ebd49429 100644 --- a/ics-attack/relationship/relationship--22448288-32d9-4d2c-be16-0784e119fff1.json +++ b/ics-attack/relationship/relationship--22448288-32d9-4d2c-be16-0784e119fff1.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--827d9717-4823-44f8-bc0d-354614923297", + "id": "bundle--acd3e25d-bed8-49a9-9f7b-2d9818a35b5c", "spec_version": "2.0", "objects": [ { 
diff --git a/ics-attack/relationship/relationship--228b9a13-0545-4ecf-99ff-be02addaf7fe.json b/ics-attack/relationship/relationship--228b9a13-0545-4ecf-99ff-be02addaf7fe.json index ce0e6c8eaf..377752944d 100644 --- a/ics-attack/relationship/relationship--228b9a13-0545-4ecf-99ff-be02addaf7fe.json +++ b/ics-attack/relationship/relationship--228b9a13-0545-4ecf-99ff-be02addaf7fe.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--0b765445-ca2e-46cb-81ff-affe6e159325", + "id": "bundle--7d659a29-24be-4583-8750-7b78d7a4c45e", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--234da455-b795-4788-bc5d-22b4b58b2dc7.json b/ics-attack/relationship/relationship--234da455-b795-4788-bc5d-22b4b58b2dc7.json index d5f717ef0a..9ecc81d6ca 100644 --- a/ics-attack/relationship/relationship--234da455-b795-4788-bc5d-22b4b58b2dc7.json +++ b/ics-attack/relationship/relationship--234da455-b795-4788-bc5d-22b4b58b2dc7.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--a629c12a-3225-4d07-a8bf-518e75521dfa", + "id": "bundle--82d687db-491d-47c0-ae8f-20199f4faa84", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--238f967a-0c29-4aa3-bbb5-3dc593473bbf.json b/ics-attack/relationship/relationship--238f967a-0c29-4aa3-bbb5-3dc593473bbf.json index 04c8417184..937f32d583 100644 --- a/ics-attack/relationship/relationship--238f967a-0c29-4aa3-bbb5-3dc593473bbf.json +++ b/ics-attack/relationship/relationship--238f967a-0c29-4aa3-bbb5-3dc593473bbf.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--67e675df-4399-4a12-aba9-644eb8b1c311", + "id": "bundle--8447f53e-4a13-44b7-94f7-84863bd076e2", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--242b5a0d-e4e8-4ceb-a975-cf8efd64e981.json b/ics-attack/relationship/relationship--242b5a0d-e4e8-4ceb-a975-cf8efd64e981.json index be2ee3361a..ccb07116bf 100644 
--- a/ics-attack/relationship/relationship--242b5a0d-e4e8-4ceb-a975-cf8efd64e981.json +++ b/ics-attack/relationship/relationship--242b5a0d-e4e8-4ceb-a975-cf8efd64e981.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--ab586477-a5d8-41fe-a2de-a64ce02d34d8", + "id": "bundle--046ab2e9-4eb4-4888-a8f7-58ff758d1f93", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--243ad7b2-546c-4bf2-a3c0-1438b13e197d.json b/ics-attack/relationship/relationship--243ad7b2-546c-4bf2-a3c0-1438b13e197d.json index 3888cf93de..8d3a679f88 100644 --- a/ics-attack/relationship/relationship--243ad7b2-546c-4bf2-a3c0-1438b13e197d.json +++ b/ics-attack/relationship/relationship--243ad7b2-546c-4bf2-a3c0-1438b13e197d.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--f97010c8-3a3a-48d0-9e97-f1a6c09863c5", + "id": "bundle--0b052419-fc69-4bc6-be79-37f050c5bf67", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--25e7ca82-2784-433a-90a9-a3483615a655.json b/ics-attack/relationship/relationship--25e7ca82-2784-433a-90a9-a3483615a655.json index 90567385f8..49effc8b8b 100644 --- a/ics-attack/relationship/relationship--25e7ca82-2784-433a-90a9-a3483615a655.json +++ b/ics-attack/relationship/relationship--25e7ca82-2784-433a-90a9-a3483615a655.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--eb55ba0e-9ffd-422f-9ede-dfdf6a88343e", + "id": "bundle--4391084a-6439-4b54-8eb2-2aab62575708", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--26254163-4f25-4d30-8456-ca093459ff32.json b/ics-attack/relationship/relationship--26254163-4f25-4d30-8456-ca093459ff32.json index ee1824ac32..0eadc206aa 100644 --- a/ics-attack/relationship/relationship--26254163-4f25-4d30-8456-ca093459ff32.json +++ b/ics-attack/relationship/relationship--26254163-4f25-4d30-8456-ca093459ff32.json 
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--6b81cc28-12c0-474d-80ce-d4e88a20f75e", + "id": "bundle--4b9a41b0-50c9-4f7c-9359-963a1b8b1f9c", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--2683e59a-dee3-485a-a355-ed2ee0a23d5d.json b/ics-attack/relationship/relationship--2683e59a-dee3-485a-a355-ed2ee0a23d5d.json index 0869e3ec21..d7dc5504b3 100644 --- a/ics-attack/relationship/relationship--2683e59a-dee3-485a-a355-ed2ee0a23d5d.json +++ b/ics-attack/relationship/relationship--2683e59a-dee3-485a-a355-ed2ee0a23d5d.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--f8406a89-a8fb-4da5-a148-e2644756facc", + "id": "bundle--ae28df41-996c-495e-adb1-d9d2487af9b0", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--26d68f5d-6ee5-4d98-b175-943366ccc038.json b/ics-attack/relationship/relationship--26d68f5d-6ee5-4d98-b175-943366ccc038.json index 58f629cf08..f4bbcca1e7 100644 --- a/ics-attack/relationship/relationship--26d68f5d-6ee5-4d98-b175-943366ccc038.json +++ b/ics-attack/relationship/relationship--26d68f5d-6ee5-4d98-b175-943366ccc038.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--6856c243-d092-43f5-8cdf-45d62c806670", + "id": "bundle--c99bead2-4650-45fa-b737-a974e8797da2", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--26e58427-a2bd-4e77-9939-16ef60a072e7.json b/ics-attack/relationship/relationship--26e58427-a2bd-4e77-9939-16ef60a072e7.json index abb2bf32f9..ae4b628db5 100644 --- a/ics-attack/relationship/relationship--26e58427-a2bd-4e77-9939-16ef60a072e7.json +++ b/ics-attack/relationship/relationship--26e58427-a2bd-4e77-9939-16ef60a072e7.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--8ad95af5-513b-402a-8b23-c82723d49714", + "id": "bundle--c060dcaf-7eae-4f5b-813d-e9695a104012", "spec_version": "2.0", "objects": [ { 
diff --git a/ics-attack/relationship/relationship--26fdd07e-d194-4f8e-a9af-d5b2f1d0222e.json b/ics-attack/relationship/relationship--26fdd07e-d194-4f8e-a9af-d5b2f1d0222e.json index cc507f8a28..39d982c2da 100644 --- a/ics-attack/relationship/relationship--26fdd07e-d194-4f8e-a9af-d5b2f1d0222e.json +++ b/ics-attack/relationship/relationship--26fdd07e-d194-4f8e-a9af-d5b2f1d0222e.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--b1537d7c-2586-4598-a6a0-c95a411f68e8", + "id": "bundle--080f743e-0067-408e-89ba-d818c7275e5d", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--276aa6a6-e700-470a-8f72-02537ba7be9d.json b/ics-attack/relationship/relationship--276aa6a6-e700-470a-8f72-02537ba7be9d.json index f7f3829c82..ea82272916 100644 --- a/ics-attack/relationship/relationship--276aa6a6-e700-470a-8f72-02537ba7be9d.json +++ b/ics-attack/relationship/relationship--276aa6a6-e700-470a-8f72-02537ba7be9d.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--3e0bfa7e-f833-4d88-b0b5-9b1200c3edfb", + "id": "bundle--b66a3865-6c64-4eea-9942-9dd4868616fd", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--28395db7-feee-4711-b704-48e418e13ee1.json b/ics-attack/relationship/relationship--28395db7-feee-4711-b704-48e418e13ee1.json index f8907cb63a..f9530a35bf 100644 --- a/ics-attack/relationship/relationship--28395db7-feee-4711-b704-48e418e13ee1.json +++ b/ics-attack/relationship/relationship--28395db7-feee-4711-b704-48e418e13ee1.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--06557ac5-92c1-447a-8de3-0a59e01d751a", + "id": "bundle--ed993c21-240f-4f60-95c0-5b1ed0590113", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--2867f491-919b-463f-b689-bb3ceb7ae99f.json b/ics-attack/relationship/relationship--2867f491-919b-463f-b689-bb3ceb7ae99f.json index b54944390c..ce39113f3f 100644 
--- a/ics-attack/relationship/relationship--2867f491-919b-463f-b689-bb3ceb7ae99f.json +++ b/ics-attack/relationship/relationship--2867f491-919b-463f-b689-bb3ceb7ae99f.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--dbc84193-80b3-4647-a36e-74f8d406e415", + "id": "bundle--15731a84-03f0-4e41-bb3a-a0847bee2828", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--28afd84d-a53e-4b2f-9bee-133f7da6982a.json b/ics-attack/relationship/relationship--28afd84d-a53e-4b2f-9bee-133f7da6982a.json index 851795beb3..9f633e755d 100644 --- a/ics-attack/relationship/relationship--28afd84d-a53e-4b2f-9bee-133f7da6982a.json +++ b/ics-attack/relationship/relationship--28afd84d-a53e-4b2f-9bee-133f7da6982a.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--0c02c5a6-604f-4c02-a05d-cc9865421d61", + "id": "bundle--cb7cf66a-53f3-4be4-ae14-ba669da792e3", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--2916cd9c-32d5-463a-a83b-448ef7720192.json b/ics-attack/relationship/relationship--2916cd9c-32d5-463a-a83b-448ef7720192.json index 30b42bdd4a..7bd2affa30 100644 --- a/ics-attack/relationship/relationship--2916cd9c-32d5-463a-a83b-448ef7720192.json +++ b/ics-attack/relationship/relationship--2916cd9c-32d5-463a-a83b-448ef7720192.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--e6841598-d61a-4491-a03f-6b1748479f6a", + "id": "bundle--43b35fa2-3011-4e70-a6ec-0c3f86970cac", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--2971151c-0e8a-4567-84dc-01cf5dd35005.json b/ics-attack/relationship/relationship--2971151c-0e8a-4567-84dc-01cf5dd35005.json index c8cfee6688..74dfb74bcd 100644 --- a/ics-attack/relationship/relationship--2971151c-0e8a-4567-84dc-01cf5dd35005.json +++ b/ics-attack/relationship/relationship--2971151c-0e8a-4567-84dc-01cf5dd35005.json 
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--9d97a74c-737e-476c-9192-c7d6251fa464", + "id": "bundle--e8e2334b-524c-42d6-aa07-bce84f7a3711", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--29b85313-645b-4fb1-b5c2-f580d111760b.json b/ics-attack/relationship/relationship--29b85313-645b-4fb1-b5c2-f580d111760b.json index 249ca55e38..dedbc5e463 100644 --- a/ics-attack/relationship/relationship--29b85313-645b-4fb1-b5c2-f580d111760b.json +++ b/ics-attack/relationship/relationship--29b85313-645b-4fb1-b5c2-f580d111760b.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--025e3351-2245-410c-b7aa-22bf180e4ec7", + "id": "bundle--4a4b1e40-d98c-4881-af2e-27bca49b4f2c", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--2b62e4c0-9267-47bd-8f4d-0394b13fb566.json b/ics-attack/relationship/relationship--2b62e4c0-9267-47bd-8f4d-0394b13fb566.json index 4fd0323f27..4cc505d65f 100644 --- a/ics-attack/relationship/relationship--2b62e4c0-9267-47bd-8f4d-0394b13fb566.json +++ b/ics-attack/relationship/relationship--2b62e4c0-9267-47bd-8f4d-0394b13fb566.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--6894933e-9f1e-4990-8be8-13dd427430b4", + "id": "bundle--03ac297a-4e9b-4fcf-b9b7-123a712e8bec", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--2c641542-2e18-4943-849a-7141b7da4fcd.json b/ics-attack/relationship/relationship--2c641542-2e18-4943-849a-7141b7da4fcd.json index 1a9b5ff23f..c5caba293c 100644 --- a/ics-attack/relationship/relationship--2c641542-2e18-4943-849a-7141b7da4fcd.json +++ b/ics-attack/relationship/relationship--2c641542-2e18-4943-849a-7141b7da4fcd.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--a77ad423-9da2-446c-8860-9f9158860c0d", + "id": "bundle--b8345ac3-e351-4526-ab33-aade49d072a5", "spec_version": "2.0", "objects": [ { 
diff --git a/ics-attack/relationship/relationship--2c6f9c9e-efa9-4a87-aadf-64b2aeeaa09a.json b/ics-attack/relationship/relationship--2c6f9c9e-efa9-4a87-aadf-64b2aeeaa09a.json index a417a5e017..cf58691a56 100644 --- a/ics-attack/relationship/relationship--2c6f9c9e-efa9-4a87-aadf-64b2aeeaa09a.json +++ b/ics-attack/relationship/relationship--2c6f9c9e-efa9-4a87-aadf-64b2aeeaa09a.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--c9a4fa6c-27a6-420d-a51e-b6f1e78d83db", + "id": "bundle--415e7949-35bd-4b61-9ba7-53fe6160f6f6", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--2c8dd182-e0a1-469d-aa65-7a1f734d9b46.json b/ics-attack/relationship/relationship--2c8dd182-e0a1-469d-aa65-7a1f734d9b46.json index 1f1ccdd0f7..6eb5e9fb50 100644 --- a/ics-attack/relationship/relationship--2c8dd182-e0a1-469d-aa65-7a1f734d9b46.json +++ b/ics-attack/relationship/relationship--2c8dd182-e0a1-469d-aa65-7a1f734d9b46.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--5959e87c-5d07-4c2f-9449-a1dd55c99d09", + "id": "bundle--1662c83e-5c43-4abb-874e-36f3c3aca4a8", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--2cd79563-0f5a-44a1-9be4-6dc330855d64.json b/ics-attack/relationship/relationship--2cd79563-0f5a-44a1-9be4-6dc330855d64.json index 77d0746673..5a8565b05b 100644 --- a/ics-attack/relationship/relationship--2cd79563-0f5a-44a1-9be4-6dc330855d64.json +++ b/ics-attack/relationship/relationship--2cd79563-0f5a-44a1-9be4-6dc330855d64.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--edd59766-3c02-4809-b84a-18c4dac60a17", + "id": "bundle--50891950-382a-48f0-9ff9-29806a5582ea", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--2d07e32d-e9cd-4b19-86ad-4573824d6919.json b/ics-attack/relationship/relationship--2d07e32d-e9cd-4b19-86ad-4573824d6919.json index fdb607862b..2ca9931353 100644 
--- a/ics-attack/relationship/relationship--2d07e32d-e9cd-4b19-86ad-4573824d6919.json +++ b/ics-attack/relationship/relationship--2d07e32d-e9cd-4b19-86ad-4573824d6919.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--da486b1e-2db5-4fcf-865e-06655357b8c8", + "id": "bundle--5e7c0d42-3c87-4f87-9423-236167cc5485", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--2d65925e-f437-4557-bd8b-4c0d14ffd0b0.json b/ics-attack/relationship/relationship--2d65925e-f437-4557-bd8b-4c0d14ffd0b0.json index 519897ebe0..25779bc898 100644 --- a/ics-attack/relationship/relationship--2d65925e-f437-4557-bd8b-4c0d14ffd0b0.json +++ b/ics-attack/relationship/relationship--2d65925e-f437-4557-bd8b-4c0d14ffd0b0.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--faac6b2c-4422-400c-b6b8-15478465b964", + "id": "bundle--ed8d9abe-ce4b-4e40-8bba-dc71e7c9184e", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--2daeeaaa-5b4b-4bb7-a94d-78a5749027ca.json b/ics-attack/relationship/relationship--2daeeaaa-5b4b-4bb7-a94d-78a5749027ca.json index 3d46d5ddde..6a496b62d7 100644 --- a/ics-attack/relationship/relationship--2daeeaaa-5b4b-4bb7-a94d-78a5749027ca.json +++ b/ics-attack/relationship/relationship--2daeeaaa-5b4b-4bb7-a94d-78a5749027ca.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--9d3d2570-53bd-41c6-aa0d-3a9f77801c45", + "id": "bundle--87d2942f-e34c-4816-a0ca-d7c882a52286", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--2e0769d7-088e-45d5-a262-6dbc91a95073.json b/ics-attack/relationship/relationship--2e0769d7-088e-45d5-a262-6dbc91a95073.json index cc1179c69a..268e6a9fef 100644 --- a/ics-attack/relationship/relationship--2e0769d7-088e-45d5-a262-6dbc91a95073.json +++ b/ics-attack/relationship/relationship--2e0769d7-088e-45d5-a262-6dbc91a95073.json 
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--30dec7e7-76ba-4f0b-9e96-cb73579d8735", + "id": "bundle--8b345f3f-3e9e-4991-855d-24c784b0ad4d", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--2e377016-bb23-481e-b72b-a2ace8c72eb7.json b/ics-attack/relationship/relationship--2e377016-bb23-481e-b72b-a2ace8c72eb7.json index c0936fe03f..8b1e34ce5c 100644 --- a/ics-attack/relationship/relationship--2e377016-bb23-481e-b72b-a2ace8c72eb7.json +++ b/ics-attack/relationship/relationship--2e377016-bb23-481e-b72b-a2ace8c72eb7.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--50f43141-4a81-4753-93db-292fa05fd6e5", + "id": "bundle--e12fd508-9f9f-4565-a6fb-aa17d7a5d8ae", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--2e5f338d-92c4-4647-8fef-7c901ff774f5.json b/ics-attack/relationship/relationship--2e5f338d-92c4-4647-8fef-7c901ff774f5.json index 9d0ae6c0d6..64de9f390f 100644 --- a/ics-attack/relationship/relationship--2e5f338d-92c4-4647-8fef-7c901ff774f5.json +++ b/ics-attack/relationship/relationship--2e5f338d-92c4-4647-8fef-7c901ff774f5.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--e5acb512-6e6f-46ae-8e5b-8fe238acd4c9", + "id": "bundle--f84fae41-067d-44b3-ae4f-d204bf148a8d", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--2ecc567f-3aaa-4bd8-935f-4808d177a552.json b/ics-attack/relationship/relationship--2ecc567f-3aaa-4bd8-935f-4808d177a552.json index db43794671..780135af8a 100644 --- a/ics-attack/relationship/relationship--2ecc567f-3aaa-4bd8-935f-4808d177a552.json +++ b/ics-attack/relationship/relationship--2ecc567f-3aaa-4bd8-935f-4808d177a552.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--60201f4a-584c-4a9e-9bf1-097abe5b7228", + "id": "bundle--db6129cb-1af0-42e0-ba3c-cc9875db2566", "spec_version": "2.0", "objects": [ { 
diff --git a/ics-attack/relationship/relationship--2f64b5aa-7e4d-4a5e-9960-69a63ad25083.json b/ics-attack/relationship/relationship--2f64b5aa-7e4d-4a5e-9960-69a63ad25083.json index fd2aa9774d..c1ff464e86 100644 --- a/ics-attack/relationship/relationship--2f64b5aa-7e4d-4a5e-9960-69a63ad25083.json +++ b/ics-attack/relationship/relationship--2f64b5aa-7e4d-4a5e-9960-69a63ad25083.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--2256d355-9175-4773-aa3f-591e60aa3bcd", + "id": "bundle--629a720b-fab2-4f85-98e8-9c64c8cf8d23", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--2f6b635b-1441-4ef0-9289-1ed6b9098d4a.json b/ics-attack/relationship/relationship--2f6b635b-1441-4ef0-9289-1ed6b9098d4a.json index 799762a655..8dd15db333 100644 --- a/ics-attack/relationship/relationship--2f6b635b-1441-4ef0-9289-1ed6b9098d4a.json +++ b/ics-attack/relationship/relationship--2f6b635b-1441-4ef0-9289-1ed6b9098d4a.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--2b72f922-8fae-4195-8fcc-acd101e830ea", + "id": "bundle--58c5ee66-bc23-4983-a8f2-ec97e807079e", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--2fbb7867-79c5-4d45-9876-98c4041dd72e.json b/ics-attack/relationship/relationship--2fbb7867-79c5-4d45-9876-98c4041dd72e.json index a29d8c8cd4..18faf28e4d 100644 --- a/ics-attack/relationship/relationship--2fbb7867-79c5-4d45-9876-98c4041dd72e.json +++ b/ics-attack/relationship/relationship--2fbb7867-79c5-4d45-9876-98c4041dd72e.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--a4f55ce3-0d50-4f68-be83-3aa6d82d62bd", + "id": "bundle--23d518bd-172a-4d82-863c-c8e09f738998", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--2fd13fc0-e3f0-4099-ab20-d19ba6bcd4e0.json b/ics-attack/relationship/relationship--2fd13fc0-e3f0-4099-ab20-d19ba6bcd4e0.json index 57c2e839cd..7b7123a590 100644 
--- a/ics-attack/relationship/relationship--2fd13fc0-e3f0-4099-ab20-d19ba6bcd4e0.json +++ b/ics-attack/relationship/relationship--2fd13fc0-e3f0-4099-ab20-d19ba6bcd4e0.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--ff93be3a-f122-442f-bee4-164789c36c1f", + "id": "bundle--3c7bbc6e-16aa-4481-b89a-1953368de4e9", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--2ff82993-5010-4450-89e7-341f449f3263.json b/ics-attack/relationship/relationship--2ff82993-5010-4450-89e7-341f449f3263.json index 71e8409556..3d03b80834 100644 --- a/ics-attack/relationship/relationship--2ff82993-5010-4450-89e7-341f449f3263.json +++ b/ics-attack/relationship/relationship--2ff82993-5010-4450-89e7-341f449f3263.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--75aae6d4-11cc-4bce-af15-25a6b7a83646", + "id": "bundle--d105c6cf-c463-4084-887b-c5e2b79cbb91", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--2fffbea8-c031-4de8-a451-447bbbe3e224.json b/ics-attack/relationship/relationship--2fffbea8-c031-4de8-a451-447bbbe3e224.json index 5c19a29281..d1f41deacb 100644 --- a/ics-attack/relationship/relationship--2fffbea8-c031-4de8-a451-447bbbe3e224.json +++ b/ics-attack/relationship/relationship--2fffbea8-c031-4de8-a451-447bbbe3e224.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--16943728-a1aa-4b3c-8985-59d52997e63e", + "id": "bundle--f8f784ca-8b6c-44c2-8bdb-0ac45b51ca51", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--309e4558-e591-4d03-9bb9-07d30acf011f.json b/ics-attack/relationship/relationship--309e4558-e591-4d03-9bb9-07d30acf011f.json index 6275cac41a..e4bc3b388f 100644 --- a/ics-attack/relationship/relationship--309e4558-e591-4d03-9bb9-07d30acf011f.json +++ b/ics-attack/relationship/relationship--309e4558-e591-4d03-9bb9-07d30acf011f.json 
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--2b6375ea-6e34-4398-b107-fe6f07c56f76", + "id": "bundle--9d297f87-fbdf-45b0-b61a-1d4f9b0e34a2", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--31203165-79d0-42e5-81f1-62150dea2c43.json b/ics-attack/relationship/relationship--31203165-79d0-42e5-81f1-62150dea2c43.json index 5b164768ee..c6870f3d86 100644 --- a/ics-attack/relationship/relationship--31203165-79d0-42e5-81f1-62150dea2c43.json +++ b/ics-attack/relationship/relationship--31203165-79d0-42e5-81f1-62150dea2c43.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--80b6a4bd-4f1c-41a7-a678-b3690b5c3e6a", + "id": "bundle--f19056f6-4d56-43a7-b68d-7f5ac1122dda", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--3168a905-f398-403f-9345-de5893de1326.json b/ics-attack/relationship/relationship--3168a905-f398-403f-9345-de5893de1326.json index 355a2c3a65..a0ef30ce2b 100644 --- a/ics-attack/relationship/relationship--3168a905-f398-403f-9345-de5893de1326.json +++ b/ics-attack/relationship/relationship--3168a905-f398-403f-9345-de5893de1326.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--60db8cee-236f-46fe-9fc1-274bd22d9ac8", + "id": "bundle--83a95192-5e3f-460f-a998-f9ca4dbe28d5", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--31897c41-1d47-4a34-b531-21c3f74651a8.json b/ics-attack/relationship/relationship--31897c41-1d47-4a34-b531-21c3f74651a8.json index 96910ac8d5..c86f63b6ca 100644 --- a/ics-attack/relationship/relationship--31897c41-1d47-4a34-b531-21c3f74651a8.json +++ b/ics-attack/relationship/relationship--31897c41-1d47-4a34-b531-21c3f74651a8.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--72eabb6b-9431-497c-bee0-8f4eeca3f25b", + "id": "bundle--0fc38042-c85b-41c8-8c19-b2022a6236a9", "spec_version": "2.0", "objects": [ { 
diff --git a/ics-attack/relationship/relationship--31bf1721-78a2-4b6c-b325-5c44dc02ea33.json b/ics-attack/relationship/relationship--31bf1721-78a2-4b6c-b325-5c44dc02ea33.json index 5f6481897e..ffbed4c392 100644 --- a/ics-attack/relationship/relationship--31bf1721-78a2-4b6c-b325-5c44dc02ea33.json +++ b/ics-attack/relationship/relationship--31bf1721-78a2-4b6c-b325-5c44dc02ea33.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--96c2f1b5-924b-488c-a14a-5b939c3e0615", + "id": "bundle--d7df1545-9434-4d35-833f-4428557810a6", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--321fc522-bc6b-4975-bee4-9098624d1e8c.json b/ics-attack/relationship/relationship--321fc522-bc6b-4975-bee4-9098624d1e8c.json index ade52d7998..e57e6fbb17 100644 --- a/ics-attack/relationship/relationship--321fc522-bc6b-4975-bee4-9098624d1e8c.json +++ b/ics-attack/relationship/relationship--321fc522-bc6b-4975-bee4-9098624d1e8c.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--7068abcb-7749-4269-a085-6f6633f2fd8c", + "id": "bundle--b39d8353-4add-44f2-9e7d-a0594050d4f7", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--327916f7-fe5d-4858-adeb-f72f74c60c25.json b/ics-attack/relationship/relationship--327916f7-fe5d-4858-adeb-f72f74c60c25.json index 5d68f27b60..9e2cd5e99a 100644 --- a/ics-attack/relationship/relationship--327916f7-fe5d-4858-adeb-f72f74c60c25.json +++ b/ics-attack/relationship/relationship--327916f7-fe5d-4858-adeb-f72f74c60c25.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--319dc0c5-f275-4b54-935e-bf570dcef079", + "id": "bundle--2bd423ea-bff5-4620-8532-b560231a3e5d", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--32dbed4e-4dbe-4872-a013-c96111ed102e.json b/ics-attack/relationship/relationship--32dbed4e-4dbe-4872-a013-c96111ed102e.json index 71886b9269..4d7505198b 100644 
--- a/ics-attack/relationship/relationship--32dbed4e-4dbe-4872-a013-c96111ed102e.json +++ b/ics-attack/relationship/relationship--32dbed4e-4dbe-4872-a013-c96111ed102e.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--7541ae4d-5313-4ac3-98db-d3a799bbba62", + "id": "bundle--3fe76f79-298f-4a8f-b30a-a245777a3155", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--33215dfa-53d0-4bd7-a15d-cec9315c7c4d.json b/ics-attack/relationship/relationship--33215dfa-53d0-4bd7-a15d-cec9315c7c4d.json index 8d76b4a528..bd50f246a3 100644 --- a/ics-attack/relationship/relationship--33215dfa-53d0-4bd7-a15d-cec9315c7c4d.json +++ b/ics-attack/relationship/relationship--33215dfa-53d0-4bd7-a15d-cec9315c7c4d.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--671f96ab-ef9d-4534-ba2a-4ed56cb14cbd", + "id": "bundle--a222bf07-d4f9-4590-8102-df15a4f8b7ce", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--33486e89-f0f4-4507-9f13-48a8f22c8ac8.json b/ics-attack/relationship/relationship--33486e89-f0f4-4507-9f13-48a8f22c8ac8.json index 9bb5b64b94..03d9e605b6 100644 --- a/ics-attack/relationship/relationship--33486e89-f0f4-4507-9f13-48a8f22c8ac8.json +++ b/ics-attack/relationship/relationship--33486e89-f0f4-4507-9f13-48a8f22c8ac8.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--db2d1cb0-5e7a-404a-a7e3-866978c93ea9", + "id": "bundle--1bc65d1c-5321-4777-b60b-a44c5cda5323", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--3439d550-61d5-40b4-a514-341509d3f701.json b/ics-attack/relationship/relationship--3439d550-61d5-40b4-a514-341509d3f701.json index bbec108bce..8713115142 100644 --- a/ics-attack/relationship/relationship--3439d550-61d5-40b4-a514-341509d3f701.json +++ b/ics-attack/relationship/relationship--3439d550-61d5-40b4-a514-341509d3f701.json 
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--6bb2358d-7cad-4762-823c-f0ae6bfd4a7e", + "id": "bundle--8cb7038f-0791-4f40-b425-5e2531d2fab2", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--3478c49c-594b-4224-b7f9-2b0b09c67288.json b/ics-attack/relationship/relationship--3478c49c-594b-4224-b7f9-2b0b09c67288.json index da3eadc01a..bbc77a65a7 100644 --- a/ics-attack/relationship/relationship--3478c49c-594b-4224-b7f9-2b0b09c67288.json +++ b/ics-attack/relationship/relationship--3478c49c-594b-4224-b7f9-2b0b09c67288.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--985cf284-2f29-46bf-be44-1808556a853c", + "id": "bundle--5277c855-f418-4b2c-81ec-170e209149da", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--34ac1b1b-1103-4fc9-a62e-f1dd1451b28b.json b/ics-attack/relationship/relationship--34ac1b1b-1103-4fc9-a62e-f1dd1451b28b.json index 378397ac3a..fb2558c915 100644 --- a/ics-attack/relationship/relationship--34ac1b1b-1103-4fc9-a62e-f1dd1451b28b.json +++ b/ics-attack/relationship/relationship--34ac1b1b-1103-4fc9-a62e-f1dd1451b28b.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--f4ad0422-6f71-4701-b518-d36dd745f15c", + "id": "bundle--9953ae82-eed1-4c8d-880d-e249e3e01b26", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--34d4101b-b4c9-4ea3-a84d-81e84e7f5033.json b/ics-attack/relationship/relationship--34d4101b-b4c9-4ea3-a84d-81e84e7f5033.json index 880e3b0801..bdb574a8a8 100644 --- a/ics-attack/relationship/relationship--34d4101b-b4c9-4ea3-a84d-81e84e7f5033.json +++ b/ics-attack/relationship/relationship--34d4101b-b4c9-4ea3-a84d-81e84e7f5033.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--1eecb488-0b57-4b34-9091-4ba097c0449e", + "id": "bundle--e2e0cdc8-8db9-4579-a1be-2cab71efd28b", "spec_version": "2.0", "objects": [ { 
diff --git a/ics-attack/relationship/relationship--350814da-5c36-42f9-8e58-8f9534e6ce0a.json b/ics-attack/relationship/relationship--350814da-5c36-42f9-8e58-8f9534e6ce0a.json index ce4d10eaee..1d2bcb9fe6 100644 --- a/ics-attack/relationship/relationship--350814da-5c36-42f9-8e58-8f9534e6ce0a.json +++ b/ics-attack/relationship/relationship--350814da-5c36-42f9-8e58-8f9534e6ce0a.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--c46c06fa-a530-4235-b29b-7106a7d4bd91", + "id": "bundle--5cf76844-94ab-4fc7-9587-948ab51fd0be", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--351e19c4-c16e-493a-9800-a433107aacf1.json b/ics-attack/relationship/relationship--351e19c4-c16e-493a-9800-a433107aacf1.json index 22546a30fa..b72081ca31 100644 --- a/ics-attack/relationship/relationship--351e19c4-c16e-493a-9800-a433107aacf1.json +++ b/ics-attack/relationship/relationship--351e19c4-c16e-493a-9800-a433107aacf1.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--7266373f-d42d-4fbe-9d86-ade579a2bb22", + "id": "bundle--829746a2-e85c-4919-b5dd-983a2738f894", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--35cf6922-d48f-42ea-b7f5-f0258892bd52.json b/ics-attack/relationship/relationship--35cf6922-d48f-42ea-b7f5-f0258892bd52.json index 16a93ee009..aa6b8ab27d 100644 --- a/ics-attack/relationship/relationship--35cf6922-d48f-42ea-b7f5-f0258892bd52.json +++ b/ics-attack/relationship/relationship--35cf6922-d48f-42ea-b7f5-f0258892bd52.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--8f1857fb-cd45-4636-b44b-5ecc88c16a62", + "id": "bundle--030584ed-43a3-4976-a14c-9c13010d3149", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--3618a010-b94b-4974-b1be-7630d5c853c1.json b/ics-attack/relationship/relationship--3618a010-b94b-4974-b1be-7630d5c853c1.json index 7992607a2f..2f1f14a68b 100644 
--- a/ics-attack/relationship/relationship--3618a010-b94b-4974-b1be-7630d5c853c1.json +++ b/ics-attack/relationship/relationship--3618a010-b94b-4974-b1be-7630d5c853c1.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--55e3d070-a21b-4059-902e-cb3e81468e27", + "id": "bundle--0a459089-0888-425a-bfbb-fa72dad3b8ee", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--3663f10d-4a2c-4d37-bf5f-337c9891c2f4.json b/ics-attack/relationship/relationship--3663f10d-4a2c-4d37-bf5f-337c9891c2f4.json index cc6b636620..90ec600f20 100644 --- a/ics-attack/relationship/relationship--3663f10d-4a2c-4d37-bf5f-337c9891c2f4.json +++ b/ics-attack/relationship/relationship--3663f10d-4a2c-4d37-bf5f-337c9891c2f4.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--7977e33f-10c0-4f73-87e7-ce05148918e9", + "id": "bundle--8fc08c56-82a6-439c-91cf-91882104a249", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--366a4cd1-aa95-4985-9d80-b45a2551e298.json b/ics-attack/relationship/relationship--366a4cd1-aa95-4985-9d80-b45a2551e298.json index 1303a1af60..b8ddd7c2d4 100644 --- a/ics-attack/relationship/relationship--366a4cd1-aa95-4985-9d80-b45a2551e298.json +++ b/ics-attack/relationship/relationship--366a4cd1-aa95-4985-9d80-b45a2551e298.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--7664cdb2-017b-4437-a667-9bbba539e71a", + "id": "bundle--51e48e2e-c357-4119-b5c9-63b1b7e5a9dd", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--375b7e67-8b3f-4102-9e3e-7e356b6c8bf4.json b/ics-attack/relationship/relationship--375b7e67-8b3f-4102-9e3e-7e356b6c8bf4.json index 9fdeda037c..746a662adf 100644 --- a/ics-attack/relationship/relationship--375b7e67-8b3f-4102-9e3e-7e356b6c8bf4.json +++ b/ics-attack/relationship/relationship--375b7e67-8b3f-4102-9e3e-7e356b6c8bf4.json 
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--260276cf-514b-47a4-9f5b-d74372b2a662", + "id": "bundle--9e968fb0-fccc-413f-bc3a-1df1455e430a", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--37abb3d5-24fc-4397-844e-07548d324729.json b/ics-attack/relationship/relationship--37abb3d5-24fc-4397-844e-07548d324729.json index d131bc95fc..41fff07d17 100644 --- a/ics-attack/relationship/relationship--37abb3d5-24fc-4397-844e-07548d324729.json +++ b/ics-attack/relationship/relationship--37abb3d5-24fc-4397-844e-07548d324729.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--65047d08-8452-4a31-8d0c-79609d035a79", + "id": "bundle--2a97ff4d-fe38-4605-87b9-83bd5a4dad26", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--383e242a-72d4-4b40-8905-888595c34919.json b/ics-attack/relationship/relationship--383e242a-72d4-4b40-8905-888595c34919.json index fc74bf1ea4..3cf0edd41f 100644 --- a/ics-attack/relationship/relationship--383e242a-72d4-4b40-8905-888595c34919.json +++ b/ics-attack/relationship/relationship--383e242a-72d4-4b40-8905-888595c34919.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--86f9e118-f2e6-48ab-9cbd-79ab7dbbaccd", + "id": "bundle--8614be9a-f8aa-4aa1-b473-74fd073a2b49", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--3858ec3b-5814-4515-9dda-f8009fbf4cd3.json b/ics-attack/relationship/relationship--3858ec3b-5814-4515-9dda-f8009fbf4cd3.json index 0a0395890a..e608698df4 100644 --- a/ics-attack/relationship/relationship--3858ec3b-5814-4515-9dda-f8009fbf4cd3.json +++ b/ics-attack/relationship/relationship--3858ec3b-5814-4515-9dda-f8009fbf4cd3.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--cd02c33e-2b37-4306-8af9-2f200bddeeff", + "id": "bundle--8986a903-765e-462b-b999-c6f268a04b05", "spec_version": "2.0", "objects": [ { 
diff --git a/ics-attack/relationship/relationship--38a3c86b-c9bb-4a65-87c9-55429c68684f.json b/ics-attack/relationship/relationship--38a3c86b-c9bb-4a65-87c9-55429c68684f.json index 341ca952a4..9646a64a02 100644 --- a/ics-attack/relationship/relationship--38a3c86b-c9bb-4a65-87c9-55429c68684f.json +++ b/ics-attack/relationship/relationship--38a3c86b-c9bb-4a65-87c9-55429c68684f.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--87c40910-2fd9-4c6f-8f91-b73b04fd6662", + "id": "bundle--4045e340-c02a-4e55-bdf5-f9ea45a09ed6", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--39963a04-9675-4fa4-87ea-1b34145cc569.json b/ics-attack/relationship/relationship--39963a04-9675-4fa4-87ea-1b34145cc569.json index 05405455c4..f6e1fdba38 100644 --- a/ics-attack/relationship/relationship--39963a04-9675-4fa4-87ea-1b34145cc569.json +++ b/ics-attack/relationship/relationship--39963a04-9675-4fa4-87ea-1b34145cc569.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--72dbdfcd-d1fe-49c5-bed2-681f03034b5a", + "id": "bundle--5c551a37-4f7e-4353-8659-9b113d6fc9bd", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--3a6cd53d-0d4e-4cf8-8edf-f9ebde4faac4.json b/ics-attack/relationship/relationship--3a6cd53d-0d4e-4cf8-8edf-f9ebde4faac4.json index e996abdc67..29645799f3 100644 --- a/ics-attack/relationship/relationship--3a6cd53d-0d4e-4cf8-8edf-f9ebde4faac4.json +++ b/ics-attack/relationship/relationship--3a6cd53d-0d4e-4cf8-8edf-f9ebde4faac4.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--796c9015-1fa6-4a7c-aca9-d4aeb8273514", + "id": "bundle--094fe68f-b9f8-448f-a8b6-8dc1207199f0", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--3a7d1db3-9383-4171-8938-382e9b0375c6.json b/ics-attack/relationship/relationship--3a7d1db3-9383-4171-8938-382e9b0375c6.json index f5058886db..c2dbec0e3c 100644 
--- a/ics-attack/relationship/relationship--3a7d1db3-9383-4171-8938-382e9b0375c6.json +++ b/ics-attack/relationship/relationship--3a7d1db3-9383-4171-8938-382e9b0375c6.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--8ab05438-8993-4973-8ac0-3e213ee524db", + "id": "bundle--63948302-d9cf-4ecf-9824-06ba351f75c9", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--3aa69e19-f55f-4531-a26e-eb67d6ea24ee.json b/ics-attack/relationship/relationship--3aa69e19-f55f-4531-a26e-eb67d6ea24ee.json index da578fa56b..5d1ba17bc7 100644 --- a/ics-attack/relationship/relationship--3aa69e19-f55f-4531-a26e-eb67d6ea24ee.json +++ b/ics-attack/relationship/relationship--3aa69e19-f55f-4531-a26e-eb67d6ea24ee.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--5786afa9-5b4a-4d1d-9275-eff299e24f47", + "id": "bundle--7fdd2716-130c-4304-a29a-70e1ee2261c6", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--3ab912a4-70aa-45f8-b2ef-57113dde2cfa.json b/ics-attack/relationship/relationship--3ab912a4-70aa-45f8-b2ef-57113dde2cfa.json index 5dcbec6ce1..a7bce5c6b5 100644 --- a/ics-attack/relationship/relationship--3ab912a4-70aa-45f8-b2ef-57113dde2cfa.json +++ b/ics-attack/relationship/relationship--3ab912a4-70aa-45f8-b2ef-57113dde2cfa.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--861310ce-0c3f-4aa3-8214-1eb016ff082b", + "id": "bundle--3cee9c29-e615-43a6-af3e-1d0ff00ca4ee", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--3b199bf1-b45c-4d78-bdea-ee1c06fd3734.json b/ics-attack/relationship/relationship--3b199bf1-b45c-4d78-bdea-ee1c06fd3734.json index a6714b1989..b7cc1c6104 100644 --- a/ics-attack/relationship/relationship--3b199bf1-b45c-4d78-bdea-ee1c06fd3734.json +++ b/ics-attack/relationship/relationship--3b199bf1-b45c-4d78-bdea-ee1c06fd3734.json 
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--f785b880-d124-43a0-88b5-a3a85e8c705b", + "id": "bundle--27e39557-6598-488c-85f4-f73a8db172c2", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--3b6567a9-6213-4db4-a069-1a86b1098b63.json b/ics-attack/relationship/relationship--3b6567a9-6213-4db4-a069-1a86b1098b63.json index 14094f4567..b27784ecad 100644 --- a/ics-attack/relationship/relationship--3b6567a9-6213-4db4-a069-1a86b1098b63.json +++ b/ics-attack/relationship/relationship--3b6567a9-6213-4db4-a069-1a86b1098b63.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--961d80bf-dade-48af-813c-d348d385d736", + "id": "bundle--cf7eaf06-ee2c-4a0b-bd2f-319eadf60780", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--3be8045a-1f0d-4460-a76b-ae830e74c1e0.json b/ics-attack/relationship/relationship--3be8045a-1f0d-4460-a76b-ae830e74c1e0.json index ea4d5600cb..18211ff0f5 100644 --- a/ics-attack/relationship/relationship--3be8045a-1f0d-4460-a76b-ae830e74c1e0.json +++ b/ics-attack/relationship/relationship--3be8045a-1f0d-4460-a76b-ae830e74c1e0.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--4cdea95c-924f-459b-9377-faa2cef39c9a", + "id": "bundle--622e1894-43eb-4c8b-9989-d3066b11617a", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--3be9d4d1-17e1-4f3e-b22a-edad8cf0c343.json b/ics-attack/relationship/relationship--3be9d4d1-17e1-4f3e-b22a-edad8cf0c343.json index 2f30d2745d..56c6037c42 100644 --- a/ics-attack/relationship/relationship--3be9d4d1-17e1-4f3e-b22a-edad8cf0c343.json +++ b/ics-attack/relationship/relationship--3be9d4d1-17e1-4f3e-b22a-edad8cf0c343.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--a145decd-4d1e-4e8d-a504-8076a83a0d43", + "id": "bundle--c214121d-53f8-4122-a621-29588d8b4623", "spec_version": "2.0", "objects": [ { 
diff --git a/ics-attack/relationship/relationship--3bff265f-7ab9-4dae-b7a3-a5d9bc586f35.json b/ics-attack/relationship/relationship--3bff265f-7ab9-4dae-b7a3-a5d9bc586f35.json index c1f05ea796..75d71cf1eb 100644 --- a/ics-attack/relationship/relationship--3bff265f-7ab9-4dae-b7a3-a5d9bc586f35.json +++ b/ics-attack/relationship/relationship--3bff265f-7ab9-4dae-b7a3-a5d9bc586f35.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--67286eed-52cd-4dca-84a1-3dadf69fbba0", + "id": "bundle--3beaa305-cc2c-4113-93ca-b0c635c70a0b", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--3c341d13-938e-4535-ac75-10a79abc7017.json b/ics-attack/relationship/relationship--3c341d13-938e-4535-ac75-10a79abc7017.json index 12a808916d..f0c4834f76 100644 --- a/ics-attack/relationship/relationship--3c341d13-938e-4535-ac75-10a79abc7017.json +++ b/ics-attack/relationship/relationship--3c341d13-938e-4535-ac75-10a79abc7017.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--8c9ae4ee-f7ed-4ede-8558-4aec2cfb35fa", + "id": "bundle--854bbc1a-7faf-40b8-9462-d10b01219754", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--3c5bc8de-a7a4-4bda-a82f-8d149ec927f1.json b/ics-attack/relationship/relationship--3c5bc8de-a7a4-4bda-a82f-8d149ec927f1.json index 1b39cd3b8e..3bd549035c 100644 --- a/ics-attack/relationship/relationship--3c5bc8de-a7a4-4bda-a82f-8d149ec927f1.json +++ b/ics-attack/relationship/relationship--3c5bc8de-a7a4-4bda-a82f-8d149ec927f1.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--a6608672-b1dd-4775-a952-bdb0b8a988a0", + "id": "bundle--99a58cea-71a3-4218-8ecc-10e7ca3a27f8", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--3d005ed8-77d3-4fed-9dd5-7e39ba8cb50a.json b/ics-attack/relationship/relationship--3d005ed8-77d3-4fed-9dd5-7e39ba8cb50a.json index a99dee9212..ddc0d5a74d 100644 
--- a/ics-attack/relationship/relationship--3d005ed8-77d3-4fed-9dd5-7e39ba8cb50a.json +++ b/ics-attack/relationship/relationship--3d005ed8-77d3-4fed-9dd5-7e39ba8cb50a.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--3d46bb42-dda3-454a-81ed-63f6f7f17a6b", + "id": "bundle--5561f3bc-f6e5-4aeb-b5bf-693e02424a32", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--3d20dad6-fb53-4d74-bc7e-54b9b88e1529.json b/ics-attack/relationship/relationship--3d20dad6-fb53-4d74-bc7e-54b9b88e1529.json index 193002dff5..5655f83a87 100644 --- a/ics-attack/relationship/relationship--3d20dad6-fb53-4d74-bc7e-54b9b88e1529.json +++ b/ics-attack/relationship/relationship--3d20dad6-fb53-4d74-bc7e-54b9b88e1529.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--bee70b91-2ffa-4b80-9ca7-93e650226fc3", + "id": "bundle--317a8017-e793-4038-8ba6-11514bf22d46", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--3d4ea0e2-9f51-40f9-a22b-8265f696fd83.json b/ics-attack/relationship/relationship--3d4ea0e2-9f51-40f9-a22b-8265f696fd83.json index 6413bd69ba..c1f0de8a96 100644 --- a/ics-attack/relationship/relationship--3d4ea0e2-9f51-40f9-a22b-8265f696fd83.json +++ b/ics-attack/relationship/relationship--3d4ea0e2-9f51-40f9-a22b-8265f696fd83.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--98340f8d-4cf4-41d8-b1db-3139abc89882", + "id": "bundle--78298b7d-4691-4687-b773-07add22b7b29", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--3d676c1b-2650-4599-8a57-790c55f9977d.json b/ics-attack/relationship/relationship--3d676c1b-2650-4599-8a57-790c55f9977d.json index cb36b42a38..2de2d0df31 100644 --- a/ics-attack/relationship/relationship--3d676c1b-2650-4599-8a57-790c55f9977d.json +++ b/ics-attack/relationship/relationship--3d676c1b-2650-4599-8a57-790c55f9977d.json 
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--8a65d1b7-2c13-4446-bb71-2cd21ec87813", + "id": "bundle--dbe79980-8bd8-4de8-851c-7115a852cb5f", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--3da977ab-c863-4e6f-a5b7-68173160da00.json b/ics-attack/relationship/relationship--3da977ab-c863-4e6f-a5b7-68173160da00.json index a2f2d546b9..f1ee27e8a3 100644 --- a/ics-attack/relationship/relationship--3da977ab-c863-4e6f-a5b7-68173160da00.json +++ b/ics-attack/relationship/relationship--3da977ab-c863-4e6f-a5b7-68173160da00.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--3e0d486e-360b-4b3b-ba40-63c2dfdfe0b1", + "id": "bundle--475beab2-9e21-4437-b7b3-af1f4f21e2e6", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--3dc3aec5-0056-46e8-8073-a7e32d3d929d.json b/ics-attack/relationship/relationship--3dc3aec5-0056-46e8-8073-a7e32d3d929d.json index 5571ffecb9..4d0c131050 100644 --- a/ics-attack/relationship/relationship--3dc3aec5-0056-46e8-8073-a7e32d3d929d.json +++ b/ics-attack/relationship/relationship--3dc3aec5-0056-46e8-8073-a7e32d3d929d.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--989a7768-c3e2-4ef2-9484-f51ec34c4a49", + "id": "bundle--6da0679d-8c86-461d-80f5-c2a6bcc57456", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--3dde2b07-7c30-4a18-a9df-f85db84f9b14.json b/ics-attack/relationship/relationship--3dde2b07-7c30-4a18-a9df-f85db84f9b14.json index 5ec79fdd8e..17af1c3182 100644 --- a/ics-attack/relationship/relationship--3dde2b07-7c30-4a18-a9df-f85db84f9b14.json +++ b/ics-attack/relationship/relationship--3dde2b07-7c30-4a18-a9df-f85db84f9b14.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--4844c8af-9097-4e08-8dd5-dcd8cecd9df3", + "id": "bundle--86eea483-4c27-42f4-8f2b-17600ae598d6", "spec_version": "2.0", "objects": [ { 
diff --git a/ics-attack/relationship/relationship--3e956d93-e011-40de-ab1b-3f32fa73ae41.json b/ics-attack/relationship/relationship--3e956d93-e011-40de-ab1b-3f32fa73ae41.json index 36d1764eba..86c653df56 100644 --- a/ics-attack/relationship/relationship--3e956d93-e011-40de-ab1b-3f32fa73ae41.json +++ b/ics-attack/relationship/relationship--3e956d93-e011-40de-ab1b-3f32fa73ae41.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--53d96cb7-a1cf-4673-abda-02e4b266d8bf", + "id": "bundle--9c24795a-37b8-49d3-a240-e54fa0eec683", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--3ed98d8c-de30-499e-9a62-eae0207519f4.json b/ics-attack/relationship/relationship--3ed98d8c-de30-499e-9a62-eae0207519f4.json index 1062029545..3eb4a8d3aa 100644 --- a/ics-attack/relationship/relationship--3ed98d8c-de30-499e-9a62-eae0207519f4.json +++ b/ics-attack/relationship/relationship--3ed98d8c-de30-499e-9a62-eae0207519f4.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--8087642b-fe3a-47d5-a2af-c0cc3c2a5eda", + "id": "bundle--7c648aac-ed50-416f-954c-7cc29db8f65c", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--3f335e8f-68da-4b06-9d96-f371ddaf23e6.json b/ics-attack/relationship/relationship--3f335e8f-68da-4b06-9d96-f371ddaf23e6.json index e8064bba61..3494854b93 100644 --- a/ics-attack/relationship/relationship--3f335e8f-68da-4b06-9d96-f371ddaf23e6.json +++ b/ics-attack/relationship/relationship--3f335e8f-68da-4b06-9d96-f371ddaf23e6.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--7270a841-cbe7-47f4-899f-da99d083cd2b", + "id": "bundle--019c53af-403a-4c2c-815f-4db2cd135c45", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--3f5f9f9d-9bb3-4461-b85b-501f6077e7b8.json b/ics-attack/relationship/relationship--3f5f9f9d-9bb3-4461-b85b-501f6077e7b8.json index e4e6e0a2d5..e3bec49aa7 100644 
--- a/ics-attack/relationship/relationship--3f5f9f9d-9bb3-4461-b85b-501f6077e7b8.json +++ b/ics-attack/relationship/relationship--3f5f9f9d-9bb3-4461-b85b-501f6077e7b8.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--a76bf1e2-6de3-4baf-b16e-e65ac0abac8e", + "id": "bundle--14340eb3-0f9a-43f0-a9e2-d0fef2ec8046", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--3f76d408-be8a-478e-8a5a-aab1d1f96572.json b/ics-attack/relationship/relationship--3f76d408-be8a-478e-8a5a-aab1d1f96572.json index dc5a701994..6f9f2572b6 100644 --- a/ics-attack/relationship/relationship--3f76d408-be8a-478e-8a5a-aab1d1f96572.json +++ b/ics-attack/relationship/relationship--3f76d408-be8a-478e-8a5a-aab1d1f96572.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--3bebda16-c25f-4e90-a1ed-d6833da82abc", + "id": "bundle--e4b501fd-2c70-4821-a02d-88bc7e6f1a22", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--40479f3e-d4d2-45f8-893f-f8a4fcf1613c.json b/ics-attack/relationship/relationship--40479f3e-d4d2-45f8-893f-f8a4fcf1613c.json index daa9ed1e49..6e3c655209 100644 --- a/ics-attack/relationship/relationship--40479f3e-d4d2-45f8-893f-f8a4fcf1613c.json +++ b/ics-attack/relationship/relationship--40479f3e-d4d2-45f8-893f-f8a4fcf1613c.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--08f8efcf-25d6-4a51-8843-75aff0580a62", + "id": "bundle--8627e8b5-bdb3-4684-92c2-58d0fb27c75f", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--40f63b01-dc59-475d-826a-74f38c6e81b9.json b/ics-attack/relationship/relationship--40f63b01-dc59-475d-826a-74f38c6e81b9.json index 2e72571c3e..ce833dbd51 100644 --- a/ics-attack/relationship/relationship--40f63b01-dc59-475d-826a-74f38c6e81b9.json +++ b/ics-attack/relationship/relationship--40f63b01-dc59-475d-826a-74f38c6e81b9.json 
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--8b50f179-b7e3-4743-9138-cb6b26147ff2", + "id": "bundle--6c8a258f-512f-4dbb-a0e5-8e121ff5fb63", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--4122cdb6-09a4-4b68-b0d1-5d880cf5a4ef.json b/ics-attack/relationship/relationship--4122cdb6-09a4-4b68-b0d1-5d880cf5a4ef.json index 7348875e6c..c41aa0e742 100644 --- a/ics-attack/relationship/relationship--4122cdb6-09a4-4b68-b0d1-5d880cf5a4ef.json +++ b/ics-attack/relationship/relationship--4122cdb6-09a4-4b68-b0d1-5d880cf5a4ef.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--0a69eed4-1dfc-4932-9c76-254700def202", + "id": "bundle--c4f6e879-a7a9-4a7a-a683-66138306ce4f", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--41adaf0b-b7ae-4bdb-9a5b-567fd0911d7a.json b/ics-attack/relationship/relationship--41adaf0b-b7ae-4bdb-9a5b-567fd0911d7a.json index 543d7b6ce4..ad3a28694f 100644 --- a/ics-attack/relationship/relationship--41adaf0b-b7ae-4bdb-9a5b-567fd0911d7a.json +++ b/ics-attack/relationship/relationship--41adaf0b-b7ae-4bdb-9a5b-567fd0911d7a.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--f9e5e335-82b5-4ca9-a3f4-b439c6beec97", + "id": "bundle--f371bc3d-1a97-4522-ae23-e0579c9dedd7", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--41b87fd8-6e4d-4e53-a282-c85292fdaa22.json b/ics-attack/relationship/relationship--41b87fd8-6e4d-4e53-a282-c85292fdaa22.json index 9b3a7e49f0..e9c7296730 100644 --- a/ics-attack/relationship/relationship--41b87fd8-6e4d-4e53-a282-c85292fdaa22.json +++ b/ics-attack/relationship/relationship--41b87fd8-6e4d-4e53-a282-c85292fdaa22.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--44b5b789-daf2-4504-ab1d-d00e0f826f06", + "id": "bundle--2d8342c8-a2e4-41a5-a2ec-7c752fdb23cf", "spec_version": "2.0", "objects": [ { 
diff --git a/ics-attack/relationship/relationship--41ff63a3-ddb9-47fb-8d92-bed74ed0d41d.json b/ics-attack/relationship/relationship--41ff63a3-ddb9-47fb-8d92-bed74ed0d41d.json index 880285ea70..6c7c6a2c27 100644 --- a/ics-attack/relationship/relationship--41ff63a3-ddb9-47fb-8d92-bed74ed0d41d.json +++ b/ics-attack/relationship/relationship--41ff63a3-ddb9-47fb-8d92-bed74ed0d41d.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--851f9f63-99f6-48b4-a343-0c61b1a37d26", + "id": "bundle--c9a46759-1512-4d0d-8f10-3669b7856af2", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--4211c12a-57cf-4ebb-910a-6af7aa09cf34.json b/ics-attack/relationship/relationship--4211c12a-57cf-4ebb-910a-6af7aa09cf34.json index e5787efd6b..7349f285b9 100644 --- a/ics-attack/relationship/relationship--4211c12a-57cf-4ebb-910a-6af7aa09cf34.json +++ b/ics-attack/relationship/relationship--4211c12a-57cf-4ebb-910a-6af7aa09cf34.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--99f45850-d862-469c-a21a-1c7f84cc0ae1", + "id": "bundle--df324d60-a901-4973-b2ae-8d704c7f025e", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--42508a8e-44d5-4af1-9e66-bace5fc94734.json b/ics-attack/relationship/relationship--42508a8e-44d5-4af1-9e66-bace5fc94734.json index f79f17b11f..ffefc6fbbf 100644 --- a/ics-attack/relationship/relationship--42508a8e-44d5-4af1-9e66-bace5fc94734.json +++ b/ics-attack/relationship/relationship--42508a8e-44d5-4af1-9e66-bace5fc94734.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--2adaeddb-2f24-4460-886c-2b4d5b7fa255", + "id": "bundle--c9a64c34-4e5e-4ffc-84d0-836b8356b195", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--4256a0c2-437d-4a4c-88ac-d08d3041b8c1.json b/ics-attack/relationship/relationship--4256a0c2-437d-4a4c-88ac-d08d3041b8c1.json index 091df55986..cd41f9d439 100644 
--- a/ics-attack/relationship/relationship--4256a0c2-437d-4a4c-88ac-d08d3041b8c1.json +++ b/ics-attack/relationship/relationship--4256a0c2-437d-4a4c-88ac-d08d3041b8c1.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--5c4fafba-ebcd-4769-bffd-bb95e6184890", + "id": "bundle--86753110-b1a9-4ac6-bf17-6401541ebf24", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--42ab7d24-8286-4a7a-8cd7-02e54a80e13f.json b/ics-attack/relationship/relationship--42ab7d24-8286-4a7a-8cd7-02e54a80e13f.json index 27dc0f82fe..475a6308b2 100644 --- a/ics-attack/relationship/relationship--42ab7d24-8286-4a7a-8cd7-02e54a80e13f.json +++ b/ics-attack/relationship/relationship--42ab7d24-8286-4a7a-8cd7-02e54a80e13f.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--74535925-4fd3-42c0-b1ef-9aeba4c64ebd", + "id": "bundle--fb2e0424-8c98-46ff-933d-a3ee2790097d", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--433539bf-cb17-4de1-9c0f-e579b041514f.json b/ics-attack/relationship/relationship--433539bf-cb17-4de1-9c0f-e579b041514f.json index 4172974e7c..619fb6e61a 100644 --- a/ics-attack/relationship/relationship--433539bf-cb17-4de1-9c0f-e579b041514f.json +++ b/ics-attack/relationship/relationship--433539bf-cb17-4de1-9c0f-e579b041514f.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--afc2552d-73bf-49bc-bdba-197a44510791", + "id": "bundle--facc778d-3f80-42f4-bace-7c48c9e43293", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--4369da69-bb09-4cc8-8600-081a450f50e0.json b/ics-attack/relationship/relationship--4369da69-bb09-4cc8-8600-081a450f50e0.json index 1499f00b7f..5b233957a6 100644 --- a/ics-attack/relationship/relationship--4369da69-bb09-4cc8-8600-081a450f50e0.json +++ b/ics-attack/relationship/relationship--4369da69-bb09-4cc8-8600-081a450f50e0.json 
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--53f3eecf-dff1-48ad-8087-3515a34a5d2e", + "id": "bundle--81cab7ec-3cfb-45fe-a0f3-37cf45b02c4f", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--43777394-ff59-4261-b1cf-b41a1f4f4d8b.json b/ics-attack/relationship/relationship--43777394-ff59-4261-b1cf-b41a1f4f4d8b.json index a17911e4e7..7137f608c5 100644 --- a/ics-attack/relationship/relationship--43777394-ff59-4261-b1cf-b41a1f4f4d8b.json +++ b/ics-attack/relationship/relationship--43777394-ff59-4261-b1cf-b41a1f4f4d8b.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--fbb4e851-e414-4b07-a35e-8a8f4816142a", + "id": "bundle--88436978-d04f-412a-843d-7e165aca5529", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--43bdf580-b98f-49cf-92d5-3dac50450c86.json b/ics-attack/relationship/relationship--43bdf580-b98f-49cf-92d5-3dac50450c86.json index c37846dd5f..e953c8eeec 100644 --- a/ics-attack/relationship/relationship--43bdf580-b98f-49cf-92d5-3dac50450c86.json +++ b/ics-attack/relationship/relationship--43bdf580-b98f-49cf-92d5-3dac50450c86.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--643db3cf-32be-4c4f-aee9-8c750676901d", + "id": "bundle--be8fab9f-862d-4c50-acea-011eec46bbb1", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--446c95ea-5178-4ae9-8f92-cb20dd50f7de.json b/ics-attack/relationship/relationship--446c95ea-5178-4ae9-8f92-cb20dd50f7de.json index 961cadddd7..79ea7a046a 100644 --- a/ics-attack/relationship/relationship--446c95ea-5178-4ae9-8f92-cb20dd50f7de.json +++ b/ics-attack/relationship/relationship--446c95ea-5178-4ae9-8f92-cb20dd50f7de.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--b9679cc9-6af5-4f5a-ac3b-dadf28c90b00", + "id": "bundle--3618f20a-b3ab-4ec3-b53c-53e0cd391c63", "spec_version": "2.0", "objects": [ { 
diff --git a/ics-attack/relationship/relationship--44c6bc32-d2e5-42f5-8c2e-42f305cb589b.json b/ics-attack/relationship/relationship--44c6bc32-d2e5-42f5-8c2e-42f305cb589b.json index 1094f1ed9a..df27a789d4 100644 --- a/ics-attack/relationship/relationship--44c6bc32-d2e5-42f5-8c2e-42f305cb589b.json +++ b/ics-attack/relationship/relationship--44c6bc32-d2e5-42f5-8c2e-42f305cb589b.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--df22d3f9-da0b-4ea0-9e02-f08a7c01c39c", + "id": "bundle--1c35774d-9ec2-4294-995b-1adbffc8161e", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--44c857cf-7a4e-405a-87ca-7f6d79000589.json b/ics-attack/relationship/relationship--44c857cf-7a4e-405a-87ca-7f6d79000589.json index 0e5cb15057..9322302b39 100644 --- a/ics-attack/relationship/relationship--44c857cf-7a4e-405a-87ca-7f6d79000589.json +++ b/ics-attack/relationship/relationship--44c857cf-7a4e-405a-87ca-7f6d79000589.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--31919bdd-34ca-4498-90cd-af44e7cbc3ad", + "id": "bundle--13e10837-db4e-41c0-a4ab-648f38feb5ea", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--45ee1822-71e4-4d92-976d-306561b70555.json b/ics-attack/relationship/relationship--45ee1822-71e4-4d92-976d-306561b70555.json index 3a7e0ce506..5dad2d674c 100644 --- a/ics-attack/relationship/relationship--45ee1822-71e4-4d92-976d-306561b70555.json +++ b/ics-attack/relationship/relationship--45ee1822-71e4-4d92-976d-306561b70555.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--13ca3bb4-32ee-4ea7-b76b-6d8f6acbed77", + "id": "bundle--53287020-f596-4339-8222-c7114c1b8e67", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--461e81a2-c7ad-499e-908d-05ef2f7bd9cd.json b/ics-attack/relationship/relationship--461e81a2-c7ad-499e-908d-05ef2f7bd9cd.json index 7e2b73f4ff..222ad77959 100644 
--- a/ics-attack/relationship/relationship--461e81a2-c7ad-499e-908d-05ef2f7bd9cd.json +++ b/ics-attack/relationship/relationship--461e81a2-c7ad-499e-908d-05ef2f7bd9cd.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--0c734a2d-143e-431d-be4a-4617f9dfe915", + "id": "bundle--a9f66705-b9a2-44e2-92cd-daf28063a55e", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--4631bf49-da0b-4415-a226-112c99ff0f64.json b/ics-attack/relationship/relationship--4631bf49-da0b-4415-a226-112c99ff0f64.json index 5e40385d03..19968b19d8 100644 --- a/ics-attack/relationship/relationship--4631bf49-da0b-4415-a226-112c99ff0f64.json +++ b/ics-attack/relationship/relationship--4631bf49-da0b-4415-a226-112c99ff0f64.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--942fa202-c98c-46cf-846d-8472eeb607de", + "id": "bundle--5bb14152-59cf-4ddd-92ba-c46b1d7d7fc0", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--46332a77-2fd6-4033-96cf-6163172775ec.json b/ics-attack/relationship/relationship--46332a77-2fd6-4033-96cf-6163172775ec.json index ff347eeaab..4f8b9dc034 100644 --- a/ics-attack/relationship/relationship--46332a77-2fd6-4033-96cf-6163172775ec.json +++ b/ics-attack/relationship/relationship--46332a77-2fd6-4033-96cf-6163172775ec.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--b7290292-2528-410c-8e3f-56d03d08eee4", + "id": "bundle--d3df5aa5-90ff-4f08-b82b-96f2012cf3b6", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--46bc86e4-e20b-4778-80d2-8891039e6fb4.json b/ics-attack/relationship/relationship--46bc86e4-e20b-4778-80d2-8891039e6fb4.json index 92113e2d82..9be35c054f 100644 --- a/ics-attack/relationship/relationship--46bc86e4-e20b-4778-80d2-8891039e6fb4.json +++ b/ics-attack/relationship/relationship--46bc86e4-e20b-4778-80d2-8891039e6fb4.json 
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--6eb9f7d6-3b89-4d5a-bc4d-5dc6cdcdf095", + "id": "bundle--33c7add2-b13d-4f29-9b5c-e471763853d3", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--46edf5ba-ebd3-4976-9cdc-1276ba253c98.json b/ics-attack/relationship/relationship--46edf5ba-ebd3-4976-9cdc-1276ba253c98.json index 86df54bfe6..205641940b 100644 --- a/ics-attack/relationship/relationship--46edf5ba-ebd3-4976-9cdc-1276ba253c98.json +++ b/ics-attack/relationship/relationship--46edf5ba-ebd3-4976-9cdc-1276ba253c98.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--16927e0d-d861-482e-aac7-1fa854a6fa86", + "id": "bundle--f1d9ccdb-e3ce-4621-b52b-7eeaa7f46c93", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--478cef79-cf4e-4b37-9562-b45cdeb088a4.json b/ics-attack/relationship/relationship--478cef79-cf4e-4b37-9562-b45cdeb088a4.json index fada4ec8b0..5a9412784e 100644 --- a/ics-attack/relationship/relationship--478cef79-cf4e-4b37-9562-b45cdeb088a4.json +++ b/ics-attack/relationship/relationship--478cef79-cf4e-4b37-9562-b45cdeb088a4.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--c26b882b-6151-488a-a157-9addda48b2fd", + "id": "bundle--ae883627-8205-46d5-a2e9-255cdd7778ad", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--47f15a06-8675-4698-833d-bd141ed9e755.json b/ics-attack/relationship/relationship--47f15a06-8675-4698-833d-bd141ed9e755.json index fbf1e20c2e..747414b771 100644 --- a/ics-attack/relationship/relationship--47f15a06-8675-4698-833d-bd141ed9e755.json +++ b/ics-attack/relationship/relationship--47f15a06-8675-4698-833d-bd141ed9e755.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--3ce331b7-5176-4c90-ae48-807bbfcd51bc", + "id": "bundle--5cd84b4f-805e-462b-b758-b6be72b7afa5", "spec_version": "2.0", "objects": [ { 
diff --git a/ics-attack/relationship/relationship--48489baf-56c2-423e-964a-0a61688e4a19.json b/ics-attack/relationship/relationship--48489baf-56c2-423e-964a-0a61688e4a19.json index 896ef116ac..f4e8464320 100644 --- a/ics-attack/relationship/relationship--48489baf-56c2-423e-964a-0a61688e4a19.json +++ b/ics-attack/relationship/relationship--48489baf-56c2-423e-964a-0a61688e4a19.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--5a9eca4b-0783-4b84-9c66-e1fdcccf052b", + "id": "bundle--cde2dd27-cab2-41b0-91f9-b1ad6b4ed125", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--491455dc-f7c8-4e12-811b-b8c5c041b4c3.json b/ics-attack/relationship/relationship--491455dc-f7c8-4e12-811b-b8c5c041b4c3.json index a10f493859..d70f73abd9 100644 --- a/ics-attack/relationship/relationship--491455dc-f7c8-4e12-811b-b8c5c041b4c3.json +++ b/ics-attack/relationship/relationship--491455dc-f7c8-4e12-811b-b8c5c041b4c3.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--54e66a58-35a2-4f17-8f04-8d086e902889", + "id": "bundle--25ff4608-559a-42d9-893c-991f61a13a36", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--4966e63c-ca05-466d-91f9-41d799a54471.json b/ics-attack/relationship/relationship--4966e63c-ca05-466d-91f9-41d799a54471.json index 2fdf3283d8..67b96f4662 100644 --- a/ics-attack/relationship/relationship--4966e63c-ca05-466d-91f9-41d799a54471.json +++ b/ics-attack/relationship/relationship--4966e63c-ca05-466d-91f9-41d799a54471.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--15aaec0d-481f-49d4-8a7f-52cc5256dc19", + "id": "bundle--2e106d62-f6d0-4331-818c-5f54f086a5fd", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--49d38b21-5ce5-48d9-a356-639fc6c7a53d.json b/ics-attack/relationship/relationship--49d38b21-5ce5-48d9-a356-639fc6c7a53d.json index e2b9249add..6cc7ace6d0 100644 
--- a/ics-attack/relationship/relationship--49d38b21-5ce5-48d9-a356-639fc6c7a53d.json +++ b/ics-attack/relationship/relationship--49d38b21-5ce5-48d9-a356-639fc6c7a53d.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--e9518555-4673-4543-9875-04ef1ce6d2af", + "id": "bundle--9801a38d-e6a1-4166-9a17-a082d4af077a", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--49d941a6-4da2-4516-92d0-1bc64554b2f2.json b/ics-attack/relationship/relationship--49d941a6-4da2-4516-92d0-1bc64554b2f2.json index 3990bdedf1..16b5fec8ca 100644 --- a/ics-attack/relationship/relationship--49d941a6-4da2-4516-92d0-1bc64554b2f2.json +++ b/ics-attack/relationship/relationship--49d941a6-4da2-4516-92d0-1bc64554b2f2.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--66ffc73e-faad-4213-9025-251047147bf8", + "id": "bundle--459a0e6d-8af9-4d37-aea0-1215449b7948", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--4b57e41c-246f-44b3-b259-1811d5275e10.json b/ics-attack/relationship/relationship--4b57e41c-246f-44b3-b259-1811d5275e10.json index 82c6b6dd1c..9b6437dd22 100644 --- a/ics-attack/relationship/relationship--4b57e41c-246f-44b3-b259-1811d5275e10.json +++ b/ics-attack/relationship/relationship--4b57e41c-246f-44b3-b259-1811d5275e10.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--eb156c54-0a5d-47a6-aa3a-9313ae1caf36", + "id": "bundle--d41044ce-3788-4c91-b5fd-239f30f7215e", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--4cce6bf1-1aa9-483d-a733-d6e52e091419.json b/ics-attack/relationship/relationship--4cce6bf1-1aa9-483d-a733-d6e52e091419.json index 7cd14f5377..ee1b3b87e5 100644 --- a/ics-attack/relationship/relationship--4cce6bf1-1aa9-483d-a733-d6e52e091419.json +++ b/ics-attack/relationship/relationship--4cce6bf1-1aa9-483d-a733-d6e52e091419.json 
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--f93099ed-a999-45b2-9602-e82d789ac60b", + "id": "bundle--ddad1694-ffb9-4d61-b8e1-96978e4fa447", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--4dd93fd2-6e6d-4c50-a091-6d6ea6903f1e.json b/ics-attack/relationship/relationship--4dd93fd2-6e6d-4c50-a091-6d6ea6903f1e.json index 01d2f79618..bd3b9479a9 100644 --- a/ics-attack/relationship/relationship--4dd93fd2-6e6d-4c50-a091-6d6ea6903f1e.json +++ b/ics-attack/relationship/relationship--4dd93fd2-6e6d-4c50-a091-6d6ea6903f1e.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--b76a83d1-6486-47a3-8690-7f425753c7d4", + "id": "bundle--f12fecbc-803d-41f4-9e16-7cb278ea0f22", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--502a0b7e-048a-468a-b888-e91fde47c6eb.json b/ics-attack/relationship/relationship--502a0b7e-048a-468a-b888-e91fde47c6eb.json index b75fff7df5..24fcae382f 100644 --- a/ics-attack/relationship/relationship--502a0b7e-048a-468a-b888-e91fde47c6eb.json +++ b/ics-attack/relationship/relationship--502a0b7e-048a-468a-b888-e91fde47c6eb.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--0a2e0230-f955-44d2-a4c1-86eff829fb78", + "id": "bundle--dad717aa-2a16-4a07-a75a-96c0dc149c52", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--5041e17d-6349-4589-8c61-7b43964b5f9b.json b/ics-attack/relationship/relationship--5041e17d-6349-4589-8c61-7b43964b5f9b.json index b19035d108..a7ba0d3810 100644 --- a/ics-attack/relationship/relationship--5041e17d-6349-4589-8c61-7b43964b5f9b.json +++ b/ics-attack/relationship/relationship--5041e17d-6349-4589-8c61-7b43964b5f9b.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--09eb1769-1a44-4940-825f-9d4e08134f29", + "id": "bundle--66e95867-327c-4097-ac6b-18715ed7b472", "spec_version": "2.0", "objects": [ { 
diff --git a/ics-attack/relationship/relationship--50a2b289-7bce-405d-8515-c2b5424cce5c.json b/ics-attack/relationship/relationship--50a2b289-7bce-405d-8515-c2b5424cce5c.json index ac7b2f6a41..960b3d6642 100644 --- a/ics-attack/relationship/relationship--50a2b289-7bce-405d-8515-c2b5424cce5c.json +++ b/ics-attack/relationship/relationship--50a2b289-7bce-405d-8515-c2b5424cce5c.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--11dd1b8d-40d2-4ba9-a3cf-2b2c4ee3c1f6", + "id": "bundle--c9ff909c-d4e3-406d-99a0-4fe7c4300e0e", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--50b3247a-ea71-455e-b299-f00666c05146.json b/ics-attack/relationship/relationship--50b3247a-ea71-455e-b299-f00666c05146.json index 6c7f26edc0..a0cfce1cd8 100644 --- a/ics-attack/relationship/relationship--50b3247a-ea71-455e-b299-f00666c05146.json +++ b/ics-attack/relationship/relationship--50b3247a-ea71-455e-b299-f00666c05146.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--fe9d7889-aec1-46e9-8630-6bd95f309d1f", + "id": "bundle--a0ae53e6-635a-4e77-a758-8ff07e467238", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--50c20664-75dc-451e-b026-67b1d309e4b5.json b/ics-attack/relationship/relationship--50c20664-75dc-451e-b026-67b1d309e4b5.json index 65141fe91f..b3f14d2910 100644 --- a/ics-attack/relationship/relationship--50c20664-75dc-451e-b026-67b1d309e4b5.json +++ b/ics-attack/relationship/relationship--50c20664-75dc-451e-b026-67b1d309e4b5.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--4fe1582c-95d3-449b-85a0-9a5a1fc79a9f", + "id": "bundle--a8256d6a-e6f3-4770-8b84-0d194a1ad8c1", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--51eb15a3-48af-470f-94c0-10f25b366d72.json b/ics-attack/relationship/relationship--51eb15a3-48af-470f-94c0-10f25b366d72.json index 7302ac5dbb..d0fc9208eb 100644 
--- a/ics-attack/relationship/relationship--51eb15a3-48af-470f-94c0-10f25b366d72.json +++ b/ics-attack/relationship/relationship--51eb15a3-48af-470f-94c0-10f25b366d72.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--5167eb9d-4865-43f1-bef4-b64e68ebbf74", + "id": "bundle--98f5ce3e-5082-491e-9b43-5811c6cc0203", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--51eca7b9-6330-48a8-badd-65ed3e9d3639.json b/ics-attack/relationship/relationship--51eca7b9-6330-48a8-badd-65ed3e9d3639.json index 5d659b8ebe..da89cbc77a 100644 --- a/ics-attack/relationship/relationship--51eca7b9-6330-48a8-badd-65ed3e9d3639.json +++ b/ics-attack/relationship/relationship--51eca7b9-6330-48a8-badd-65ed3e9d3639.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--fa3bc1c9-db03-4f16-8cc0-0581ab0abd83", + "id": "bundle--42ff0b0f-54ad-4fa0-b9f7-ef0a27818eaa", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--51ed2f2f-d7e2-4699-b6bf-8da9d0361d59.json b/ics-attack/relationship/relationship--51ed2f2f-d7e2-4699-b6bf-8da9d0361d59.json index f245fc3907..5389b68721 100644 --- a/ics-attack/relationship/relationship--51ed2f2f-d7e2-4699-b6bf-8da9d0361d59.json +++ b/ics-attack/relationship/relationship--51ed2f2f-d7e2-4699-b6bf-8da9d0361d59.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--50e83542-b90b-421c-b520-b868548b4701", + "id": "bundle--257ba8c4-b876-4580-be13-9bdef60405e7", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--51f9963c-c041-4bec-b482-5fda2fb5bca4.json b/ics-attack/relationship/relationship--51f9963c-c041-4bec-b482-5fda2fb5bca4.json index ae473feb4f..c7e85ee0ac 100644 --- a/ics-attack/relationship/relationship--51f9963c-c041-4bec-b482-5fda2fb5bca4.json +++ b/ics-attack/relationship/relationship--51f9963c-c041-4bec-b482-5fda2fb5bca4.json 
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--c9732faa-acaa-4fd6-9d2a-3f74a0eb5ba9", + "id": "bundle--204f8359-fea8-4789-8251-000925cd442e", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--520aad6a-2483-45bc-a172-2417137f6ca0.json b/ics-attack/relationship/relationship--520aad6a-2483-45bc-a172-2417137f6ca0.json index 5b36fd1d62..bb865e388b 100644 --- a/ics-attack/relationship/relationship--520aad6a-2483-45bc-a172-2417137f6ca0.json +++ b/ics-attack/relationship/relationship--520aad6a-2483-45bc-a172-2417137f6ca0.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--e890ab38-85bb-4106-b9b2-c189fbce87ed", + "id": "bundle--0bb7e704-7d07-49e8-aed9-845bad57abad", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--5212f36b-216f-4e32-8b64-3b4c94dfada5.json b/ics-attack/relationship/relationship--5212f36b-216f-4e32-8b64-3b4c94dfada5.json index 265f49da61..b4c8c4833f 100644 --- a/ics-attack/relationship/relationship--5212f36b-216f-4e32-8b64-3b4c94dfada5.json +++ b/ics-attack/relationship/relationship--5212f36b-216f-4e32-8b64-3b4c94dfada5.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--bf7989df-a4d3-419c-be3f-45b293e5cbdf", + "id": "bundle--aad2f139-2b5d-4f2f-8647-b9b1a4c49190", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--52855d5d-e835-470f-a675-751c2779c861.json b/ics-attack/relationship/relationship--52855d5d-e835-470f-a675-751c2779c861.json index b30c0f7168..ad69252cb6 100644 --- a/ics-attack/relationship/relationship--52855d5d-e835-470f-a675-751c2779c861.json +++ b/ics-attack/relationship/relationship--52855d5d-e835-470f-a675-751c2779c861.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--a8c6dfae-87d5-4e14-9bba-9bf3bfa38b31", + "id": "bundle--be2338a7-2b72-4b91-a897-16e91c2b14b4", "spec_version": "2.0", "objects": [ { 
diff --git a/ics-attack/relationship/relationship--52c7176b-431d-44a6-8c03-7c15a8cf6ce1.json b/ics-attack/relationship/relationship--52c7176b-431d-44a6-8c03-7c15a8cf6ce1.json index e6c71a245b..83d3416530 100644 --- a/ics-attack/relationship/relationship--52c7176b-431d-44a6-8c03-7c15a8cf6ce1.json +++ b/ics-attack/relationship/relationship--52c7176b-431d-44a6-8c03-7c15a8cf6ce1.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--4e14e999-f500-4456-89f2-c574b3650750", + "id": "bundle--a6d8d933-abea-408b-92ca-8d171d563795", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--531e0589-0dad-444d-aca4-6198ba5d9fcd.json b/ics-attack/relationship/relationship--531e0589-0dad-444d-aca4-6198ba5d9fcd.json index 2c87d88414..bc42b1bdb7 100644 --- a/ics-attack/relationship/relationship--531e0589-0dad-444d-aca4-6198ba5d9fcd.json +++ b/ics-attack/relationship/relationship--531e0589-0dad-444d-aca4-6198ba5d9fcd.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--04159440-99f3-430e-946a-a843cfbea054", + "id": "bundle--fc0a6b94-3ac6-41e7-98d2-6cac89da93bf", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--535c5160-17e0-44eb-9f4b-1a8e216b56a2.json b/ics-attack/relationship/relationship--535c5160-17e0-44eb-9f4b-1a8e216b56a2.json index 7fdfd02748..6c90af73d0 100644 --- a/ics-attack/relationship/relationship--535c5160-17e0-44eb-9f4b-1a8e216b56a2.json +++ b/ics-attack/relationship/relationship--535c5160-17e0-44eb-9f4b-1a8e216b56a2.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--705c670b-a0d1-4aea-95a5-54179fbd24a5", + "id": "bundle--15c005ca-6040-4b54-b9db-d69a3bbd07a5", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--53a54e4a-2b38-4b0c-8f60-252a68767443.json b/ics-attack/relationship/relationship--53a54e4a-2b38-4b0c-8f60-252a68767443.json index 4ed2f14b0f..40199eb846 100644 
--- a/ics-attack/relationship/relationship--53a54e4a-2b38-4b0c-8f60-252a68767443.json +++ b/ics-attack/relationship/relationship--53a54e4a-2b38-4b0c-8f60-252a68767443.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--f3bbe32b-1f93-4cb1-b976-fd3e38f2f637", + "id": "bundle--33c48894-2c68-46bf-8634-109af5d966b3", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--5424e327-396f-4b07-94a3-408ffc915686.json b/ics-attack/relationship/relationship--5424e327-396f-4b07-94a3-408ffc915686.json index a9908997a5..101516c6b9 100644 --- a/ics-attack/relationship/relationship--5424e327-396f-4b07-94a3-408ffc915686.json +++ b/ics-attack/relationship/relationship--5424e327-396f-4b07-94a3-408ffc915686.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--349363db-740f-414e-921e-153dddbdebad", + "id": "bundle--53a41a55-2af0-4324-a38f-b3d4f71a82cb", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--54e73627-95de-4e6e-abf0-d93e20a1fe8f.json b/ics-attack/relationship/relationship--54e73627-95de-4e6e-abf0-d93e20a1fe8f.json index 8d56fdca4c..e614ba7591 100644 --- a/ics-attack/relationship/relationship--54e73627-95de-4e6e-abf0-d93e20a1fe8f.json +++ b/ics-attack/relationship/relationship--54e73627-95de-4e6e-abf0-d93e20a1fe8f.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--827ad031-e8fb-477c-86ff-e53058311ae0", + "id": "bundle--38d7509d-0992-4eaf-8d5e-4ff8182e64e1", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--54f6293a-1ccb-4dcb-b85c-9a2a57daddb9.json b/ics-attack/relationship/relationship--54f6293a-1ccb-4dcb-b85c-9a2a57daddb9.json index 7f20bed2c9..9aca4de938 100644 --- a/ics-attack/relationship/relationship--54f6293a-1ccb-4dcb-b85c-9a2a57daddb9.json +++ b/ics-attack/relationship/relationship--54f6293a-1ccb-4dcb-b85c-9a2a57daddb9.json 
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--c0abca1b-07db-443d-a262-ed926b22fb71", + "id": "bundle--b39f4d8f-b248-4387-b946-c87f3337b86c", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--55f3dd59-08be-4e23-a680-b6db7850b399.json b/ics-attack/relationship/relationship--55f3dd59-08be-4e23-a680-b6db7850b399.json index e1e0d1fdad..1084064811 100644 --- a/ics-attack/relationship/relationship--55f3dd59-08be-4e23-a680-b6db7850b399.json +++ b/ics-attack/relationship/relationship--55f3dd59-08be-4e23-a680-b6db7850b399.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--7bc94d5c-e08f-40d2-8751-853c97ced894", + "id": "bundle--eefc00cb-52d7-415f-931f-0c8378815bc9", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--55fe102a-d32b-4a73-85b1-14a02d0e552f.json b/ics-attack/relationship/relationship--55fe102a-d32b-4a73-85b1-14a02d0e552f.json index 66425fd052..c44f5fde5d 100644 --- a/ics-attack/relationship/relationship--55fe102a-d32b-4a73-85b1-14a02d0e552f.json +++ b/ics-attack/relationship/relationship--55fe102a-d32b-4a73-85b1-14a02d0e552f.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--6e84a20c-cfbc-42bc-817d-99fd5431664d", + "id": "bundle--eb52098e-8546-475c-99fc-632fcd72cf01", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--56672ea4-cbf0-4a3e-8aed-edcc7d33133b.json b/ics-attack/relationship/relationship--56672ea4-cbf0-4a3e-8aed-edcc7d33133b.json index f3ef776b10..6daaaa223e 100644 --- a/ics-attack/relationship/relationship--56672ea4-cbf0-4a3e-8aed-edcc7d33133b.json +++ b/ics-attack/relationship/relationship--56672ea4-cbf0-4a3e-8aed-edcc7d33133b.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--d94effa8-bbac-4d52-a148-a4799a73a1b0", + "id": "bundle--bce200f9-3c6d-44c8-b6f5-2eeb90adf6da", "spec_version": "2.0", "objects": [ { 
diff --git a/ics-attack/relationship/relationship--567acebd-4ba2-4723-a74d-514992321ccc.json b/ics-attack/relationship/relationship--567acebd-4ba2-4723-a74d-514992321ccc.json index 8993098b34..f9b33d082e 100644 --- a/ics-attack/relationship/relationship--567acebd-4ba2-4723-a74d-514992321ccc.json +++ b/ics-attack/relationship/relationship--567acebd-4ba2-4723-a74d-514992321ccc.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--2f38329a-5b6a-4a64-8c4b-11a4376312ae", + "id": "bundle--35234a93-7444-4cca-9e70-944390515b4e", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--56dcc2d7-5243-4a5d-a556-8723642e98a4.json b/ics-attack/relationship/relationship--56dcc2d7-5243-4a5d-a556-8723642e98a4.json index bd748554b3..cffc49ca3f 100644 --- a/ics-attack/relationship/relationship--56dcc2d7-5243-4a5d-a556-8723642e98a4.json +++ b/ics-attack/relationship/relationship--56dcc2d7-5243-4a5d-a556-8723642e98a4.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--01d452e6-beb6-43e7-b99c-39b6f0902daa", + "id": "bundle--1e8c4d0f-a70e-4361-861c-0b555b0b82a4", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--5714c88f-ca54-46b6-b072-cd1d24714ae0.json b/ics-attack/relationship/relationship--5714c88f-ca54-46b6-b072-cd1d24714ae0.json index 21e3408ee7..de68b4a08c 100644 --- a/ics-attack/relationship/relationship--5714c88f-ca54-46b6-b072-cd1d24714ae0.json +++ b/ics-attack/relationship/relationship--5714c88f-ca54-46b6-b072-cd1d24714ae0.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--c5742ef7-8c30-4c52-b482-768e397a2c0c", + "id": "bundle--3f1e7b76-1c51-44e7-a84e-628af9cfe3e6", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--575f0e0b-d68d-432b-abb3-cbd3e641fc88.json b/ics-attack/relationship/relationship--575f0e0b-d68d-432b-abb3-cbd3e641fc88.json index 042a63d800..93dc609a76 100644 
--- a/ics-attack/relationship/relationship--575f0e0b-d68d-432b-abb3-cbd3e641fc88.json +++ b/ics-attack/relationship/relationship--575f0e0b-d68d-432b-abb3-cbd3e641fc88.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--edfa306f-1bcf-4e1c-9d3d-32059dbb86b4", + "id": "bundle--f44e4708-8a30-49f8-9005-709413a3ed7f", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--5771ce27-7cc7-4144-8c11-c1a6d2ac3e2c.json b/ics-attack/relationship/relationship--5771ce27-7cc7-4144-8c11-c1a6d2ac3e2c.json index cc22886f57..98f0a21a1f 100644 --- a/ics-attack/relationship/relationship--5771ce27-7cc7-4144-8c11-c1a6d2ac3e2c.json +++ b/ics-attack/relationship/relationship--5771ce27-7cc7-4144-8c11-c1a6d2ac3e2c.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--cd4e4efd-f500-4c9d-9689-b95c1e3bc42e", + "id": "bundle--cc1f03db-bfb5-405b-bc4f-ff2b7409239e", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--578117b2-0f4b-4d75-a2dc-3ee45976e616.json b/ics-attack/relationship/relationship--578117b2-0f4b-4d75-a2dc-3ee45976e616.json index 8f38fc1ab4..9b320ef25c 100644 --- a/ics-attack/relationship/relationship--578117b2-0f4b-4d75-a2dc-3ee45976e616.json +++ b/ics-attack/relationship/relationship--578117b2-0f4b-4d75-a2dc-3ee45976e616.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--b0b214e1-02a7-4cb7-847c-d70795b51aef", + "id": "bundle--d7167105-214a-4bfe-98ca-d7c982a8cff6", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--5804ae3d-0daf-47a5-b026-d42878f55803.json b/ics-attack/relationship/relationship--5804ae3d-0daf-47a5-b026-d42878f55803.json index 26e9592d98..cec1f0a4ee 100644 --- a/ics-attack/relationship/relationship--5804ae3d-0daf-47a5-b026-d42878f55803.json +++ b/ics-attack/relationship/relationship--5804ae3d-0daf-47a5-b026-d42878f55803.json 
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--965b565a-36af-434d-9090-6a0701d25138", + "id": "bundle--3cfbc153-935d-4be5-a87b-a3d3e853a070", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--58269882-7e8d-4d24-b7a3-dbef6196cb61.json b/ics-attack/relationship/relationship--58269882-7e8d-4d24-b7a3-dbef6196cb61.json index 35fde61424..0be524072a 100644 --- a/ics-attack/relationship/relationship--58269882-7e8d-4d24-b7a3-dbef6196cb61.json +++ b/ics-attack/relationship/relationship--58269882-7e8d-4d24-b7a3-dbef6196cb61.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--79af3e6c-d7dd-4250-a952-acecc8eed57c", + "id": "bundle--638fb76d-257a-42a7-8d96-1ddeaea18352", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--5886d4a1-2d4c-40d5-a689-69c475ab6ee2.json b/ics-attack/relationship/relationship--5886d4a1-2d4c-40d5-a689-69c475ab6ee2.json index d77c0f5820..fdf690c36f 100644 --- a/ics-attack/relationship/relationship--5886d4a1-2d4c-40d5-a689-69c475ab6ee2.json +++ b/ics-attack/relationship/relationship--5886d4a1-2d4c-40d5-a689-69c475ab6ee2.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--9ba68fa5-f026-442d-ba16-3d23719b1c18", + "id": "bundle--7123113a-3a23-4581-8a08-5bc9ce666e0e", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--58a0fd57-ea5f-46b0-84ac-c5b963fb7e94.json b/ics-attack/relationship/relationship--58a0fd57-ea5f-46b0-84ac-c5b963fb7e94.json index 07b6fe6f4f..5c0782f6cb 100644 --- a/ics-attack/relationship/relationship--58a0fd57-ea5f-46b0-84ac-c5b963fb7e94.json +++ b/ics-attack/relationship/relationship--58a0fd57-ea5f-46b0-84ac-c5b963fb7e94.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--03274025-39fd-4515-bcc5-a8a5487dbfac", + "id": "bundle--d307cf8e-02cd-40ab-b62d-e701dc66a6ef", "spec_version": "2.0", "objects": [ { 
diff --git a/ics-attack/relationship/relationship--58aa90a7-886b-4f37-ab16-a0beb0e64877.json b/ics-attack/relationship/relationship--58aa90a7-886b-4f37-ab16-a0beb0e64877.json index 6005921ecc..69218bf0c4 100644 --- a/ics-attack/relationship/relationship--58aa90a7-886b-4f37-ab16-a0beb0e64877.json +++ b/ics-attack/relationship/relationship--58aa90a7-886b-4f37-ab16-a0beb0e64877.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--c472de7d-92b5-49bc-a399-f8b63150d627", + "id": "bundle--9dc5cc89-368a-4e15-a0dc-2c32d6c12137", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--58cb4cb5-4b0f-4ce0-b3f9-5deb9de31c52.json b/ics-attack/relationship/relationship--58cb4cb5-4b0f-4ce0-b3f9-5deb9de31c52.json index 4c365a3c7a..a1b8294bd1 100644 --- a/ics-attack/relationship/relationship--58cb4cb5-4b0f-4ce0-b3f9-5deb9de31c52.json +++ b/ics-attack/relationship/relationship--58cb4cb5-4b0f-4ce0-b3f9-5deb9de31c52.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--6c355f20-4a0d-4414-bbcc-90b59f1e3b7f", + "id": "bundle--aa96762e-e46c-45aa-bf32-85ebba7f8014", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--5901e8b3-7df0-43e0-bdc5-f4fd2792a572.json b/ics-attack/relationship/relationship--5901e8b3-7df0-43e0-bdc5-f4fd2792a572.json index 5f97c8d302..d3dcfd3f98 100644 --- a/ics-attack/relationship/relationship--5901e8b3-7df0-43e0-bdc5-f4fd2792a572.json +++ b/ics-attack/relationship/relationship--5901e8b3-7df0-43e0-bdc5-f4fd2792a572.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--3000e84f-a1da-431e-91fd-8e1ae96782bf", + "id": "bundle--88ab8cfd-15ce-4e8d-9c79-6be932d7789d", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--590bdd67-31ef-4edd-b2ac-2bd1b98da19c.json b/ics-attack/relationship/relationship--590bdd67-31ef-4edd-b2ac-2bd1b98da19c.json index 50f3507215..efefa0bbe6 100644 
--- a/ics-attack/relationship/relationship--590bdd67-31ef-4edd-b2ac-2bd1b98da19c.json +++ b/ics-attack/relationship/relationship--590bdd67-31ef-4edd-b2ac-2bd1b98da19c.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--a1cefbf7-608c-48fa-86ce-7ce0606fcfa6", + "id": "bundle--612c0320-9293-4fee-95bd-3ff33fc2f036", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--5914a482-dbb7-429d-96f3-77f0588ac12d.json b/ics-attack/relationship/relationship--5914a482-dbb7-429d-96f3-77f0588ac12d.json index 15bbbe1b4c..a04a34c121 100644 --- a/ics-attack/relationship/relationship--5914a482-dbb7-429d-96f3-77f0588ac12d.json +++ b/ics-attack/relationship/relationship--5914a482-dbb7-429d-96f3-77f0588ac12d.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--d6e711cc-5fee-413d-9600-6466517a3c9c", + "id": "bundle--04ef6ab7-0545-4401-9711-3ee3ef31fb7b", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--591620d3-5549-49db-9080-43f86a68a590.json b/ics-attack/relationship/relationship--591620d3-5549-49db-9080-43f86a68a590.json index 18a667f3df..5ad1b7c745 100644 --- a/ics-attack/relationship/relationship--591620d3-5549-49db-9080-43f86a68a590.json +++ b/ics-attack/relationship/relationship--591620d3-5549-49db-9080-43f86a68a590.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--5b1a9a02-8650-48f8-af5b-8ca5f1f4d1ec", + "id": "bundle--fcc93c7b-c15c-486a-9b0c-a3da76f5f8e4", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--59c65014-1fee-4c2e-9ece-9883159bbed2.json b/ics-attack/relationship/relationship--59c65014-1fee-4c2e-9ece-9883159bbed2.json index d30f501a8b..b8a4bc626a 100644 --- a/ics-attack/relationship/relationship--59c65014-1fee-4c2e-9ece-9883159bbed2.json +++ b/ics-attack/relationship/relationship--59c65014-1fee-4c2e-9ece-9883159bbed2.json 
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--fe281290-0fe8-48ad-9b97-fb1c29c90d62", + "id": "bundle--8db802bb-71ff-4416-8dca-2776b9a5b0d3", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--5a16cecc-4017-4ce8-97db-01cb66a1528e.json b/ics-attack/relationship/relationship--5a16cecc-4017-4ce8-97db-01cb66a1528e.json index 9d8e5237bb..fa698a0e59 100644 --- a/ics-attack/relationship/relationship--5a16cecc-4017-4ce8-97db-01cb66a1528e.json +++ b/ics-attack/relationship/relationship--5a16cecc-4017-4ce8-97db-01cb66a1528e.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--6ee3a8a3-272c-4c53-96ef-b70e44c755c7", + "id": "bundle--f5a862fd-6655-4204-a13d-dae3690ac9ae", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--5ae1cf3a-2603-4bf9-ace3-5b1ee5d8d757.json b/ics-attack/relationship/relationship--5ae1cf3a-2603-4bf9-ace3-5b1ee5d8d757.json index f55d55f996..2475b545b8 100644 --- a/ics-attack/relationship/relationship--5ae1cf3a-2603-4bf9-ace3-5b1ee5d8d757.json +++ b/ics-attack/relationship/relationship--5ae1cf3a-2603-4bf9-ace3-5b1ee5d8d757.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--49915cba-58cb-4dc4-a3d1-cf60ee0c1044", + "id": "bundle--a826ceb8-1230-4297-8c93-6d8877365518", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--5bb313a8-8407-4ec1-a4b0-683ded7f3302.json b/ics-attack/relationship/relationship--5bb313a8-8407-4ec1-a4b0-683ded7f3302.json index 5666644e3e..87a7eb7f46 100644 --- a/ics-attack/relationship/relationship--5bb313a8-8407-4ec1-a4b0-683ded7f3302.json +++ b/ics-attack/relationship/relationship--5bb313a8-8407-4ec1-a4b0-683ded7f3302.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--bc014124-5816-4116-ad3e-f8c5b7a59532", + "id": "bundle--06b810af-63b7-4134-8826-81b64ef6cbb4", "spec_version": "2.0", "objects": [ { 
diff --git a/ics-attack/relationship/relationship--5be1f2b1-75fd-4e7e-901b-495cee4ab5ad.json b/ics-attack/relationship/relationship--5be1f2b1-75fd-4e7e-901b-495cee4ab5ad.json index 951ba1e157..e38ceec4f1 100644 --- a/ics-attack/relationship/relationship--5be1f2b1-75fd-4e7e-901b-495cee4ab5ad.json +++ b/ics-attack/relationship/relationship--5be1f2b1-75fd-4e7e-901b-495cee4ab5ad.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--78f09a9a-78ac-4db3-a21b-2dda5882c9e0", + "id": "bundle--20b5a0d3-a56d-41cf-bbd5-d4fb450f4046", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--5bf8473c-3c60-4a8a-8514-c2b50ab8a92d.json b/ics-attack/relationship/relationship--5bf8473c-3c60-4a8a-8514-c2b50ab8a92d.json index 2e3456f34a..ad9528ba44 100644 --- a/ics-attack/relationship/relationship--5bf8473c-3c60-4a8a-8514-c2b50ab8a92d.json +++ b/ics-attack/relationship/relationship--5bf8473c-3c60-4a8a-8514-c2b50ab8a92d.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--bea013b4-cbd4-495d-a0cd-fdcaca012275", + "id": "bundle--02483898-bc4f-4ba0-a1d3-eaf9a88b44ee", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--5c0bdf4c-233f-42cd-8900-2a5cc8c9387c.json b/ics-attack/relationship/relationship--5c0bdf4c-233f-42cd-8900-2a5cc8c9387c.json index a5b6a1c43b..8ab2abbc15 100644 --- a/ics-attack/relationship/relationship--5c0bdf4c-233f-42cd-8900-2a5cc8c9387c.json +++ b/ics-attack/relationship/relationship--5c0bdf4c-233f-42cd-8900-2a5cc8c9387c.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--144dd4fc-647b-46dc-a652-8d202d4fd799", + "id": "bundle--e2e3842d-d78a-418f-bbfb-089a68b93854", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--5c695f49-6c76-4818-88b6-4db2bf029e43.json b/ics-attack/relationship/relationship--5c695f49-6c76-4818-88b6-4db2bf029e43.json index 6d45213f60..1f9eb01a61 100644 
--- a/ics-attack/relationship/relationship--5c695f49-6c76-4818-88b6-4db2bf029e43.json +++ b/ics-attack/relationship/relationship--5c695f49-6c76-4818-88b6-4db2bf029e43.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--458d7c1c-8c15-4ebf-8a90-535b2fd3ba5e", + "id": "bundle--fd0c5fcc-0c9e-44eb-a244-82a4160e4660", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--5ca1d677-b41f-4f1e-b86b-f5637a418829.json b/ics-attack/relationship/relationship--5ca1d677-b41f-4f1e-b86b-f5637a418829.json index 0a9e83abc9..49b7c34180 100644 --- a/ics-attack/relationship/relationship--5ca1d677-b41f-4f1e-b86b-f5637a418829.json +++ b/ics-attack/relationship/relationship--5ca1d677-b41f-4f1e-b86b-f5637a418829.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--2f64efc6-06e1-47ba-9c8d-733f2be0dd35", + "id": "bundle--51c7f1ea-ac6a-4ab5-a18d-ff7d3ea71300", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--5d0a7979-0420-4fd1-b5ad-cb5565cbdf9d.json b/ics-attack/relationship/relationship--5d0a7979-0420-4fd1-b5ad-cb5565cbdf9d.json index f3440603ab..d94e6e2984 100644 --- a/ics-attack/relationship/relationship--5d0a7979-0420-4fd1-b5ad-cb5565cbdf9d.json +++ b/ics-attack/relationship/relationship--5d0a7979-0420-4fd1-b5ad-cb5565cbdf9d.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--20cbbbcf-9be8-4d39-92fe-38ee98723fe2", + "id": "bundle--c0e18f17-48f8-49d6-bf95-5a5179788e68", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--5d33de22-35b0-47fa-bc63-f984522340b7.json b/ics-attack/relationship/relationship--5d33de22-35b0-47fa-bc63-f984522340b7.json index 86ba02041d..25049f49a3 100644 --- a/ics-attack/relationship/relationship--5d33de22-35b0-47fa-bc63-f984522340b7.json +++ b/ics-attack/relationship/relationship--5d33de22-35b0-47fa-bc63-f984522340b7.json 
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--d564ab88-4118-4583-a7d9-26fc2a884641", + "id": "bundle--a636d9b0-1d97-4c0e-9a24-b7fe542e4054", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--5d4f6aff-650c-45fe-a9d8-2080d3ea02d7.json b/ics-attack/relationship/relationship--5d4f6aff-650c-45fe-a9d8-2080d3ea02d7.json index 7de0f6cea5..f278040a04 100644 --- a/ics-attack/relationship/relationship--5d4f6aff-650c-45fe-a9d8-2080d3ea02d7.json +++ b/ics-attack/relationship/relationship--5d4f6aff-650c-45fe-a9d8-2080d3ea02d7.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--bcbac5d6-0dc3-4fa4-8ac0-316e122fc7d6", + "id": "bundle--afac0ba0-6e69-45c6-b096-378b6dfd18b0", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--5de6bf53-0a02-439b-a8d0-248fa9640a36.json b/ics-attack/relationship/relationship--5de6bf53-0a02-439b-a8d0-248fa9640a36.json index d4ba4fb996..175a18eb79 100644 --- a/ics-attack/relationship/relationship--5de6bf53-0a02-439b-a8d0-248fa9640a36.json +++ b/ics-attack/relationship/relationship--5de6bf53-0a02-439b-a8d0-248fa9640a36.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--c58fafcc-de23-4c62-8e9b-f962371e1dbe", + "id": "bundle--aaba9551-4637-408e-bb38-50f149c118ae", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--5dfa5bad-8b0b-4884-bf01-04ea89e3ccf7.json b/ics-attack/relationship/relationship--5dfa5bad-8b0b-4884-bf01-04ea89e3ccf7.json index c1f4ed44ef..6a94e916c6 100644 --- a/ics-attack/relationship/relationship--5dfa5bad-8b0b-4884-bf01-04ea89e3ccf7.json +++ b/ics-attack/relationship/relationship--5dfa5bad-8b0b-4884-bf01-04ea89e3ccf7.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--f9bd9f64-7462-495b-abe9-8fda44d4efc7", + "id": "bundle--ed6fe088-45f7-4f67-aa26-b1547da116da", "spec_version": "2.0", "objects": [ { 
diff --git a/ics-attack/relationship/relationship--5e099568-fb5c-4f58-af7e-4e1b7a9d1128.json b/ics-attack/relationship/relationship--5e099568-fb5c-4f58-af7e-4e1b7a9d1128.json index 44d7d27359..d04c03b3bf 100644 --- a/ics-attack/relationship/relationship--5e099568-fb5c-4f58-af7e-4e1b7a9d1128.json +++ b/ics-attack/relationship/relationship--5e099568-fb5c-4f58-af7e-4e1b7a9d1128.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--34e439ed-1655-46af-8c47-5e2792639a56", + "id": "bundle--4ef827f8-3571-46cb-8324-47f6ef39bc74", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--5f03ee5d-534c-454c-aae3-b41130b00286.json b/ics-attack/relationship/relationship--5f03ee5d-534c-454c-aae3-b41130b00286.json index 5a58602212..141f9ec526 100644 --- a/ics-attack/relationship/relationship--5f03ee5d-534c-454c-aae3-b41130b00286.json +++ b/ics-attack/relationship/relationship--5f03ee5d-534c-454c-aae3-b41130b00286.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--71cd2bda-36db-4d84-a9cb-5e558da736c0", + "id": "bundle--275cb254-fd60-4b27-a68a-a6175efcde83", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--604a9bf0-81a3-425b-9005-779c4f0f749d.json b/ics-attack/relationship/relationship--604a9bf0-81a3-425b-9005-779c4f0f749d.json index 8146632cf2..d69f853f7a 100644 --- a/ics-attack/relationship/relationship--604a9bf0-81a3-425b-9005-779c4f0f749d.json +++ b/ics-attack/relationship/relationship--604a9bf0-81a3-425b-9005-779c4f0f749d.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--4e406e16-8154-4ce8-be8e-ffd67078d3d1", + "id": "bundle--303adc68-fe84-451e-b2dd-1fc46b19d69c", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--6157408d-1eb3-4445-8d8a-14619458954f.json b/ics-attack/relationship/relationship--6157408d-1eb3-4445-8d8a-14619458954f.json index fd3ebd52cc..2d8be1368d 100644 
--- a/ics-attack/relationship/relationship--6157408d-1eb3-4445-8d8a-14619458954f.json +++ b/ics-attack/relationship/relationship--6157408d-1eb3-4445-8d8a-14619458954f.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--d5b32d6b-7e37-47d5-8bf4-36265eea9144", + "id": "bundle--28ea098a-cbd8-44b6-a709-4362da414723", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--61668e93-6d9d-418d-9fbd-2d88c3a66544.json b/ics-attack/relationship/relationship--61668e93-6d9d-418d-9fbd-2d88c3a66544.json index bd6864e840..aa82754214 100644 --- a/ics-attack/relationship/relationship--61668e93-6d9d-418d-9fbd-2d88c3a66544.json +++ b/ics-attack/relationship/relationship--61668e93-6d9d-418d-9fbd-2d88c3a66544.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--b4c2d2d5-ac2d-4bf9-8b54-3293112938bc", + "id": "bundle--9504a0e6-6fd1-409b-8454-5b12458f8ff8", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--6258c355-677c-452d-b1fc-27767232437b.json b/ics-attack/relationship/relationship--6258c355-677c-452d-b1fc-27767232437b.json index f104343fbe..5c13706f5d 100644 --- a/ics-attack/relationship/relationship--6258c355-677c-452d-b1fc-27767232437b.json +++ b/ics-attack/relationship/relationship--6258c355-677c-452d-b1fc-27767232437b.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--05c542a5-1532-4141-9637-c2ee391783bc", + "id": "bundle--83b9168a-9996-44c1-9e76-13f63b72ea4c", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--62e818b8-38e6-42ff-9424-9a327332eb2a.json b/ics-attack/relationship/relationship--62e818b8-38e6-42ff-9424-9a327332eb2a.json index 86cd48baa6..f6f3d2aa8b 100644 --- a/ics-attack/relationship/relationship--62e818b8-38e6-42ff-9424-9a327332eb2a.json +++ b/ics-attack/relationship/relationship--62e818b8-38e6-42ff-9424-9a327332eb2a.json 
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--54663d55-03a1-43bb-a59e-955781a1d6f1", + "id": "bundle--1af5c022-1467-4c69-85af-5d4d8e8943a9", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--632ca9a0-a9f3-4b27-96e1-9fcb8bab11cb.json b/ics-attack/relationship/relationship--632ca9a0-a9f3-4b27-96e1-9fcb8bab11cb.json index 576d267496..bebc69f3eb 100644 --- a/ics-attack/relationship/relationship--632ca9a0-a9f3-4b27-96e1-9fcb8bab11cb.json +++ b/ics-attack/relationship/relationship--632ca9a0-a9f3-4b27-96e1-9fcb8bab11cb.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--0ae0ea18-76b7-46fb-8583-5c63db996e66", + "id": "bundle--7586eab2-ac70-45be-b572-7f5972e64eb9", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--63323b12-86db-4b91-a701-90daf3f98f7c.json b/ics-attack/relationship/relationship--63323b12-86db-4b91-a701-90daf3f98f7c.json index f476de6d97..7bdb216ad7 100644 --- a/ics-attack/relationship/relationship--63323b12-86db-4b91-a701-90daf3f98f7c.json +++ b/ics-attack/relationship/relationship--63323b12-86db-4b91-a701-90daf3f98f7c.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--b4adcf2d-c9c2-4636-8fd9-8b8679b91049", + "id": "bundle--2cfb1762-ec49-4bfc-9a4b-3aabb2d1ed3b", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--63453d2f-30f6-40ab-b32c-506d940ecd20.json b/ics-attack/relationship/relationship--63453d2f-30f6-40ab-b32c-506d940ecd20.json index 2b9f4e0c1e..5808e00288 100644 --- a/ics-attack/relationship/relationship--63453d2f-30f6-40ab-b32c-506d940ecd20.json +++ b/ics-attack/relationship/relationship--63453d2f-30f6-40ab-b32c-506d940ecd20.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--93f16797-eb9d-4c40-b627-021e808da6b4", + "id": "bundle--e457c7e2-82d9-4f50-9173-338014568f54", "spec_version": "2.0", "objects": [ { 
diff --git a/ics-attack/relationship/relationship--636baf5a-1a1c-476b-bc54-fb27b27b58a2.json b/ics-attack/relationship/relationship--636baf5a-1a1c-476b-bc54-fb27b27b58a2.json index 497d4eeea7..72ebd8a3a9 100644 --- a/ics-attack/relationship/relationship--636baf5a-1a1c-476b-bc54-fb27b27b58a2.json +++ b/ics-attack/relationship/relationship--636baf5a-1a1c-476b-bc54-fb27b27b58a2.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--00c17f08-eddf-445a-8f7d-c652fe01ce6e", + "id": "bundle--ef8cc32b-1af4-4da2-8ccd-ebbe5aeddf40", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--63ca148e-12c9-4090-b51e-a8fb7a847a2a.json b/ics-attack/relationship/relationship--63ca148e-12c9-4090-b51e-a8fb7a847a2a.json index eebe08db5a..36a8937393 100644 --- a/ics-attack/relationship/relationship--63ca148e-12c9-4090-b51e-a8fb7a847a2a.json +++ b/ics-attack/relationship/relationship--63ca148e-12c9-4090-b51e-a8fb7a847a2a.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--1cc0fd97-01dc-4a5b-8f11-c6d392a131c5", + "id": "bundle--f0ab8fc1-31c7-4bf6-bfa1-f2356daf3b9f", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--641813ea-66a9-4949-848f-db83420aac39.json b/ics-attack/relationship/relationship--641813ea-66a9-4949-848f-db83420aac39.json index 4a1768db64..39cf3f8d6c 100644 --- a/ics-attack/relationship/relationship--641813ea-66a9-4949-848f-db83420aac39.json +++ b/ics-attack/relationship/relationship--641813ea-66a9-4949-848f-db83420aac39.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--3a35602d-0f1f-41fc-a3c1-0d3cb8a1a7e4", + "id": "bundle--65720da2-51f0-431d-92be-2b44c31d795c", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--648c6649-5861-4b43-a7e5-a9665bafb576.json b/ics-attack/relationship/relationship--648c6649-5861-4b43-a7e5-a9665bafb576.json index 07ce416e5e..8de0761257 100644 
--- a/ics-attack/relationship/relationship--648c6649-5861-4b43-a7e5-a9665bafb576.json +++ b/ics-attack/relationship/relationship--648c6649-5861-4b43-a7e5-a9665bafb576.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--606a284c-7df7-48ea-a0aa-50c433d8b21a", + "id": "bundle--7e03b70c-e401-4298-b6cd-eabdee0a67c6", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--64db6a39-64d2-4999-97d7-91c28c32f42e.json b/ics-attack/relationship/relationship--64db6a39-64d2-4999-97d7-91c28c32f42e.json index 81aba8d937..f464e9c07b 100644 --- a/ics-attack/relationship/relationship--64db6a39-64d2-4999-97d7-91c28c32f42e.json +++ b/ics-attack/relationship/relationship--64db6a39-64d2-4999-97d7-91c28c32f42e.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--65cbff2b-a350-4a9f-8a8d-7b5ac82d0bf7", + "id": "bundle--a93003aa-2b41-41e9-8d82-9e07c0f6e41f", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--652a68a2-a26b-4e8c-86dd-fd83187ed043.json b/ics-attack/relationship/relationship--652a68a2-a26b-4e8c-86dd-fd83187ed043.json index 102a9d498f..73b24b588f 100644 --- a/ics-attack/relationship/relationship--652a68a2-a26b-4e8c-86dd-fd83187ed043.json +++ b/ics-attack/relationship/relationship--652a68a2-a26b-4e8c-86dd-fd83187ed043.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--9c8c41b9-079f-43d9-8806-979257d8ba7b", + "id": "bundle--d1365656-97f3-4f88-aae8-083abb9f1a70", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--655e2f91-5d43-4c47-b7e0-8248b351f3ba.json b/ics-attack/relationship/relationship--655e2f91-5d43-4c47-b7e0-8248b351f3ba.json index a3d1a64812..ea62338169 100644 --- a/ics-attack/relationship/relationship--655e2f91-5d43-4c47-b7e0-8248b351f3ba.json +++ b/ics-attack/relationship/relationship--655e2f91-5d43-4c47-b7e0-8248b351f3ba.json 
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--9e310ee2-c7fc-4d51-85ec-dde367d59e26", + "id": "bundle--c9722464-422c-42c4-95d1-778462a33115", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--65a45501-10de-46a2-89bf-03bbf17aba33.json b/ics-attack/relationship/relationship--65a45501-10de-46a2-89bf-03bbf17aba33.json index 560c84313f..c4dcc6f820 100644 --- a/ics-attack/relationship/relationship--65a45501-10de-46a2-89bf-03bbf17aba33.json +++ b/ics-attack/relationship/relationship--65a45501-10de-46a2-89bf-03bbf17aba33.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--e853fefa-2b43-4c8f-a285-be68e2f71f28", + "id": "bundle--08e51b2a-79cc-4b90-af94-df49fb943171", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--65adbdda-7069-40ed-9825-b79ec87e4916.json b/ics-attack/relationship/relationship--65adbdda-7069-40ed-9825-b79ec87e4916.json index 8862374e2b..5a0eb33dd1 100644 --- a/ics-attack/relationship/relationship--65adbdda-7069-40ed-9825-b79ec87e4916.json +++ b/ics-attack/relationship/relationship--65adbdda-7069-40ed-9825-b79ec87e4916.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--178ef5b6-4266-4064-9062-6380035f6a16", + "id": "bundle--93a7147c-a773-4e83-8d86-c9890bdc90cc", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--6603a100-d655-4e6b-8d38-73c11b89dde4.json b/ics-attack/relationship/relationship--6603a100-d655-4e6b-8d38-73c11b89dde4.json index bb6eddf64d..7ca70a581b 100644 --- a/ics-attack/relationship/relationship--6603a100-d655-4e6b-8d38-73c11b89dde4.json +++ b/ics-attack/relationship/relationship--6603a100-d655-4e6b-8d38-73c11b89dde4.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--dc0bf920-fe87-442a-a59d-d14b0795e3ea", + "id": "bundle--61063510-651a-4b8b-984b-73d019621b3e", "spec_version": "2.0", "objects": [ { 
diff --git a/ics-attack/relationship/relationship--6637d8e6-6578-4d15-a993-d63ced4c4464.json b/ics-attack/relationship/relationship--6637d8e6-6578-4d15-a993-d63ced4c4464.json index 02aee02e03..52b6760d36 100644 --- a/ics-attack/relationship/relationship--6637d8e6-6578-4d15-a993-d63ced4c4464.json +++ b/ics-attack/relationship/relationship--6637d8e6-6578-4d15-a993-d63ced4c4464.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--f540e593-ac11-47c0-b343-ffcc04703389", + "id": "bundle--e75e7356-6da0-48fc-940a-52ff824b4dfd", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--6681bc38-0b55-4714-b690-c609956b40bf.json b/ics-attack/relationship/relationship--6681bc38-0b55-4714-b690-c609956b40bf.json index ad2667f180..eb2329c835 100644 --- a/ics-attack/relationship/relationship--6681bc38-0b55-4714-b690-c609956b40bf.json +++ b/ics-attack/relationship/relationship--6681bc38-0b55-4714-b690-c609956b40bf.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--1be3b097-6460-4cd6-aa13-bbdf8ec6bb9c", + "id": "bundle--373167e8-6ac0-4105-82c7-5ed809e6b3db", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--66af47d7-c430-4ac9-8020-fd79b7059037.json b/ics-attack/relationship/relationship--66af47d7-c430-4ac9-8020-fd79b7059037.json index b03d874634..283dc1fd27 100644 --- a/ics-attack/relationship/relationship--66af47d7-c430-4ac9-8020-fd79b7059037.json +++ b/ics-attack/relationship/relationship--66af47d7-c430-4ac9-8020-fd79b7059037.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--460fffe7-e5a7-43d4-bc6d-f66cb91b3812", + "id": "bundle--9e27ef21-add2-4925-9f24-a8c7b3a1cf52", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--66d637a0-4874-4b12-bd3a-b408acb06d26.json b/ics-attack/relationship/relationship--66d637a0-4874-4b12-bd3a-b408acb06d26.json index bd202b2cb9..d7a9dfbb56 100644 
--- a/ics-attack/relationship/relationship--66d637a0-4874-4b12-bd3a-b408acb06d26.json +++ b/ics-attack/relationship/relationship--66d637a0-4874-4b12-bd3a-b408acb06d26.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--34f60e62-a04e-42b5-8edc-9d04fd6e45a9", + "id": "bundle--484f28e4-fe74-4749-9258-c6d459ce188a", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--66f79019-d52c-46a6-b605-c2335d1d3d20.json b/ics-attack/relationship/relationship--66f79019-d52c-46a6-b605-c2335d1d3d20.json index b4341bf600..1bdb37d903 100644 --- a/ics-attack/relationship/relationship--66f79019-d52c-46a6-b605-c2335d1d3d20.json +++ b/ics-attack/relationship/relationship--66f79019-d52c-46a6-b605-c2335d1d3d20.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--79ae37a0-81b0-40cd-98d7-c1aacb28e9a8", + "id": "bundle--2d741eb9-743f-4353-80fa-882e99e7489b", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--671043a9-337f-411a-9ca9-3112e897ab09.json b/ics-attack/relationship/relationship--671043a9-337f-411a-9ca9-3112e897ab09.json index 08cced6439..fc8b79edef 100644 --- a/ics-attack/relationship/relationship--671043a9-337f-411a-9ca9-3112e897ab09.json +++ b/ics-attack/relationship/relationship--671043a9-337f-411a-9ca9-3112e897ab09.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--a16b7c8f-e789-4b55-898c-4f1f985c90a7", + "id": "bundle--7aa3dc6b-0ed0-4bdd-97ac-c44b4185aa8e", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--679d216f-9bf7-428a-8d5b-72a84d6d45ab.json b/ics-attack/relationship/relationship--679d216f-9bf7-428a-8d5b-72a84d6d45ab.json index ca928ce744..6b353dde6a 100644 --- a/ics-attack/relationship/relationship--679d216f-9bf7-428a-8d5b-72a84d6d45ab.json +++ b/ics-attack/relationship/relationship--679d216f-9bf7-428a-8d5b-72a84d6d45ab.json 
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--5d302d74-3085-4e4a-a6e3-9ab3c6d0e61c", + "id": "bundle--1598d534-6fe5-4e52-bac6-1c91816b8222", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--679e7b8d-57d7-4c1d-8f42-1496606ea666.json b/ics-attack/relationship/relationship--679e7b8d-57d7-4c1d-8f42-1496606ea666.json index d16a306ad8..d4e7deb128 100644 --- a/ics-attack/relationship/relationship--679e7b8d-57d7-4c1d-8f42-1496606ea666.json +++ b/ics-attack/relationship/relationship--679e7b8d-57d7-4c1d-8f42-1496606ea666.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--ad4e9fee-974b-4b35-8d78-ed60bedd127b", + "id": "bundle--6dbbf303-49fc-400f-bb26-de1ed7e3142c", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--6833d534-9cbb-4b9f-85b6-93d3d2d6faca.json b/ics-attack/relationship/relationship--6833d534-9cbb-4b9f-85b6-93d3d2d6faca.json index 724783513d..b8cd0c0746 100644 --- a/ics-attack/relationship/relationship--6833d534-9cbb-4b9f-85b6-93d3d2d6faca.json +++ b/ics-attack/relationship/relationship--6833d534-9cbb-4b9f-85b6-93d3d2d6faca.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--751cfb1e-ac1f-48be-aa24-9ac60e79e02f", + "id": "bundle--1446873b-88ac-4750-9861-d04c3ea5d87d", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--686cbd74-ef49-4e77-9599-21777d3a4738.json b/ics-attack/relationship/relationship--686cbd74-ef49-4e77-9599-21777d3a4738.json index 27d5424807..e84000f654 100644 --- a/ics-attack/relationship/relationship--686cbd74-ef49-4e77-9599-21777d3a4738.json +++ b/ics-attack/relationship/relationship--686cbd74-ef49-4e77-9599-21777d3a4738.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--8380e830-6688-4d2f-bf1d-dbc1bc447fa6", + "id": "bundle--27af1aee-3e15-4169-bc56-f86dd5c1eebb", "spec_version": "2.0", "objects": [ { 
diff --git a/ics-attack/relationship/relationship--6895e54e-3968-41a9-9013-a082cd46fa44.json b/ics-attack/relationship/relationship--6895e54e-3968-41a9-9013-a082cd46fa44.json index 24980de8d3..366c695106 100644 --- a/ics-attack/relationship/relationship--6895e54e-3968-41a9-9013-a082cd46fa44.json +++ b/ics-attack/relationship/relationship--6895e54e-3968-41a9-9013-a082cd46fa44.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--cec7d662-1d35-46d4-8d5b-b0ebd8c83d35", + "id": "bundle--368d9a18-6e18-4ed8-9ef2-ec0c9d8c17c1", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--68d30c45-766f-48b6-9405-0c969243332b.json b/ics-attack/relationship/relationship--68d30c45-766f-48b6-9405-0c969243332b.json index 4502cacf9b..78dc9a5047 100644 --- a/ics-attack/relationship/relationship--68d30c45-766f-48b6-9405-0c969243332b.json +++ b/ics-attack/relationship/relationship--68d30c45-766f-48b6-9405-0c969243332b.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--9ed3bb0d-5eb0-4499-a8e1-ed0eb7124673", + "id": "bundle--e12cb96f-2a6e-4d4c-bc25-0c5521de52ea", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--6902da63-3b59-46f3-99e0-6008dd47ab70.json b/ics-attack/relationship/relationship--6902da63-3b59-46f3-99e0-6008dd47ab70.json index 8814462f18..12569dc149 100644 --- a/ics-attack/relationship/relationship--6902da63-3b59-46f3-99e0-6008dd47ab70.json +++ b/ics-attack/relationship/relationship--6902da63-3b59-46f3-99e0-6008dd47ab70.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--977fb713-b4ee-448e-bcf1-654ed06edf56", + "id": "bundle--9a188894-a2e8-4d56-87b5-03d1de5d1df5", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--69146c10-d3d0-4f69-8164-9c21a1a4e10b.json b/ics-attack/relationship/relationship--69146c10-d3d0-4f69-8164-9c21a1a4e10b.json index 6f3028373a..8ce67fc3e0 100644 
--- a/ics-attack/relationship/relationship--69146c10-d3d0-4f69-8164-9c21a1a4e10b.json +++ b/ics-attack/relationship/relationship--69146c10-d3d0-4f69-8164-9c21a1a4e10b.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--9868669a-87c4-4254-8d89-8bd3d5c87c9d", + "id": "bundle--9b7cf1e6-00e1-42d7-9814-c7eb1731d7c9", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--692324b4-064a-430c-8ffc-7f7acd537778.json b/ics-attack/relationship/relationship--692324b4-064a-430c-8ffc-7f7acd537778.json index 4959a139cf..f774589c6a 100644 --- a/ics-attack/relationship/relationship--692324b4-064a-430c-8ffc-7f7acd537778.json +++ b/ics-attack/relationship/relationship--692324b4-064a-430c-8ffc-7f7acd537778.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--064f9c19-a7e9-41e8-bd39-7dcb768eca27", + "id": "bundle--bc297427-a1e9-4ebf-a0c0-473b7254e1ad", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--69576d3c-d0e8-459e-9f2e-0b9c560b2e04.json b/ics-attack/relationship/relationship--69576d3c-d0e8-459e-9f2e-0b9c560b2e04.json index 6fd71aa606..7300da31d3 100644 --- a/ics-attack/relationship/relationship--69576d3c-d0e8-459e-9f2e-0b9c560b2e04.json +++ b/ics-attack/relationship/relationship--69576d3c-d0e8-459e-9f2e-0b9c560b2e04.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--5198ac08-7359-4fa0-8227-e0352c00782a", + "id": "bundle--d3ee29ea-2c03-43c4-90fd-2e2c7e86387c", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--698d7c50-daab-4087-a7b4-b2bc8dfd81a7.json b/ics-attack/relationship/relationship--698d7c50-daab-4087-a7b4-b2bc8dfd81a7.json index 6b3bbc1934..ff5d5cadb1 100644 --- a/ics-attack/relationship/relationship--698d7c50-daab-4087-a7b4-b2bc8dfd81a7.json +++ b/ics-attack/relationship/relationship--698d7c50-daab-4087-a7b4-b2bc8dfd81a7.json 
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--487bdc1c-1c77-48bf-95c3-ffea76cff179", + "id": "bundle--35503375-921c-4ffd-a9e5-cbeedf47022d", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--6aa080d0-6e25-46e5-91d8-4af11f01ceef.json b/ics-attack/relationship/relationship--6aa080d0-6e25-46e5-91d8-4af11f01ceef.json index 748d1426af..d4c1ee1d10 100644 --- a/ics-attack/relationship/relationship--6aa080d0-6e25-46e5-91d8-4af11f01ceef.json +++ b/ics-attack/relationship/relationship--6aa080d0-6e25-46e5-91d8-4af11f01ceef.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--7e28f844-6648-4f18-8a82-ad52bf110ddf", + "id": "bundle--ac845592-d494-4465-ae1e-f12cede4d008", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--6ad39b3a-a962-457f-852c-be7fc615e22f.json b/ics-attack/relationship/relationship--6ad39b3a-a962-457f-852c-be7fc615e22f.json index 14c1fdefae..e13695f78b 100644 --- a/ics-attack/relationship/relationship--6ad39b3a-a962-457f-852c-be7fc615e22f.json +++ b/ics-attack/relationship/relationship--6ad39b3a-a962-457f-852c-be7fc615e22f.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--2d188b60-f876-42f9-89f6-0dc1d07817bb", + "id": "bundle--e66d550d-dd9c-4583-8c1d-8a807fdc0f44", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--6b5d2643-b399-43aa-8ab1-7557a0446b07.json b/ics-attack/relationship/relationship--6b5d2643-b399-43aa-8ab1-7557a0446b07.json index 8eb18d62cb..f82bb55315 100644 --- a/ics-attack/relationship/relationship--6b5d2643-b399-43aa-8ab1-7557a0446b07.json +++ b/ics-attack/relationship/relationship--6b5d2643-b399-43aa-8ab1-7557a0446b07.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--2031a496-5a65-4ecc-a4a9-9c27b7f1ce5c", + "id": "bundle--e04eef03-a6b6-4e77-ad3c-d0cdc6824db7", "spec_version": "2.0", "objects": [ { 
diff --git a/ics-attack/relationship/relationship--6b5fd6d8-ef70-4896-b1a4-7b6c29c3a0d4.json b/ics-attack/relationship/relationship--6b5fd6d8-ef70-4896-b1a4-7b6c29c3a0d4.json index fe49d487bf..93fb10d388 100644 --- a/ics-attack/relationship/relationship--6b5fd6d8-ef70-4896-b1a4-7b6c29c3a0d4.json +++ b/ics-attack/relationship/relationship--6b5fd6d8-ef70-4896-b1a4-7b6c29c3a0d4.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--e0e44e2e-129b-46d9-9009-572cb997bd87", + "id": "bundle--10dc6611-df72-464f-b58d-c5b7b8b60817", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--6b987f2a-3d07-4791-9c1c-e4f6818521e8.json b/ics-attack/relationship/relationship--6b987f2a-3d07-4791-9c1c-e4f6818521e8.json index 9434d3c9c1..07da599276 100644 --- a/ics-attack/relationship/relationship--6b987f2a-3d07-4791-9c1c-e4f6818521e8.json +++ b/ics-attack/relationship/relationship--6b987f2a-3d07-4791-9c1c-e4f6818521e8.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--9248c483-b828-48dc-8b55-8e4ee3cfffaf", + "id": "bundle--f4df8523-0187-4cde-8ab6-5c03c3a5a2d8", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--6baa9172-04e4-416d-a009-668cda23fd5d.json b/ics-attack/relationship/relationship--6baa9172-04e4-416d-a009-668cda23fd5d.json index 025f7ca5b4..a95aba1ceb 100644 --- a/ics-attack/relationship/relationship--6baa9172-04e4-416d-a009-668cda23fd5d.json +++ b/ics-attack/relationship/relationship--6baa9172-04e4-416d-a009-668cda23fd5d.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--8b06d72b-d050-45c1-a6c5-c2b969ec2ed1", + "id": "bundle--ae8c9b03-6aae-4274-80e8-a22ad025896d", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--6be102a8-5d9c-494e-a8ce-7b0a1c86a863.json b/ics-attack/relationship/relationship--6be102a8-5d9c-494e-a8ce-7b0a1c86a863.json index 2391b3f1fa..54bb4a66ee 100644 
--- a/ics-attack/relationship/relationship--6be102a8-5d9c-494e-a8ce-7b0a1c86a863.json +++ b/ics-attack/relationship/relationship--6be102a8-5d9c-494e-a8ce-7b0a1c86a863.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--6194bf9d-9db7-4f72-9339-5121840cb4f8", + "id": "bundle--03a9fca4-16f6-44b9-8a9b-826bc61f2d68", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--6be3917c-aad7-4a3f-bea2-23e4ba4310ee.json b/ics-attack/relationship/relationship--6be3917c-aad7-4a3f-bea2-23e4ba4310ee.json index 86a1bf1a9a..d91a545f08 100644 --- a/ics-attack/relationship/relationship--6be3917c-aad7-4a3f-bea2-23e4ba4310ee.json +++ b/ics-attack/relationship/relationship--6be3917c-aad7-4a3f-bea2-23e4ba4310ee.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--cc114c31-dc63-491b-9ab7-cbc754c0de4e", + "id": "bundle--4b840c15-80be-48ce-9a57-a28ebd201bdf", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--6be4cef2-3d54-4cd8-97df-8a8b37c03605.json b/ics-attack/relationship/relationship--6be4cef2-3d54-4cd8-97df-8a8b37c03605.json index f230214523..ba74ef98ae 100644 --- a/ics-attack/relationship/relationship--6be4cef2-3d54-4cd8-97df-8a8b37c03605.json +++ b/ics-attack/relationship/relationship--6be4cef2-3d54-4cd8-97df-8a8b37c03605.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--8485b40d-a85f-4f1b-b407-8b4f5b49870e", + "id": "bundle--ab864642-1815-440a-9a8b-82d6870dbcb3", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--6bf14e79-3287-4b9e-b222-9d527530df1e.json b/ics-attack/relationship/relationship--6bf14e79-3287-4b9e-b222-9d527530df1e.json index 997902e03b..1aa367a998 100644 --- a/ics-attack/relationship/relationship--6bf14e79-3287-4b9e-b222-9d527530df1e.json +++ b/ics-attack/relationship/relationship--6bf14e79-3287-4b9e-b222-9d527530df1e.json 
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--925c9ce9-4b9a-4587-9479-dc3030c6af15", + "id": "bundle--07a7c85d-bcdf-45fd-8a9b-fc77b23c8b38", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--6c15ec9f-2b48-419c-adc1-f989833f6187.json b/ics-attack/relationship/relationship--6c15ec9f-2b48-419c-adc1-f989833f6187.json index b0d1ecafd8..49b595a7d1 100644 --- a/ics-attack/relationship/relationship--6c15ec9f-2b48-419c-adc1-f989833f6187.json +++ b/ics-attack/relationship/relationship--6c15ec9f-2b48-419c-adc1-f989833f6187.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--c3f9288e-cbc4-44bb-965a-7eb9c7f461ce", + "id": "bundle--ae75ed8c-44d9-40e0-914f-7617ea410dc3", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--6d1906b4-e815-4688-86f1-ce61d403f8c6.json b/ics-attack/relationship/relationship--6d1906b4-e815-4688-86f1-ce61d403f8c6.json index b029aaed83..a0b1d7e516 100644 --- a/ics-attack/relationship/relationship--6d1906b4-e815-4688-86f1-ce61d403f8c6.json +++ b/ics-attack/relationship/relationship--6d1906b4-e815-4688-86f1-ce61d403f8c6.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--8a4ef1cc-5dc9-45cb-891b-08f1b5adf0ff", + "id": "bundle--f578eb40-1fb5-406e-9054-7d018f0d8fbe", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--6d822f86-5793-403a-b176-5d533f6b81b3.json b/ics-attack/relationship/relationship--6d822f86-5793-403a-b176-5d533f6b81b3.json index 9adf35e69c..06d9f4d849 100644 --- a/ics-attack/relationship/relationship--6d822f86-5793-403a-b176-5d533f6b81b3.json +++ b/ics-attack/relationship/relationship--6d822f86-5793-403a-b176-5d533f6b81b3.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--4b663db4-21a9-4fd7-a70b-f70cbc1aea92", + "id": "bundle--2f17664c-0dd1-47aa-a2fe-5adbb9ce43cd", "spec_version": "2.0", "objects": [ { 
diff --git a/ics-attack/relationship/relationship--6e3c2c04-0838-4863-80a7-d73ef5ac6a64.json b/ics-attack/relationship/relationship--6e3c2c04-0838-4863-80a7-d73ef5ac6a64.json index 8a6a73d940..dc9dd12d49 100644 --- a/ics-attack/relationship/relationship--6e3c2c04-0838-4863-80a7-d73ef5ac6a64.json +++ b/ics-attack/relationship/relationship--6e3c2c04-0838-4863-80a7-d73ef5ac6a64.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--0630f4ea-62ff-4fd3-add0-2fe39b93183a", + "id": "bundle--044a0c49-1ae4-4814-867f-f2f0896dcd36", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--6eaf727c-fec3-4e63-8852-eee27c44d596.json b/ics-attack/relationship/relationship--6eaf727c-fec3-4e63-8852-eee27c44d596.json index 7bc19d83ad..353069874b 100644 --- a/ics-attack/relationship/relationship--6eaf727c-fec3-4e63-8852-eee27c44d596.json +++ b/ics-attack/relationship/relationship--6eaf727c-fec3-4e63-8852-eee27c44d596.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--488a0661-ba4a-45c1-aa98-bc4d262b42c0", + "id": "bundle--df153c84-f957-42a7-bfe6-122d53361446", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--6ed07095-c23a-4676-807f-a544deaeb274.json b/ics-attack/relationship/relationship--6ed07095-c23a-4676-807f-a544deaeb274.json index d2356c3985..27105cbf23 100644 --- a/ics-attack/relationship/relationship--6ed07095-c23a-4676-807f-a544deaeb274.json +++ b/ics-attack/relationship/relationship--6ed07095-c23a-4676-807f-a544deaeb274.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--27af8fa8-fe8f-4eee-8979-24f2764b4e1c", + "id": "bundle--eeb5cab6-3ce6-407d-8263-3b1dfdd7f49e", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--6f0384e6-73c8-4fc7-bc0c-0a8c2bfa473d.json b/ics-attack/relationship/relationship--6f0384e6-73c8-4fc7-bc0c-0a8c2bfa473d.json index 7561cf6722..faf476fd10 100644 
--- a/ics-attack/relationship/relationship--6f0384e6-73c8-4fc7-bc0c-0a8c2bfa473d.json +++ b/ics-attack/relationship/relationship--6f0384e6-73c8-4fc7-bc0c-0a8c2bfa473d.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--3d925329-6450-4c8d-b378-0c59ae3a54e2", + "id": "bundle--b1b66d2b-4586-47a2-b311-f1e8a3aa81ee", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--6f2c2043-6487-467a-bb49-e8cd2509ae9f.json b/ics-attack/relationship/relationship--6f2c2043-6487-467a-bb49-e8cd2509ae9f.json index 67cface003..396db40509 100644 --- a/ics-attack/relationship/relationship--6f2c2043-6487-467a-bb49-e8cd2509ae9f.json +++ b/ics-attack/relationship/relationship--6f2c2043-6487-467a-bb49-e8cd2509ae9f.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--b372f41b-55b2-475f-ae60-2c33d25b06a2", + "id": "bundle--eba6a337-1b70-44a4-85bc-03b9e34ffce3", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--6fa3aee4-2a29-4c0f-9e61-1f7df5eccc00.json b/ics-attack/relationship/relationship--6fa3aee4-2a29-4c0f-9e61-1f7df5eccc00.json index fe93580154..615cfe0f04 100644 --- a/ics-attack/relationship/relationship--6fa3aee4-2a29-4c0f-9e61-1f7df5eccc00.json +++ b/ics-attack/relationship/relationship--6fa3aee4-2a29-4c0f-9e61-1f7df5eccc00.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--515dd3cb-70bb-4df6-8938-addcd3e3990d", + "id": "bundle--96b48574-ca91-4935-b916-67d314a7ee3c", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--70113c21-85f2-4232-8755-233f93864277.json b/ics-attack/relationship/relationship--70113c21-85f2-4232-8755-233f93864277.json index 00712a2fac..efc5a3016e 100644 --- a/ics-attack/relationship/relationship--70113c21-85f2-4232-8755-233f93864277.json +++ b/ics-attack/relationship/relationship--70113c21-85f2-4232-8755-233f93864277.json 
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--1ae7d84c-0c65-4165-bc11-56dbfcc27ab5", + "id": "bundle--752708f4-440c-4655-81a0-ee1829d393f6", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--7041d8e5-3b74-402a-86b3-fd59def80632.json b/ics-attack/relationship/relationship--7041d8e5-3b74-402a-86b3-fd59def80632.json index 5660c83166..89ad6ee2a1 100644 --- a/ics-attack/relationship/relationship--7041d8e5-3b74-402a-86b3-fd59def80632.json +++ b/ics-attack/relationship/relationship--7041d8e5-3b74-402a-86b3-fd59def80632.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--4c00b847-cbc4-4888-b1e9-ca95194892fb", + "id": "bundle--044e0731-17bb-4fc4-a00a-e993d91a755a", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--709c4e40-c5c6-405b-bc3d-0adfea40ccd4.json b/ics-attack/relationship/relationship--709c4e40-c5c6-405b-bc3d-0adfea40ccd4.json index 9a0fa958da..2513930264 100644 --- a/ics-attack/relationship/relationship--709c4e40-c5c6-405b-bc3d-0adfea40ccd4.json +++ b/ics-attack/relationship/relationship--709c4e40-c5c6-405b-bc3d-0adfea40ccd4.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--9bf31ada-3164-4a76-ad8f-06b5459fa001", + "id": "bundle--317879c1-300a-407c-a50f-ef2819afff57", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--70a9010c-6943-4274-b854-50901c3e5a0e.json b/ics-attack/relationship/relationship--70a9010c-6943-4274-b854-50901c3e5a0e.json index 66de3299d2..6fc6fae196 100644 --- a/ics-attack/relationship/relationship--70a9010c-6943-4274-b854-50901c3e5a0e.json +++ b/ics-attack/relationship/relationship--70a9010c-6943-4274-b854-50901c3e5a0e.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--9cd79c74-0df6-4e0a-a5c5-1b57b5239afc", + "id": "bundle--c0c728f2-4af9-45de-bd2a-0d1ddd28cc83", "spec_version": "2.0", "objects": [ { 
diff --git a/ics-attack/relationship/relationship--711f17c2-c9f6-4d8d-bf79-117fcdc592c0.json b/ics-attack/relationship/relationship--711f17c2-c9f6-4d8d-bf79-117fcdc592c0.json index 0f83f20c59..48ca12fbdb 100644 --- a/ics-attack/relationship/relationship--711f17c2-c9f6-4d8d-bf79-117fcdc592c0.json +++ b/ics-attack/relationship/relationship--711f17c2-c9f6-4d8d-bf79-117fcdc592c0.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--22295719-7625-4fff-9ee3-595b4092811a", + "id": "bundle--d2545d11-cda6-4f64-8f03-e409572d73d8", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--71422483-33e4-4131-a4ec-40322d91d8a0.json b/ics-attack/relationship/relationship--71422483-33e4-4131-a4ec-40322d91d8a0.json index e0550576d6..9a6fd2b0b6 100644 --- a/ics-attack/relationship/relationship--71422483-33e4-4131-a4ec-40322d91d8a0.json +++ b/ics-attack/relationship/relationship--71422483-33e4-4131-a4ec-40322d91d8a0.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--feda1256-55df-461f-9d30-5183bf8b2228", + "id": "bundle--d27c6e6b-370b-43bc-9f29-e127229f84e4", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--71c81024-ea36-4853-940a-cd9d4cbcabed.json b/ics-attack/relationship/relationship--71c81024-ea36-4853-940a-cd9d4cbcabed.json index bbcbc8fe9d..e86845ab5f 100644 --- a/ics-attack/relationship/relationship--71c81024-ea36-4853-940a-cd9d4cbcabed.json +++ b/ics-attack/relationship/relationship--71c81024-ea36-4853-940a-cd9d4cbcabed.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--0f2aaae5-d172-4637-a620-dfdbf95adea5", + "id": "bundle--320060c2-8ee8-4e25-907f-8ab28b1f9ac8", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--71c9db9c-6f0c-4e33-a20a-dcd5b791a49a.json b/ics-attack/relationship/relationship--71c9db9c-6f0c-4e33-a20a-dcd5b791a49a.json index 91b130b3e7..dad32b7250 100644 
--- a/ics-attack/relationship/relationship--71c9db9c-6f0c-4e33-a20a-dcd5b791a49a.json +++ b/ics-attack/relationship/relationship--71c9db9c-6f0c-4e33-a20a-dcd5b791a49a.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--7bc89d73-6177-4810-8e9a-fbc59961123f", + "id": "bundle--68fe7048-9c00-4879-bd60-ede19f57aca7", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--71e9230d-eec8-4ce1-bc96-9288bacc8b13.json b/ics-attack/relationship/relationship--71e9230d-eec8-4ce1-bc96-9288bacc8b13.json index 398b0ff83e..43b683b1b5 100644 --- a/ics-attack/relationship/relationship--71e9230d-eec8-4ce1-bc96-9288bacc8b13.json +++ b/ics-attack/relationship/relationship--71e9230d-eec8-4ce1-bc96-9288bacc8b13.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--d22aa3fb-77ca-4b2b-b8fd-8e7d8e198556", + "id": "bundle--5d027422-0895-4f4d-9377-e808c4062254", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--7258c355-677c-452d-b1fc-27767232437b.json b/ics-attack/relationship/relationship--7258c355-677c-452d-b1fc-27767232437b.json index c3fed633d8..947a4c2223 100644 --- a/ics-attack/relationship/relationship--7258c355-677c-452d-b1fc-27767232437b.json +++ b/ics-attack/relationship/relationship--7258c355-677c-452d-b1fc-27767232437b.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--23de347e-91b8-4521-bd01-9c8208dd91ef", + "id": "bundle--bfb625ab-d339-4ca7-acec-a2b1ef152e75", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--72bfda0b-31e9-4958-8d40-6efe816d9989.json b/ics-attack/relationship/relationship--72bfda0b-31e9-4958-8d40-6efe816d9989.json index a9a9beab32..3372510ac7 100644 --- a/ics-attack/relationship/relationship--72bfda0b-31e9-4958-8d40-6efe816d9989.json +++ b/ics-attack/relationship/relationship--72bfda0b-31e9-4958-8d40-6efe816d9989.json 
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--6e7c6a45-9cde-4437-a26e-7f30b4b07920", + "id": "bundle--9acdc7d9-80ae-421a-b165-40bf56bf039d", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--739e7b8d-57d7-4c1d-8f42-1496606ea666.json b/ics-attack/relationship/relationship--739e7b8d-57d7-4c1d-8f42-1496606ea666.json index 4a883b19e5..82ad35fd33 100644 --- a/ics-attack/relationship/relationship--739e7b8d-57d7-4c1d-8f42-1496606ea666.json +++ b/ics-attack/relationship/relationship--739e7b8d-57d7-4c1d-8f42-1496606ea666.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--cdcf06c7-dc88-4519-824d-102dc5ce1b53", + "id": "bundle--7fae68fa-a44f-4a30-9db9-9b473ca7f2f5", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--73a48431-3597-4a72-acb8-c1e5019073e2.json b/ics-attack/relationship/relationship--73a48431-3597-4a72-acb8-c1e5019073e2.json index e26048879c..f40820efc6 100644 --- a/ics-attack/relationship/relationship--73a48431-3597-4a72-acb8-c1e5019073e2.json +++ b/ics-attack/relationship/relationship--73a48431-3597-4a72-acb8-c1e5019073e2.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--1843a036-a381-4b95-bb45-222dd7ecf60e", + "id": "bundle--8fdc22ca-f6d7-4541-8874-a8e10a8b51e8", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--7411b05d-209a-4907-83ce-00ab1538fbac.json b/ics-attack/relationship/relationship--7411b05d-209a-4907-83ce-00ab1538fbac.json index d2cc94c9d3..4476427319 100644 --- a/ics-attack/relationship/relationship--7411b05d-209a-4907-83ce-00ab1538fbac.json +++ b/ics-attack/relationship/relationship--7411b05d-209a-4907-83ce-00ab1538fbac.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--9c53b10d-73a6-48b8-89bc-8ad5e642a626", + "id": "bundle--3aec72c8-72ab-46ff-b10d-030bad355f30", "spec_version": "2.0", "objects": [ { 
diff --git a/ics-attack/relationship/relationship--74b66248-2cb6-46ea-b52c-c7d60c170f3f.json b/ics-attack/relationship/relationship--74b66248-2cb6-46ea-b52c-c7d60c170f3f.json index b5b5bc123f..b6778ab653 100644 --- a/ics-attack/relationship/relationship--74b66248-2cb6-46ea-b52c-c7d60c170f3f.json +++ b/ics-attack/relationship/relationship--74b66248-2cb6-46ea-b52c-c7d60c170f3f.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--d6cab4e4-6238-4257-9028-933909de74e0", + "id": "bundle--b2397a7c-b457-4c76-9938-5edfa3226e5e", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--74ec9ce5-3155-488c-ae56-570c47a1d207.json b/ics-attack/relationship/relationship--74ec9ce5-3155-488c-ae56-570c47a1d207.json index b821e602e5..0fb173f6f2 100644 --- a/ics-attack/relationship/relationship--74ec9ce5-3155-488c-ae56-570c47a1d207.json +++ b/ics-attack/relationship/relationship--74ec9ce5-3155-488c-ae56-570c47a1d207.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--2de61b73-cc53-43b3-98ad-89a59a34eae7", + "id": "bundle--e6ed388f-b772-443a-9309-56ba2a7e40b3", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--75366cbf-e45f-4cfd-9e76-5af4dfe10766.json b/ics-attack/relationship/relationship--75366cbf-e45f-4cfd-9e76-5af4dfe10766.json index 4ce66a2fa3..c14ba3234c 100644 --- a/ics-attack/relationship/relationship--75366cbf-e45f-4cfd-9e76-5af4dfe10766.json +++ b/ics-attack/relationship/relationship--75366cbf-e45f-4cfd-9e76-5af4dfe10766.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--55aaefb5-8ef3-4350-aa5a-426b8403b1c9", + "id": "bundle--372aeb29-3dfb-4b83-9f95-ccd4663f5357", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--754521fc-4306-4daa-831b-6b6fb45847e2.json b/ics-attack/relationship/relationship--754521fc-4306-4daa-831b-6b6fb45847e2.json index bf2f253627..69c111f1c4 100644 
--- a/ics-attack/relationship/relationship--754521fc-4306-4daa-831b-6b6fb45847e2.json +++ b/ics-attack/relationship/relationship--754521fc-4306-4daa-831b-6b6fb45847e2.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--dea478e1-bd1d-4118-a283-45c3891fb792", + "id": "bundle--a63808c0-c701-4ed2-a09a-c476cd11bc2e", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--758d5818-f919-4a6b-9dc2-a212595a11bd.json b/ics-attack/relationship/relationship--758d5818-f919-4a6b-9dc2-a212595a11bd.json index a986a2cc0c..9e19b343e8 100644 --- a/ics-attack/relationship/relationship--758d5818-f919-4a6b-9dc2-a212595a11bd.json +++ b/ics-attack/relationship/relationship--758d5818-f919-4a6b-9dc2-a212595a11bd.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--e04d0eaa-4824-49ae-b7b2-21dc02a3e9b2", + "id": "bundle--ef890421-653c-4365-bae4-9654e2998f74", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--75a60046-c4d7-498a-b256-9a93b5992dcc.json b/ics-attack/relationship/relationship--75a60046-c4d7-498a-b256-9a93b5992dcc.json index 96f70b0a5d..f07cb2bb57 100644 --- a/ics-attack/relationship/relationship--75a60046-c4d7-498a-b256-9a93b5992dcc.json +++ b/ics-attack/relationship/relationship--75a60046-c4d7-498a-b256-9a93b5992dcc.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--93d303cb-877c-4a4c-bafd-5dd64ec8394a", + "id": "bundle--79975a69-5419-4e0d-90aa-3cc85816f2e7", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--76654cf3-5cfe-4bf4-b134-806fd75b1ddb.json b/ics-attack/relationship/relationship--76654cf3-5cfe-4bf4-b134-806fd75b1ddb.json index e9321bcfd9..b43b2d451e 100644 --- a/ics-attack/relationship/relationship--76654cf3-5cfe-4bf4-b134-806fd75b1ddb.json +++ b/ics-attack/relationship/relationship--76654cf3-5cfe-4bf4-b134-806fd75b1ddb.json 
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--1cec509f-5fd0-4f6b-b90a-e8877fa44e5b", + "id": "bundle--c03eb144-3518-4427-82e3-6eb5133ea0ad", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--76b8bbce-1c65-4337-a4d7-320c594dc29e.json b/ics-attack/relationship/relationship--76b8bbce-1c65-4337-a4d7-320c594dc29e.json index 22ab9aa3f6..de7e7cdfcd 100644 --- a/ics-attack/relationship/relationship--76b8bbce-1c65-4337-a4d7-320c594dc29e.json +++ b/ics-attack/relationship/relationship--76b8bbce-1c65-4337-a4d7-320c594dc29e.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--1b5be386-16ee-4b76-8ec3-ba9c630a42f8", + "id": "bundle--49315f7e-b7e2-4251-a955-f5a6691b5d6d", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--77821dbb-367e-455f-bcae-b87412e88f1b.json b/ics-attack/relationship/relationship--77821dbb-367e-455f-bcae-b87412e88f1b.json index bd380e3c60..9e3caeb95e 100644 --- a/ics-attack/relationship/relationship--77821dbb-367e-455f-bcae-b87412e88f1b.json +++ b/ics-attack/relationship/relationship--77821dbb-367e-455f-bcae-b87412e88f1b.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--8dfaa7c5-801b-4bf2-b891-8deb67803d9e", + "id": "bundle--d06de753-447c-4bb0-a524-1b8ecf45b3aa", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--78972893-5d8c-480f-a05d-481adc0c8bb0.json b/ics-attack/relationship/relationship--78972893-5d8c-480f-a05d-481adc0c8bb0.json index d439ce4440..8ed913db5d 100644 --- a/ics-attack/relationship/relationship--78972893-5d8c-480f-a05d-481adc0c8bb0.json +++ b/ics-attack/relationship/relationship--78972893-5d8c-480f-a05d-481adc0c8bb0.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--dced2cfd-e1fd-4713-8660-a350e9b6b8c2", + "id": "bundle--2aa2e2e0-0f66-400f-9f84-99af509b7b10", "spec_version": "2.0", "objects": [ { 
diff --git a/ics-attack/relationship/relationship--7912946d-1605-465a-a55c-36bb104235ab.json b/ics-attack/relationship/relationship--7912946d-1605-465a-a55c-36bb104235ab.json index f027a2a6a1..ab3a09a0e9 100644 --- a/ics-attack/relationship/relationship--7912946d-1605-465a-a55c-36bb104235ab.json +++ b/ics-attack/relationship/relationship--7912946d-1605-465a-a55c-36bb104235ab.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--98beb671-89f5-4dfd-8c2d-3801a609ec25", + "id": "bundle--96801403-0f7e-4a67-9a90-c986b253c57b", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--792324b4-064a-430c-8ffc-7f7acd537778.json b/ics-attack/relationship/relationship--792324b4-064a-430c-8ffc-7f7acd537778.json index 34e1ddc8b1..906b248307 100644 --- a/ics-attack/relationship/relationship--792324b4-064a-430c-8ffc-7f7acd537778.json +++ b/ics-attack/relationship/relationship--792324b4-064a-430c-8ffc-7f7acd537778.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--4e11c472-e05a-4e99-9e4b-f524e598d296", + "id": "bundle--1cc037ff-bf50-4c10-bd34-acf78c99bda9", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--79324bdd-cdab-4d0a-af60-af1047c1d117.json b/ics-attack/relationship/relationship--79324bdd-cdab-4d0a-af60-af1047c1d117.json index 6452502b90..5adff161c3 100644 --- a/ics-attack/relationship/relationship--79324bdd-cdab-4d0a-af60-af1047c1d117.json +++ b/ics-attack/relationship/relationship--79324bdd-cdab-4d0a-af60-af1047c1d117.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--76d89d91-22a7-4493-9ac0-c0a70a55503b", + "id": "bundle--1c02d857-0e4f-461c-b411-b284b73b60d4", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--798919d3-df8b-463f-b2be-4c1aa8089384.json b/ics-attack/relationship/relationship--798919d3-df8b-463f-b2be-4c1aa8089384.json index 1e89159b0c..0b90aabe28 100644 
--- a/ics-attack/relationship/relationship--798919d3-df8b-463f-b2be-4c1aa8089384.json +++ b/ics-attack/relationship/relationship--798919d3-df8b-463f-b2be-4c1aa8089384.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--43af6803-790a-4805-9067-afeed3215450", + "id": "bundle--b0807b59-ec4c-47a8-bd8c-a21553f9499e", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--79d05cb2-ded0-4847-b52e-af7af421f303.json b/ics-attack/relationship/relationship--79d05cb2-ded0-4847-b52e-af7af421f303.json index d4d5d6cc21..fbff219949 100644 --- a/ics-attack/relationship/relationship--79d05cb2-ded0-4847-b52e-af7af421f303.json +++ b/ics-attack/relationship/relationship--79d05cb2-ded0-4847-b52e-af7af421f303.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--35735633-51cf-4245-82b6-fe25e4d3cae2", + "id": "bundle--169a49b1-8e70-4cf8-b662-84fdcf6c657e", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--79fccaf1-3592-4af0-8a47-1d325b9fd5a4.json b/ics-attack/relationship/relationship--79fccaf1-3592-4af0-8a47-1d325b9fd5a4.json index 09578a1d4b..0bea60d50e 100644 --- a/ics-attack/relationship/relationship--79fccaf1-3592-4af0-8a47-1d325b9fd5a4.json +++ b/ics-attack/relationship/relationship--79fccaf1-3592-4af0-8a47-1d325b9fd5a4.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--ee653d24-4d9f-40b3-87de-beca0e3abeae", + "id": "bundle--7fde092a-6ed0-4de5-94dd-aa15bf108b9f", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--7a55fc66-0d5c-4ef6-af28-d4a4bb84381d.json b/ics-attack/relationship/relationship--7a55fc66-0d5c-4ef6-af28-d4a4bb84381d.json index 6e276ccd89..5ad7903aaa 100644 --- a/ics-attack/relationship/relationship--7a55fc66-0d5c-4ef6-af28-d4a4bb84381d.json +++ b/ics-attack/relationship/relationship--7a55fc66-0d5c-4ef6-af28-d4a4bb84381d.json 
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--d61ab75c-f7ad-474a-b7b4-a043d9d777c4", + "id": "bundle--523a5f15-0058-4856-aaab-f05896d8bba6", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--7a79ff35-319a-4e7d-b8c7-72f0bb0f8978.json b/ics-attack/relationship/relationship--7a79ff35-319a-4e7d-b8c7-72f0bb0f8978.json index c2d07289b9..ec6f8ec9e4 100644 --- a/ics-attack/relationship/relationship--7a79ff35-319a-4e7d-b8c7-72f0bb0f8978.json +++ b/ics-attack/relationship/relationship--7a79ff35-319a-4e7d-b8c7-72f0bb0f8978.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--9e787d6c-e144-4fc7-9922-452f2463f683", + "id": "bundle--0227194f-7cda-4b6c-9fd6-8544d4e61e4e", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--7aa93b40-80da-4bb6-8a7c-88e5f5e44669.json b/ics-attack/relationship/relationship--7aa93b40-80da-4bb6-8a7c-88e5f5e44669.json index 77170bdf5e..25e26746ea 100644 --- a/ics-attack/relationship/relationship--7aa93b40-80da-4bb6-8a7c-88e5f5e44669.json +++ b/ics-attack/relationship/relationship--7aa93b40-80da-4bb6-8a7c-88e5f5e44669.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--cce3799d-fd65-45d8-ae78-9ea80ef8bdaf", + "id": "bundle--70286038-eafd-498b-92fa-95e50a769e7a", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--7bfaf0ff-6d88-460f-aa32-3fb0267b4f20.json b/ics-attack/relationship/relationship--7bfaf0ff-6d88-460f-aa32-3fb0267b4f20.json index b56efe3369..a757373bed 100644 --- a/ics-attack/relationship/relationship--7bfaf0ff-6d88-460f-aa32-3fb0267b4f20.json +++ b/ics-attack/relationship/relationship--7bfaf0ff-6d88-460f-aa32-3fb0267b4f20.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--667f5c70-745f-48ad-a38a-a24380259e7d", + "id": "bundle--4438e06e-4d16-49e6-9339-f6a0e7c143cd", "spec_version": "2.0", "objects": [ { 
diff --git a/ics-attack/relationship/relationship--7c1eee62-3307-4e25-8a20-919ccd56ec1c.json b/ics-attack/relationship/relationship--7c1eee62-3307-4e25-8a20-919ccd56ec1c.json index a13c3ef2ce..6742b566ae 100644 --- a/ics-attack/relationship/relationship--7c1eee62-3307-4e25-8a20-919ccd56ec1c.json +++ b/ics-attack/relationship/relationship--7c1eee62-3307-4e25-8a20-919ccd56ec1c.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--191033a3-063e-4194-8041-48971922a43c", + "id": "bundle--87cca846-61f4-43cf-be11-681a4f2f0525", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--7c2edd6c-5189-4ba9-af3d-bdaff4a699ca.json b/ics-attack/relationship/relationship--7c2edd6c-5189-4ba9-af3d-bdaff4a699ca.json index 977e130c2f..3396f189fc 100644 --- a/ics-attack/relationship/relationship--7c2edd6c-5189-4ba9-af3d-bdaff4a699ca.json +++ b/ics-attack/relationship/relationship--7c2edd6c-5189-4ba9-af3d-bdaff4a699ca.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--1bf66ef9-46c9-4d98-8ac0-57c57eb9ebe2", + "id": "bundle--ca37d213-982e-43c8-843f-7747eb69cf0e", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--7c2f82ff-bde7-4ab8-b6ab-35d7f7f498dd.json b/ics-attack/relationship/relationship--7c2f82ff-bde7-4ab8-b6ab-35d7f7f498dd.json index c213f72316..95d401639e 100644 --- a/ics-attack/relationship/relationship--7c2f82ff-bde7-4ab8-b6ab-35d7f7f498dd.json +++ b/ics-attack/relationship/relationship--7c2f82ff-bde7-4ab8-b6ab-35d7f7f498dd.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--73d9df0b-4d57-449c-9530-16dc18aee63e", + "id": "bundle--7e9cfbb0-b86a-4202-9b53-13ebec89ed9a", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--7c329018-b591-42c4-8806-4d02ccd47476.json b/ics-attack/relationship/relationship--7c329018-b591-42c4-8806-4d02ccd47476.json index f0f5bff8dc..59ac689e05 100644 
--- a/ics-attack/relationship/relationship--7c329018-b591-42c4-8806-4d02ccd47476.json +++ b/ics-attack/relationship/relationship--7c329018-b591-42c4-8806-4d02ccd47476.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--12651e89-aec1-4059-ab42-5bebe0d88319", + "id": "bundle--cf75cd80-177a-451a-819f-368ac0e2d225", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--7c3b65e8-e8b7-4c3b-b27b-e216986d8976.json b/ics-attack/relationship/relationship--7c3b65e8-e8b7-4c3b-b27b-e216986d8976.json index 1369ee7cf7..f6049750f2 100644 --- a/ics-attack/relationship/relationship--7c3b65e8-e8b7-4c3b-b27b-e216986d8976.json +++ b/ics-attack/relationship/relationship--7c3b65e8-e8b7-4c3b-b27b-e216986d8976.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--55787731-c244-403c-bff5-953265ce3de1", + "id": "bundle--0087b5c8-8bd1-4ce8-ad16-26f76cfdc292", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--7c85bff0-8f70-479e-9365-fef1e3fe2b95.json b/ics-attack/relationship/relationship--7c85bff0-8f70-479e-9365-fef1e3fe2b95.json index d3fac1a2a0..553e5f2988 100644 --- a/ics-attack/relationship/relationship--7c85bff0-8f70-479e-9365-fef1e3fe2b95.json +++ b/ics-attack/relationship/relationship--7c85bff0-8f70-479e-9365-fef1e3fe2b95.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--a9b4b161-2fb8-4d31-b4f8-d30d53d20303", + "id": "bundle--b7df412a-be51-44e3-b0fa-bc5aaa556304", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--7c893581-c847-495a-aa93-9d98c516e1ae.json b/ics-attack/relationship/relationship--7c893581-c847-495a-aa93-9d98c516e1ae.json index 682b8ad511..bb6d5b228c 100644 --- a/ics-attack/relationship/relationship--7c893581-c847-495a-aa93-9d98c516e1ae.json +++ b/ics-attack/relationship/relationship--7c893581-c847-495a-aa93-9d98c516e1ae.json 
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--f593131a-e192-462f-a55e-019f65133b96", + "id": "bundle--2fc49a79-8668-4887-a252-f28bf86dfe57", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--7d0ec383-4c5d-474d-9262-3f3c0d6c05b1.json b/ics-attack/relationship/relationship--7d0ec383-4c5d-474d-9262-3f3c0d6c05b1.json index 8dcd1a7ad8..6c5b9d52da 100644 --- a/ics-attack/relationship/relationship--7d0ec383-4c5d-474d-9262-3f3c0d6c05b1.json +++ b/ics-attack/relationship/relationship--7d0ec383-4c5d-474d-9262-3f3c0d6c05b1.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--cb4c4286-6531-4f0c-b938-e70c2c43baad", + "id": "bundle--0ba2f79d-d375-4bdf-998b-a363b7357076", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--7d2db896-3051-483c-bc53-ca21832ee085.json b/ics-attack/relationship/relationship--7d2db896-3051-483c-bc53-ca21832ee085.json index 999e833f07..d94b99dd80 100644 --- a/ics-attack/relationship/relationship--7d2db896-3051-483c-bc53-ca21832ee085.json +++ b/ics-attack/relationship/relationship--7d2db896-3051-483c-bc53-ca21832ee085.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--b0fae320-42ed-4d6f-af63-7c699ab76eed", + "id": "bundle--f35f727e-48fc-4f9d-ae88-774ab8701151", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--7d3ef0e3-560c-4e46-a0b4-dd1efc29e835.json b/ics-attack/relationship/relationship--7d3ef0e3-560c-4e46-a0b4-dd1efc29e835.json index 5632a61b5a..27811ff542 100644 --- a/ics-attack/relationship/relationship--7d3ef0e3-560c-4e46-a0b4-dd1efc29e835.json +++ b/ics-attack/relationship/relationship--7d3ef0e3-560c-4e46-a0b4-dd1efc29e835.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--50a98096-be92-4961-9a6f-ce8a5e1a2e51", + "id": "bundle--0afa3a12-4943-444b-bfe8-d7b42d6042ca", "spec_version": "2.0", "objects": [ { 
diff --git a/ics-attack/relationship/relationship--7d5759cd-890e-4ec5-b92b-aba225d52960.json b/ics-attack/relationship/relationship--7d5759cd-890e-4ec5-b92b-aba225d52960.json index 1f1c64c1af..c34f2f81b3 100644 --- a/ics-attack/relationship/relationship--7d5759cd-890e-4ec5-b92b-aba225d52960.json +++ b/ics-attack/relationship/relationship--7d5759cd-890e-4ec5-b92b-aba225d52960.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--fd762a40-5bc5-467c-b6bc-fc1de64d865a", + "id": "bundle--578df703-ec22-44da-916e-a26c4751c114", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--7d66eae7-0dd4-4d21-ab07-8f7e350a7105.json b/ics-attack/relationship/relationship--7d66eae7-0dd4-4d21-ab07-8f7e350a7105.json index c1bbbd6bac..29874f632d 100644 --- a/ics-attack/relationship/relationship--7d66eae7-0dd4-4d21-ab07-8f7e350a7105.json +++ b/ics-attack/relationship/relationship--7d66eae7-0dd4-4d21-ab07-8f7e350a7105.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--bfa3a6c8-4763-492a-846e-7d14f59fcad2", + "id": "bundle--89850c2b-9204-4111-b8f6-e5aaa270d80b", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--7d6c4a00-acde-40af-bf91-a4ef009cf135.json b/ics-attack/relationship/relationship--7d6c4a00-acde-40af-bf91-a4ef009cf135.json index 906fb581de..21f6458f9f 100644 --- a/ics-attack/relationship/relationship--7d6c4a00-acde-40af-bf91-a4ef009cf135.json +++ b/ics-attack/relationship/relationship--7d6c4a00-acde-40af-bf91-a4ef009cf135.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--7bfae8aa-eb31-436e-bdcf-4c4372e54ab7", + "id": "bundle--bd42c334-5723-49fc-905e-062f7c511a19", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--7dad75e6-f569-4bb9-ad75-5eda55dff0b1.json b/ics-attack/relationship/relationship--7dad75e6-f569-4bb9-ad75-5eda55dff0b1.json index ab7c4196ef..b601a0ab94 100644 
--- a/ics-attack/relationship/relationship--7dad75e6-f569-4bb9-ad75-5eda55dff0b1.json +++ b/ics-attack/relationship/relationship--7dad75e6-f569-4bb9-ad75-5eda55dff0b1.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--7f846c8d-c95c-4de2-ad9c-4a46f4316978", + "id": "bundle--4899b042-b65d-428a-a6ca-688dc4012d46", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--7db9687b-7099-4cb6-a040-bc32fc549a81.json b/ics-attack/relationship/relationship--7db9687b-7099-4cb6-a040-bc32fc549a81.json index ba2f5c8fc9..fa113f9017 100644 --- a/ics-attack/relationship/relationship--7db9687b-7099-4cb6-a040-bc32fc549a81.json +++ b/ics-attack/relationship/relationship--7db9687b-7099-4cb6-a040-bc32fc549a81.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--0abe1e8f-3b3b-4c90-84d4-2ebd67eb13f5", + "id": "bundle--e66d5b3d-f130-4ffc-a8f5-ab910d9b4c35", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--7dedeb73-ef90-4282-a635-cc37326773af.json b/ics-attack/relationship/relationship--7dedeb73-ef90-4282-a635-cc37326773af.json index 9252ac34e2..f911c10a5a 100644 --- a/ics-attack/relationship/relationship--7dedeb73-ef90-4282-a635-cc37326773af.json +++ b/ics-attack/relationship/relationship--7dedeb73-ef90-4282-a635-cc37326773af.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--1442bb52-63c9-401f-9d2f-8e07d8152620", + "id": "bundle--4a6f07a4-4941-40cd-bd82-e165ea21333d", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--7e87ce08-a428-4e55-876e-80d2760121a5.json b/ics-attack/relationship/relationship--7e87ce08-a428-4e55-876e-80d2760121a5.json index 3f1fd9182d..36dd9dde18 100644 --- a/ics-attack/relationship/relationship--7e87ce08-a428-4e55-876e-80d2760121a5.json +++ b/ics-attack/relationship/relationship--7e87ce08-a428-4e55-876e-80d2760121a5.json 
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--764662bb-f844-42ae-be1b-0fcc9538ffd2", + "id": "bundle--70e31677-a300-430e-99bf-3325b96643c2", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--7f1e688d-65f7-4737-a4ba-ee482710f8ec.json b/ics-attack/relationship/relationship--7f1e688d-65f7-4737-a4ba-ee482710f8ec.json index ef5c7c7349..ba5dd0046e 100644 --- a/ics-attack/relationship/relationship--7f1e688d-65f7-4737-a4ba-ee482710f8ec.json +++ b/ics-attack/relationship/relationship--7f1e688d-65f7-4737-a4ba-ee482710f8ec.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--56140962-00ed-4613-bd0e-ba9ee0852d40", + "id": "bundle--c90d5b2c-4ce3-45e9-8318-0a33693e594b", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--7f3ab726-ca49-4d47-b2b5-6246c6e4fdd3.json b/ics-attack/relationship/relationship--7f3ab726-ca49-4d47-b2b5-6246c6e4fdd3.json index eb5ba2c542..49064a5191 100644 --- a/ics-attack/relationship/relationship--7f3ab726-ca49-4d47-b2b5-6246c6e4fdd3.json +++ b/ics-attack/relationship/relationship--7f3ab726-ca49-4d47-b2b5-6246c6e4fdd3.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--6cdea2fd-7849-4191-a65d-d2d21ed9aa8a", + "id": "bundle--6b32c057-5f7c-4f11-b410-c02cfac529a7", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--7fc9fbfc-ab9f-4189-bc1f-d473e9ef36b5.json b/ics-attack/relationship/relationship--7fc9fbfc-ab9f-4189-bc1f-d473e9ef36b5.json index dc0abccd85..d73e5b11fd 100644 --- a/ics-attack/relationship/relationship--7fc9fbfc-ab9f-4189-bc1f-d473e9ef36b5.json +++ b/ics-attack/relationship/relationship--7fc9fbfc-ab9f-4189-bc1f-d473e9ef36b5.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--0bf9e4ca-cac6-43a3-bc89-d86827763c94", + "id": "bundle--b7abc8f4-0fd1-4fd5-b734-5cfaefddf678", "spec_version": "2.0", "objects": [ { 
diff --git a/ics-attack/relationship/relationship--7fdaa9be-aecf-459f-b028-7c35dc8b6451.json b/ics-attack/relationship/relationship--7fdaa9be-aecf-459f-b028-7c35dc8b6451.json index 8de1d219af..722f0c2fb1 100644 --- a/ics-attack/relationship/relationship--7fdaa9be-aecf-459f-b028-7c35dc8b6451.json +++ b/ics-attack/relationship/relationship--7fdaa9be-aecf-459f-b028-7c35dc8b6451.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--9b7968f8-4e33-48c2-ab60-7bec8ed93242", + "id": "bundle--dafbb98a-f6dd-4477-99aa-34c9b5a1ebbe", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--7ff12adb-bc9a-42e5-9cbf-613b200c36dc.json b/ics-attack/relationship/relationship--7ff12adb-bc9a-42e5-9cbf-613b200c36dc.json index 512f22e3ea..a4501a5096 100644 --- a/ics-attack/relationship/relationship--7ff12adb-bc9a-42e5-9cbf-613b200c36dc.json +++ b/ics-attack/relationship/relationship--7ff12adb-bc9a-42e5-9cbf-613b200c36dc.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--6ec79d87-85ec-4266-902e-f2c9a045b288", + "id": "bundle--18be7757-44a7-49b5-a2d2-bd780f34e817", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--808174b7-3ab0-45b5-963e-5c10dd749e3c.json b/ics-attack/relationship/relationship--808174b7-3ab0-45b5-963e-5c10dd749e3c.json index 15fca8ada2..597198b0f6 100644 --- a/ics-attack/relationship/relationship--808174b7-3ab0-45b5-963e-5c10dd749e3c.json +++ b/ics-attack/relationship/relationship--808174b7-3ab0-45b5-963e-5c10dd749e3c.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--bdd579ad-3fb7-479a-a169-721abb2f7c7e", + "id": "bundle--95e9eab3-aaa0-4c50-8c98-95062efc452d", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--808c57e7-72ef-4860-b9ea-8ea072e2385a.json b/ics-attack/relationship/relationship--808c57e7-72ef-4860-b9ea-8ea072e2385a.json index 1a181d7664..0dd47160bc 100644 
--- a/ics-attack/relationship/relationship--808c57e7-72ef-4860-b9ea-8ea072e2385a.json +++ b/ics-attack/relationship/relationship--808c57e7-72ef-4860-b9ea-8ea072e2385a.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--008f24a3-1288-4f7e-b45f-11fb9c1b6c6b", + "id": "bundle--138129a8-d02a-4a80-9230-fafadf0beedf", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--80a69b56-337d-446a-8167-8b9f63083c4f.json b/ics-attack/relationship/relationship--80a69b56-337d-446a-8167-8b9f63083c4f.json index 1ecaf2d237..2441e5ac6c 100644 --- a/ics-attack/relationship/relationship--80a69b56-337d-446a-8167-8b9f63083c4f.json +++ b/ics-attack/relationship/relationship--80a69b56-337d-446a-8167-8b9f63083c4f.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--31237259-3b44-4f94-af68-5419f50a89cc", + "id": "bundle--da877417-b89e-4516-b554-e5ce63fe14f2", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--81117328-e2bb-431c-a1ca-6ba7e6816637.json b/ics-attack/relationship/relationship--81117328-e2bb-431c-a1ca-6ba7e6816637.json index 45f7d9d124..f4fa21c6dd 100644 --- a/ics-attack/relationship/relationship--81117328-e2bb-431c-a1ca-6ba7e6816637.json +++ b/ics-attack/relationship/relationship--81117328-e2bb-431c-a1ca-6ba7e6816637.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--def0bef3-df56-4815-aca4-0c2ee5d544dc", + "id": "bundle--17634f57-b274-4410-a43b-6108f5aeffe9", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--81add433-49d8-43ec-85d5-f48fe80e56e7.json b/ics-attack/relationship/relationship--81add433-49d8-43ec-85d5-f48fe80e56e7.json index b2d75d7af3..3f6039f5fa 100644 --- a/ics-attack/relationship/relationship--81add433-49d8-43ec-85d5-f48fe80e56e7.json +++ b/ics-attack/relationship/relationship--81add433-49d8-43ec-85d5-f48fe80e56e7.json 
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--7599f13a-2c4c-4dca-9734-ddbbbef56a2c", + "id": "bundle--cf054fcf-f3ae-4f8f-8cea-8f373c8371a1", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--81ca994a-b350-424d-8f39-a0b64aa76260.json b/ics-attack/relationship/relationship--81ca994a-b350-424d-8f39-a0b64aa76260.json index 5e0f778eac..99d59115c7 100644 --- a/ics-attack/relationship/relationship--81ca994a-b350-424d-8f39-a0b64aa76260.json +++ b/ics-attack/relationship/relationship--81ca994a-b350-424d-8f39-a0b64aa76260.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--d6c754f5-f210-4d57-b110-e50bf809bb7f", + "id": "bundle--1a71a983-d98b-45bd-b616-1f35c65b5104", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--82b20c35-88c6-49aa-8241-a59512b17b74.json b/ics-attack/relationship/relationship--82b20c35-88c6-49aa-8241-a59512b17b74.json index d9936b2eab..d779fa00f1 100644 --- a/ics-attack/relationship/relationship--82b20c35-88c6-49aa-8241-a59512b17b74.json +++ b/ics-attack/relationship/relationship--82b20c35-88c6-49aa-8241-a59512b17b74.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--33a7234a-afbe-46b5-9d27-342cbb2d99d3", + "id": "bundle--f9d86ed8-a3f6-4cae-a22c-f921cb778b39", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--8334b3ab-f17f-460e-b627-ad85fc9c2409.json b/ics-attack/relationship/relationship--8334b3ab-f17f-460e-b627-ad85fc9c2409.json index c9f10dffea..e52af754e2 100644 --- a/ics-attack/relationship/relationship--8334b3ab-f17f-460e-b627-ad85fc9c2409.json +++ b/ics-attack/relationship/relationship--8334b3ab-f17f-460e-b627-ad85fc9c2409.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--69fab378-4c29-4851-9586-91b52cf072fb", + "id": "bundle--fb082d24-527d-467d-90bc-a5a53d520643", "spec_version": "2.0", "objects": [ { 
diff --git a/ics-attack/relationship/relationship--83c29179-4805-403a-acf5-5151c4d2e556.json b/ics-attack/relationship/relationship--83c29179-4805-403a-acf5-5151c4d2e556.json index a5e37af2f8..98d8ddc083 100644 --- a/ics-attack/relationship/relationship--83c29179-4805-403a-acf5-5151c4d2e556.json +++ b/ics-attack/relationship/relationship--83c29179-4805-403a-acf5-5151c4d2e556.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--408d9552-9f71-4d46-9f05-00b2127b424d", + "id": "bundle--7fb66cd8-42d4-4fe9-8004-29e6a7dc8dff", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--83c8c216-7ff7-4bd3-9db4-573469628d95.json b/ics-attack/relationship/relationship--83c8c216-7ff7-4bd3-9db4-573469628d95.json index 3e8889067f..7e48ed57d7 100644 --- a/ics-attack/relationship/relationship--83c8c216-7ff7-4bd3-9db4-573469628d95.json +++ b/ics-attack/relationship/relationship--83c8c216-7ff7-4bd3-9db4-573469628d95.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--6de01559-9618-47cb-93d8-3363915eade6", + "id": "bundle--3db098f2-e686-45e0-9680-01753bc16701", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--83e5ebce-8d5d-43ca-a47f-ecb50ae8993a.json b/ics-attack/relationship/relationship--83e5ebce-8d5d-43ca-a47f-ecb50ae8993a.json index 54a0e1b845..67ac7388d0 100644 --- a/ics-attack/relationship/relationship--83e5ebce-8d5d-43ca-a47f-ecb50ae8993a.json +++ b/ics-attack/relationship/relationship--83e5ebce-8d5d-43ca-a47f-ecb50ae8993a.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--ebcaeea5-d0cd-4dd3-9183-9a95169b37f1", + "id": "bundle--1d859354-da8b-4658-b857-d8d87c0b1327", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--841ec349-0f4c-43fa-89b8-ef3656497fc9.json b/ics-attack/relationship/relationship--841ec349-0f4c-43fa-89b8-ef3656497fc9.json index 9c2d46b571..4639f4b369 100644 
--- a/ics-attack/relationship/relationship--841ec349-0f4c-43fa-89b8-ef3656497fc9.json +++ b/ics-attack/relationship/relationship--841ec349-0f4c-43fa-89b8-ef3656497fc9.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--b273eb56-82a8-4ab2-95c6-1114bbd9c83b", + "id": "bundle--47f04c05-05a2-4298-b7a5-d961cd098680", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--842a2b85-4e77-4eb6-99e1-c4a231aadf48.json b/ics-attack/relationship/relationship--842a2b85-4e77-4eb6-99e1-c4a231aadf48.json index 62b721a394..d0cb32968d 100644 --- a/ics-attack/relationship/relationship--842a2b85-4e77-4eb6-99e1-c4a231aadf48.json +++ b/ics-attack/relationship/relationship--842a2b85-4e77-4eb6-99e1-c4a231aadf48.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--0ed9855d-1b36-43b9-bf86-ec1e94aa5a79", + "id": "bundle--966805cb-7b8c-44fa-b8f1-1b845c211d56", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--84e535be-960a-450a-91f9-4dc8c5e3f69d.json b/ics-attack/relationship/relationship--84e535be-960a-450a-91f9-4dc8c5e3f69d.json index 13e05931d9..7c90be4da2 100644 --- a/ics-attack/relationship/relationship--84e535be-960a-450a-91f9-4dc8c5e3f69d.json +++ b/ics-attack/relationship/relationship--84e535be-960a-450a-91f9-4dc8c5e3f69d.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--a48978fc-ea21-425a-afc1-c0e875d4c4b0", + "id": "bundle--e939152f-2b33-4c61-99b7-b8516dbbf30a", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--86076ad1-8037-4dd0-88e7-9c40ec00af4a.json b/ics-attack/relationship/relationship--86076ad1-8037-4dd0-88e7-9c40ec00af4a.json index 9f3201bd7b..9a1f4ea3b3 100644 --- a/ics-attack/relationship/relationship--86076ad1-8037-4dd0-88e7-9c40ec00af4a.json +++ b/ics-attack/relationship/relationship--86076ad1-8037-4dd0-88e7-9c40ec00af4a.json 
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--7c063b51-220f-4506-9c51-ee8242cfbb99", + "id": "bundle--e80d4832-1f0e-44e7-b10d-f5ca0cfe8254", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--868db512-b897-4a54-ae56-ac78f6c93a14.json b/ics-attack/relationship/relationship--868db512-b897-4a54-ae56-ac78f6c93a14.json index 95eb42bb8b..adbd0e9e47 100644 --- a/ics-attack/relationship/relationship--868db512-b897-4a54-ae56-ac78f6c93a14.json +++ b/ics-attack/relationship/relationship--868db512-b897-4a54-ae56-ac78f6c93a14.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--c813ffbd-f27d-4308-9706-2307de5203f7", + "id": "bundle--0f15aad1-bcc3-4c76-a190-d551271f5447", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--86b868be-3e59-4497-9aa9-a2cd951a8f72.json b/ics-attack/relationship/relationship--86b868be-3e59-4497-9aa9-a2cd951a8f72.json index 66ca7ae226..bed88121bc 100644 --- a/ics-attack/relationship/relationship--86b868be-3e59-4497-9aa9-a2cd951a8f72.json +++ b/ics-attack/relationship/relationship--86b868be-3e59-4497-9aa9-a2cd951a8f72.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--45f73a85-3c25-4a46-bca9-40d563d71484", + "id": "bundle--1d212acc-793b-4a93-aefe-b91eb6ede27a", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--86c94552-de59-453d-ac06-28a6a64db930.json b/ics-attack/relationship/relationship--86c94552-de59-453d-ac06-28a6a64db930.json index f410a0d835..4cff9e75bc 100644 --- a/ics-attack/relationship/relationship--86c94552-de59-453d-ac06-28a6a64db930.json +++ b/ics-attack/relationship/relationship--86c94552-de59-453d-ac06-28a6a64db930.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--cc92b1b4-2f9b-406a-9725-d68a3a4d1eb5", + "id": "bundle--9bd854e7-2e32-40ea-837e-41a8a18523b4", "spec_version": "2.0", "objects": [ { 
diff --git a/ics-attack/relationship/relationship--86d45e92-80ba-4f97-b3a3-03ad3469658b.json b/ics-attack/relationship/relationship--86d45e92-80ba-4f97-b3a3-03ad3469658b.json index 909c1f0154..52b89c0ae9 100644 --- a/ics-attack/relationship/relationship--86d45e92-80ba-4f97-b3a3-03ad3469658b.json +++ b/ics-attack/relationship/relationship--86d45e92-80ba-4f97-b3a3-03ad3469658b.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--88b6a5b6-fe1d-41b1-81e7-eb86c9d6b1d5", + "id": "bundle--bba4fecc-1c73-4aee-9dfa-a76f9a5fa5c1", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--86ede365-4539-4475-b90b-9b3bfd2dbe97.json b/ics-attack/relationship/relationship--86ede365-4539-4475-b90b-9b3bfd2dbe97.json index 1cb7b9cc8c..dacd225048 100644 --- a/ics-attack/relationship/relationship--86ede365-4539-4475-b90b-9b3bfd2dbe97.json +++ b/ics-attack/relationship/relationship--86ede365-4539-4475-b90b-9b3bfd2dbe97.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--ef60ae46-2394-415a-867d-d9d66a4929d6", + "id": "bundle--b0e2f0eb-ea78-417d-8e77-8e313ed8603b", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--86f1655a-db46-4d49-9051-6653da83eb13.json b/ics-attack/relationship/relationship--86f1655a-db46-4d49-9051-6653da83eb13.json index 9f8d873f6c..f7876eb613 100644 --- a/ics-attack/relationship/relationship--86f1655a-db46-4d49-9051-6653da83eb13.json +++ b/ics-attack/relationship/relationship--86f1655a-db46-4d49-9051-6653da83eb13.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--fc1956ab-56f1-4447-a890-d297854d9306", + "id": "bundle--a34976b8-91d4-42a0-a4c4-137c253bb67a", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--874752f4-59a2-46e9-ae28-befe0142b223.json b/ics-attack/relationship/relationship--874752f4-59a2-46e9-ae28-befe0142b223.json index a3e708fcf0..cd3fc731dd 100644 
--- a/ics-attack/relationship/relationship--874752f4-59a2-46e9-ae28-befe0142b223.json +++ b/ics-attack/relationship/relationship--874752f4-59a2-46e9-ae28-befe0142b223.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--a764ad55-eeca-40d3-9a2d-d2a26a33b684", + "id": "bundle--f5f0637b-412a-4655-89e7-cb915331b491", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--87c8ab74-576d-4962-b641-0762d374d1e8.json b/ics-attack/relationship/relationship--87c8ab74-576d-4962-b641-0762d374d1e8.json index d2098266a9..fb4fb91182 100644 --- a/ics-attack/relationship/relationship--87c8ab74-576d-4962-b641-0762d374d1e8.json +++ b/ics-attack/relationship/relationship--87c8ab74-576d-4962-b641-0762d374d1e8.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--e156529e-3afa-4d49-abaa-d3a7fa8da8e6", + "id": "bundle--1ae15e51-ed5a-4120-a5e1-3f294b3ba1c0", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--87eb5825-c918-444f-8da5-67da9eea9906.json b/ics-attack/relationship/relationship--87eb5825-c918-444f-8da5-67da9eea9906.json index 6dcc2a3588..42095854f7 100644 --- a/ics-attack/relationship/relationship--87eb5825-c918-444f-8da5-67da9eea9906.json +++ b/ics-attack/relationship/relationship--87eb5825-c918-444f-8da5-67da9eea9906.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--3058614a-8d5e-4465-ba7d-0e28ed4375e6", + "id": "bundle--ee0e572a-85ca-4434-be04-b27593a1f261", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--880161a4-d6c9-4e5b-a78d-39319cfa43ab.json b/ics-attack/relationship/relationship--880161a4-d6c9-4e5b-a78d-39319cfa43ab.json index c47ba0559f..f41245e81b 100644 --- a/ics-attack/relationship/relationship--880161a4-d6c9-4e5b-a78d-39319cfa43ab.json +++ b/ics-attack/relationship/relationship--880161a4-d6c9-4e5b-a78d-39319cfa43ab.json 
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--484777fa-c9d7-4d4c-ac92-5627096eb273", + "id": "bundle--e3c5b330-1f29-49e3-a56c-f41a11e5a483", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--881ef4ba-a480-44de-8ab6-be2cdc87dcce.json b/ics-attack/relationship/relationship--881ef4ba-a480-44de-8ab6-be2cdc87dcce.json index 834f1317b4..7979c65c6b 100644 --- a/ics-attack/relationship/relationship--881ef4ba-a480-44de-8ab6-be2cdc87dcce.json +++ b/ics-attack/relationship/relationship--881ef4ba-a480-44de-8ab6-be2cdc87dcce.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--5a9b4e92-c59f-432f-846a-b1d3ac6574a7", + "id": "bundle--b05af4e4-359c-4844-8d61-bc71dd43d0b4", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--892c0bff-17b6-447b-a213-6a3189a1df82.json b/ics-attack/relationship/relationship--892c0bff-17b6-447b-a213-6a3189a1df82.json index f6a42132b0..757fa456da 100644 --- a/ics-attack/relationship/relationship--892c0bff-17b6-447b-a213-6a3189a1df82.json +++ b/ics-attack/relationship/relationship--892c0bff-17b6-447b-a213-6a3189a1df82.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--671fb82d-ac07-47b3-8ad0-2d2df217b7eb", + "id": "bundle--06b0909e-4570-429c-bc95-a57dc26f288b", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--8985cd3c-1429-4681-ad2e-9b3e46588a44.json b/ics-attack/relationship/relationship--8985cd3c-1429-4681-ad2e-9b3e46588a44.json index 4f612a2b49..62644f0bbb 100644 --- a/ics-attack/relationship/relationship--8985cd3c-1429-4681-ad2e-9b3e46588a44.json +++ b/ics-attack/relationship/relationship--8985cd3c-1429-4681-ad2e-9b3e46588a44.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--b3a96fc7-f03c-434a-9e8c-9f70594bbbc7", + "id": "bundle--7069f793-88d1-4793-9b07-04d5e1acc5ce", "spec_version": "2.0", "objects": [ { 
diff --git a/ics-attack/relationship/relationship--8a06c15b-b7e5-4374-9265-8d9020e126cd.json b/ics-attack/relationship/relationship--8a06c15b-b7e5-4374-9265-8d9020e126cd.json index 73e9859ede..069c6199e0 100644 --- a/ics-attack/relationship/relationship--8a06c15b-b7e5-4374-9265-8d9020e126cd.json +++ b/ics-attack/relationship/relationship--8a06c15b-b7e5-4374-9265-8d9020e126cd.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--b4f7e2f1-b145-4f5f-8618-c77da8775b52", + "id": "bundle--61c1d1ad-a0fa-4cc9-bb4d-a827be3beb3f", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--8a604466-8437-4fe6-b6db-ec8fb05d702a.json b/ics-attack/relationship/relationship--8a604466-8437-4fe6-b6db-ec8fb05d702a.json index db651928c1..aa2a7ad9ac 100644 --- a/ics-attack/relationship/relationship--8a604466-8437-4fe6-b6db-ec8fb05d702a.json +++ b/ics-attack/relationship/relationship--8a604466-8437-4fe6-b6db-ec8fb05d702a.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--5522c48e-2932-4a42-b1c3-c45d4f033535", + "id": "bundle--fa75af01-e6b6-4411-a975-c7fa35b15577", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--8af89a9b-3e95-45f4-a51d-223b1c82db9c.json b/ics-attack/relationship/relationship--8af89a9b-3e95-45f4-a51d-223b1c82db9c.json index 7cbcff427d..1aac6ab414 100644 --- a/ics-attack/relationship/relationship--8af89a9b-3e95-45f4-a51d-223b1c82db9c.json +++ b/ics-attack/relationship/relationship--8af89a9b-3e95-45f4-a51d-223b1c82db9c.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--e344bc92-5bad-4792-8dc5-6df544e860be", + "id": "bundle--4c7b2511-c849-45f2-92c9-f2150d85538b", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--8b136d10-1fd7-4cd4-a3a7-b648b23adc92.json b/ics-attack/relationship/relationship--8b136d10-1fd7-4cd4-a3a7-b648b23adc92.json index 9f8118a2dd..3b54bd7331 100644 
--- a/ics-attack/relationship/relationship--8b136d10-1fd7-4cd4-a3a7-b648b23adc92.json +++ b/ics-attack/relationship/relationship--8b136d10-1fd7-4cd4-a3a7-b648b23adc92.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--305360f9-bf9b-41f3-9e51-d3567a6edaf8", + "id": "bundle--31b64890-084b-4c11-91e2-8e79df3f82a2", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--8b17ad46-b0cc-4766-9cae-eba32260d468.json b/ics-attack/relationship/relationship--8b17ad46-b0cc-4766-9cae-eba32260d468.json index 5cd46351fc..09b91ca230 100644 --- a/ics-attack/relationship/relationship--8b17ad46-b0cc-4766-9cae-eba32260d468.json +++ b/ics-attack/relationship/relationship--8b17ad46-b0cc-4766-9cae-eba32260d468.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--44a4fd80-5a77-42c9-922d-449cd32c27ee", + "id": "bundle--08ed6904-56dc-42cf-ad22-31b25f4b8a01", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--8b2d82aa-75fc-4d6d-bb4b-9f600bd211fd.json b/ics-attack/relationship/relationship--8b2d82aa-75fc-4d6d-bb4b-9f600bd211fd.json index 1be30e1ec0..48c4c55e4d 100644 --- a/ics-attack/relationship/relationship--8b2d82aa-75fc-4d6d-bb4b-9f600bd211fd.json +++ b/ics-attack/relationship/relationship--8b2d82aa-75fc-4d6d-bb4b-9f600bd211fd.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--5a9b24b4-4702-4711-a3c5-e23ff8502797", + "id": "bundle--23a6fb3e-e4b6-402b-8edf-9cb5041bf632", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--8b491011-322d-4e0b-8f79-449e1b2ee185.json b/ics-attack/relationship/relationship--8b491011-322d-4e0b-8f79-449e1b2ee185.json index a2c14f92f8..c031eaf982 100644 --- a/ics-attack/relationship/relationship--8b491011-322d-4e0b-8f79-449e1b2ee185.json +++ b/ics-attack/relationship/relationship--8b491011-322d-4e0b-8f79-449e1b2ee185.json 
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--01679eea-82be-40e9-931b-f93dcb30cd93", + "id": "bundle--5b7fdcee-237c-4376-bf7e-c219728c9fa6", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--8baa4d55-c235-44da-b6fe-8866cf7f9915.json b/ics-attack/relationship/relationship--8baa4d55-c235-44da-b6fe-8866cf7f9915.json index d573aa0d45..62635f704a 100644 --- a/ics-attack/relationship/relationship--8baa4d55-c235-44da-b6fe-8866cf7f9915.json +++ b/ics-attack/relationship/relationship--8baa4d55-c235-44da-b6fe-8866cf7f9915.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--27a15e89-f713-4903-87b9-b4a52ba5e8c3", + "id": "bundle--3b07b5c6-08c7-4e2a-b69a-b955bc901ed5", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--8c1b22bd-7e31-427f-a9c5-085a606212ca.json b/ics-attack/relationship/relationship--8c1b22bd-7e31-427f-a9c5-085a606212ca.json index dfc1655691..53cf7e65b0 100644 --- a/ics-attack/relationship/relationship--8c1b22bd-7e31-427f-a9c5-085a606212ca.json +++ b/ics-attack/relationship/relationship--8c1b22bd-7e31-427f-a9c5-085a606212ca.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--253adaa6-cb2f-45a5-9f82-7b3d8ce6289b", + "id": "bundle--6fe68b3b-67e0-4d46-abdc-78a617e91256", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--8ca2fe75-9bb3-4af5-8fee-accd33d6d2ec.json b/ics-attack/relationship/relationship--8ca2fe75-9bb3-4af5-8fee-accd33d6d2ec.json index ae52095beb..ede0ba714e 100644 --- a/ics-attack/relationship/relationship--8ca2fe75-9bb3-4af5-8fee-accd33d6d2ec.json +++ b/ics-attack/relationship/relationship--8ca2fe75-9bb3-4af5-8fee-accd33d6d2ec.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--967f8bb5-eeac-4434-bdba-1cba48d8cacb", + "id": "bundle--00dca635-8c74-45d5-bb3c-d3af7e72a85b", "spec_version": "2.0", "objects": [ { 
diff --git a/ics-attack/relationship/relationship--8da928a0-1c87-471f-aad7-5a1fdd438357.json b/ics-attack/relationship/relationship--8da928a0-1c87-471f-aad7-5a1fdd438357.json index d1e12d422c..19af3e31f3 100644 --- a/ics-attack/relationship/relationship--8da928a0-1c87-471f-aad7-5a1fdd438357.json +++ b/ics-attack/relationship/relationship--8da928a0-1c87-471f-aad7-5a1fdd438357.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--f28f3d82-46ea-45e3-b3e7-6003f858b065", + "id": "bundle--15bf4eb5-2fae-4338-9d33-f3951951c646", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--8dab113a-a713-499b-ba1e-9c2cbeffb3c8.json b/ics-attack/relationship/relationship--8dab113a-a713-499b-ba1e-9c2cbeffb3c8.json index e39865ecf9..3621c811aa 100644 --- a/ics-attack/relationship/relationship--8dab113a-a713-499b-ba1e-9c2cbeffb3c8.json +++ b/ics-attack/relationship/relationship--8dab113a-a713-499b-ba1e-9c2cbeffb3c8.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--765ad260-d39e-4dbc-81ee-6074fdbfca7b", + "id": "bundle--b4952c13-cb63-493f-889c-a1e0fcd1a1c5", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--8ecf5eac-7767-411b-b54a-b374ea51b9e9.json b/ics-attack/relationship/relationship--8ecf5eac-7767-411b-b54a-b374ea51b9e9.json index abf4b53459..c695529fa1 100644 --- a/ics-attack/relationship/relationship--8ecf5eac-7767-411b-b54a-b374ea51b9e9.json +++ b/ics-attack/relationship/relationship--8ecf5eac-7767-411b-b54a-b374ea51b9e9.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--1ba7a7bc-fb4a-4eae-b049-f7de34c5a1e5", + "id": "bundle--37e1dea6-06e2-4414-afae-86a1a84de6f3", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--8f76d408-be8a-478e-8a5a-aab1d1f96572.json b/ics-attack/relationship/relationship--8f76d408-be8a-478e-8a5a-aab1d1f96572.json index 346df81043..db00f01886 100644 
--- a/ics-attack/relationship/relationship--8f76d408-be8a-478e-8a5a-aab1d1f96572.json +++ b/ics-attack/relationship/relationship--8f76d408-be8a-478e-8a5a-aab1d1f96572.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--4e30337b-0657-4538-b88c-11bd7ada62ea", + "id": "bundle--2716bb9b-8482-473b-92a0-f04aba4b0856", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--8f90363e-2825-4178-807f-9268a28760fa.json b/ics-attack/relationship/relationship--8f90363e-2825-4178-807f-9268a28760fa.json index 14704843e6..0260e6ad21 100644 --- a/ics-attack/relationship/relationship--8f90363e-2825-4178-807f-9268a28760fa.json +++ b/ics-attack/relationship/relationship--8f90363e-2825-4178-807f-9268a28760fa.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--0df7c75d-a4fd-44a7-8509-1c4b9628ab04", + "id": "bundle--bd0fc923-1751-4870-b4f7-a11b13f64d21", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--8fa6fe89-e704-4be4-a15b-50e188084aa3.json b/ics-attack/relationship/relationship--8fa6fe89-e704-4be4-a15b-50e188084aa3.json index 878d63fe5a..0d5b581efc 100644 --- a/ics-attack/relationship/relationship--8fa6fe89-e704-4be4-a15b-50e188084aa3.json +++ b/ics-attack/relationship/relationship--8fa6fe89-e704-4be4-a15b-50e188084aa3.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--fffee586-b92b-44b7-9685-68390973b15c", + "id": "bundle--a9e5db15-c556-4b9c-a880-65e455a0d4b1", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--8fcecf74-36df-41ab-9476-539c9ac0b339.json b/ics-attack/relationship/relationship--8fcecf74-36df-41ab-9476-539c9ac0b339.json index fbcf4047f9..34d23082a0 100644 --- a/ics-attack/relationship/relationship--8fcecf74-36df-41ab-9476-539c9ac0b339.json +++ b/ics-attack/relationship/relationship--8fcecf74-36df-41ab-9476-539c9ac0b339.json 
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--ad412604-614c-4126-9623-e87a907bcd3a", + "id": "bundle--36106874-f8c3-48e4-92b5-8cf3825eb87b", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--90d9c8e3-0250-4096-8d98-7ca1d324d654.json b/ics-attack/relationship/relationship--90d9c8e3-0250-4096-8d98-7ca1d324d654.json index 20fe05b808..0f1eda51d1 100644 --- a/ics-attack/relationship/relationship--90d9c8e3-0250-4096-8d98-7ca1d324d654.json +++ b/ics-attack/relationship/relationship--90d9c8e3-0250-4096-8d98-7ca1d324d654.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--f0c28785-b1ad-4eda-baf4-81a0002c70dd", + "id": "bundle--77629eb0-578f-4e4c-89d7-f9c86b32e4a8", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--91f29477-2ff6-4dbf-bf68-c8825a938851.json b/ics-attack/relationship/relationship--91f29477-2ff6-4dbf-bf68-c8825a938851.json index 7194910b60..a7ed6b0d62 100644 --- a/ics-attack/relationship/relationship--91f29477-2ff6-4dbf-bf68-c8825a938851.json +++ b/ics-attack/relationship/relationship--91f29477-2ff6-4dbf-bf68-c8825a938851.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--17440961-b00f-490c-b7ac-8fb0f88abfa0", + "id": "bundle--1eca7f2f-a36a-4013-88bd-73b33888657f", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--92634d06-42e5-407f-bcb7-cafb1ddeafce.json b/ics-attack/relationship/relationship--92634d06-42e5-407f-bcb7-cafb1ddeafce.json index 9c60075128..2955f17764 100644 --- a/ics-attack/relationship/relationship--92634d06-42e5-407f-bcb7-cafb1ddeafce.json +++ b/ics-attack/relationship/relationship--92634d06-42e5-407f-bcb7-cafb1ddeafce.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--7259ebdc-b520-42b2-919d-90e31a833d1f", + "id": "bundle--e5431a72-ddd0-4d5e-b3f9-138132d9b8a4", "spec_version": "2.0", "objects": [ { 
diff --git a/ics-attack/relationship/relationship--92d1fd4f-6cc7-4db5-82f8-f8caa5ff59f0.json b/ics-attack/relationship/relationship--92d1fd4f-6cc7-4db5-82f8-f8caa5ff59f0.json index 13ffd7df8f..964d676bf8 100644 --- a/ics-attack/relationship/relationship--92d1fd4f-6cc7-4db5-82f8-f8caa5ff59f0.json +++ b/ics-attack/relationship/relationship--92d1fd4f-6cc7-4db5-82f8-f8caa5ff59f0.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--c1dd6e63-c4ec-4e4e-9d91-c5a0385f964c", + "id": "bundle--8614cd4c-ff53-40aa-9797-f693a457e8d5", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--92ea1c2a-3835-43de-bb56-24e937a6f322.json b/ics-attack/relationship/relationship--92ea1c2a-3835-43de-bb56-24e937a6f322.json index 9ccd7d06ff..f06f62a13c 100644 --- a/ics-attack/relationship/relationship--92ea1c2a-3835-43de-bb56-24e937a6f322.json +++ b/ics-attack/relationship/relationship--92ea1c2a-3835-43de-bb56-24e937a6f322.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--dd5892cb-6150-4de4-962b-100e98d1db8a", + "id": "bundle--16e7d597-542e-46a7-b8ef-04405cce1a85", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--93e24e03-6425-4ee8-99bb-c3a662c6cdce.json b/ics-attack/relationship/relationship--93e24e03-6425-4ee8-99bb-c3a662c6cdce.json index b15c0e3c3f..52d8d88bae 100644 --- a/ics-attack/relationship/relationship--93e24e03-6425-4ee8-99bb-c3a662c6cdce.json +++ b/ics-attack/relationship/relationship--93e24e03-6425-4ee8-99bb-c3a662c6cdce.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--2479cb11-9461-491f-a2e7-b3795d888e34", + "id": "bundle--1eccd873-c828-4e05-8975-2ea714844e70", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--949b498c-ca3f-4704-90bd-a22a4d34067f.json b/ics-attack/relationship/relationship--949b498c-ca3f-4704-90bd-a22a4d34067f.json index 48e45f20ed..63bcec9b94 100644 
--- a/ics-attack/relationship/relationship--949b498c-ca3f-4704-90bd-a22a4d34067f.json +++ b/ics-attack/relationship/relationship--949b498c-ca3f-4704-90bd-a22a4d34067f.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--5250045b-0b3b-4f0a-a97a-8f03dd1f7491", + "id": "bundle--eb7aca42-960f-4653-9f27-49b140606705", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--94c903f4-a6c1-40c4-9e9b-0896a5d43b7e.json b/ics-attack/relationship/relationship--94c903f4-a6c1-40c4-9e9b-0896a5d43b7e.json index 49a2d94823..57efcc67ca 100644 --- a/ics-attack/relationship/relationship--94c903f4-a6c1-40c4-9e9b-0896a5d43b7e.json +++ b/ics-attack/relationship/relationship--94c903f4-a6c1-40c4-9e9b-0896a5d43b7e.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--27b2afbe-070a-4c54-8de9-6ccf29ede677", + "id": "bundle--5100ca3a-da95-4d13-ae01-456b36a9db54", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--9515f24c-1c33-4197-b9c9-b9992bc696ca.json b/ics-attack/relationship/relationship--9515f24c-1c33-4197-b9c9-b9992bc696ca.json index 098ee3adf6..e0aefdc9b8 100644 --- a/ics-attack/relationship/relationship--9515f24c-1c33-4197-b9c9-b9992bc696ca.json +++ b/ics-attack/relationship/relationship--9515f24c-1c33-4197-b9c9-b9992bc696ca.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--f1312336-21fe-4a55-a19d-3f9d65e3e938", + "id": "bundle--025cfade-5798-4224-a761-ff3f210dead6", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--95b12e1a-7f21-4fa0-9b2a-c96c7c270625.json b/ics-attack/relationship/relationship--95b12e1a-7f21-4fa0-9b2a-c96c7c270625.json index 1eeeb54dfb..8bc3a21bb5 100644 --- a/ics-attack/relationship/relationship--95b12e1a-7f21-4fa0-9b2a-c96c7c270625.json +++ b/ics-attack/relationship/relationship--95b12e1a-7f21-4fa0-9b2a-c96c7c270625.json 
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--6f904d95-91a2-4739-9ef0-49b899a7422d", + "id": "bundle--66e8287b-ecd3-441a-b0c5-79ce4be9c451", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--966b59c0-8641-432c-84f7-b2a712004d74.json b/ics-attack/relationship/relationship--966b59c0-8641-432c-84f7-b2a712004d74.json index 59700d562b..047cf29a07 100644 --- a/ics-attack/relationship/relationship--966b59c0-8641-432c-84f7-b2a712004d74.json +++ b/ics-attack/relationship/relationship--966b59c0-8641-432c-84f7-b2a712004d74.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--2d7b447a-e621-4d48-90ed-9da75fbd98cd", + "id": "bundle--09d87df4-ae9b-447a-bf56-259ee1dcc653", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--968830b7-ee80-4a6e-96a4-9fc70470e4a9.json b/ics-attack/relationship/relationship--968830b7-ee80-4a6e-96a4-9fc70470e4a9.json index 06ce092cb0..840748dd96 100644 --- a/ics-attack/relationship/relationship--968830b7-ee80-4a6e-96a4-9fc70470e4a9.json +++ b/ics-attack/relationship/relationship--968830b7-ee80-4a6e-96a4-9fc70470e4a9.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--2ee0e492-56ab-4902-b97a-af421211f05c", + "id": "bundle--87ad2058-a651-4cc7-9201-8d53a07a853a", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--973f5884-a076-413e-ac96-f0bd01375fb6.json b/ics-attack/relationship/relationship--973f5884-a076-413e-ac96-f0bd01375fb6.json index 3be1b98cfa..dd4e9e09c4 100644 --- a/ics-attack/relationship/relationship--973f5884-a076-413e-ac96-f0bd01375fb6.json +++ b/ics-attack/relationship/relationship--973f5884-a076-413e-ac96-f0bd01375fb6.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--000d1120-a77f-4fb8-8473-a63394c9b6c3", + "id": "bundle--7d18a93c-b829-482f-bac1-424e47ff6ca0", "spec_version": "2.0", "objects": [ { 
diff --git a/ics-attack/relationship/relationship--97538255-b049-4d15-91c4-6b227cbea476.json b/ics-attack/relationship/relationship--97538255-b049-4d15-91c4-6b227cbea476.json index 6d84895c69..1f196207a3 100644 --- a/ics-attack/relationship/relationship--97538255-b049-4d15-91c4-6b227cbea476.json +++ b/ics-attack/relationship/relationship--97538255-b049-4d15-91c4-6b227cbea476.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--bd3fa1f8-4c82-4df7-9b8e-b68779f1a89b", + "id": "bundle--8b26807b-f94f-4e37-8d44-410d5260e7a4", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--97641754-f215-4b8f-b0cd-0d3142053c76.json b/ics-attack/relationship/relationship--97641754-f215-4b8f-b0cd-0d3142053c76.json index adb2a1762f..dd73feaf77 100644 --- a/ics-attack/relationship/relationship--97641754-f215-4b8f-b0cd-0d3142053c76.json +++ b/ics-attack/relationship/relationship--97641754-f215-4b8f-b0cd-0d3142053c76.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--e12a28d4-c998-46c8-9ca1-9150ab901f22", + "id": "bundle--6f52a74c-d537-4f92-a18e-626ce8db6fba", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--97c5b388-518a-46ec-b2b0-41bfa6a83204.json b/ics-attack/relationship/relationship--97c5b388-518a-46ec-b2b0-41bfa6a83204.json index 2bc6cc6bf8..e44f563722 100644 --- a/ics-attack/relationship/relationship--97c5b388-518a-46ec-b2b0-41bfa6a83204.json +++ b/ics-attack/relationship/relationship--97c5b388-518a-46ec-b2b0-41bfa6a83204.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--9baa2e22-690e-46cd-b1b7-3f7c403a86fc", + "id": "bundle--a71819df-4d2e-45db-b0cb-b8d43a1dbc0c", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--97df42a5-e6d3-4fb7-a158-c161d14624ab.json b/ics-attack/relationship/relationship--97df42a5-e6d3-4fb7-a158-c161d14624ab.json index 054aaca71a..be9c1a29c5 100644 
--- a/ics-attack/relationship/relationship--97df42a5-e6d3-4fb7-a158-c161d14624ab.json +++ b/ics-attack/relationship/relationship--97df42a5-e6d3-4fb7-a158-c161d14624ab.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--03feeb3f-0f2c-4705-9945-9f6db2493225", + "id": "bundle--494457e3-592c-4cf9-a892-a66610a7d28a", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--984992e3-0407-406a-b8dd-c114d8b2d9a2.json b/ics-attack/relationship/relationship--984992e3-0407-406a-b8dd-c114d8b2d9a2.json index f438654ad9..486f12c398 100644 --- a/ics-attack/relationship/relationship--984992e3-0407-406a-b8dd-c114d8b2d9a2.json +++ b/ics-attack/relationship/relationship--984992e3-0407-406a-b8dd-c114d8b2d9a2.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--2f9983a0-b4e1-48aa-aeb3-ac6a8e7dd334", + "id": "bundle--80f932fa-7677-4356-8c96-e9f4a20ae4c8", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--98b229f8-6020-4fbb-b104-54fd478c14d9.json b/ics-attack/relationship/relationship--98b229f8-6020-4fbb-b104-54fd478c14d9.json index d463b0aa9a..5535d3f7cd 100644 --- a/ics-attack/relationship/relationship--98b229f8-6020-4fbb-b104-54fd478c14d9.json +++ b/ics-attack/relationship/relationship--98b229f8-6020-4fbb-b104-54fd478c14d9.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--d92a6622-3bed-4c19-bda1-307dbc61d718", + "id": "bundle--d81520d6-ad0b-417d-b679-15a33dee04a9", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--98d447f4-397b-43e7-9740-c2e5ea6b1714.json b/ics-attack/relationship/relationship--98d447f4-397b-43e7-9740-c2e5ea6b1714.json index 618c5802fe..d922c1d1df 100644 --- a/ics-attack/relationship/relationship--98d447f4-397b-43e7-9740-c2e5ea6b1714.json +++ b/ics-attack/relationship/relationship--98d447f4-397b-43e7-9740-c2e5ea6b1714.json 
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--ca5bf113-f6f6-446f-890a-62abd5ffcb7a", + "id": "bundle--a634f0d8-153c-4f7b-a19a-c439f0727299", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--98f1d575-a975-42ae-8b00-2c9e22d560d5.json b/ics-attack/relationship/relationship--98f1d575-a975-42ae-8b00-2c9e22d560d5.json index f36879458d..f27d7b23a5 100644 --- a/ics-attack/relationship/relationship--98f1d575-a975-42ae-8b00-2c9e22d560d5.json +++ b/ics-attack/relationship/relationship--98f1d575-a975-42ae-8b00-2c9e22d560d5.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--536bd904-8932-4c31-9c3e-1a45593dcc20", + "id": "bundle--ec1d49fa-29c2-4526-96ea-7b1c270629b8", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--9902691c-aaf2-48a1-b1ca-cd6f652ae1c6.json b/ics-attack/relationship/relationship--9902691c-aaf2-48a1-b1ca-cd6f652ae1c6.json index 80740bc448..3b5a31cdb7 100644 --- a/ics-attack/relationship/relationship--9902691c-aaf2-48a1-b1ca-cd6f652ae1c6.json +++ b/ics-attack/relationship/relationship--9902691c-aaf2-48a1-b1ca-cd6f652ae1c6.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--bc14f965-b948-4331-9173-9d3abf36a69b", + "id": "bundle--658a8977-1e71-4873-aa8d-f21200cb80e7", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--990f944f-190d-456d-b194-f5ecb17a0868.json b/ics-attack/relationship/relationship--990f944f-190d-456d-b194-f5ecb17a0868.json index 33c1ec4645..cf3bb5e20b 100644 --- a/ics-attack/relationship/relationship--990f944f-190d-456d-b194-f5ecb17a0868.json +++ b/ics-attack/relationship/relationship--990f944f-190d-456d-b194-f5ecb17a0868.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--55d2f46d-07fc-4fa4-acff-3359d7da03c3", + "id": "bundle--862f3448-ebf0-42b1-9c9e-023570717fdf", "spec_version": "2.0", "objects": [ { 
diff --git a/ics-attack/relationship/relationship--99c0c90e-8526-41d6-80ca-b037598c6326.json b/ics-attack/relationship/relationship--99c0c90e-8526-41d6-80ca-b037598c6326.json index 7d9c35034c..ecf56ea6f8 100644 --- a/ics-attack/relationship/relationship--99c0c90e-8526-41d6-80ca-b037598c6326.json +++ b/ics-attack/relationship/relationship--99c0c90e-8526-41d6-80ca-b037598c6326.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--d195369d-5393-4851-99b2-7136424c9c2a", + "id": "bundle--6f8de66a-993f-4900-81a0-f666dccd86d6", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--99ec0a8e-4a4f-427c-89db-163e4b206021.json b/ics-attack/relationship/relationship--99ec0a8e-4a4f-427c-89db-163e4b206021.json index ab08d49d12..db8153d135 100644 --- a/ics-attack/relationship/relationship--99ec0a8e-4a4f-427c-89db-163e4b206021.json +++ b/ics-attack/relationship/relationship--99ec0a8e-4a4f-427c-89db-163e4b206021.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--c3389e9d-692b-4677-9b05-77b1de92b252", + "id": "bundle--e7b02c1b-63cf-4758-8740-8fc6b89c7ca6", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--9a44b2a8-9f4c-43df-9174-1cba6e165886.json b/ics-attack/relationship/relationship--9a44b2a8-9f4c-43df-9174-1cba6e165886.json index 61d8bff0af..bffc28719b 100644 --- a/ics-attack/relationship/relationship--9a44b2a8-9f4c-43df-9174-1cba6e165886.json +++ b/ics-attack/relationship/relationship--9a44b2a8-9f4c-43df-9174-1cba6e165886.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--028a4063-064b-4d15-a3ae-011aa458c53c", + "id": "bundle--4748e5fa-b88c-4a66-be01-f3233f7d8233", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--9a607f89-85b8-4fba-8eb7-7e4900ea693f.json b/ics-attack/relationship/relationship--9a607f89-85b8-4fba-8eb7-7e4900ea693f.json index 219702c453..a0675734dd 100644 
--- a/ics-attack/relationship/relationship--9a607f89-85b8-4fba-8eb7-7e4900ea693f.json +++ b/ics-attack/relationship/relationship--9a607f89-85b8-4fba-8eb7-7e4900ea693f.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--da17c047-38d9-4308-8607-975b3d3070ac", + "id": "bundle--d8d51edf-0343-4c72-9f34-018d04ef287d", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--9ad74496-e164-4068-a0f5-379f507ba864.json b/ics-attack/relationship/relationship--9ad74496-e164-4068-a0f5-379f507ba864.json index 0ce655aad4..2aefa96396 100644 --- a/ics-attack/relationship/relationship--9ad74496-e164-4068-a0f5-379f507ba864.json +++ b/ics-attack/relationship/relationship--9ad74496-e164-4068-a0f5-379f507ba864.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--a893feef-6a3d-4800-8d1d-6e211ee48ab5", + "id": "bundle--7cdc1c02-bcfa-4d68-8845-adf262148359", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--9b412b1f-2dd0-4e7f-8364-f625181ba1db.json b/ics-attack/relationship/relationship--9b412b1f-2dd0-4e7f-8364-f625181ba1db.json index 93efab45d6..ce469e7813 100644 --- a/ics-attack/relationship/relationship--9b412b1f-2dd0-4e7f-8364-f625181ba1db.json +++ b/ics-attack/relationship/relationship--9b412b1f-2dd0-4e7f-8364-f625181ba1db.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--e2da1d6d-10e0-4331-8b49-910c5c8e7570", + "id": "bundle--2a699267-1fd1-4566-8d55-346d73ff1db3", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--9b825e77-2b18-4bc8-8e1d-5f645d570dca.json b/ics-attack/relationship/relationship--9b825e77-2b18-4bc8-8e1d-5f645d570dca.json index 65d45297ae..586b4a07eb 100644 --- a/ics-attack/relationship/relationship--9b825e77-2b18-4bc8-8e1d-5f645d570dca.json +++ b/ics-attack/relationship/relationship--9b825e77-2b18-4bc8-8e1d-5f645d570dca.json 
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--50eae04f-95f3-41e7-a748-ea837bc20e0f", + "id": "bundle--d99831ff-96e1-4e8a-a22f-98f1d29ec38d", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--9cca3120-c95e-4f5e-bc4b-0521ab5cc512.json b/ics-attack/relationship/relationship--9cca3120-c95e-4f5e-bc4b-0521ab5cc512.json index 2312c2f819..8e8ca6d986 100644 --- a/ics-attack/relationship/relationship--9cca3120-c95e-4f5e-bc4b-0521ab5cc512.json +++ b/ics-attack/relationship/relationship--9cca3120-c95e-4f5e-bc4b-0521ab5cc512.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--fa8d8860-5710-4eb5-89f3-7ae1e3436e00", + "id": "bundle--38009201-0ce7-4eb5-bad8-46a18289eeff", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--9cf83701-a347-47b4-a67b-280df95b275d.json b/ics-attack/relationship/relationship--9cf83701-a347-47b4-a67b-280df95b275d.json index 602e10f345..e4d1150f79 100644 --- a/ics-attack/relationship/relationship--9cf83701-a347-47b4-a67b-280df95b275d.json +++ b/ics-attack/relationship/relationship--9cf83701-a347-47b4-a67b-280df95b275d.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--32888ef1-a168-42e2-acc6-256ffde835ca", + "id": "bundle--9a118203-12ec-4be9-af5f-fbe68b10b7da", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--9d4be020-4ab0-4f10-9a20-ae8a2886038f.json b/ics-attack/relationship/relationship--9d4be020-4ab0-4f10-9a20-ae8a2886038f.json index 9933cb65f0..f26ba9d1e6 100644 --- a/ics-attack/relationship/relationship--9d4be020-4ab0-4f10-9a20-ae8a2886038f.json +++ b/ics-attack/relationship/relationship--9d4be020-4ab0-4f10-9a20-ae8a2886038f.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--e93e21ab-a36c-4045-b834-dc3eef0a4ad4", + "id": "bundle--ca0f3540-8d0a-4048-9814-92e5d6458842", "spec_version": "2.0", "objects": [ { 
diff --git a/ics-attack/relationship/relationship--9d5b9b9c-058f-4782-80aa-9d501442a03d.json b/ics-attack/relationship/relationship--9d5b9b9c-058f-4782-80aa-9d501442a03d.json index 57f310cbe5..f32a250d33 100644 --- a/ics-attack/relationship/relationship--9d5b9b9c-058f-4782-80aa-9d501442a03d.json +++ b/ics-attack/relationship/relationship--9d5b9b9c-058f-4782-80aa-9d501442a03d.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--eaa4d6fc-7424-4915-b70b-bb9bccb8f9a3", + "id": "bundle--1733b46f-7e85-4bc5-9679-887c23ffce6f", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--9d6f9bba-dd79-4cb6-a0f3-1284e58a6236.json b/ics-attack/relationship/relationship--9d6f9bba-dd79-4cb6-a0f3-1284e58a6236.json index 4d739ccbcc..2b61d57479 100644 --- a/ics-attack/relationship/relationship--9d6f9bba-dd79-4cb6-a0f3-1284e58a6236.json +++ b/ics-attack/relationship/relationship--9d6f9bba-dd79-4cb6-a0f3-1284e58a6236.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--8a67faff-6ca8-4c7e-9aba-e8abb586a2f1", + "id": "bundle--6a7307fa-bd3d-42f4-a818-1c790253e66e", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--9d75333b-2542-4899-923f-55dc1e077a51.json b/ics-attack/relationship/relationship--9d75333b-2542-4899-923f-55dc1e077a51.json index 7876649a38..a764d984ed 100644 --- a/ics-attack/relationship/relationship--9d75333b-2542-4899-923f-55dc1e077a51.json +++ b/ics-attack/relationship/relationship--9d75333b-2542-4899-923f-55dc1e077a51.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--d97e8e09-ae86-4a22-99a1-f534ca4427c5", + "id": "bundle--5d0f4f2a-d0de-410e-99b3-8d51ecf669a7", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--9d9cd365-8cfe-403f-8ecb-3c23650c13c3.json b/ics-attack/relationship/relationship--9d9cd365-8cfe-403f-8ecb-3c23650c13c3.json index 15ca9a8a0b..4459135ec8 100644 
--- a/ics-attack/relationship/relationship--9d9cd365-8cfe-403f-8ecb-3c23650c13c3.json +++ b/ics-attack/relationship/relationship--9d9cd365-8cfe-403f-8ecb-3c23650c13c3.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--1dd9278b-09bf-4b32-85a4-038d30d7a54b", + "id": "bundle--5c62a425-20f8-4bd6-bcc1-9b38dfd3b410", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--9db1ecfe-72eb-42da-a09e-746663a53854.json b/ics-attack/relationship/relationship--9db1ecfe-72eb-42da-a09e-746663a53854.json index 46eadfb76e..b7b2642a76 100644 --- a/ics-attack/relationship/relationship--9db1ecfe-72eb-42da-a09e-746663a53854.json +++ b/ics-attack/relationship/relationship--9db1ecfe-72eb-42da-a09e-746663a53854.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--34ad91e5-cab0-414c-ae0c-145dcbda705f", + "id": "bundle--f8b73c9f-0dff-4214-9404-ccde85a9c873", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--9e0810a5-ad02-487f-b0a8-bf07decca493.json b/ics-attack/relationship/relationship--9e0810a5-ad02-487f-b0a8-bf07decca493.json index 7720926333..e431f9d519 100644 --- a/ics-attack/relationship/relationship--9e0810a5-ad02-487f-b0a8-bf07decca493.json +++ b/ics-attack/relationship/relationship--9e0810a5-ad02-487f-b0a8-bf07decca493.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--b9c3135f-5531-4fe5-afaa-504bcd1619f0", + "id": "bundle--b262e22a-4d4c-4fe3-b8f2-546730272979", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--9e8990f9-475b-43fe-91fb-25cc0634f0aa.json b/ics-attack/relationship/relationship--9e8990f9-475b-43fe-91fb-25cc0634f0aa.json index 20a9d49105..35e6326393 100644 --- a/ics-attack/relationship/relationship--9e8990f9-475b-43fe-91fb-25cc0634f0aa.json +++ b/ics-attack/relationship/relationship--9e8990f9-475b-43fe-91fb-25cc0634f0aa.json 
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--414fdc10-01de-44c5-9598-854f3a25c21e", + "id": "bundle--0ec6c20d-9966-4560-b300-240a2aafce1c", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--9f07c92a-78a0-438a-8cb2-01e2bddaeb42.json b/ics-attack/relationship/relationship--9f07c92a-78a0-438a-8cb2-01e2bddaeb42.json index 6e1d5fc1d2..5b33dbfa43 100644 --- a/ics-attack/relationship/relationship--9f07c92a-78a0-438a-8cb2-01e2bddaeb42.json +++ b/ics-attack/relationship/relationship--9f07c92a-78a0-438a-8cb2-01e2bddaeb42.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--7dfe61ce-7c85-482f-a55d-2872177b424b", + "id": "bundle--7dc58e9c-8e02-426b-9cc4-48d67b5d79e8", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--9f25cdae-7d0f-49cd-acaf-481f71195ae5.json b/ics-attack/relationship/relationship--9f25cdae-7d0f-49cd-acaf-481f71195ae5.json index 3b95c41452..0b1eb2fc6e 100644 --- a/ics-attack/relationship/relationship--9f25cdae-7d0f-49cd-acaf-481f71195ae5.json +++ b/ics-attack/relationship/relationship--9f25cdae-7d0f-49cd-acaf-481f71195ae5.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--0b090507-81cf-458a-85da-03795391ee34", + "id": "bundle--48379022-047a-4a43-80d8-bca0e90db984", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--9fa31b58-d4f3-43e4-b5b2-cafcd0c6a99d.json b/ics-attack/relationship/relationship--9fa31b58-d4f3-43e4-b5b2-cafcd0c6a99d.json index 2e353465cc..b16b9eae71 100644 --- a/ics-attack/relationship/relationship--9fa31b58-d4f3-43e4-b5b2-cafcd0c6a99d.json +++ b/ics-attack/relationship/relationship--9fa31b58-d4f3-43e4-b5b2-cafcd0c6a99d.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--9a569b93-3817-429f-93f2-a6fc909f0939", + "id": "bundle--0532cb9f-da85-45e1-9249-93b1ec162371", "spec_version": "2.0", "objects": [ { 
diff --git a/ics-attack/relationship/relationship--9fb2a9b2-3b25-4f77-9f7a-e832b2e5071a.json b/ics-attack/relationship/relationship--9fb2a9b2-3b25-4f77-9f7a-e832b2e5071a.json index e67ee0e4e9..793fde32bb 100644 --- a/ics-attack/relationship/relationship--9fb2a9b2-3b25-4f77-9f7a-e832b2e5071a.json +++ b/ics-attack/relationship/relationship--9fb2a9b2-3b25-4f77-9f7a-e832b2e5071a.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--0906b1c8-0a95-48d5-9d41-fab6a7463502", + "id": "bundle--7c9f9172-ef55-48d9-8c82-f251ba56196e", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--9ffc1ecb-09de-4841-a1f6-ebd1f3be7cea.json b/ics-attack/relationship/relationship--9ffc1ecb-09de-4841-a1f6-ebd1f3be7cea.json index 183abc5bb7..5884f67c88 100644 --- a/ics-attack/relationship/relationship--9ffc1ecb-09de-4841-a1f6-ebd1f3be7cea.json +++ b/ics-attack/relationship/relationship--9ffc1ecb-09de-4841-a1f6-ebd1f3be7cea.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--65d5d025-2c43-43db-83cb-0431f8497539", + "id": "bundle--3c181b42-f22d-42ae-9375-968e1d286282", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--a04169ed-c16b-466b-80ef-22a11067f475.json b/ics-attack/relationship/relationship--a04169ed-c16b-466b-80ef-22a11067f475.json index aed26dc156..12f5ba7ccd 100644 --- a/ics-attack/relationship/relationship--a04169ed-c16b-466b-80ef-22a11067f475.json +++ b/ics-attack/relationship/relationship--a04169ed-c16b-466b-80ef-22a11067f475.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--359639e7-b38c-4a53-94e2-36b898c2060f", + "id": "bundle--fc71d332-8054-494b-a1c0-e2ebb42e7901", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--a08d85dd-a8b3-4848-94aa-941c43b6d8f2.json b/ics-attack/relationship/relationship--a08d85dd-a8b3-4848-94aa-941c43b6d8f2.json index 5aee37d77a..d98868c3d8 100644 
--- a/ics-attack/relationship/relationship--a08d85dd-a8b3-4848-94aa-941c43b6d8f2.json +++ b/ics-attack/relationship/relationship--a08d85dd-a8b3-4848-94aa-941c43b6d8f2.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--f2c04386-fa1a-45c3-ab5e-a8b75ca8416c", + "id": "bundle--5ac9ea1b-a98e-4af4-a6a5-a906ccfe1921", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--a1383f2a-2ee2-47df-a661-8904a7535e0c.json b/ics-attack/relationship/relationship--a1383f2a-2ee2-47df-a661-8904a7535e0c.json index d63d4acc19..fcc51060dc 100644 --- a/ics-attack/relationship/relationship--a1383f2a-2ee2-47df-a661-8904a7535e0c.json +++ b/ics-attack/relationship/relationship--a1383f2a-2ee2-47df-a661-8904a7535e0c.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--9be3999f-67f3-4377-a068-b9d4efbe3795", + "id": "bundle--5d4a71ab-873a-452f-a8e6-0ae55ba56b5d", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--a1454196-0d86-49f2-8dcb-61145a16b21e.json b/ics-attack/relationship/relationship--a1454196-0d86-49f2-8dcb-61145a16b21e.json index 4279f93368..2712b8296a 100644 --- a/ics-attack/relationship/relationship--a1454196-0d86-49f2-8dcb-61145a16b21e.json +++ b/ics-attack/relationship/relationship--a1454196-0d86-49f2-8dcb-61145a16b21e.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--aa401773-e1d3-4d6f-a5d1-95024bf7d2d1", + "id": "bundle--013a35f7-0e83-49e4-8891-f7dff1cd793b", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--a1cbbdb5-30ad-4139-9784-e5a134f8d405.json b/ics-attack/relationship/relationship--a1cbbdb5-30ad-4139-9784-e5a134f8d405.json index 50f5f569c5..99fdf5c73b 100644 --- a/ics-attack/relationship/relationship--a1cbbdb5-30ad-4139-9784-e5a134f8d405.json +++ b/ics-attack/relationship/relationship--a1cbbdb5-30ad-4139-9784-e5a134f8d405.json 
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--087f68bd-e43b-4d96-9f32-2d833c4b16a4", + "id": "bundle--8983ece2-ca1e-40cc-bc25-b08a50c1fdaa", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--a2142552-6b8d-4751-a3d4-1471420c02fc.json b/ics-attack/relationship/relationship--a2142552-6b8d-4751-a3d4-1471420c02fc.json index d30cddd225..ad17be010a 100644 --- a/ics-attack/relationship/relationship--a2142552-6b8d-4751-a3d4-1471420c02fc.json +++ b/ics-attack/relationship/relationship--a2142552-6b8d-4751-a3d4-1471420c02fc.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--42e78dc1-bb2b-4438-9ab1-038a370190f2", + "id": "bundle--de481b89-04c9-4926-9a72-b41f67f4de31", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--a22fabd2-836e-4141-9219-c76cc10138ec.json b/ics-attack/relationship/relationship--a22fabd2-836e-4141-9219-c76cc10138ec.json index 342465a728..1a7738840f 100644 --- a/ics-attack/relationship/relationship--a22fabd2-836e-4141-9219-c76cc10138ec.json +++ b/ics-attack/relationship/relationship--a22fabd2-836e-4141-9219-c76cc10138ec.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--0bd6eb42-be91-4d7d-aaf7-f593732be769", + "id": "bundle--3d4f6b62-dde4-4833-983c-1834d6992e90", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--a28ecd81-a7dd-404c-9d7b-ce670b0fc83b.json b/ics-attack/relationship/relationship--a28ecd81-a7dd-404c-9d7b-ce670b0fc83b.json index 3c90b09c70..4db4074be1 100644 --- a/ics-attack/relationship/relationship--a28ecd81-a7dd-404c-9d7b-ce670b0fc83b.json +++ b/ics-attack/relationship/relationship--a28ecd81-a7dd-404c-9d7b-ce670b0fc83b.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--c1d68369-ffb0-43c0-ad74-ca8f8e556430", + "id": "bundle--e900a07d-7bcb-41e1-a86c-e1d9cb73a0d5", "spec_version": "2.0", "objects": [ { 
diff --git a/ics-attack/relationship/relationship--a47cd7b9-2b73-480c-a8ab-2dfa908e02ea.json b/ics-attack/relationship/relationship--a47cd7b9-2b73-480c-a8ab-2dfa908e02ea.json index 8104a199fd..a973f65fd5 100644 --- a/ics-attack/relationship/relationship--a47cd7b9-2b73-480c-a8ab-2dfa908e02ea.json +++ b/ics-attack/relationship/relationship--a47cd7b9-2b73-480c-a8ab-2dfa908e02ea.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--a014a240-5f50-4568-bd31-f21f8f461686", + "id": "bundle--ab5b9e35-50e2-49ed-9f0c-f4a35dde5861", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--a4c81fe6-1ad9-4bba-a415-a3c099eaa2be.json b/ics-attack/relationship/relationship--a4c81fe6-1ad9-4bba-a415-a3c099eaa2be.json index 2294cc2444..bea44a547a 100644 --- a/ics-attack/relationship/relationship--a4c81fe6-1ad9-4bba-a415-a3c099eaa2be.json +++ b/ics-attack/relationship/relationship--a4c81fe6-1ad9-4bba-a415-a3c099eaa2be.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--9d7bd116-ff69-4ccf-a242-3a99408aab40", + "id": "bundle--b3c8d5dc-64a3-48f0-88e1-08e2c4fff0d7", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--a618d7e4-23f0-4b8c-9f09-78d04ea7fc55.json b/ics-attack/relationship/relationship--a618d7e4-23f0-4b8c-9f09-78d04ea7fc55.json index ec01a7235a..7257347ad2 100644 --- a/ics-attack/relationship/relationship--a618d7e4-23f0-4b8c-9f09-78d04ea7fc55.json +++ b/ics-attack/relationship/relationship--a618d7e4-23f0-4b8c-9f09-78d04ea7fc55.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--16f266a8-02aa-465a-a3a5-e314e674320e", + "id": "bundle--7419fe46-46af-4b7e-8e97-2fd41e827929", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--a6519c11-e9d4-4b6f-8d92-8efaa2144c28.json b/ics-attack/relationship/relationship--a6519c11-e9d4-4b6f-8d92-8efaa2144c28.json index 844d9b7b90..b65fb94309 100644 
--- a/ics-attack/relationship/relationship--a6519c11-e9d4-4b6f-8d92-8efaa2144c28.json +++ b/ics-attack/relationship/relationship--a6519c11-e9d4-4b6f-8d92-8efaa2144c28.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--8e94179f-f0aa-487c-944f-230527793fe1", + "id": "bundle--6158acaf-4592-4cbc-960a-e6df3d3dfc5d", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--a6d8b66d-fc10-404f-b0ae-e8c66506b818.json b/ics-attack/relationship/relationship--a6d8b66d-fc10-404f-b0ae-e8c66506b818.json index d90b11e032..2af2fe254f 100644 --- a/ics-attack/relationship/relationship--a6d8b66d-fc10-404f-b0ae-e8c66506b818.json +++ b/ics-attack/relationship/relationship--a6d8b66d-fc10-404f-b0ae-e8c66506b818.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--0e12aaaf-92b7-4055-a9ac-e79f26e5266e", + "id": "bundle--a5497249-e3f0-48e5-9496-b0e86f7d0559", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--a731ad54-0c3c-47bb-9559-d99950782beb.json b/ics-attack/relationship/relationship--a731ad54-0c3c-47bb-9559-d99950782beb.json index 7884e52c14..dc172ffb8f 100644 --- a/ics-attack/relationship/relationship--a731ad54-0c3c-47bb-9559-d99950782beb.json +++ b/ics-attack/relationship/relationship--a731ad54-0c3c-47bb-9559-d99950782beb.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--4ac4bc33-3b2f-4616-9766-8aec1017f1e5", + "id": "bundle--e9e74db4-13f4-4fd6-b243-01264cfc565f", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--a74c14e2-eb8a-47bb-b64d-20aad9154297.json b/ics-attack/relationship/relationship--a74c14e2-eb8a-47bb-b64d-20aad9154297.json index 4a2eaf859e..e46a4ca943 100644 --- a/ics-attack/relationship/relationship--a74c14e2-eb8a-47bb-b64d-20aad9154297.json +++ b/ics-attack/relationship/relationship--a74c14e2-eb8a-47bb-b64d-20aad9154297.json 
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--0dfdb3d5-21a8-4ce1-b87f-e468a4a7194c", + "id": "bundle--f1fb088d-7cda-4548-8cdc-897acb460a61", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--a75ddacf-e87e-4a99-83f2-618486473163.json b/ics-attack/relationship/relationship--a75ddacf-e87e-4a99-83f2-618486473163.json index 4e7cab19b6..9f77fc4829 100644 --- a/ics-attack/relationship/relationship--a75ddacf-e87e-4a99-83f2-618486473163.json +++ b/ics-attack/relationship/relationship--a75ddacf-e87e-4a99-83f2-618486473163.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--8848af46-4151-442e-897f-cbbf158ebc22", + "id": "bundle--c4cc570d-e316-42f2-9169-92355e43a2da", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--a78e727c-8e42-448c-beb4-463804e18be0.json b/ics-attack/relationship/relationship--a78e727c-8e42-448c-beb4-463804e18be0.json index 5cf90cf04a..a7afc9d743 100644 --- a/ics-attack/relationship/relationship--a78e727c-8e42-448c-beb4-463804e18be0.json +++ b/ics-attack/relationship/relationship--a78e727c-8e42-448c-beb4-463804e18be0.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--2d800782-606a-48ae-b824-78e3a9fd4d86", + "id": "bundle--cf403414-5688-4ae0-b56c-41da33b60dfc", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--a7a4b080-e4a6-4c46-b2c7-84119df76393.json b/ics-attack/relationship/relationship--a7a4b080-e4a6-4c46-b2c7-84119df76393.json index 4ca876fd05..ab2fd82094 100644 --- a/ics-attack/relationship/relationship--a7a4b080-e4a6-4c46-b2c7-84119df76393.json +++ b/ics-attack/relationship/relationship--a7a4b080-e4a6-4c46-b2c7-84119df76393.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--bc3c42b2-152a-4a0f-a7f2-77d04573e00c", + "id": "bundle--a8c2f144-22e8-485e-977a-0f933ccc9899", "spec_version": "2.0", "objects": [ { 
diff --git a/ics-attack/relationship/relationship--a7ca9443-f833-4636-9c30-fcaddd3516c6.json b/ics-attack/relationship/relationship--a7ca9443-f833-4636-9c30-fcaddd3516c6.json index 1a4db6a73c..1af8d7e261 100644 --- a/ics-attack/relationship/relationship--a7ca9443-f833-4636-9c30-fcaddd3516c6.json +++ b/ics-attack/relationship/relationship--a7ca9443-f833-4636-9c30-fcaddd3516c6.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--c2b31252-6a3b-44d3-805c-28f8fef76639", + "id": "bundle--2b76be40-0e89-4d5f-9b36-d2ad506a37d7", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--a7caa7f2-cfb9-4fc9-ae8d-49349b6c260f.json b/ics-attack/relationship/relationship--a7caa7f2-cfb9-4fc9-ae8d-49349b6c260f.json index 61ae715a37..04d15ebfdc 100644 --- a/ics-attack/relationship/relationship--a7caa7f2-cfb9-4fc9-ae8d-49349b6c260f.json +++ b/ics-attack/relationship/relationship--a7caa7f2-cfb9-4fc9-ae8d-49349b6c260f.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--7b4029aa-d618-490a-88f5-da419eb83671", + "id": "bundle--4e6d03d4-2021-499d-97f9-7ae8fbcb88ac", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--a7fb3abd-c800-408e-8329-2a4f6256ea4a.json b/ics-attack/relationship/relationship--a7fb3abd-c800-408e-8329-2a4f6256ea4a.json index 4d467a8acd..576f1c8bc2 100644 --- a/ics-attack/relationship/relationship--a7fb3abd-c800-408e-8329-2a4f6256ea4a.json +++ b/ics-attack/relationship/relationship--a7fb3abd-c800-408e-8329-2a4f6256ea4a.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--4c064709-95d8-4f55-b030-808db38fbf2a", + "id": "bundle--96f582cf-a528-4cca-bb08-31318fd5467e", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--a7fbe555-a61b-4b93-bfb2-8e0dd0d6323e.json b/ics-attack/relationship/relationship--a7fbe555-a61b-4b93-bfb2-8e0dd0d6323e.json index 2bcb3f36d9..3dec75145d 100644 
--- a/ics-attack/relationship/relationship--a7fbe555-a61b-4b93-bfb2-8e0dd0d6323e.json +++ b/ics-attack/relationship/relationship--a7fbe555-a61b-4b93-bfb2-8e0dd0d6323e.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--189a7def-f516-4c16-99c0-3616c5a8cd0c", + "id": "bundle--37759cb4-ac9c-402b-8693-a66180025908", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--a82e9f8a-f81e-407a-b284-e0ae5f055c61.json b/ics-attack/relationship/relationship--a82e9f8a-f81e-407a-b284-e0ae5f055c61.json index fe024a1043..4801916835 100644 --- a/ics-attack/relationship/relationship--a82e9f8a-f81e-407a-b284-e0ae5f055c61.json +++ b/ics-attack/relationship/relationship--a82e9f8a-f81e-407a-b284-e0ae5f055c61.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--ea35b371-161f-4261-9f59-206c81f5db1a", + "id": "bundle--ee076b34-eb33-46c7-8696-7ae915703451", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--a846dbe5-9ef3-4fb6-93d5-f764671a75c8.json b/ics-attack/relationship/relationship--a846dbe5-9ef3-4fb6-93d5-f764671a75c8.json index 29e1458fbb..74fa8c323d 100644 --- a/ics-attack/relationship/relationship--a846dbe5-9ef3-4fb6-93d5-f764671a75c8.json +++ b/ics-attack/relationship/relationship--a846dbe5-9ef3-4fb6-93d5-f764671a75c8.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--88b4bafa-446c-45ba-9065-605c27f7acf3", + "id": "bundle--8ac32c70-64ac-4e9b-a5e4-6e9d7659cb0f", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--a847aa03-ea56-47d1-8f4e-f9e0dd9707a0.json b/ics-attack/relationship/relationship--a847aa03-ea56-47d1-8f4e-f9e0dd9707a0.json index 32c591e741..abecebba23 100644 --- a/ics-attack/relationship/relationship--a847aa03-ea56-47d1-8f4e-f9e0dd9707a0.json +++ b/ics-attack/relationship/relationship--a847aa03-ea56-47d1-8f4e-f9e0dd9707a0.json 
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--57858e69-cd59-45c9-bb80-d197cb0681a2", + "id": "bundle--12d47e96-22cd-406e-839d-75d7cd3237c9", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--a86cee0a-dc49-4c95-b5dc-37405337490b.json b/ics-attack/relationship/relationship--a86cee0a-dc49-4c95-b5dc-37405337490b.json index 5a0d6906d1..fbfac2167e 100644 --- a/ics-attack/relationship/relationship--a86cee0a-dc49-4c95-b5dc-37405337490b.json +++ b/ics-attack/relationship/relationship--a86cee0a-dc49-4c95-b5dc-37405337490b.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--63714e98-d855-4d70-9b05-0932ac66aee4", + "id": "bundle--48de24a2-ea5f-4fe9-a0f3-45549b99b81d", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--a91002fe-21b2-4417-9c23-af712a7a035c.json b/ics-attack/relationship/relationship--a91002fe-21b2-4417-9c23-af712a7a035c.json index d7211813b2..9b39260ee3 100644 --- a/ics-attack/relationship/relationship--a91002fe-21b2-4417-9c23-af712a7a035c.json +++ b/ics-attack/relationship/relationship--a91002fe-21b2-4417-9c23-af712a7a035c.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--f6e41f70-71e6-4934-ad12-7b85c2d615ee", + "id": "bundle--7123102e-343e-4789-a970-83b08f23f768", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--a946c9b1-5b89-44c9-b617-3412ffda34b9.json b/ics-attack/relationship/relationship--a946c9b1-5b89-44c9-b617-3412ffda34b9.json index a001638d5b..7ec83a079a 100644 --- a/ics-attack/relationship/relationship--a946c9b1-5b89-44c9-b617-3412ffda34b9.json +++ b/ics-attack/relationship/relationship--a946c9b1-5b89-44c9-b617-3412ffda34b9.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--a5ff9e22-810b-477d-9dee-631aaa541f20", + "id": "bundle--019ab97d-30c7-4e7e-ac3d-899a9c38d3ac", "spec_version": "2.0", "objects": [ { 
diff --git a/ics-attack/relationship/relationship--aa205915-7571-47ee-8bc6-5aa1ace86690.json b/ics-attack/relationship/relationship--aa205915-7571-47ee-8bc6-5aa1ace86690.json index 667e43bb15..7f27ea963f 100644 --- a/ics-attack/relationship/relationship--aa205915-7571-47ee-8bc6-5aa1ace86690.json +++ b/ics-attack/relationship/relationship--aa205915-7571-47ee-8bc6-5aa1ace86690.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--84d1e5df-adf0-4361-a4c6-731498f63069", + "id": "bundle--4d578089-3a9e-477e-bf11-10b89d244a71", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--aa726ced-f2ac-4113-8d05-8687b7d7ff91.json b/ics-attack/relationship/relationship--aa726ced-f2ac-4113-8d05-8687b7d7ff91.json index 473236c1c3..b4ad59816f 100644 --- a/ics-attack/relationship/relationship--aa726ced-f2ac-4113-8d05-8687b7d7ff91.json +++ b/ics-attack/relationship/relationship--aa726ced-f2ac-4113-8d05-8687b7d7ff91.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--8085f3b5-0a1e-4d5f-a865-8b3142334779", + "id": "bundle--4490912e-e3e1-4e06-b977-41b462483d51", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--aae5d42f-6bfc-44b6-8ff3-4b7abb4526ca.json b/ics-attack/relationship/relationship--aae5d42f-6bfc-44b6-8ff3-4b7abb4526ca.json index baf46b4f5b..162ddd0444 100644 --- a/ics-attack/relationship/relationship--aae5d42f-6bfc-44b6-8ff3-4b7abb4526ca.json +++ b/ics-attack/relationship/relationship--aae5d42f-6bfc-44b6-8ff3-4b7abb4526ca.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--446b6ebd-ebc1-4b30-88ca-825acd26a468", + "id": "bundle--cc972163-afe2-4d95-ad5d-1ef9a9260466", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--aaffd26a-728d-42a0-9d1f-423231c55f3e.json b/ics-attack/relationship/relationship--aaffd26a-728d-42a0-9d1f-423231c55f3e.json index e3c812d0b3..0f0521c941 100644 
--- a/ics-attack/relationship/relationship--aaffd26a-728d-42a0-9d1f-423231c55f3e.json +++ b/ics-attack/relationship/relationship--aaffd26a-728d-42a0-9d1f-423231c55f3e.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--960c35ff-25f7-4682-a768-1fe837cf58e6", + "id": "bundle--d3091ea9-9141-4454-8b55-a10aa316f7b8", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--ab0b5170-577b-491e-8508-b9a34dc393c1.json b/ics-attack/relationship/relationship--ab0b5170-577b-491e-8508-b9a34dc393c1.json index 8c5d335d3e..2017cac039 100644 --- a/ics-attack/relationship/relationship--ab0b5170-577b-491e-8508-b9a34dc393c1.json +++ b/ics-attack/relationship/relationship--ab0b5170-577b-491e-8508-b9a34dc393c1.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--98ad8fa0-1660-459d-beb5-ce4ea2dd38a3", + "id": "bundle--0f1f8e75-c5ed-441a-9d54-83f63085bdce", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--ab306654-2abb-4983-8d30-df4058adb06c.json b/ics-attack/relationship/relationship--ab306654-2abb-4983-8d30-df4058adb06c.json index 58df5fd470..de7ea5f00c 100644 --- a/ics-attack/relationship/relationship--ab306654-2abb-4983-8d30-df4058adb06c.json +++ b/ics-attack/relationship/relationship--ab306654-2abb-4983-8d30-df4058adb06c.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--10c13606-30fd-492d-95d4-d2a9df4eb62f", + "id": "bundle--d41dd84b-4e0e-4ce6-b050-a59afe4f0425", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--ab60fe4a-5860-410a-8bca-2cdbea95e5f8.json b/ics-attack/relationship/relationship--ab60fe4a-5860-410a-8bca-2cdbea95e5f8.json index efe214fe9b..1b1aa0df6a 100644 --- a/ics-attack/relationship/relationship--ab60fe4a-5860-410a-8bca-2cdbea95e5f8.json +++ b/ics-attack/relationship/relationship--ab60fe4a-5860-410a-8bca-2cdbea95e5f8.json 
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--2f1e0b72-700f-46fd-bce1-2ec5907764af", + "id": "bundle--5fecbc39-a34c-4182-8cc5-ce8b4132aed6", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--ab8e129c-5411-4784-9194-068fa915da23.json b/ics-attack/relationship/relationship--ab8e129c-5411-4784-9194-068fa915da23.json index 82c21ee267..e6543a7733 100644 --- a/ics-attack/relationship/relationship--ab8e129c-5411-4784-9194-068fa915da23.json +++ b/ics-attack/relationship/relationship--ab8e129c-5411-4784-9194-068fa915da23.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--8e4921f0-3438-4101-9d4e-ff02ef6cde0f", + "id": "bundle--3019d19c-a361-4c56-83fe-10c52ac44064", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--ad7770c3-fe24-4285-9ce2-1616a1061472.json b/ics-attack/relationship/relationship--ad7770c3-fe24-4285-9ce2-1616a1061472.json index 9cb905ef9d..b8374e3497 100644 --- a/ics-attack/relationship/relationship--ad7770c3-fe24-4285-9ce2-1616a1061472.json +++ b/ics-attack/relationship/relationship--ad7770c3-fe24-4285-9ce2-1616a1061472.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--660233b6-a45b-4f21-85c9-1d475c1b2635", + "id": "bundle--96fdfdc5-7dc7-443c-b6a8-830d16d52370", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--ad77a940-150c-4d73-bf5a-1df2d9436f9c.json b/ics-attack/relationship/relationship--ad77a940-150c-4d73-bf5a-1df2d9436f9c.json index 6a9bfd04c7..db4d77d5b6 100644 --- a/ics-attack/relationship/relationship--ad77a940-150c-4d73-bf5a-1df2d9436f9c.json +++ b/ics-attack/relationship/relationship--ad77a940-150c-4d73-bf5a-1df2d9436f9c.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--3389df63-ebd3-42ed-8003-809b6ae71a9e", + "id": "bundle--f531e186-4859-4997-baab-455b8963b098", "spec_version": "2.0", "objects": [ { 
diff --git a/ics-attack/relationship/relationship--ad7fd147-066e-4ed5-aa9d-7b2f1771150d.json b/ics-attack/relationship/relationship--ad7fd147-066e-4ed5-aa9d-7b2f1771150d.json index 02b737ed11..509f52edae 100644 --- a/ics-attack/relationship/relationship--ad7fd147-066e-4ed5-aa9d-7b2f1771150d.json +++ b/ics-attack/relationship/relationship--ad7fd147-066e-4ed5-aa9d-7b2f1771150d.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--37824b01-2b0c-487f-81a3-625b8309daee", + "id": "bundle--f24797a8-0f27-4578-aba8-9989f5b32983", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--ade12d27-13bb-4ebf-be08-7039cf699682.json b/ics-attack/relationship/relationship--ade12d27-13bb-4ebf-be08-7039cf699682.json index edc5e4369b..adafa00628 100644 --- a/ics-attack/relationship/relationship--ade12d27-13bb-4ebf-be08-7039cf699682.json +++ b/ics-attack/relationship/relationship--ade12d27-13bb-4ebf-be08-7039cf699682.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--8b14daac-18fa-40f0-88c2-6dd815fe3c5f", + "id": "bundle--30156650-223b-4a83-b513-e8bd547de280", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--ae10e97a-90ac-498b-8601-01081dc4af8b.json b/ics-attack/relationship/relationship--ae10e97a-90ac-498b-8601-01081dc4af8b.json index df9a92b198..82b7012467 100644 --- a/ics-attack/relationship/relationship--ae10e97a-90ac-498b-8601-01081dc4af8b.json +++ b/ics-attack/relationship/relationship--ae10e97a-90ac-498b-8601-01081dc4af8b.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--723fe50c-f228-4285-8406-ba87794fbf28", + "id": "bundle--60b44aa2-55a8-4147-94c1-6591b49f3437", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--ae7487f1-a2d0-443d-b418-cd726c5ac15f.json b/ics-attack/relationship/relationship--ae7487f1-a2d0-443d-b418-cd726c5ac15f.json index 3e741f3ad3..23ef71a39b 100644 
--- a/ics-attack/relationship/relationship--ae7487f1-a2d0-443d-b418-cd726c5ac15f.json +++ b/ics-attack/relationship/relationship--ae7487f1-a2d0-443d-b418-cd726c5ac15f.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--22df4c0b-91f6-4fa0-ae35-5e66abe3d0d1", + "id": "bundle--6c9ed775-c90c-4faf-85b6-38ffcc16fa0c", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--af24e067-966d-41f8-b1ea-5a6e11ff1a2a.json b/ics-attack/relationship/relationship--af24e067-966d-41f8-b1ea-5a6e11ff1a2a.json index 929197554c..0d2d8431d7 100644 --- a/ics-attack/relationship/relationship--af24e067-966d-41f8-b1ea-5a6e11ff1a2a.json +++ b/ics-attack/relationship/relationship--af24e067-966d-41f8-b1ea-5a6e11ff1a2a.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--b1d7cf36-dd47-4c71-a936-214ecc597e59", + "id": "bundle--510e9ef2-98af-4beb-a348-aa94294509ba", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--afb0b60e-e604-4b96-abb9-57fdce4e5108.json b/ics-attack/relationship/relationship--afb0b60e-e604-4b96-abb9-57fdce4e5108.json index f3fd502dac..2a818a500d 100644 --- a/ics-attack/relationship/relationship--afb0b60e-e604-4b96-abb9-57fdce4e5108.json +++ b/ics-attack/relationship/relationship--afb0b60e-e604-4b96-abb9-57fdce4e5108.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--91fbd8ce-ce72-4c31-ae6e-60910d10505d", + "id": "bundle--8e26c313-948e-4b9c-8659-0565692f9400", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--afd63145-6033-49e4-ad43-d0b35fa5ed88.json b/ics-attack/relationship/relationship--afd63145-6033-49e4-ad43-d0b35fa5ed88.json index 8d053e15d5..1de7405640 100644 --- a/ics-attack/relationship/relationship--afd63145-6033-49e4-ad43-d0b35fa5ed88.json +++ b/ics-attack/relationship/relationship--afd63145-6033-49e4-ad43-d0b35fa5ed88.json 
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--e2c42261-b293-4d7e-8747-9502217a1559", + "id": "bundle--155bea86-f0c1-49d0-9a8b-795ed260a154", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--b064068a-9e17-4ac8-9a92-a1338d7196c7.json b/ics-attack/relationship/relationship--b064068a-9e17-4ac8-9a92-a1338d7196c7.json index cfea8ad943..65ee5c91a1 100644 --- a/ics-attack/relationship/relationship--b064068a-9e17-4ac8-9a92-a1338d7196c7.json +++ b/ics-attack/relationship/relationship--b064068a-9e17-4ac8-9a92-a1338d7196c7.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--86729de1-5a15-4a87-9600-ccbc3b7d096d", + "id": "bundle--46f2debd-6550-4786-902f-763933b5dbee", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--b0f137d8-3c56-4f6c-9d59-1ec231d61391.json b/ics-attack/relationship/relationship--b0f137d8-3c56-4f6c-9d59-1ec231d61391.json index 2484b60671..70e2c7f931 100644 --- a/ics-attack/relationship/relationship--b0f137d8-3c56-4f6c-9d59-1ec231d61391.json +++ b/ics-attack/relationship/relationship--b0f137d8-3c56-4f6c-9d59-1ec231d61391.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--a94567e3-5174-4103-8630-96c8f9e27952", + "id": "bundle--0d467f51-2cb6-405d-87ff-7a5a7ef144d9", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--b0fe8a56-cb76-4d79-9ba9-9358ef08aa08.json b/ics-attack/relationship/relationship--b0fe8a56-cb76-4d79-9ba9-9358ef08aa08.json index eeedff930e..730a1f4fd7 100644 --- a/ics-attack/relationship/relationship--b0fe8a56-cb76-4d79-9ba9-9358ef08aa08.json +++ b/ics-attack/relationship/relationship--b0fe8a56-cb76-4d79-9ba9-9358ef08aa08.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--0786d4a8-dbb1-4219-aa49-50ac164402dc", + "id": "bundle--9c773ab6-55be-42f0-a59a-e386028d59d6", "spec_version": "2.0", "objects": [ { 
diff --git a/ics-attack/relationship/relationship--b116fcca-e872-4735-b7e2-4e4c8e34621a.json b/ics-attack/relationship/relationship--b116fcca-e872-4735-b7e2-4e4c8e34621a.json index fadbcdb5a8..bfdb69102e 100644 --- a/ics-attack/relationship/relationship--b116fcca-e872-4735-b7e2-4e4c8e34621a.json +++ b/ics-attack/relationship/relationship--b116fcca-e872-4735-b7e2-4e4c8e34621a.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--c4fc2298-5097-448f-8276-faceb7eeb003", + "id": "bundle--b15f1ece-5b9e-4fb0-b911-82a65d28b234", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--b13417ea-d8da-497f-818f-d2d90562039a.json b/ics-attack/relationship/relationship--b13417ea-d8da-497f-818f-d2d90562039a.json index 9bd96bb203..41e72c9cdf 100644 --- a/ics-attack/relationship/relationship--b13417ea-d8da-497f-818f-d2d90562039a.json +++ b/ics-attack/relationship/relationship--b13417ea-d8da-497f-818f-d2d90562039a.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--bed5c1ad-eb9b-4e30-b423-2df878d8c6c5", + "id": "bundle--e8690527-2e46-44f3-b94e-26e68066ac87", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--b1768154-221c-48be-ab2b-549ec1eddafb.json b/ics-attack/relationship/relationship--b1768154-221c-48be-ab2b-549ec1eddafb.json index b1d86c6e72..3535371dcb 100644 --- a/ics-attack/relationship/relationship--b1768154-221c-48be-ab2b-549ec1eddafb.json +++ b/ics-attack/relationship/relationship--b1768154-221c-48be-ab2b-549ec1eddafb.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--8d98a661-46a4-4b71-af4c-3dbd3bd876d2", + "id": "bundle--d38790a6-f947-4d27-8378-c761b1f52517", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--b182692b-5eb3-4edc-b455-1f92d64b98ec.json b/ics-attack/relationship/relationship--b182692b-5eb3-4edc-b455-1f92d64b98ec.json index 1cfd925d0e..2c578ebb40 100644 
--- a/ics-attack/relationship/relationship--b182692b-5eb3-4edc-b455-1f92d64b98ec.json +++ b/ics-attack/relationship/relationship--b182692b-5eb3-4edc-b455-1f92d64b98ec.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--2096aebf-9184-4b76-a3d2-14a9746eec2e", + "id": "bundle--b8eda4b1-9f10-4f94-bb13-a401183470fd", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--b1d993d5-9e7e-4043-a651-07c7b5ad5a6b.json b/ics-attack/relationship/relationship--b1d993d5-9e7e-4043-a651-07c7b5ad5a6b.json index 3de69e8444..6b02832f3d 100644 --- a/ics-attack/relationship/relationship--b1d993d5-9e7e-4043-a651-07c7b5ad5a6b.json +++ b/ics-attack/relationship/relationship--b1d993d5-9e7e-4043-a651-07c7b5ad5a6b.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--ba2651a0-fe88-460a-b36a-c758d24d080a", + "id": "bundle--148ed7dd-ea50-4be1-bc5c-65b38b7225ec", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--b252a076-6d4e-49f5-95ac-16264ef05b1d.json b/ics-attack/relationship/relationship--b252a076-6d4e-49f5-95ac-16264ef05b1d.json index 8fdb57498a..aec2fc8d2f 100644 --- a/ics-attack/relationship/relationship--b252a076-6d4e-49f5-95ac-16264ef05b1d.json +++ b/ics-attack/relationship/relationship--b252a076-6d4e-49f5-95ac-16264ef05b1d.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--1602e649-14aa-4cec-ad01-062a32eb1ac4", + "id": "bundle--a126f4ad-f93b-49a9-88b0-d314f83142dd", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--b2d4989c-e2d1-40c4-b1d8-07834a71f26f.json b/ics-attack/relationship/relationship--b2d4989c-e2d1-40c4-b1d8-07834a71f26f.json index 7f39998d13..7150f5d70c 100644 --- a/ics-attack/relationship/relationship--b2d4989c-e2d1-40c4-b1d8-07834a71f26f.json +++ b/ics-attack/relationship/relationship--b2d4989c-e2d1-40c4-b1d8-07834a71f26f.json 
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--77dfdcdf-39ed-4cd6-b4fe-659f7fb49571", + "id": "bundle--835d1b4a-70cb-4137-aa6c-fbdac04057e9", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--b2defaaf-625d-416e-8a9d-8be6d89bacdc.json b/ics-attack/relationship/relationship--b2defaaf-625d-416e-8a9d-8be6d89bacdc.json index 32ec136a17..b4c854ef0d 100644 --- a/ics-attack/relationship/relationship--b2defaaf-625d-416e-8a9d-8be6d89bacdc.json +++ b/ics-attack/relationship/relationship--b2defaaf-625d-416e-8a9d-8be6d89bacdc.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--27f8456a-07c5-47d6-9229-e003460a395d", + "id": "bundle--ff8e3a99-c252-4246-8ea8-1eee291015fe", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--b2e10e48-8bd9-472a-9c6f-1d38650e8df1.json b/ics-attack/relationship/relationship--b2e10e48-8bd9-472a-9c6f-1d38650e8df1.json index 5330a203c2..4604cfd2ac 100644 --- a/ics-attack/relationship/relationship--b2e10e48-8bd9-472a-9c6f-1d38650e8df1.json +++ b/ics-attack/relationship/relationship--b2e10e48-8bd9-472a-9c6f-1d38650e8df1.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--7019ea8e-111b-4da3-bf11-6bd594d0cf7d", + "id": "bundle--db06ba31-4d3c-4a34-9b0f-974098bada26", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--b343e131-e448-46c6-815b-b86e4bd6d638.json b/ics-attack/relationship/relationship--b343e131-e448-46c6-815b-b86e4bd6d638.json index dd6ca5ae4d..006538f6b7 100644 --- a/ics-attack/relationship/relationship--b343e131-e448-46c6-815b-b86e4bd6d638.json +++ b/ics-attack/relationship/relationship--b343e131-e448-46c6-815b-b86e4bd6d638.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--2dba25f6-6553-4fa9-b88e-7086e0ad7af5", + "id": "bundle--059b0087-7670-47d3-88f3-09ca8c4fcb2c", "spec_version": "2.0", "objects": [ { 
diff --git a/ics-attack/relationship/relationship--b346eec8-de90-407c-b665-387086bb4553.json b/ics-attack/relationship/relationship--b346eec8-de90-407c-b665-387086bb4553.json index 379e52378d..39fa3bd4c5 100644 --- a/ics-attack/relationship/relationship--b346eec8-de90-407c-b665-387086bb4553.json +++ b/ics-attack/relationship/relationship--b346eec8-de90-407c-b665-387086bb4553.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--930a6865-4fb6-48ff-b39e-dae3afd261ec", + "id": "bundle--d43a0c92-57cd-4aad-bbc2-d105d11f2fb4", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--b349ef5f-4a05-4eef-afe4-1543b8c832fa.json b/ics-attack/relationship/relationship--b349ef5f-4a05-4eef-afe4-1543b8c832fa.json index 975c3769d4..cc586fdd83 100644 --- a/ics-attack/relationship/relationship--b349ef5f-4a05-4eef-afe4-1543b8c832fa.json +++ b/ics-attack/relationship/relationship--b349ef5f-4a05-4eef-afe4-1543b8c832fa.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--f1a59e11-ff74-4eda-b2d4-44feae14da1a", + "id": "bundle--ee6b8216-942b-4449-a19d-c03830442798", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--b363cbbb-679c-47e0-8ad0-af98ebf51e60.json b/ics-attack/relationship/relationship--b363cbbb-679c-47e0-8ad0-af98ebf51e60.json index 23a5461803..36b331ca92 100644 --- a/ics-attack/relationship/relationship--b363cbbb-679c-47e0-8ad0-af98ebf51e60.json +++ b/ics-attack/relationship/relationship--b363cbbb-679c-47e0-8ad0-af98ebf51e60.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--a3bb62a4-2fb8-44b7-a1b6-7f10c7bdcd55", + "id": "bundle--15a4459c-9a13-4bd6-bd22-b07fb11e9407", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--b3862aa6-7bd0-46a4-83b6-bb687bb7caa6.json b/ics-attack/relationship/relationship--b3862aa6-7bd0-46a4-83b6-bb687bb7caa6.json index fa4f16a4d9..a914ac27e0 100644 
--- a/ics-attack/relationship/relationship--b3862aa6-7bd0-46a4-83b6-bb687bb7caa6.json +++ b/ics-attack/relationship/relationship--b3862aa6-7bd0-46a4-83b6-bb687bb7caa6.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--578b3787-8087-4d7a-a3eb-38ccd75c94cc", + "id": "bundle--34c8271b-d1a8-4c89-acb3-9858a72550d1", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--b3b24837-83ed-46c5-ba80-66a832c7072e.json b/ics-attack/relationship/relationship--b3b24837-83ed-46c5-ba80-66a832c7072e.json index 7a73463786..33acbaad1d 100644 --- a/ics-attack/relationship/relationship--b3b24837-83ed-46c5-ba80-66a832c7072e.json +++ b/ics-attack/relationship/relationship--b3b24837-83ed-46c5-ba80-66a832c7072e.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--3ed9e825-2cd0-4d07-9926-143d35bb56a9", + "id": "bundle--9505893a-a3e2-4895-a883-02af300e43ab", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--b401f65c-5324-4fc0-8fce-0aa2ebf1f919.json b/ics-attack/relationship/relationship--b401f65c-5324-4fc0-8fce-0aa2ebf1f919.json index 1208ace299..05e2c96f65 100644 --- a/ics-attack/relationship/relationship--b401f65c-5324-4fc0-8fce-0aa2ebf1f919.json +++ b/ics-attack/relationship/relationship--b401f65c-5324-4fc0-8fce-0aa2ebf1f919.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--b76b9f8e-1357-41e2-b0fd-9ecead18d283", + "id": "bundle--1d19f6cd-955e-403b-92de-7beeb16e4b25", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--b452a076-6d4e-49f5-95ac-16264ef05b1d.json b/ics-attack/relationship/relationship--b452a076-6d4e-49f5-95ac-16264ef05b1d.json index fd13a0dd8f..62c6f94d1d 100644 --- a/ics-attack/relationship/relationship--b452a076-6d4e-49f5-95ac-16264ef05b1d.json +++ b/ics-attack/relationship/relationship--b452a076-6d4e-49f5-95ac-16264ef05b1d.json 
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--d2981549-3013-4d40-923e-62fc1e3c8acd", + "id": "bundle--a15ec730-29b0-4bea-a7b2-42366873af6e", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--b47dbc50-fd8f-4e5b-bb3d-e93b68bf5497.json b/ics-attack/relationship/relationship--b47dbc50-fd8f-4e5b-bb3d-e93b68bf5497.json index 72d18a1c43..ad1d29f27f 100644 --- a/ics-attack/relationship/relationship--b47dbc50-fd8f-4e5b-bb3d-e93b68bf5497.json +++ b/ics-attack/relationship/relationship--b47dbc50-fd8f-4e5b-bb3d-e93b68bf5497.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--d99d0511-bae3-4c27-adb1-41bcfa62b19e", + "id": "bundle--975a64df-8714-4038-a139-bc68327e4b99", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--b48be9f9-de0e-4548-ade3-09d47af52798.json b/ics-attack/relationship/relationship--b48be9f9-de0e-4548-ade3-09d47af52798.json index 67bf1f5f62..8827a65cb8 100644 --- a/ics-attack/relationship/relationship--b48be9f9-de0e-4548-ade3-09d47af52798.json +++ b/ics-attack/relationship/relationship--b48be9f9-de0e-4548-ade3-09d47af52798.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--a5834a61-d534-43d0-86cf-9de04665b72d", + "id": "bundle--53b1a8d5-ca84-49c5-957f-f9fb3ad77b5b", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--b4b698a7-b80e-41f6-8ca2-a954270cceb3.json b/ics-attack/relationship/relationship--b4b698a7-b80e-41f6-8ca2-a954270cceb3.json index 97f4743c06..4c6d1632ed 100644 --- a/ics-attack/relationship/relationship--b4b698a7-b80e-41f6-8ca2-a954270cceb3.json +++ b/ics-attack/relationship/relationship--b4b698a7-b80e-41f6-8ca2-a954270cceb3.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--d499b7db-fa08-47f5-a625-95cb1baafd8d", + "id": "bundle--e007e021-7524-4632-a9a3-0209de62d1ce", "spec_version": "2.0", "objects": [ { 
diff --git a/ics-attack/relationship/relationship--b5979643-fefb-460f-b59c-971efe95f121.json b/ics-attack/relationship/relationship--b5979643-fefb-460f-b59c-971efe95f121.json index ee801db354..3066a57f13 100644 --- a/ics-attack/relationship/relationship--b5979643-fefb-460f-b59c-971efe95f121.json +++ b/ics-attack/relationship/relationship--b5979643-fefb-460f-b59c-971efe95f121.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--d63d3c83-b7a5-4d3d-a870-401b0a29f06e", + "id": "bundle--95da4009-eb24-4b3f-8e9f-f349e0d8c3e8", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--b5ab26e2-eb90-4f19-b35a-b8a0a5438961.json b/ics-attack/relationship/relationship--b5ab26e2-eb90-4f19-b35a-b8a0a5438961.json index bac85b959f..32a6834ba1 100644 --- a/ics-attack/relationship/relationship--b5ab26e2-eb90-4f19-b35a-b8a0a5438961.json +++ b/ics-attack/relationship/relationship--b5ab26e2-eb90-4f19-b35a-b8a0a5438961.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--037f84ef-5fa4-4536-bbbb-b028314f68f3", + "id": "bundle--edc095b5-a23a-4fc6-995f-236202c44463", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--b5bb5ec3-aa3c-4734-8425-4be80c5658a9.json b/ics-attack/relationship/relationship--b5bb5ec3-aa3c-4734-8425-4be80c5658a9.json index 55c8ca4933..a4173efa71 100644 --- a/ics-attack/relationship/relationship--b5bb5ec3-aa3c-4734-8425-4be80c5658a9.json +++ b/ics-attack/relationship/relationship--b5bb5ec3-aa3c-4734-8425-4be80c5658a9.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--a310f273-a0ca-409f-8df9-2e7626e42868", + "id": "bundle--b48a49a3-0b96-4b83-ae62-74ff000a4127", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--b5e52859-8dab-4e7e-af70-bb38c6993c98.json b/ics-attack/relationship/relationship--b5e52859-8dab-4e7e-af70-bb38c6993c98.json index ff8c2eb09e..c1ff42d613 100644 
--- a/ics-attack/relationship/relationship--b5e52859-8dab-4e7e-af70-bb38c6993c98.json +++ b/ics-attack/relationship/relationship--b5e52859-8dab-4e7e-af70-bb38c6993c98.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--5967a8f6-ca80-4e69-a68f-3a183062ebd6", + "id": "bundle--5ee919ee-8e42-4934-a09b-91181e2a8e47", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--b5f94430-be03-43ed-97e1-0424d783073e.json b/ics-attack/relationship/relationship--b5f94430-be03-43ed-97e1-0424d783073e.json index 0f3264d5b1..128c552ec7 100644 --- a/ics-attack/relationship/relationship--b5f94430-be03-43ed-97e1-0424d783073e.json +++ b/ics-attack/relationship/relationship--b5f94430-be03-43ed-97e1-0424d783073e.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--a0ef72be-b6d2-4b4d-b116-7375d4fee7cf", + "id": "bundle--64e97aa4-1a7a-4920-abad-eac4f64ddf22", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--b628d878-4f35-4580-8d42-26984d13821e.json b/ics-attack/relationship/relationship--b628d878-4f35-4580-8d42-26984d13821e.json index 6b6e18114f..4fb0a79574 100644 --- a/ics-attack/relationship/relationship--b628d878-4f35-4580-8d42-26984d13821e.json +++ b/ics-attack/relationship/relationship--b628d878-4f35-4580-8d42-26984d13821e.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--fc79774b-cc41-4118-bb73-a910a5d97b98", + "id": "bundle--f9c5b0f2-e572-446a-9e6e-45b1e8845a84", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--b62da342-4b12-4d88-bb48-9fa84b8c967f.json b/ics-attack/relationship/relationship--b62da342-4b12-4d88-bb48-9fa84b8c967f.json index 2d8a61e416..8fef9e9ab4 100644 --- a/ics-attack/relationship/relationship--b62da342-4b12-4d88-bb48-9fa84b8c967f.json +++ b/ics-attack/relationship/relationship--b62da342-4b12-4d88-bb48-9fa84b8c967f.json 
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--0938178c-aaf2-4984-a0d5-19479ee7d408", + "id": "bundle--4f025b9e-53fb-412d-b302-eb595b70e115", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--b69f31c3-6c12-4b81-8e74-9c58ea635fa4.json b/ics-attack/relationship/relationship--b69f31c3-6c12-4b81-8e74-9c58ea635fa4.json index 78e2f5772c..4a8995136f 100644 --- a/ics-attack/relationship/relationship--b69f31c3-6c12-4b81-8e74-9c58ea635fa4.json +++ b/ics-attack/relationship/relationship--b69f31c3-6c12-4b81-8e74-9c58ea635fa4.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--4e182970-7bdb-4432-88ca-64e2369abbfc", + "id": "bundle--74661a44-4a1b-42a4-bc23-07a59ab8c576", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--b72b7dfd-f134-4324-84b8-52ff13fc6b5c.json b/ics-attack/relationship/relationship--b72b7dfd-f134-4324-84b8-52ff13fc6b5c.json index b326064fa2..c3eb474e0b 100644 --- a/ics-attack/relationship/relationship--b72b7dfd-f134-4324-84b8-52ff13fc6b5c.json +++ b/ics-attack/relationship/relationship--b72b7dfd-f134-4324-84b8-52ff13fc6b5c.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--882c85c2-8a11-419a-b841-78d36368b77e", + "id": "bundle--10a6ac7b-109c-431d-bf9a-141f7ac92239", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--b778b3c3-5dd3-4c0b-b7d9-78e6bb40a544.json b/ics-attack/relationship/relationship--b778b3c3-5dd3-4c0b-b7d9-78e6bb40a544.json index e8a72d3eee..930776ea5f 100644 --- a/ics-attack/relationship/relationship--b778b3c3-5dd3-4c0b-b7d9-78e6bb40a544.json +++ b/ics-attack/relationship/relationship--b778b3c3-5dd3-4c0b-b7d9-78e6bb40a544.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--e6f8a50e-3b0e-41c9-8d1a-9b9fa2a9ade5", + "id": "bundle--6bc7b757-d6a0-4820-ba98-0d6945ff1aa0", "spec_version": "2.0", "objects": [ { 
diff --git a/ics-attack/relationship/relationship--b7f23af2-e948-4531-af56-1a1b4d03702f.json b/ics-attack/relationship/relationship--b7f23af2-e948-4531-af56-1a1b4d03702f.json index d4d2a3dc25..bd6b05f1db 100644 --- a/ics-attack/relationship/relationship--b7f23af2-e948-4531-af56-1a1b4d03702f.json +++ b/ics-attack/relationship/relationship--b7f23af2-e948-4531-af56-1a1b4d03702f.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--830b005f-2371-4ca4-86ff-8590191591f2", + "id": "bundle--974c2736-ba9a-4cca-9df8-023be108cd71", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--b8b1739d-dfa2-44e9-907f-7085e262512f.json b/ics-attack/relationship/relationship--b8b1739d-dfa2-44e9-907f-7085e262512f.json index db5257adf1..77b0c888b5 100644 --- a/ics-attack/relationship/relationship--b8b1739d-dfa2-44e9-907f-7085e262512f.json +++ b/ics-attack/relationship/relationship--b8b1739d-dfa2-44e9-907f-7085e262512f.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--98e73dfb-768b-46d6-b69c-e73048b3563c", + "id": "bundle--d32ae58b-4a28-4522-a4cc-816e357f1bb5", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--b8d484f3-85e7-4208-8ae4-72f0e055a290.json b/ics-attack/relationship/relationship--b8d484f3-85e7-4208-8ae4-72f0e055a290.json index 57134d8393..19c5362198 100644 --- a/ics-attack/relationship/relationship--b8d484f3-85e7-4208-8ae4-72f0e055a290.json +++ b/ics-attack/relationship/relationship--b8d484f3-85e7-4208-8ae4-72f0e055a290.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--8e7e5805-eed1-4912-934b-b2ac7dddd3a3", + "id": "bundle--ef22fbee-c090-42f0-9877-06c40d32051a", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--b8d6e550-18fe-49ad-9964-7802bbe0cb58.json b/ics-attack/relationship/relationship--b8d6e550-18fe-49ad-9964-7802bbe0cb58.json index fd12a43330..bfe76f3450 100644 
--- a/ics-attack/relationship/relationship--b8d6e550-18fe-49ad-9964-7802bbe0cb58.json +++ b/ics-attack/relationship/relationship--b8d6e550-18fe-49ad-9964-7802bbe0cb58.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--593d9fb1-a7f9-45c6-8a09-2ef7b80e9583", + "id": "bundle--5251ce27-2e13-452f-8392-657c13549150", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--b8edcf0a-ec53-4203-b3ad-2cc734a1f1dd.json b/ics-attack/relationship/relationship--b8edcf0a-ec53-4203-b3ad-2cc734a1f1dd.json index 761488ce7a..6d35c4c5a1 100644 --- a/ics-attack/relationship/relationship--b8edcf0a-ec53-4203-b3ad-2cc734a1f1dd.json +++ b/ics-attack/relationship/relationship--b8edcf0a-ec53-4203-b3ad-2cc734a1f1dd.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--799d3c69-bd08-4b8c-b6ee-b334b0011eb3", + "id": "bundle--c3232207-b53e-4a96-a321-7723fd4873d7", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--b8f6d6a8-e668-4596-8ec2-41c5d1bd211d.json b/ics-attack/relationship/relationship--b8f6d6a8-e668-4596-8ec2-41c5d1bd211d.json index 138408f303..670447dd29 100644 --- a/ics-attack/relationship/relationship--b8f6d6a8-e668-4596-8ec2-41c5d1bd211d.json +++ b/ics-attack/relationship/relationship--b8f6d6a8-e668-4596-8ec2-41c5d1bd211d.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--ef67cb6b-af30-42c8-85cc-b6b5b8c1f7a3", + "id": "bundle--2474e16f-013b-43eb-bbc3-fdccf1b5acb2", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--b960c5ed-1ea8-4dde-9203-c02d291d3bc6.json b/ics-attack/relationship/relationship--b960c5ed-1ea8-4dde-9203-c02d291d3bc6.json index cf62212761..c516025cec 100644 --- a/ics-attack/relationship/relationship--b960c5ed-1ea8-4dde-9203-c02d291d3bc6.json +++ b/ics-attack/relationship/relationship--b960c5ed-1ea8-4dde-9203-c02d291d3bc6.json 
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--bf311b87-66aa-4aa8-8960-9e1eb1095329", + "id": "bundle--fddd765a-eb92-4111-97c9-02164aa4ec8b", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--b9632b4d-43c3-4bfa-88e0-629245acb8eb.json b/ics-attack/relationship/relationship--b9632b4d-43c3-4bfa-88e0-629245acb8eb.json index 3be700781e..421e813a24 100644 --- a/ics-attack/relationship/relationship--b9632b4d-43c3-4bfa-88e0-629245acb8eb.json +++ b/ics-attack/relationship/relationship--b9632b4d-43c3-4bfa-88e0-629245acb8eb.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--6877a6ca-647c-41c1-87a0-6a92fc2d905b", + "id": "bundle--f40d1323-8644-4fb5-aa04-b928f7031d9f", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--b9e82422-b072-494f-99c1-fcab07b90133.json b/ics-attack/relationship/relationship--b9e82422-b072-494f-99c1-fcab07b90133.json index c16544fefc..b569261a10 100644 --- a/ics-attack/relationship/relationship--b9e82422-b072-494f-99c1-fcab07b90133.json +++ b/ics-attack/relationship/relationship--b9e82422-b072-494f-99c1-fcab07b90133.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--731dc5f7-d3ed-437d-9c23-2c3e80440be4", + "id": "bundle--d90ab25c-c806-4359-ae7f-fc6c105e240b", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--ba010007-6dde-4c9d-8452-69527cd1c2ba.json b/ics-attack/relationship/relationship--ba010007-6dde-4c9d-8452-69527cd1c2ba.json index b822a5e3e5..a87ac3e71f 100644 --- a/ics-attack/relationship/relationship--ba010007-6dde-4c9d-8452-69527cd1c2ba.json +++ b/ics-attack/relationship/relationship--ba010007-6dde-4c9d-8452-69527cd1c2ba.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--a9526813-9629-4b26-a1ab-b8adaea95605", + "id": "bundle--ce34c952-b529-430d-9cfa-2068ed1e01e2", "spec_version": "2.0", "objects": [ { 
diff --git a/ics-attack/relationship/relationship--baf4bd30-4213-43c3-b70c-54418e734caf.json b/ics-attack/relationship/relationship--baf4bd30-4213-43c3-b70c-54418e734caf.json index e94125530c..4915494f79 100644 --- a/ics-attack/relationship/relationship--baf4bd30-4213-43c3-b70c-54418e734caf.json +++ b/ics-attack/relationship/relationship--baf4bd30-4213-43c3-b70c-54418e734caf.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--ca083698-89ad-4b42-9ef6-ceb4dd84a827", + "id": "bundle--2dde1219-29ae-4ef6-bfd7-db3f990132db", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--baf7daf3-2116-4051-91b5-f82e146167d0.json b/ics-attack/relationship/relationship--baf7daf3-2116-4051-91b5-f82e146167d0.json index 1ee4e2531d..27d26ec33e 100644 --- a/ics-attack/relationship/relationship--baf7daf3-2116-4051-91b5-f82e146167d0.json +++ b/ics-attack/relationship/relationship--baf7daf3-2116-4051-91b5-f82e146167d0.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--e0216eac-e1a4-48c3-ba59-15884c581f2d", + "id": "bundle--a2bff1db-7eac-4036-ba09-5892ee89a1f2", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--bbf297d3-0c3c-44be-b780-332bac17b0ba.json b/ics-attack/relationship/relationship--bbf297d3-0c3c-44be-b780-332bac17b0ba.json index 8f16270b02..52dfa6613d 100644 --- a/ics-attack/relationship/relationship--bbf297d3-0c3c-44be-b780-332bac17b0ba.json +++ b/ics-attack/relationship/relationship--bbf297d3-0c3c-44be-b780-332bac17b0ba.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--0477bbe1-7a81-426f-a287-99c39e9bd45e", + "id": "bundle--f6aa9730-346b-4648-b7c7-a246c52c6a80", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--bc3744d6-9275-4d91-8888-16d5f4d5187b.json b/ics-attack/relationship/relationship--bc3744d6-9275-4d91-8888-16d5f4d5187b.json index 5891a8c91d..bfc0dcb931 100644 
--- a/ics-attack/relationship/relationship--bc3744d6-9275-4d91-8888-16d5f4d5187b.json +++ b/ics-attack/relationship/relationship--bc3744d6-9275-4d91-8888-16d5f4d5187b.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--08541da7-5759-4bd4-b849-eced0127fc77", + "id": "bundle--0cefd979-0ec5-4bb3-a817-8a56f9ca01a7", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--bc383819-2e40-49b4-bea9-95eb5d418877.json b/ics-attack/relationship/relationship--bc383819-2e40-49b4-bea9-95eb5d418877.json index 24ea9c7d5e..65df04a780 100644 --- a/ics-attack/relationship/relationship--bc383819-2e40-49b4-bea9-95eb5d418877.json +++ b/ics-attack/relationship/relationship--bc383819-2e40-49b4-bea9-95eb5d418877.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--cba27382-0710-4313-b8b3-2f08c2ad0eff", + "id": "bundle--6ce7e3b7-5d52-403d-961a-62daef17ee81", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--bc74ff8f-d5fa-40fb-8c0b-f16af3ff36e3.json b/ics-attack/relationship/relationship--bc74ff8f-d5fa-40fb-8c0b-f16af3ff36e3.json index 3e38dfe1e2..66317b44df 100644 --- a/ics-attack/relationship/relationship--bc74ff8f-d5fa-40fb-8c0b-f16af3ff36e3.json +++ b/ics-attack/relationship/relationship--bc74ff8f-d5fa-40fb-8c0b-f16af3ff36e3.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--67c618bc-cfde-44fc-a5b3-07a20752d2fd", + "id": "bundle--d8ab3f93-2608-4d0a-b9e6-5ebea87c78aa", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--bcaa4f7e-2e84-4bbb-9fb7-ca8fb003108f.json b/ics-attack/relationship/relationship--bcaa4f7e-2e84-4bbb-9fb7-ca8fb003108f.json index 531603e732..df88c37429 100644 --- a/ics-attack/relationship/relationship--bcaa4f7e-2e84-4bbb-9fb7-ca8fb003108f.json +++ b/ics-attack/relationship/relationship--bcaa4f7e-2e84-4bbb-9fb7-ca8fb003108f.json 
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--a4248321-e7e4-452f-9e74-27766c95ae04", + "id": "bundle--5a543f9e-2df0-4088-a777-e81448e5c6d4", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--bcece7ce-91b5-40b3-b87a-25cab3600e5c.json b/ics-attack/relationship/relationship--bcece7ce-91b5-40b3-b87a-25cab3600e5c.json index 4efb44890e..3d21a7ef6f 100644 --- a/ics-attack/relationship/relationship--bcece7ce-91b5-40b3-b87a-25cab3600e5c.json +++ b/ics-attack/relationship/relationship--bcece7ce-91b5-40b3-b87a-25cab3600e5c.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--ef384bd3-18b4-4897-8bbe-e45e34b0e04d", + "id": "bundle--48c96501-4acf-4e06-9018-32943d656fa7", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--bda03e8d-5e06-4470-b786-11b11c7c97c7.json b/ics-attack/relationship/relationship--bda03e8d-5e06-4470-b786-11b11c7c97c7.json index b3920d30b5..0a59245fc7 100644 --- a/ics-attack/relationship/relationship--bda03e8d-5e06-4470-b786-11b11c7c97c7.json +++ b/ics-attack/relationship/relationship--bda03e8d-5e06-4470-b786-11b11c7c97c7.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--ff86cc0d-9686-4c83-a821-1a05e3895cf4", + "id": "bundle--b9bde519-383a-4a22-9b06-2f790f5b85f5", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--bde941c6-2ca0-4f94-9336-027e7eee15a1.json b/ics-attack/relationship/relationship--bde941c6-2ca0-4f94-9336-027e7eee15a1.json index 2adbd6778a..bf68401f27 100644 --- a/ics-attack/relationship/relationship--bde941c6-2ca0-4f94-9336-027e7eee15a1.json +++ b/ics-attack/relationship/relationship--bde941c6-2ca0-4f94-9336-027e7eee15a1.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--3d768935-5edb-45db-977a-c4c168171784", + "id": "bundle--2332f00e-1b18-42cd-af1b-bafc35f60aca", "spec_version": "2.0", "objects": [ { 
diff --git a/ics-attack/relationship/relationship--be532c78-daf5-431b-adae-ab11af395513.json b/ics-attack/relationship/relationship--be532c78-daf5-431b-adae-ab11af395513.json index fab1ba28c6..0aa172b8ae 100644 --- a/ics-attack/relationship/relationship--be532c78-daf5-431b-adae-ab11af395513.json +++ b/ics-attack/relationship/relationship--be532c78-daf5-431b-adae-ab11af395513.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--b57bdecd-53f0-4e97-a36c-62858aec1a5e", + "id": "bundle--1c6c22e6-ef47-4a13-a89c-d1aa725c5eaa", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--be950e87-80ac-49ea-810a-553c7f72151b.json b/ics-attack/relationship/relationship--be950e87-80ac-49ea-810a-553c7f72151b.json index 86e46c1ca2..b68a16f0c9 100644 --- a/ics-attack/relationship/relationship--be950e87-80ac-49ea-810a-553c7f72151b.json +++ b/ics-attack/relationship/relationship--be950e87-80ac-49ea-810a-553c7f72151b.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--2d33e657-a742-4382-a1a3-b5f25629ae7c", + "id": "bundle--84da3269-7f4f-423d-bc9d-6b0246db4bf5", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--bf75ca96-3f9d-413c-a244-888a3fbf0be3.json b/ics-attack/relationship/relationship--bf75ca96-3f9d-413c-a244-888a3fbf0be3.json index e94d6caae2..43bc7a4c40 100644 --- a/ics-attack/relationship/relationship--bf75ca96-3f9d-413c-a244-888a3fbf0be3.json +++ b/ics-attack/relationship/relationship--bf75ca96-3f9d-413c-a244-888a3fbf0be3.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--57ad69cf-fcea-457f-a0be-dfb69b520a4f", + "id": "bundle--b3e7f575-95de-4772-a992-f9d2494a4b3d", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--bff99f91-e1a9-4379-a2d9-5a99615a95d1.json b/ics-attack/relationship/relationship--bff99f91-e1a9-4379-a2d9-5a99615a95d1.json index b661f88d97..31a6de5059 100644 
--- a/ics-attack/relationship/relationship--bff99f91-e1a9-4379-a2d9-5a99615a95d1.json +++ b/ics-attack/relationship/relationship--bff99f91-e1a9-4379-a2d9-5a99615a95d1.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--c5de61c0-1ee8-41c0-b9cb-6af09ffebb10", + "id": "bundle--60610a68-064f-4409-9a6a-6b4bb35ab2ec", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--c0efb24a-2329-401a-bba6-817f2867bb3f.json b/ics-attack/relationship/relationship--c0efb24a-2329-401a-bba6-817f2867bb3f.json index de5f45a4e3..8e51f36e2d 100644 --- a/ics-attack/relationship/relationship--c0efb24a-2329-401a-bba6-817f2867bb3f.json +++ b/ics-attack/relationship/relationship--c0efb24a-2329-401a-bba6-817f2867bb3f.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--734339b9-411d-4840-bc68-29ae89264bd5", + "id": "bundle--fd2a5fb7-0bd6-49fd-84d9-f2955e8052f9", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--c11a95c2-6e9d-4d90-b6ab-20227869f2e4.json b/ics-attack/relationship/relationship--c11a95c2-6e9d-4d90-b6ab-20227869f2e4.json index bacbbf92dc..3f6ce4848a 100644 --- a/ics-attack/relationship/relationship--c11a95c2-6e9d-4d90-b6ab-20227869f2e4.json +++ b/ics-attack/relationship/relationship--c11a95c2-6e9d-4d90-b6ab-20227869f2e4.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--1edf2110-9ae4-42c9-9c03-ef1d31273195", + "id": "bundle--93ff9179-cfb9-4951-836a-15dba24a214b", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--c195a0e9-d46c-487f-9a96-b138e9ca05d2.json b/ics-attack/relationship/relationship--c195a0e9-d46c-487f-9a96-b138e9ca05d2.json index 5c9aa7d655..02f76c30db 100644 --- a/ics-attack/relationship/relationship--c195a0e9-d46c-487f-9a96-b138e9ca05d2.json +++ b/ics-attack/relationship/relationship--c195a0e9-d46c-487f-9a96-b138e9ca05d2.json 
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--e0a11950-3c86-4aa7-85f3-d50e2878e8ed", + "id": "bundle--c08a8a40-b668-4c76-a42d-0f33d1046b1d", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--c22acaab-baa4-45b0-9c4b-9330715e5455.json b/ics-attack/relationship/relationship--c22acaab-baa4-45b0-9c4b-9330715e5455.json index cb3e6f30e3..e444a67e25 100644 --- a/ics-attack/relationship/relationship--c22acaab-baa4-45b0-9c4b-9330715e5455.json +++ b/ics-attack/relationship/relationship--c22acaab-baa4-45b0-9c4b-9330715e5455.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--0c1ea7ad-e422-480c-9d3d-4c36b77e6449", + "id": "bundle--af45711d-4854-439f-957f-e05d7f1d4085", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--c2fe42b4-6750-4b51-86b7-6c37fbfdef2d.json b/ics-attack/relationship/relationship--c2fe42b4-6750-4b51-86b7-6c37fbfdef2d.json index efe4254003..9ec8363d71 100644 --- a/ics-attack/relationship/relationship--c2fe42b4-6750-4b51-86b7-6c37fbfdef2d.json +++ b/ics-attack/relationship/relationship--c2fe42b4-6750-4b51-86b7-6c37fbfdef2d.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--a6aee1a5-e2df-4809-b40a-2c152e178743", + "id": "bundle--8ac38170-ec37-4978-a46b-adf88040b56e", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--c347b69c-e3f6-4eca-ba57-0781c7dc8eac.json b/ics-attack/relationship/relationship--c347b69c-e3f6-4eca-ba57-0781c7dc8eac.json index 1948db125d..a23f5e8475 100644 --- a/ics-attack/relationship/relationship--c347b69c-e3f6-4eca-ba57-0781c7dc8eac.json +++ b/ics-attack/relationship/relationship--c347b69c-e3f6-4eca-ba57-0781c7dc8eac.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--04546542-2895-4cd9-a5a0-f9cc00a45a68", + "id": "bundle--d7866761-48bc-4c9e-907b-1c5107f3265a", "spec_version": "2.0", "objects": [ { 
diff --git a/ics-attack/relationship/relationship--c4122b58-f1b2-4656-a715-55016700bf75.json b/ics-attack/relationship/relationship--c4122b58-f1b2-4656-a715-55016700bf75.json index e74517311e..f9eaace8d7 100644 --- a/ics-attack/relationship/relationship--c4122b58-f1b2-4656-a715-55016700bf75.json +++ b/ics-attack/relationship/relationship--c4122b58-f1b2-4656-a715-55016700bf75.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--4e5e1abd-6861-4261-bd72-0e80ab70a463", + "id": "bundle--9f862176-7ab8-43a2-851c-38f15dbf41f0", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--c43fbdc0-4c1d-4ff8-9dd2-fd45199dcfaa.json b/ics-attack/relationship/relationship--c43fbdc0-4c1d-4ff8-9dd2-fd45199dcfaa.json index 789c29ef5e..d80ac343e8 100644 --- a/ics-attack/relationship/relationship--c43fbdc0-4c1d-4ff8-9dd2-fd45199dcfaa.json +++ b/ics-attack/relationship/relationship--c43fbdc0-4c1d-4ff8-9dd2-fd45199dcfaa.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--10328e90-7de7-4726-835c-e2340d66fd83", + "id": "bundle--5ecc1368-f8f7-4ba0-a29e-a60c41003bac", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--c473686a-2452-4ee6-bf1d-54bf3e575d95.json b/ics-attack/relationship/relationship--c473686a-2452-4ee6-bf1d-54bf3e575d95.json index a994b4d8a6..a5efef7093 100644 --- a/ics-attack/relationship/relationship--c473686a-2452-4ee6-bf1d-54bf3e575d95.json +++ b/ics-attack/relationship/relationship--c473686a-2452-4ee6-bf1d-54bf3e575d95.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--3e17e6c6-c88c-483a-b5ff-1959ec076466", + "id": "bundle--cc34e4fd-3dbd-43eb-8da3-43b08f647b2c", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--c4e8dd42-9855-4a36-b915-dc7e1a91e235.json b/ics-attack/relationship/relationship--c4e8dd42-9855-4a36-b915-dc7e1a91e235.json index 7f8efd2290..982e2c689d 100644 
--- a/ics-attack/relationship/relationship--c4e8dd42-9855-4a36-b915-dc7e1a91e235.json +++ b/ics-attack/relationship/relationship--c4e8dd42-9855-4a36-b915-dc7e1a91e235.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--ce2177f7-5063-4a71-bb79-8f90f155931a", + "id": "bundle--f05a906c-55f5-4acb-94a1-e25d0d6b9a54", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--c59a3d89-c8fa-4c5d-813e-f4495d892d1a.json b/ics-attack/relationship/relationship--c59a3d89-c8fa-4c5d-813e-f4495d892d1a.json index 073d688f21..b605772c42 100644 --- a/ics-attack/relationship/relationship--c59a3d89-c8fa-4c5d-813e-f4495d892d1a.json +++ b/ics-attack/relationship/relationship--c59a3d89-c8fa-4c5d-813e-f4495d892d1a.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--8f760497-e622-4648-9981-2b3fe543d8c0", + "id": "bundle--f5f34283-4b44-4e9f-ae52-9dd219a80713", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--c5dd0d66-99f1-4efd-b0f9-bf9f9118ff16.json b/ics-attack/relationship/relationship--c5dd0d66-99f1-4efd-b0f9-bf9f9118ff16.json index e0d4eeb90d..1bea12def4 100644 --- a/ics-attack/relationship/relationship--c5dd0d66-99f1-4efd-b0f9-bf9f9118ff16.json +++ b/ics-attack/relationship/relationship--c5dd0d66-99f1-4efd-b0f9-bf9f9118ff16.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--4debe897-8999-4d07-b46a-475aff1463d8", + "id": "bundle--f97e7534-6130-43ed-bc53-682f52c63290", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--c5fd0969-c151-4849-94c2-83e2e208cff7.json b/ics-attack/relationship/relationship--c5fd0969-c151-4849-94c2-83e2e208cff7.json index 382fe09047..92c5aa0a2a 100644 --- a/ics-attack/relationship/relationship--c5fd0969-c151-4849-94c2-83e2e208cff7.json +++ b/ics-attack/relationship/relationship--c5fd0969-c151-4849-94c2-83e2e208cff7.json 
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--7aea42e3-0456-49d2-81da-40863fb22c0c", + "id": "bundle--c08bc21c-f0b9-4d2d-8533-360c5c54b24f", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--c63c35c2-a402-4d0d-bf25-f48eb9b379c1.json b/ics-attack/relationship/relationship--c63c35c2-a402-4d0d-bf25-f48eb9b379c1.json index 0d87703162..849ef99afb 100644 --- a/ics-attack/relationship/relationship--c63c35c2-a402-4d0d-bf25-f48eb9b379c1.json +++ b/ics-attack/relationship/relationship--c63c35c2-a402-4d0d-bf25-f48eb9b379c1.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--a65e4a73-28f7-4670-b754-1bc3c6b5d483", + "id": "bundle--20b38daa-1a7e-44a2-8ccd-8dc25bd34536", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--c64f2ed2-f7a7-4333-b0d3-d687ffb7ad6b.json b/ics-attack/relationship/relationship--c64f2ed2-f7a7-4333-b0d3-d687ffb7ad6b.json index 8c0c07fec1..6cc225982e 100644 --- a/ics-attack/relationship/relationship--c64f2ed2-f7a7-4333-b0d3-d687ffb7ad6b.json +++ b/ics-attack/relationship/relationship--c64f2ed2-f7a7-4333-b0d3-d687ffb7ad6b.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--80841fad-de49-4f98-b23f-d7c3f1518683", + "id": "bundle--4a995faa-c7d0-4939-bd5b-787281e8c512", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--c6520346-fe47-44ce-af75-d99004ac2977.json b/ics-attack/relationship/relationship--c6520346-fe47-44ce-af75-d99004ac2977.json index d6ba5d8249..e614f0d6af 100644 --- a/ics-attack/relationship/relationship--c6520346-fe47-44ce-af75-d99004ac2977.json +++ b/ics-attack/relationship/relationship--c6520346-fe47-44ce-af75-d99004ac2977.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--137c05bd-a6fc-4ebc-9985-6cfa2e2918d6", + "id": "bundle--d275be74-4650-4a5b-8139-613baeacaef2", "spec_version": "2.0", "objects": [ { 
diff --git a/ics-attack/relationship/relationship--c6562519-81c5-4eca-a815-f46ac0ed4bcc.json b/ics-attack/relationship/relationship--c6562519-81c5-4eca-a815-f46ac0ed4bcc.json index 94f7b18d72..6cd5ede950 100644 --- a/ics-attack/relationship/relationship--c6562519-81c5-4eca-a815-f46ac0ed4bcc.json +++ b/ics-attack/relationship/relationship--c6562519-81c5-4eca-a815-f46ac0ed4bcc.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--fa105287-456b-4040-81a1-e59c91d0ca9d", + "id": "bundle--1818e68b-a6aa-4f87-8f6c-bfcfec1f3e0e", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--c664bb6c-59f0-4b31-bbb4-ef66fca933d4.json b/ics-attack/relationship/relationship--c664bb6c-59f0-4b31-bbb4-ef66fca933d4.json index b7d0ddd269..900a1e90ec 100644 --- a/ics-attack/relationship/relationship--c664bb6c-59f0-4b31-bbb4-ef66fca933d4.json +++ b/ics-attack/relationship/relationship--c664bb6c-59f0-4b31-bbb4-ef66fca933d4.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--2a370d74-fbd5-406f-b439-ce62aac7c70e", + "id": "bundle--b36b41ed-390d-415f-a25d-4f924e2f0b8c", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--c67e3535-69a9-4234-8170-4ad6efc632b7.json b/ics-attack/relationship/relationship--c67e3535-69a9-4234-8170-4ad6efc632b7.json index 90024231b1..d68e84215c 100644 --- a/ics-attack/relationship/relationship--c67e3535-69a9-4234-8170-4ad6efc632b7.json +++ b/ics-attack/relationship/relationship--c67e3535-69a9-4234-8170-4ad6efc632b7.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--d38ea6ff-2df9-4740-9ae3-29c93c1eada5", + "id": "bundle--e21addd8-bf8d-485d-bf9a-5c0d689af2a1", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--c69eab3c-861c-45f5-8858-a595fcc7e6f6.json b/ics-attack/relationship/relationship--c69eab3c-861c-45f5-8858-a595fcc7e6f6.json index 281ba4cc1b..5dc255275e 100644 
--- a/ics-attack/relationship/relationship--c69eab3c-861c-45f5-8858-a595fcc7e6f6.json +++ b/ics-attack/relationship/relationship--c69eab3c-861c-45f5-8858-a595fcc7e6f6.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--367bf8c7-a3e0-49d4-b129-ea3997b8f24d", + "id": "bundle--8c38dab0-cf1c-4f34-96f0-2f2acfb17180", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--c726e8af-9b98-4ce9-b8f4-3e82e59d5374.json b/ics-attack/relationship/relationship--c726e8af-9b98-4ce9-b8f4-3e82e59d5374.json index 042df14ae1..6d8582b24a 100644 --- a/ics-attack/relationship/relationship--c726e8af-9b98-4ce9-b8f4-3e82e59d5374.json +++ b/ics-attack/relationship/relationship--c726e8af-9b98-4ce9-b8f4-3e82e59d5374.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--3bdf6d1c-6b70-4ed0-ac86-bd43c4fca949", + "id": "bundle--c9685f77-074e-4ba6-a955-6cce4f972e4f", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--c785c026-4139-4c56-a6dd-cdd3ba75bab1.json b/ics-attack/relationship/relationship--c785c026-4139-4c56-a6dd-cdd3ba75bab1.json index d0e3257bed..45af82ae80 100644 --- a/ics-attack/relationship/relationship--c785c026-4139-4c56-a6dd-cdd3ba75bab1.json +++ b/ics-attack/relationship/relationship--c785c026-4139-4c56-a6dd-cdd3ba75bab1.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--68c42e93-f801-46ce-b1a0-57a108af0051", + "id": "bundle--f8e7fee2-62c1-4678-a360-9fdb4053436d", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--c78f497f-01c3-4efb-aa74-92b700b9c02b.json b/ics-attack/relationship/relationship--c78f497f-01c3-4efb-aa74-92b700b9c02b.json index 6d2cfa1192..c0ad6e062c 100644 --- a/ics-attack/relationship/relationship--c78f497f-01c3-4efb-aa74-92b700b9c02b.json +++ b/ics-attack/relationship/relationship--c78f497f-01c3-4efb-aa74-92b700b9c02b.json 
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--bb782970-4b55-4577-855b-c58bc790a6ff",
+ "id": "bundle--79dd767a-5a86-4b6b-a188-5469198050db",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/relationship/relationship--c7a1037f-cb28-40d4-be19-78e2f0e0aa68.json b/ics-attack/relationship/relationship--c7a1037f-cb28-40d4-be19-78e2f0e0aa68.json
index c6cc025a06..272052cad2 100644
--- a/ics-attack/relationship/relationship--c7a1037f-cb28-40d4-be19-78e2f0e0aa68.json
+++ b/ics-attack/relationship/relationship--c7a1037f-cb28-40d4-be19-78e2f0e0aa68.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--0f320484-7cba-4dce-b4b4-f7bf154085d1",
+ "id": "bundle--5262087e-3d54-4d69-a6fc-e90ad9359d75",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/relationship/relationship--c7aac6c9-da16-46e2-8cfa-dca07a0a7562.json b/ics-attack/relationship/relationship--c7aac6c9-da16-46e2-8cfa-dca07a0a7562.json
index b422957fb1..d4afefc985 100644
--- a/ics-attack/relationship/relationship--c7aac6c9-da16-46e2-8cfa-dca07a0a7562.json
+++ b/ics-attack/relationship/relationship--c7aac6c9-da16-46e2-8cfa-dca07a0a7562.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--b9d6d996-32a2-4900-88b4-4943c25ecb80",
+ "id": "bundle--833a7583-8a47-40ca-bf28-5f9588f1755c",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/relationship/relationship--c848b096-3703-4962-b8a2-57682e26f31b.json b/ics-attack/relationship/relationship--c848b096-3703-4962-b8a2-57682e26f31b.json
index 829faa360a..d78868d9c0 100644
--- a/ics-attack/relationship/relationship--c848b096-3703-4962-b8a2-57682e26f31b.json
+++ b/ics-attack/relationship/relationship--c848b096-3703-4962-b8a2-57682e26f31b.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--e59753a8-a9bd-464b-842e-f9b27dc8b0e9",
+ "id": "bundle--76f99240-9a68-45e3-b011-b6f0ade08a2f",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/relationship/relationship--c84e39ab-30c1-40e3-95a8-fcbb271e913c.json b/ics-attack/relationship/relationship--c84e39ab-30c1-40e3-95a8-fcbb271e913c.json
index 0e8ed9c075..65195a230c 100644
--- a/ics-attack/relationship/relationship--c84e39ab-30c1-40e3-95a8-fcbb271e913c.json
+++ b/ics-attack/relationship/relationship--c84e39ab-30c1-40e3-95a8-fcbb271e913c.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--53fb8cce-6df5-4e4a-9825-3c520916b735",
+ "id": "bundle--27ce1777-5637-4340-8249-806f31dccaeb",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/relationship/relationship--c8a40335-90d6-496a-b4f9-1cc93d3fffc6.json b/ics-attack/relationship/relationship--c8a40335-90d6-496a-b4f9-1cc93d3fffc6.json
index 55cc0d6c72..34652a9e3a 100644
--- a/ics-attack/relationship/relationship--c8a40335-90d6-496a-b4f9-1cc93d3fffc6.json
+++ b/ics-attack/relationship/relationship--c8a40335-90d6-496a-b4f9-1cc93d3fffc6.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--8340f8b4-79c5-41ab-b6aa-6c32dcd14b1c",
+ "id": "bundle--17a3301d-d808-480a-86c4-ea51fa6a2cde",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/relationship/relationship--c8dd2735-bd04-4413-847d-316b77c6de19.json b/ics-attack/relationship/relationship--c8dd2735-bd04-4413-847d-316b77c6de19.json
index 2cae1c877b..3c298055db 100644
--- a/ics-attack/relationship/relationship--c8dd2735-bd04-4413-847d-316b77c6de19.json
+++ b/ics-attack/relationship/relationship--c8dd2735-bd04-4413-847d-316b77c6de19.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--a38fb582-1286-4a42-8e35-e8c7d789501a",
+ "id": "bundle--b39b1ca5-a883-4658-b7a1-14bc3b86a3fa",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/relationship/relationship--c9065f74-556d-4728-8072-f96642e70316.json b/ics-attack/relationship/relationship--c9065f74-556d-4728-8072-f96642e70316.json
index 7f45f47c90..a0ce45f1bf 100644
--- a/ics-attack/relationship/relationship--c9065f74-556d-4728-8072-f96642e70316.json
+++ b/ics-attack/relationship/relationship--c9065f74-556d-4728-8072-f96642e70316.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--aaeec791-53c7-47dc-8573-c60cbc4e4177",
+ "id": "bundle--46258ce8-9d94-4c39-b619-265d1940f201",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/relationship/relationship--c90cfddb-253b-41c8-9057-2abde6f8aa6d.json b/ics-attack/relationship/relationship--c90cfddb-253b-41c8-9057-2abde6f8aa6d.json
index 35752f5d8f..a769a797e2 100644
--- a/ics-attack/relationship/relationship--c90cfddb-253b-41c8-9057-2abde6f8aa6d.json
+++ b/ics-attack/relationship/relationship--c90cfddb-253b-41c8-9057-2abde6f8aa6d.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--0674b3c5-c396-40bc-92f4-4a875cf08833",
+ "id": "bundle--049fb930-0766-4423-beaf-565f25950aab",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/relationship/relationship--c9395e2a-afaf-427c-bcb2-ae663d72c05c.json b/ics-attack/relationship/relationship--c9395e2a-afaf-427c-bcb2-ae663d72c05c.json
index 30b3417590..8c34714505 100644
--- a/ics-attack/relationship/relationship--c9395e2a-afaf-427c-bcb2-ae663d72c05c.json
+++ b/ics-attack/relationship/relationship--c9395e2a-afaf-427c-bcb2-ae663d72c05c.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--7f66b1b7-3623-4223-a9cd-a47e9f5b10d0",
+ "id": "bundle--1ad85651-84f7-4846-9946-8ea5fb7d9d7b",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/relationship/relationship--c9c1c589-b5c6-4231-982f-cae0aa41f349.json b/ics-attack/relationship/relationship--c9c1c589-b5c6-4231-982f-cae0aa41f349.json
index 4ae7509225..fbb50d3b3a 100644
--- a/ics-attack/relationship/relationship--c9c1c589-b5c6-4231-982f-cae0aa41f349.json
+++ b/ics-attack/relationship/relationship--c9c1c589-b5c6-4231-982f-cae0aa41f349.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--105fe872-8630-415b-95ba-3efad09f92a4",
+ "id": "bundle--aedf8b96-3411-487e-a648-07b5750a9342",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/relationship/relationship--ca0c26d7-c4a9-4c4a-bbd4-f3df4b1f5f69.json b/ics-attack/relationship/relationship--ca0c26d7-c4a9-4c4a-bbd4-f3df4b1f5f69.json
index bbcba447e1..b6d058cbf5 100644
--- a/ics-attack/relationship/relationship--ca0c26d7-c4a9-4c4a-bbd4-f3df4b1f5f69.json
+++ b/ics-attack/relationship/relationship--ca0c26d7-c4a9-4c4a-bbd4-f3df4b1f5f69.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--d410e28b-0f90-400d-aaaa-e42ed420f545",
+ "id": "bundle--21c3aa6a-b36b-4a25-b3c6-85d8c90b63db",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/relationship/relationship--ca3c4d4b-cf53-4489-904f-8a220e421aeb.json b/ics-attack/relationship/relationship--ca3c4d4b-cf53-4489-904f-8a220e421aeb.json
index f09ec9f267..c7edd7a362 100644
--- a/ics-attack/relationship/relationship--ca3c4d4b-cf53-4489-904f-8a220e421aeb.json
+++ b/ics-attack/relationship/relationship--ca3c4d4b-cf53-4489-904f-8a220e421aeb.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--73064057-70f2-419a-8a94-cb3bbd4dcf3f",
+ "id": "bundle--a16aaf4c-e226-4085-bcba-5503eaf0fb06",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/relationship/relationship--ca5c7ae7-5273-4888-bc50-183d6e200972.json b/ics-attack/relationship/relationship--ca5c7ae7-5273-4888-bc50-183d6e200972.json
index 9ae03cb4f7..31f10126c9 100644
--- a/ics-attack/relationship/relationship--ca5c7ae7-5273-4888-bc50-183d6e200972.json
+++ b/ics-attack/relationship/relationship--ca5c7ae7-5273-4888-bc50-183d6e200972.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--2ca31b28-96a9-4ddd-bdd3-d715eff46f05",
+ "id": "bundle--9fba5369-8484-4e94-b0c6-86575fdaae55",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/relationship/relationship--ca64a927-f050-41b3-80d3-93d22cdef26a.json b/ics-attack/relationship/relationship--ca64a927-f050-41b3-80d3-93d22cdef26a.json
index 6b4e2463f8..ebf05111fd 100644
--- a/ics-attack/relationship/relationship--ca64a927-f050-41b3-80d3-93d22cdef26a.json
+++ b/ics-attack/relationship/relationship--ca64a927-f050-41b3-80d3-93d22cdef26a.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--f075e49f-3c18-4a37-ab9e-ace442d4ed79",
+ "id": "bundle--9b83d0fe-d037-4e1d-b5f1-3299422eb5e1",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/relationship/relationship--ca768c2a-0f14-471c-90a5-bce649e88d51.json b/ics-attack/relationship/relationship--ca768c2a-0f14-471c-90a5-bce649e88d51.json
index 0f8417dff9..54a729bc0e 100644
--- a/ics-attack/relationship/relationship--ca768c2a-0f14-471c-90a5-bce649e88d51.json
+++ b/ics-attack/relationship/relationship--ca768c2a-0f14-471c-90a5-bce649e88d51.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--e5f2cc12-0315-45bd-9728-1b4a57cc7d2e",
+ "id": "bundle--aaaf75e8-e97f-402a-8599-0bcf98407e3c",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/relationship/relationship--cad91f87-7cc7-4771-8c7b-1599793ed3c1.json b/ics-attack/relationship/relationship--cad91f87-7cc7-4771-8c7b-1599793ed3c1.json
index df629decc0..0b62def638 100644
--- a/ics-attack/relationship/relationship--cad91f87-7cc7-4771-8c7b-1599793ed3c1.json
+++ b/ics-attack/relationship/relationship--cad91f87-7cc7-4771-8c7b-1599793ed3c1.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--86905a85-4a74-423e-bc00-59ffbf4ffe5d",
+ "id": "bundle--1f315522-75e9-45f7-be79-3c746776985c",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/relationship/relationship--cb1037c1-4b83-4a79-ba12-00558bb6b42b.json b/ics-attack/relationship/relationship--cb1037c1-4b83-4a79-ba12-00558bb6b42b.json
index dbe0cb96f2..896c713d74 100644
--- a/ics-attack/relationship/relationship--cb1037c1-4b83-4a79-ba12-00558bb6b42b.json
+++ b/ics-attack/relationship/relationship--cb1037c1-4b83-4a79-ba12-00558bb6b42b.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--dec26642-cb20-4659-a061-87ae49dbe81b",
+ "id": "bundle--259d5e32-6ae2-48bb-abdc-57084871de05",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/relationship/relationship--cb30d507-edc6-4197-947c-7b3a6e395c0d.json b/ics-attack/relationship/relationship--cb30d507-edc6-4197-947c-7b3a6e395c0d.json
index b15c011e4c..3c6c18c4ba 100644
--- a/ics-attack/relationship/relationship--cb30d507-edc6-4197-947c-7b3a6e395c0d.json
+++ b/ics-attack/relationship/relationship--cb30d507-edc6-4197-947c-7b3a6e395c0d.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--fc8d668d-32d9-4595-a48d-400b599fa920",
+ "id": "bundle--267e7e85-77a8-48cb-81cd-87f308cd2031",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/relationship/relationship--cb38425c-646d-4bc8-bdea-e6cc630c3034.json b/ics-attack/relationship/relationship--cb38425c-646d-4bc8-bdea-e6cc630c3034.json
index 0d705f164d..77e5f64f70 100644
--- a/ics-attack/relationship/relationship--cb38425c-646d-4bc8-bdea-e6cc630c3034.json
+++ b/ics-attack/relationship/relationship--cb38425c-646d-4bc8-bdea-e6cc630c3034.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--4853064e-49de-48c0-a426-ad48a8fdf2b2",
+ "id": "bundle--d2da8147-5e67-4927-81c7-1c21108d6119",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/relationship/relationship--cb4d802e-df5b-4017-81dd-47f65fff23a3.json b/ics-attack/relationship/relationship--cb4d802e-df5b-4017-81dd-47f65fff23a3.json
index 4cf971aff2..0226ee133d 100644
--- a/ics-attack/relationship/relationship--cb4d802e-df5b-4017-81dd-47f65fff23a3.json
+++ b/ics-attack/relationship/relationship--cb4d802e-df5b-4017-81dd-47f65fff23a3.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--cdb97b29-e09a-4ea8-b243-bb5d021c141f",
+ "id": "bundle--9f2d76ca-e0bd-4d3c-8b62-c33eacc87985",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/relationship/relationship--cba8313b-c338-45f7-88ef-a514094882ac.json b/ics-attack/relationship/relationship--cba8313b-c338-45f7-88ef-a514094882ac.json
index bd05ffc29f..fe24588877 100644
--- a/ics-attack/relationship/relationship--cba8313b-c338-45f7-88ef-a514094882ac.json
+++ b/ics-attack/relationship/relationship--cba8313b-c338-45f7-88ef-a514094882ac.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--c7692697-4013-40f5-a8a9-b7a24dc0d734",
+ "id": "bundle--cb3a7a9b-8b95-49bd-88a1-28bc676338a7",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/relationship/relationship--cca191a1-3c50-4d4f-8f79-4247e58af610.json b/ics-attack/relationship/relationship--cca191a1-3c50-4d4f-8f79-4247e58af610.json
index 00aaa7ae7c..e3eb4bb90f 100644
--- a/ics-attack/relationship/relationship--cca191a1-3c50-4d4f-8f79-4247e58af610.json
+++ b/ics-attack/relationship/relationship--cca191a1-3c50-4d4f-8f79-4247e58af610.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--5cb2cc1d-c33f-4a86-9afb-dac01d084cca",
+ "id": "bundle--0eeb2ee9-2ea3-4db6-aac2-ae398e71529f",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/relationship/relationship--ccab2b58-7c47-45fe-bdd3-3444fb53760c.json b/ics-attack/relationship/relationship--ccab2b58-7c47-45fe-bdd3-3444fb53760c.json
index b5389ee6d3..8e732aed29 100644
--- a/ics-attack/relationship/relationship--ccab2b58-7c47-45fe-bdd3-3444fb53760c.json
+++ b/ics-attack/relationship/relationship--ccab2b58-7c47-45fe-bdd3-3444fb53760c.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--066e7510-b6f6-4f82-b6b4-c289c363dcf1",
+ "id": "bundle--5966bf4c-01a9-4fea-8193-70aeab1ae2a8",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/relationship/relationship--ccae6e5d-8a9e-4bab-ae77-26a2bd722f67.json b/ics-attack/relationship/relationship--ccae6e5d-8a9e-4bab-ae77-26a2bd722f67.json
index 1913d89daf..ea042e927e 100644
--- a/ics-attack/relationship/relationship--ccae6e5d-8a9e-4bab-ae77-26a2bd722f67.json
+++ b/ics-attack/relationship/relationship--ccae6e5d-8a9e-4bab-ae77-26a2bd722f67.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--bded56c4-be12-4a7e-80bb-520569d7b054",
+ "id": "bundle--f0b93297-05ba-4123-95dd-b91aade75deb",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/relationship/relationship--ccc67bb3-acc3-4294-81b3-4a0d972f2dd7.json b/ics-attack/relationship/relationship--ccc67bb3-acc3-4294-81b3-4a0d972f2dd7.json
index 9688c3330a..e4d8aba4df 100644
--- a/ics-attack/relationship/relationship--ccc67bb3-acc3-4294-81b3-4a0d972f2dd7.json
+++ b/ics-attack/relationship/relationship--ccc67bb3-acc3-4294-81b3-4a0d972f2dd7.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--37c50d9e-59f5-4936-ad14-fe4d87431cac",
+ "id": "bundle--33f2c351-0ee0-4318-80bf-43ad0dbf74b3",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/relationship/relationship--cd297a7b-4b02-407e-a798-e36fef4cf3a1.json b/ics-attack/relationship/relationship--cd297a7b-4b02-407e-a798-e36fef4cf3a1.json
index dafa9b560f..fa6d25ce4a 100644
--- a/ics-attack/relationship/relationship--cd297a7b-4b02-407e-a798-e36fef4cf3a1.json
+++ b/ics-attack/relationship/relationship--cd297a7b-4b02-407e-a798-e36fef4cf3a1.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--32de9c3a-5e5e-49e9-9c4b-beb3b89bed23",
+ "id": "bundle--2169be20-a4cc-4413-b224-2d09e83ed3fe",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/relationship/relationship--ce0d3a3a-9c62-4bfb-a47a-7b1b23e9f035.json b/ics-attack/relationship/relationship--ce0d3a3a-9c62-4bfb-a47a-7b1b23e9f035.json
index 51f8d5d325..c6e01dbf33 100644
--- a/ics-attack/relationship/relationship--ce0d3a3a-9c62-4bfb-a47a-7b1b23e9f035.json
+++ b/ics-attack/relationship/relationship--ce0d3a3a-9c62-4bfb-a47a-7b1b23e9f035.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--cc226b90-7d47-491c-ad2e-6323f3c1b442",
+ "id": "bundle--e27fa7b2-88a6-4184-8ab5-e1c87e2084a2",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/relationship/relationship--ce64ed04-f0ff-4897-b636-3177c9c5d9bb.json b/ics-attack/relationship/relationship--ce64ed04-f0ff-4897-b636-3177c9c5d9bb.json
index eddef851c1..bf3d1fcd3e 100644
--- a/ics-attack/relationship/relationship--ce64ed04-f0ff-4897-b636-3177c9c5d9bb.json
+++ b/ics-attack/relationship/relationship--ce64ed04-f0ff-4897-b636-3177c9c5d9bb.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--cf40a4d8-79e9-4571-9d53-7a7fa0c10017",
+ "id": "bundle--cc77eebe-51bf-401a-a3ac-3e6a65ab439b",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/relationship/relationship--ce7c17b7-b60d-4ebd-9014-2c421a64d70a.json b/ics-attack/relationship/relationship--ce7c17b7-b60d-4ebd-9014-2c421a64d70a.json
index af6b35964a..17b9108a74 100644
--- a/ics-attack/relationship/relationship--ce7c17b7-b60d-4ebd-9014-2c421a64d70a.json
+++ b/ics-attack/relationship/relationship--ce7c17b7-b60d-4ebd-9014-2c421a64d70a.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--b0191569-47ef-4b63-a1cc-25716bbb9b8d",
+ "id": "bundle--88bbc87c-efba-4e78-8188-c7839d54aec1",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/relationship/relationship--cea2f5a7-4871-4c62-a2d5-5a76aadf2d1a.json b/ics-attack/relationship/relationship--cea2f5a7-4871-4c62-a2d5-5a76aadf2d1a.json
index 6483c51e5f..d0f7cef212 100644
--- a/ics-attack/relationship/relationship--cea2f5a7-4871-4c62-a2d5-5a76aadf2d1a.json
+++ b/ics-attack/relationship/relationship--cea2f5a7-4871-4c62-a2d5-5a76aadf2d1a.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--8eafcb82-3b6d-446b-bc86-c158c53372dc",
+ "id": "bundle--9eefdc9b-a903-410d-b5ec-25050ea747af",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/relationship/relationship--ceafc04b-b31f-419b-82da-41ce9e1ec6e9.json b/ics-attack/relationship/relationship--ceafc04b-b31f-419b-82da-41ce9e1ec6e9.json
index f2a26680fc..94ffae245b 100644
--- a/ics-attack/relationship/relationship--ceafc04b-b31f-419b-82da-41ce9e1ec6e9.json
+++ b/ics-attack/relationship/relationship--ceafc04b-b31f-419b-82da-41ce9e1ec6e9.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--23fc411c-06df-4545-9c5d-dad3b407af77",
+ "id": "bundle--4329bc16-d673-4451-ba4c-48f0cc94db69",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/relationship/relationship--cf703ecc-e9f5-4d56-94d4-8fda9837e614.json b/ics-attack/relationship/relationship--cf703ecc-e9f5-4d56-94d4-8fda9837e614.json
index 65bf4d46fa..7fb3a7dbff 100644
--- a/ics-attack/relationship/relationship--cf703ecc-e9f5-4d56-94d4-8fda9837e614.json
+++ b/ics-attack/relationship/relationship--cf703ecc-e9f5-4d56-94d4-8fda9837e614.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--a9dfda7a-f302-4187-bc6b-d77365f15151",
+ "id": "bundle--ff68a9e8-7f4e-4888-bc62-62531679b536",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/relationship/relationship--cf8ac499-8c1c-4615-b933-7587f1b9488b.json b/ics-attack/relationship/relationship--cf8ac499-8c1c-4615-b933-7587f1b9488b.json
index 854af6b919..9162e73b68 100644
--- a/ics-attack/relationship/relationship--cf8ac499-8c1c-4615-b933-7587f1b9488b.json
+++ b/ics-attack/relationship/relationship--cf8ac499-8c1c-4615-b933-7587f1b9488b.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--7ac78124-4b4f-4809-bfcb-9b1fed55bf91",
+ "id": "bundle--4a825752-270f-4264-a583-2b79c5caf2ff",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/relationship/relationship--cfcbca89-8912-40c0-ac15-47882162b132.json b/ics-attack/relationship/relationship--cfcbca89-8912-40c0-ac15-47882162b132.json
index da6257e2f1..692d1a2bb6 100644
--- a/ics-attack/relationship/relationship--cfcbca89-8912-40c0-ac15-47882162b132.json
+++ b/ics-attack/relationship/relationship--cfcbca89-8912-40c0-ac15-47882162b132.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--b05b9941-bc14-49e9-a533-b0cb2d1e03b9",
+ "id": "bundle--4c2b19e1-8277-46f6-b16a-77835df92984",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/relationship/relationship--d08fdedd-12f6-4681-9167-70d070432dee.json b/ics-attack/relationship/relationship--d08fdedd-12f6-4681-9167-70d070432dee.json
index 12b5c22862..c3559bc5ef 100644
--- a/ics-attack/relationship/relationship--d08fdedd-12f6-4681-9167-70d070432dee.json
+++ b/ics-attack/relationship/relationship--d08fdedd-12f6-4681-9167-70d070432dee.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--41cb58a9-50be-40c3-80de-7e2dfbf0de84",
+ "id": "bundle--1c529c47-9079-43c4-b5f1-c13f5cc7d342",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/relationship/relationship--d16e8909-d055-4174-aeb1-22c0613b2f73.json b/ics-attack/relationship/relationship--d16e8909-d055-4174-aeb1-22c0613b2f73.json
index b4979fb8df..12e34fe363 100644
--- a/ics-attack/relationship/relationship--d16e8909-d055-4174-aeb1-22c0613b2f73.json
+++ b/ics-attack/relationship/relationship--d16e8909-d055-4174-aeb1-22c0613b2f73.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--9262e5be-8531-4ef4-9786-0293a147c344",
+ "id": "bundle--0108c75d-1b38-4363-839d-0119c4efc239",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/relationship/relationship--d1971b32-3a15-4544-9f36-80c05121deb6.json b/ics-attack/relationship/relationship--d1971b32-3a15-4544-9f36-80c05121deb6.json
index c3f6c0acab..cc6ede20ad 100644
--- a/ics-attack/relationship/relationship--d1971b32-3a15-4544-9f36-80c05121deb6.json
+++ b/ics-attack/relationship/relationship--d1971b32-3a15-4544-9f36-80c05121deb6.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--fca33eee-a481-42fc-b1b1-5accf7ae428d",
+ "id": "bundle--a03b5189-6592-467f-bc51-604e5ab2aff4",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/relationship/relationship--d1d98f8c-aea2-4f06-9b0d-c543ed42c6a4.json b/ics-attack/relationship/relationship--d1d98f8c-aea2-4f06-9b0d-c543ed42c6a4.json
index 4963c0b1b6..888ab6ddd8 100644
--- a/ics-attack/relationship/relationship--d1d98f8c-aea2-4f06-9b0d-c543ed42c6a4.json
+++ b/ics-attack/relationship/relationship--d1d98f8c-aea2-4f06-9b0d-c543ed42c6a4.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--5349b661-f1ad-4e02-b74a-f6eea5cd4942",
+ "id": "bundle--8f0ea0e3-b932-4cd4-8c94-7d01edf3714e",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/relationship/relationship--d2addaa7-0fdf-44e3-9b20-c63b2b4179af.json b/ics-attack/relationship/relationship--d2addaa7-0fdf-44e3-9b20-c63b2b4179af.json
index 3fd4276fce..575b59cb68 100644
--- a/ics-attack/relationship/relationship--d2addaa7-0fdf-44e3-9b20-c63b2b4179af.json
+++ b/ics-attack/relationship/relationship--d2addaa7-0fdf-44e3-9b20-c63b2b4179af.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--eca2b5df-2e98-4b09-a267-02823ff8ba4e",
+ "id": "bundle--53290245-2464-4351-8b9b-e7ff08ccdeb2",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/relationship/relationship--d2dc57eb-5be2-4f9c-a4f7-18d2085ff412.json b/ics-attack/relationship/relationship--d2dc57eb-5be2-4f9c-a4f7-18d2085ff412.json
index 8a14a26c90..1f9212526c 100644
--- a/ics-attack/relationship/relationship--d2dc57eb-5be2-4f9c-a4f7-18d2085ff412.json
+++ b/ics-attack/relationship/relationship--d2dc57eb-5be2-4f9c-a4f7-18d2085ff412.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--cdfe08b4-0db6-4986-8add-91dd72302291",
+ "id": "bundle--ea4b8bb1-d418-409c-b11a-3f751a915dd6",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/relationship/relationship--d3c94120-e6b5-4bd2-88f0-9c73f76b0104.json b/ics-attack/relationship/relationship--d3c94120-e6b5-4bd2-88f0-9c73f76b0104.json
index 3a98961861..cb140eeb8d 100644
--- a/ics-attack/relationship/relationship--d3c94120-e6b5-4bd2-88f0-9c73f76b0104.json
+++ b/ics-attack/relationship/relationship--d3c94120-e6b5-4bd2-88f0-9c73f76b0104.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--55772994-609d-4839-b4d6-d3e77c5eac64",
+ "id": "bundle--29e9449c-b082-44e7-8ebd-6456d2f1ba68",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/relationship/relationship--d406671b-4d22-4cd5-8568-d04b0b70b51c.json b/ics-attack/relationship/relationship--d406671b-4d22-4cd5-8568-d04b0b70b51c.json
index f875e5e3a7..2e4d5d0df4 100644
--- a/ics-attack/relationship/relationship--d406671b-4d22-4cd5-8568-d04b0b70b51c.json
+++ b/ics-attack/relationship/relationship--d406671b-4d22-4cd5-8568-d04b0b70b51c.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--44577f7e-fa25-4523-aabf-8c62706b39bd",
+ "id": "bundle--aac68fe1-9f2e-4744-b83d-a40548860816",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/relationship/relationship--d464d443-6298-47eb-b767-8f1136f6b6b5.json b/ics-attack/relationship/relationship--d464d443-6298-47eb-b767-8f1136f6b6b5.json
index 1a2f95100a..9dde6f840c 100644
--- a/ics-attack/relationship/relationship--d464d443-6298-47eb-b767-8f1136f6b6b5.json
+++ b/ics-attack/relationship/relationship--d464d443-6298-47eb-b767-8f1136f6b6b5.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--97382cbc-78d9-4e7a-837a-b662dc069f11",
+ "id": "bundle--b6e9acb8-bdcb-4522-b6de-0dc149b4de8b",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/relationship/relationship--d4968f45-d06b-4843-8f72-6e08beb94cab.json b/ics-attack/relationship/relationship--d4968f45-d06b-4843-8f72-6e08beb94cab.json
index 5c73690176..fb7cd291d1 100644
--- a/ics-attack/relationship/relationship--d4968f45-d06b-4843-8f72-6e08beb94cab.json
+++ b/ics-attack/relationship/relationship--d4968f45-d06b-4843-8f72-6e08beb94cab.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--90caf47a-85db-4861-8be9-e7c6be4da9d4",
+ "id": "bundle--7fe638d4-0294-4a55-b172-0cef30126ac8",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/relationship/relationship--d50a3d89-c8fa-4c5d-813e-f4495d892d1a.json b/ics-attack/relationship/relationship--d50a3d89-c8fa-4c5d-813e-f4495d892d1a.json
index 2d7e6086c7..484fb38a80 100644
--- a/ics-attack/relationship/relationship--d50a3d89-c8fa-4c5d-813e-f4495d892d1a.json
+++ b/ics-attack/relationship/relationship--d50a3d89-c8fa-4c5d-813e-f4495d892d1a.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--bc6b5a49-f3df-48a0-8a40-dd03ca1250c7",
+ "id": "bundle--7b497dc8-1cb6-47e9-923b-3491573c5766",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/relationship/relationship--d6a2a1a8-8f5b-4e94-8fce-8edd8a17627a.json b/ics-attack/relationship/relationship--d6a2a1a8-8f5b-4e94-8fce-8edd8a17627a.json
index e2cb772595..baf5ae9ab0 100644
--- a/ics-attack/relationship/relationship--d6a2a1a8-8f5b-4e94-8fce-8edd8a17627a.json
+++ b/ics-attack/relationship/relationship--d6a2a1a8-8f5b-4e94-8fce-8edd8a17627a.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--45b65949-2ac5-4212-b976-a45b3f68cf2d",
+ "id": "bundle--b70b9c0f-05c5-4604-98dd-a97ace80e440",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/relationship/relationship--d6a8b25c-53d4-4df1-8728-20ed4ba5ddab.json b/ics-attack/relationship/relationship--d6a8b25c-53d4-4df1-8728-20ed4ba5ddab.json
index dd8e4797c2..edc206edf0 100644
--- a/ics-attack/relationship/relationship--d6a8b25c-53d4-4df1-8728-20ed4ba5ddab.json
+++ b/ics-attack/relationship/relationship--d6a8b25c-53d4-4df1-8728-20ed4ba5ddab.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--4e2ac0ba-a075-4c7d-8a6e-dee8c0efbf3f",
+ "id": "bundle--2b0d8ef1-b011-49f6-9c3d-9edec4140848",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/relationship/relationship--d72e7d01-56be-4fbd-8957-3384533ba83b.json b/ics-attack/relationship/relationship--d72e7d01-56be-4fbd-8957-3384533ba83b.json
index 72b6ed16ca..87bb1d74be 100644
--- a/ics-attack/relationship/relationship--d72e7d01-56be-4fbd-8957-3384533ba83b.json
+++ b/ics-attack/relationship/relationship--d72e7d01-56be-4fbd-8957-3384533ba83b.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--7e8b4109-0af9-4d3c-a2f3-b4536435ad0a",
+ "id": "bundle--ecd5ca7c-48c9-4583-a92c-d679d71c8fe6",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/relationship/relationship--d7ea83fa-87c7-4d36-96d5-aee554504040.json b/ics-attack/relationship/relationship--d7ea83fa-87c7-4d36-96d5-aee554504040.json
index 8fc7f5f843..d0ff7edaf4 100644
--- a/ics-attack/relationship/relationship--d7ea83fa-87c7-4d36-96d5-aee554504040.json
+++ b/ics-attack/relationship/relationship--d7ea83fa-87c7-4d36-96d5-aee554504040.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--388ade78-c30c-4778-bdb8-e42d4ca5e968",
+ "id": "bundle--bbfa6c47-9c8f-432c-b4ce-7625a57917a2",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/relationship/relationship--d8354850-bd4c-4bd9-a585-b107f5f1398f.json b/ics-attack/relationship/relationship--d8354850-bd4c-4bd9-a585-b107f5f1398f.json
index 867d5a1873..1b103852c4 100644
--- a/ics-attack/relationship/relationship--d8354850-bd4c-4bd9-a585-b107f5f1398f.json
+++ b/ics-attack/relationship/relationship--d8354850-bd4c-4bd9-a585-b107f5f1398f.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--9a9cc140-b84e-4ef0-906c-fc81d637aa3c",
+ "id": "bundle--c9608c0d-2192-4509-ae9a-4fa811669d3b",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/relationship/relationship--d854cc38-adf7-485d-96b5-70606f6cb87e.json b/ics-attack/relationship/relationship--d854cc38-adf7-485d-96b5-70606f6cb87e.json
index 8918dcbb3f..29ced0ff31 100644
--- a/ics-attack/relationship/relationship--d854cc38-adf7-485d-96b5-70606f6cb87e.json
+++ b/ics-attack/relationship/relationship--d854cc38-adf7-485d-96b5-70606f6cb87e.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--7535efa2-dc53-4218-8982-f85723c19679",
+ "id": "bundle--63774eb1-0e2c-4ad6-83a7-cd2232120aae",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/relationship/relationship--d8911566-f622-4a01-b765-514dbbfd8201.json b/ics-attack/relationship/relationship--d8911566-f622-4a01-b765-514dbbfd8201.json
index 981d2260b1..d1805b6dcf 100644
--- a/ics-attack/relationship/relationship--d8911566-f622-4a01-b765-514dbbfd8201.json
+++ b/ics-attack/relationship/relationship--d8911566-f622-4a01-b765-514dbbfd8201.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--994a7b32-84c2-48f8-82d7-d2672379d4e6",
+ "id": "bundle--49e31d6d-3f77-42c0-9710-8c2cf7f773d5",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/relationship/relationship--d8f45959-e0fc-4b4f-a074-a3acea926300.json b/ics-attack/relationship/relationship--d8f45959-e0fc-4b4f-a074-a3acea926300.json
index 42fbe6f9db..f66c503222 100644
--- a/ics-attack/relationship/relationship--d8f45959-e0fc-4b4f-a074-a3acea926300.json
+++ b/ics-attack/relationship/relationship--d8f45959-e0fc-4b4f-a074-a3acea926300.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--9997859e-cc36-4108-813f-bf853906e111",
+ "id": "bundle--67d17d13-fe67-4bfb-86ab-d52c25765dc8",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/relationship/relationship--d90aeeb6-3686-483a-8403-6514ecfe1a50.json b/ics-attack/relationship/relationship--d90aeeb6-3686-483a-8403-6514ecfe1a50.json
index c44b4f5f52..e1de8fd942 100644
--- a/ics-attack/relationship/relationship--d90aeeb6-3686-483a-8403-6514ecfe1a50.json
+++ b/ics-attack/relationship/relationship--d90aeeb6-3686-483a-8403-6514ecfe1a50.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--ea34c326-a585-4d0c-97d6-2b0bf0acad71",
+ "id": "bundle--547966c8-431b-4169-a9a7-e3b1b801bdbe",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/relationship/relationship--d90b1271-a90d-41c7-9df7-bec47880c82e.json b/ics-attack/relationship/relationship--d90b1271-a90d-41c7-9df7-bec47880c82e.json
index 3ca1bdac0e..46b88134b7 100644
--- a/ics-attack/relationship/relationship--d90b1271-a90d-41c7-9df7-bec47880c82e.json
+++ b/ics-attack/relationship/relationship--d90b1271-a90d-41c7-9df7-bec47880c82e.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--9ffdf2f6-8ab7-4870-8e8c-5655ae36cb95",
+ "id": "bundle--04912292-1c8b-4e0d-831a-cfaedb7e0284",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/relationship/relationship--d9165ecb-bc10-4189-a7e4-057bdf05bf3f.json b/ics-attack/relationship/relationship--d9165ecb-bc10-4189-a7e4-057bdf05bf3f.json
index c203b24fdf..48e4b10664 100644
--- a/ics-attack/relationship/relationship--d9165ecb-bc10-4189-a7e4-057bdf05bf3f.json
+++ b/ics-attack/relationship/relationship--d9165ecb-bc10-4189-a7e4-057bdf05bf3f.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--a36eb4e7-1b45-462d-be0e-7559956bf623",
+ "id": "bundle--8526e64c-3f83-4dcb-9989-becc1517106f",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/relationship/relationship--dadfed22-d70c-482b-9026-964396d75484.json b/ics-attack/relationship/relationship--dadfed22-d70c-482b-9026-964396d75484.json
index c2e8675074..b4c365b892 100644
--- a/ics-attack/relationship/relationship--dadfed22-d70c-482b-9026-964396d75484.json
+++ b/ics-attack/relationship/relationship--dadfed22-d70c-482b-9026-964396d75484.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--d857577d-37ca-4027-b014-7cfb03f14add",
+ "id": "bundle--547b1b68-8be2-436b-9e04-d16cd30b2450",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/relationship/relationship--db52c1b6-4e48-4e8c-a34c-3ca21b26fe8a.json b/ics-attack/relationship/relationship--db52c1b6-4e48-4e8c-a34c-3ca21b26fe8a.json
index 341a1eba2a..4fc449d79e 100644
--- a/ics-attack/relationship/relationship--db52c1b6-4e48-4e8c-a34c-3ca21b26fe8a.json
+++ b/ics-attack/relationship/relationship--db52c1b6-4e48-4e8c-a34c-3ca21b26fe8a.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--a53aff9b-84b4-4a15-92bd-b9e3c43b0932",
+ "id": "bundle--1050c733-799e-44ef-8df7-e7e9adcd3511",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/relationship/relationship--dbdd9a97-81df-40b8-b72d-ac67d121b8b3.json b/ics-attack/relationship/relationship--dbdd9a97-81df-40b8-b72d-ac67d121b8b3.json
index 3f4e09a7bc..fbb7d15d05 100644
--- a/ics-attack/relationship/relationship--dbdd9a97-81df-40b8-b72d-ac67d121b8b3.json
+++ b/ics-attack/relationship/relationship--dbdd9a97-81df-40b8-b72d-ac67d121b8b3.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--7b1fd57c-b2dd-4ab9-8111-17f033e2d3e7",
+ "id": "bundle--3e3bece7-5182-474a-8f28-9abf008140fb",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/relationship/relationship--dc15440d-6683-435a-8c87-64daea29bcaa.json b/ics-attack/relationship/relationship--dc15440d-6683-435a-8c87-64daea29bcaa.json
index 42ae3e1fd1..d0e5f01eec 100644
--- a/ics-attack/relationship/relationship--dc15440d-6683-435a-8c87-64daea29bcaa.json
+++ b/ics-attack/relationship/relationship--dc15440d-6683-435a-8c87-64daea29bcaa.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--4608cbb6-7aaf-48eb-a92f-0bd762932fa8",
+ "id": "bundle--3e41a39e-2e78-463b-b742-a05cd1a61784",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/relationship/relationship--dc35c44a-a90c-48a1-8811-af2618216e42.json b/ics-attack/relationship/relationship--dc35c44a-a90c-48a1-8811-af2618216e42.json
index 16eede7bc2..5948de8fe4 100644
--- a/ics-attack/relationship/relationship--dc35c44a-a90c-48a1-8811-af2618216e42.json
+++ b/ics-attack/relationship/relationship--dc35c44a-a90c-48a1-8811-af2618216e42.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--00648e45-2414-40b5-9361-03005a56978b",
+ "id": "bundle--19c98189-d2fb-4910-a74b-362285d90e53",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/relationship/relationship--dc46ffc2-eac7-4491-8d2a-46cf8e2e963f.json b/ics-attack/relationship/relationship--dc46ffc2-eac7-4491-8d2a-46cf8e2e963f.json
index 4feedfb829..21441dd8bb 100644
--- a/ics-attack/relationship/relationship--dc46ffc2-eac7-4491-8d2a-46cf8e2e963f.json
+++ b/ics-attack/relationship/relationship--dc46ffc2-eac7-4491-8d2a-46cf8e2e963f.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--a3dde6c5-78b1-407e-8bc3-3f8f720beed3",
+ "id": "bundle--8e70696a-0252-4ff2-897f-b881cf046ce6",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/relationship/relationship--dda29418-9570-405a-b7db-97e951e5aa53.json b/ics-attack/relationship/relationship--dda29418-9570-405a-b7db-97e951e5aa53.json
index ba38ffc2e9..f1850903ee 100644
--- a/ics-attack/relationship/relationship--dda29418-9570-405a-b7db-97e951e5aa53.json
+++ b/ics-attack/relationship/relationship--dda29418-9570-405a-b7db-97e951e5aa53.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--9c07f90e-fbab-476a-a2af-fffb1907f487",
+ "id": "bundle--501a8b76-4013-470a-8909-6f086a6a2483",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/relationship/relationship--dda89758-9d0b-446d-b594-85acc7f9cb90.json b/ics-attack/relationship/relationship--dda89758-9d0b-446d-b594-85acc7f9cb90.json
index a1a784fa0c..7c7c73dc8f 100644
--- a/ics-attack/relationship/relationship--dda89758-9d0b-446d-b594-85acc7f9cb90.json
+++ b/ics-attack/relationship/relationship--dda89758-9d0b-446d-b594-85acc7f9cb90.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--383a07ac-995f-49cd-aab8-edab1ad968b6",
+ "id": "bundle--7805caa1-5271-46fb-84bd-7f5f52d3a136",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/relationship/relationship--dded2d68-35c7-42c4-af10-efe7731673e3.json b/ics-attack/relationship/relationship--dded2d68-35c7-42c4-af10-efe7731673e3.json
index 1227af76db..ecda00efcf 100644
--- a/ics-attack/relationship/relationship--dded2d68-35c7-42c4-af10-efe7731673e3.json
+++ b/ics-attack/relationship/relationship--dded2d68-35c7-42c4-af10-efe7731673e3.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--2e49dcb8-f5d2-4016-8691-73c4dbeb63da",
+ "id": "bundle--ef9703e3-3114-46b9-a3d0-41d0f2874e81",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/relationship/relationship--de8b8a69-5f08-421a-96f0-2bed5707508d.json b/ics-attack/relationship/relationship--de8b8a69-5f08-421a-96f0-2bed5707508d.json
index 9c0025191a..3e7fc8408d 100644
--- a/ics-attack/relationship/relationship--de8b8a69-5f08-421a-96f0-2bed5707508d.json
+++ b/ics-attack/relationship/relationship--de8b8a69-5f08-421a-96f0-2bed5707508d.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--f74f9b12-52ff-49a5-b9a4-9c3a16b7ddd4",
+ "id": "bundle--3fa54aa2-6ea3-425c-b0ca-63f132072e3d",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/relationship/relationship--df6da4ec-cbe8-4f93-a41f-3726a9491938.json b/ics-attack/relationship/relationship--df6da4ec-cbe8-4f93-a41f-3726a9491938.json
index 810115db11..1dd03d9a53 100644
--- a/ics-attack/relationship/relationship--df6da4ec-cbe8-4f93-a41f-3726a9491938.json
+++ b/ics-attack/relationship/relationship--df6da4ec-cbe8-4f93-a41f-3726a9491938.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--c9bd03af-cde1-4f02-82a3-8adcf33cedcd",
+ "id": "bundle--bbfab291-81fe-42d4-91e4-4506e8c159b4",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/relationship/relationship--df95c619-33ee-4484-934a-78857717323e.json b/ics-attack/relationship/relationship--df95c619-33ee-4484-934a-78857717323e.json
index d08d113b49..1a63bf4982 100644
--- a/ics-attack/relationship/relationship--df95c619-33ee-4484-934a-78857717323e.json
+++ b/ics-attack/relationship/relationship--df95c619-33ee-4484-934a-78857717323e.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--7a756fa7-9ab7-4da7-a4f6-11921a481f08",
+ "id": "bundle--b7149873-3f6c-4046-9dc4-ae7baeaad194",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/relationship/relationship--dfd0dc6c-33ad-44a4-9def-1d8e23e278fb.json b/ics-attack/relationship/relationship--dfd0dc6c-33ad-44a4-9def-1d8e23e278fb.json
index a485656076..a028634aca 100644
--- a/ics-attack/relationship/relationship--dfd0dc6c-33ad-44a4-9def-1d8e23e278fb.json
+++ b/ics-attack/relationship/relationship--dfd0dc6c-33ad-44a4-9def-1d8e23e278fb.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--9007f5f5-ef73-431f-aa38-3c6f2eb029b7",
+ "id": "bundle--ab486cd2-da95-488d-afe7-41a783b1184c",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/relationship/relationship--dfe43fa1-ffc2-4c6c-a91d-f2ca55f21ccb.json b/ics-attack/relationship/relationship--dfe43fa1-ffc2-4c6c-a91d-f2ca55f21ccb.json
index 002af5d078..38750843be 100644
--- a/ics-attack/relationship/relationship--dfe43fa1-ffc2-4c6c-a91d-f2ca55f21ccb.json
+++ b/ics-attack/relationship/relationship--dfe43fa1-ffc2-4c6c-a91d-f2ca55f21ccb.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--a699710d-fbef-4442-8883-3cc0a143201d",
+ "id": "bundle--d1bb11b9-68fb-41b3-a8f3-c75be34b1ae5",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/relationship/relationship--e02565fe-65ff-4b70-8a8d-b0abf6d9a9f4.json b/ics-attack/relationship/relationship--e02565fe-65ff-4b70-8a8d-b0abf6d9a9f4.json
index 3131ac8a21..0b56c1232c 100644
--- a/ics-attack/relationship/relationship--e02565fe-65ff-4b70-8a8d-b0abf6d9a9f4.json
+++ b/ics-attack/relationship/relationship--e02565fe-65ff-4b70-8a8d-b0abf6d9a9f4.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--d5b5cdfa-5164-49c4-aa0d-d9aeb633ce3a",
+ "id": "bundle--cbe8c41c-4678-4d75-adb5-1fccd664a732",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/relationship/relationship--e09e253c-fd28-49ae-988e-1f80d769e8b8.json b/ics-attack/relationship/relationship--e09e253c-fd28-49ae-988e-1f80d769e8b8.json
index 029d2be37e..461780c520 100644
--- a/ics-attack/relationship/relationship--e09e253c-fd28-49ae-988e-1f80d769e8b8.json
+++ b/ics-attack/relationship/relationship--e09e253c-fd28-49ae-988e-1f80d769e8b8.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--56f62238-a1b1-4e62-854b-d1ecc1b74510",
+ "id": "bundle--5b9f8ef9-d523-41a4-a04e-f55170106626",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/relationship/relationship--e09f3308-57d7-4b2b-b340-784b88ae61ca.json b/ics-attack/relationship/relationship--e09f3308-57d7-4b2b-b340-784b88ae61ca.json
index 9213493b33..7afda9391e 100644
--- a/ics-attack/relationship/relationship--e09f3308-57d7-4b2b-b340-784b88ae61ca.json
+++ b/ics-attack/relationship/relationship--e09f3308-57d7-4b2b-b340-784b88ae61ca.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--cc33f278-03cb-49f1-ba00-188349665a17",
+ "id": "bundle--2cafbdcb-7ed7-43f7-85ae-3fc6cc99215f",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/relationship/relationship--e0aee02c-b424-4781-be10-793d71594c31.json b/ics-attack/relationship/relationship--e0aee02c-b424-4781-be10-793d71594c31.json
index cef83d8073..4b3e308843 100644
--- a/ics-attack/relationship/relationship--e0aee02c-b424-4781-be10-793d71594c31.json
+++ b/ics-attack/relationship/relationship--e0aee02c-b424-4781-be10-793d71594c31.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--c98a6a50-ff6f-4c91-a325-84b7db791ebc",
+ "id": "bundle--cddfd02c-f209-445f-a893-f5a2b8addd1d",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/relationship/relationship--e0d101cc-1284-4e88-82d6-227fe5d19d8a.json b/ics-attack/relationship/relationship--e0d101cc-1284-4e88-82d6-227fe5d19d8a.json
index de5593e77b..7f3e2ae586 100644
--- a/ics-attack/relationship/relationship--e0d101cc-1284-4e88-82d6-227fe5d19d8a.json
+++ b/ics-attack/relationship/relationship--e0d101cc-1284-4e88-82d6-227fe5d19d8a.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--59cf9713-5e69-429d-985d-ffbb20335744",
+ "id": "bundle--a0e309d9-9a15-451d-8363-384a7719fd12",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/relationship/relationship--e1461f8d-6a16-4526-ac0b-0acd27ae8065.json b/ics-attack/relationship/relationship--e1461f8d-6a16-4526-ac0b-0acd27ae8065.json
index fea8cc60f2..73d6f0fdba 100644
--- a/ics-attack/relationship/relationship--e1461f8d-6a16-4526-ac0b-0acd27ae8065.json
+++ b/ics-attack/relationship/relationship--e1461f8d-6a16-4526-ac0b-0acd27ae8065.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--49dfc86d-cfc8-4ed3-8df0-299065e89300",
+ "id": "bundle--5dd98f39-7bb8-48e7-a797-7966cc8f49a8",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/relationship/relationship--e18af08c-3953-4b1d-b46c-45572fdb5187.json b/ics-attack/relationship/relationship--e18af08c-3953-4b1d-b46c-45572fdb5187.json
index fd3071f5f4..434029479a 100644
--- a/ics-attack/relationship/relationship--e18af08c-3953-4b1d-b46c-45572fdb5187.json
+++ b/ics-attack/relationship/relationship--e18af08c-3953-4b1d-b46c-45572fdb5187.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--83406541-4605-4079-b900-ef731b645093",
+ "id": "bundle--40204c17-755c-4c3f-9df5-3eb8b30fe940",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/relationship/relationship--e257913e-40ba-4a05-ba97-0c3175c966b5.json b/ics-attack/relationship/relationship--e257913e-40ba-4a05-ba97-0c3175c966b5.json
index a371044af0..05a7bd460d 100644
--- a/ics-attack/relationship/relationship--e257913e-40ba-4a05-ba97-0c3175c966b5.json
+++ b/ics-attack/relationship/relationship--e257913e-40ba-4a05-ba97-0c3175c966b5.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--db52f031-b8cf-4696-b99a-5ccdd70b2240",
+ "id": "bundle--0e465f24-4954-4521-b364-ce1807f14655",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/relationship/relationship--e323dee4-a896-4a82-85f5-d51d311b0437.json b/ics-attack/relationship/relationship--e323dee4-a896-4a82-85f5-d51d311b0437.json
index fd5faa5ded..25562b8dd1 100644
--- a/ics-attack/relationship/relationship--e323dee4-a896-4a82-85f5-d51d311b0437.json
+++ b/ics-attack/relationship/relationship--e323dee4-a896-4a82-85f5-d51d311b0437.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--7a059788-7ae6-4911-a684-eeaa1f942fd9",
+ "id": "bundle--a16d30bd-48cc-4827-bb7f-df0eefc1e777",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/relationship/relationship--e3923fcf-5580-4c1e-bc55-33f67792cc00.json b/ics-attack/relationship/relationship--e3923fcf-5580-4c1e-bc55-33f67792cc00.json
index 0c1c470fa6..713edab17f 100644
--- a/ics-attack/relationship/relationship--e3923fcf-5580-4c1e-bc55-33f67792cc00.json
+++ b/ics-attack/relationship/relationship--e3923fcf-5580-4c1e-bc55-33f67792cc00.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--45323da9-c734-4bdc-9955-60240bf0dfc2",
+ "id": "bundle--cfe0e763-6808-423a-847f-1f1fd87b988f",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/relationship/relationship--e4a11381-8608-4c71-966f-df0cbb834fe0.json b/ics-attack/relationship/relationship--e4a11381-8608-4c71-966f-df0cbb834fe0.json
index 9654ea29f5..1e8727b3eb 100644
--- a/ics-attack/relationship/relationship--e4a11381-8608-4c71-966f-df0cbb834fe0.json
+++ b/ics-attack/relationship/relationship--e4a11381-8608-4c71-966f-df0cbb834fe0.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--1c7f8760-5b48-465c-8ef0-3b778ada68b6",
+ "id": "bundle--f52830f4-6fe2-4942-b6ef-5f3f93b8f33e",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/relationship/relationship--e5afc447-a241-4773-9a8a-3d6fd205d926.json b/ics-attack/relationship/relationship--e5afc447-a241-4773-9a8a-3d6fd205d926.json
index 43d46a3493..2742fe3b7c 100644
--- a/ics-attack/relationship/relationship--e5afc447-a241-4773-9a8a-3d6fd205d926.json
+++ b/ics-attack/relationship/relationship--e5afc447-a241-4773-9a8a-3d6fd205d926.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--689001b2-7df4-4d39-a23b-e180f5a8cb1f",
+ "id": "bundle--d7d47b05-beee-4996-a642-d076788f4c0c",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/relationship/relationship--e5b62475-bd08-4ac6-a6f7-78f1843bf506.json b/ics-attack/relationship/relationship--e5b62475-bd08-4ac6-a6f7-78f1843bf506.json
index 25901c9fd3..9bf93ec216 100644
--- a/ics-attack/relationship/relationship--e5b62475-bd08-4ac6-a6f7-78f1843bf506.json
+++ b/ics-attack/relationship/relationship--e5b62475-bd08-4ac6-a6f7-78f1843bf506.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--4b4e5e68-ebbe-458f-a0ea-2da7d84da206",
+ "id": "bundle--02a5b78c-f47d-47e3-8c0d-5f8d31bba5b2",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/relationship/relationship--e607bb66-e53f-4684-b3f1-36a997e27d01.json b/ics-attack/relationship/relationship--e607bb66-e53f-4684-b3f1-36a997e27d01.json
index 030b8a56bb..3df8c9c29f 100644
--- a/ics-attack/relationship/relationship--e607bb66-e53f-4684-b3f1-36a997e27d01.json
+++ b/ics-attack/relationship/relationship--e607bb66-e53f-4684-b3f1-36a997e27d01.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--fd995f7a-26fb-4ac6-af80-20c40ca4c4b1",
+ "id": "bundle--88595192-7921-4748-9905-4cf30791b88e",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/relationship/relationship--e6be2fb4-3815-4e52-8dec-2aed1dc3b7cf.json b/ics-attack/relationship/relationship--e6be2fb4-3815-4e52-8dec-2aed1dc3b7cf.json
index 3d6f519e8c..79d82943df 100644
--- a/ics-attack/relationship/relationship--e6be2fb4-3815-4e52-8dec-2aed1dc3b7cf.json
+++ b/ics-attack/relationship/relationship--e6be2fb4-3815-4e52-8dec-2aed1dc3b7cf.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--bfc19ab5-fedf-41c0-8684-2a11f45408a1",
+ "id": "bundle--07da5966-0db7-4787-84d5-a998e0ec1e87",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/relationship/relationship--e6e0ef82-2cb6-43fe-8f4a-b9e4d5a57b13.json b/ics-attack/relationship/relationship--e6e0ef82-2cb6-43fe-8f4a-b9e4d5a57b13.json
index f0d255a902..df10e4aee3 100644
--- a/ics-attack/relationship/relationship--e6e0ef82-2cb6-43fe-8f4a-b9e4d5a57b13.json
+++ b/ics-attack/relationship/relationship--e6e0ef82-2cb6-43fe-8f4a-b9e4d5a57b13.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--f9e58c85-81d0-486f-af3c-a9bfa5443755",
+ "id": "bundle--8ba8874b-dc09-404a-8007-3c5c0baa696a",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/relationship/relationship--e767c178-e4b2-490a-b544-bb1b2d6c7de4.json b/ics-attack/relationship/relationship--e767c178-e4b2-490a-b544-bb1b2d6c7de4.json
index a252216f00..fe3f98e417 100644
--- a/ics-attack/relationship/relationship--e767c178-e4b2-490a-b544-bb1b2d6c7de4.json
+++ b/ics-attack/relationship/relationship--e767c178-e4b2-490a-b544-bb1b2d6c7de4.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--308efc96-751e-4efa-b5d3-7e4aafdcaf94",
+ "id": "bundle--9883cfa4-733a-4328-a42c-d79a790e0269",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/relationship/relationship--e852e64c-b5e0-4e7f-a189-bbc7aa7932c7.json b/ics-attack/relationship/relationship--e852e64c-b5e0-4e7f-a189-bbc7aa7932c7.json
index 215b1368cd..df64ff8293 100644
--- a/ics-attack/relationship/relationship--e852e64c-b5e0-4e7f-a189-bbc7aa7932c7.json
+++ b/ics-attack/relationship/relationship--e852e64c-b5e0-4e7f-a189-bbc7aa7932c7.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--ee9f19f7-9932-4e8e-ac15-e31ac559af7a",
+ "id": "bundle--9c9c2600-e46a-47e0-97fd-1bd6041494eb",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/relationship/relationship--e8af0b34-4a67-4966-a34a-c4d1b346ea15.json b/ics-attack/relationship/relationship--e8af0b34-4a67-4966-a34a-c4d1b346ea15.json
index 47735dca06..1cf3847e82 100644
--- a/ics-attack/relationship/relationship--e8af0b34-4a67-4966-a34a-c4d1b346ea15.json
+++ b/ics-attack/relationship/relationship--e8af0b34-4a67-4966-a34a-c4d1b346ea15.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--a5b7e9f2-a8ae-4e5e-a98b-8a713659d3cf",
+ "id": "bundle--303e8a63-fcb5-471f-af86-81ccb044243f",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/relationship/relationship--e8d5ee60-952f-42ff-bf48-7da9cd0fdb23.json b/ics-attack/relationship/relationship--e8d5ee60-952f-42ff-bf48-7da9cd0fdb23.json
index 0eb6064ee7..b832dafd55 100644
--- a/ics-attack/relationship/relationship--e8d5ee60-952f-42ff-bf48-7da9cd0fdb23.json
+++ b/ics-attack/relationship/relationship--e8d5ee60-952f-42ff-bf48-7da9cd0fdb23.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--cd48c835-283c-4b85-acb4-8521d1b9dfa5",
+ "id": "bundle--331c982c-6d5c-468d-bcee-4c47369c0ffb",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/relationship/relationship--e8eaac2d-a4bf-408f-b24f-14471db7059b.json b/ics-attack/relationship/relationship--e8eaac2d-a4bf-408f-b24f-14471db7059b.json
index fa1f2c5429..1a73365fb9 100644
--- a/ics-attack/relationship/relationship--e8eaac2d-a4bf-408f-b24f-14471db7059b.json
+++ b/ics-attack/relationship/relationship--e8eaac2d-a4bf-408f-b24f-14471db7059b.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--4ee6b9f8-9a99-49ae-9dbb-c7e107ce5e2f",
+ "id": "bundle--fba4cca5-1651-49d3-a9b0-271cdc56ca00",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/relationship/relationship--e9f5096e-b9fc-459a-a303-88763b1269cc.json b/ics-attack/relationship/relationship--e9f5096e-b9fc-459a-a303-88763b1269cc.json
index 6211c04f24..31a38a4be2 100644
--- a/ics-attack/relationship/relationship--e9f5096e-b9fc-459a-a303-88763b1269cc.json
+++ b/ics-attack/relationship/relationship--e9f5096e-b9fc-459a-a303-88763b1269cc.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--469b075d-fc35-4e1e-bbda-499b7f96408e",
+ "id": "bundle--ea22ba0e-7fee-4f60-afff-b7958f94e205",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/relationship/relationship--ea218d63-d9de-4f63-804a-cb039d804025.json b/ics-attack/relationship/relationship--ea218d63-d9de-4f63-804a-cb039d804025.json
index f882044385..895ebb3f24 100644
--- a/ics-attack/relationship/relationship--ea218d63-d9de-4f63-804a-cb039d804025.json
+++ b/ics-attack/relationship/relationship--ea218d63-d9de-4f63-804a-cb039d804025.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--984afa8f-1313-4395-90e8-f5532ebb2e27",
+ "id": "bundle--b3e47884-62f0-4596-96eb-41f175b99ac0",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/relationship/relationship--ea50253a-3220-458b-b810-ad032f2b182f.json b/ics-attack/relationship/relationship--ea50253a-3220-458b-b810-ad032f2b182f.json
index 0d51f791ff..34a199d01f 100644
--- a/ics-attack/relationship/relationship--ea50253a-3220-458b-b810-ad032f2b182f.json
+++ b/ics-attack/relationship/relationship--ea50253a-3220-458b-b810-ad032f2b182f.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--72b99c94-1813-4b09-94a1-dd6e1ca000ac",
+ "id": "bundle--7215f7c1-4a9a-4155-b549-c76bd325db11",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/relationship/relationship--ea5828bb-5da7-4ed8-83b8-8d3b0e51cb3a.json b/ics-attack/relationship/relationship--ea5828bb-5da7-4ed8-83b8-8d3b0e51cb3a.json
index 6687b9a14b..d0bb3b815a 100644
--- a/ics-attack/relationship/relationship--ea5828bb-5da7-4ed8-83b8-8d3b0e51cb3a.json
+++ b/ics-attack/relationship/relationship--ea5828bb-5da7-4ed8-83b8-8d3b0e51cb3a.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--e84c11e4-68d6-4b30-bd0c-e5ea83f3e97f",
+ "id": "bundle--d4acedb0-7174-4325-9a9b-e4bf5e01f880",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/relationship/relationship--ea817c7a-9424-4204-90a5-6f8fb86037be.json b/ics-attack/relationship/relationship--ea817c7a-9424-4204-90a5-6f8fb86037be.json
index 1f07726847..5436882a23 100644
--- a/ics-attack/relationship/relationship--ea817c7a-9424-4204-90a5-6f8fb86037be.json
+++ b/ics-attack/relationship/relationship--ea817c7a-9424-4204-90a5-6f8fb86037be.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--c27d00a0-87cd-414b-9b2f-200ff4acdffb",
+ "id": "bundle--0df03a74-1d82-43b5-ba49-156cc104450b",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/relationship/relationship--eac550b4-3bd2-4309-8b37-b797dd0bd8a7.json b/ics-attack/relationship/relationship--eac550b4-3bd2-4309-8b37-b797dd0bd8a7.json
index cc02fe69e7..9ecde6d850 100644
--- a/ics-attack/relationship/relationship--eac550b4-3bd2-4309-8b37-b797dd0bd8a7.json
+++ b/ics-attack/relationship/relationship--eac550b4-3bd2-4309-8b37-b797dd0bd8a7.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--e624df61-c617-4f8b-997c-2035998221f2",
+ "id": "bundle--f2840868-628a-4e01-9998-bc607995c350",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/relationship/relationship--eaeb3c8d-9d91-4eb0-8049-5cb99e141026.json b/ics-attack/relationship/relationship--eaeb3c8d-9d91-4eb0-8049-5cb99e141026.json
index 8780c84d6a..752ab1c324 100644
--- a/ics-attack/relationship/relationship--eaeb3c8d-9d91-4eb0-8049-5cb99e141026.json
+++ b/ics-attack/relationship/relationship--eaeb3c8d-9d91-4eb0-8049-5cb99e141026.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--6226597d-537f-4278-a296-292a4ae43d32",
+ "id": "bundle--bc11ac9a-4818-42c3-af6c-000eeb3940f9",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/relationship/relationship--eb06ac7d-117a-48ab-ae3b-8bfa8f332f60.json b/ics-attack/relationship/relationship--eb06ac7d-117a-48ab-ae3b-8bfa8f332f60.json
index 3902a9d02c..23018fd2cd 100644
--- a/ics-attack/relationship/relationship--eb06ac7d-117a-48ab-ae3b-8bfa8f332f60.json
+++ b/ics-attack/relationship/relationship--eb06ac7d-117a-48ab-ae3b-8bfa8f332f60.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--f5e0f09e-b77b-4a74-85ff-62ed127fb862",
+ "id": "bundle--47912668-8851-4a70-9292-2f8b9918ba07",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/relationship/relationship--eb1e05ef-58df-4c6d-acd7-5cc63ff7f44f.json b/ics-attack/relationship/relationship--eb1e05ef-58df-4c6d-acd7-5cc63ff7f44f.json
index 70e3b85fbd..212a99dec4 100644
--- a/ics-attack/relationship/relationship--eb1e05ef-58df-4c6d-acd7-5cc63ff7f44f.json
+++ b/ics-attack/relationship/relationship--eb1e05ef-58df-4c6d-acd7-5cc63ff7f44f.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--fa229b36-1a28-46e4-87fa-f3d74eccea5e",
+ "id": "bundle--353a6de9-34fd-40c4-8e90-33eeb7712ba5",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/relationship/relationship--ebc34374-2dee-4dc1-b0b7-f31ae94dab11.json b/ics-attack/relationship/relationship--ebc34374-2dee-4dc1-b0b7-f31ae94dab11.json
index a68ee99ea1..ace73a6f24 100644
--- a/ics-attack/relationship/relationship--ebc34374-2dee-4dc1-b0b7-f31ae94dab11.json
+++ b/ics-attack/relationship/relationship--ebc34374-2dee-4dc1-b0b7-f31ae94dab11.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--a8aefd11-af55-43b4-b811-bd8b659c438c",
+ "id": "bundle--d2a0a611-5db4-46ee-be53-7ece7ea98e5e",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/relationship/relationship--ec105f62-2552-41fa-8b07-619dc1bf9b19.json b/ics-attack/relationship/relationship--ec105f62-2552-41fa-8b07-619dc1bf9b19.json
index 98f725b221..bdb0d947a7 100644
--- a/ics-attack/relationship/relationship--ec105f62-2552-41fa-8b07-619dc1bf9b19.json
+++ b/ics-attack/relationship/relationship--ec105f62-2552-41fa-8b07-619dc1bf9b19.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--0bc1a1d4-4a9e-4f45-b3bb-7da59ea566d0",
+ "id": "bundle--741ff513-c39d-4ca5-80c9-63064e70bcd9",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/relationship/relationship--ecf39e19-439f-4e9a-97c2-673ce4eb0a1a.json b/ics-attack/relationship/relationship--ecf39e19-439f-4e9a-97c2-673ce4eb0a1a.json
index 5ea2091313..c3ff1593d1 100644
--- a/ics-attack/relationship/relationship--ecf39e19-439f-4e9a-97c2-673ce4eb0a1a.json
+++ b/ics-attack/relationship/relationship--ecf39e19-439f-4e9a-97c2-673ce4eb0a1a.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--9cb2f396-1f8d-4f95-9da0-170ec8950934",
+ "id": "bundle--428a5b3b-a01c-498e-b511-61cfd425aefd",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/relationship/relationship--edb32a4d-62a3-467c-8dfa-f97f1bcbffc6.json b/ics-attack/relationship/relationship--edb32a4d-62a3-467c-8dfa-f97f1bcbffc6.json
index e23a150603..db723b9717 100644
--- a/ics-attack/relationship/relationship--edb32a4d-62a3-467c-8dfa-f97f1bcbffc6.json
+++ b/ics-attack/relationship/relationship--edb32a4d-62a3-467c-8dfa-f97f1bcbffc6.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--49d1e84d-267e-4962-abe5-a2d48c6ba139",
+ "id": "bundle--4b959171-0ded-4ec6-bebb-7498029d5df7",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/relationship/relationship--edf73653-b2d7-422f-b433-b6a428ff12d4.json b/ics-attack/relationship/relationship--edf73653-b2d7-422f-b433-b6a428ff12d4.json
index 43c49c7df1..354993b170 100644
--- a/ics-attack/relationship/relationship--edf73653-b2d7-422f-b433-b6a428ff12d4.json
+++ b/ics-attack/relationship/relationship--edf73653-b2d7-422f-b433-b6a428ff12d4.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--ca6f2872-4f25-413c-864d-7d21151bfecf",
+ "id": "bundle--55abd166-0850-4f39-8db5-02f7bc31436f",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/relationship/relationship--ee1a52bc-6c1b-4e2c-b296-173dccbc020a.json b/ics-attack/relationship/relationship--ee1a52bc-6c1b-4e2c-b296-173dccbc020a.json
index 00ca513042..67fdfaf97a 100644
--- a/ics-attack/relationship/relationship--ee1a52bc-6c1b-4e2c-b296-173dccbc020a.json
+++ b/ics-attack/relationship/relationship--ee1a52bc-6c1b-4e2c-b296-173dccbc020a.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--491ad4b4-8c15-4928-beaa-e3a117f43652",
+ "id": "bundle--3451383c-e6df-44b2-ab65-d7b08ea69cba",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/relationship/relationship--ee1bf429-2c7c-4eb6-acca-e758522baf2e.json b/ics-attack/relationship/relationship--ee1bf429-2c7c-4eb6-acca-e758522baf2e.json
index 70e5185419..4c72caa648 100644
--- a/ics-attack/relationship/relationship--ee1bf429-2c7c-4eb6-acca-e758522baf2e.json
+++ b/ics-attack/relationship/relationship--ee1bf429-2c7c-4eb6-acca-e758522baf2e.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--81eef13c-c362-4745-be00-3a8a2fbaf97d",
+ "id": "bundle--24c57c73-ade3-47c9-aa87-22d044ddc418",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/relationship/relationship--ee2fdebd-1587-4e53-a7d7-c15fcc88879d.json b/ics-attack/relationship/relationship--ee2fdebd-1587-4e53-a7d7-c15fcc88879d.json
index ab79b27ead..28e3725b39 100644
--- a/ics-attack/relationship/relationship--ee2fdebd-1587-4e53-a7d7-c15fcc88879d.json
+++ b/ics-attack/relationship/relationship--ee2fdebd-1587-4e53-a7d7-c15fcc88879d.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--f86e6ecb-c0b4-441f-90fa-02ed6d40e703",
+ "id": "bundle--b0331953-ef23-44f0-b816-1185ca863f1b",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/relationship/relationship--ee89466e-0655-4217-844d-fb8ea4f76247.json b/ics-attack/relationship/relationship--ee89466e-0655-4217-844d-fb8ea4f76247.json
index b12fca35e1..c4c4a4721e 100644
--- a/ics-attack/relationship/relationship--ee89466e-0655-4217-844d-fb8ea4f76247.json
+++ b/ics-attack/relationship/relationship--ee89466e-0655-4217-844d-fb8ea4f76247.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--b9de1b97-8176-4c41-b786-db9c4ba2eb9e",
+ "id": "bundle--401400eb-e485-439d-94ed-077cdba1da18",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/relationship/relationship--eecca3e7-4db5-40d4-b04c-13f84701acb3.json b/ics-attack/relationship/relationship--eecca3e7-4db5-40d4-b04c-13f84701acb3.json
index 9c34c4e1be..65dd080383 100644
--- a/ics-attack/relationship/relationship--eecca3e7-4db5-40d4-b04c-13f84701acb3.json
+++ b/ics-attack/relationship/relationship--eecca3e7-4db5-40d4-b04c-13f84701acb3.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--fe34a01d-cbea-445f-b7d4-da98c612d648",
+ "id": "bundle--55c1017b-f58b-4119-9284-abf9e155ac00",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/relationship/relationship--eeeaa0d4-0ca0-468e-ae13-43ab7aba61b4.json b/ics-attack/relationship/relationship--eeeaa0d4-0ca0-468e-ae13-43ab7aba61b4.json
index 3b98f12392..e4769fdf21 100644
--- a/ics-attack/relationship/relationship--eeeaa0d4-0ca0-468e-ae13-43ab7aba61b4.json
+++ b/ics-attack/relationship/relationship--eeeaa0d4-0ca0-468e-ae13-43ab7aba61b4.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--97a54010-d284-493c-b971-7411275a6b24",
+ "id": "bundle--fee9e78b-67fa-4f7a-8fcc-aeac91f2c137",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/relationship/relationship--eeeff03f-7436-4f76-8591-42075e6647d4.json b/ics-attack/relationship/relationship--eeeff03f-7436-4f76-8591-42075e6647d4.json
index f90043269b..59193e10be 100644
--- a/ics-attack/relationship/relationship--eeeff03f-7436-4f76-8591-42075e6647d4.json
+++ b/ics-attack/relationship/relationship--eeeff03f-7436-4f76-8591-42075e6647d4.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--2412ba81-0e85-4b41-8a0c-2a0f000a5eac",
+ "id": "bundle--5162901e-5863-4a45-97f8-2b95d2e32332",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/relationship/relationship--ef615d62-fe85-4740-9c5d-5dddff9b5693.json b/ics-attack/relationship/relationship--ef615d62-fe85-4740-9c5d-5dddff9b5693.json
index e343072ed1..8d4dd4b35c 100644
--- a/ics-attack/relationship/relationship--ef615d62-fe85-4740-9c5d-5dddff9b5693.json
+++ b/ics-attack/relationship/relationship--ef615d62-fe85-4740-9c5d-5dddff9b5693.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--54a60b4d-80a2-46a8-9eb9-bcd0da9589c0",
+ "id": "bundle--25569b1f-ccae-4d69-adaf-8ceb70b33483",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/relationship/relationship--efb80069-e4be-4055-bd34-06d1376b4601.json b/ics-attack/relationship/relationship--efb80069-e4be-4055-bd34-06d1376b4601.json
index 541c4fef5b..646023f73d 100644
--- a/ics-attack/relationship/relationship--efb80069-e4be-4055-bd34-06d1376b4601.json
+++ b/ics-attack/relationship/relationship--efb80069-e4be-4055-bd34-06d1376b4601.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--d2c25295-bb3f-4048-ade5-dda905891088",
+ "id": "bundle--7ee63123-b18a-4d43-b862-57767873759a",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/relationship/relationship--f0ac1d07-fccd-4330-93cf-fbc985ee6fb9.json b/ics-attack/relationship/relationship--f0ac1d07-fccd-4330-93cf-fbc985ee6fb9.json
index 9b9b2a4232..1d4aeadc87 100644
--- a/ics-attack/relationship/relationship--f0ac1d07-fccd-4330-93cf-fbc985ee6fb9.json
+++ b/ics-attack/relationship/relationship--f0ac1d07-fccd-4330-93cf-fbc985ee6fb9.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--06891ee0-e2e3-4c87-beb9-be960786881f",
+ "id": "bundle--0255e89a-827d-439d-9da6-ac5c28960081",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/relationship/relationship--f0c81c9f-2fb7-4e7d-98ed-c75e3be7d962.json b/ics-attack/relationship/relationship--f0c81c9f-2fb7-4e7d-98ed-c75e3be7d962.json
index e27f2c64fc..470112818c 100644
--- a/ics-attack/relationship/relationship--f0c81c9f-2fb7-4e7d-98ed-c75e3be7d962.json
+++ b/ics-attack/relationship/relationship--f0c81c9f-2fb7-4e7d-98ed-c75e3be7d962.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--2d5d772b-0082-4f3e-a340-b8e73dd58b5e",
+ "id": "bundle--cf946dfa-d50f-41f2-81e9-a837979a9006",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/relationship/relationship--f0c8a954-c1a0-453a-9c1d-484305abdab2.json b/ics-attack/relationship/relationship--f0c8a954-c1a0-453a-9c1d-484305abdab2.json
index 84b7d2373e..a3cd0f9b17 100644
--- a/ics-attack/relationship/relationship--f0c8a954-c1a0-453a-9c1d-484305abdab2.json
+++ b/ics-attack/relationship/relationship--f0c8a954-c1a0-453a-9c1d-484305abdab2.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--819793e2-d479-4393-aef1-c56aef4c861f",
+ "id": "bundle--bcc8b3a2-af8f-4d14-9eeb-5aa04408f4a8",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/relationship/relationship--f130282b-f681-455f-966b-55829842be92.json b/ics-attack/relationship/relationship--f130282b-f681-455f-966b-55829842be92.json
index 690fd03ce3..960ed0dc91 100644
--- a/ics-attack/relationship/relationship--f130282b-f681-455f-966b-55829842be92.json
+++ b/ics-attack/relationship/relationship--f130282b-f681-455f-966b-55829842be92.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--feb15a43-0ecd-4079-9d3d-589e4f957f86",
+ "id": "bundle--9da95148-4627-4023-80a4-6f3be2a22fe0",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/relationship/relationship--f145b7e5-048b-46e7-8439-e2b88917523c.json b/ics-attack/relationship/relationship--f145b7e5-048b-46e7-8439-e2b88917523c.json
index b00ff78460..d1c5bf7e13 100644
--- a/ics-attack/relationship/relationship--f145b7e5-048b-46e7-8439-e2b88917523c.json
+++ b/ics-attack/relationship/relationship--f145b7e5-048b-46e7-8439-e2b88917523c.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--6d7e7551-a306-4faa-9367-028b72485e4d",
+ "id": "bundle--e47b246a-6bfc-4644-8e03-b3a242e037fe",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/ics-attack/relationship/relationship--f15f24d2-e581-46ce-83e4-a924f572aae6.json b/ics-attack/relationship/relationship--f15f24d2-e581-46ce-83e4-a924f572aae6.json
index c03255beda..7d8bb79ba1 100644
--- a/ics-attack/relationship/relationship--f15f24d2-e581-46ce-83e4-a924f572aae6.json
+++ b/ics-attack/relationship/relationship--f15f24d2-e581-46ce-83e4-a924f572aae6.json
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--58ef7f07-f3b9-4ec3-aca0-017e4afc8c7f", + "id": "bundle--330ecf72-53a5-4637-bc4d-ece638759caa", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--f20d8eed-b517-4297-b32a-9a5e0845de9f.json b/ics-attack/relationship/relationship--f20d8eed-b517-4297-b32a-9a5e0845de9f.json index f765f0622b..d7b583bd2f 100644 --- a/ics-attack/relationship/relationship--f20d8eed-b517-4297-b32a-9a5e0845de9f.json +++ b/ics-attack/relationship/relationship--f20d8eed-b517-4297-b32a-9a5e0845de9f.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--649b505d-4636-4b32-a529-8455eca55b11", + "id": "bundle--153ab5f6-f19e-429f-a8bb-bcd75d0830bf", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--f29ecf69-1753-44bb-9b80-1025f49cadda.json b/ics-attack/relationship/relationship--f29ecf69-1753-44bb-9b80-1025f49cadda.json index fff2f41efe..0282226fb1 100644 --- a/ics-attack/relationship/relationship--f29ecf69-1753-44bb-9b80-1025f49cadda.json +++ b/ics-attack/relationship/relationship--f29ecf69-1753-44bb-9b80-1025f49cadda.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--22224095-11bb-4721-8921-43bec0cdad26", + "id": "bundle--300b9430-27b8-4467-b02f-f4fa63609281", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--f2e6103d-ca06-45c4-8fe9-049687fc4361.json b/ics-attack/relationship/relationship--f2e6103d-ca06-45c4-8fe9-049687fc4361.json index 296ec8d83f..c7a2d267ab 100644 --- a/ics-attack/relationship/relationship--f2e6103d-ca06-45c4-8fe9-049687fc4361.json +++ b/ics-attack/relationship/relationship--f2e6103d-ca06-45c4-8fe9-049687fc4361.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--34ee0e00-f59e-435b-9503-babcb9318d00", + "id": "bundle--e9fdb242-f031-40db-9365-b8736ee63d92", "spec_version": "2.0", "objects": [ { 
diff --git a/ics-attack/relationship/relationship--f2e672bb-8c73-4066-94d8-7dfb9a8025a7.json b/ics-attack/relationship/relationship--f2e672bb-8c73-4066-94d8-7dfb9a8025a7.json index d5565f19ba..39f79f2f0c 100644 --- a/ics-attack/relationship/relationship--f2e672bb-8c73-4066-94d8-7dfb9a8025a7.json +++ b/ics-attack/relationship/relationship--f2e672bb-8c73-4066-94d8-7dfb9a8025a7.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--d859896b-ec85-4765-ab5a-2334decfc82a", + "id": "bundle--faecf331-a3a8-403d-9ba6-02e15e04ab61", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--f347b4fe-d829-427d-851a-fff3393441db.json b/ics-attack/relationship/relationship--f347b4fe-d829-427d-851a-fff3393441db.json index fce4f20164..84733f66aa 100644 --- a/ics-attack/relationship/relationship--f347b4fe-d829-427d-851a-fff3393441db.json +++ b/ics-attack/relationship/relationship--f347b4fe-d829-427d-851a-fff3393441db.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--6e72c2c6-815a-433b-914a-8d24cacc87d8", + "id": "bundle--fc47387a-00d7-411c-bedc-9162b6914d22", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--f40cc6f5-111c-418f-aa84-50d920fa6c48.json b/ics-attack/relationship/relationship--f40cc6f5-111c-418f-aa84-50d920fa6c48.json index 42efeced3f..1863b9a29b 100644 --- a/ics-attack/relationship/relationship--f40cc6f5-111c-418f-aa84-50d920fa6c48.json +++ b/ics-attack/relationship/relationship--f40cc6f5-111c-418f-aa84-50d920fa6c48.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--8011306c-1435-4934-ac91-0690666b6a59", + "id": "bundle--083514b5-23cb-4586-9487-eb11ea82d8cd", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--f45c2df8-30e7-45d0-8067-7b2870767574.json b/ics-attack/relationship/relationship--f45c2df8-30e7-45d0-8067-7b2870767574.json index 06b2323fff..1beb5122da 100644 
--- a/ics-attack/relationship/relationship--f45c2df8-30e7-45d0-8067-7b2870767574.json +++ b/ics-attack/relationship/relationship--f45c2df8-30e7-45d0-8067-7b2870767574.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--8665b88a-d8fb-44c2-a56d-139aab0e8085", + "id": "bundle--17bd822a-797a-4d5f-8356-94896e22fc97", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--f497fd3e-8f05-4db2-97cc-48a8d35a8827.json b/ics-attack/relationship/relationship--f497fd3e-8f05-4db2-97cc-48a8d35a8827.json index 260f465ba7..283f4bbe52 100644 --- a/ics-attack/relationship/relationship--f497fd3e-8f05-4db2-97cc-48a8d35a8827.json +++ b/ics-attack/relationship/relationship--f497fd3e-8f05-4db2-97cc-48a8d35a8827.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--48cd3265-f4f7-42cf-ac4a-1edd30923b33", + "id": "bundle--a8173513-68fb-4232-b4ea-43eec2270c20", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--f4f98ce1-d0b8-4699-b602-33a6a6ffca67.json b/ics-attack/relationship/relationship--f4f98ce1-d0b8-4699-b602-33a6a6ffca67.json index 0b31c097f4..22e3721956 100644 --- a/ics-attack/relationship/relationship--f4f98ce1-d0b8-4699-b602-33a6a6ffca67.json +++ b/ics-attack/relationship/relationship--f4f98ce1-d0b8-4699-b602-33a6a6ffca67.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--003918bb-40b8-4026-969e-f78e276acc72", + "id": "bundle--5f0c6163-50c1-43f6-acad-399bd5da4e35", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--f584a257-c22a-434b-aa2d-6220987821ab.json b/ics-attack/relationship/relationship--f584a257-c22a-434b-aa2d-6220987821ab.json index c46232a91b..c8eeac91d7 100644 --- a/ics-attack/relationship/relationship--f584a257-c22a-434b-aa2d-6220987821ab.json +++ b/ics-attack/relationship/relationship--f584a257-c22a-434b-aa2d-6220987821ab.json 
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--d34c6348-4b05-44ec-b774-43b5538ceb39", + "id": "bundle--07f49a76-53a7-436c-a53b-db7766297bfb", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--f65a8ce8-90fa-4d92-a0dc-3ee544c541fe.json b/ics-attack/relationship/relationship--f65a8ce8-90fa-4d92-a0dc-3ee544c541fe.json index 554df59f06..dac9a147b2 100644 --- a/ics-attack/relationship/relationship--f65a8ce8-90fa-4d92-a0dc-3ee544c541fe.json +++ b/ics-attack/relationship/relationship--f65a8ce8-90fa-4d92-a0dc-3ee544c541fe.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--523651f4-1e67-4647-b1ba-8a46bbea1ce9", + "id": "bundle--84a766ed-9dae-4369-9904-5223854a2d3b", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--f664bf42-5fb2-41e5-b790-978ddf866da3.json b/ics-attack/relationship/relationship--f664bf42-5fb2-41e5-b790-978ddf866da3.json index 4f75b1f9c0..043f4eaa66 100644 --- a/ics-attack/relationship/relationship--f664bf42-5fb2-41e5-b790-978ddf866da3.json +++ b/ics-attack/relationship/relationship--f664bf42-5fb2-41e5-b790-978ddf866da3.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--7594da57-3b5e-41c2-ada8-1b982281ee04", + "id": "bundle--676a0c3b-74bd-4c4e-bb19-a306c1dd83aa", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--f6b1e463-5db5-40c7-8a6d-5f70194fdadd.json b/ics-attack/relationship/relationship--f6b1e463-5db5-40c7-8a6d-5f70194fdadd.json index d2f6f4f331..ae6bfd0c96 100644 --- a/ics-attack/relationship/relationship--f6b1e463-5db5-40c7-8a6d-5f70194fdadd.json +++ b/ics-attack/relationship/relationship--f6b1e463-5db5-40c7-8a6d-5f70194fdadd.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--b2e061ba-c75a-4fbc-b117-e062c08c543b", + "id": "bundle--b125baec-c08a-466e-938b-9c8bc986f379", "spec_version": "2.0", "objects": [ { 
diff --git a/ics-attack/relationship/relationship--f6ff74c2-d088-4252-a8e0-189574863765.json b/ics-attack/relationship/relationship--f6ff74c2-d088-4252-a8e0-189574863765.json index 4d148123ce..68474085d2 100644 --- a/ics-attack/relationship/relationship--f6ff74c2-d088-4252-a8e0-189574863765.json +++ b/ics-attack/relationship/relationship--f6ff74c2-d088-4252-a8e0-189574863765.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--e3f6a64d-b834-4df8-9157-c9d1f1d4e7d1", + "id": "bundle--8986d8fc-5edd-4528-bc5a-0bdcc145ccce", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--f703f8b2-b6b9-41f3-a551-6bb3647c45cc.json b/ics-attack/relationship/relationship--f703f8b2-b6b9-41f3-a551-6bb3647c45cc.json index f53124123d..8d14d3db23 100644 --- a/ics-attack/relationship/relationship--f703f8b2-b6b9-41f3-a551-6bb3647c45cc.json +++ b/ics-attack/relationship/relationship--f703f8b2-b6b9-41f3-a551-6bb3647c45cc.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--66f1e312-446a-4c09-b7d1-1f87e636d29b", + "id": "bundle--1e328cd4-acb8-48ff-be48-0f4806406cb0", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--f7adf126-3580-4b12-9e63-4d4f665e8cc3.json b/ics-attack/relationship/relationship--f7adf126-3580-4b12-9e63-4d4f665e8cc3.json index d06204684e..d163e5d828 100644 --- a/ics-attack/relationship/relationship--f7adf126-3580-4b12-9e63-4d4f665e8cc3.json +++ b/ics-attack/relationship/relationship--f7adf126-3580-4b12-9e63-4d4f665e8cc3.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--e535e7b1-1848-410d-a3cb-aef415fdc396", + "id": "bundle--d1980273-aa3f-4c71-9417-503d08484f92", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--f8318ac4-8ed0-478d-be87-faa2c9d8a740.json b/ics-attack/relationship/relationship--f8318ac4-8ed0-478d-be87-faa2c9d8a740.json index 711c9fc105..f683ff9659 100644 
--- a/ics-attack/relationship/relationship--f8318ac4-8ed0-478d-be87-faa2c9d8a740.json +++ b/ics-attack/relationship/relationship--f8318ac4-8ed0-478d-be87-faa2c9d8a740.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--41d5f6a0-fe1f-4c3d-9e45-e18dc6b8b50b", + "id": "bundle--637f6164-07cd-42f7-8875-a2b80a2d0d39", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--f862418a-e7b4-4783-8949-7145f3dee665.json b/ics-attack/relationship/relationship--f862418a-e7b4-4783-8949-7145f3dee665.json index f96a270e4a..b80de6ebd9 100644 --- a/ics-attack/relationship/relationship--f862418a-e7b4-4783-8949-7145f3dee665.json +++ b/ics-attack/relationship/relationship--f862418a-e7b4-4783-8949-7145f3dee665.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--a5106bfb-61e4-479c-8379-3505c8f4675f", + "id": "bundle--f25526b8-f80b-4b30-b9bd-eee843fd6352", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--f8cf3800-6521-41d9-b272-d6ba2db0ccd2.json b/ics-attack/relationship/relationship--f8cf3800-6521-41d9-b272-d6ba2db0ccd2.json index e6fd75a236..e1ef259ff5 100644 --- a/ics-attack/relationship/relationship--f8cf3800-6521-41d9-b272-d6ba2db0ccd2.json +++ b/ics-attack/relationship/relationship--f8cf3800-6521-41d9-b272-d6ba2db0ccd2.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--18584b15-1ade-4556-bf02-f12b7ca6f043", + "id": "bundle--0bc20b1d-288a-4d4e-ba29-b2544a0767d9", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--f951d934-d555-45e9-a564-27b84518cae4.json b/ics-attack/relationship/relationship--f951d934-d555-45e9-a564-27b84518cae4.json index 1853919836..5651346988 100644 --- a/ics-attack/relationship/relationship--f951d934-d555-45e9-a564-27b84518cae4.json +++ b/ics-attack/relationship/relationship--f951d934-d555-45e9-a564-27b84518cae4.json 
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--90c3c787-31bc-4fe3-ba6e-3ad45a2a848c", + "id": "bundle--c1a63c7e-dcd3-45cc-b8bd-a57e7227a31b", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--f9625775-662c-425e-9ea0-6cb3f3bf5c3c.json b/ics-attack/relationship/relationship--f9625775-662c-425e-9ea0-6cb3f3bf5c3c.json index 78fcb8d04c..26ff7f8a96 100644 --- a/ics-attack/relationship/relationship--f9625775-662c-425e-9ea0-6cb3f3bf5c3c.json +++ b/ics-attack/relationship/relationship--f9625775-662c-425e-9ea0-6cb3f3bf5c3c.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--ae24318b-2b4f-4ece-9d47-8687aaa17ecd", + "id": "bundle--eca0a20b-e47e-42d4-bc5c-4057cd5dac2b", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--f9aa3364-a1eb-4776-ae03-c39b250545a0.json b/ics-attack/relationship/relationship--f9aa3364-a1eb-4776-ae03-c39b250545a0.json index ad3c79bc9a..606f09f045 100644 --- a/ics-attack/relationship/relationship--f9aa3364-a1eb-4776-ae03-c39b250545a0.json +++ b/ics-attack/relationship/relationship--f9aa3364-a1eb-4776-ae03-c39b250545a0.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--061442ac-dc37-4093-b65b-26c1119a5fc7", + "id": "bundle--2542652a-3300-4ab7-b873-49abff5a1a28", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--f9c29dd4-1c5e-4f7e-b60a-862319a6d0a0.json b/ics-attack/relationship/relationship--f9c29dd4-1c5e-4f7e-b60a-862319a6d0a0.json index 8f59807f41..aa61419d1d 100644 --- a/ics-attack/relationship/relationship--f9c29dd4-1c5e-4f7e-b60a-862319a6d0a0.json +++ b/ics-attack/relationship/relationship--f9c29dd4-1c5e-4f7e-b60a-862319a6d0a0.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--66c238ab-1c3e-4037-af35-38404a63faf8", + "id": "bundle--29e05cff-fed0-4500-b12a-dba91872d404", "spec_version": "2.0", "objects": [ { 
diff --git a/ics-attack/relationship/relationship--fa1bde35-63d9-4c5c-969b-2c17c29089fa.json b/ics-attack/relationship/relationship--fa1bde35-63d9-4c5c-969b-2c17c29089fa.json index f5d1e9519d..3bf392950b 100644 --- a/ics-attack/relationship/relationship--fa1bde35-63d9-4c5c-969b-2c17c29089fa.json +++ b/ics-attack/relationship/relationship--fa1bde35-63d9-4c5c-969b-2c17c29089fa.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--1964f93b-6207-44ac-9572-c214dd9f1dd3", + "id": "bundle--0f8efa52-0b6a-4b71-b550-2abe4ae58653", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--fb80368e-b3f6-4fa3-828b-b1cf792ea161.json b/ics-attack/relationship/relationship--fb80368e-b3f6-4fa3-828b-b1cf792ea161.json index 9f8d5b5437..2f1e24ae15 100644 --- a/ics-attack/relationship/relationship--fb80368e-b3f6-4fa3-828b-b1cf792ea161.json +++ b/ics-attack/relationship/relationship--fb80368e-b3f6-4fa3-828b-b1cf792ea161.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--6c73a7e8-58a8-41a9-a0c4-76b1a43191c8", + "id": "bundle--986b8a09-6b6f-495d-b396-ee6f27ccf34e", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--fc1d3924-3210-4ca6-b3cc-a7a525eab47c.json b/ics-attack/relationship/relationship--fc1d3924-3210-4ca6-b3cc-a7a525eab47c.json index 02e4ddc731..3c00e3fd30 100644 --- a/ics-attack/relationship/relationship--fc1d3924-3210-4ca6-b3cc-a7a525eab47c.json +++ b/ics-attack/relationship/relationship--fc1d3924-3210-4ca6-b3cc-a7a525eab47c.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--b450d3d6-485e-4fd3-b9a4-0a34a48cbf2e", + "id": "bundle--64b44610-583e-4110-802e-59e04b1b7b3d", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--fc3d0a84-e7c7-415c-ae47-42bc513e9bf9.json b/ics-attack/relationship/relationship--fc3d0a84-e7c7-415c-ae47-42bc513e9bf9.json index 5cd22b09a5..5fe904b7cf 100644 
--- a/ics-attack/relationship/relationship--fc3d0a84-e7c7-415c-ae47-42bc513e9bf9.json +++ b/ics-attack/relationship/relationship--fc3d0a84-e7c7-415c-ae47-42bc513e9bf9.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--aa8a3064-df44-4c7d-888f-000ab12d86b9", + "id": "bundle--284ec10f-9e9c-412c-85bb-0a09d9702253", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--fc4803cb-d6bf-4674-bf40-d4b0997824ba.json b/ics-attack/relationship/relationship--fc4803cb-d6bf-4674-bf40-d4b0997824ba.json index e8e0ec664e..aa5b2cda66 100644 --- a/ics-attack/relationship/relationship--fc4803cb-d6bf-4674-bf40-d4b0997824ba.json +++ b/ics-attack/relationship/relationship--fc4803cb-d6bf-4674-bf40-d4b0997824ba.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--59d61f0d-5f07-4856-870f-99b0d6977a1e", + "id": "bundle--4653a8d8-7239-4217-abd0-f395d4939eb7", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--fc6cc5f2-ef5b-4a28-a0b2-a277ee98191d.json b/ics-attack/relationship/relationship--fc6cc5f2-ef5b-4a28-a0b2-a277ee98191d.json index 9355b83149..a74482a9a3 100644 --- a/ics-attack/relationship/relationship--fc6cc5f2-ef5b-4a28-a0b2-a277ee98191d.json +++ b/ics-attack/relationship/relationship--fc6cc5f2-ef5b-4a28-a0b2-a277ee98191d.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--13029c9d-bfe4-440b-98d0-fa24b88f052d", + "id": "bundle--8b90a5c6-dce4-4ca4-9d8d-3f3b0e6be8eb", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--fcb7733f-553d-43de-a8c6-c85a5cd65041.json b/ics-attack/relationship/relationship--fcb7733f-553d-43de-a8c6-c85a5cd65041.json index e48a620847..c44352a14c 100644 --- a/ics-attack/relationship/relationship--fcb7733f-553d-43de-a8c6-c85a5cd65041.json +++ b/ics-attack/relationship/relationship--fcb7733f-553d-43de-a8c6-c85a5cd65041.json 
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--2b64a7c4-08af-4f77-94c6-d6bd17961d02", + "id": "bundle--e37b8769-3677-4672-89a1-2e8ce9bf48a9", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--fcd3fdbf-4909-48ab-85c4-ce4b34172eb0.json b/ics-attack/relationship/relationship--fcd3fdbf-4909-48ab-85c4-ce4b34172eb0.json index 2e5d1918e5..bae56a191e 100644 --- a/ics-attack/relationship/relationship--fcd3fdbf-4909-48ab-85c4-ce4b34172eb0.json +++ b/ics-attack/relationship/relationship--fcd3fdbf-4909-48ab-85c4-ce4b34172eb0.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--ed27a36a-b68d-4674-a754-09285508e152", + "id": "bundle--b762d727-e83f-4eac-8c2b-8d8561e2a4f0", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--fd0340cc-6105-4abd-89d0-60b0d9c00b55.json b/ics-attack/relationship/relationship--fd0340cc-6105-4abd-89d0-60b0d9c00b55.json index bd28fd93fc..91652a31db 100644 --- a/ics-attack/relationship/relationship--fd0340cc-6105-4abd-89d0-60b0d9c00b55.json +++ b/ics-attack/relationship/relationship--fd0340cc-6105-4abd-89d0-60b0d9c00b55.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--4b3ab8d8-8b79-47ad-b72b-3754b3a007c8", + "id": "bundle--345c6c88-d61c-416b-9f89-5e038570da69", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--fd856176-396c-4121-9754-35e49bfa5758.json b/ics-attack/relationship/relationship--fd856176-396c-4121-9754-35e49bfa5758.json index e4115babd1..aa5861be7d 100644 --- a/ics-attack/relationship/relationship--fd856176-396c-4121-9754-35e49bfa5758.json +++ b/ics-attack/relationship/relationship--fd856176-396c-4121-9754-35e49bfa5758.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--0dd9bed5-f29b-40d9-8781-f6d1e601e248", + "id": "bundle--358885d5-9277-44e4-ae39-815b795c0761", "spec_version": "2.0", "objects": [ { 
diff --git a/ics-attack/relationship/relationship--fe22637e-7187-4990-b24a-5dc851eec736.json b/ics-attack/relationship/relationship--fe22637e-7187-4990-b24a-5dc851eec736.json index 6ba9ebebba..2b8a83589d 100644 --- a/ics-attack/relationship/relationship--fe22637e-7187-4990-b24a-5dc851eec736.json +++ b/ics-attack/relationship/relationship--fe22637e-7187-4990-b24a-5dc851eec736.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--308dea72-927f-42ed-ae0d-ba550f7436b1", + "id": "bundle--661467bb-6066-408d-b04c-4625b221b055", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--ff3f0668-98df-44c1-88c2-711f05720eb8.json b/ics-attack/relationship/relationship--ff3f0668-98df-44c1-88c2-711f05720eb8.json index 006eb551fa..f59a2eb0fc 100644 --- a/ics-attack/relationship/relationship--ff3f0668-98df-44c1-88c2-711f05720eb8.json +++ b/ics-attack/relationship/relationship--ff3f0668-98df-44c1-88c2-711f05720eb8.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--0bdfe9ab-585c-47a2-811c-f7f31afeffc2", + "id": "bundle--42641e3f-9b23-4edb-b284-c9596aafd9d4", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/relationship/relationship--ffc5bbce-8d9c-4276-9dc6-efed5c01af8b.json b/ics-attack/relationship/relationship--ffc5bbce-8d9c-4276-9dc6-efed5c01af8b.json index 61bb7bca8f..0506b25e74 100644 --- a/ics-attack/relationship/relationship--ffc5bbce-8d9c-4276-9dc6-efed5c01af8b.json +++ b/ics-attack/relationship/relationship--ffc5bbce-8d9c-4276-9dc6-efed5c01af8b.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--feb6df8f-9667-4ae8-8ebc-2268f73e035a", + "id": "bundle--717c31b6-dcf8-4f5f-a684-9c9653dc3856", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/x-mitre-data-component/x-mitre-data-component--1177a4c5-31c8-400c-8544-9071166afa0e.json b/ics-attack/x-mitre-data-component/x-mitre-data-component--1177a4c5-31c8-400c-8544-9071166afa0e.json index adaa6b574f..c436fcf40d 100644 
--- a/ics-attack/x-mitre-data-component/x-mitre-data-component--1177a4c5-31c8-400c-8544-9071166afa0e.json +++ b/ics-attack/x-mitre-data-component/x-mitre-data-component--1177a4c5-31c8-400c-8544-9071166afa0e.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--fa952976-cb43-4fd8-b06d-c10de8f1e27d", + "id": "bundle--b31472dd-6846-4226-9df3-493a07235063", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/x-mitre-data-component/x-mitre-data-component--181a9f8c-c780-4f1f-91a8-edb770e904ba.json b/ics-attack/x-mitre-data-component/x-mitre-data-component--181a9f8c-c780-4f1f-91a8-edb770e904ba.json index b3d0aa48c7..6fc54c68ad 100644 --- a/ics-attack/x-mitre-data-component/x-mitre-data-component--181a9f8c-c780-4f1f-91a8-edb770e904ba.json +++ b/ics-attack/x-mitre-data-component/x-mitre-data-component--181a9f8c-c780-4f1f-91a8-edb770e904ba.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--d73feb09-0347-43a6-9f94-bd959ae0007e", + "id": "bundle--30f8413e-1e72-419a-826b-765720016944", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/x-mitre-data-component/x-mitre-data-component--235b7491-2d2b-4617-9a52-3c0783680f71.json b/ics-attack/x-mitre-data-component/x-mitre-data-component--235b7491-2d2b-4617-9a52-3c0783680f71.json index a05558f25b..d705cdc787 100644 --- a/ics-attack/x-mitre-data-component/x-mitre-data-component--235b7491-2d2b-4617-9a52-3c0783680f71.json +++ b/ics-attack/x-mitre-data-component/x-mitre-data-component--235b7491-2d2b-4617-9a52-3c0783680f71.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--a04ba3ca-70e3-48b7-95c1-79eed3d90aaa", + "id": "bundle--2285670e-10dd-4381-87da-70145b3a5fc1", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/x-mitre-data-component/x-mitre-data-component--2b3bfe19-d59a-460d-93bb-2f546adc2d2c.json b/ics-attack/x-mitre-data-component/x-mitre-data-component--2b3bfe19-d59a-460d-93bb-2f546adc2d2c.json index cdbfa00268..5694fb0ad9 100644 
--- a/ics-attack/x-mitre-data-component/x-mitre-data-component--2b3bfe19-d59a-460d-93bb-2f546adc2d2c.json +++ b/ics-attack/x-mitre-data-component/x-mitre-data-component--2b3bfe19-d59a-460d-93bb-2f546adc2d2c.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--a7462129-affc-41dd-b683-0e062f9aba5a", + "id": "bundle--1af87fa4-371a-4971-ab59-8068cede220d", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/x-mitre-data-component/x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c.json b/ics-attack/x-mitre-data-component/x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c.json index b550cf8e15..e8265e491b 100644 --- a/ics-attack/x-mitre-data-component/x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c.json +++ b/ics-attack/x-mitre-data-component/x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--7eda53e4-80e1-46ca-9680-0199ca423aea", + "id": "bundle--f97967d9-9f40-42b3-b1a9-954421348f4d", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/x-mitre-data-component/x-mitre-data-component--39b9db72-8b48-4595-a18d-db5bbba3091b.json b/ics-attack/x-mitre-data-component/x-mitre-data-component--39b9db72-8b48-4595-a18d-db5bbba3091b.json index d2e3050888..61b3727ff9 100644 --- a/ics-attack/x-mitre-data-component/x-mitre-data-component--39b9db72-8b48-4595-a18d-db5bbba3091b.json +++ b/ics-attack/x-mitre-data-component/x-mitre-data-component--39b9db72-8b48-4595-a18d-db5bbba3091b.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--61a388c2-82d8-4e66-ab2f-d822eee009f5", + "id": "bundle--51506760-0bcd-42f3-907f-2fb49271c595", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/x-mitre-data-component/x-mitre-data-component--3d20385b-24ef-40e1-9f56-f39750379077.json b/ics-attack/x-mitre-data-component/x-mitre-data-component--3d20385b-24ef-40e1-9f56-f39750379077.json index eea46d7e92..a3e4d61ae6 100644 
--- a/ics-attack/x-mitre-data-component/x-mitre-data-component--3d20385b-24ef-40e1-9f56-f39750379077.json +++ b/ics-attack/x-mitre-data-component/x-mitre-data-component--3d20385b-24ef-40e1-9f56-f39750379077.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--7a03fdea-c2a1-454a-9e97-04c4e03a3c8d", + "id": "bundle--1a3e8990-edd4-4e64-a81c-a24262ffdc4f", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/x-mitre-data-component/x-mitre-data-component--3d6e6b3b-4aa8-40e1-8c47-91db0f313d9f.json b/ics-attack/x-mitre-data-component/x-mitre-data-component--3d6e6b3b-4aa8-40e1-8c47-91db0f313d9f.json index 31ebb71a1c..e0d910c3a7 100644 --- a/ics-attack/x-mitre-data-component/x-mitre-data-component--3d6e6b3b-4aa8-40e1-8c47-91db0f313d9f.json +++ b/ics-attack/x-mitre-data-component/x-mitre-data-component--3d6e6b3b-4aa8-40e1-8c47-91db0f313d9f.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--dd36363d-60f9-4629-a4b8-292bd3de6cba", + "id": "bundle--f7b582f7-3e93-41c2-81b9-18bd88992bf3", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/x-mitre-data-component/x-mitre-data-component--4c12c1c8-bcef-4daf-8e5b-fca235f71d9e.json b/ics-attack/x-mitre-data-component/x-mitre-data-component--4c12c1c8-bcef-4daf-8e5b-fca235f71d9e.json index 217215b4f4..4353800544 100644 --- a/ics-attack/x-mitre-data-component/x-mitre-data-component--4c12c1c8-bcef-4daf-8e5b-fca235f71d9e.json +++ b/ics-attack/x-mitre-data-component/x-mitre-data-component--4c12c1c8-bcef-4daf-8e5b-fca235f71d9e.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--a96bd650-4023-4220-aaf2-bb5169271a8c", + "id": "bundle--22aa55d0-56b7-4ca5-9994-cd8d5a587811", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/x-mitre-data-component/x-mitre-data-component--4dcd8ba3-2075-4f8b-941e-39884ffaac08.json b/ics-attack/x-mitre-data-component/x-mitre-data-component--4dcd8ba3-2075-4f8b-941e-39884ffaac08.json index fd032a8eca..e2025e457f 100644 
--- a/ics-attack/x-mitre-data-component/x-mitre-data-component--4dcd8ba3-2075-4f8b-941e-39884ffaac08.json +++ b/ics-attack/x-mitre-data-component/x-mitre-data-component--4dcd8ba3-2075-4f8b-941e-39884ffaac08.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--9e4cfaa8-ca9c-4067-b768-2e50ff9cb19c", + "id": "bundle--e1d2514b-0bbf-4e2f-a050-dd038e1499e2", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/x-mitre-data-component/x-mitre-data-component--5297a638-1382-4f0c-8472-0d21830bf705.json b/ics-attack/x-mitre-data-component/x-mitre-data-component--5297a638-1382-4f0c-8472-0d21830bf705.json index 460acfe9be..5ed32a956b 100644 --- a/ics-attack/x-mitre-data-component/x-mitre-data-component--5297a638-1382-4f0c-8472-0d21830bf705.json +++ b/ics-attack/x-mitre-data-component/x-mitre-data-component--5297a638-1382-4f0c-8472-0d21830bf705.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--94649b5d-4ee9-477e-aaa2-223345a29014", + "id": "bundle--305979f6-0831-4a9d-90ad-846454c40d54", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/x-mitre-data-component/x-mitre-data-component--61f1d40e-f3d0-4cc6-aa2d-937b6204194f.json b/ics-attack/x-mitre-data-component/x-mitre-data-component--61f1d40e-f3d0-4cc6-aa2d-937b6204194f.json index eb89fd428e..9b660d7cdb 100644 --- a/ics-attack/x-mitre-data-component/x-mitre-data-component--61f1d40e-f3d0-4cc6-aa2d-937b6204194f.json +++ b/ics-attack/x-mitre-data-component/x-mitre-data-component--61f1d40e-f3d0-4cc6-aa2d-937b6204194f.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--8081d84e-ccae-40a5-93a0-d4740aef7697", + "id": "bundle--9112c157-b3db-418b-8c4e-4f73a6ce97ce", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/x-mitre-data-component/x-mitre-data-component--639e87f3-acb6-448a-9645-258f20da4bc5.json b/ics-attack/x-mitre-data-component/x-mitre-data-component--639e87f3-acb6-448a-9645-258f20da4bc5.json index ab99f75a54..f290cd5abb 100644 
--- a/ics-attack/x-mitre-data-component/x-mitre-data-component--639e87f3-acb6-448a-9645-258f20da4bc5.json +++ b/ics-attack/x-mitre-data-component/x-mitre-data-component--639e87f3-acb6-448a-9645-258f20da4bc5.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--59cef241-0971-4a2f-b573-098d4c3857d1", + "id": "bundle--ff260dba-21df-46f1-8b25-4a5377f30ca7", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/x-mitre-data-component/x-mitre-data-component--66531bc6-a509-4868-8314-4d599e91d222.json b/ics-attack/x-mitre-data-component/x-mitre-data-component--66531bc6-a509-4868-8314-4d599e91d222.json index 7ad5e189ea..e7b553cd09 100644 --- a/ics-attack/x-mitre-data-component/x-mitre-data-component--66531bc6-a509-4868-8314-4d599e91d222.json +++ b/ics-attack/x-mitre-data-component/x-mitre-data-component--66531bc6-a509-4868-8314-4d599e91d222.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--461659a8-3bf1-4c10-95ce-d4484be13db2", + "id": "bundle--67789731-adb3-464d-affe-1ea035b1bb47", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/x-mitre-data-component/x-mitre-data-component--685f917a-e95e-4ba0-ade1-c7d354dae6e0.json b/ics-attack/x-mitre-data-component/x-mitre-data-component--685f917a-e95e-4ba0-ade1-c7d354dae6e0.json index 9d6e004e13..37983ca1a2 100644 --- a/ics-attack/x-mitre-data-component/x-mitre-data-component--685f917a-e95e-4ba0-ade1-c7d354dae6e0.json +++ b/ics-attack/x-mitre-data-component/x-mitre-data-component--685f917a-e95e-4ba0-ade1-c7d354dae6e0.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--89080221-304f-4883-952a-ecdca2ce2b78", + "id": "bundle--5f0a2fbb-005f-4b64-ae9e-f4c866ef227d", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/x-mitre-data-component/x-mitre-data-component--74fa567d-bc90-425c-8a41-3c703abb221c.json b/ics-attack/x-mitre-data-component/x-mitre-data-component--74fa567d-bc90-425c-8a41-3c703abb221c.json index 99a554e351..a6b125936f 100644 
--- a/ics-attack/x-mitre-data-component/x-mitre-data-component--74fa567d-bc90-425c-8a41-3c703abb221c.json +++ b/ics-attack/x-mitre-data-component/x-mitre-data-component--74fa567d-bc90-425c-8a41-3c703abb221c.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--9a8a679d-a945-4a95-a6b4-10f3abf08959", + "id": "bundle--48682189-d125-4712-9396-1589daa8514c", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/x-mitre-data-component/x-mitre-data-component--7b375092-3a61-448d-900a-77c9a4bde4dc.json b/ics-attack/x-mitre-data-component/x-mitre-data-component--7b375092-3a61-448d-900a-77c9a4bde4dc.json index d4d9b4d49c..5051d03a97 100644 --- a/ics-attack/x-mitre-data-component/x-mitre-data-component--7b375092-3a61-448d-900a-77c9a4bde4dc.json +++ b/ics-attack/x-mitre-data-component/x-mitre-data-component--7b375092-3a61-448d-900a-77c9a4bde4dc.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--14d04a8b-2f1c-48a4-986b-2906ac94b102", + "id": "bundle--326210b0-adf8-43ef-9767-4a5f478e0961", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/x-mitre-data-component/x-mitre-data-component--84572de3-9583-4c73-aabd-06ea88123dd8.json b/ics-attack/x-mitre-data-component/x-mitre-data-component--84572de3-9583-4c73-aabd-06ea88123dd8.json index 4c93f27dc5..52a8513836 100644 --- a/ics-attack/x-mitre-data-component/x-mitre-data-component--84572de3-9583-4c73-aabd-06ea88123dd8.json +++ b/ics-attack/x-mitre-data-component/x-mitre-data-component--84572de3-9583-4c73-aabd-06ea88123dd8.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--977d3868-b516-474f-b349-764f05d1f2b4", + "id": "bundle--996f0540-3532-41fd-a2de-ebc755d203d0", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/x-mitre-data-component/x-mitre-data-component--8ed4e6d0-56d7-4e6b-8fa6-41f41631f30d.json b/ics-attack/x-mitre-data-component/x-mitre-data-component--8ed4e6d0-56d7-4e6b-8fa6-41f41631f30d.json index b1d10437da..7b6bede41d 100644 
--- a/ics-attack/x-mitre-data-component/x-mitre-data-component--8ed4e6d0-56d7-4e6b-8fa6-41f41631f30d.json +++ b/ics-attack/x-mitre-data-component/x-mitre-data-component--8ed4e6d0-56d7-4e6b-8fa6-41f41631f30d.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--e8a6fd3b-0c4f-4c62-a5a6-a255bb194b48", + "id": "bundle--6874bd07-8ec4-44a3-a7e5-643f207875e3", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/x-mitre-data-component/x-mitre-data-component--931b3fc6-ad68-42a8-9018-e98515eedc95.json b/ics-attack/x-mitre-data-component/x-mitre-data-component--931b3fc6-ad68-42a8-9018-e98515eedc95.json index 45a2993822..606b9bd94b 100644 --- a/ics-attack/x-mitre-data-component/x-mitre-data-component--931b3fc6-ad68-42a8-9018-e98515eedc95.json +++ b/ics-attack/x-mitre-data-component/x-mitre-data-component--931b3fc6-ad68-42a8-9018-e98515eedc95.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--9b3cbb2e-94a5-4657-ac8b-c81b87b2ec94", + "id": "bundle--8ff6ae63-a377-40f7-b217-df903b390340", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/x-mitre-data-component/x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e.json b/ics-attack/x-mitre-data-component/x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e.json index 48a8a6485a..ef02fce016 100644 --- a/ics-attack/x-mitre-data-component/x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e.json +++ b/ics-attack/x-mitre-data-component/x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--cf1b5eac-2696-4257-a46a-d6e9ff493f99", + "id": "bundle--92c56ed1-51b3-4914-b367-950609f9eacf", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/x-mitre-data-component/x-mitre-data-component--9c2fa0ae-7abc-485a-97f6-699e3b6cf9fa.json b/ics-attack/x-mitre-data-component/x-mitre-data-component--9c2fa0ae-7abc-485a-97f6-699e3b6cf9fa.json index d9b372b4ea..1e60536d05 100644 
--- a/ics-attack/x-mitre-data-component/x-mitre-data-component--9c2fa0ae-7abc-485a-97f6-699e3b6cf9fa.json +++ b/ics-attack/x-mitre-data-component/x-mitre-data-component--9c2fa0ae-7abc-485a-97f6-699e3b6cf9fa.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--8143c6d5-d714-43e7-9879-48a2c7e03f6a", + "id": "bundle--cd349503-7ead-4306-bb36-55758d13d0aa", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/x-mitre-data-component/x-mitre-data-component--9ce98c86-8d30-4043-ba54-0784d478d0b5.json b/ics-attack/x-mitre-data-component/x-mitre-data-component--9ce98c86-8d30-4043-ba54-0784d478d0b5.json index 484877a6da..9797babc46 100644 --- a/ics-attack/x-mitre-data-component/x-mitre-data-component--9ce98c86-8d30-4043-ba54-0784d478d0b5.json +++ b/ics-attack/x-mitre-data-component/x-mitre-data-component--9ce98c86-8d30-4043-ba54-0784d478d0b5.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--6485e573-ad50-44a3-a642-0acc5712f7d7", + "id": "bundle--3a4ff41d-17ae-4c1f-adaa-02805ac9ceb2", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/x-mitre-data-component/x-mitre-data-component--9d56be63-3501-4dd3-bb5f-63c580833298.json b/ics-attack/x-mitre-data-component/x-mitre-data-component--9d56be63-3501-4dd3-bb5f-63c580833298.json index a2b78f8a40..4a1d317db9 100644 --- a/ics-attack/x-mitre-data-component/x-mitre-data-component--9d56be63-3501-4dd3-bb5f-63c580833298.json +++ b/ics-attack/x-mitre-data-component/x-mitre-data-component--9d56be63-3501-4dd3-bb5f-63c580833298.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--978d08a3-b89f-4464-8610-572cdb202af1", + "id": "bundle--357dc7eb-5c46-40f0-b144-8012b7b09609", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/x-mitre-data-component/x-mitre-data-component--9f387817-df83-432a-b56b-a8fb7f71eedd.json b/ics-attack/x-mitre-data-component/x-mitre-data-component--9f387817-df83-432a-b56b-a8fb7f71eedd.json index 972db77331..2200b9939b 100644 
--- a/ics-attack/x-mitre-data-component/x-mitre-data-component--9f387817-df83-432a-b56b-a8fb7f71eedd.json +++ b/ics-attack/x-mitre-data-component/x-mitre-data-component--9f387817-df83-432a-b56b-a8fb7f71eedd.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--1bc7bf6f-66d8-49d7-a33f-21a965bb6a1d", + "id": "bundle--f8a6bdcd-2b29-47f6-a3fd-033c4abda077", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/x-mitre-data-component/x-mitre-data-component--a7f22107-02e5-4982-9067-6625d4a1765a.json b/ics-attack/x-mitre-data-component/x-mitre-data-component--a7f22107-02e5-4982-9067-6625d4a1765a.json index 728bff0209..85ec112814 100644 --- a/ics-attack/x-mitre-data-component/x-mitre-data-component--a7f22107-02e5-4982-9067-6625d4a1765a.json +++ b/ics-attack/x-mitre-data-component/x-mitre-data-component--a7f22107-02e5-4982-9067-6625d4a1765a.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--03ee6b60-eed7-4cd9-b865-ab0a3242d1fb", + "id": "bundle--3466a8c5-6b2b-4341-a5a2-7ba9227e5c76", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/x-mitre-data-component/x-mitre-data-component--a953ca55-921a-44f7-9b8d-3d40141aa17e.json b/ics-attack/x-mitre-data-component/x-mitre-data-component--a953ca55-921a-44f7-9b8d-3d40141aa17e.json index 7165dee996..085c89a469 100644 --- a/ics-attack/x-mitre-data-component/x-mitre-data-component--a953ca55-921a-44f7-9b8d-3d40141aa17e.json +++ b/ics-attack/x-mitre-data-component/x-mitre-data-component--a953ca55-921a-44f7-9b8d-3d40141aa17e.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--f9c061ad-4d8c-4b41-ba9f-ef4f3ebc5f6e", + "id": "bundle--6c77a994-7d06-43e5-b2f2-9d1452f092f4", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/x-mitre-data-component/x-mitre-data-component--b05a614b-033c-4578-b4f2-c63a9feee706.json b/ics-attack/x-mitre-data-component/x-mitre-data-component--b05a614b-033c-4578-b4f2-c63a9feee706.json index 5cd535b6c4..f7e6d64600 100644 
--- a/ics-attack/x-mitre-data-component/x-mitre-data-component--b05a614b-033c-4578-b4f2-c63a9feee706.json +++ b/ics-attack/x-mitre-data-component/x-mitre-data-component--b05a614b-033c-4578-b4f2-c63a9feee706.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--a5d80e4d-16da-43c0-8a65-bc1448cabc0e", + "id": "bundle--12768064-fd7d-43c5-b0a3-44c3ba8c9b96", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/x-mitre-data-component/x-mitre-data-component--b9d031bb-d150-4fc6-8025-688201bf3ffd.json b/ics-attack/x-mitre-data-component/x-mitre-data-component--b9d031bb-d150-4fc6-8025-688201bf3ffd.json index 2436c53e21..d530f7a31e 100644 --- a/ics-attack/x-mitre-data-component/x-mitre-data-component--b9d031bb-d150-4fc6-8025-688201bf3ffd.json +++ b/ics-attack/x-mitre-data-component/x-mitre-data-component--b9d031bb-d150-4fc6-8025-688201bf3ffd.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--3d70db6f-9446-459f-866c-9b37600b83c6", + "id": "bundle--e9726fba-ad15-435f-8709-29eb52ff57d6", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/x-mitre-data-component/x-mitre-data-component--c0a4a086-cc20-4e1e-b7cb-29d99dfa3fb1.json b/ics-attack/x-mitre-data-component/x-mitre-data-component--c0a4a086-cc20-4e1e-b7cb-29d99dfa3fb1.json index a59f99698d..6c00c76263 100644 --- a/ics-attack/x-mitre-data-component/x-mitre-data-component--c0a4a086-cc20-4e1e-b7cb-29d99dfa3fb1.json +++ b/ics-attack/x-mitre-data-component/x-mitre-data-component--c0a4a086-cc20-4e1e-b7cb-29d99dfa3fb1.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--61efebe6-12a6-48fc-a778-a1a2c96d8512", + "id": "bundle--c7c16fb3-5af2-44db-9e07-4a1c40cc0b95", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/x-mitre-data-component/x-mitre-data-component--da85d358-741a-410d-9433-20d6269a6170.json b/ics-attack/x-mitre-data-component/x-mitre-data-component--da85d358-741a-410d-9433-20d6269a6170.json index 07ac17eef2..dfb3628825 100644 
--- a/ics-attack/x-mitre-data-component/x-mitre-data-component--da85d358-741a-410d-9433-20d6269a6170.json +++ b/ics-attack/x-mitre-data-component/x-mitre-data-component--da85d358-741a-410d-9433-20d6269a6170.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--b0414980-301f-4c94-b32a-6dc2a967cf18", + "id": "bundle--13a5f04d-51d2-4497-b218-9df215c4e2a8", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/x-mitre-data-component/x-mitre-data-component--e905dad2-00d6-477c-97e8-800427abd0e8.json b/ics-attack/x-mitre-data-component/x-mitre-data-component--e905dad2-00d6-477c-97e8-800427abd0e8.json index a37a98f829..5ff5e2cbbe 100644 --- a/ics-attack/x-mitre-data-component/x-mitre-data-component--e905dad2-00d6-477c-97e8-800427abd0e8.json +++ b/ics-attack/x-mitre-data-component/x-mitre-data-component--e905dad2-00d6-477c-97e8-800427abd0e8.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--a5281fcb-3331-4025-87a2-5199833a3aff", + "id": "bundle--f1385958-2a05-4f3b-8f2b-22baa8fff11a", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/x-mitre-data-component/x-mitre-data-component--ee575f4a-2d4f-48f6-b18b-89067760adc1.json b/ics-attack/x-mitre-data-component/x-mitre-data-component--ee575f4a-2d4f-48f6-b18b-89067760adc1.json index c55c14f673..c04992c44c 100644 --- a/ics-attack/x-mitre-data-component/x-mitre-data-component--ee575f4a-2d4f-48f6-b18b-89067760adc1.json +++ b/ics-attack/x-mitre-data-component/x-mitre-data-component--ee575f4a-2d4f-48f6-b18b-89067760adc1.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--2130313f-8724-4d61-9c0c-b8cdbf9d8154", + "id": "bundle--5ef4835f-ec97-4384-a800-3526330b8b43", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/x-mitre-data-component/x-mitre-data-component--f42df6f0-6395-4f0c-9376-525a031f00c3.json b/ics-attack/x-mitre-data-component/x-mitre-data-component--f42df6f0-6395-4f0c-9376-525a031f00c3.json index 6f13064651..fbcd01556b 100644 
--- a/ics-attack/x-mitre-data-component/x-mitre-data-component--f42df6f0-6395-4f0c-9376-525a031f00c3.json +++ b/ics-attack/x-mitre-data-component/x-mitre-data-component--f42df6f0-6395-4f0c-9376-525a031f00c3.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--a7e12eef-de92-4d6f-88eb-c5179ed86ab8", + "id": "bundle--a8ecb166-c44e-404d-b25f-c6d00538963a", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/x-mitre-data-component/x-mitre-data-component--f5468e67-51c7-4756-9b4f-65707708e7fa.json b/ics-attack/x-mitre-data-component/x-mitre-data-component--f5468e67-51c7-4756-9b4f-65707708e7fa.json index 0d20db7ddb..c1efa2cb01 100644 --- a/ics-attack/x-mitre-data-component/x-mitre-data-component--f5468e67-51c7-4756-9b4f-65707708e7fa.json +++ b/ics-attack/x-mitre-data-component/x-mitre-data-component--f5468e67-51c7-4756-9b4f-65707708e7fa.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--0ee2f374-d97c-46f9-b6c6-fa5518fa66ea", + "id": "bundle--3c592162-da84-48bd-8930-ab38e793c3e9", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/x-mitre-data-component/x-mitre-data-component--faa34cf6-cf32-4dc9-bd6a-8f7a606ff65b.json b/ics-attack/x-mitre-data-component/x-mitre-data-component--faa34cf6-cf32-4dc9-bd6a-8f7a606ff65b.json index 2ed3c9fc03..4aeb6e177e 100644 --- a/ics-attack/x-mitre-data-component/x-mitre-data-component--faa34cf6-cf32-4dc9-bd6a-8f7a606ff65b.json +++ b/ics-attack/x-mitre-data-component/x-mitre-data-component--faa34cf6-cf32-4dc9-bd6a-8f7a606ff65b.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--d0ff3e85-8c16-4aad-b1a3-16564722a638", + "id": "bundle--95c28b6c-a86c-4f24-905c-3e6dde2b23cb", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/x-mitre-data-source/x-mitre-data-source--0b4f86ed-f4ab-46a3-8ed1-175be1974da6.json b/ics-attack/x-mitre-data-source/x-mitre-data-source--0b4f86ed-f4ab-46a3-8ed1-175be1974da6.json index 1191e50cb3..72a22c09e3 100644 
--- a/ics-attack/x-mitre-data-source/x-mitre-data-source--0b4f86ed-f4ab-46a3-8ed1-175be1974da6.json +++ b/ics-attack/x-mitre-data-source/x-mitre-data-source--0b4f86ed-f4ab-46a3-8ed1-175be1974da6.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--90140dae-e99c-4095-a823-c9fccf0d3240", + "id": "bundle--32da5fce-f901-4309-a224-7f6e59a3ad72", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/x-mitre-data-source/x-mitre-data-source--0f42a24c-e035-4f93-a91c-5f7076bd8da0.json b/ics-attack/x-mitre-data-source/x-mitre-data-source--0f42a24c-e035-4f93-a91c-5f7076bd8da0.json index a25577d2d9..467088c480 100644 --- a/ics-attack/x-mitre-data-source/x-mitre-data-source--0f42a24c-e035-4f93-a91c-5f7076bd8da0.json +++ b/ics-attack/x-mitre-data-source/x-mitre-data-source--0f42a24c-e035-4f93-a91c-5f7076bd8da0.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--c67ba8b5-7cc5-4906-95e6-664859faa053", + "id": "bundle--92822d68-ce50-4467-978b-bdf7795db015", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/x-mitre-data-source/x-mitre-data-source--12c1e727-7fa4-49b6-af81-366ed2ce231e.json b/ics-attack/x-mitre-data-source/x-mitre-data-source--12c1e727-7fa4-49b6-af81-366ed2ce231e.json index d909305769..d261c6023e 100644 --- a/ics-attack/x-mitre-data-source/x-mitre-data-source--12c1e727-7fa4-49b6-af81-366ed2ce231e.json +++ b/ics-attack/x-mitre-data-source/x-mitre-data-source--12c1e727-7fa4-49b6-af81-366ed2ce231e.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--4af4de58-016c-493f-9ecd-a8f9d8b4547a", + "id": "bundle--6da9ea13-7ee8-4102-ba8a-2eae6a32d17f", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/x-mitre-data-source/x-mitre-data-source--1b8c9f31-ad35-4850-bf8c-80c565ad3552.json b/ics-attack/x-mitre-data-source/x-mitre-data-source--1b8c9f31-ad35-4850-bf8c-80c565ad3552.json index c2c6c694ec..fd6b0937d4 100644 --- a/ics-attack/x-mitre-data-source/x-mitre-data-source--1b8c9f31-ad35-4850-bf8c-80c565ad3552.json 
+++ b/ics-attack/x-mitre-data-source/x-mitre-data-source--1b8c9f31-ad35-4850-bf8c-80c565ad3552.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--7aa6fe91-71be-4882-bca7-c307f6094990", + "id": "bundle--aeb54a65-876b-4f57-9402-3884af488abc", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/x-mitre-data-source/x-mitre-data-source--40269753-26bd-437b-986e-159c66dec5e4.json b/ics-attack/x-mitre-data-source/x-mitre-data-source--40269753-26bd-437b-986e-159c66dec5e4.json index c06e24c31e..e307a18271 100644 --- a/ics-attack/x-mitre-data-source/x-mitre-data-source--40269753-26bd-437b-986e-159c66dec5e4.json +++ b/ics-attack/x-mitre-data-source/x-mitre-data-source--40269753-26bd-437b-986e-159c66dec5e4.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--df34bd79-5087-4188-b93b-3ac29ad2db48", + "id": "bundle--fdf113ef-405f-427e-ad43-88f4961bd4db", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/x-mitre-data-source/x-mitre-data-source--4358c631-e253-4557-86df-f687d0ef9891.json b/ics-attack/x-mitre-data-source/x-mitre-data-source--4358c631-e253-4557-86df-f687d0ef9891.json index f0c28f0210..8b4978699d 100644 --- a/ics-attack/x-mitre-data-source/x-mitre-data-source--4358c631-e253-4557-86df-f687d0ef9891.json +++ b/ics-attack/x-mitre-data-source/x-mitre-data-source--4358c631-e253-4557-86df-f687d0ef9891.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--34689242-f39c-48c7-9058-bb638e4f78a5", + "id": "bundle--119e5bf4-9294-4575-b3c9-ab7689c9274e", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/x-mitre-data-source/x-mitre-data-source--509ed41e-ca42-461e-9058-24602256daf9.json b/ics-attack/x-mitre-data-source/x-mitre-data-source--509ed41e-ca42-461e-9058-24602256daf9.json index 631a64c5ad..74ee82d3f4 100644 --- a/ics-attack/x-mitre-data-source/x-mitre-data-source--509ed41e-ca42-461e-9058-24602256daf9.json +++ b/ics-attack/x-mitre-data-source/x-mitre-data-source--509ed41e-ca42-461e-9058-24602256daf9.json 
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--eccb66aa-a976-47fa-a84d-76939a15a374", + "id": "bundle--dfdaee4b-bb67-4328-ac9a-62cd322e3b95", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/x-mitre-data-source/x-mitre-data-source--61bbbf27-f7c3-46ba-a6bc-48ae76928065.json b/ics-attack/x-mitre-data-source/x-mitre-data-source--61bbbf27-f7c3-46ba-a6bc-48ae76928065.json index eebfc3d2ef..3fb630b7aa 100644 --- a/ics-attack/x-mitre-data-source/x-mitre-data-source--61bbbf27-f7c3-46ba-a6bc-48ae76928065.json +++ b/ics-attack/x-mitre-data-source/x-mitre-data-source--61bbbf27-f7c3-46ba-a6bc-48ae76928065.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--9d04112b-6827-4994-8ac9-78b51d7c1d60", + "id": "bundle--4ce05c79-065c-4de1-89cc-85629afde627", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/x-mitre-data-source/x-mitre-data-source--73691708-ffb5-4e29-906d-f485f6fa7089.json b/ics-attack/x-mitre-data-source/x-mitre-data-source--73691708-ffb5-4e29-906d-f485f6fa7089.json index 4906f7a7ed..1b36246225 100644 --- a/ics-attack/x-mitre-data-source/x-mitre-data-source--73691708-ffb5-4e29-906d-f485f6fa7089.json +++ b/ics-attack/x-mitre-data-source/x-mitre-data-source--73691708-ffb5-4e29-906d-f485f6fa7089.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--55872563-e5c7-4dda-ab00-dd3e3c81b99d", + "id": "bundle--a0bca09e-cec1-4f53-8daa-c72eda499a21", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/x-mitre-data-source/x-mitre-data-source--b1717cb4-d536-4e2b-b5e5-07e67e26183c.json b/ics-attack/x-mitre-data-source/x-mitre-data-source--b1717cb4-d536-4e2b-b5e5-07e67e26183c.json index 4fc9b93773..17bee589af 100644 --- a/ics-attack/x-mitre-data-source/x-mitre-data-source--b1717cb4-d536-4e2b-b5e5-07e67e26183c.json +++ b/ics-attack/x-mitre-data-source/x-mitre-data-source--b1717cb4-d536-4e2b-b5e5-07e67e26183c.json 
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--d91e311d-821b-4fca-8b28-734fc05fb5c0", + "id": "bundle--4d544b5e-264a-4c3f-859e-7d8b81ccff9f", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/x-mitre-data-source/x-mitre-data-source--ba27545a-9c32-47ea-ba6a-cce50f1b326e.json b/ics-attack/x-mitre-data-source/x-mitre-data-source--ba27545a-9c32-47ea-ba6a-cce50f1b326e.json index 894e60c602..5237de4683 100644 --- a/ics-attack/x-mitre-data-source/x-mitre-data-source--ba27545a-9c32-47ea-ba6a-cce50f1b326e.json +++ b/ics-attack/x-mitre-data-source/x-mitre-data-source--ba27545a-9c32-47ea-ba6a-cce50f1b326e.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--aa09f266-7532-4990-9d33-c3d0c2a88341", + "id": "bundle--d5ac3d21-56c0-4d0d-8707-d00277c580b8", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/x-mitre-data-source/x-mitre-data-source--c000cd5c-bbb3-4606-af6f-6c6d9de0bbe3.json b/ics-attack/x-mitre-data-source/x-mitre-data-source--c000cd5c-bbb3-4606-af6f-6c6d9de0bbe3.json index 18ce0fc23d..50f8be21f2 100644 --- a/ics-attack/x-mitre-data-source/x-mitre-data-source--c000cd5c-bbb3-4606-af6f-6c6d9de0bbe3.json +++ b/ics-attack/x-mitre-data-source/x-mitre-data-source--c000cd5c-bbb3-4606-af6f-6c6d9de0bbe3.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--f410ed16-3760-4460-933a-677bf3c43378", + "id": "bundle--88808934-2a43-473a-b0ef-6fbda5c50740", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/x-mitre-data-source/x-mitre-data-source--c9ddfb51-eb45-4e22-b614-44ac1caa7883.json b/ics-attack/x-mitre-data-source/x-mitre-data-source--c9ddfb51-eb45-4e22-b614-44ac1caa7883.json index ec5f44934f..11e9dd5730 100644 --- a/ics-attack/x-mitre-data-source/x-mitre-data-source--c9ddfb51-eb45-4e22-b614-44ac1caa7883.json +++ b/ics-attack/x-mitre-data-source/x-mitre-data-source--c9ddfb51-eb45-4e22-b614-44ac1caa7883.json 
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--000f9129-cd7d-4d30-8456-251b55fbf6ac", + "id": "bundle--8059608a-b9c9-4bc8-baff-639509c5e9d2", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/x-mitre-data-source/x-mitre-data-source--ca1cb239-ff6d-4f64-b9d7-41c8556a8b4f.json b/ics-attack/x-mitre-data-source/x-mitre-data-source--ca1cb239-ff6d-4f64-b9d7-41c8556a8b4f.json index e3985df629..863c5690b4 100644 --- a/ics-attack/x-mitre-data-source/x-mitre-data-source--ca1cb239-ff6d-4f64-b9d7-41c8556a8b4f.json +++ b/ics-attack/x-mitre-data-source/x-mitre-data-source--ca1cb239-ff6d-4f64-b9d7-41c8556a8b4f.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--56592d8a-bf2f-4f83-acf6-37bba2152f48", + "id": "bundle--ceedc349-ee55-4274-aaa6-ab79b812d07d", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/x-mitre-data-source/x-mitre-data-source--d710099e-df94-4be4-bf85-cabd30e912bb.json b/ics-attack/x-mitre-data-source/x-mitre-data-source--d710099e-df94-4be4-bf85-cabd30e912bb.json index a3f36b38fa..ca586bb7fe 100644 --- a/ics-attack/x-mitre-data-source/x-mitre-data-source--d710099e-df94-4be4-bf85-cabd30e912bb.json +++ b/ics-attack/x-mitre-data-source/x-mitre-data-source--d710099e-df94-4be4-bf85-cabd30e912bb.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--8f29e5df-d6ac-4c06-af28-aeb94d0d92ec", + "id": "bundle--37308ba7-1c57-4fc1-a68f-079a5d75af34", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/x-mitre-data-source/x-mitre-data-source--e8b8ede7-337b-4c0c-8c32-5c7872c1ee22.json b/ics-attack/x-mitre-data-source/x-mitre-data-source--e8b8ede7-337b-4c0c-8c32-5c7872c1ee22.json index 631a7d9f0f..0e2cbcd4e4 100644 --- a/ics-attack/x-mitre-data-source/x-mitre-data-source--e8b8ede7-337b-4c0c-8c32-5c7872c1ee22.json +++ b/ics-attack/x-mitre-data-source/x-mitre-data-source--e8b8ede7-337b-4c0c-8c32-5c7872c1ee22.json 
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--3b757da8-fbf8-4544-9779-59994bf09733", + "id": "bundle--b2e9f37b-9ad6-49e5-a6d1-f206c27107e4", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/x-mitre-data-source/x-mitre-data-source--f424e4b4-a8a4-4c58-a4ae-4f53bfd08563.json b/ics-attack/x-mitre-data-source/x-mitre-data-source--f424e4b4-a8a4-4c58-a4ae-4f53bfd08563.json index 6e6d8684c8..3ec316ab04 100644 --- a/ics-attack/x-mitre-data-source/x-mitre-data-source--f424e4b4-a8a4-4c58-a4ae-4f53bfd08563.json +++ b/ics-attack/x-mitre-data-source/x-mitre-data-source--f424e4b4-a8a4-4c58-a4ae-4f53bfd08563.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--8da400a2-e84a-494e-8390-78ea131f6914", + "id": "bundle--3be82646-04b1-445d-9e8b-1cdefbfd354c", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/x-mitre-matrix/x-mitre-matrix--575f48f4-8897-4468-897b-48bb364af6c7.json b/ics-attack/x-mitre-matrix/x-mitre-matrix--575f48f4-8897-4468-897b-48bb364af6c7.json index f43510c6ca..f269e697c2 100644 --- a/ics-attack/x-mitre-matrix/x-mitre-matrix--575f48f4-8897-4468-897b-48bb364af6c7.json +++ b/ics-attack/x-mitre-matrix/x-mitre-matrix--575f48f4-8897-4468-897b-48bb364af6c7.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--78eb6474-c903-4242-bb4b-b4cd9381e3f8", + "id": "bundle--02d1b4a1-21a4-4c98-a14d-ff67a6dec790", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/x-mitre-tactic/x-mitre-tactic--298fe907-7931-4fd2-8131-2814dd493134.json b/ics-attack/x-mitre-tactic/x-mitre-tactic--298fe907-7931-4fd2-8131-2814dd493134.json index fcf9271645..e174d74f2b 100644 --- a/ics-attack/x-mitre-tactic/x-mitre-tactic--298fe907-7931-4fd2-8131-2814dd493134.json +++ b/ics-attack/x-mitre-tactic/x-mitre-tactic--298fe907-7931-4fd2-8131-2814dd493134.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--6bd15f34-4ab8-4987-9cdf-349eec850682", + "id": "bundle--698ebf3f-5511-4075-918b-610b883008a2", "spec_version": "2.0", "objects": [ { 
diff --git a/ics-attack/x-mitre-tactic/x-mitre-tactic--33752ae7-f875-4f43-bdb6-d8d02d341046.json b/ics-attack/x-mitre-tactic/x-mitre-tactic--33752ae7-f875-4f43-bdb6-d8d02d341046.json index 9b2819773f..dbc846bbb9 100644 --- a/ics-attack/x-mitre-tactic/x-mitre-tactic--33752ae7-f875-4f43-bdb6-d8d02d341046.json +++ b/ics-attack/x-mitre-tactic/x-mitre-tactic--33752ae7-f875-4f43-bdb6-d8d02d341046.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--97c92831-e6c6-481d-953f-ad454bd25997", + "id": "bundle--217b6c4b-c52f-4e5a-9143-cee101a71b37", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/x-mitre-tactic/x-mitre-tactic--51c25a9e-8615-40c0-8afd-1da578847924.json b/ics-attack/x-mitre-tactic/x-mitre-tactic--51c25a9e-8615-40c0-8afd-1da578847924.json index 01505b7881..e06f1344d7 100644 --- a/ics-attack/x-mitre-tactic/x-mitre-tactic--51c25a9e-8615-40c0-8afd-1da578847924.json +++ b/ics-attack/x-mitre-tactic/x-mitre-tactic--51c25a9e-8615-40c0-8afd-1da578847924.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--1f718ca3-4133-45da-a05a-ff983a043682", + "id": "bundle--54d4b03b-8196-4332-bf46-c31c9ec505ec", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/x-mitre-tactic/x-mitre-tactic--696af733-728e-49d7-8261-75fdc590f453.json b/ics-attack/x-mitre-tactic/x-mitre-tactic--696af733-728e-49d7-8261-75fdc590f453.json index bb5c3d2069..24292425f0 100644 --- a/ics-attack/x-mitre-tactic/x-mitre-tactic--696af733-728e-49d7-8261-75fdc590f453.json +++ b/ics-attack/x-mitre-tactic/x-mitre-tactic--696af733-728e-49d7-8261-75fdc590f453.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--98cfa138-9c28-42a3-a835-5a391dbdb909", + "id": "bundle--48cd445d-9518-424b-bc7f-0e04d481d276", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/x-mitre-tactic/x-mitre-tactic--69da72d2-f550-41c5-ab9e-e8255707f28a.json b/ics-attack/x-mitre-tactic/x-mitre-tactic--69da72d2-f550-41c5-ab9e-e8255707f28a.json index 225afcc902..20fc82707a 100644 
--- a/ics-attack/x-mitre-tactic/x-mitre-tactic--69da72d2-f550-41c5-ab9e-e8255707f28a.json +++ b/ics-attack/x-mitre-tactic/x-mitre-tactic--69da72d2-f550-41c5-ab9e-e8255707f28a.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--a446accd-7bb8-47e8-bf14-8c40382930a8", + "id": "bundle--2af14bba-2aa1-4c21-acae-8984f3580b48", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/x-mitre-tactic/x-mitre-tactic--77542f83-70d0-40c2-8a9d-ad2eb8b00279.json b/ics-attack/x-mitre-tactic/x-mitre-tactic--77542f83-70d0-40c2-8a9d-ad2eb8b00279.json index a2c26894e8..c870435c29 100644 --- a/ics-attack/x-mitre-tactic/x-mitre-tactic--77542f83-70d0-40c2-8a9d-ad2eb8b00279.json +++ b/ics-attack/x-mitre-tactic/x-mitre-tactic--77542f83-70d0-40c2-8a9d-ad2eb8b00279.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--fe1699c2-e60e-4ea0-8cc9-c86d5e8c6bd2", + "id": "bundle--dd25c4af-9cee-4ce6-b086-7c0837ce61c0", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/x-mitre-tactic/x-mitre-tactic--78f1d2ae-a579-44c4-8fc5-3e1775c73fac.json b/ics-attack/x-mitre-tactic/x-mitre-tactic--78f1d2ae-a579-44c4-8fc5-3e1775c73fac.json index 7ff5b514d1..f028405726 100644 --- a/ics-attack/x-mitre-tactic/x-mitre-tactic--78f1d2ae-a579-44c4-8fc5-3e1775c73fac.json +++ b/ics-attack/x-mitre-tactic/x-mitre-tactic--78f1d2ae-a579-44c4-8fc5-3e1775c73fac.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--3362b711-3d4a-4255-b805-4c668f833338", + "id": "bundle--75cc23b3-86cf-4735-b0da-4307b8402a0f", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/x-mitre-tactic/x-mitre-tactic--93bf9a8e-b14c-4587-b6d5-9efc7c12eb45.json b/ics-attack/x-mitre-tactic/x-mitre-tactic--93bf9a8e-b14c-4587-b6d5-9efc7c12eb45.json index 2318bca01e..ac2cb9d0df 100644 --- a/ics-attack/x-mitre-tactic/x-mitre-tactic--93bf9a8e-b14c-4587-b6d5-9efc7c12eb45.json +++ b/ics-attack/x-mitre-tactic/x-mitre-tactic--93bf9a8e-b14c-4587-b6d5-9efc7c12eb45.json 
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--894ae29b-dce1-45ce-bb2a-ff13263f73e1", + "id": "bundle--82133c5a-4e1a-4f57-bb8d-52eb0df76b88", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/x-mitre-tactic/x-mitre-tactic--97c8ff73-bd14-4b6c-ac32-3d91d2c41e3f.json b/ics-attack/x-mitre-tactic/x-mitre-tactic--97c8ff73-bd14-4b6c-ac32-3d91d2c41e3f.json index 2d5cd95cce..aeb7b626f2 100644 --- a/ics-attack/x-mitre-tactic/x-mitre-tactic--97c8ff73-bd14-4b6c-ac32-3d91d2c41e3f.json +++ b/ics-attack/x-mitre-tactic/x-mitre-tactic--97c8ff73-bd14-4b6c-ac32-3d91d2c41e3f.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--bd19a362-557e-4f4d-9e10-ba1d126baed3", + "id": "bundle--6015c374-1a73-4775-94bf-c900b18730e1", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/x-mitre-tactic/x-mitre-tactic--b2a67b1e-913c-46f6-b219-048a90560bb9.json b/ics-attack/x-mitre-tactic/x-mitre-tactic--b2a67b1e-913c-46f6-b219-048a90560bb9.json index 006c952bf1..f15822a8c2 100644 --- a/ics-attack/x-mitre-tactic/x-mitre-tactic--b2a67b1e-913c-46f6-b219-048a90560bb9.json +++ b/ics-attack/x-mitre-tactic/x-mitre-tactic--b2a67b1e-913c-46f6-b219-048a90560bb9.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--cf52a266-8f71-480a-907f-1de5ed8ba3cc", + "id": "bundle--b0b8e2ba-88eb-497e-97ac-e9f32dc90a68", "spec_version": "2.0", "objects": [ { diff --git a/ics-attack/x-mitre-tactic/x-mitre-tactic--ddf70682-f3ce-479c-a9a4-7eadf9bfead7.json b/ics-attack/x-mitre-tactic/x-mitre-tactic--ddf70682-f3ce-479c-a9a4-7eadf9bfead7.json index 91e92b3370..6bacc077e3 100644 --- a/ics-attack/x-mitre-tactic/x-mitre-tactic--ddf70682-f3ce-479c-a9a4-7eadf9bfead7.json +++ b/ics-attack/x-mitre-tactic/x-mitre-tactic--ddf70682-f3ce-479c-a9a4-7eadf9bfead7.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--7d6b59be-8cc5-4496-a6fd-ebf78a81512b", + "id": "bundle--2658720f-ee42-4887-819a-db494a4c03c4", "spec_version": "2.0", "objects": [ { 
diff --git a/ics-attack/x-mitre-tactic/x-mitre-tactic--ff048b6c-b872-4218-b68c-3735ebd1f024.json b/ics-attack/x-mitre-tactic/x-mitre-tactic--ff048b6c-b872-4218-b68c-3735ebd1f024.json index 65b0ed166b..bb37b53392 100644 --- a/ics-attack/x-mitre-tactic/x-mitre-tactic--ff048b6c-b872-4218-b68c-3735ebd1f024.json +++ b/ics-attack/x-mitre-tactic/x-mitre-tactic--ff048b6c-b872-4218-b68c-3735ebd1f024.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--564f1ad1-d093-45ef-bb61-7128503acf38", + "id": "bundle--7daf3051-e09c-42d2-b140-ac8c895c786a", "spec_version": "2.0", "objects": [ {